05-28-2014 06:21 AM
Hi there, me again. I have now moved to working on read-only access on an Aruba Wi-Fi controller.
We have Aruba CPPM set up to return the read-only role using the 'Aruba:common' setting for Aruba-Admin-Role role=read-only
The authentication works then I get the following error message for the privilege level:
INFO AAA.AuthenLoginSession - completeAuthentication: Requested priv_level=15 greater than Max Allowed priv_level=0
The CPPM is set with the priv_level service set to 0 - I can get it working if I set that to 15 but then it isn't a read-only account and changes can be performed on the controller. I am guessing I am probably missing a setting somewhere as to why the controller is requesting priv_level=15
The default-role on the controller is read-only:
aaa authentication mgmt
This works fine for our Read-Write settings but I can't get Read-Only working on the GUI using the root Aruba-Admin-Role. Any pointers?
05-29-2014 11:02 PM
You will need to have two roles defined.
Here is an example of my controller tacacs
05-30-2014 02:22 AM - edited 05-30-2014 04:13 AM
Thanks for your reply. We do have it set up like your example with the read-only role on CPPM. The thing is, if we use priv_level=15 then the access is not read-only as per the documentation:
Permits access to CLI show commands or WebUI monitoring pages only.
When I log in with the read-only account and priv_level=15 set, it allows me to log in no problem, but then I have access to everything. I can view and change the configuration window in the WebUI, so it defeats the object. I am setting this up for our security team so they wouldn't be too happy about having configuration options. On the CLI I can run configure terminal too, which I don't want to be able to do. Have you checked your read-only account only gives you show commands and WebUI monitoring pages?
If I try using a lower priv_level on the CPPM it fails to authenticate due to the level requested by the controller being 15 but for read-only surely it should be lower?
I have logged a call with our support company but they haven't come up with a solution yet.
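What the two sides of that exchange look like on the wire, as an added example that is not code from this thread, ArubaOS or ClearPass: an RFC 8907 TACACS+ authentication START built by a client with priv_lvl=15, decoded by a toy server, and checked against a hypothetical per-service maximum privilege level (a stand-in for the CPPM "priv_level service" setting described in the posts above; how ClearPass actually implements that check is not shown on this page). The shared secret, user name, port and client address in the code are constructed, and the reading of the log line's "Requested priv_level" as the START packet's priv_lvl field is an assumption of this example, not something the thread states.

```python
# Added example: a minimal RFC 8907 TACACS+ authentication START round trip.
# Not code from this thread, ArubaOS or ClearPass. check_priv_level() is a
# hypothetical stand-in for the CPPM service setting the poster describes;
# the shared secret, user, port and client address are constructed values.
import hashlib
import os
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action: login
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12                    # version, type, seq_no, flags, session_id(4), length(4)


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 pad from RFC 8907 section 4.5 used to obfuscate the body."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl, key, session_id=None):
    """Client side: header plus obfuscated authentication START body.

    priv_lvl is a one-byte field the device fills in; it travels in the
    authentication START, separately from any authorization attributes.
    """
    session_id = session_id or os.urandom(4)
    seq_no = 1                     # START is always the first packet of a session
    body = struct.pack(
        "!BBBBBBBB",
        TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0,
    ) + user.encode() + port.encode() + rem_addr.encode()
    header = struct.pack("!BBBB4sI", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet, key):
    """Server side: de-obfuscate and decode the START body into its fields."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(
        "!BBBB4sI", packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not an authentication START packet")
    body = obfuscate(packet[HEADER_LEN:HEADER_LEN + length], session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, _dlen = struct.unpack(
        "!BBBBBBBB", body[:8])
    off = 8
    user = body[off:off + ulen].decode()
    off += ulen
    port = body[off:off + plen].decode()
    off += plen
    rem_addr = body[off:off + rlen].decode()
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr}


def check_priv_level(requested, max_allowed):
    """Hypothetical server policy: reject a START whose priv_lvl exceeds the
    configured ceiling, worded like the CPPM log line quoted in the thread."""
    if requested > max_allowed:
        return False, ("Requested priv_level=%d greater than Max Allowed priv_level=%d"
                       % (requested, max_allowed))
    return True, "priv_level=%d within Max Allowed priv_level=%d" % (requested, max_allowed)


def simulate_login(user, priv_lvl, max_allowed, key=b"constructed-shared-secret"):
    """Run one START through both sides and return (accepted, reason)."""
    packet = build_authen_start(user, "ssh", "192.0.2.10", priv_lvl, key)  # constructed values
    start = parse_authen_start(packet, key)
    return check_priv_level(start["priv_lvl"], max_allowed)


if __name__ == "__main__":
    # A device that always asks for priv_lvl 15 against a service capped at 0 ...
    print(simulate_login("secteam", 15, 0))
    # ... and the same request once the ceiling is raised to 15.
    print(simulate_login("secteam", 15, 15))
```

In the protocol the privilege level is a field of the authentication START and is evaluated before any role attribute comes back in the authorization exchange, which is why a ceiling of 0 rejects a device that asks for 15 every time, and why raising the ceiling to 15 lets the login through without saying anything about what the returned role then permits.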