01-07-2013 04:02 PM
Trying to get TACACS configured with AD group auth.
I have the users in the group defined
But I keep hitting this error...
Error Category: Tacacs authentication
Error Code: Authentication privilege level mismatch
Tacacs server: Requested priv_level=[01] greater than Max Allowed priv_level=[00]
01-07-2013 04:16 PM
You need to make sure you modify your policy (Configuration » Enforcement » Policies » Edit - [Admin Network Login Policy]) and add your AD group settings in to the corresponding privilege level.
Just make it a copy of the original policy and modify the copy...
Troy
Re: TACACS on Clear Pass -Authentication privilege level mismatch
04-08-2013 01:58 AM
I am having exactly the same problem with the mismatched privilege levels.
However, I am not sure how to solve this. I have copied the original [Admin Network Login Policy], but how do I set the corresponding privilege level within the policy?
04-11-2013 03:53 PM
That is configured in the Enforcement Profile. Create a new TACACS enforcement profile and reference it in the enforcement policy.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
09-26-2014 12:44 PM
Thanks for the post, guys; this was helpful in getting this issue resolved. I did things a bit differently: instead of putting my Authorization in the Enforcement, I used a Role for Authorization and associated a TACACS role that was created with elevated permissions. In the enforcement section I just used the TIPS to associate the role that was determined, and it applies the Super Admin TACACS profile.
Once completed, everything worked as necessary, and I just cloned the default service and appended my Roles / Enforcement policies to the cloned profile so everything was retained.
09-26-2017 04:15 AM - edited 09-26-2017 04:15 AM
I read through the previous responses and found another cause. In my case, I had everything right, except in the Role Mapping > Mapping Rules, I had an operator of EQUALS rather than CONTAINS. I fail to understand why EQUALS doesn't work, as the AD group name I specified is exactly as I wrote it: Network Admins. I even tried quotes around the group name.
So my whole Mapping Rule looks like this:
(Authorization:ITLAB-ROOT:memberOf CONTAINS Network Admins) [TACACS Super Admin]
(where ITLAB-ROOT is my AD source).
Thanks!
09-26-2017 05:47 AM
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
09-26-2017 08:27 AM
Thanks, Tim. Tried Group and it works. I still don't understand why... Maybe that requires the LDAP string "CN=..."? Guess I need to learn the format requirements of each type.
Also, is there somewhere one can review the actual results of role mappings after an authentication event? It's disappointing to me that in the tracker logs of a given authentication, there's no mention of my AD group, even when successful.
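An added illustration, not part of the thread and not ClearPass code: Active Directory stores each memberOf value as a full distinguished name, so a whole-value EQUALS against "Network Admins" fails while a substring CONTAINS succeeds. The sketch assumes EQUALS compares the entire value and CONTAINS is a substring test; the users, DNs and the helper names are constructed. It also shows CONTAINS accepting groups and OUs that merely include the string, which matters when the rule maps to [TACACS Super Admin].

```python
# Added example: models string operators against AD memberOf values.
# Assumption: EQUALS = whole-value equality, CONTAINS = substring test.
import re

# Constructed sample data: memberOf values for three hypothetical users.
USERS = {
    "alice": ["CN=Network Admins,OU=Groups,DC=itlab,DC=example"],
    "bob":   ["CN=Network Admins Read-Only,OU=Groups,DC=itlab,DC=example"],
    "carol": ["CN=Helpdesk,OU=Network Admins,DC=itlab,DC=example"],
}
GROUP = "Network Admins"

def first_rdn_cn(dn):
    """Return the CN of the leading RDN of a DN, honouring escaped commas."""
    m = re.match(r"(?i)CN=((?:\\.|[^,\\])*)", dn)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None

def match_equals(member_of, group):
    # Whole-value comparison: the value is a DN, never the bare group name.
    return any(dn == group for dn in member_of)

def match_contains(member_of, group):
    # Substring test: matches anywhere in the DN, including OU components.
    return any(group in dn for dn in member_of)

def match_group_cn(member_of, group):
    # Exact, case-insensitive comparison on the group's CN only.
    wanted = group.lower()
    return any((first_rdn_cn(dn) or "").lower() == wanted for dn in member_of)

def evaluate(users, group):
    """Return, per user, the outcome of each matching strategy."""
    return {
        name: {
            "equals": match_equals(dns, group),
            "contains": match_contains(dns, group),
            "group_cn": match_group_cn(dns, group),
        }
        for name, dns in users.items()
    }

if __name__ == "__main__":
    for name, result in evaluate(USERS, GROUP).items():
        print(f"{name:6} {result}")
```

Only alice is a member of the intended group, yet the substring match also admits bob and carol; matching on the extracted group name admits alice alone.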
09-26-2017 08:30 AM
You can see the authorization data under the Input tab.
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |