ClearPass TACACS+ Authorization with CVP
The purpose of this article is to learn how to correctly set up the TACACS+ service in Aruba ClearPass in order to successfully authenticate on the CVP GUI as a network admin. Our goal is to configure ClearPass Policy Manager [CPPM] to send us the cvp-roles=network-admin attribute in the TACACS+ Authorization reply packet. By default this does not happen, because cvp-roles is a custom attribute that has to be added to the TACACS+ dictionary on any type of TACACS+ implementation. Without it, the user is allocated the default role of network-operator, which only has read-only access on the CVP GUI. For configuring AAA on CVP, please refer to our online configuration guide. In my examples I’ve used Aruba CPPM 6.7; older versions should have similar settings.
Looking at the packet captures
It’s very easy to take a packet capture on the CVP VM. We can use the following tcpdump command:
tcpdump -nevvi eth0 host 10.83.12.221 and port 49 -w cvproles.pcap
We can filter on the IP address of the TACACS+ server using the host filter and on TCP port 49, the port TACACS+ uses, with the port filter, as above. Finally, we can write the captured packets to a file with the -w flag and copy the file to our PC for further analysis in Wireshark.
To be able to view the encrypted TACACS+ packets in Wireshark, we’ll need to specify the encryption key. To do that, go to Preferences – Protocols – TACACS+ and type the key like in the below figure:
A TACACS+ authorization request from CVP looks like below:
As you can see, CVP sets service=shell and expects the cvp-roles attribute from the server.
This is how a decrypted reply looks if the cvp-roles attribute is NOT sent by the TACACS+ server:
In this case, you’ll be logged in as network-operator on the CVP GUI instead of network-admin:
When the cvp-roles attribute is specified, an example authorization reply when the authorization attribute status in the enforcement profile is set to REPLACE (PASS_REPL) looks like the following:
Note: Due to BUG 345723, introduced in CVP 2018.2.0, external TACACS+ server authorization is not supported when the server sends the “TAC_PLUS_AUTHOR_STATUS_PASS_ADD” flag, i.e. PASS_ADD (0x01 in hex), as seen in Wireshark packet captures. This was fixed in 2018.2.2; a binary patch can be provided as a workaround for the 2018.2.0 and 2018.2.1 versions.
Similarly, when the authorization attribute status in the enforcement profile is set to ADD (PASS_ADD) the authorization reply looks like below:
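To make the capture analysis above concrete, here is an added example (not part of the original article) that implements the RFC 8907 body obfuscation Wireshark undoes with the shared key, then parses a constructed authorization REPLY to read the status flag (PASS_ADD vs PASS_REPL) and the cvp-roles attribute. The session id and key are placeholders.

```python
import hashlib
import struct

# TACACS+ authorization REPLY status codes (RFC 8907, section 6.2)
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01   # server adds its args to the client's
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02  # server's args replace the client's

def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 MD5 keystream; XOR with it encrypts and decrypts alike."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_author_reply(status: int, args: list) -> bytes:
    """Encode an authorization REPLY body with empty server_msg and data fields."""
    raw = [a.encode() for a in args]
    header = struct.pack("!BBHH", status, len(raw), 0, 0) + bytes(len(a) for a in raw)
    return header + b"".join(raw)

def parse_author_reply(body: bytes) -> tuple:
    """Return (status, {attr: value}); '=' marks a mandatory arg and '*' an optional one."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    off = 6 + arg_cnt + msg_len + data_len  # args follow server_msg and data
    args = {}
    for n in arg_lens:
        arg = body[off:off + n].decode()
        off += n
        sep = min((i for i in (arg.find("="), arg.find("*")) if i >= 0), default=len(arg))
        args[arg[:sep]] = arg[sep + 1:]
    return status, args

def cvp_role_from_reply(args: dict) -> str:
    """Role CVP assigns: cvp-roles if the server sent it, otherwise the read-only default."""
    return args.get("cvp-roles", "network-operator")

def demo() -> tuple:
    # Constructed values: session id and key are placeholders, version 0xC0 is TACACS+ 12.0
    session_id, key, version, seq_no = 0x1A2B3C4D, b"example-key", 0xC0, 2
    clear = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_REPL, ["cvp-roles=network-admin"])
    wire = xor_body(clear, session_id, key, version, seq_no)      # what tcpdump would capture
    status, args = parse_author_reply(xor_body(wire, session_id, key, version, seq_no))
    return status, cvp_role_from_reply(args)
```

A reply whose parsed status is 0x01 is the PASS_ADD case that the affected 2018.2.0 and 2018.2.1 releases cannot handle; a missing cvp-roles key in the parsed args is why the login falls back to network-operator.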
Steps to configure the cvp-roles shell attribute
1. Go to the Administration tab on the left side and click on Dictionaries – TACACS+ Services
2. Search for shell and select Export (note that you cannot add new attributes from the GUI; you need to do it in a text editor and re-import the XML)
3. Add the cvp-roles attribute like below:
<ServiceAttribute allowedValuesCsv="network-admin,network-operator" dataType="String" dispName="cvp-roles" name="cvp-roles"/>
Your final XML should look similar to the following output:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Thu Dec 27 15:28:13 GMT 2018" version="6.7"/>
  <TacacsServiceDictionaries>
    <TacacsServiceDictionary dispName="Shell" name="shell">
      <ServiceAttribute dataType="String" dispName="Access control list" name="acl"/>
      <ServiceAttribute dataType="String" dispName="cmd" name="cmd"/>
      <ServiceAttribute dataType="String" dispName="Auto command" name="autocmd"/>
      <ServiceAttribute dataType="String" dispName="Callback line" name="callback-line"/>
      <ServiceAttribute dataType="String" dispName="Callback rotary" name="callback-rotary"/>
      <ServiceAttribute allowedValuesCsv="true,false" dataType="String" dispName="No callback verify" name="nocallback-verify"/>
      <ServiceAttribute dataType="Unsigned32" dispName="Idle time" name="idletime"/>
      <ServiceAttribute dataType="Unsigned32" dispName="Timeout" name="timeout"/>
      <ServiceAttribute allowedValuesCsv="network-admin,network-operator" dataType="String" dispName="cvp-roles" name="cvp-roles"/>
      <ServiceAttribute dataType="Unsigned32" dispName="Privilege level" name="priv-lvl"/>
      <ServiceAttribute allowedValuesCsv="true,false" dataType="String" dispName="No hangup" name="nohangup"/>
      <ServiceAttribute allowedValuesCsv="true,false" dataType="String" dispName="No escape" name="noescape"/>
    </TacacsServiceDictionary>
  </TacacsServiceDictionaries>
</TipsContents>
Note that if you have created custom role(s) under CVP Account Management, you can add those to the allowedValuesCsv key as well. The whole list goes in one quoted value, comma separated if there is more than one role:
<ServiceAttribute allowedValuesCsv="network-admin,network-operator,custom-role1" dataType="String" dispName="cvp-roles" name="cvp-roles"/>
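Because the attribute has to be added outside the GUI, the following added example (my own, not part of the article or of ClearPass) does that edit programmatically: it inserts or updates the cvp-roles ServiceAttribute in the shell dictionary of an exported file, rejects role names that would break the CSV value, and reads back the allowed roles so you can check the file before re-importing. The embedded export is a constructed, trimmed copy of the real one.

```python
import xml.etree.ElementTree as ET

NS = "http://www.avendasys.com/tipsapiDefs/1.0"
ET.register_namespace("", NS)  # keep the export's default namespace when re-serializing
DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'

# Constructed, trimmed copy of a shell dictionary export (a real export lists more attributes)
EXPORTED_XML = DECL + f"""<TipsContents xmlns="{NS}">
<TipsHeader exportTime="Thu Dec 27 15:28:13 GMT 2018" version="6.7"/>
<TacacsServiceDictionaries>
<TacacsServiceDictionary dispName="Shell" name="shell">
<ServiceAttribute dataType="Unsigned32" dispName="Privilege level" name="priv-lvl"/>
</TacacsServiceDictionary>
</TacacsServiceDictionaries>
</TipsContents>"""

def _shell_dictionary(root):
    shell = root.find(f".//{{{NS}}}TacacsServiceDictionary[@name='shell']")
    if shell is None:
        raise ValueError("export does not contain the shell service dictionary")
    return shell

def add_cvp_roles(xml_text: str, roles: list) -> str:
    """Insert (or update) the cvp-roles attribute in the shell dictionary and return the XML."""
    if not roles or any("," in r or not r.strip() for r in roles):
        raise ValueError("role names must be non-empty and cannot contain commas (CSV value)")
    root = ET.fromstring(xml_text)
    shell = _shell_dictionary(root)
    attr = shell.find(f"{{{NS}}}ServiceAttribute[@name='cvp-roles']")
    if attr is None:
        attr = ET.SubElement(shell, f"{{{NS}}}ServiceAttribute", dataType="String",
                             dispName="cvp-roles", name="cvp-roles")
    attr.set("allowedValuesCsv", ",".join(roles))
    return DECL + ET.tostring(root, encoding="unicode")

def allowed_cvp_roles(xml_text: str) -> list:
    """Roles the dictionary will accept for cvp-roles; empty if the attribute is missing."""
    shell = _shell_dictionary(ET.fromstring(xml_text))
    attr = shell.find(f"{{{NS}}}ServiceAttribute[@name='cvp-roles']")
    if attr is None:
        return []
    return attr.get("allowedValuesCsv", "").split(",")
```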
4. Save the XML and then re-import it by selecting the shell service dictionary again and clicking the Import button on the top right
5. If everything was fine, when clicking on the shell service dictionary, you should see a similar list as below:
6. The next step is to create an Enforcement profile and specify the shell attributes.
Go to the Configuration tab and click on Enforcement Profiles. Since you might not have permission to modify the existing profiles, you can copy one of them. In my case, I’ve made a copy of the TACACS Network Admin profile: click on the profile and then click on Copy.
7. Click on the newly created Enforcement Profile
8. Add the Shell service and configure the service attributes from the Services tab
It should look like below:
Then click Save.
9. Create an Enforcement Policy by going to the Configuration tab – Enforcement – Policies – Add
10. Give it a name and Select the Default Profile:
11. Add Rules.
I’ve only added the following for easier testing:
- Type: Tips
- Name: Role
- Operator: MATCHES_ANY
- Value: TACACS Network Admin
12. Select the Enforcement Profile (the copy of the TACACS Network Admin in my case) and save.
After this your TACACS+ should be working correctly.
13. Let’s authenticate from CVP and see if the role is inherited correctly
14. After logging in we can check the role of the user by clicking on the person icon on the top right:
15. From the Aruba side, we can monitor the authentications from the Access Tracker on the Monitoring page
If the cvp-roles attribute was added to a different service dictionary and hence the shell service was not set in the enforcement profile, you’ll see a similar error on the session detail: