Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM - Tips access with LDAP account

  • 1.  CPPM - Tips access with LDAP account

    Posted Aug 07, 2013 01:32 PM

    Hey,


    I was wondering if there is a safe way to 'replace' the default '[Policy Manager Admin Network Login Service]' with a service that would authenticate domain accounts instead of local accounts.


    This service can't be edited and I am hesitant to move this service from its default location (1) for fear that I will end up locking myself out of the CPPM while I test.


    I would like to use an LDAP group for admins that can log in to '/tips'. Currently it is set up for local accounts only.


    I was thinking of using the same method used to do the "Guest Operator Logins" service.

    My only fear though is the definition of the service. The only thing that filters the '[Policy Manager...]' service is the 'NAD-IP-ADDRESS'. I suspect I would have to put my custom service before the default service to do testing, but if I get the definition of the service wrong I could end up locking myself out of the CPPM. I think anyway...


    Does anyone have some recommendations I could try to set this up? Or is it not recommended?


    Thank you,


    Cheers



  • 2.  RE: CPPM - Tips access with LDAP account
    Best Answer

    EMPLOYEE
    Posted Aug 07, 2013 01:35 PM

    Create a TACACS policy and put it above the TIPS policy. In that policy you can map AD groups to the built-in TIPS roles that the next service will evaluate.

    [Attached screenshots: tacacs-rollmap3.PNG, tacacs-rollmap.PNG, tacacs-rollmap2.PNG]



  • 3.  RE: CPPM - Tips access with LDAP account

    Posted Aug 11, 2021 04:22 PM
    Does this setup require an Access license, or does a standard server Platform license suffice?

    ------------------------------
    Ed Santora
    ------------------------------



  • 4.  RE: CPPM - Tips access with LDAP account

    EMPLOYEE
    Posted Aug 12, 2021 03:11 AM
    TACACS requires 100 Access Licenses or more to be present for the feature to be enabled, but does not consume the licenses (unmetered).

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: CPPM - Tips access with LDAP account

    EMPLOYEE
    Posted Aug 07, 2013 01:35 PM

    This can be done...just copy that default service and in the new service add BOTH the LDAP server and the admin user repository as authentication sources so you don't get locked out while testing.  Meaning...admin/eTIPS123 will still work.



  • 6.  RE: CPPM - Tips access with LDAP account

    Posted Aug 07, 2013 01:39 PM

    Oh wow.. I am dumb..

    I didn't think of doing that honestly and I don't know why!


    Thank you guys for the suggestions!


    I will start testing right away!



  • 7.  RE: CPPM - Tips access with LDAP account

    Posted Aug 08, 2013 09:19 AM

    Hey,


    Thanks for the suggestions guys.

    Worked perfectly.


    I was able to create the service and successfully test the login using an LDAP account and I did not lock myself out of the system!


    Cheers


    P.S. I would mark both as "the solution" but I don't think that I can :(