Comware 7 Tacacs priv-level

RBAC in comware | 6/28/2018


Today i have been looking to a good table for the privilege levels in comware 7. Within Clearpass you can return a priv-level within the tacacs authentication.

This table is also know as the RBAC table.

Here is the table i was looking for:


User role name level Permissions
network-admin - Accesses all features and resources in the sytem.
network-operator -

Accesses all display commands for all features and resouces in the system.

Enables local authentication users to change their passwords.

level-n(0 to 15) 0

Has access to dianostics commands like tracert and ping. These are configurable.

  1 Has all rights of 0 plus display commands to all resources in the system
  2-8,10-14 No rights by default
  9 Has all rights to all features and resources accept RBAC, local users, file management and device management
  15 Has all rights exept changing local users with network-admin of network-operator role


Categories Clearpass

Meru wireless controller bug



I ran into a bug today with an wireless controller of Meru. The customer had an wireless network with 802.1x authentication with reauthentication.

Within the access tracker i saw a lot of rejects from this controller.

Radius:IETF:Called-Station-Id    %mac%
Radius:IETF:Calling-Station-Id    %mac%
Radius:IETF:Connect-Info    CONNECT Unknown Radio
Radius:IETF:Framed-MTU    1250
Radius:IETF:NAS-IP-Address    %IP% from meru controller
Radius:IETF:NAS-Port    0
Radius:IETF:NAS-Port-Type    19
Radius:IETF:Service-Type    1
Radius:IETF:User-Name    %mac same as Calling station ID%

After a while i figured out that in the security profile both " MAC Auth Primary RADIUS Profile Name " and " MAC Auth Secondary RADIUS Profile Name " where filled in.

"MAC Filtering" was configured as off, so if i wanted to change this i needed to put is on and change it to no radius and set it back to off. The Meru controller did nothing with this change.

Trough the cli i tried it also with the following commands under the security profile:

no mac-filter-radius-server primary

no mac-filter-radius-server secondary

But when you exit you receive the following error:

Error:Acl Environment state and MAC Primary and Secondary Radius Profile valid only if mac filtering is on

So i created a new security profile and set it to the ESS of the network with the issue and the problem of the rejects disappeared.

PS: After applying the new security profile every client needs the re-authenticate. 

Categories Clearpass

Clearpass Client did not complete EAP transaction

with ssh authentication | 11/24/2017


Today i ran into a problem with radius authentication on a ArubaOS-Switch for management.

The switch was a Aruba 2530 with ssh configured to authenticate to a clearpass cluster with peap-mschapv2.

The error i got in clearpass was "Client did not complete EAP transaction". and in the logs there was no inner method available.

So the switch was configured this way:

aaa authentication web login peap-mschapv2 local
aaa authentication web enable radius local
aaa authentication ssh login peap-mschapv2 local
aaa authentication ssh enable radius local

After some looking i found out that the time on the switch was running behind and that the sntp configuration was not correct. So i changed it to the correct config and let it sync.

Now the authentication did complete as normal and i could login over ssh.