User role assignment using TACACS+ attributes
User role assignment is configured on the TACACS+ server using VSAs (vendor-specific attributes) and standard TACACS+ attributes.
A TACACS+ server can return multiple attribute-value pairs (AVPs) in its reply to a login request. The switch processes the returned attributes in the following order of precedence to determine the user role to assign:
1. If the Aruba-Admin-Role VSA is present, map the user to the local user group whose name matches the VSA value.
2. Else, if the standard TACACS+ priv-lvl attribute is present, extract the privilege level and map the user to the local user group that corresponds to it: 1 = operators, 15 = administrators, 19 = auditors. Privilege levels 2 to 14 may also be used, provided that matching local user groups named 2 to 14 exist.
3. Otherwise, the user role cannot be determined and authentication fails.
| Aruba-Admin-Role | priv-lvl | User role assigned |
|---|---|---|
| <GROUP-NAME> | Do not care | Matching local user group <GROUP-NAME> |
| Not present | 1 | Operators |
| Not present | 15 | Administrators |
| Not present | 19 | Auditors |
| Not present | 2 to 14 | Matching local user group named 2 to 14 |
| Not present | Not present | None (not authenticated) |
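The precedence rules above, implemented as a small reference model. This is an added example, not switch or HPE Aruba code: it parses the AVP strings a TACACS+ server returns (the attribute and value are separated by `=` for a mandatory attribute or `*` for an optional one) and selects the role exactly as the list and table describe. Two behaviours the page does not spell out are assumptions here and are handled fail-closed: an Aruba-Admin-Role value that names no local user group, or a priv-lvl with no defined mapping (0, 16 to 18, or a non-integer), both result in no role, so authentication fails rather than silently falling back. The local group names in `LOCAL_GROUPS` are constructed for the example.

```python
"""Reference model of TACACS+ attribute precedence for user role assignment.

Added example; not the switch's own implementation.
"""
import re
from typing import Dict, Iterable, Optional, Set

# Built-in mapping of TACACS+ priv-lvl to local user group (from the page).
PRIV_LVL_GROUPS: Dict[int, str] = {
    1: "operators",
    15: "administrators",
    19: "auditors",
}

# Constructed for the example: the local user groups configured on a switch.
# "2" and "7" stand in for the optional groups named 2 to 14; "netops" is a
# custom group that a TACACS+ server could name in Aruba-Admin-Role.
LOCAL_GROUPS: Set[str] = {"operators", "administrators", "auditors", "netops", "2", "7"}

# TACACS+ AVP syntax: attribute, then '=' (mandatory) or '*' (optional), then value.
_AVP_RE = re.compile(r"^([^=*]+)[=*](.*)$")


def parse_avps(avps: Iterable[str]) -> Dict[str, str]:
    """Turn raw AVP strings into an attribute -> value dict.

    Malformed entries (no '=' or '*' separator) are ignored, and a repeated
    attribute keeps its first value. Values are kept verbatim (no trimming).
    """
    parsed: Dict[str, str] = {}
    for avp in avps:
        match = _AVP_RE.match(avp)
        if match is None:
            continue
        attr, value = match.group(1), match.group(2)
        parsed.setdefault(attr, value)
    return parsed


def select_role(avps: Iterable[str], local_groups: Set[str] = LOCAL_GROUPS) -> Optional[str]:
    """Return the local user group to assign, or None if the role cannot be determined.

    Precedence: Aruba-Admin-Role VSA first, then priv-lvl, else no role.
    """
    attrs = parse_avps(avps)

    # 1. Aruba-Admin-Role VSA wins whenever it is present, regardless of priv-lvl.
    role = attrs.get("Aruba-Admin-Role")
    if role is not None:
        # Assumption: a VSA naming a group that does not exist locally is a
        # failure, not a fall-through to priv-lvl.
        return role if role in local_groups else None

    # 2. Standard priv-lvl attribute.
    lvl_str = attrs.get("priv-lvl")
    if lvl_str is not None:
        try:
            lvl = int(lvl_str)
        except ValueError:
            return None  # assumption: non-numeric priv-lvl -> no role
        if lvl in PRIV_LVL_GROUPS:
            return PRIV_LVL_GROUPS[lvl]
        if 2 <= lvl <= 14:
            # Only valid when an administrator has created a group with that name.
            name = str(lvl)
            return name if name in local_groups else None
        return None  # 0, 16 to 18, negatives: no mapping defined

    # 3. Neither attribute present: role cannot be determined, authentication fails.
    return None


if __name__ == "__main__":
    # Constructed sample replies, one per row of the precedence table.
    samples = [
        ["service=shell", "Aruba-Admin-Role=netops", "priv-lvl=15"],  # VSA beats priv-lvl
        ["priv-lvl=15"],                                             # administrators
        ["priv-lvl=7"],                                              # custom group "7"
        ["priv-lvl=3"],                                              # no local group "3"
        ["priv-lvl=16"],                                             # undefined level
        ["service=shell"],                                           # no role attribute
    ]
    for reply in samples:
        print(f"{reply!r:60} -> {select_role(reply)}")
```

Run it directly to see each sample reply beside the role it yields; a `None` result is the case in which the switch would reject the login even though the TACACS+ server accepted the credentials, which is worth checking for in the server's authorization logs when a user unexpectedly cannot log in.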