
How to authenticate IAP admin user against CPPM over TACACS.

by on ‎08-07-2014 06:55 AM

This article explains how to configure IAP management (admin) user authentication against ClearPass over TACACS.

 

TACACS+ support is only available from the Instant code version 6.4.0.2 - x.x.x.

 

IAP Configuration:

Step 1: Adding CPPM as TACACS Server in IAP

Go to Security > Authentication Servers > New > TACACS and add the ClearPass server.

 


 

Step 2: Enabling Admin authentication against External Server with fallback to Internal DB.

Go to System > Admin, set Authentication to "Authentication server w/fallback to Internal" and map the TACACS server.

Note: Authentication falls back to the local DB only when the external (RADIUS/TACACS) authentication servers time out or are not available.

 


 

ClearPass Configuration:

Step 1: Add the IAP IP address/hostname in ClearPass as a Network Device under Configuration > Network > Devices. (Use the same Shared Secret key on both IAP and CPPM.)

Step 2: Create a TACACS-based enforcement profile, set the Privilege Level to 15 and set Selected Service to "Aruba Common".

Note: IAP doesn't require Aruba-Admin-Role to be returned by CPPM to assign the privilege. If you wish to have Read-only or Guest Registration privilege, the user account can be created in IAP under System > Admin > View only or Guest Registration Only.

 


 

Step 3: Create a TACACS Service and map the above Profile in the Enforcement Policy to authenticate the users.

You could use a simple Service Rule for service categorization.

 

The above configuration works for Instant GUI and CLI admin login.
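
Why the Shared Secret key from ClearPass Step 1 has to be identical on IAP and CPPM, as an added example that is not part of the original article and is not Aruba or ClearPass code: a minimal Python model of the TACACS+ body obfuscation defined in RFC 8907, in which a reply produced under one key cannot be decoded under another. The session id, keys and server message are constructed values, and all function names are hypothetical.

```python
import hashlib
import struct

TAC_PLUS_VER = 0xC0      # major version 0xC, minor version 0 (RFC 8907)
TAC_PLUS_AUTHEN = 0x01   # packet type: authentication
STATUS_PASS = 0x01       # TAC_PLUS_AUTHEN_STATUS_PASS

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 section 4.5, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR operation."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_reply(session_id, seq_no, key, status, server_msg=b""):
    """Server side: authentication REPLY (clear header + obfuscated body)."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    header = struct.pack("!BBBBII", TAC_PLUS_VER, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VER, seq_no)

def parse_reply(packet, key):
    """Client side: return the status, or raise ValueError on a key mismatch."""
    version, _type, seq_no, _flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    body = xor_body(packet[12:12 + length], session_id, key, version, seq_no)
    status, _f, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    # A wrong key decodes the length fields to garbage that contradicts the header.
    if 6 + msg_len + data_len != length:
        raise ValueError("body lengths inconsistent: shared key mismatch?")
    return status

def demo():
    # Constructed values: session id, keys and message are made up.
    packet = build_reply(0x1A2B3C4D, 2, b"cppm-shared-key", STATUS_PASS, b"ok")
    try:
        mismatch = parse_reply(packet, b"iap-typo-key")
    except ValueError as exc:
        mismatch = str(exc)
    return parse_reply(packet, b"cppm-shared-key"), mismatch

if __name__ == "__main__": print(demo())
```

The pad is only an MD5-derived XOR stream, which RFC 8907 itself describes as obfuscation rather than encryption, so use a long random key and keep IAP-to-CPPM TACACS+ traffic on a trusted management network.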
