04-25-2017 06:32 AM
I have few end devices using Aruba ClearPass to authenticate users via TACACS+. Once authenticated, users get privileges depending on their AD group memberships. We have 2 AD groups one with default privileges and other with admin privileges.
At this point any user with valid AD credentials across all domains can log in to the device (irrespective of the group membership). They can't execute any commands as no privilege level is assigned, but this is still undesirable.
We want to be able to block users from authenticating if they are not members of the above-mentioned AD groups. Is it possible to enforce a policy in which, if the privilege level of a user is undefined, authentication fails?
05-29-2017 03:33 AM
Return a TACACS Deny profile to users that you don't want to log in.
What may help is checking the videos on Admin login in the following video series: http://community.arubanetworks.com/t5/Security/Aruba-ClearPass-Workshop-Video-series/td-p/291597 More specifically the Admin Access #1 and #3.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
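To make the answer concrete, here is an added example (not part of the original thread, and not ClearPass's own API or configuration format) that models the enforcement policy the reply describes: AD group membership is matched against an ordered rule list, and a user who matches none of the rules falls through to a deny profile instead of being accepted with no privilege level. The group DNs, profile names and sample users are constructed assumptions; the reply fields only mirror the shape of a TACACS+ authorization result and are not a protocol implementation.

```python
# Added example: a first-match enforcement policy for TACACS+ device admin,
# modelled after the ClearPass behaviour described in the answer above.
# All group DNs, profile names and users below are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ADMIN_GROUP = "CN=NetAdmins,OU=Groups,DC=example,DC=com"    # assumed AD group
DEFAULT_GROUP = "CN=NetOps,OU=Groups,DC=example,DC=com"     # assumed AD group


@dataclass(frozen=True)
class Profile:
    """An enforcement profile: either accept with a privilege level, or deny."""
    name: str
    accept: bool
    priv_lvl: Optional[int] = None


ADMIN_PROFILE = Profile("TACACS Admin", accept=True, priv_lvl=15)
DEFAULT_PROFILE = Profile("TACACS Read-Only", accept=True, priv_lvl=1)
DENY_PROFILE = Profile("TACACS Deny", accept=False)

# Ordered rules: (required AD group, profile to return). Evaluated top-down,
# so a user in both groups gets the admin profile.
RULES: List[Tuple[str, Profile]] = [
    (ADMIN_GROUP, ADMIN_PROFILE),
    (DEFAULT_GROUP, DEFAULT_PROFILE),
]


def evaluate(member_of: Iterable[str],
             rules: List[Tuple[str, Profile]] = RULES,
             default: Profile = DENY_PROFILE) -> Profile:
    """Pick the enforcement profile for a user from their AD memberOf values.

    DN comparison is case-insensitive, as AD treats DNs case-insensitively.
    No rule match returns the deny profile: there is no 'accepted but no
    privilege level' outcome, which is the gap the question describes.
    """
    groups = {g.lower() for g in member_of}
    for required, profile in rules:
        if required.lower() in groups:
            return profile
    return default


def tacacs_result(profile: Profile) -> Dict[str, object]:
    """Render a profile as the status and attributes a TACACS+ reply carries."""
    if not profile.accept:
        return {"status": "FAIL", "attributes": []}
    return {"status": "PASS_ADD", "attributes": [f"priv-lvl={profile.priv_lvl}"]}


# Constructed sample users with their memberOf values.
SAMPLE_USERS = {
    "alice": [ADMIN_GROUP, DEFAULT_GROUP],
    "bob": [DEFAULT_GROUP],
    "carol": ["CN=Finance,OU=Groups,DC=example,DC=com"],   # valid AD user, wrong group
    "dave": [],
}


def decide_all(users: Dict[str, List[str]] = SAMPLE_USERS) -> Dict[str, Dict[str, object]]:
    """Evaluate every sample user and return their TACACS+ result."""
    return {name: tacacs_result(evaluate(groups)) for name, groups in users.items()}


if __name__ == "__main__":
    for user, result in decide_all().items():
        print(f"{user:6} -> {result['status']:9} {' '.join(result['attributes'])}")
```

The point of the deny-by-default fall-through is that "valid AD credentials" alone never yields an accept: only membership in one of the two mapped groups does, and the outcome for everyone else is an explicit FAIL that the device logs as a failed login rather than a session with no commands available.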