I can't for the life of me enforce a user to be given priv level 1.
Switch config:
CPTESTSW05#show running-config | sec aaa
aaa new-model
aaa group server tacacs+ CPPM-TACACS
 server name CPPM01-TACACS
aaa group server radius CPPM-RADIUS
 server name CPPM01-RADIUS
aaa authentication login userAuthentication group CPPM-TACACS local
aaa authentication dot1x default group CPPM-RADIUS
aaa authorization config-commands
aaa authorization exec default group CPPM-TACACS if-authenticated
aaa authorization commands 0 default group CPPM-TACACS none
aaa authorization commands 1 default group CPPM-TACACS if-authenticated
aaa authorization commands 15 default group CPPM-TACACS if-authenticated
aaa authorization network userAuthorization group CPPM-RADIUS local
aaa accounting exec default start-stop group CPPM-RADIUS
aaa accounting commands 15 default start-stop group CPPM-TACACS
aaa accounting connection default start-stop group CPPM-TACACS
aaa accounting system default start-stop group CPPM-RADIUS
aaa server radius dynamic-author
 client 10.10.20.30 server-key password
 port 3799
 auth-type all
aaa session-id common
match result-type aaa-timeout

CPTESTSW05#show running-config | sec tacacs
aaa group server tacacs+ CPPM-TACACS
 server name CPPM01-TACACS
ip tacacs source-interface GigabitEthernet1/0/1
tacacs server CPPM01-TACACS
 address ipv4 10.10.20.30
 key password

CPTESTSW05#show running-config | beg line
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication userAuthentication
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login authentication userAuthentication
 transport input ssh
line vty 5 16
 exec-timeout 0 0
 logging synchronous
 login authentication userAuthentication
 transport input ssh
---
For ClearPass, I am trying to set the priv level 1 with an enforcement profile. For example:
With this current config, I am not able to change the priv level from 15 to anything, and I am not able to restrict any commands. I must be missing something.