Aruba Employee

TACACS on Clear Pass -Authentication privilege level mismatch

Trying to get TACACS configured with AD group auth.

 

I have the users in the group defined 

 

But I keep hitting this error...

 

Error Category:
Tacacs authentication
Error Code:
Authentication privilege level mismatch
 Alerts for this Request :
Tacacs serverRequested priv_level=[01] greater than Max Allowed priv_level=[00]

Re: TACACS on Clear Pass -Authentication privilege level mismatch

You need to make sure you modify your policy (Configuration » Enforcement » Policies » Edit - [Admin Network Login Policy]) and add your AD group settings in to the corresponding privilege level.

 

Just make it a copy of the original policy and modify the copy...

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor II

Re: TACACS on Clear Pass -Authentication privilege level mismatch

I am having exactly the same problem with the mismatched privilege levels.

 

However, I am not sure how to solve this. I have copied the original [Admin Network Login Policy], but how do I set the corresponding privilege level within the policy?

Guru Elite

Re: TACACS on Clear Pass -Authentication privilege level mismatch

That is configured in the Enforcement Profile.  Create a new TACACS enforcement profile and reference it in the enforcement policy.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II

Re: TACACS on Clear Pass -Authentication privilege level mismatch

Thanks for the post guys, this was helpful at getting this issue resolved. I did things a bit differently and instead of putting my Authorization in the Enforcement I used a Role for Authorization and associated a TACACS role that was created with elevated permissions. In the enforcement section I just used the TIPS to associate the role that was determined and it applies the Super Admin TACACS profile.

 

Once completed everything worked as necessary, and I just cloned the default service and appended my Roles / Enforcement policies to the cloned profile so everything was retained.

Justin Kwasnik | ACMX# 598 | ACCX# 638
Occasional Contributor I

Re: TACACS on Clear Pass -Authentication privilege level mismatch

I read through the previous responses and found another cause.   In my case, I had everything right, except in the Role Mapping > Mapping Rules, I had an operator of EQUALS rather than CONTAINS.   I fail to understand why EQUALS doesn't work, as the AD group name I specified is exactly as I wrote it: Network Admins.  I even tried quotes around the group name.

 

So my whole Mapping Rule looks like this:

(Authorization:ITLAB-ROOT:memberOf CONTAINS Network Admins) [TACACS Super Admin]     

(where ITLAB-ROOT is my AD source).

 

Thanks!

Guru Elite

Re: TACACS on Clear Pass -Authentication privilege level mismatch

You’d need to use the Groups attribute instead of memberOf to use EQUALS.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: TACACS on Clear Pass -Authentication privilege level mismatch

Thanks, Tim.  Tried Group and it works.  I still don't understand why... Maybe that requires the LDAP string "CN=..."? Guess I need to learn the format requirements of each type.  

 

Also, is there somewhere one can review the actual results of role mappings after an authentication event?  It's disappointing to me that in the tracker logs of a given authentication, there's no mention of my AD group, even when successful.

Guru Elite

Re: TACACS on Clear Pass -Authentication privilege level mismatch

Yes, it’s based on how the data is parsed.

You can see the authorization data under the Input tab.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
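The two behaviours discussed in this thread (the "Requested priv_level greater than Max Allowed priv_level" error when no role grants a privilege level, and why EQUALS on memberOf fails while CONTAINS on memberOf or EQUALS on Groups succeeds) can be reproduced with a small model of role mapping. This is an added example, not ClearPass code and not written by any of the posters. It assumes that memberOf is exposed as the raw list of group DNs, that Groups is the CN parsed out of each DN (consistent with "it's based on how the data is parsed", but the exact parsing is an assumption), and that the enforcement profile named TACACS Super Admin grants a maximum privilege level of 15; the AD source name ITLAB-ROOT and the group name Network Admins come from the thread, everything else is constructed.

```python
"""Model of ClearPass-style TACACS+ role mapping and privilege-level checks.

Added example (not ClearPass or Aruba code). Assumptions:
  - 'memberOf' is the raw list of group DNs from the AD source.
  - 'Groups' is derived by parsing the CN out of each memberOf DN.
  - The enforcement profile 'TACACS Super Admin' grants max priv level 15.
"""
import re

# Constructed sample of what the AD authorization source (ITLAB-ROOT in the
# thread) might return for one user. Not real data.
AUTHZ_RECORD = {
    "memberOf": [
        "CN=Network Admins,OU=Groups,DC=itlab,DC=root",
        "CN=VPN Users,OU=Groups,DC=itlab,DC=root",
    ],
}

# Hypothetical enforcement profiles: role name -> max TACACS+ privilege level.
ENFORCEMENT_PROFILES = {"TACACS Super Admin": 15}


def parse_groups(member_of):
    """Derive the 'Groups' attribute: the CN of each DN in memberOf."""
    groups = []
    for dn in member_of:
        match = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
        if match:
            groups.append(match.group(1))
    return groups


def evaluate(values, operator, wanted):
    """Evaluate one mapping-rule condition over a multi-valued attribute."""
    if operator == "EQUALS":
        # Whole-value comparison: a full DN never equals a bare group name.
        return any(v == wanted for v in values)
    if operator == "CONTAINS":
        # Substring comparison: the bare name is found inside the DN.
        return any(wanted in v for v in values)
    raise ValueError(f"unsupported operator: {operator}")


def map_roles(record, rules):
    """Return the set of roles whose rule matches.

    Each rule is (attribute, operator, value, role), mirroring
    (Authorization:ITLAB-ROOT:memberOf CONTAINS Network Admins) [TACACS Super Admin].
    """
    attrs = dict(record)
    attrs["Groups"] = parse_groups(record.get("memberOf", []))
    roles = set()
    for attribute, operator, value, role in rules:
        if evaluate(attrs.get(attribute, []), operator, value):
            roles.add(role)
    return roles


def authorize(roles, requested_priv_level):
    """Apply the enforcement profiles and check the requested privilege level.

    With no matching role the max allowed level is 0, which is exactly the
    situation behind the thread's priv_level=[01] > [00] error.
    """
    max_allowed = max((ENFORCEMENT_PROFILES.get(r, 0) for r in roles), default=0)
    if requested_priv_level > max_allowed:
        return (False, "Requested priv_level=[%02d] greater than Max Allowed priv_level=[%02d]"
                % (requested_priv_level, max_allowed))
    return (True, "priv_level %d granted" % requested_priv_level)


if __name__ == "__main__":
    rule_sets = {
        "memberOf EQUALS":  [("memberOf", "EQUALS", "Network Admins", "TACACS Super Admin")],
        "memberOf CONTAINS": [("memberOf", "CONTAINS", "Network Admins", "TACACS Super Admin")],
        "Groups EQUALS":    [("Groups", "EQUALS", "Network Admins", "TACACS Super Admin")],
    }
    for label, rules in rule_sets.items():
        roles = map_roles(AUTHZ_RECORD, rules)
        ok, message = authorize(roles, 1)
        print(f"{label:18s} -> roles={sorted(roles)} ok={ok} ({message})")
```

The model also shows the trade-off behind Tim's advice: CONTAINS on memberOf is a substring match, so it would also fire for a group such as "Network Admins-Readonly", whereas EQUALS on the parsed Groups attribute matches the exact group name and is the tighter check for an admin role mapping.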