Occasional Contributor II

Aruba wifi controller requesting priv-level=15 on a read-only account.

Hi there, me again. I have now moved to working on read-only access on an Aruba Wi-Fi controller.

 

We have Aruba CPPM set-up to return the read-only role using the 'Aruba:common' setting for Aruba-Admin-Role role=read-only

 

The authentication works then I get the following error message for the privilege level:

 

INFO AAA.AuthenLoginSession - completeAuthentication: Requested priv_level=15 greater than Max Allowed priv_level=0

 

The CPPM is set with the priv_level service set to 0 - I can get it working if I set that to 15 but then it isn't a read-only account and changes can be performed on the controller. I am guessing I am probably missing a setting somewhere as to why the controller is requesting priv_level=15

 

The default-role on the controller is read-only:

 

aaa authentication mgmt
   server-group "AAAservers"
   default-role read-only
   enable

 

This works fine for our Read-Write settings but I can't get Read-Only working on the GUI using the root Aruba-Admin-Role. Any pointers?

 

Kind regards,

 

Z


Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

You will need to have two Roles defined.

 

[Screenshot: Screen Shot 2014-05-30 at 12.58.14 AM.png]

[Screenshot: Screen Shot 2014-05-30 at 12.58.24 AM.png]

[Screenshot: Screen Shot 2014-05-30 at 12.58.03 AM.png]

Here is an example of my controller TACACS:

[Screenshot: Screen Shot 2014-05-30 at 12.58.24 AM.png]

Thank You,
Troy

Occasional Contributor II

Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

Troy,

 

Thanks for your reply. We do have it set up like your example with the read-only role on CPPM. The thing is, if we use priv_level=15 then the access is not read-only as per the documentation:

 

read-only

Permits access to CLI show commands or WebUI monitoring pages only.

 

When I log in with the read-only account and priv_level=15 set, it allows me to log in no problem, but then I have access to everything. I can view and change the configuration window in the WebUI, so it defeats the object. I am setting this up for our security team, so they wouldn't be too happy about having configuration options. On the CLI I can run configure terminal too, which I don't want to be able to do. Have you checked your read-only account only gives you show commands and WebUI monitoring pages?

If I try using a lower priv_level on the CPPM it fails to authenticate due to the level requested by the controller being 15 but for read-only surely it should be lower?

 

I have logged a call with our support company but they haven't come up with a solution yet.

 

Kind regards,

 

Z

New Contributor

Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

I am having the same issue and Aruba TAC has not come up with a solution yet. Any new insight?

New Contributor

Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

I am using the read-only settings but the users seem to get privilege exec access... Any updates on this?

Occasional Contributor II

Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

Hi,

did anyone solve this problem, please?

Thanks,

Kamil

Contributor I

Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

Did OP (or anyone else) ever get this figured out?  I have a case open with TAC about this very issue today 6 years later...

You'd think if it was a bug from years ago they'd have it figured out by now.  Running 8.5 train

Guru Elite

Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

Are you using the method here?  https://community.arubanetworks.com/t5/Security/TACACS-Session-Authorization/td-p/33536 where the role is returned using Aruba-Admin-Role?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor I

Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

Yes, I am.  I would give you screenshots, but like OP stated, my config looks 100% identical to the one tarnold shows and claims should work.  So if that's my config, what am I missing?

 

If I try to set the privilege level to something like 0, 1, 6, or 7 (I haven't tried everything besides 15, but I'm guessing it is) on the read-only profile, I get the following error in CPPM logs: 
Requested priv_level greater than Max Allowed priv_level

 

TAC is looking into it, but so far is completely stumped too.  He was literally googling it with me.

Guru Elite

Re: Aruba wifi controller requesting priv-level=15 on a read-only account.

Just checking to make sure your issue is identical.

 

We all have to Google it because most of us just use RADIUS and return the admin role. We use TACACS if we must....

 

Let us know if you get it sorted 

