Security

I am having exactly the same problem with the mismatched privilege levels.

However, I am not sure how to solve this.. I have copied the original [Admin Network Login Policy] but how do I set the corresponding privilege level within the policy?

That is configured in the Enforcement Profile.  Create a new TACACS enforcement profile and reference it in the enforcement policy.

Thanks for the post guys this was helpful at getting this issue resolved. I did things a bit differently and instad of putting my Authorization in the Enforcement I used a Role for Authorization and associate a TACACS role that was created with elevated  permissions. In the enforcement section I just used the TIPS to associate the role that was determined and it applys the Super Admin TACACS profile. 

Once completed everything worked as necessary, and I just cloned the default service and appened my Roles / Enforcement policies to the cloned profile so everything was retained. 

I read through the previous responses and found another cause.   In my case, I had everything right, except in the Role Mapping > Mapping Rules, I had an operator of EQUALS rather than CONTAINS.   I fail to understand why EQUALS doesn't work, as the AD group name I specified is exactly as I wrote it: Network Admins.  I even tried quotes around the group name.

So my whole Mapping Rule looks like this:

(Authorization:ITLAB-ROOT:memberOf CONTAINS Network Admins) [TACACS Super Admin]     

(where ITLAB-ROOT is my AD source).

Thanks!

Thanks, Tim.  Tried Group and it works.  I still don't understand why... Maybe that requires the LDAP string "CN=..."? Guess I need to learn the format requirements of each type.  

Also, is there somewhere one can review the actual results of role mappings after an authentication event?  It's disappointing to me that in the tracker logs of a given authentication, there's no mention of my AD group, even when successful.

Is there any restriction on the characters that can make up a username ? I've got things set up here so that if a userid is a member of an AD group I assign a particular role and then act upon thgat role in the Enforcement policy.

Works just fine for usernames made up of alphanumeric charcters.

We have special "dollar" accounts here  ( normal username terminated by a $ with admin rights) and try as I might even though this format of username is in an AD group clearpass 6.8 comes back saying that the account doesn't exist in an AD group

Account details attached