Super Contributor II
Posts: 368
Registered: ‎09-05-2012

CPPM - Tips access with LDAP account

Hey,

I was wondering if there is a safe way to 'replace' the default '[Policy Manager Admin Network Login Service]' with a service that would authenticate domain accounts instead of local accounts.

This service can't be edited and I am hesitant to move this service from its default location (1) for fear that I will end up locking myself out of the CPPM while I test.

I would like to use an LDAP group for admins that can log in to '/tips'. Currently it is set up for local accounts only.

I was thinking of using the same method used to do the "Guest Operator Logins" service.

My only fear though is the definition of the service. The only thing that filters the '[Policy Manager...]' service is the 'NAD-IP-ADDRESS'. I suspect I would have to put my custom service before the default service to do testing, but if I get the definition of the service wrong I could end up locking myself out of the CPPM. I think anyway...

Does anyone have some recommendations I could try to set this up? Or is it not recommended?

Thank you,

Cheers

Guru Elite
Posts: 7,823
Registered: ‎09-08-2010

Re: CPPM - Tips access with LDAP account

Create a TACACS policy and put it above the TIPS policy. In that policy you can map AD groups to the built-in TIPS roles that the next service will evaluate.

[Screenshots attached to the original post: tacacs-rollmap3.PNG, tacacs-rollmap.PNG, tacacs-rollmap2.PNG]


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: CPPM - Tips access with LDAP account

This can be done. Just copy that default service and, in the new service, add BOTH the LDAP server and the admin user repository as authentication sources so you don't get locked out while testing. Meaning admin/eTIPS123 will still work.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Super Contributor II
Posts: 368
Registered: ‎09-05-2012

Re: CPPM - Tips access with LDAP account

Oh wow... I am dumb...

I didn't think of doing that, honestly, and I don't know why!

Thank you guys for the suggestions!

I will start testing right away!

Super Contributor II
Posts: 368
Registered: ‎09-05-2012

Re: CPPM - Tips access with LDAP account

Hey,

Thanks for the suggestions, guys.

Worked perfectly.

I was able to create the service and successfully test the login using an LDAP account, and I did not lock myself out of the system!

Cheers

P.S. I would mark both as "the solution" but I don't think that I can :(
