Contributor II
Posts: 60
Registered: ‎04-16-2010

Migrating Tacacs Switch CLI access to Clearpass

Currently we use ACS for our Cisco switch authentication using the Tacacs protocol. We've recently installed a couple of Clearpass appliances and I want to move our Tacacs authentication over to Clearpass.

The way our existing ACS is configured is we have 2 different groups, Admin (Unrestricted CLI access) and Restricted (Limited CLI Command set), and all account information is backed off to our AD.

I've followed the various docs on Tacacs configuration on Clearpass and managed to get the Admin group working with a lab switch.

What I'm struggling with is the Restricted group. I've configured it exactly the same as the Admin group, with the only difference being I've got 7 commands listed in the commands tab in the Enforcement profile. When I try to log in to the lab switch with a user who is associated with this group, I get the following error.

Tacacs serverRequested priv_level=[01] greater than Max Allowed priv_level=[00]

I've had a look all through the Enforcement profile for the priv_level of 1 or 0, but all I can find is where I've got the priv_level 15 configured in the services part of the profile.

Any help would be much appreciated.

Thanks

Jon

MVP
Posts: 4,120
Registered: ‎07-20-2011

Re: Migrating Tacacs Switch CLI access to Clearpass

See if this link helps:
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-perform-management-authentication-of-Cisco-Switch-against/ta-p/234332

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 60
Registered: ‎04-16-2010

Re: Migrating Tacacs Switch CLI access to Clearpass

Thanks for the doc, I had 1 aaa command incorrect on the switch CLI. Removed it and it all started working.

 

 
