Occasional Contributor II
Posts: 11
Registered: ‎01-18-2017

Clearpass and specific AD group

Hi,

I've been trying to configure TACACS with AD authentication this whole week, but with no success.

Can someone tell me how to authenticate against a specific AD group? Now Clearpass is allowing all AD users to log in to network devices. I want only users in a specific AD group to be allowed to log in to network devices.

Thank you very much for your help!

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Clearpass and specific AD group

Need to post a screen shot of your role mapping and enforcement profile.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II
Posts: 11
Registered: ‎01-18-2017

Re: Clearpass and specific AD group

Hi,

How are these settings related to what Clearpass is looking for from Windows AD?

All I want is that if a user belongs to the TACACS group in Windows AD, they are authenticated, otherwise not.

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Clearpass and specific AD group

Because in either the role mapping and/or enforcement you need to have a "member belongs to x group". If you share a screen shot, then we can tell you if it is set up correctly.

Thank You,
Troy

Occasional Contributor II
Posts: 11
Registered: ‎01-18-2017

Re: Clearpass and specific AD group

Ok, so it's not done under the "Authentication" tab?

Like "Look users from this specific AD group"?

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Clearpass and specific AD group

Example:

FullSizeRender.jpg

FullSizeRender[1].jpg

Thank You,
Troy

Occasional Contributor II
Posts: 11
Registered: ‎01-18-2017

Re: Clearpass and specific AD group

Hi,

Mine looks like:

cppm_roles.jpg

cppm_enforcement.jpg

"Tacacs-FullAccess" is the AD group that the allowed users belong to.

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Clearpass and specific AD group

You don't need to define it in both the role and enforcement. I only do it because I use two separate domains and want to get more granular.

You also have your default as an allow, so if the user was just found in AD then you will allow all. That should be like mine, where if they don't fit my conditions then it sends a reject.
Thank You,
Troy

Occasional Contributor II
Posts: 11
Registered: ‎01-18-2017

Re: Clearpass and specific AD group

Hi,

I switched the default to "Not_allowed" but still all AD users are able to log in to network devices.

cppm_roles2.jpg

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Clearpass and specific AD group

You need to just delete the role mapping. Only use enforcement, and you need to change the default there.
Thank You,
Troy
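
The default-profile behaviour discussed in this thread, as an added example that is not part of any post and is not ClearPass code: a small Python model of an enforcement policy that returns the first matching rule's profile, or else the default profile, and lists which users outside the allowed group still get access. The profile names, the user records and the `example.com` DNs are constructed assumptions; only the group name "Tacacs-FullAccess" comes from the thread.

```python
# Model of a first-match enforcement policy with a default profile.
# Profile names, users and DNs are constructed for illustration only.
ALLOW, DENY = "tacacs-allow", "tacacs-deny"  # hypothetical profile names

def group_cns(member_of):
    """Lower-cased CN of each AD memberOf DN (simplified: assumes the
    group CN contains no escaped commas)."""
    cns = set()
    for dn in member_of:
        key, _, value = dn.split(",", 1)[0].partition("=")
        if key.strip().lower() == "cn" and value:
            cns.add(value.strip().lower())
    return cns

def evaluate(policy, user):
    """Profile of the first rule whose group the user is in,
    otherwise the policy's default profile."""
    groups = group_cns(user["memberOf"])
    for required_group, profile in policy["rules"]:
        if required_group.lower() in groups:
            return profile
    return policy["default"]

def fail_open_users(policy, users, allowed_group):
    """Users outside allowed_group who still receive the allow profile."""
    return sorted(
        u["name"] for u in users
        if allowed_group.lower() not in group_cns(u["memberOf"])
        and evaluate(policy, u) == ALLOW
    )

# Constructed sample directory entries.
USERS = [
    {"name": "netadmin", "memberOf": ["CN=Tacacs-FullAccess,OU=Groups,DC=example,DC=com"]},
    {"name": "helpdesk", "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
    {"name": "nogroups", "memberOf": []},
]

# Default allow: any user found in AD falls through to access.
FAIL_OPEN = {"rules": [("Tacacs-FullAccess", ALLOW)], "default": ALLOW}
# Default deny: only the group rule grants access.
FAIL_CLOSED = {"rules": [("Tacacs-FullAccess", ALLOW)], "default": DENY}

if __name__ == "__main__":
    for label, policy in (("default allow", FAIL_OPEN), ("default deny", FAIL_CLOSED)):
        print(label, "->", fail_open_users(policy, USERS, "Tacacs-FullAccess"))
```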
