Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Aruba wifi controller requesting priv-level=15 on a read-only account.

  • 1.  Aruba wifi controller requesting priv-level=15 on a read-only account.

    Posted May 28, 2014 09:21 AM

    Hi there, me again. I have now moved to working on read-only access on an Aruba Wi-Fi controller.

    We have Aruba CPPM set up to return the read-only role using the 'Aruba:common' setting for Aruba-Admin-Role role=read-only.

     

    The authentication works then I get the following error message for the privilege level:

     

    INFO AAA.AuthenLoginSession - completeAuthentication: Requested priv_level=15 greater than Max Allowed priv_level=0

     

    The CPPM is set with the priv_level service set to 0. I can get it working if I set that to 15, but then it isn't a read-only account and changes can be performed on the controller. I am guessing I am probably missing a setting somewhere, as to why the controller is requesting priv_level=15.

     

    The default-role on the controller is read-only:

     

    aaa authentication mgmt
       server-group "AAAservers"
       default-role read-only
       enable

     

    This works fine for our Read-Write settings but I can't get Read-Only working on the GUI using the root Aruba-Admin-Role. Any pointers?

     

    Kind regards,

     

    Z



  • 2.  RE: Aruba wifi controller requesting priv-level=15 on a read-only account.

    EMPLOYEE
    Posted May 30, 2014 02:02 AM

    You will need to have two Roles defined.

     

    Screen Shot 2014-05-30 at 12.58.14 AM.png

     

    Screen Shot 2014-05-30 at 12.58.24 AM.png

     

    Screen Shot 2014-05-30 at 12.58.03 AM.png

     

    Here is an example of my controller tacacs

     

    Screen Shot 2014-05-30 at 12.58.24 AM.png



  • 3.  RE: Aruba wifi controller requesting priv-level=15 on a read-only account.

    Posted May 30, 2014 05:22 AM

    Troy,

     

    Thanks for your reply. We do have it set up like your example with the read-only role on CPPM. The thing is, if we use priv_level=15 then the access is not read-only as per the documentation:

     

    read-only

    Permits access to CLI show commands or WebUI monitoring pages only.

     

    When I log in with the read-only account and priv_level=15 set, it allows me to log in no problem, but then I have access to everything. I can view and change the configuration window in the WebUI, so it defeats the object. I am setting this up for our security team, so they wouldn't be too happy about having configuration options. On the CLI I can run configure terminal too, which I don't want to be able to do. Have you checked your read-only account only gives you show commands and WebUI monitoring pages?

    If I try using a lower priv_level on the CPPM it fails to authenticate due to the level requested by the controller being 15, but for read-only surely it should be lower?

     

    I have logged a call with our support company but they haven't come up with a solution yet.

     

    Kind regards,

     

    Z




  • 4.  RE: Aruba wifi controller requesting priv-level=15 on a read-only account.

    Posted Jul 29, 2014 02:52 PM

    I am having the same issue and Aruba TAC has not come up with a solution yet. Any new insight?



  • 5.  RE: Aruba wifi controller requesting priv-level=15 on a read-only account.

    Posted Jul 30, 2014 03:40 PM

    I am using the read-only settings but the users seem to get privilege exec access... Any updates on this?



  • 6.  RE: Aruba wifi controller requesting priv-level=15 on a read-only account.

    Posted Dec 06, 2019 05:49 AM

    Hi,

    did anyone solve this problem, please?

    Thanks,

    Kamil



  • 7.  RE: Aruba wifi controller requesting priv-level=15 on a read-only account.

    Posted Jun 12, 2020 03:01 PM

    Did OP (or anyone else) ever get this figured out?  I have a case open with TAC about this very issue today 6 years later...

    You'd think if it was a bug from years ago they'd have it figured out by now.  Running 8.5 train



  • 8.  RE: Aruba wifi controller requesting priv-level=15 on a read-only account.

    EMPLOYEE
    Posted Jun 12, 2020 06:03 PM

    Are you using the method here?  https://community.arubanetworks.com/t5/Security/TACACS-Session-Authorization/td-p/33536 where the role is returned using Aruba-Admin-Role?



  • 9.  RE: Aruba wifi controller requesting priv-level=15 on a read-only account.

    Posted Jun 12, 2020 06:12 PM

    Yes, I am.  I would give you screenshots, but like OP stated, my config looks 100% identical to the one tarnold shows and claims should work.  So if that's my config, what am I missing?

     

    If I try to set the privilege level to something like 0, 1, 6, or 7 (I haven't tried everything besides 15, but I'm guessing it is) on the read-only profile, I get the following error in CPPM logs: 
    Requested priv_level greater than Max Allowed priv_level

     

    TAC is looking into it, but so far is completely stumped too.  He was literally googling it with me.



  • 10.  RE: Aruba wifi controller requesting priv-level=15 on a read-only account.

    EMPLOYEE
    Posted Jun 12, 2020 06:42 PM

    Just checking to make sure your issue is identical.

     

    We all have to Google it because most of us just use radius and return the admin role.. We use Tacacs if we must....

     

    Let us know if you get it sorted 



  • 11.  RE: Aruba wifi controller requesting priv-level=15 on a read-only account.

    Posted Oct 02, 2023 03:16 AM

    The fix I found for the above issue:

    Log into your MC and issue the command: show aaa server-group your-aaa-server-group

    -> This will show your configured auth servers


    If you log into your MC and issue the command: show aaa authentication-server tacacs one-of-your-auth-servers-from-above

    -> This will show the config of one of your configured tacacs servers (see attached screenshot)

    show-aaa-authentication-server

    The issue is that "Session Authorization" is not enabled, which is the parameter that allows ClearPass to pass a role up to the controller.

    The fix (see screenshot)

    • Configure mode
    • aaa authentication-server tacacs one-of-your-auth-servers-from-above
    • session-authorization
    • exit
    • write memory
    the-fix


    Hopefully this helps you guys get yours working as well - 

    CJ
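An added audit script (not from the thread or from HPE Aruba) that applies CJ's check to a running-config dump rather than to one server at a time: it parses each `aaa authentication-server tacacs` block, reports the servers that lack `session-authorization` (the condition under which the controller never receives the Aruba-Admin-Role and falls back to the priv_level comparison in the error above), and emits the fix sequence from the post. The config fragment is constructed and its block layout is an assumption.

```python
import re
from typing import Dict, List

# Constructed ArubaOS running-config fragment (block layout is assumed, not
# copied from a real controller): two ClearPass TACACS+ servers, one of which
# lacks session-authorization.
SAMPLE_CONFIG = """\
aaa authentication-server tacacs "cppm-1"
   host 192.0.2.10
   key ******
!
aaa authentication-server tacacs "cppm-2"
   host 192.0.2.11
   key ******
   session-authorization
!
"""

BLOCK_RE = re.compile(r'^aaa authentication-server tacacs "([^"]+)"$')

def parse_tacacs_servers(config: str) -> Dict[str, List[str]]:
    """Map each tacacs server name to the option lines indented under it."""
    servers: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = BLOCK_RE.match(line)
        if m:                          # start of a tacacs server block
            current = m.group(1)
            servers[current] = []
        elif current and raw.startswith(" "):
            servers[current].append(line.strip())
        else:                          # '!', blank, or another top-level block
            current = None
    return servers

def servers_missing_session_authorization(config: str) -> List[str]:
    """Servers whose block lacks session-authorization. Without it the
    controller never receives the Aruba-Admin-Role ClearPass returns, so the
    login falls back to the priv_level comparison seen in the thread."""
    return sorted(name for name, opts in parse_tacacs_servers(config).items()
                  if "session-authorization" not in opts)

def fix_commands(server: str) -> List[str]:
    """The CLI sequence from CJ's post, for one named server."""
    return ["configure terminal",
            f'aaa authentication-server tacacs "{server}"',
            "session-authorization", "exit", "write memory"]
```

Feed it `show running-config` output saved from the MC; each name it reports is a server to fix.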