Block external IP address to access device via TACACS

Aruba Employee

Summary : This article describes how to reject all TACACS authentication requests that originate from external IP addresses.


Introduction :


This article describes how to create an enforcement policy that allows TACACS access only from internal IP addresses and rejects all such requests from external IP addresses.


Feature Notes :


This article applies to CPPM 6.2 and later.


Configuration Steps :


We have a few devices that, for whatever reason, sit on public IP addresses. How do we make sure that nobody (not even employees) can reach them from an external network?

Shell/SSH access to these devices must never be exposed to the Internet.

The recommended approach is to create an enforcement policy as described below and map it to the TACACS service.


The condition below allows access only to client IP addresses that begin with the given value; every other request is rejected.



The condition :



Connection Client-IP-Address BEGINS_WITH 10.10.10

This condition can be combined with other AND rules to further restrict the service. Customize it to your requirements.
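One check worth doing before relying on this rule: BEGINS_WITH is a string comparison, not a subnet test, so the prefix 10.10.10 also matches addresses such as 10.10.100.x. The script below is an added example (not part of the original article or of CPPM) that models the article's rule as a string prefix, compares it with a proper CIDR check against an assumed internal range of 10.10.10.0/24, and lists which addresses in a constructed sample slip through the string match.

```python
import ipaddress

# Constructed sample of Client-IP-Address values as a TACACS+ service
# might see them. The internal range 10.10.10.0/24 is an assumption.
SAMPLE_CLIENT_IPS = [
    "10.10.10.5",     # inside 10.10.10.0/24: should be accepted
    "10.10.10.250",   # inside 10.10.10.0/24: should be accepted
    "10.10.100.7",    # outside 10.10.10.0/24, but begins with "10.10.10"
    "10.10.1.7",      # does not begin with "10.10.10"
    "203.0.113.20",   # external (TEST-NET-3 documentation range)
    "198.51.100.9",   # external (TEST-NET-2 documentation range)
]


def begins_with_rule(client_ip: str, prefix: str = "10.10.10") -> bool:
    """Models the article's rule:
    Connection Client-IP-Address BEGINS_WITH <prefix>.
    This is a plain string prefix test, exactly as the operator name says."""
    return client_ip.startswith(prefix)


def cidr_rule(client_ip: str, allowed_networks=("10.10.10.0/24",)) -> bool:
    """Tighter check: accept only if client_ip parses as an address and lies
    inside one of the allowed networks. Unparsable input fails closed."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net, strict=True)
               for net in allowed_networks)


def classify(client_ips, rule):
    """Map each address to the enforcement result the given rule would give."""
    return {ip: ("ACCEPT" if rule(ip) else "REJECT") for ip in client_ips}


def overbroad(client_ips, prefix="10.10.10", allowed_networks=("10.10.10.0/24",)):
    """Addresses the BEGINS_WITH rule accepts but the CIDR rule rejects."""
    return [ip for ip in client_ips
            if begins_with_rule(ip, prefix) and not cidr_rule(ip, allowed_networks)]


if __name__ == "__main__":
    for ip, result in classify(SAMPLE_CLIENT_IPS, begins_with_rule).items():
        print(f"BEGINS_WITH 10.10.10  {ip:>14}  {result}")
    for ip, result in classify(SAMPLE_CLIENT_IPS, cidr_rule).items():
        print(f"in 10.10.10.0/24      {ip:>14}  {result}")
    print("accepted by prefix but outside the subnet:", overbroad(SAMPLE_CLIENT_IPS))
```

If the internal range really is a single /24, writing the prefix with a trailing dot (10.10.10.) closes this gap for a string operator; for anything that is not aligned on a dotted-decimal boundary, a subnet-based condition is the safer choice.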


Verification :



To verify, attempt a TACACS authentication from an external IP address; the request should be rejected (Access Reject).


Version history
Revision #: 1 of 1
Last update: 11-10-2014 03:51 AM


I have done this and it is working great, except for a specific vendor whose device treats the 'TACACS Deny Profile' as an accept response and allows read-only access to the device.

Any idea how to make CPPM respond with 'REJECT' instead?


