
How to authenticate Management users of Mobility Access Switch (MAS) via CPPM

Introduction:

This article explains:

    i) Authenticating Mobility Access Switch management users against Active Directory (AD).
    ii) Configuring the services on CPPM for that authentication.
    iii) Using the TACACS+ service for authentication and role-based authorization.


Environment: This article is written for CPPM 6.x and later.

 

Configuration Steps:

The following steps are to be followed.


1: Configure the Mobility Access Switch to use the TACACS+ service for management user authentication.

 

Here are the configuration commands that point the Aruba MAS at CPPM for TACACS+ management user authentication (the management role is returned by CPPM in the TACACS+ authorization reply; no separate accounting configuration is shown here). The MAS does not support per-command authorization; authorization is limited to placing the user in one of its pre-defined management roles.

The pre-defined management roles on the MAS are:

Management User Roles
---------------------
ROLE                  DESCRIPTION
----                  -----------
root                  Super user role
read-only             Read only commands
location-api-mgmt     location-api-mgmt
network-operations    network-operations
guest-provisioning    guest-provisioning
no-access             Default role, no commands are accessible for this role

aaa authentication-server tacacs "Aruba-MAS"
   host x.x.x.x
   key "Aruba"

aaa server-group "TACACS-group"
   auth-server Aruba-MAS

aaa authentication mgmt
   server-group "TACACS-group"
   enable

Replace x.x.x.x with the IP address of the CPPM server. The key "Aruba" is only a placeholder for this example: use a long, random shared secret, because TACACS+ derives the keystream that protects every packet body from this value, and it must match the shared secret entered for this device on CPPM in step 3.



2: Configure the TACACS+ service on CPPM to authenticate Aruba MAS management users.

Navigate to Configuration » Services and click "Add".

Select the following details:

Type: TACACS+ Enforcement
Name: The name of the service.
Description: A note for the reader's understanding.
Make sure that the Authorization option is checked. This is what lets the service answer the switch's authorization request with a role, which is how role-based access is enforced here.

Add a service rule of the form:

Connection:NAD-IP-Address   BEGINS_WITH   10.30.156
Connection:Protocol         EQUALS        TACACS

It means that any request from a NAD whose IP address begins with 10.30.156 and that uses the TACACS+ protocol should hit this service.

The second condition (the protocol match) makes the service more robust: client authentications (RADIUS, such as 802.1X or MAC authentication) coming from the same NAD are not treated as TACACS+ management logins and therefore do not match this service.

Click "Next".

On the Authentication tab, add Active Directory as the authentication source and hit "Next".

On the Authorization tab, make sure that Active Directory is also listed as an authorization source, since the role mapping in the next step looks up the user's AD group membership (memberOf) there, and hit "Next".



On the Roles tab, click "Add new Role Mapping Policy"; this opens a new window.

On its first page, set the Default Role to a read-only role (the role a user receives when none of the mapping rules matches). Click "Next".



On this window, we add the rules that map AD attributes to CPPM roles for authorization.

The rule means: if the user is a member of the given AD group (condition on Authorization:<AD source>:memberOf), the session is assigned the "TACACS network Admin" role.

Similarly, we can add further rules based on our requirements, making sure that the following option is set:

Rules Evaluation Algorithm: First applicable

With "First applicable", rules are checked in order and the first match wins, so place the rule for the most privileged role (matching the narrowest group) above the broader ones.


Once all the rules are configured, click "Save"; the screen returns to the service configuration. Select the role mapping policy that was just created.
Now, if required, we can set the Enforcement policy.

Select the default "[Admin Network Login Policy]" from the drop-down.

Note that CPPM role names from the role mapping (for example "TACACS network Admin") mean nothing to the switch by themselves: the enforcement policy must map each CPPM role to a TACACS+ enforcement profile, and the value that profile returns in the authorization reply must be one of the pre-defined MAS role names from step 1 (root, read-only, network-operations, and so on). A user for whom no role, or an unknown role name, is returned will not get the intended access.

Save the configuration.

3: Add the device to CPPM.

Navigate to Configuration » Network » Devices and click "Add Device".

Name: A descriptive name for the switch.
IP or Subnet Address: The IP address (or subnet) of the device.
TACACS+ Shared Secret: Must match the key configured on the switch in step 1.
Hit "Save" and exit.

Once done, open a second session and log in with a remote user (one that exists in AD) to verify. Keep the existing admin session open until the TACACS+ login is confirmed to work, so that a mistyped shared secret or a service rule that does not match cannot lock you out of the switch.
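After step 3, the three pieces configured above (the key on the switch, the Authorization option on the service, and the shared secret on the device entry) meet in a TACACS+ authorization exchange that the GUI steps never show. The following added example is not Aruba, ArubaOS or ClearPass code and is not part of the original article: it is a minimal RFC 8907 TACACS+ codec in Python that builds a shell authorization request, builds the kind of PASS_ADD reply CPPM would send back, and decodes that reply with the right and with a wrong shared secret. The session id, the user jdoe, the service=shell / cmd* arguments and the role=read-only attribute are constructed for illustration; the page does not show the actual attribute name the enforcement profile returns to the MAS.

```python
"""Minimal TACACS+ (RFC 8907) packet codec for an authorization exchange.

Added example for this article; not Aruba, ArubaOS or ClearPass code.
Every packet body is XORed with an MD5 keystream derived from the shared
secret, so a secret mismatch does not give a clean "wrong password": the
decoded body is garbage whose internal lengths no longer add up.
"""
import hashlib
import struct

VERSION = 0xC0                 # major version 12, minor version 0
TYPE_AUTHOR = 0x02             # authorization packet type
AUTHOR_STATUS_PASS_ADD = 0x01  # server accepted and may add attributes


def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 s.4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), truncated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the keystream; the same call reverses it."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def build_packet(ptype, seq_no, session_id, body, key):
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(packet, key):
    """Return (type, seq_no, session_id, de-obfuscated body)."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if version != VERSION or len(packet) != 12 + length:
        raise ValueError("not a TACACS+ v12 packet or truncated")
    return ptype, seq_no, session_id, obfuscate(packet[12:], session_id, key, seq_no)


def author_request(user, args, port=b"ssh", rem_addr=b"10.30.156.50"):
    """Authorization REQUEST body (s.6.1): authen_method=TACACSPLUS(6), priv_lvl=1,
    authen_type=ASCII(1), authen_service=LOGIN(1), length-prefixed strings, AV pairs.
    rem_addr is a constructed sample address."""
    arg_bytes = [a.encode() for a in args]
    head = struct.pack("!BBBBBBBB", 6, 1, 1, 1, len(user), len(port), len(rem_addr), len(arg_bytes))
    return head + bytes(len(a) for a in arg_bytes) + user + port + rem_addr + b"".join(arg_bytes)


def author_reply(status, args, server_msg=b""):
    """Authorization REPLY body (s.6.2); the data field is left empty."""
    arg_bytes = [a.encode() for a in args]
    head = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), 0)
    return head + bytes(len(a) for a in arg_bytes) + server_msg + b"".join(arg_bytes)


def parse_author_reply(body):
    """Return (status, server_msg, {attr: value}). Raises ValueError when the
    lengths inside the body do not add up, the usual sign of a wrong secret."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    if len(arg_lens) != arg_cnt or 6 + arg_cnt + msg_len + data_len + sum(arg_lens) != len(body):
        raise ValueError("inconsistent lengths: shared secret mismatch?")
    off = 6 + arg_cnt
    server_msg = body[off:off + msg_len].decode()
    off += msg_len + data_len
    attrs = {}
    for n in arg_lens:
        pair = body[off:off + n].decode()
        off += n
        # '=' marks a mandatory attribute, '*' an optional one
        sep = min((i for i, c in enumerate(pair) if c in "=*"), default=len(pair))
        attrs[pair[:sep]] = pair[sep + 1:]
    return status, server_msg, attrs


def decode_reply(packet, key):
    """Decode an authorization REPLY; None when it cannot be decoded with `key`."""
    try:
        ptype, _seq, _sid, body = parse_packet(packet, key)
        if ptype != TYPE_AUTHOR:
            return None
        return parse_author_reply(body)
    except (ValueError, UnicodeDecodeError, struct.error):
        return None


def sample_exchange(key=b"Aruba"):
    """Constructed request/reply pair for user jdoe. "role=read-only" is a
    placeholder for whatever attribute the enforcement profile really returns."""
    session_id = 0x1A2B3C4D  # constructed
    req = build_packet(TYPE_AUTHOR, 1, session_id,
                       author_request(b"jdoe", ["service=shell", "cmd*"]), key)
    rep = build_packet(TYPE_AUTHOR, 2, session_id,
                       author_reply(AUTHOR_STATUS_PASS_ADD, ["role=read-only", "priv-lvl=1"]), key)
    return req, rep


if __name__ == "__main__":
    req, rep = sample_exchange()
    print("right secret:", decode_reply(rep, b"Aruba"))
    print("wrong secret:", decode_reply(rep, b"Arubaa"))
```

Run as a script it prints the decoded status and attributes with the right secret and None with the wrong one. The same parse_packet / parse_author_reply pair can be pointed at a reply body captured between the switch and CPPM, together with the device's shared secret, to confirm which attribute and role name the enforcement profile is actually sending to the MAS.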



 

 

Version History
Revision #: 1 of 1
Last update: 07-18-2014 05:38 AM