Posted on July 10, 2020 4:12 pm | Asked by Mauricio Guzman

Hi all,

I’m trying to configure a read-only account to have access to certain (non-critical) commands via the API and I’m having no luck.

Aruba ClearPass is doing the TACACS authentication & authorization, admin lvl 15 is working great, the issue is with read-only.

ClearPass read-only is configured with the following attributes

shell  cpv-roles network-operator

shell priv-lvl=1

Switch is configured like this

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

management api http-commands
no shutdown

I’m getting the following error:

"jsonrpc": "2.0",
"id": "EapiExplorer-1",
"error": {
"data": [
"errors": [
"Invalid input (privileged mode required)"
"message": "CLI command 1 of 1 'show ip access-lists' failed: invalid command",
"code": 1002

I have a strong feeling I’m missing some commands on the switch but not one hundred percent certain.


Any help would be greatly appreciated.




Posted by Tamas Plugor
Answered on July 10, 2020 4:21 pm

Hi Mauricio,

As the error says, you require privileged mode; you cannot run show ip access-list with priv-lvl 1, so you need to set the priv level higher. Level 2 worked for me, for example.

Also, to avoid having unknown roles in EOS, in ClearPass you might also need to set roles=network-operator in addition to cvp-roles=network-operator or cvp-roles*network-operator, as cvp-roles is only used by CVP; for EOS the attribute is roles. This is just in case you use both CVP and EOS for that user.
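
Added example (not part of the original thread and not Arista's code): a Python check that classifies eAPI JSON-RPC replies, so the commands a read-only TACACS+ account is meant to run can be audited against what its privilege level actually permits. The replies are constructed from the error quoted in the question; the function names, the demo policy and the assumed shape of error.data are hypothetical.

```python
import json

PRIV_HINT = "privileged mode required"  # error text quoted in the question

def build_request(cmd, req_id="audit-1"):
    """JSON-RPC 2.0 body for an eAPI runCmds call, one command per request."""
    return {"jsonrpc": "2.0", "method": "runCmds", "id": req_id,
            "params": {"version": 1, "cmds": [cmd], "format": "json"}}

def classify(reply):
    """Return 'allowed', 'needs-privilege' or 'error:<code>' for one reply."""
    err = reply.get("error")
    if err is None:
        return "allowed"
    # Assumption: error.data is a list and the failing entry carries "errors".
    texts = [t for item in err.get("data", []) if isinstance(item, dict)
             for t in item.get("errors", [])]
    if any(PRIV_HINT in t for t in texts):
        return "needs-privilege"
    return "error:%s" % err.get("code")

def audit(replies, expected):
    """List (command, expected, actual) wherever the role behaves unexpectedly."""
    findings = []
    for cmd, want in expected.items():
        got = classify(replies[cmd])
        if got != want:
            findings.append((cmd, want, got))
    return findings

# Constructed replies: the first completes the fragment quoted in the question.
DENIED = json.loads("""{"jsonrpc": "2.0", "id": "audit-1", "error": {
  "data": [{"errors": ["Invalid input (privileged mode required)"]}],
  "message": "CLI command 1 of 1 'show ip access-lists' failed: invalid command",
  "code": 1002}}""")
GRANTED = {"jsonrpc": "2.0", "id": "audit-1", "result": [{}]}

# What the read-only role is meant to do (hypothetical policy for the demo).
EXPECTED = {"show ip access-lists": "allowed", "show version": "allowed"}
REPLIES = {"show ip access-lists": DENIED, "show version": GRANTED}

if __name__ == "__main__":
    for cmd, want, got in audit(REPLIES, EXPECTED):
        print("%s: expected %s, got %s" % (cmd, want, got))
```

Listing commands the role should not be able to run with an expected outcome of needs-privilege turns the same audit into a least-privilege check after the privilege level is raised.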


Posted by Mauricio Guzman
Answered on July 10, 2020 5:34 pm

Hi Tamas,

Thank you very much for the information!!
