01-05-2015 03:50 PM
Hey guys, I have a rather dumb question. I have a customer with CPPM with a big list of RADIUS service policies that I set up for admin access to various vendors, Aruba, Palo Alto, Cisco, Checkpoint. The service rules for the policies are very basic and only consist of the source device group that I set up for each one respectively, and then each one has its own specific list of enforcement policies.
Everything works great, however we are looking to migrate RADIUS authentication for wireless users over to this CPPM and I can't figure out how to keep the regular user authentications from hitting the admin service policy. Seems like this should be pretty simple. I normally use the Aruba-Essid-Name equals to separate out policies for different WLANs but I can't figure out how to separate Admins.
01-05-2015 03:54 PM
You could also consider using TACACS+ for management AAA as its a bit more robust.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
01-05-2015 04:08 PM
The SSID attribute actually shows up when an Admin tries to authenticate to a controller itself when they are on one of the Aruba wireless networks, which I thought was kind of odd. I found this out when I tried putting Radius:Aruba Aruba-Essid-Name Not Exist in the policy, trying to keep it separate. This works except when an admin is on the wireless network they can't admin a controller.
01-05-2015 06:43 PM
Does your wireless service include the following?
Radius:IETF -- NAS-Port-Type -- EQUALS -- Wireless-802.11 (19)
Try adding the following to your admin login service:
Radius:IETF -- Service Type -- EQUALS -- Administrative-User (6)
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
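As an added example (not from this thread and not ClearPass code), the small Python model below mimics ClearPass service classification over RADIUS request attributes. It shows why keying the admin service on the device group alone lets wireless users in, why the Aruba-Essid-Name NOT_EXISTS attempt locks out admins on the WLAN, and why Service-Type = Administrative-User (6) plus NAS-Port-Type = Wireless-802.11 (19) separates the two. The device group, service names and request contents are constructed; the admin request is assumed to carry no NAS-Port-Type.

```python
# Added example: toy model of ClearPass service-rule matching over RADIUS
# request attributes. Not ClearPass code; requests and the device group are constructed.

def rule_matches(req, rule):
    """One service rule: (attribute, operator, value)."""
    attr, op, value = rule
    if op == "EQUALS":
        return req.get(attr) == value
    if op == "NOT_EXISTS":
        return attr not in req
    if op == "BELONGS_TO_GROUP":  # e.g. Connection:NAD-IP-Address in a device group
        return req.get(attr) in value
    raise ValueError(f"unknown operator {op}")

def classify(req, services):
    """Services are tried top-down; the first whose rules ALL match wins."""
    for name, rules in services:
        if all(rule_matches(req, r) for r in rules):
            return name
    return None  # no service matched: request is rejected

CONTROLLERS = {"10.0.0.5"}  # constructed "Aruba controllers" device group
ADMIN_ON_GROUP = ("Connection:NAD-IP-Address", "BELONGS_TO_GROUP", CONTROLLERS)
WIRELESS_PORT = ("Radius:IETF:NAS-Port-Type", "EQUALS", 19)      # Wireless-802.11
ADMIN_SVC_TYPE = ("Radius:IETF:Service-Type", "EQUALS", 6)       # Administrative-User
NO_ESSID = ("Radius:Aruba:Aruba-Essid-Name", "NOT_EXISTS", None)

# Original setup: admin service keyed only on the device group.
ORIGINAL = [("Admin-Aruba", [ADMIN_ON_GROUP]), ("Wireless-Users", [WIRELESS_PORT])]
# First attempt from the thread: exclude requests that carry an ESSID.
ESSID_ATTEMPT = [("Admin-Aruba", [ADMIN_ON_GROUP, NO_ESSID]), ("Wireless-Users", [WIRELESS_PORT])]
# Fix suggested in the answer: key the admin service on Service-Type as well.
FIXED = [("Admin-Aruba", [ADMIN_ON_GROUP, ADMIN_SVC_TYPE]), ("Wireless-Users", [WIRELESS_PORT])]

# Constructed requests. The controller reports the SSID even for an admin login
# made from the corporate WLAN, which is what defeats the NOT_EXISTS rule.
WIFI_USER = {"Connection:NAD-IP-Address": "10.0.0.5", "Radius:IETF:NAS-Port-Type": 19,
             "Radius:Aruba:Aruba-Essid-Name": "corp"}
ADMIN_ON_WIFI = {"Connection:NAD-IP-Address": "10.0.0.5", "Radius:IETF:Service-Type": 6,
                 "Radius:Aruba:Aruba-Essid-Name": "corp"}

def outcomes(services):
    """Which service each constructed request lands in under a given service list."""
    return {"wifi_user": classify(WIFI_USER, services),
            "admin_on_wifi": classify(ADMIN_ON_WIFI, services)}

if __name__ == "__main__":
    for label, svc in [("original", ORIGINAL), ("essid", ESSID_ATTEMPT), ("fixed", FIXED)]:
        print(label, outcomes(svc))
```

With the original list the wireless user is classified into the admin service; with the ESSID attempt the admin on the WLAN matches no service at all; only the fixed list sends each request where it belongs.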