Occasional Contributor II

Aruba IAP with tacacs and fallback

Hi,

On Aruba IAPs (model 207) I've set "Authentication server with fallback". TACACS authentication is working fine. However, for some reason I'm still also able to log in to the IAP as the local admin.

From ClearPass I can see that it denies (Access Tracker says "rejected") that local user, but the IAP still lets it log in. Any solutions?

In enforcement policies I've set the default policy to the default [TACACS Deny Profile].

When logging in to the Aruba switches everything works correctly: the local user is not usable if the TACACS connection is up.

IAP software version is 6.5.4.3 and the model is IAP 207.

Thank you for your help! :)

Guru Elite

Re: Aruba IAP with tacacs and fallback

Unfortunately, using fallback means both servers will be used, even upon rejection from the TACACS server. The only solution is to ensure that your local username and password are different from the TACACS server's. http://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#UG_files/Authentication/UserManagement/ConfAdminUser.htm?Highlight=tacacs


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Occasional Contributor II

Re: Aruba IAP with tacacs and fallback

Hi,

Thank you for your response. Can you specify what you mean?

The problem here is that I can use the local account even when TACACS is UP. The guide says that this shouldn't be possible.

The guide says:

"Authentication server w/ fallback to internal option if you want to use both internal and external servers. When enabled, the authentication switches to Internal if there is no response from the RADIUS/TACACS server (RADIUS/TACACS server timeout)"

Guru Elite

Re: Aruba IAP with tacacs and fallback

It also switches to internal for a reject. If you want the functionality changed, please log an issue here: innovate.arubanetworks.com/ideas


Occasional Contributor II

Re: Aruba IAP with tacacs and fallback

For anyone with a similar problem, I solved this case the following way:

- An AD user with the same name and password as the local user in the IAP.

- Created a policy in ClearPass that, when that user tries to log in to IAPs, forces "IAP guest-login".

- Now when TACACS is active, the local IAP user is able to log in but in read-only mode. If TACACS goes down, full rights.
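As an added illustration (not code from this thread, from Aruba or from ClearPass), the Python model below encodes the fallback behaviour described in the replies, i.e. the IAP consults its internal database after a TACACS reject as well as after a timeout, and evaluates each configuration discussed: the original problem, fallback on timeout only, mismatched local credentials, and the read-only "guest-login" workaround. The user names, passwords and role strings are constructed.

```python
# Constructed stand-in for ClearPass TACACS+ authentication.
# server_users: username -> (password, role returned by the enforcement profile).
def tacacs_lookup(server_users, username, password, reachable=True):
    if not reachable:
        return "timeout", None
    entry = server_users.get(username)
    if entry and entry[0] == password:
        return "accept", entry[1]
    return "reject", None

def iap_login(username, password, server_users, local_users,
              reachable=True, fallback_on_reject=True):
    """Model of the IAP 'Authentication server with fallback' decision.
    fallback_on_reject=True is the behaviour described in the thread: the
    internal database is consulted after a REJECT, not only after a TIMEOUT.
    Returns the effective role, or None when the login is denied."""
    result, role = tacacs_lookup(server_users, username, password, reachable)
    if result == "accept":
        return role
    if result == "timeout" or fallback_on_reject:
        local = local_users.get(username)
        if local and local[0] == password:
            return local[1]
    return None

def scenarios():
    """The thread's cases, as effective roles for a login of admin/s3cret."""
    local = {"admin": ("s3cret", "admin")}            # IAP internal admin (constructed)
    local_diff = {"admin": ("other-pw", "admin")}     # local password differs
    deny_all = {}                                     # ClearPass rejects: no such user
    read_only = {"admin": ("s3cret", "guest-login")}  # AD twin forced to guest-login
    return {
        # Original problem: ClearPass rejects, yet the local admin still gets in.
        "reject_falls_back": iap_login("admin", "s3cret", deny_all, local),
        # Fallback on timeout only, which is what the guide's wording suggests.
        "reject_no_fallback": iap_login("admin", "s3cret", deny_all, local,
                                        fallback_on_reject=False),
        # Mitigation: local password differs from the one presented to TACACS.
        "different_local_pw": iap_login("admin", "s3cret", deny_all, local_diff),
        # Workaround: read-only while TACACS is up, full local rights when it is down.
        "workaround_up": iap_login("admin", "s3cret", read_only, local),
        "workaround_down": iap_login("admin", "s3cret", read_only, local,
                                     reachable=False),
    }
```

Calling `scenarios()` shows the rejected login still yielding the "admin" role under the fallback-on-reject behaviour, and None once the local password differs.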
