Currently we use ACS for our Cisco switch authentication using the TACACS protocol. We've recently installed a couple of ClearPass appliances and I want to move our TACACS authentication over to ClearPass.
The way our existing ACS is configured is we have 2 different groups, Admin (unrestricted CLI access) and Restricted (limited CLI command set), and all account information is backed off to our AD.
I've followed the various docs on TACACS configuration on ClearPass and managed to get the Admin group working with a lab switch.
What I'm struggling with is the Restricted group. I've configured it exactly the same as the Admin group, with the only difference being I've got 7 commands listed in the commands tab in the Enforcement profile. When I try to log in to the lab switch with a user who is associated to this group I get the following error:
Tacacs server | Requested priv_level=[01] greater than Max Allowed priv_level=[00] |
I've had a look all through the Enforcement profile for the priv_level of 1 or 0, but all I can find is where I've got the priv_level 15 configured in the services part of the profile.
Any help would be much appreciated.
Thanks
Jon