Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Configuring management authentication for ClearPass against AD

  • 1.  Configuring management authentication for ClearPass against AD

    Posted Sep 30, 2015 10:34 AM

    Hello Guys,

    I am configuring a new service on CPPM so that AD users can manage ClearPass using their accounts. There is already a service configured with TACACS+ enforcement, but the authentication source it's using is the local database. I have tried adding a new authentication source "AD" but get the error that it's not editable. I have also tried creating the new service by following the link below:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Configure-management-authentication-for-ClearPass-against/ta-p/187296

    But when I try to save it, I am getting the error "Authorization is enabled but no authorization sources are configured".

    I would appreciate any help, if anyone has dealt with this issue before. Thanks

    Kind Regards,



  • 2.  RE: Configuring management authentication for ClearPass against AD

    EMPLOYEE
    Posted Sep 30, 2015 10:35 AM
    Uncheck the authorization check box on the first tab of the service.


  • 3.  RE: Configuring management authentication for ClearPass against AD

    Posted Sep 30, 2015 10:55 AM

    Hi Cappalli,

    Thanks for your reply. Yep, unchecked the authorization check box and it created the service, but for this service to work does it have to be before the old service which we were using to log in? The authentication source for the old service was the local database.

    Does the order of the services matter?

    During the logon using the AD account, in the username box do we have to give the AD name\ and then the account name?

    I am still unable to log in to CPPM using the AD account, and in the order the first service is using the local database as its authentication source and the AD service is 2nd on the list.

    Hope this makes sense, please let me know if you have any queries.

    Thanks



  • 4.  RE: Configuring management authentication for ClearPass against AD

    EMPLOYEE
    Posted Sep 30, 2015 10:58 AM
    Yes, the new service would have to be higher in the list.


  • 5.  RE: Configuring management authentication for ClearPass against AD

    Posted Sep 30, 2015 11:06 AM

    Hi,

    Thanks for your quick reply, moved the new service to the top of the list but still unable to log in using the AD account. Is there anything else which you can suggest to check?

    Thanks



  • 6.  RE: Configuring management authentication for ClearPass against AD
    Best Answer

    EMPLOYEE
    Posted Sep 30, 2015 11:07 AM
    What is access tracker showing?


  • 7.  RE: Configuring management authentication for ClearPass against AD

    Posted Sep 30, 2015 11:16 AM

    Hi,

    Just checked the access tracker; it's showing that the request has been rejected. I have checked the alert and it states "Authentication Privilege level mismatch".

    Thanks



  • 8.  RE: Configuring management authentication for ClearPass against AD

    Posted Sep 30, 2015 12:02 PM

    Hi,

    Thanks for all your help, managed to solve this issue. Do you know if it's possible to authenticate Aruba controller and AirWave server management against the AD?

    Thanks Again :)



  • 9.  RE: Configuring management authentication for ClearPass against AD

    EMPLOYEE
    Posted Sep 30, 2015 01:27 PM
    Yes, both can use the same TACACS+ service, you just need to add additional
    enforcement profiles to return the controller and AirWave management roles.
    You can also split them out into a separate TACACS+ service if desired.



    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-authenticate-Management-users-of-Aruba-Controllers-via/ta-p/187358


  • 10.  RE: Configuring management authentication for ClearPass against AD

    Posted Sep 30, 2015 02:26 PM

    Thanks, will do this later and will let you know how it goes!

     

    Kind Regards, 



  • 11.  RE: Configuring management authentication for ClearPass against AD

    Posted Oct 07, 2015 05:50 AM

    Hi Cappali, 

     

    All AD users are able to access ClearPass using their AD logins. Is it possible to only give access to the Admin group?

     

    Thanks 

     



  • 12.  RE: Configuring management authentication for ClearPass against AD

    Posted Oct 07, 2015 06:46 AM

    Hi Cappali, 

     

    Any help re my last reply will be appreciated. 

     

    Thanks 




  • 14.  RE: Configuring management authentication for ClearPass against AD

    EMPLOYEE
    Posted Oct 07, 2015 06:59 AM

    To be clear, the configuration that prevents anyone from logging in is the Tacacs Deny Profile here:  tacacs-deny.png



  • 15.  RE: Configuring management authentication for ClearPass against AD

    Posted Oct 07, 2015 07:05 AM

    Hi Cjoseph,

    Thanks for your reply. I have used the same article to configure the management access for CPPM through AD. The problem is that when I change the Default role to Guest or other as mentioned in the article, none of the users from AD are able to log in, and I need the Admin users to be able to log in.

    I have also added the role to allow Admin users access but no luck. The only time it works is when I change the default role to Read-only or super-admin, but it allows all AD users the same privileges.

    Thanks



  • 16.  RE: Configuring management authentication for ClearPass against AD

    EMPLOYEE
    Posted Oct 07, 2015 07:12 AM

    That probably means none of your mapping rules are matching.  What does your mapping rule screen look like?

    mapping.png



  • 17.  RE: Configuring management authentication for ClearPass against AD

    Posted Oct 07, 2015 07:32 AM

    Yep, it looks the same as the screenshot which you have provided, only my domain name and AD group are different.

     

    Thanks 



  • 18.  RE: Configuring management authentication for ClearPass against AD

    EMPLOYEE
    Posted Oct 07, 2015 07:42 AM

    That can only mean you are not matching anything.  I would open a case with support to check your work.



  • 19.  RE: Configuring management authentication for ClearPass against AD

    Posted Oct 07, 2015 09:15 AM

    Hi Cjoseph,

    I have managed to solve the issue and now I can log in to CPPM using the AD admin account, and normal AD users are not able to log in. Please can you help me configure a service on CPPM so that the Aruba controller and AirWave server log in through the AD the same as CPPM?

    Thanks



  • 20.  RE: Configuring management authentication for ClearPass against AD

    EMPLOYEE
    Posted Oct 07, 2015 09:35 AM

    An article on management authentication of Airwave using ClearPass is in the knowledgebase here:  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Airwave-External-Auth-using-CPPM-RADIUS/ta-p/183348

     

    An article on management authentication of an Aruba Controller using ClearPass is in the knowledgebase here:  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-authenticate-Management-users-of-Aruba-Controllers-via/ta-p/187358

     

    Please search the knowledgebase for answers to any questions.