Hi,
CPPM 6.11.x
We have a TACACS service that, although it lists all commands typed by the logged-in user, doesn't restrict what command you type.
We have recently started supporting Cisco NEXUS devices for TACACS and run into a bit of a problem. The NEXUS device can have multiple IP addresses (I'm led to believe multiple virtual switches). If I create a network device for each IP address then users can log in by SSHing to any of the IP addresses and stuff works.
However our engineers don't want to do that; there's a CLI command they can use once they've logged onto the Nexus to move to another switch. Problem is this works for some people and not others. Looking at ClearPass, you can see the initial login and the commands they type in, but as soon as they switch to another "switch" ClearPass sees the authorization coming in from a different IP address and rejects the command. The engineer then sees a "you are not authorized to use this command" message, which I guess is correct, as the end user is on a different "switch".
A colleague suggested you could assign multiple IPv4 addresses to a given ClearPass network device and even showed a snippet of a doc saying so (no URL unfortunately). However, both on a 6.11.x and a 6.12.x CPPM server, comma or semicolon delimiting of IP addresses fails. As far as I can see it's 1 IP address per device.
Should say at this point I'm still using the Aruba TACACS enforcement policy and not a Cisco one. Planning on using the device vendor ID to check for a vendor of Cisco and applying an appropriate Cisco TACACS setup.
Best
Alex
-------------------------------------------
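The failure described in the post above comes down to how the TACACS+ server picks the network device entry for an incoming authorization request. The following is an added illustration, not code from the original post and not ClearPass code: it models a NAD table where each entry is keyed by the source IP of the TACACS+ packet, and shows that one entry per host misses the second address the Nexus sends from, while a single subnet or range entry covers both. It assumes (a) that the server keys the lookup on the packet's source IP and (b) that the device entry may be a host, a CIDR subnet, or a start-end range (check the help text of the "IP or Subnet Address" field on your CPPM version before relying on that). The addresses and command are constructed sample data.

```python
"""Model of a TACACS+ network-device (NAD) lookup keyed on source IP.

Added example, not ClearPass code. Assumptions (not from the original post):
- the server selects the NAD entry by the source IP of the TACACS+ packet
- an entry's address may be a host, a CIDR subnet, or a range written either
  as "10.10.0.11-10.10.0.12" or in last-octet shorthand "10.10.0.11-12"
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    spec: str    # "10.10.0.11", "10.10.0.0/28", "10.10.0.11-10.10.0.12" or "10.10.0.11-12"
    vendor: str  # used by the enforcement policy to pick the vendor-specific TACACS setup

    def matches(self, src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        if "/" in self.spec:
            # subnet entry: any address in the prefix is this device
            return ip in ipaddress.ip_network(self.spec, strict=False)
        if "-" in self.spec:
            lo_s, hi_s = (p.strip() for p in self.spec.split("-", 1))
            lo = ipaddress.ip_address(lo_s)
            # shorthand "a.b.c.x-y" means a.b.c.x .. a.b.c.y
            hi = ipaddress.ip_address(hi_s if "." in hi_s else lo_s.rsplit(".", 1)[0] + "." + hi_s)
            return lo <= ip <= hi
        return ip == ipaddress.ip_address(self.spec)


def lookup_device(devices: Sequence[NetworkDevice], src_ip: str) -> Optional[NetworkDevice]:
    """First entry whose address spec covers the packet's source IP, else None."""
    for dev in devices:
        if dev.matches(src_ip):
            return dev
    return None


def authorize_command(devices: Sequence[NetworkDevice], src_ip: str, cmd: str) -> Tuple[str, str]:
    """Outcome of a command-authorization request arriving from src_ip.

    A request from an address that maps to no registered device is rejected
    before any enforcement policy runs, which is what the engineer sees as
    "you are not authorized to use this command" after switching context.
    """
    dev = lookup_device(devices, src_ip)
    if dev is None:
        return ("reject", f"no network device registered for source {src_ip}")
    return ("permit", f"{dev.name} ({dev.vendor}) cmd={cmd!r}")


# Constructed sample: a Nexus that talks to the server from two addresses.
NEXUS_PRIMARY_IP = "10.10.0.11"
NEXUS_SECOND_IP = "10.10.0.12"   # the address seen after moving to the other "switch"
SAMPLE_CMD = "show running-config"

# One entry per host, with only the primary address registered.
DEVICES_PER_HOST = [NetworkDevice("nexus-a", NEXUS_PRIMARY_IP, "Cisco")]
# A single entry covering the block the Nexus addresses live in.
DEVICES_SUBNET = [NetworkDevice("nexus-a", "10.10.0.0/28", "Cisco")]
# A single entry covering exactly the two addresses, in last-octet shorthand.
DEVICES_RANGE = [NetworkDevice("nexus-a", "10.10.0.11-12", "Cisco")]


def demo() -> dict:
    """Map each table to the (primary, second) outcomes for the sample command."""
    tables = {"per_host": DEVICES_PER_HOST, "subnet": DEVICES_SUBNET, "range": DEVICES_RANGE}
    return {
        name: (authorize_command(devs, NEXUS_PRIMARY_IP, SAMPLE_CMD)[0],
               authorize_command(devs, NEXUS_SECOND_IP, SAMPLE_CMD)[0])
        for name, devs in tables.items()
    }


if __name__ == "__main__":
    for table, outcome in demo().items():
        print(f"{table:9s} primary={outcome[0]:6s} second={outcome[1]}")
```

The per-host table reproduces the symptom exactly: the first login from the primary address is permitted and every command after the context switch is rejected, because the server has nothing registered for the second source address. Whether the engineer is affected then depends only on which context they move into, which is consistent with "works for some people and not others".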