CPPM - Tips access with LDAP account



I was wondering if there is a safe way to 'replace' the default '[Policy Manager Admin Network Login Service]' with a service that would authenticate domain accounts instead of local accounts.


This service can't be edited and I am hesitant to move this service from its default location (1) for fear that I will end up locking myself out of the CPPM while I test.


I would like to use an LDAP group for admins that can log in to '/tips'. Currently it is set up for local accounts only.


I was thinking of using the same method used to do the "Guest Operator Logins" service.

My only fear though is the definition of the service. The only thing that filters the '[Policy Manager...]' service is the 'NAD-IP-ADDRESS'. I suspect I would have to put my custom service before the default service to do testing, but if I get the definition of the service wrong I could end up locking myself out of the CPPM. I think anyway...


Does anyone have some recommendations I could try to set this up? Or is it not recommended?


Thank you,



Guru Elite

Re: CPPM - Tips access with LDAP account

Create a TACACS policy and put it above the TIPS policy. In that policy you can map AD groups to the built-in TIPS roles that the next service will evaluate.







Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480

Re: CPPM - Tips access with LDAP account

This can be done...just copy that default service and in the new service add BOTH the LDAP server and the admin user repository as authentication sources so you don't get locked out while testing.  Meaning...admin/eTIPS123 will still work.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos

Re: CPPM - Tips access with LDAP account

Oh wow.. I am dumb..

I didn't think of doing that honestly and I don't know why!


Thank you guys for the suggestions!


I will start testing right away!


Re: CPPM - Tips access with LDAP account



Thanks for the suggestions guys.

Worked perfectly.


I was able to create the service and successfully test the login using an LDAP account and I did not lock myself out of the system!




P.S. I would mark both as "the solution" but I don't think that I can :(
