Posted on July 10, 2020 4:12 pm
 |  Asked by Mauricio Guzman
RESOLVED

Hi all,

I’m trying to configure a read-only account to have access to certain (non-critical) commands via the API and I’m having no luck.

Aruba ClearPass is doing the TACACS authentication & authorization, admin lvl 15 is working great, the issue is with read-only.

ClearPass read-only is configured with the following attributes:

shell  cpv-roles network-operator

shell priv-lvl=1

Switch is configured like this:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

management api http-commands
no shutdown

I’m getting the following error:

{
  "jsonrpc": "2.0",
  "id": "EapiExplorer-1",
  "error": {
    "data": [
      {
        "errors": [
          "Invalid input (privileged mode required)"
        ]
      }
    ],
    "message": "CLI command 1 of 1 'show ip access-lists' failed: invalid command",
    "code": 1002
  }
}

I have a strong feeling I’m missing some commands on the switch but not one hundred percent certain.

Any help would be greatly appreciated.

Cheers!

MG

Posted by Tamas Plugor
Answered on July 10, 2020 4:21 pm

Hi Mauricio,

As the error says, privileged mode is required: you cannot run show ip access-list with priv-lvl 1, so you need to set the priv level higher; level 2 worked for me, for example.

Also, to avoid having unknown roles in EOS, in ClearPass you might also need to set roles=network-operator in addition to cvp-roles=network-operator or cvp-roles*network-operator, as cvp-roles is only used by CVP; for EOS the attribute is roles. This is just in case you use both CVP and EOS for that user.

HTH,
Tamas

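As an added example (not code from this thread, from Arista or from ClearPass), here is a small Python eAPI client for the exchange discussed above: it builds the JSON-RPC runCmds request, sends it with HTTP basic auth over HTTPS, and classifies the reply so that the "privileged mode required" error a too-low TACACS priv-lvl produces is reported as an authorization problem rather than a bad command. The host, credentials, request id and the offline `transport` hook are assumptions; the embedded error body is the one quoted in the question.

```python
import base64
import json
import urllib.request

# Constructed sample: the eAPI error body quoted in the question, as EOS returns
# it when the TACACS-assigned privilege level is too low for the command.
SAMPLE_ERROR_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": "EapiExplorer-1",
    "error": {
        "data": [{"errors": ["Invalid input (privileged mode required)"]}],
        "message": "CLI command 1 of 1 'show ip access-lists' failed: invalid command",
        "code": 1002,
    },
})

def build_runcmds_request(cmds, request_id="authz-check-1"):
    """Build the JSON-RPC 2.0 body that eAPI's runCmds method expects."""
    return {
        "jsonrpc": "2.0",
        "method": "runCmds",
        "params": {"version": 1, "cmds": list(cmds), "format": "json"},
        "id": request_id,
    }

def classify_eapi_response(body):
    """Return ('ok', result), ('authz', detail) or ('error', detail); 'authz' is
    the thread's case: the account's priv-lvl does not cover the command."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    if "error" not in doc:
        return "ok", doc.get("result", [])
    err = doc["error"]
    cli_errors = [m for d in err.get("data", []) for m in d.get("errors", [])]
    detail = {"code": err.get("code"), "message": err.get("message"), "errors": cli_errors}
    kind = "authz" if any("privileged mode required" in m for m in cli_errors) else "error"
    return kind, detail

def run_cmds(host, user, password, cmds, transport=None):
    """POST runCmds to https://<host>/command-api with HTTP basic auth. 'transport'
    is a hypothetical hook for an offline sender; by default urllib is used."""
    body = json.dumps(build_runcmds_request(cmds)).encode()
    req = urllib.request.Request(f"https://{host}/command-api", data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    send = transport or (lambda r: urllib.request.urlopen(r).read())
    return classify_eapi_response(send(req))
```

An "authz" result is the signal to raise the account's priv-lvl (or fix its roles attribute) in ClearPass, as the answer above describes, rather than to change the command.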
Posted by Mauricio Guzman
Answered on July 10, 2020 5:34 pm

Hi Tamas,

Thank you very much for the information!!
