Authenticate Aruba ClearPass Admins against AD

In this post I will show you how to authenticate Aruba ClearPass admins against Active Directory (AD) using the TACACs protocol. There are much easier ways to configure TACACS policies, i.e. we could copy the inbuilt services or use the service templates and wizards, but you wouldn’t learn anything!

  1. TACACS Workflow
  2. AD as an Authentication Source
  3. AD Users and Groups
  4. Admin Privilege Levels
  5. Enforcement Profiles
  6. Role Mapping Policy
  7. Enforcement Policy
  8. Service
  9. Verification Testing

TACACS Workflow

The TACACs workflow for ClearPass can be a little confusing at first so I have created the image below in an attempt to simplify it for those just getting started. In this scenario just remember that the Network Access Device (NAD) is actually ClearPass itself.

Aruba ClearPass TACACs Flow

AD as an Authentication Source

To configure AD as an authentication source click Configuration > Authentication > Sources and click Add to create a new authentication source.

ClearPass Admin AD Auth Source

Fill out the the DC hostname, bind DN and password, base DN and any other settings you require and click Save.

ClearPass Admin AD Auth Source

AD Users and Groups

ClearPass Policy Manager (CPPM) has five Admin privilege levels available for assignment but for the purpose of this lab, I will only use two. I will assign one group full unlimited access to CPPM and another group Read-Only access. I will also test access with a user that has no privileges assigned. The table below summarises the AD users and group assignment used in this scenario.

ClearPass Admin AD Users Groups

Here are the users and groups in AD.

ClearPass Admin AD Users and Groups

Admin Privilege Levels

I like to work backwards when configuring ClearPass. It’s handy to know that the configuration requirements are already in place and can be easily assigned to a policy later on in the configuration and there will be no surprises.

Click on Administration > Users and Privileges > Admin Privileges to view the ClearPass privilege levels available for assignment. In this example we are going to use the two inbuilt privilege levels:

  • Super Administrator
  • Read-only Administrator

If we click on Read-Only Administrator and click on the Policy Manager tab, we can see what rights a user would have if assigned this privilege level. This is an inbuilt record and cannot be edited but you are free to create your own privilege levels if you want customise the level of access.

ClearPass Admin AD Admin Privileges

Enforcement Profiles

The privilege levels in the previous section are applied to administrative sessions using ‘attributes’ within enforcement profiles. An enforcement profile is the part of ClearPass that is responsible for applying one or more actions based on the conditions that are matched in the enforcement policy. There is a one-to-one mapping of enforcement profiles to admin privileges. To meet our requirements we will use two inbuilt enforcement profiles:

  • [TACACS Super Admin]
  • [TACACS Read-only Admin]

The table below shows the admin privilege levels assigned by each enforcement profile.

ClearPass Admin AD Enforcement Attributes

Click on Configuration > Enforcement > Profiles and select the profile [TACACS Super Admin] to see this in action.

ClearPass Admin AD Enforcement Profile

Go back and do the same with the [TACACS Read-only Admin] profile.

ClearPass Admin AD Enforcement Profile

Role Mapping Policy

When authenticating a user against a set of policy conditions, ClearPass has the option to assign a ‘role’ to the administrator using a role mapping policy. This role can then be referenced in policy enforcement rules without having to repeatedly type complex configuration for each rule.

For TACACs services we can create a role mapping policy which assigns a ClearPass role based on a users AD group membership. I am mapping each of the AD groups we created earlier to an inbuilt role. If there is no match we will assign a role of [other], which has no AD group mapping, so the user will be denied access.

ClearPass Admin AD Role Mapping

To create a role mapping policy click on Configuration > Identity > Role Mappings and click Add.

ClearPass Admin AD Role Mappings

The Summary tab combines the configuration from both the Policy and Mapping Rules tabs.

ClearPass Admin AD Role Mappings

Enforcement Policy

Next, we create an enforcement policy which simply assigns enforcement profiles based on the assigned role. You could create your own enforcement policy, however, the inbuilt policy named [Admin Network Login Policy] gives you exactly what you need. In fact, it will assign an enforcement profile to both TACACS users within AD or users created in the ClearPass local user database.

TIPS = Trust and Identity Policy System. So ‘Tips:Role is just a fancy way of saying ‘ClearPass role’.

Click on Configuration > Enforcement > Policies and click Add to create your own, or use the inbuilt [Admin Network Login Policy] shown below.

ClearPass Admin AD Enforcement Policy

Service

It’s time to create a service, which is a means of grouping all of the policy components that serve a specific type of request into a single configuration set. While our service will reference other policies and profiles, it also has it’s own conditions that administrative sessions must match before the underlying policies and profiles are processed.

Click Configuration > Service and click Add to create a new service. As there are many options to configure, I am only showing the summary tab for the service.

Things to note –

  • For ClearPass to authenticate TACACS requests against itself, the NAD IP address must be 127.0.0.1 (local host IP address)
  • In Authentication Sources under the Authentication tab, ensure that AD is the only source in the list
  • Depending on your AD setup, you may also need to tick the Strip Username Rules: checkbox in the Authentication tab
ClearPass Admin AD Service

You also need to disable the inbuilt service named [Policy Manager Admin Network Login Service] or simply reorder the list of services by placing the one you just created above the inbuilt service. It’s best practice to disable or delete any service you do not require, although you cannot delete any item that is inbuilt to ClearPass.

ClearPass Admin AD Service

Verification Testing

Time to test! When testing TACACS authentication it makes sense to use a different browser. This way one browser can be logged in to ClearPass using the local Admin account for troubleshooting purposes while the other browser is used to test user accounts themselves.

Here are the results in Access Tracker when I log in using the account jblogs (Read Only Access). Click on Monitoring > Live Monitoring > Access Tracker to view the authentication results. You can see below that the correct enforcement profile of [TACACS Read-only Admin] has been applied. Using this account, I can view all ClearPass settings and access monitoring and loggin features but cannot make any changes to the system.

ClearPass Admin AD Access Tracker

The user jdoe (Super Admin Access) is correctly applied the [TACACS Super Admin] enforcement profile.

ClearPass Admin AD Access Tracker

And when I use bfrapples who is not part of any permitted AD group.

ClearPass Admin AD Access Tracker

Congratulations, you have just allowed AD authentication for ClearPass Network Administrators!

Share: