Security

New Contributor
Posts: 1
Registered: 04-25-2017

Restricting who can Authenticate to an end device depending on the AD group membership

Current Setup:

I have a few end devices using Aruba ClearPass to authenticate users via TACACS+. Once authenticated, users get privileges depending on their AD group memberships. We have two AD groups, one with default privileges and the other with admin privileges.

At this point any user with valid AD credentials across all domains can log in to the device (irrespective of group membership). They can't execute any commands, as no privilege level is assigned, but this is still undesirable.

Ideal Setup:

We want to be able to block users from authenticating if they are not members of the above-mentioned AD groups. Is it possible to enforce a policy in which, if the privilege level of a user is undefined, authentication fails?

Thanks!

MVP
Posts: 554
Registered: 11-04-2011

Re: Restricting who can Authenticate to an end device depending on the AD group membership

Return a TACACS Deny profile to users that you don't want to log in.

What may help is checking the videos on Admin login in the following video series: http://community.arubanetworks.com/t5/Security/Aruba-ClearPass-Workshop-Video-series/td-p/291597 More specifically, the Admin Access #1 and #3.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
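To make the default-deny idea concrete, here is an added example (not ClearPass code, and not from either poster) that models a TACACS+ enforcement policy as first-match rules on AD group membership with a default profile; the group DNs and profile names are assumed placeholders. It contrasts a policy whose fall-through assigns no privilege (the original poster's situation) with one whose fall-through returns a deny profile.

```python
"""Model of a ClearPass-style TACACS+ enforcement policy with default deny.

Constructed example, not ClearPass code. Each rule matches on AD group
membership and returns a TACACS+ profile; the default profile applies
when no rule matches. Group DNs and profile names are assumed placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class TacacsProfile:
    name: str
    privilege_level: Optional[int]  # None = no privilege level assigned
    deny: bool = False              # True = reject the login outright


# Assumed placeholder profiles; substitute the real ones from ClearPass.
ADMIN_PROFILE = TacacsProfile("Network-Admin", privilege_level=15)
STANDARD_PROFILE = TacacsProfile("Network-Standard", privilege_level=1)
DENY_PROFILE = TacacsProfile("TACACS-Deny", privilege_level=None, deny=True)
# What a policy with no deny fall-through effectively hands back:
NO_PRIV = TacacsProfile("No-Privilege", privilege_level=None)

# (required AD group DN, profile to return), evaluated first match wins.
RULES: List[Tuple[str, TacacsProfile]] = [
    ("CN=NetAdmins,OU=Groups,DC=example,DC=local", ADMIN_PROFILE),
    ("CN=NetUsers,OU=Groups,DC=example,DC=local", STANDARD_PROFILE),
]


def evaluate(groups: Iterable[str], rules=RULES, default=DENY_PROFILE):
    """Return the profile for a user's AD groups; `default` if none match."""
    member = {g.lower() for g in groups}  # DN comparison is case-insensitive
    for required, profile in rules:
        if required.lower() in member:
            return profile
    return default


def login_allowed(groups: Iterable[str], default=DENY_PROFILE) -> bool:
    """Authentication outcome: only a deny profile rejects the session."""
    return not evaluate(groups, default=default).deny
```

With `default=NO_PRIV` a user in neither group still logs in (with no privilege level), which is the behaviour the question describes; with the deny profile as the fall-through, the same user is rejected.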