We saw last time how to correctly integrate Aruba ClearPass CPPM with CVP so TACACS+ users can authenticate with the correct network role. The purpose of this document is to show the same for Cisco ISE (successor of ACS) TACACS+. Our goal is to make Cisco ISE send us the cvp-roles=network-admin attribute in the Authorization reply packet.
NOTE If you are running CVP versions 2018.2.0 and 2018.2.1 you might hit BUG 345723 due to which in tacacs-provider authorization we are not checking for TAC_PLUS_AUTHOR_STATUS_PASS_ADD flag. We can provide a binary patch as a workaround.. This is fixed in 2018.2.2
“The authorization arguments in both the REQUEST and the RESPONSE are attribute-value pairs. The attribute and the value are in a single US-ASCII string and are separated by either a “=” (0X3D) or a “*” (0X2A). The equals sign indicates a mandatory argument. The asterisk indicates an optional one.” –TACACS+ IEEE DRAFT
Configuring cvp-roles in Cisco ISE
This guide assumes that you already have a running TACACS+ config. The following steps will show you how to configure the cvp-roles shell attributes correctly.
1) Go to Work Centers ⇒ Device Administration ⇒ Policy Elements ⇒ Results ⇒ Tacacs Profiles
2) Click Add, go to Task Attribute View and configure Common Task Type as Shell
3) Scroll down and you’ll see Custom Attributes
4) Add a custom attribute with Name=cvp-roles and Value=network-admin
You can also set the default privilege and/or maximum privilege to 15
5) If you click on Raw View you’ll see the Profile attributes like below:
cvp-roles*network-admin and priv-lvl=15; where * (asterisk) means OPTIONAL attribute. You can also put it as MANDATORY attribute and in that case it’ll be cvp-roles=network-admin
Please pay attention here and don’t add any extra spaces, otherwise that’ll be part of the string which will be ignored and CVP will revert to the default value of network-operator.
The cvp-roles attribute will be only used for authorization on the CVP side, to have a successful authorization on EOS, you’ll need to add the roles=network-admin attribute as well:
You now should be authorized as network-admin on CVP
If all configuration was correct, pcaps should look like below(either cvp-roles*network-admin or cvp-roles=network-admin; no spaces between the key-value pairs):
|Request from CVP||Reply from Cisco ISE|
|Putting network-admin in quotes, will result in CVP ignoring the cvp-roles attribute and it’ll revert to network-operator|
|Use the Task Attribute View always!
Don’t add spaces between the attributes and their values (it’s not python) the extra spaces will be considered as part of the string for the attributes and we’ll ignore them.