How to Configure management authentication for ClearPass against AD

Aruba Employee

Introduction : This article explains:

    i) Authenticating CPPM management users against AD.
    ii) Configuring the service on CPPM for this authentication.
    iii) Using a TACACS+ service for the authentication.


Feature Notes : An AD domain controller authenticates and authorizes all users and computers in a Windows domain network. CPPM can use AD as the authentication source for its own management users, and use AD group membership for role-based authorization of those users.


Environment : This knowledge base article is written for CPPM 6.x.


Configuration Steps :

The following steps are required:

1: Add Active Directory as an Authentication Source.
2: Configure the TACACS+ service on CPPM to authenticate management users.

The detailed steps for the service configuration are below.

2a: Log in to CPPM as an admin user, browse to Configuration » Services and click "Add new service". This opens a new window as below.


Select the following details:

Type : TACACS+ Enforcement
Name : The name of the service.
Description : A note for the administrator's understanding.
Make sure that the Authorization option is checked. This is what allows role-based authorization from AD group membership.
Add a rule as shown above: it means that any TACACS+ request with NAD-IP set to localhost (i.e. the ClearPass server itself authenticating its own management login) should hit this service.
Click Next.

2b: On this screen, add Active Directory as the Authentication Source and hit "Next".


2c: On the Authorization tab (present because Authorization was enabled in 2a), make sure Active Directory is also listed as an authorization source, then hit "Next". This is where the group-membership attributes used by the role mapping rules come from.


2d: On this page click "Add new Role Mapping Policy", which opens a new window as below.


On this page, set the Default Role. The article uses [TACACS Read-only Admin]. Be aware that the default role is assigned to every AD user who authenticates but matches none of the rules added in the next step, so with this default any AD account gets read-only access to ClearPass. If unmatched AD users should be rejected instead, set the default to a role such as [Guest], which matches no rule in the enforcement policy and therefore falls through to [TACACS Deny Profile]. Click "Next".

In this window, add the rules that assign roles for authorization.


The rule above means: if the user is a member of the Domain Admins group, the [TACACS Super Admin] role is assigned.

Similarly, add further rules as required, making sure that the option below is set. Because the first matching rule wins, put the most privileged group conditions first if a user can be a member of several mapped groups.


Rules Evaluation Algorithm:

First applicable



Once all the rules are configured, click Save; the screen returns to the service configuration. Select the Role Mapping Policy just created.


2e: Now, if required, add the Enforcement Policy.

Select the default policy "[Admin Network Login Policy]" from the drop-down. This policy maps the [TACACS ...] roles to the built-in admin privilege levels, and any role it does not list (such as [Guest]) falls through to its default profile, [TACACS Deny Profile].


Save the configuration.

Once done, log out and log in with a remote user (a user that exists in AD) to verify.
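The evaluation order that steps 2d and 2e configure, modelled in Python as an added example. This is not ClearPass code and not part of the original article: it reproduces the two-stage decision the article relies on (role mapping with "First applicable", then the enforcement policy with a default profile) so the default-role behaviour is visible before anyone logs in. The role and profile names are the ones the page uses; the AD group names, the helpdesk rule and role, the representation of group membership as a memberOf list and the sample users are assumptions constructed for illustration.

```python
"""Model of the TACACS+ role-mapping and enforcement evaluation configured above.

Added example, not ClearPass code: it only reproduces the evaluation order the
article describes so the default-role fall-through can be checked offline.
"""

# Role mapping rules, evaluated top to bottom ("First applicable"):
# (AD group expected in the user's memberOf attribute, role to assign).
# Group names are assumptions; ClearPass reads the real values from the AD
# authorization source added in step 2c.
ROLE_MAPPING_RULES = [
    ("Domain Admins", "[TACACS Super Admin]"),
    ("CPPM Helpdesk", "[TACACS Help Desk]"),  # assumed group and role
]

# Enforcement policy: role -> TACACS+ enforcement profile. A role that matches
# no rule gets the default profile. That is what makes [Guest] a safe default
# role: it is never listed here, so it ends in [TACACS Deny Profile].
ENFORCEMENT_RULES = {
    "[TACACS Super Admin]": "Super Administrator",
    "[TACACS Read-only Admin]": "Read-only Administrator",
    "[TACACS Help Desk]": "Helpdesk",
}
DENY_PROFILE = "[TACACS Deny Profile]"


def map_role(member_of, default_role, rules=ROLE_MAPPING_RULES):
    """First applicable: the first rule whose group appears in memberOf wins.
    A user matching no rule receives default_role, whatever that is set to."""
    groups = {g.casefold() for g in member_of}
    for group, role in rules:
        if group.casefold() in groups:
            return role
    return default_role


def enforce(role, rules=ENFORCEMENT_RULES, default=DENY_PROFILE):
    """Enforcement policy: the profile mapped to the role, or the deny default."""
    return rules.get(role, default)


def evaluate(member_of, default_role):
    """Full pipeline for one authenticated AD user -> (role, enforcement profile)."""
    role = map_role(member_of, default_role)
    return role, enforce(role)


def default_role_grants_access(default_role):
    """Audit check: does an AD user who matches no role-mapping rule still get
    a profile other than deny? True means every AD account can log in."""
    return enforce(default_role) != DENY_PROFILE


if __name__ == "__main__":
    # Constructed sample users: memberOf lists as the AD source would supply them.
    users = {
        "super-user": ["Domain Admins", "Domain Users"],
        "helpdesk1":  ["CPPM Helpdesk", "Domain Users"],
        "both":       ["CPPM Helpdesk", "Domain Admins"],  # rule order decides
        "jdoe":       ["Domain Users"],                     # ordinary AD account
    }
    for default in ("[TACACS Read-only Admin]", "[Guest]"):
        print(f"Default role {default}: unmatched AD users get access ="
              f" {default_role_grants_access(default)}")
        for name, groups in users.items():
            role, profile = evaluate(groups, default)
            print(f"  {name:<11} -> {role:<26} -> {profile}")
```

Running it shows the two outcomes side by side: with [TACACS Read-only Admin] as the default role, "jdoe" (plain Domain Users member) ends with the Read-only Administrator profile, whereas with [Guest] the same user ends in [TACACS Deny Profile]. The "both" user also shows why rule order matters under "First applicable".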

Verification : Log in to CPPM as an AD user.

I used a user "super-user" which is a member of the "Domain Admins" group. As per our configuration, we should get the "TACACS Super Admin" role.

After logging in, navigate to

Monitoring » Live Monitoring » Access Tracker and click the most recent event with the user name you logged in with.

In this test condition username = 


Click the Policies tab to check the assigned role and the enforcement profile that was applied.




Version history: Revision 2 of 2, last update 07-17-2014 07:35 AM
The problem here is anyone with an AD account will be granted read-only access. How do you create a default enforcement profile for TACACS that rejects access?

Hi Ben,


In the above (article) Role Mapping Policy, the default role is set to [TACACS Read-only Admin], that is why anyone with an AD account is able to get read-only access.



Please change the default role to another role such as [Guest] or [Other] in your Role Mapping Policy, which will reject access for unauthorized AD accounts.



Well thanks, it works. But it's a shame this is not intuitive and is inconsistent with the enforcement profiles system.

Hi Ben,

As per the Service, the enforcement profiles are applied based on the given role. Policy Manager assigns roles to the user/client as per the role mapping policy and then, based on the matching role, we apply the enforcement profiles.

Policy Manager evaluates the conditions in the role mapping to assign the roles. Users/clients not meeting the conditions are assigned the default role. In the original article the default role is [TACACS Read-only Admin], and the Enforcement Policy is set to assign the "Read-only Administrator" privilege to any user who gets the role [TACACS Read-only Admin].

In the above comment, you were asked to change the default role in the role mapping to [Guest], so that the users not meeting the conditions derived in the role mapping get the [Guest] role; when it goes to the enforcement policy evaluation, the [Guest] role won't match any of the conditions and ends up getting the default enforcement profile [TACACS Deny Profile], which rejects the access/authentication request.

Below are the default admin privileges, available in the CPPM.

Navigation : Administration >> Users and Privileges >> Admin Privileges.



Please follow the steps below if you wish to create your own enforcement Policy/Profiles.

Step 1: Creating Enforcement Profiles.

Go to Configuration >> Enforcement >> Profiles >> Add >> Template >> TACACS+ Based Enforcement and create the enforcement profiles with the required privileges as shown below.


Profile Name: Super Administrator


Profile Name: Helpdesk




Step 2: Creating Enforcement Policies.

Go to Configuration >> Enforcement >> Policies >> Add >> Set the Enforcement Type to TACACS+ and set the Default Role to [TACACS Deny Profile]. Derive the rules as per your requirement and map the Enforcement profiles.




Ex-2: If you wish to skip the Role Mapping, you could derive the enforcement policy as shown below and just map it to the service (role mapping is not required).



Ah, that's how I expected it to work. I looked for the 'TACACS Deny Profile' on my system but did not find it. It may have been inadvertently deleted.

Hi Saravanan,


What will happen if the AD server is unreachable? Will we be able to log in to the CPPM using the default username and password?


Thank you. 


Yes, that account will work at any time.

Hi, ClearPass Entry Licensing does not support TACACS+. Is it possible to use RADIUS for management authentication to ClearPass instead? Regards, Manfred M.