Wired Intelligent Edge

 View Only

  • 1.  Manage Switches within Clearpass and AZURE Entra ID

    Posted Dec 02, 2025 03:29 AM

    Using Aruba Clearpass and AZURE AD, what is the requirement for managing switches?



    -------------------------------------------


  • 2.  RE: Manage Switches within Clearpass and AZURE Entra ID

    Posted Dec 02, 2025 08:25 AM

    You need to enable TACACS+ / RADIUS device administration when you use Aruba Clearpass and Azure AD. 

    Since Azure AD does not support LDAP or MSCHAPv2, so ClearPass cannot query Azure AD directly. You must integrate in one of these ways:
    1. Entra ID (Azure AD) + SAML 2.0 for ClearPass Admin Login Only (NOT for TACACS+). This works only for logging into the ClearPass web GUI, not for managing switches.
    TACACS+ cannot use SAML, so this does NOT solve device management.
    2.  Use ClearPass Azure AD Secure Client / OAuth 2.0 / Graph API (REQUIRED for TACACS+ or RADIUS device admin). This is the correct method for switch management.

    I guess technical details on how to do such configs, you can find online. If not, we can check if we can help.



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP
    Just an Aruba enthusiast and contributor by cases
    If you find my comment helpful, KUDOS are appreciated.
    ------------------------------



  • 3.  RE: Manage Switches within Clearpass and AZURE Entra ID

    Posted Dec 02, 2025 03:11 PM

    I appreciate your response.

    Kindly provide me Details about :

    Use ClearPass Azure AD Secure Client / OAuth 2.0 / Graph API

    -------------------------------------------

    Original Message


  • 4.  RE: Manage Switches within Clearpass and AZURE Entra ID

    Posted Dec 03, 2025 07:01 PM

    ClearPass Azure AD Secure Client (OAuth 2.0 + Microsoft Graph) → Required for TACACS+ or RADIUS device administration (switch logins, command authorization, and accounting)
    Regarding TACACS + AOS-CX switch configuration, please refer to the hardening guide: https://arubanetworking.hpe.com/techdocs/AOS-CX/10.16/PDF/hardening.pdf
    Sample:
    # TACACS+ server(s)-ClearPass nodes
    switch(config)# tacacs-server host 10.100.0.252 key plaintext T@cac$serv3rkey
    switch(config)# tacacs-server host 10.100.0.253 key plaintext T@cac$serv3rkey

     

    # AAA: login via TACACS+, failover to local if ClearPass is down
    switch(config)# aaa authentication login default group tacacs local

     

    # (Optional) Authorization & Accounting
    switch(config)# aaa authorization commands default group tacacs local
    switch#
    -------------------------------------------

    Original Message


Related Content