03-06-2017 12:59 AM
We are in the middle of a project to replace a legacy Cisco ACS TACACS+ platform with a new HPE Clearpass platform.
We are faced with an issue of the HPE Clearpass server not returning a 'brcd-role' back to the BR-VDX6740 switch. We see the switch requesting a SHELL and brcd-role, but despite the HPE Clearpass server being configured with this, it only responds with the priv-lvl 15 and not the 'brcd-role', which results in the TACACS+ user assuming the 'User' role.
Just wondering if anyone else out there has managed to get this working? I've attached a screenshot showing the HPE Clearpass configuration. I'm hoping I've just got something configured incorrectly with the Clearpass, as it works seamlessly with the Cisco ACS with the 'optional' attribute 'brcd-role = admin'.
Appreciate this isn't a Clearpass forum, just hoping somebody else has a similar configuration that can be shared.
03-10-2017 02:23 AM
As far as I can tell you have a good handle on how this should work as you have had this previously configured under ACS.
I am afraid I am not familiar with HPE Clearpass but have quite a bit of experience with VDX and TACACS+ on other platforms.
Does HPE have the facility to configure the brcd-role as an optional argument rather than a mandatory argument? Having more than one mandatory argument configured as part of a single TACACS+ service can cause some authorization issues.
Also, what happens if you configure a TACACS+ service with only brcd-role = admin and remove priv-lvl = 15 altogether? Does this work for the VDX switches?
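As an added example (not code from either poster or from Brocade/HPE), the following Python decodes a TACACS+ authorization REPLY body as laid out in RFC 8907 and reports which role the switch would end up with, distinguishing mandatory (`attr=value`) from optional (`attr*value`) pairs. The sample replies are constructed, and the fallback to the 'User' role is an assumption modelling what the original post reports rather than documented VDX behaviour.

```python
import struct

# TACACS+ authorization REPLY status codes (RFC 8907, section 6.2).
PASS_ADD, PASS_REPL, FAIL, ERROR = 0x01, 0x02, 0x10, 0x11

def encode_authz_reply(status, args, server_msg=b"", data=b""):
    """Build an unencrypted REPLY body so the decoder can be exercised offline."""
    args = [a.encode() for a in args]
    hdr = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return hdr + bytes(len(a) for a in args) + server_msg + data + b"".join(args)

def decode_authz_reply(body):
    """Parse a REPLY body into its status and a list of (attr, value, mandatory)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6
    arg_lens = list(body[pos:pos + arg_cnt])
    pos += arg_cnt
    server_msg, pos = body[pos:pos + msg_len], pos + msg_len
    data, pos = body[pos:pos + data_len], pos + data_len
    avpairs = []
    for n in arg_lens:
        raw = body[pos:pos + n].decode(errors="replace")
        pos += n
        # The separator is the first '=' (mandatory) or '*' (optional) in the pair.
        sep = next((i for i, c in enumerate(raw) if c in "=*"), None)
        if sep is None:
            avpairs.append((raw, "", True))  # no separator: keep attr, flag as mandatory
        else:
            avpairs.append((raw[:sep], raw[sep + 1:], raw[sep] == "="))
    return {"status": status, "server_msg": server_msg, "data": data, "args": avpairs}

def role_decision(body, role_attr="brcd-role", default_role="User"):
    """Report the role the device applies. Assumption (from the thread): a PASS reply
    that carries no role attribute leaves the user in the default role."""
    reply = decode_authz_reply(body)
    if reply["status"] not in (PASS_ADD, PASS_REPL):
        return {"authorized": False, "role": None, "mandatory": None, "attrs": reply["args"]}
    for attr, value, mandatory in reply["args"]:
        if attr == role_attr:
            return {"authorized": True, "role": value, "mandatory": mandatory,
                    "attrs": reply["args"]}
    return {"authorized": True, "role": default_role, "mandatory": None,
            "attrs": reply["args"]}

if __name__ == "__main__":  # constructed samples: the reply reported in the thread vs. the wanted one
    print(role_decision(encode_authz_reply(PASS_ADD, ["priv-lvl=15"]))["role"])
    print(role_decision(encode_authz_reply(PASS_ADD, ["priv-lvl=15", "brcd-role*admin"]))["role"])
```

Feeding a captured (decrypted) REPLY body to `role_decision` shows at a glance whether the server omitted the attribute or sent it with the wrong separator, which is the distinction the second reply asks about.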