Comware 7 Tacacs priv-level

RBAC in comware | 6/28/2018


Today i have been looking to a good table for the privilege levels in comware 7. Within Clearpass you can return a priv-level within the tacacs authentication.

This table is also know as the RBAC table.

Here is the table i was looking for:


User role name level Permissions
network-admin - Accesses all features and resources in the sytem.
network-operator -

Accesses all display commands for all features and resouces in the system.

Enables local authentication users to change their passwords.

level-n(0 to 15) 0

Has access to dianostics commands like tracert and ping. These are configurable.

  1 Has all rights of 0 plus display commands to all resources in the system
  2-8,10-14 No rights by default
  9 Has all rights to all features and resources accept RBAC, local users, file management and device management
  15 Has all rights exept changing local users with network-admin of network-operator role


Categories Clearpass

Client debuging on Meru controller


Found this in the tech docs of Meru.


Via CLI commands on the Meru controller CLI

To enable the station log while in the Meru controller CLI, enter these commands:

Enter the interactive per-station event logging shell:

wlan-controller # station-log
After entering "station-log" the prompt will change to "station-log>" at which point the following commands can be entered (where <MAC address> is the station's MAC address containing colons):
station-log> station add <MAC address>
station-log> enable
At this point, the Meru controller will display information about the specified station(s), specifically, debug messages for the station's 802.11 connection.

To disable, use:
station-log> station del <MAC address>
station-log> disable
station-log> quit

Via Meru Controller Web UI

The station log for a specific station can also be obtained via the Meru controller Web UI under Monitor > Diagnostics > Station.

1. Enter MAC address containing colons and click on "Start Diagnostics".

2. Select "Station Diagnostics".

3. To disable logging of the station log, click on "Stop Diagnostics". 


Works great!


URL of the KB

Meru wireless controller bug



I ran into a bug today with an wireless controller of Meru. The customer had an wireless network with 802.1x authentication with reauthentication.

Within the access tracker i saw a lot of rejects from this controller.

Radius:IETF:Called-Station-Id    %mac%
Radius:IETF:Calling-Station-Id    %mac%
Radius:IETF:Connect-Info    CONNECT Unknown Radio
Radius:IETF:Framed-MTU    1250
Radius:IETF:NAS-IP-Address    %IP% from meru controller
Radius:IETF:NAS-Port    0
Radius:IETF:NAS-Port-Type    19
Radius:IETF:Service-Type    1
Radius:IETF:User-Name    %mac same as Calling station ID%

After a while i figured out that in the security profile both " MAC Auth Primary RADIUS Profile Name " and " MAC Auth Secondary RADIUS Profile Name " where filled in.

"MAC Filtering" was configured as off, so if i wanted to change this i needed to put is on and change it to no radius and set it back to off. The Meru controller did nothing with this change.

Trough the cli i tried it also with the following commands under the security profile:

no mac-filter-radius-server primary

no mac-filter-radius-server secondary

But when you exit you receive the following error:

Error:Acl Environment state and MAC Primary and Secondary Radius Profile valid only if mac filtering is on

So i created a new security profile and set it to the ESS of the network with the issue and the problem of the rejects disappeared.

PS: After applying the new security profile every client needs the re-authenticate. 

Categories Clearpass

Clearpass Client did not complete EAP transaction

with ssh authentication | 11/24/2017 | Comments: 27


Today i ran into a problem with radius authentication on a ArubaOS-Switch for management.

The switch was a Aruba 2530 with ssh configured to authenticate to a clearpass cluster with peap-mschapv2.

The error i got in clearpass was "Client did not complete EAP transaction". and in the logs there was no inner method available.

So the switch was configured this way:

aaa authentication web login peap-mschapv2 local
aaa authentication web enable radius local
aaa authentication ssh login peap-mschapv2 local
aaa authentication ssh enable radius local

After some looking i found out that the time on the switch was running behind and that the sntp configuration was not correct. So i changed it to the correct config and let it sync.

Now the authentication did complete as normal and i could login over ssh.

ArubaOS-Switch 16.03.0004 released


Today the latest version of ArubaOS-Switch is released for the 5400 and the 3810M switches.
You can find the release notes here:

With now support for /31 subnets!

Categories ArubaOS-Switch

Site to Site VPN Juniper SRX to Fritz!Box

4/18/2017 | Comments: 58

I had to make an site to site ipsec connection between a Juniper SRX and a Fritz!box.
Now the configuration is not that easy on the Fritz!box so i will post the configurations of both devices here.

Things to remember:
- Fritz!Box : You can't use the subnet for your internal network, the tool below don't let you.
- Fritz!Box : You can use the tool which is made available by AVM to generate you own config for the Fritz!Box. You can download it from:

- Juniper SRX: add the tunnel interface in a security zone!

You can change the proposals in the Fritz!Box config to the following



The config of the Fritz!Box vpn connection is done within the following menu:
Internet -> Permit Access : Tab VPN



interfaces {
    st0 {
        unit 1 {
            family inet {
routing-options {
    static {
        route next-hop st0.1;
security {
    ike {
        proposal fritzbox {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        policy ike-policy-cfgr2 {
            mode aggressive;
            proposals fritzbox;
            pre-shared-key ascii-text "key"; ## SECRET-DATA
        gateway ike-gate-cfgr2 {
            ike-policy ike-policy-cfgr2;
            address %external_IP_Fritzbox%;
            external-interface ge-0/0/0.0;
            version v1-only;
    ipsec {
        policy ipsec-policy-cfgr2 {
            perfect-forward-secrecy {
                keys group1;
            proposal-set standard;
        vpn ipsec-vpn-cfgr2 {
            bind-interface st0.1;
            ike {
                gateway ike-gate-cfgr2;
                ipsec-policy ipsec-policy-cfgr2;
            establish-tunnels immediately;
    address-book {
        global {
            address net-cfgr_192-168-1-0--24;
            address subnet_ext;
    policies {
        from-zone trust to-zone vpn-1 {
            policy trust-vpn-1-cfgr {
                match {
                    source-address net-cfgr_192-168-1-0--24;
                    destination-address subnet_ext;
                    application any;
                then {
        from-zone vpn-1 to-zone trust {
            policy vpn-1-trust-cfgr {
                match {
                    source-address subnet_ext;
                    destination-address net-cfgr_192-168-1-0--24;
                    application any;
                then {

        security-zone vpn-1 {
            interfaces {


vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "vpn-to-srx";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip =;
                local_virtualip =;
                remoteip = %ip-of-SRX%;
                remote_virtualip =;
                localid {
                        ipaddr = %Local-External-IP%;
                remoteid {
                        ipaddr = %ip-of-SRX%;
                mode = phase1_mode_aggressive;
                phase1ss = "def/3des/sha";
                keytype = connkeytype_pre_shared;
                key = "KEY";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr =;
                                mask =;
                phase2remoteid {
                        ipnet {
                                ipaddr =;
                                mask =;
                phase2ss = "esp-all-all/ah-all/comp-all/pfs";
                accesslist = "permit ip any";
        ike_forward_rules = "udp", 


New HCL released

4/14/2017 | Comments: 1


There is a new HCL released, version you can download it from the HCL page!


Categories HCL