User role assignment using TACACS+ attributes

User role assignment is configured on the TACACS+ server using VSAs (vendor-specific attributes) and TACACS+ specified attributes.

TACACS+ servers can return multiple attribute-value pairs (AVPs) in response to an authentication request. The attributes are processed in this order of precedence to determine the user role assigned:

  • If the Aruba-Admin-Role VSA is present, map the user to the local user group whose name matches the VSA value.

  • Else if the priv-lvl TACACS+ specified attribute is present, extract the privilege level (1, 15, or 19) and map the user to the local user group corresponding to this privilege level (1=operators, 15=administrators, 19=auditors). Privilege levels 2 to 14 may also be used with matching local user groups named 2 to 14.

  • Otherwise, the user role cannot be determined, and authentication fails.

This information is summarized as follows:

Aruba-Admin-Role    priv-lvl       User role assigned
<GROUP-NAME>        Do not care    Matching local user group <GROUP-NAME>
Not present         1              operators
Not present         15             administrators
Not present         19             auditors
Not present         2 to 14        Matching local user group named 2 to 14
Not present         Not present    None (authentication fails)
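The precedence rules above, worked through as an added example (this is not code from the switch or from this documentation). It parses the AVPs a TACACS+ server returns and decides the user group exactly in the order listed: the Aruba-Admin-Role VSA first, priv-lvl second, failure otherwise. The set of local user groups and the constructed AVP lists are assumptions; so is the fail-closed handling of values the page does not mention (an Aruba-Admin-Role value or priv-lvl with no matching local group, a priv-lvl outside 1-19, or a malformed attribute), all of which are treated as "role cannot be determined".

```python
"""Map TACACS+ AVPs to a local user group, following the documented precedence.

Added example, not part of the switch firmware or the vendor documentation.
"""
import re
from typing import Dict, Iterable, Optional, Set

# Local user groups assumed to be configured on the switch (constructed for this
# example): the three built-in groups plus groups named "2" to "14".
LOCAL_GROUPS: Set[str] = {"operators", "administrators", "auditors"} | {
    str(n) for n in range(2, 15)
}

# priv-lvl -> local user group, as given in the table above.
PRIV_LVL_GROUPS: Dict[int, str] = {1: "operators", 15: "administrators", 19: "auditors"}
PRIV_LVL_GROUPS.update({n: str(n) for n in range(2, 15)})

# TACACS+ attribute-value pair: "attr=value" (mandatory) or "attr*value" (optional).
_AVP_RE = re.compile(r"^([^=*]+)([=*])(.*)$")


def parse_avps(avps: Iterable[str]) -> Dict[str, str]:
    """Split raw AVP strings into a dict keyed by attribute name.

    Both the mandatory ('=') and optional ('*') separators are accepted.
    A malformed AVP raises ValueError so the caller can fail closed.
    If an attribute is repeated, the last value wins (assumption).
    """
    parsed: Dict[str, str] = {}
    for avp in avps:
        match = _AVP_RE.match(avp)
        if match is None:
            raise ValueError(f"malformed TACACS+ AVP: {avp!r}")
        attr, _sep, value = match.groups()
        parsed[attr.strip()] = value.strip()
    return parsed


def assign_role(avps: Iterable[str], local_groups: Set[str] = LOCAL_GROUPS) -> Optional[str]:
    """Return the local user group for the user, or None if authentication must fail."""
    try:
        attrs = parse_avps(avps)
    except ValueError:
        return None  # assumption: a malformed response cannot yield a role

    # 1. Aruba-Admin-Role VSA present: it wins, and priv-lvl is ignored ("Do not care").
    role = attrs.get("Aruba-Admin-Role")
    if role is not None:
        # Assumption: a VSA naming a group that does not exist locally fails closed.
        return role if role in local_groups else None

    # 2. Otherwise fall back to the priv-lvl attribute.
    priv = attrs.get("priv-lvl")
    if priv is not None:
        try:
            level = int(priv)
        except ValueError:
            return None  # assumption: non-numeric priv-lvl cannot be mapped
        group = PRIV_LVL_GROUPS.get(level)
        # Levels 2-14 only work when a local group of that name exists;
        # any level without a group (0, 16-18, 20+) fails closed.
        return group if group in local_groups else None

    # 3. Neither attribute present: the role cannot be determined.
    return None


if __name__ == "__main__":
    # Constructed server responses, not captured traffic.
    samples = [
        ["service=shell", "Aruba-Admin-Role=auditors", "priv-lvl=15"],  # VSA wins
        ["service=shell", "priv-lvl=15"],                               # administrators
        ["service=shell", "priv-lvl*1"],                                # operators (optional AVP)
        ["service=shell", "priv-lvl=7"],                                # local group "7"
        ["service=shell", "priv-lvl=0"],                                # fails
        ["service=shell"],                                              # fails
    ]
    for avps in samples:
        print(f"{avps!r:70} -> {assign_role(avps)}")
```

Running the module prints the decision for each constructed response; in production the same function would sit between the TACACS+ client and the session setup, with None meaning the login is rejected rather than silently demoted to a default role.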