Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

how to configure a local user's privilege and use it to login with different priv

  • 1.  how to configure a local user's privilege and use it to login with different priv

    Posted Nov 25, 2016 10:01 AM

    Hi guys, I need to create a local user in CPPM and use this user to log in to network devices with read-only rights?

    And also, another local user needs full level 15 access.

    How do I configure this on the control?

    Where do I link the user with a different privilege?

     

    thank you



  • 2.  RE: how to configure a local user's privilege and use it to login with different priv

    Posted Nov 25, 2016 10:04 AM

    I mean, how do I configure this on ClearPass!

    I have partially done the configuration on ClearPass, and I can use those two users to log in to network devices now.

     

    thank you!



  • 3.  RE: how to configure a local user's privilege and use it to login with different priv

    EMPLOYEE
    Posted Nov 25, 2016 10:07 AM

    Are you saying read-only access to ClearPass or read-only access to network devices?



  • 4.  RE: how to configure a local user's privilege and use it to login with different priv

    Posted Nov 25, 2016 10:15 AM

    Hi, jcoseph:

     

    Thank you for your quick response!

    I am using ClearPass for our network device login control through TACACS or RADIUS. It is not for ClearPass itself; it is for thousands of different network devices. We need to associate with AD, and we also need to create some users in the local user section of ClearPass and use them to log in to our network devices as a backup. But we need different privileges for those local users.

     

    thank you 



  • 5.  RE: how to configure a local user's privilege and use it to login with different priv

    EMPLOYEE
    Posted Nov 25, 2016 10:37 AM

    What type of devices? Do you already have regular TACACS login working for those devices through ClearPass local users?



  • 6.  RE: how to configure a local user's privilege and use it to login with different priv

    Posted Nov 25, 2016 11:10 AM

    Mainly the types of devices are Cisco routers, switches, ASA and Avaya switches.

    And I have already gotten those local users to log in to the devices.

    Currently, for the TACACS service, the default profile is the TACACS deny profile.

    And all of those local users have level 15 privilege, which we don't want to see. We want to separate them.

    I know if we associate with AD, then AD can take this part; we just put the authorization value to match with AD.

    But for those local users, I am stuck here.



  • 7.  RE: how to configure a local user's privilege and use it to login with different priv

    EMPLOYEE
    Posted Nov 25, 2016 12:23 PM

    What is your enforcement profile for your privilege 15 users and what is your enforcement policy for your read-only users when you do AD authentication?



  • 8.  RE: how to configure a local user's privilege and use it to login with different priv

    Posted Nov 25, 2016 02:32 PM

    For the AD part, I need to work with the servers team to classify the different groups, but I haven't gotten that far. Currently we only associate with AD. We use the LAN ID to log in to the devices and get privilege 15 (including the members of my group). For read-only, honestly, I don't have time to work with the AD team, so far this part is not done yet.

    So far, every user has 15 lev



  • 9.  RE: how to configure a local user's privilege and use it to login with different priv

    Posted Nov 25, 2016 02:44 PM

    I created two profiles for TACACS, one for level 15: shell pri-lvl=15

    Another is for level 1: shell pri-lvl=15

     

    In the service section, I created an enforcement policy:

    Authorization: AD member-of contains network admin (this value needs to be confirmed with the server team)

    Authorization: AD member-of contains Read-only-user

    Here is the screenshot:
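The policy sketched in the last post (two TACACS+ enforcement profiles returning a shell privilege level, an enforcement policy whose authorization rules match AD group membership, and the TACACS deny profile as the default from post 6) can be modelled as a first-match rule list. The following is an added example written for this thread; it is not ClearPass code, not the poster's configuration, and it does not speak TACACS+. Profile names, the role names `Net-Admin` and `Net-ReadOnly`, and the idea of keying the local-user rules on a role attribute rather than on AD groups are assumptions of the example, as are the sample users and group DNs.

```python
"""Toy model of a ClearPass-style TACACS+ enforcement policy.

Constructed example for illustration: it evaluates first-match
authorization rules against a user's attributes and returns the
TACACS+ shell attributes the network device would receive, or a
deny when no rule matches.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Enforcement profiles (constructed names). The attributes are what the
# TACACS+ authorization reply would carry; Cisco IOS reads priv-lvl from
# the "shell" service. None means the deny profile: no attributes at all.
PROFILES = {
    "TACACS Priv 15": {"service": "shell", "priv-lvl": 15},
    "TACACS Priv 1": {"service": "shell", "priv-lvl": 1},
    "TACACS Deny": None,
}


@dataclass
class User:
    name: str
    source: str                                      # "AD" or "Local"
    member_of: List[str] = field(default_factory=list)  # AD group names/DNs
    role: Optional[str] = None                        # assumed: role of a local user


def contains(values: List[str], needle: str) -> bool:
    """CONTAINS-style condition: case-insensitive substring match against
    any value of a multi-valued attribute such as memberOf."""
    needle = needle.lower()
    return any(needle in v.lower() for v in values)


# Rule order matters: the first matching rule wins, so a user in both AD
# groups gets level 15. The local-user rules use an assumed role attribute,
# which keeps backup local accounts independent of AD group membership.
RULES: List[Tuple[str, Callable[[User], bool], str]] = [
    ("AD",    lambda u: contains(u.member_of, "network admin"),  "TACACS Priv 15"),
    ("AD",    lambda u: contains(u.member_of, "Read-only-user"), "TACACS Priv 1"),
    ("Local", lambda u: u.role == "Net-Admin",                   "TACACS Priv 15"),
    ("Local", lambda u: u.role == "Net-ReadOnly",                "TACACS Priv 1"),
]
DEFAULT_PROFILE = "TACACS Deny"   # as in the thread: unmatched users are denied


def authorize(user: User):
    """Return (profile name, attributes); attributes is None for a deny."""
    for source, condition, profile in RULES:
        if user.source == source and condition(user):
            return profile, PROFILES[profile]
    return DEFAULT_PROFILE, PROFILES[DEFAULT_PROFILE]


def priv_level(user: User) -> int:
    """Privilege level the device would grant; 0 means login is denied."""
    _, attrs = authorize(user)
    return attrs["priv-lvl"] if attrs else 0


if __name__ == "__main__":
    # Constructed sample users covering each rule plus the default deny.
    samples = [
        User("alice", "AD", member_of=["CN=Network Admin,OU=Groups,DC=example,DC=com"]),
        User("bob", "AD", member_of=["CN=Read-only-user,OU=Groups,DC=example,DC=com"]),
        User("backup-admin", "Local", role="Net-Admin"),
        User("backup-ro", "Local", role="Net-ReadOnly"),
        User("carol", "AD", member_of=["CN=Helpdesk,OU=Groups,DC=example,DC=com"]),
        User("orphan", "Local"),   # local user with no role: falls to the deny profile
    ]
    for u in samples:
        name, _ = authorize(u)
        print(f"{u.name:13} {u.source:5} -> {name} (priv {priv_level(u)})")
```

The point the model makes is that the local users in the thread all landed at level 15 because nothing in the policy distinguished them: a rule that keys on an attribute only local users carry (here the assumed role) is what lets the two backup accounts receive different profiles while every unmatched account still falls through to the deny profile.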