Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Restricting who can Authenticate to an end device depending on the AD group membership

  • 1.  Restricting who can Authenticate to an end device depending on the AD group membership

    Posted Apr 25, 2017 09:33 AM

    Current Setup:

    I have a few end devices using Aruba ClearPass to authenticate users via TACACS+. Once authenticated, users get privileges depending on their AD group memberships. We have 2 AD groups, one with default privileges and the other with admin privileges.

    At this point any user with valid AD credentials across all domains can log in to the device (irrespective of the group membership). They can't execute any commands as no privilege level is assigned, but this is still undesirable.


    Ideal Setup:

    We want to be able to block users from authenticating if they are not members of the above-mentioned AD groups. Is it possible to enforce a policy in which, if the privilege level of a user is undefined, authentication fails?


      Thanks! 



  • 2.  RE: Restricting who can Authenticate to an end device depending on the AD group membership

    EMPLOYEE
    Posted May 29, 2017 06:33 AM

    Return a TACACS Deny profile to users that you don't want to log in.


    What may help is checking the videos on Admin login in the following video series: http://community.arubanetworks.com/t5/Security/Aruba-ClearPass-Workshop-Video-series/td-p/291597 More specifically, the Admin Access #1 and #3.