CPPM can pass on attributes required for RADIUS Auth for Airwave login.
Environment : Airwave + CPPM
Airwave using CPPM as RADIUS Server for Authentication
In this scenario we use the Local User Repository with two test users assigned to two roles. Each role is tied to an Enforcement Profile that returns a different attribute, giving Admin or User level access on Airwave.
Following are the steps on CPPM
Step 1) Create Users and Roles
User | Role
testadmin | Admin
testuser | User
Step 2) Create a Role Mapping Policy
Type | Name | Operator | Value | RoleName
RADIUS:IETF | User-Name | EQUALS | testadmin | Admin
RADIUS:IETF | User-Name | EQUALS | testuser | User
Step 3) Enforcement Policy with following rules
Type | Name | Operator | Value | Enforcement Profile
Local User Repository | Role_Name | EQUALS | Admin | Admin Profile
Local User Repository | Role_Name | EQUALS | User | User Profile
You can modify the above rule to a more generic one so that you don’t have to create rules for each user.
Step 4) Create two enforcement profiles, one per role, so that the required attribute is returned to the Airwave server.
The attribute to return for each role is as follows.
Profile Name | Type | Name | Value
Admin Profile | Radius:Aruba | Aruba-Admin-Role | Admin
User Profile | Radius:Aruba | Aruba-Admin-Role | Read-Only Monitoring & Auditing
The Airwave server understands the above role attributes by default when CPPM returns them. You can create more roles and return values as required; the returned value must exactly match the role name configured on the AMP server.
Step 5) Create a new RADIUS Enforcement (Generic) service
- Service Rule : NAD-IP-Address = <AMP Server IP>
- Authentication method: PAP, authentication source: Local User Repository
- Select the Role Mapping Policy created in Step 2
- Select the Enforcement Policy created in Step 3
Refer to the screenshot below.
Step 6) Add AMP Server as a Network Device. Specify the IP address of the AMP server and shared secret.
Step 7) Configure the Airwave server
- Navigate to AMP Setup > Authentication
- Enable RADIUS Authentication and Authorization. Specify the CPPM IP and the shared secret used in Step 6.
- You can also change the Authentication priority to Remote so that all requests go to RADIUS first; only if that fails is the local database checked.
Refer to the screenshot here for the configuration on the Airwave server.
This can also be done without role mapping: the enforcement policy can select the profile (and therefore the role sent) directly from the attributes of an AD user or any other user in an authorization source.
Basic troubleshooting steps
- Check Monitoring > Access Tracker on CPPM to confirm that the Airwave server's request arrives. If it does not, make sure the Data port (not the Management port) is reachable: when both ports are active, CPPM listens for RADIUS requests on the Data port only. If only the Management port is in use, CPPM listens on the Management port.
- Once the request appears in Access Tracker, double-click it and check the attributes returned, verifying that they match what is expected.
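The attribute flow described in Steps 2 to 4 (user to role, role to enforcement profile, profile to Aruba-Admin-Role) and the final troubleshooting check (verifying the attribute CPPM returned), as an added Python example that is not part of this article, of ClearPass or of Airwave: it models the three tables above as lookups, encodes and decodes the Aruba-Admin-Role Vendor-Specific attribute in RFC 2865 AVP layout, and checks the returned value against the policy and against the role names known on the AMP server. The vendor ID 14823 and VSA type 4 are assumptions taken from the FreeRADIUS Aruba dictionary; the AMP_ROLES set and every input are constructed sample data.

```python
import struct

# Constructed sample data: the three policy tables from this article.
USER_TO_ROLE = {"testadmin": "Admin", "testuser": "User"}            # Step 2 role mapping
ROLE_TO_PROFILE = {"Admin": "Admin Profile", "User": "User Profile"}  # Step 3 enforcement policy
PROFILE_TO_ADMIN_ROLE = {                                             # Step 4 enforcement profiles
    "Admin Profile": "Admin",
    "User Profile": "Read-Only Monitoring & Auditing",
}
# Role names configured on the AMP server (constructed; the returned value must match one of these).
AMP_ROLES = {"Admin", "Read-Only Monitoring & Auditing"}

ARUBA_VENDOR_ID = 14823   # Aruba IANA enterprise number (assumption: FreeRADIUS Aruba dictionary)
ARUBA_ADMIN_ROLE = 4      # VSA type of Aruba-Admin-Role (assumption: same dictionary)
VENDOR_SPECIFIC = 26      # IETF Vendor-Specific attribute type, RFC 2865 section 5.26


def admin_role_for(user_name):
    """Walk role mapping -> enforcement policy -> enforcement profile; None if no rule matches."""
    role = USER_TO_ROLE.get(user_name)
    profile = ROLE_TO_PROFILE.get(role) if role is not None else None
    return PROFILE_TO_ADMIN_ROLE.get(profile) if profile is not None else None


def encode_aruba_admin_role(value):
    """Build one Vendor-Specific AVP carrying Aruba-Admin-Role=value (type, length, vendor-id, sub-AVP)."""
    data = value.encode()
    sub_avp = struct.pack("!BB", ARUBA_ADMIN_ROLE, 2 + len(data)) + data
    payload = struct.pack("!I", ARUBA_VENDOR_ID) + sub_avp
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(payload)) + payload


def parse_avps(blob):
    """Return a list of (type, value_bytes) for a RADIUS attribute blob; reject malformed lengths."""
    avps, i = [], 0
    while i + 2 <= len(blob):
        avp_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed AVP length")
        avps.append((avp_type, blob[i + 2:i + length]))
        i += length
    return avps


def extract_aruba_admin_role(blob):
    """Return the Aruba-Admin-Role string from an Access-Accept attribute blob, or None if absent."""
    for avp_type, value in parse_avps(blob):
        if avp_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue  # some other vendor's VSA
        for sub_type, sub_value in parse_avps(value[4:]):
            if sub_type == ARUBA_ADMIN_ROLE:
                return sub_value.decode(errors="replace")
    return None


def check_access_accept(user_name, attribute_blob):
    """Troubleshooting check: does the role CPPM returned match the policy and an existing AMP role?"""
    expected = admin_role_for(user_name)
    returned = extract_aruba_admin_role(attribute_blob)
    if returned is None:
        return "no Aruba-Admin-Role returned"
    if returned != expected:
        return f"returned {returned!r}, policy expects {expected!r}"
    if returned not in AMP_ROLES:
        return f"{returned!r} is not a role name on the AMP server"
    return "ok"


if __name__ == "__main__":
    # Simulate the Access-Accept CPPM would send for each test user and verify it.
    for user in ("testadmin", "testuser"):
        accept = encode_aruba_admin_role(admin_role_for(user))
        print(user, "->", extract_aruba_admin_role(accept), "|", check_access_accept(user, accept))
```

The `check_access_accept` result is what you compare against the attributes shown in Access Tracker: a mismatch between the returned value and the policy points at Steps 2 to 4, while a value that is not in `AMP_ROLES` reproduces the case where Airwave accepts the authentication but cannot apply the role.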