I just implemented this for a 5412 running 15.x code with CPPM 6.4.
I have manager and operator enforcement policies mapping from TIPS role to individual AD group memberships.
I won't go through every step in this post (maybe later), but here are some of the hurdles I overcame due to conflicting HP manuals and general CPPM newbness:
On the service, make sure Authorization is checked and configured for the source.
For the enforcement profiles, the attributes for manager (enable) and operator (read-only) access should be:
Radius:IETF | Service-Type | = | Administrative-User (6) |
Radius:IETF | Service-Type | = | NAS-Prompt-User (7) |
If you are authing against Active Directory using a memberOf attribute, be sure to select "CONTAINS" instead of "EQUALS" when defining the AD group role mapping.
On the ProCurve switch, I used PEAP/RADIUS for primary auth and local for secondary. This equates to [EAP-PEAP] in the ClearPass service authentication method.
i.e. "aaa authentication telnet enable peap-mschapv2 local"
Translation: for authenticating to switch mgmt via telnet, highest privilege, use PEAP/RADIUS for the primary and local user authentication for the secondary method.
Also, on the ProCurve switch, use "aaa authentication login privilege-mode". Check the manual for details, but basically if you don't have this on, it won't log in with manager (enable) level access even if you are returning the attribute from ClearPass.
I hope this helps. If you have more questions, I'd be glad to help within the forum.
Best of Luck,
CmC
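Pulling the switch-side steps from the post above together into one config, as an added example that is not from CmC's post or from HP's documentation. The RADIUS server address (192.0.2.10) and the shared secret are placeholder assumptions, SSH is included alongside telnet as an assumption about how most people manage the switch, and the `;` lines are annotations in the style of a saved ProCurve config rather than commands to type.

```text
; --- Added example: ProCurve management auth against ClearPass (PEAP-MSCHAPv2 over RADIUS) ---
; Assumed values: 192.0.2.10 = ClearPass server, "change-me" = RADIUS shared secret.

; 1. Point the switch at ClearPass as its RADIUS server.
radius-server host 192.0.2.10 key change-me

; 2. Management login: PEAP-MSCHAPv2 via RADIUS as the primary method,
;    local user database as the secondary (fallback if ClearPass is unreachable).
aaa authentication ssh login peap-mschapv2 local
aaa authentication telnet login peap-mschapv2 local

; 3. Enable (manager) level: same primary/secondary order.
aaa authentication ssh enable peap-mschapv2 local
aaa authentication telnet enable peap-mschapv2 local

; 4. The line the post calls out: without it, the user is not dropped into
;    manager level at login even though ClearPass returns the attribute.
aaa authentication login privilege-mode

; ClearPass side (enforcement profiles, attribute Radius:IETF Service-Type):
;   manager  (enable)    -> Service-Type = Administrative-User (6)
;   operator (read-only) -> Service-Type = NAS-Prompt-User (7)
```

To check it, log in over SSH and telnet once with a user from the manager AD group and once with a user from the operator group and confirm the prompt level each lands at; then take the local fallback for a test run as well, since a typo in the shared secret will silently push every login to the secondary method.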