How to authenticate IAP admin user against CPPM over TACACS.

Aruba Employee

This article shows how to configure IAP management/admin user authentication against ClearPass over TACACS.


TACACS+ support is only available from the Instant code version - x.x.x.


IAP Configuration:

Step 1: Adding CPPM as TACACS Server in IAP

Go to Security > Authentication Servers > New > TACACS and add the ClearPass server.




Step 2: Enabling Admin authentication against External Server with fallback to Internal DB.

Go to System > Admin, set Authentication to "Authentication server w/fallback to Internal" and map the TACACS server.

Note: Authentication falls back to the local DB only when the external (RADIUS/TACACS) authentication servers time out or are not available.




ClearPass Configuration:

Step 1: Add the IAP IP address/hostname in ClearPass as a Network Device under Configuration > Network > Devices. (Use the same Shared Secret key on both IAP and CPPM.)

Step 2: Create a TACACS-based enforcement profile, set the Privilege Level to 15 and set Selected Service to "Aruba Common".

Note: IAP doesn't require Aruba-Admin-Role to be returned by CPPM to assign the privilege. If you want a Read-only or Guest Registration privilege, the user account can be created in IAP under System > Admin > View only or Guest Registration Only.




Step 3: Create a TACACS Service and map the above Profile in the Enforcement Policy to authenticate the users.

You could use the simple Service Rule shown below for service categorization.




The above configuration works for Instant GUI and CLI admin login.

Version history
Revision #:
1 of 1
Last update:
‎08-07-2014 06:55 AM