Block external IP address to access device via TACACS

Aruba Employee

Summary: This article describes how to reject all TACACS authentication requests that originate from external IP addresses.

Introduction:

This article describes how to create an enforcement policy that allows TACACS access only from internal IP addresses and rejects every such request coming from an external IP address.

 

Feature Notes:

This article applies to CPPM 6.2 and later.

 

Configuration Steps:

Some devices are reachable on public IP addresses for one reason or another. How do we make sure that nobody (not even employees) can access them from an external network?

Shell/SSH access to these devices must never be exposed to the Internet.

The recommended approach is to create an enforcement policy as described below and map it to the TACACS service.

The key condition in that policy allows access only from client IP addresses that begin with the configured value; every other request is rejected.

 

The condition:

Connection Client-IP-Address BEGINS_WITH 10.10.10

can be combined (AND) with any other rules to make the service more secure. Feel free to customize it to your requirements.
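To make the behaviour of that condition concrete, here is an added example (not part of the original article and not ClearPass code) that models the enforcement decision over a few constructed TACACS requests. It assumes that BEGINS_WITH is a plain string-prefix test on the textual Client-IP-Address, adds a hypothetical second AND rule on the request protocol, and contrasts the prefix test with a subnet-aware check so the over-match of a bare "10.10.10" prefix is visible.

```python
"""Model of 'Connection Client-IP-Address BEGINS_WITH 10.10.10' AND-ed with
a second rule, evaluated over constructed sample requests.

Added example, not the article's or ClearPass's own code.
Assumption: BEGINS_WITH is a string-prefix comparison on the client IP text.
"""
import ipaddress

INTERNAL_PREFIX = "10.10.10"                                # value from the article
INTERNAL_NETWORK = ipaddress.ip_network("10.10.10.0/24")  # constructed stricter form

# Constructed sample requests: (client IP, protocol). Not real traffic.
SAMPLE_REQUESTS = [
    ("10.10.10.25", "TACACS"),   # internal management host
    ("10.10.100.7", "TACACS"),   # other subnet that shares the string prefix
    ("198.51.100.9", "TACACS"),  # external address (documentation range)
    ("10.10.10.25", "RADIUS"),   # internal, but not the TACACS service
]


def begins_with(client_ip: str, prefix: str) -> bool:
    """Model of the BEGINS_WITH operator: a plain string-prefix test."""
    return client_ip.startswith(prefix)


def in_network(client_ip: str, network: ipaddress.IPv4Network) -> bool:
    """Subnet-aware alternative: true only if the address lies in the subnet."""
    return ipaddress.ip_address(client_ip) in network


def enforce(client_ip: str, protocol: str, strict: bool = False) -> str:
    """Return the enforcement result for one request.

    Two AND-ed rules: the request must be for the TACACS service (hypothetical
    second rule) and the client IP must be internal. Anything that does not
    match both falls through to the deny profile, modelled here as "REJECT".
    With strict=True the IP rule uses subnet membership instead of the prefix.
    """
    if strict:
        ip_ok = in_network(client_ip, INTERNAL_NETWORK)
    else:
        ip_ok = begins_with(client_ip, INTERNAL_PREFIX)
    if protocol == "TACACS" and ip_ok:
        return "ACCEPT"
    return "REJECT"


def evaluate_all(strict: bool = False) -> dict:
    """Evaluate every sample request; keys are 'ip/protocol'."""
    return {f"{ip}/{proto}": enforce(ip, proto, strict) for ip, proto in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for strict in (False, True):
        print("subnet match" if strict else "BEGINS_WITH prefix match")
        for key, result in evaluate_all(strict).items():
            print(f"  {key:22} -> {result}")
```

Running it shows the point worth checking before deploying the condition: with the prefix "10.10.10", a client at 10.10.100.7 (or anything in 10.10.100.0 to 10.10.109.255) is accepted as well, because the string comparison knows nothing about octet boundaries. If the intended scope is the single 10.10.10.0/24 network, the prefix should be "10.10.10." (with the trailing dot), or the equivalent subnet-aware match where the platform offers one.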

 

Verification:

Verify the policy by attempting to authenticate from an external IP address; the request will be rejected.

 

Version history
Revision #: 1 of 1
Last update: 11-10-2014 03:51 AM

Comments
rajo7

Hello,

I have done this and it is working great, except for a specific vendor whose device treats the 'TACACS Deny Profile' as an accept response and allows read-only access to this device.

Any idea how to make CPPM respond with 'REJECT' instead?

Thanks
