
Airwave External Auth using CPPM/RADIUS

CPPM can return the RADIUS attributes that Airwave requires to authorize an Airwave login.

Environment: Airwave + CPPM
Airwave using CPPM as RADIUS Server for Authentication


In this scenario we use a Local User Repository with two test users classified under two roles. Each role's enforcement profile returns a different attribute, granting Admin or User level access on Airwave.
The steps on CPPM are as follows.


Step 1) Create Users and Roles

User        Role
testadmin   Admin
testuser    User
 
Step 2) Create a Role Mapping Policy

Type            Name        Operator   Value       Role Name
RADIUS : IETF   User-Name   EQUALS     testadmin   Admin
RADIUS : IETF   User-Name   EQUALS     testuser    User
 
Step 3) Create an Enforcement Policy with the following rules

Type                    Name        Operator   Value   Enforcement Profile
Local User Repository   Role_Name   EQUALS     Admin   Admin Profile
Local User Repository   Role_Name   EQUALS     User    User Profile

You can make the above rules more generic so that you do not have to create a rule for each user.


Step 4) Create two enforcement profiles, one per role, so that each returns the required attribute to the Airwave server.

The attribute to return for each role is as follows.

Profile Name    Type            Name               Value
Admin Profile   Radius : Aruba  Aruba-Admin-Role   Admin
User Profile    Radius : Aruba  Aruba-Admin-Role   Read-Only Monitoring & Auditing

The Airwave server understands these role attributes by default when CPPM returns them. You can create more roles and return values as required; the return value must match the role name on the AMP server.


Step 5) Create a new RADIUS Enforcement (Generic) service

  1. Service rule: NAD-IP-Address = <AMP Server IP>
  2. Authentication: PAP against the Local User Repository
  3. Select the Role Mapping Policy created in Step 2
  4. Select the Enforcement Policy created in Step 3

Refer to the screenshot below.

[Screenshot: CPPM RADIUS Enforcement (Generic) service configuration (rtaImage.png)]

Step 6) Add the AMP server as a Network Device. Specify the IP address of the AMP server and the shared secret.

Step 7) Configure the Airwave server

  1. Navigate to AMP Setup > Authentication
  2. Enable RADIUS Authentication and Authorization. Specify the CPPM IP and the shared secret used in Step 6.
  3. You can also change the Authentication priority to Remote so that all requests go to RADIUS first. If that fails, Airwave checks the local database.

Refer to the screenshot below for the configuration on the Airwave server.

[Screenshot: Airwave AMP Setup > Authentication, RADIUS settings (rtaImage (1).png)]

This can also be done without a role mapping policy: the enforcement policy can select the profile that sends the role based on the attributes of an AD user or any other local user.

 

Basic Troubleshooting Steps

  1. Check Monitoring > Access Tracker on CPPM to ensure that the Airwave server sends a request. If it does not, make sure that the Data port (not the Management port) is reachable: when both ports are active, CPPM listens for RADIUS requests on the Data port only. If you are using the Management port only, CPPM listens for requests on the Management port.
  2. Once the request appears in Access Tracker, double-click on it and check the attributes returned, verifying that they match what is needed.
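The following Python script is an added example, not part of the original article or of any Aruba or CPPM code. It shows what the Step 4 attribute looks like on the wire and what a RADIUS client such as the AMP server has to check before acting on an Access-Accept, which is the same thing troubleshooting step 2 verifies by eye in Access Tracker. The script encodes the Aruba-Admin-Role Vendor-Specific Attribute, validates the Response Authenticator against the shared secret, extracts the role, and only grants a role name that exists on the AMP server, failing closed otherwise. The vendor ID (14823) and the Aruba-Admin-Role sub-type (4) are assumed from the public Aruba RADIUS dictionary rather than taken from the article; the shared secret, packet identifiers and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# Assumed from the public Aruba RADIUS dictionary (not stated in the article):
ARUBA_VENDOR_ID = 14823    # IANA private enterprise number carried in Aruba VSAs
ARUBA_ADMIN_ROLE = 4       # vendor sub-type for Aruba-Admin-Role
ATTR_VENDOR_SPECIFIC = 26  # standard RADIUS Vendor-Specific attribute type
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3

# Role names that exist on the AMP server; the article's two profiles return these.
AMP_ROLES = {"Admin", "Read-Only Monitoring & Auditing"}


def aruba_vsa(subtype: int, value: str) -> bytes:
    """Encode one Aruba VSA as a Radius:Aruba enforcement profile returns it."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", subtype, len(data) + 2) + data
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def build_response(code: int, ident: int, request_auth: bytes,
                   secret: bytes, attrs: bytes) -> bytes:
    """Build a RADIUS response; the Response Authenticator (RFC 2865 section 3)
    is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator so a forged or modified reply is rejected."""
    if len(packet) < 20:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(data: bytes):
    """Walk RADIUS type-length-value attributes, raising on malformed lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[i + 2:i + alen]
        i += alen


def extract_admin_role(attrs: bytes):
    """Return the Aruba-Admin-Role string from the attribute list, or None if absent."""
    for atype, value in parse_attributes(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        for subtype, subval in parse_attributes(value[4:]):
            if subtype == ARUBA_ADMIN_ROLE:
                return subval.decode("utf-8", errors="replace")
    return None


def amp_role_for(packet: bytes, request_auth: bytes, secret: bytes):
    """Decide which AMP role to grant; every failure path returns None (fail closed)."""
    if not verify_response(packet, request_auth, secret):
        return None
    if packet[0] != CODE_ACCESS_ACCEPT:
        return None
    try:
        role = extract_admin_role(packet[20:])
    except ValueError:
        return None
    return role if role in AMP_ROLES else None


if __name__ == "__main__":
    # Constructed sample values; a real AMP server generates its own Request Authenticator.
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))
    accept = build_response(CODE_ACCESS_ACCEPT, 7, req_auth, secret,
                            aruba_vsa(ARUBA_ADMIN_ROLE, "Admin"))
    print(amp_role_for(accept, req_auth, secret))
```

Running the script prints `Admin` for the constructed Access-Accept. An Access-Reject, a reply whose authenticator does not match the shared secret, or an Access-Accept carrying a role name that the AMP server does not know all yield `None`, which is the behaviour the article's note in Step 4 implies when it says the return value must match a role name on the AMP server.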

 

Version history
Revision #: 1 of 1
Last update: 07-09-2014 09:53 AM