
Article Number: 000181974


Dell EMC Networking OS10 TACACS+ configuration on ClearPass

Summary: When authenticating with TACACS+ through ClearPass, the default netoperator role is assigned instead of sysadmin.

Article Content


Instructions


Possible Error Logs

Dec 23 22:04:38 TKMXA01-NSA1 .clish[30182]: LOG PREFIX: Dell EMC (OS10)
Dec 23 22:04:39 TKMXA01-NSA1 .clish[30182]: [MGMT:CLISH], privilege level is not config'ed
Dec 23 22:04:39 TKMXA01-NSA1 .clish[30182]: [MGMT:CLISH], ptree exception: No such node (rpc-reply.data.system.user.privilege-level)
Dec 23 22:04:39 TKMXA01-NSA1 .clish[30182]: [MGMT:CLISH], User privilege is not in CMS db,assigning default value(1)
Dec 23 22:04:39 TKMXA01-NSA1 .clish[30182]: [MGMT:CLISH], Error: Failed to get mode for view hidden-view
Dec 23 22:04:40 TKMXA01-NSA1 .clish[30182]: Node.1-Unit.1:PRI [audit], CLI session started for user pnielsen with role netoperator on /dev/pts/1
Dec 23 22:04:40 TKMXA01-NSA1 .clish[30182]: [MGMT:CLISH], No mgmt-clish accounting profiles to retrive at clish startup
-----------------------------------------

 

Follow These Steps to Change the Role

For the sysadmin role to be granted, we must first define shell:roles in the TACACS+ Services dictionary.

1.  In ClearPass Policy Manager, under Administration, go to Dictionaries -> TACACS+ Services -> select ppp:ip, and then click Export.


 
2.  Open the XML file in Notepad++, add the following line, and save the file with the change.
<ServiceAttribute dataType="String" dispName="shell:roles" name="shell:roles"/>



3.  Import the changes to ClearPass. Return to ClearPass Policy Manager and, under Administration, go to Dictionaries -> TACACS+ Services -> select ppp:ip -> click Import.

Attach the XML file and specify the secret, then click Import.

 


4.  Apply the Service to your Enforcement Profile. To learn how to create an Enforcement Profile, please visit here.

Under Configuration, go to Enforcement -> Profiles -> select or add a new Enforcement Profile -> click Services.
 
  1. Set the privilege level to 15
  2. Add PPP:IP by choosing it from the “Authorize Attribute Status”
  3. Under Server Attributes, Click the “Click to add…” icon
  4. Select PPP:IP as the Type, shell:roles as the Name, and sysadmin as the Value.



Note: If you did not import the TACACS+ Services Dictionary with the changes, the shell:roles option will not be present. You can additionally import the XML file here. Be sure to set the secret here, and be sure it is the same one you are using on the OS10 switch.

Verify/add the TACACS+ configuration



Attempt to log in with your TACACS+ account
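To confirm the result from the switch log after the login attempt, the following Python script (an added example, not part of the original article or Dell's tooling) reports the role each CLI session received and flags sessions where OS10 fell back to the default privilege. The sample input is taken from the error logs shown above; the function name and result fields are assumptions made for this example.

```python
import re

# Lines copied from the "Possible Error Logs" section of this article.
SAMPLE_LOG = """\
Dec 23 22:04:39 TKMXA01-NSA1 .clish[30182]: [MGMT:CLISH], privilege level is not config'ed
Dec 23 22:04:39 TKMXA01-NSA1 .clish[30182]: [MGMT:CLISH], User privilege is not in CMS db,assigning default value(1)
Dec 23 22:04:40 TKMXA01-NSA1 .clish[30182]: Node.1-Unit.1:PRI [audit], CLI session started for user pnielsen with role netoperator on /dev/pts/1
"""

# Syslog prefix as it appears in the article: timestamp, host, .clish[PID]: message
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)"
                  r"\s\.clish\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
SESSION = re.compile(r"CLI session started for user (?P<user>\S+) "
                     r"with role (?P<role>\S+) on (?P<tty>\S+)")
FALLBACK = "assigning default value"  # logged when no privilege/role was received

def audit_sessions(log_text, expected_role="sysadmin"):
    """Return one dict per CLI session, correlated by host and clish PID."""
    fallback = set()   # (host, pid) pairs that logged the privilege fallback
    sessions = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue   # not a .clish line in the expected format
        key = (m["host"], m["pid"])
        if FALLBACK in m["msg"]:
            fallback.add(key)
        s = SESSION.search(m["msg"])
        if s:
            sessions.append({
                "time": m["ts"], "host": m["host"], "user": s["user"],
                "role": s["role"], "tty": s["tty"],
                "role_ok": s["role"] == expected_role,
                "privilege_fallback": key in fallback,
            })
            fallback.discard(key)  # a reused PID starts with a clean state
    return sessions

if __name__ == "__main__":
    for s in audit_sessions(SAMPLE_LOG):
        status = "OK" if s["role_ok"] else "ROLE MISMATCH"
        print(f'{s["time"]} {s["host"]} {s["user"]} role={s["role"]} '
              f'fallback={s["privilege_fallback"]} -> {status}')
```

A session that still shows `netoperator` together with the fallback flag after the change indicates that the shell:roles attribute is not reaching the switch.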


 
 

Article Properties


Affected Product

W-ClearPass Hardware Appliances, W-ClearPass Virtual Appliances

Last Published Date

15 Jan 2021

Version

2

Article Type

How To