Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Migrating Tacacs Switch CLI access to Clearpass

  • 1.  Migrating Tacacs Switch CLI access to Clearpass

    Posted May 09, 2016 08:44 AM

    Currently we use ACS for our Cisco switch authentication using the Tacacs protocol. We've recently installed a couple of Clearpass appliances and I want to move our Tacacs authentication over to Clearpass.

    The way our existing ACS is configured is we have 2 different groups, Admin (Unrestricted CLI access) and Restricted (Limited CLI Command set), and all account information is backed off to our AD.

    I've followed the various docs on Tacacs configuration on Clearpass and managed to get the Admin group working with a lab switch.

    What I'm struggling with is the Restricted group. I've configured it exactly the same as the Admin group, with the only difference being I've got 7 commands listed in the commands tab in the Enforcement profile. When I try and log in to the lab switch with a user who is associated to this group, I get the following error.

    Tacacs serverRequested priv_level=[01] greater than Max Allowed priv_level=[00]

    I've had a look all through the Enforcement profile for the priv_level of 1 or 0, but all I can find is where I've got the priv_level 15 configured in the services part of the profile.

     

    Any help would be much appreciated.

     

    Thanks

     

    Jon



  • 2.  RE: Migrating Tacacs Switch CLI access to Clearpass
    Best Answer



  • 3.  RE: Migrating Tacacs Switch CLI access to Clearpass

    Posted May 09, 2016 10:42 AM

    Thanks for the doc, I had 1 aaa command incorrect on the switch CLI. Removed it and it all started working.