AAA, NAC, Guest Access & BYOD


How to authenticate an IAP admin user against CPPM over TACACS

Aug 07, 2014 09:55 AM

This article explains how to configure IAP management (admin) user authentication against ClearPass over TACACS+.

TACACS+ support is available only from Instant code version 6.4.0.2 - x.x.x.

IAP Configuration:

Step 1: Add CPPM as a TACACS server on the IAP

Go to Security > Authentication Servers > New, select TACACS, and add the ClearPass server.

Step 2: Enable admin authentication against the external server with fallback to the internal DB

Go to System > Admin, set Authentication to "Authentication server w/fallback to Internal" and map the TACACS server.

Note: Fallback to the local DB happens only when the external (RADIUS/TACACS) authentication servers time out or are unreachable, not when the server rejects the credentials.

ClearPass Configuration:

Step 1: Add the IAP IP address/hostname in ClearPass as a network device under Configuration > Network > Devices (use the same shared secret key on both the IAP and CPPM).

Step 2: Create a TACACS-based enforcement profile, set the Privilege Level to 15 and the Selected Service to "Aruba Common".

Note: The IAP does not require an Aruba-Admin-Role returned by CPPM to assign the privilege. If you want Read-only or Guest Registration privileges instead, create the user account on the IAP under System > Admin > View only or Guest Registration Only.

Step 3: Create a TACACS service and map the above profile in its enforcement policy to authenticate the users.

You can use a simple service rule for service categorization.

The above configuration works for both Instant GUI and CLI admin logins.
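As an added illustration (not part of the original article), this Python builds the TACACS+ authentication START packet an IAP would send for an admin login and obfuscates it with the shared secret as RFC 8907 specifies; decoding it with a different secret yields garbage, which is why the key must be identical on the IAP and CPPM. The user, port, address, session id and secret are constructed sample values, and the priv_lvl here is the level the client requests, not the 15 that the CPPM enforcement profile grants.

```python
import hashlib
import struct

TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER = 0xC, 0x0              # RFC 8907 field values
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHEN_LOGIN = 0x01, 0x01            # packet type, START action
TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01, 0x01
HEADER = "!BBBBII"   # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: chained MD5(session_id | key | version | seq_no | previous digest)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice with the same key restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1):
    """Authentication START body for an ASCII login; priv_lvl is what the client asks for."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r


def build_packet(body, session_id, key, seq_no=1):
    """Prepend the 12-byte header (flags=0 means obfuscated) and obfuscate the body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER
    header = struct.pack(HEADER, version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet, key):
    """De-obfuscate with `key` and decode the START fields; a wrong key yields garbage."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack(HEADER, packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    _action, priv_lvl, _atype, _svc, ul, pl, rl, _dl = struct.unpack("!8B", body[:8])
    user_end, port_end = 8 + ul, 8 + ul + pl
    return {"priv_lvl": priv_lvl, "user": body[8:user_end],
            "port": body[user_end:port_end], "rem_addr": body[port_end:port_end + rl]}


# Constructed sample values: an admin logging in to the IAP web UI over HTTPS.
SAMPLE_KEY, SAMPLE_SESSION = b"constructed-shared-secret", 0x1A2B3C4D
SAMPLE_PACKET = build_packet(build_authen_start("admin", "https", "192.0.2.10"),
                             SAMPLE_SESSION, SAMPLE_KEY)
```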
