Current Setup:
I have a few end devices using Aruba ClearPass to authenticate users via TACACS+. Once authenticated, users get privileges depending on their AD group memberships. We have 2 AD groups, one with default privileges and the other with admin privileges.
At this point any user with valid AD credentials across all domains can log in to the device (irrespective of group membership). They can't execute any commands as no privilege level is assigned, but this is still undesirable.
Ideal Setup:
We want to be able to block users from authenticating if they are not members of the above-mentioned AD groups. Is it possible to enforce a policy in which, if the privilege level of a user is undefined, authentication will fail?
Thanks!