Today I was looking for a good table of the privilege levels in Comware 7. Within ClearPass you can return a privilege level (priv-lvl) in the TACACS+ authorization reply, and the device maps it to one of these roles.
This table is also known as the RBAC table.
Here is the table I was looking for:
| User role name | Level | Permissions |
| --- | --- | --- |
| network-admin | - | Accesses all features and resources in the system. Accesses all display commands for all features and resources in the system. Enables local authentication users to change their passwords. |
| level-n (0 to 15) | 0 | Has access to diagnostic commands like tracert and ping. These are configurable. |
| | 1 | Has all rights of level 0 plus display commands for all resources in the system. |
| | 2-8, 10-14 | No rights by default. |
| | 9 | Has all rights to all features and resources except RBAC, local users, file management and device management. |
| | 15 | Has all rights except changing local users that have the network-admin or network-operator role. |
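For completeness, here is the device side that makes the table above matter: a Comware 7 configuration that sends login authentication and authorization to ClearPass over TACACS+, so the priv-lvl returned by the enforcement profile decides which level-n role the session gets. This is an added example, not configuration from the original post; the server address, shared key, domain name and VTY range are placeholders, and the `#` lines are explanatory comments rather than device syntax. To my understanding of Comware 7 RBAC, a priv-lvl of N from the server maps to the level-N role; check the role definitions on the device with `display role`.

```text
# TACACS+ scheme pointing at ClearPass (address and key are placeholders)
hwtacacs scheme clearpass
 primary authentication 10.0.0.10
 primary authorization 10.0.0.10
 primary accounting 10.0.0.10
 key authentication simple ExampleKey
 key authorization simple ExampleKey
 key accounting simple ExampleKey
 user-name-format without-domain
#
# Domain that uses the scheme for login sessions, with local fallback
domain mgmt
 authentication login hwtacacs-scheme clearpass local
 authorization login hwtacacs-scheme clearpass local
 accounting login hwtacacs-scheme clearpass local
#
domain default enable mgmt
#
# VTY lines must use scheme authentication, otherwise the TACACS+ result is never applied
line vty 0 63
 authentication-mode scheme
 protocol inbound ssh
```

Keep `local` as the fallback in the domain so a ClearPass outage does not lock you out, and make sure the local admin account has a role from the table that you actually intend (level-15 or network-admin).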
I ran into a bug today with a Meru wireless controller. The customer had a wireless network with 802.1X authentication with reauthentication.
In the Access Tracker I saw a lot of rejects from this controller:
Radius:IETF:Connect-Info CONNECT Unknown Radio
Radius:IETF:NAS-IP-Address %IP% from meru controller
Radius:IETF:User-Name %mac same as Calling station ID%
After a while I figured out that in the security profile both "MAC Auth Primary RADIUS Profile Name" and "MAC Auth Secondary RADIUS Profile Name" were filled in.
"MAC Filtering" was configured as off, so if I wanted to change this I needed to turn it on, change it to no RADIUS and set it back to off. The Meru controller did nothing with this change.
Through the CLI I also tried it with the following commands under the security profile:
no mac-filter-radius-server primary
no mac-filter-radius-server secondary
But when you exit you receive the following error:
Error:Acl Environment state and MAC Primary and Secondary Radius Profile valid only if mac filtering is on
So I created a new security profile, assigned it to the ESS of the network with the issue, and the rejects disappeared.
PS: After applying the new security profile every client needs to re-authenticate.
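The rejects described above have a recognisable signature: the User-Name is the client's own MAC address (the same value as Calling-Station-Id) and the Connect-Info is "CONNECT Unknown Radio", which is what a stray MAC-authentication request from the controller looks like next to the real 802.1X sessions. The script below is an added example, not something from the original post: it runs that check over a few constructed records shaped like an Access Tracker export (the field names, NAS IPs and MACs are made up for the example) and reports, per NAS, how many rejects are MAC-auth attempts rather than failed user logins, so a controller with this misconfiguration stands out.

```python
"""Flag RADIUS rejects that look like unintended MAC-authentication attempts."""
import re
from collections import defaultdict

# Constructed sample records in the shape of a ClearPass Access Tracker export.
# Field names, NAS IPs and MAC addresses are made up for this example.
SAMPLE_REQUESTS = [
    {"NAS-IP-Address": "10.10.0.5", "User-Name": "00-11-22-33-44-55",
     "Calling-Station-Id": "00-11-22-33-44-55",
     "Connect-Info": "CONNECT Unknown Radio", "Login-Status": "REJECT"},
    {"NAS-IP-Address": "10.10.0.5", "User-Name": "001122aabbcc",
     "Calling-Station-Id": "00:11:22:AA:BB:CC",
     "Connect-Info": "CONNECT Unknown Radio", "Login-Status": "REJECT"},
    {"NAS-IP-Address": "10.10.0.5", "User-Name": "jdoe",
     "Calling-Station-Id": "00-11-22-33-44-55",
     "Connect-Info": "CONNECT 802.11a/n", "Login-Status": "ACCEPT"},
    {"NAS-IP-Address": "10.10.0.9", "User-Name": "0011.22dd.eeff",
     "Calling-Station-Id": "00-11-22-DD-EE-FF",
     "Connect-Info": "CONNECT 802.11g", "Login-Status": "REJECT"},
    {"NAS-IP-Address": "10.10.0.9", "User-Name": "asmith",
     "Calling-Station-Id": "00-11-22-DD-EE-FF",
     "Connect-Info": "CONNECT 802.11g", "Login-Status": "REJECT"},
]

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None when value is not a MAC.

    Accepts 00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455 and
    001122334455, so the comparison does not depend on the NAS's formatting.
    """
    stripped = re.sub(r"[-:.]", "", value.strip())
    return stripped.lower() if _MAC_RE.match(stripped) else None


def is_mac_auth_attempt(req):
    """True when User-Name is the client's own MAC (equal to Calling-Station-Id).

    That is how a MAC-filtering/MAC-auth request presents itself, as opposed to
    an 802.1X request that carries a real user identity.
    """
    user = normalize_mac(req.get("User-Name", ""))
    calling = normalize_mac(req.get("Calling-Station-Id", ""))
    return user is not None and user == calling


def summarize_rejects(requests):
    """Per NAS IP: rejects that are MAC-auth attempts, rejects of real users,
    and how many rejects carried the 'CONNECT Unknown Radio' Connect-Info."""
    summary = defaultdict(lambda: {"mac_auth_rejects": 0,
                                   "user_rejects": 0,
                                   "unknown_radio": 0})
    for req in requests:
        if req.get("Login-Status") != "REJECT":
            continue
        entry = summary[req["NAS-IP-Address"]]
        if is_mac_auth_attempt(req):
            entry["mac_auth_rejects"] += 1
        else:
            entry["user_rejects"] += 1
        if req.get("Connect-Info", "").strip() == "CONNECT Unknown Radio":
            entry["unknown_radio"] += 1
    return dict(summary)


def suspect_controllers(requests, min_rejects=2):
    """NAS IPs whose rejects are dominated by MAC-auth attempts: the candidates
    for a security profile that still has MAC-auth RADIUS profiles configured."""
    return sorted(ip for ip, e in summarize_rejects(requests).items()
                  if e["mac_auth_rejects"] >= min_rejects
                  and e["mac_auth_rejects"] > e["user_rejects"])


if __name__ == "__main__":
    for ip, entry in summarize_rejects(SAMPLE_REQUESTS).items():
        print(ip, entry)
    print("suspect controllers:", suspect_controllers(SAMPLE_REQUESTS))
```

On a real export, replace `SAMPLE_REQUESTS` with the rows read from the CSV and map the column names once; the MAC normalisation matters because controllers and ClearPass do not always format Calling-Station-Id the same way as the User-Name they generate.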
Today I ran into a problem with RADIUS authentication for management on an ArubaOS-Switch.
The switch was an Aruba 2530 with SSH configured to authenticate against a ClearPass cluster with PEAP-MSCHAPv2.
The error I got in ClearPass was "Client did not complete EAP transaction", and in the logs there was no inner method available.
The switch was configured this way:
aaa authentication web login peap-mschapv2 local
aaa authentication web enable radius local
aaa authentication ssh login peap-mschapv2 local
aaa authentication ssh enable radius local
After some looking I found out that the time on the switch was running behind and that the SNTP configuration was not correct. So I changed it to the correct config and let it sync.
Now the authentication completed as normal and I could log in over SSH.
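Why a wrong clock breaks this particular setup: with `peap-mschapv2` the switch acts as the EAP peer and first builds a TLS tunnel to ClearPass, and only inside that tunnel does the MSCHAPv2 inner method run. A clock that is far behind puts the switch outside the validity window of the server certificate, so the TLS handshake fails before any inner method is attempted, which is exactly what "Client did not complete EAP transaction" with no inner method looks like from the ClearPass side. As an added example (not the configuration from the original post) here is an ArubaOS-Switch SNTP setup to pair with the AAA lines above; the server address, poll interval, timezone and daylight-saving rule are placeholders, and the `;` lines are comments.

```text
; Time source (server address and interval are placeholders)
timesync sntp
sntp unicast
sntp server priority 1 10.0.0.5
sntp 120
; Local time presentation (offset in minutes and DST rule are placeholders)
time timezone 60
time daylight-time-rule middle-europe-and-portugal
; Verify the sync state and the resulting clock before retesting the SSH login
show sntp
show time
```

A second server with `sntp server priority 2` avoids a repeat of the same failure when the single time source goes away, and a quick `show time` against a known-good clock is worth doing whenever an EAP-based management login stops working for no obvious reason.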