The fix I found for the above issue:
Log into your MC and issue the command: show aaa server-group your-aaa-server-group
-> This will show your configured auth servers.
If you log into your MC and issue the command: show aaa authentication-server tacacs one-of-your-auth-servers-from-above
-> This will show the config of one of your configured TACACS servers (see attached screenshot).
The issue is that "Session Authorization" is not enabled, which is the parameter that allows ClearPass to pass a role up to the controller.
The fix (see screenshot)
- Configure mode
- aaa authentication-server tacacs one-of-your-auth-servers-from-above
- session-authorization
- exit
- write memory
Hopefully this helps you guys get yours working as well.
CJ
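The pieces above, assembled into one ArubaOS config fragment as an added illustration (not CJ's posted output or a verified dump from his controller): the TACACS server with session-authorization turned on, the server group that references it, and the management-auth stanza with the read-only default role from the original post. The server name "cppm-tacacs", the group name "AAAservers", the host address 192.0.2.10 and the placeholder key are assumptions chosen for the example.

```text
! Added example, not from the page. Names, address and key are placeholders.
! TACACS+ server definition pointing at ClearPass (address is assumed).
aaa authentication-server tacacs "cppm-tacacs"
   host 192.0.2.10
   key "replace-with-shared-secret"
   ! Without this line the controller skips the TACACS+ authorization
   ! exchange, so the role ClearPass returns never reaches the controller
   ! and the login falls back to the default-role.
   session-authorization

! Server group that the management login uses.
aaa server-group "AAAservers"
   auth-server "cppm-tacacs"

! Management authentication, as in the original post.
aaa authentication mgmt
   server-group "AAAservers"
   default-role read-only
   enable
```

After entering the configuration and saving it with write memory, "show aaa authentication-server tacacs cppm-tacacs" should list Session Authorization as enabled; if it still shows disabled, the role returned by ClearPass will not be applied and the login will be evaluated against default-role only.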
Original Message:
Sent: May 28, 2014 09:21 AM
From: zyontrific
Subject: Aruba wifi controller requesting priv-level=15 on a read-only account.
Hi there, me again. I have now moved to working on read-only access on an Aruba Wi-Fi controller.
We have Aruba CPPM set up to return the read-only role using the 'Aruba:common' setting for Aruba-Admin-Role role=read-only.
The authentication works then I get the following error message for the privilege level:
INFO AAA.AuthenLoginSession - completeAuthentication: Requested priv_level=15 greater than Max Allowed priv_level=0
The CPPM is set with the priv_level service set to 0. I can get it working if I set that to 15, but then it isn't a read-only account and changes can be performed on the controller. I am guessing I am probably missing a setting somewhere as to why the controller is requesting priv_level=15.
The default-role on the controller is read-only:
aaa authentication mgmt
server-group "AAAservers"
default-role read-only
enable
This works fine for our read-write settings, but I can't get read-only working on the GUI using the root Aruba-Admin-Role. Any pointers?
Kind regards,
Z