How to configure TACACS+ to allow ports to be added to some VLANs but not others

Information

 
Title: How to configure TACACS+ to allow ports to be added to some VLANs but not others
Objective
Configure TACACS+ command authorization such that users can only add ports to a certain VLAN.
Environment
  • EXOS All
  • TACACS+ command authorization
  • Aruba ClearPass
Procedure
EXOS sends only the first word of a CLI command as the 'command' portion of the TACACS+ command authorization request; the rest of the command line is sent in the 'argument' field.

For example, the command
configure vlan data add port 1 untagged will result in the following values being sent to the TACACS+ server:

command='configure'
argument='vlan data add port 1 untagged'

Because the command field contains only 'configure', a rule that matches on the command alone would permit every configure command. The server must instead be configured to permit only argument values starting with 'vlan data add port' and to deny all other configuration. This can be accomplished by specifying a wildcard in the argument portion.

For this example, the command authorization configuration on the server would be to permit the following:
command='configure'
argument='vlan data add port .*'

where .* is a regular-expression wildcard that matches any sequence of characters (here, the port list and the tagged/untagged option), and data is the name of the VLAN to which port additions are permitted.

This example is for Aruba ClearPass, but configuration should be similar in other TACACS+ servers.
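The following Python model, added here as an illustration and not part of the original article or of any TACACS+ server's code, shows the two halves of the mechanism described above: how EXOS splits a CLI line into the 'command' and 'argument' fields, and how a server-side permit rule with a regex wildcard in the argument field decides the request. The rule names, the default-deny behaviour and the use of full-string (anchored) matching are assumptions of this model; real servers such as ClearPass may anchor patterns differently, so check the server's documentation for how its wildcards match.

```python
import re
from dataclasses import dataclass

def split_exos_command(cli_line):
    """Split a CLI line the way EXOS does for TACACS+ command authorization:
    the first word is the 'command', the remainder is the 'argument'."""
    parts = cli_line.strip().split(None, 1)
    command = parts[0] if parts else ""
    argument = parts[1] if len(parts) > 1 else ""
    return command, argument

@dataclass
class Rule:
    """One server-side command authorization rule (hypothetical structure).
    argument_regex is matched against the whole argument field."""
    command: str
    argument_regex: str
    permit: bool = True

# Rule set from the article: permit 'configure vlan data add port <anything>'.
# A 'show .*' rule is added here (assumption) so the user can still inspect state.
VLAN_DATA_ONLY_RULES = [
    Rule(command="configure", argument_regex=r"vlan data add port .*"),
    Rule(command="show", argument_regex=r".*"),
]

# Over-broad rule set for comparison: matching on the command word alone.
COMMAND_ONLY_RULES = [
    Rule(command="configure", argument_regex=r".*"),
]

def authorize(cli_line, rules):
    """Return True if some rule permits the command line, False otherwise.
    Assumes default deny and anchored (full-string) regex matching."""
    command, argument = split_exos_command(cli_line)
    for rule in rules:
        if rule.command == command and re.fullmatch(rule.argument_regex, argument):
            return rule.permit
    return False

# Constructed sample CLI lines a restricted user might type.
SAMPLE_COMMANDS = [
    "configure vlan data add port 1 untagged",
    "configure vlan data add port 1-4 tagged",
    "configure vlan voice add port 1 untagged",
    "configure vlan data delete port 1",
    "unconfigure vlan data",
    "show vlan",
]

def evaluate(rules, commands=SAMPLE_COMMANDS):
    """Map each sample command to its authorization decision under 'rules'."""
    return {line: authorize(line, rules) for line in commands}

if __name__ == "__main__":
    for line, decision in evaluate(VLAN_DATA_ONLY_RULES).items():
        cmd, arg = split_exos_command(line)
        print(f"command={cmd!r} argument={arg!r} -> {'PERMIT' if decision else 'DENY'}")
    print("command-only rule permits voice VLAN change:",
          authorize("configure vlan voice add port 1 untagged", COMMAND_ONLY_RULES))
```

Running the block prints the decision for each constructed command: only additions to VLAN data (and show commands) are permitted, while adding ports to VLAN voice, deleting ports, and unconfigure are denied; the last line shows why a rule on the command word alone is not sufficient.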
Additional notes
For additional details on wildcards in Aruba ClearPass, see the following post from Aruba's community:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/TACACS-Command-Authorization-Restriction/td-p/256940
