
Block external IP address to access device via TACACS

Posted on 11-10-2014 03:51 AM

Summary : This article describes how to reject all TACACS+ authentication requests that originate from external IP addresses.

Introduction :

This article describes how to create an enforcement policy that allows TACACS+ access only from internal IP addresses and rejects every such request that arrives from an external IP address.

 

Feature Notes :

This article applies to ClearPass Policy Manager (CPPM) 6.2 and later.

 

Configuration Steps :

Some of our devices sit on public IP addresses for one reason or another. How do we make sure that nobody, not even an employee, can reach them from an external network?

Shell/SSH access to the devices must never be exposed to the web.

The best approach is to create an enforcement policy as detailed below and map it to the TACACS+ service.


[Screenshot: enforcement policy configuration (rtaImage.jpg)]

The highlighted condition allows access only from client IP addresses that begin with the configured value; every other request is rejected.

[Screenshot: enforcement policy rule with the Client-IP-Address condition highlighted (rtaImage.jpg)]

The condition :

Connection:Client-IP-Address BEGINS_WITH 10.10.10

This condition can be combined (AND) with any other rule conditions to tighten the service further. Feel free to customize it to suit your requirements.
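As an added illustration, not part of the original article or of ClearPass itself, the Python below models the BEGINS_WITH condition above as the plain string comparison it is, beside the subnet membership test the rule is meant to express, and runs both over a handful of constructed client addresses (the attribute name and prefix are the article's; the sample addresses and function names are assumptions).

```python
import ipaddress

# Constructed sample Client-IP-Address values from TACACS+ requests (not real data).
SAMPLE_CLIENT_IPS = [
    "10.10.10.25",    # admin workstation inside the intended subnet
    "10.10.100.7",    # another internal subnet that also starts with "10.10.10"
    "10.10.1.5",      # internal, but outside the prefix
    "203.0.113.9",    # public address (documentation range)
    "not-an-ip",      # malformed attribute value
]


def begins_with_rule(client_ip: str, prefix: str = "10.10.10") -> bool:
    """Mimic the CPPM condition Connection:Client-IP-Address BEGINS_WITH <prefix>.

    BEGINS_WITH is a plain string comparison, so "10.10.10" is also a prefix of
    10.10.100.x through 10.10.109.x. A trailing dot ("10.10.10.") pins it to one /24.
    """
    return client_ip.startswith(prefix)


def subnet_rule(client_ip: str, allowed: str = "10.10.10.0/24") -> bool:
    """Evaluate the intent behind the rule: is the client inside the internal subnet?

    A malformed address fails closed (returns False), matching the article's
    default of rejecting everything the allow condition does not match.
    """
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(allowed)
    except ValueError:
        return False


def decide(client_ip: str, prefix: str = "10.10.10") -> dict:
    """Return the enforcement result under both readings of the condition."""
    return {
        "client_ip": client_ip,
        "begins_with": "ACCEPT" if begins_with_rule(client_ip, prefix) else "REJECT",
        "subnet": "ACCEPT" if subnet_rule(client_ip) else "REJECT",
    }


def find_overmatches(client_ips, prefix: str = "10.10.10"):
    """List addresses the string prefix accepts but the /24 subnet check rejects."""
    return [ip for ip in client_ips
            if begins_with_rule(ip, prefix) and not subnet_rule(ip)]


if __name__ == "__main__":
    for ip in SAMPLE_CLIENT_IPS:
        print(decide(ip))
    print("over-matched by BEGINS_WITH 10.10.10 :", find_overmatches(SAMPLE_CLIENT_IPS))
    print("over-matched by BEGINS_WITH 10.10.10.:", find_overmatches(SAMPLE_CLIENT_IPS, "10.10.10."))
```

Running it shows 10.10.100.7 accepted by the prefix as written but rejected once the trailing dot is added, so check which subnets your prefix really covers before relying on it.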

Verification :

Verify the policy by attempting to authenticate from an external IP address; that request receives an Access Reject.
