1) Switch settings

tacacs-server host 192.168.2.10 vrf xyz
tacacs-server host 192.168.2.11 vrf xyz
tacacs-server key plaintext xyzxyzxyz
! pap is the default auth-type, so the next statement is not needed
tacacs-server auth-type pap

aaa group server tacacs group-tacacs
    server 192.168.2.10 vrf xyz
    server 192.168.2.11 vrf xyz

aaa authentication login default group group-tacacs local
aaa authentication allow-fail-through

1.1) To verify user permissions, run this command after a successful logon: show user information
To see which groups are available on the CX switch, run:
show user-group
GROUP NAME     GROUP TYPE     INCLUDED GROUP     NUMBER OF RULES
-------------- -------------- ------------------ -------------------
administrators built-in       n/a                n/a
auditors       built-in       n/a                n/a
operators      built-in       n/a                n/a


2) On the TACACS+ server side, return the right attributes

2.1) ClearPass Enforcement Profile:
Action: Accept
Service Attributes: Aruba:Common Aruba-Admin-Role = administrators

>> the important part is the service attribute "Aruba:Common" and the role "administrators"
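
An added example, not part of the original note: a small Python check that the switch settings from step 1 and the role returned in step 2.1 line up. The function names are hypothetical, the sample input is constructed from the lines on this page (trimmed to the ones the checks read), and it assumes the returned role must exactly match a group listed by show user-group.

```python
import re

# Constructed sample input: switch settings and "show user-group" output as on this page.
CONFIG = """\
tacacs-server host 192.168.2.10 vrf xyz
tacacs-server host 192.168.2.11 vrf xyz
aaa group server tacacs group-tacacs
    server 192.168.2.10 vrf xyz
    server 192.168.2.11 vrf xyz
aaa authentication login default group group-tacacs local
"""
USER_GROUPS = """\
GROUP NAME     GROUP TYPE     INCLUDED GROUP     NUMBER OF RULES
-------------- -------------- ------------------ -------------------
administrators built-in       n/a                n/a
auditors       built-in       n/a                n/a
operators      built-in       n/a                n/a
"""

def parse_user_groups(output):
    """Group names from 'show user-group': first column of rows after the dashed rule."""
    lines = output.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("---")) + 1
    return {l.split()[0] for l in lines[start:] if l.strip()}

def audit(config, groups_output, returned_role):
    """Return findings; an empty list means switch and server settings line up."""
    findings = []
    hosts = set(re.findall(r"^tacacs-server host (\S+) vrf (\S+)", config, re.M))
    groups, current = {}, None  # server group name -> set of (ip, vrf) members
    for line in config.splitlines():
        if m := re.match(r"aaa group server tacacs (\S+)", line):
            current = groups.setdefault(m.group(1), set())
        elif current is not None and (m := re.match(r"\s*server (\S+) vrf (\S+)", line)):
            current.add(m.groups())
        else:
            current = None
    for name, members in groups.items():
        for ip, vrf in sorted(members - hosts):
            findings.append(f"group {name}: {ip} vrf {vrf} has no tacacs-server host line")
    login = re.search(r"^aaa authentication login default (.+)$", config, re.M)
    methods = login.group(1).split() if login else []
    for i, word in enumerate(methods[:-1]):
        if word == "group" and methods[i + 1] not in groups:
            findings.append(f"login references undefined server group {methods[i + 1]}")
    if not methods or methods[-1] != "local":
        findings.append("login method list does not end with the local fallback")
    if returned_role not in parse_user_groups(groups_output):
        findings.append(f"role {returned_role!r} is not a user group on this switch")
    return findings
```

Calling audit(CONFIG, USER_GROUPS, "administrators") returns an empty list for the settings shown on this page.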

