
Silverpeak TACACS+ Admin Access Deny not working

  • 1.  Silverpeak TACACS+ Admin Access Deny not working

    Posted Nov 21, 2017 11:38 AM

    Hello Everyone,

     

    I am working to create a TACACS Service for Silverpeak Admin access. I have created a TACACS dictionary, and I am able to assign the role of admin or monitor. I base this on AD Group membership.

     

    The default enforcement profile in my policy is [TACACS Deny Profile]. If a user authenticates successfully, and does not get a role of SLVP_admin or SLVP_view, they are assigned the enforcement profile [TACACS Deny Profile].

     

    However, they are still authenticated and put into the default user role as defined in silverpeak. The default user role can only be admin or monitor; there is no deny option in SilverPeak.

     

    So as a test I created a new enforcement profile based on silverpeak:ip with role=deny, however it still hits the default role and grants access.

     

    How can I force a deny on TACACS to silverpeak? It seems if the user gets authenticated successfully, role mapping/enforcement does not deny them access.

     

    Thanks,


    _ELiasz



  • 2.  RE: Silverpeak TACACS+ Admin Access Deny not working
    Best Answer

    Posted Nov 21, 2017 12:36 PM

    Found the issue. In silverpeak the authorization needs to be set to Remote Only, instead of RemoteFirst. Then it does not take into account the local default user.

     

    _ELiasz