Contributor II

Re: TACACS on Clear Pass -Authentication privilege level mismatch

Hi alexsuoy,

It's probably not the right thread, but I didn't have any issues with having a $ at the end of the username.

I could also only find permitted characters for user/pass when binding ClearPass to AD. I was not able to find anything obvious that involved LDAP authorization with AD.

ad-bind-permitted-characters.png

I was able to perform a manual LDAP query in the AD server; this worked as expected. I could also see the memberOf info.

user-dollarsign-ldap-query.png

I have also included TACACS Policy Manager authorization info for the same user account.

access-tracker-authorization.png

You may want to check the LDAP servers to ensure they have the correct data and are syncing. Not sure if you are defining them as FQDN / IP / or domain in the address section for the LDAP server.

I would also recommend trying a manual query.

Auth Server => Attributes => "Select" Authentication => "Select" Attributes "tab" => Enter Username.

Justin Kwasnik | ACMX# 598 | ACCX# 638
MVP Expert

Re: TACACS on Clear Pass -Authentication privilege level mismatch

Thanks for the above. The priv level mismatch seems to have morphed into being unable to assign a user role based upon checking for username membership of an AD group. Works for a lot of other groups ... works on my dev server ... doesn't work on my prodn one ... Must be something that's staring me in the face but can't see it at the moment :-(

A

Contributor II

Re: TACACS on Clear Pass -Authentication privilege level mismatch

You're welcome.

I did not have the privilege level mismatch issue on 6.8.0 with custom admin rights. In the past I had only seen this when you create custom admin privileges, in combination with AD users.

If you had used the default admin privileges and AD users, I never seemed to obtain this error with previous releases.

Justin Kwasnik | ACMX# 598 | ACCX# 638