Occasional Contributor II
Posts: 11
Registered: ‎05-16-2012

Aruba wifi controller requesting priv-level=15 on a read-only account.

Hi there, me again. I have now moved to working on read-only access on an Aruba Wi-Fi controller.

 

We have Aruba CPPM set-up to return the read-only role using the 'Aruba:common' setting for Aruba-Admin-Role role=read-only

 

The authentication works, then I get the following error message for the privilege level:

 

INFO AAA.AuthenLoginSession - completeAuthentication: Requested priv_level=15 greater than Max Allowed priv_level=0

 

The CPPM is set with the priv_level service set to 0 - I can get it working if I set that to 15, but then it isn't a read-only account and changes can be performed on the controller. I am guessing I am probably missing a setting somewhere as to why the controller is requesting priv_level=15.

 

The default-role on the controller is read-only:

 

aaa authentication mgmt
   server-group "AAAservers"
   default-role read-only
   enable

 

This works fine for our Read-Write settings but I can't get Read-Only working on the GUI using the root Aruba-Admin-Role. Any pointers?

 

Kind regards,

 

Z

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

You will need to have to Roles defined.

 

Screen Shot 2014-05-30 at 12.58.14 AM.png

 

Screen Shot 2014-05-30 at 12.58.24 AM.png

 

Screen Shot 2014-05-30 at 12.58.03 AM.png

 

Here is an example of my controller TACACS.

 

Screen Shot 2014-05-30 at 12.58.24 AM.png

Thank You,
Troy

Occasional Contributor II
Posts: 11
Registered: ‎05-16-2012

Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

[ Edited ]

Troy,

 

Thanks for your reply. We do have it set up like your example with the read-only role on CPPM. The thing is, if we use priv_level=15 then the access is not read-only as per the documentation:

 

read-only

Permits access to CLI show commands or WebUI monitoring pages only.

 

When I log in with the read-only account and priv_level=15 set, it allows me to log in no problem, but then I have access to everything. I can view and change the configuration window in the WebUI, so defeats the object. I am setting this up for our security team so they wouldn't be too happy about having configuration options. On the CLI I can run configure terminal too, which I don't want to be able to do. Have you checked your read-only account only gives you show commands and WebUI monitoring pages?

If I try using a lower priv_level on the CPPM, it fails to authenticate due to the level requested by the controller being 15, but for read-only surely it should be lower?

 

I have logged a call with our support company but they haven't come up with a solution yet.

 

Kind regards,

 

Z

New Contributor
Posts: 2
Registered: ‎04-03-2014

Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

I am having the same issue and Aruba TAC has not come up with a solution yet. Any new insight?

New Contributor
Posts: 2
Registered: ‎04-03-2014

Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

I am using the read-only settings but the users seem to get privilege exec access... Any updates on this?
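
Added example, not part of any post in this thread and not Aruba code: a small Python check that counts the priv_level rejections quoted in the first post and lists profiles that pair a read-only admin role with priv_level 15, the combination the posters report still allows configuration changes. The profile names and the `admin_role` / `priv_level` field names are hypothetical, and all sample data is constructed.

```python
import re
from collections import Counter

# Message format copied from the CPPM log line quoted in the first post.
MISMATCH = re.compile(
    r"completeAuthentication: Requested priv_level=(\d+) "
    r"greater than Max Allowed priv_level=(\d+)"
)

def priv_mismatches(log_lines):
    """Count (requested, max_allowed) pairs among rejected logins."""
    pairs = Counter()
    for line in log_lines:
        m = MISMATCH.search(line)
        if m:
            pairs[(int(m.group(1)), int(m.group(2)))] += 1
    return pairs

def risky_profiles(profiles, read_only_roles=("read-only",)):
    """Names of profiles pairing a read-only admin role with priv_level 15.

    The thread reports that this combination logs in but still permits
    configuration changes, so it should not be counted as read-only.
    """
    return sorted(
        name for name, p in profiles.items()
        if p["admin_role"] in read_only_roles and p["priv_level"] >= 15
    )

# Constructed sample data (not taken from a real system).
SAMPLE_LOG = [
    "INFO AAA.AuthenLoginSession - completeAuthentication: "
    "Requested priv_level=15 greater than Max Allowed priv_level=0",
    "INFO constructed unrelated line",
    "INFO AAA.AuthenLoginSession - completeAuthentication: "
    "Requested priv_level=15 greater than Max Allowed priv_level=0",
]
# Hypothetical profile export: name -> returned admin role and priv level.
SAMPLE_PROFILES = {
    "wlc-admin": {"admin_role": "root", "priv_level": 15},
    "wlc-security-team": {"admin_role": "read-only", "priv_level": 15},
    "wlc-ro-strict": {"admin_role": "read-only", "priv_level": 0},
}

if __name__ == "__main__":
    for (req, allowed), n in priv_mismatches(SAMPLE_LOG).items():
        print(f"{n} login(s) rejected: requested {req}, max allowed {allowed}")
    print("read-only role with priv_level 15:", risky_profiles(SAMPLE_PROFILES))
```

Any profile this flags should be verified by logging in and confirming that `configure terminal` and the WebUI configuration pages are actually refused.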
