Silverpeak TACACS+ Admin Access Deny not working

Hello Everyone,

I am working to create a TACACS Service for Silverpeak Admin access. I have created a TACACS dictionary, and I am able to assign the role of admin or monitor. I base this on AD Group membership.

The default enforcement profile in my policy is [TACACS Deny Profile]. If a user authenticates successfully and does not get a role of SLVP_admin or SLVP_view, they are assigned the enforcement profile [TACACS Deny Profile].

However, they are still authenticated and put into the default user role as defined in Silverpeak. The default user role can only be admin or monitor; there is no deny option in SilverPeak.

So as a test I created a new enforcement profile based on silverpeak:ip with role=deny; however, it still hits the default role and grants access.

How can I force a deny on TACACS to Silverpeak? It seems if the user gets authenticated successfully, role mapping/enforcement does not deny them access.

Thanks,


_ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA

Re: Silverpeak TACACS+ Admin Access Deny not working

Found the issue. In Silverpeak the authorization needs to be set to Remote Only, instead of RemoteFirst. Then it does not take into account the local default user.

_ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA