Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba IAP with tacacs and fallback

  • 1.  Aruba IAP with tacacs and fallback

    Posted Dec 19, 2017 06:13 AM

    Hi,

    In Aruba IAPs (Model 207) I've set "Authentication server with fallback". TACACS authentication is working fine. However, for some reason I'm still also able to log in to the IAP as local admin.

    From ClearPass I can see that it denies (Access Tracker says "rejected") that local user, but the IAP still lets it log in. Any solutions?

    In enforcement policies I've set the default policy to the default [TACACS Deny Profile].

    When logging in to the Aruba switches everything is working correctly. The local user is not usable if the TACACS connection is up.

    IAP software version is 6.5.4.3 and the model is IAP 207.

    Thank you for your help! :)



  • 2.  RE: Aruba IAP with tacacs and fallback

    EMPLOYEE
    Posted Dec 19, 2017 06:58 AM

    Unfortunately, using fallback means both servers will be used, even upon rejection from the TACACS server. The only solution is to ensure that your local username and password are different from the TACACS server. http://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#UG_files/Authentication/UserManagement/ConfAdminUser.htm?Highlight=tacacs



  • 3.  RE: Aruba IAP with tacacs and fallback

    Posted Dec 19, 2017 07:07 AM

    Hi,

    Thank you for your response. Can you specify what you mean?

    The problem here is that I can use the local account even when TACACS is UP. The guide says that this shouldn't be possible.

    The guide says:

    "Authentication server w/ fallback to internal option if you want to use both internal and external servers. When enabled, the authentication switches to Internal if there is no response from the RADIUS/TACACS server (RADIUS/TACACS server timeout)"



  • 4.  RE: Aruba IAP with tacacs and fallback

    EMPLOYEE
    Posted Dec 19, 2017 07:12 AM

    It also switches to internal for a reject. If you want the functionality changed, please log an issue here: innovate.arubanetworks.com/ideas



  • 5.  RE: Aruba IAP with tacacs and fallback
    Best Answer

    Posted Dec 28, 2017 01:22 AM

    For anyone with a similar problem, I solved this case the following way:

    - AD user with the same name and password as the local user in the IAP

    - Created a policy in ClearPass that forces "IAP guest-login" when that user tries to log in to IAPs.

    - Now when TACACS is active, the local IAP user is able to log in, but in read-only mode. If TACACS goes down, full rights.
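To make the behaviour discussed in this thread concrete, here is an added example (not code from Aruba or from any poster) that models the IAP login decision as the employee describes it (the internal database is also consulted after a TACACS reject, not only after a timeout) and shows why the two mitigations given above work: a local admin whose username or password differs from the TACACS one, and a ClearPass policy that returns a read-only role for the colliding username. The role names "admin" and "guest", the local database contents and the passwords are constructed for the illustration.

```python
from enum import Enum


class Tacacs(Enum):
    """Possible outcomes of the TACACS request sent to ClearPass."""
    ACCEPT = "accept"    # ClearPass accepted and returned a role
    REJECT = "reject"    # ClearPass rejected (Access Tracker shows "rejected")
    TIMEOUT = "timeout"  # no answer from the server


# Constructed IAP internal admin database: username -> (password, role)
LOCAL_ADMINS = {"admin": ("Secret123", "admin")}


def iap_login(user, password, tacacs_result, tacacs_role="admin",
              fallback_on_reject=True, local_db=LOCAL_ADMINS):
    """Model of 'Authentication server with fallback to internal'.

    fallback_on_reject=True reproduces the behaviour observed in the thread
    (internal DB tried after a reject); False reproduces the documented
    behaviour (internal DB tried only on timeout).
    Returns the effective role, or None when the login is denied.
    """
    if tacacs_result is Tacacs.ACCEPT:
        return tacacs_role                      # role chosen by ClearPass policy
    tried_internal = tacacs_result is Tacacs.TIMEOUT or (
        tacacs_result is Tacacs.REJECT and fallback_on_reject)
    if tried_internal:
        entry = local_db.get(user)
        if entry is not None and entry[0] == password:
            return entry[1]                     # local credentials matched
    return None


if __name__ == "__main__":
    # The problem: ClearPass rejects "admin", but the IAP still grants local admin.
    print("reject + fallback     :", iap_login("admin", "Secret123", Tacacs.REJECT))
    # Mitigation 1 (employee): local username differs from the TACACS one.
    print("reject, distinct local:", iap_login("admin", "Secret123", Tacacs.REJECT,
                                                local_db={"iap-local": ("Other1", "admin")}))
    # Mitigation 2 (best answer): ClearPass accepts the AD user with a read-only role.
    print("accept as guest       :", iap_login("admin", "Secret123", Tacacs.ACCEPT,
                                                tacacs_role="guest"))
    # TACACS down: fallback still grants full local rights.
    print("timeout               :", iap_login("admin", "Secret123", Tacacs.TIMEOUT))
```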