User role assignment using TACACS+ attributes
User role assignment is configured on the TACACS+ server using VSAs (vendor-specific attributes) and TACACS+ specified attributes.
TACACS+ servers can return multiple attribute value pairs (AVPs) in response to an authentication request. The attributes are processed in this order of precedence to determine the user role assigned:
If the
Aruba-Admin-RoleVSA is present, map the user to the matching corresponding local user-group name.Else if the
priv-lvlTACACS+ specified attribute is present, extract the privilege level (1, 15, or 19) and map the user to the local user-group corresponding to this privilege level (1=operators,15=administrators,19=auditors). Privilege levels 2 to 14 may also be used with matching local user groups named 2 to 14.Otherwise, the user role cannot be determined, and authentication fails.
Aruba-Admin-Role |
priv-lvl |
User role assigned |
|---|---|---|
<GROUP-NAME> |
Do not care | Matching local user
<GROUP-NAME> |
| Not present | 1 | Operators |
| Not present | 15 | Administrators |
| Not present | 19 | Auditors |
| Not present | 2 to 14 | Matching local user groups named 2 to 14 |
| Not present | Not present | None (not authenticated) |