ArubaOS and Controllers

New Contributor
Posts: 3
Registered: ‎09-19-2011

Aruba VSA - Aruba-Priv-Admin-User

Good morning everyone. While configuring our controller to authenticate management users against RADIUS/NPS, I ran across a Word document that said to set the VSA Aruba-Priv-Admin-User (number 3) to a value of 7.

This seemed to work, however I can't figure out the significance of the value 7. Pretty much any number I put in that VSA seems to work.

Does anyone have any idea what the values for this VSA correspond to?

Thanks!
Guru Elite
Posts: 21,493
Registered: ‎03-29-2007

Re: Aruba VSA - Aruba-Priv-Admin-User

I hate to say it, but the attribute, rather than the number, is what matters. Let's hope they don't fix this to only work with 7 in the future....


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 3
Registered: ‎09-19-2011

Re: Aruba VSA - Aruba-Priv-Admin-User

In other words, the value can be anything and the controller is just looking for the presence of that attribute in the RADIUS response?

What exactly does this attribute do?
Guru Elite
Posts: 21,493
Registered: ‎03-29-2007

Re: Aruba VSA - Aruba-Priv-Admin-User

When the controller receives that specific attribute from RADIUS, it will:

(1) Allow the authenticated user to log in to the controller
(2) Allow the authenticated user to bypass the Enable prompt on the command line

It is when you want certain admins to NOT have to type enable at the command prompt.

The global "enable bypass" parameter in ArubaOS 6.1 does the same thing, but for all admin users.

UPDATE: Actually the value just has to be non-zero to work.


Colin Joseph
Aruba Customer Engineering
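
As an added illustration (not code from the thread or from Aruba), the following Python parses a RADIUS Access-Accept and reports whether it carries Aruba-Priv-Admin-User with a non-zero value, the condition described in the post above. Vendor ID 14823 (Aruba's IANA enterprise number) and all function names are assumptions not found in the thread, and the sample packet is constructed.

```python
import struct

ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number (not from the thread)
PRIV_ADMIN_USER = 3       # VSA number given in the thread
VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type (RFC 2865)

def radius_attributes(packet):
    """Yield (type, value) for each attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def priv_admin_value(packet):
    """Return the Aruba-Priv-Admin-User integer, or None if absent.
    Vendor sub-attributes are: 1-byte type, 1-byte length, data."""
    for atype, value in radius_attributes(packet):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        sub = value[4:]
        while vendor == ARUBA_VENDOR_ID and len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                break
            if vtype == PRIV_ADMIN_USER and vlen == 6:
                return struct.unpack("!I", sub[2:6])[0]
            sub = sub[vlen:]
    return None

def grants_enable_bypass(packet):
    """True if the reply carries the VSA with a non-zero value."""
    value = priv_admin_value(packet)
    return value is not None and value != 0

def build_accept(value):
    """Constructed Access-Accept (code 2) with the VSA; authenticator zeroed."""
    vsa = struct.pack("!IBBI", ARUBA_VENDOR_ID, PRIV_ADMIN_USER, 6, value)
    attr = bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH16s", 2, 1, 20 + len(attr), b"\0" * 16) + attr
```

Run against replies captured on the RADIUS server, this shows which network policies hand out management access with enable bypass, whatever number was typed into the attribute.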


New Contributor
Posts: 3
Registered: ‎09-19-2011

Re: Aruba VSA - Aruba-Priv-Admin-User

Great, thanks for the quick information!
Occasional Contributor I
Posts: 8
Registered: ‎10-29-2010

I can't get admins authenticated by Radius

Hi,
I see your discussion, and it's obvious that you have a working configuration...
So maybe you can help me...
I have set up a system -- an IAS server on a Windows 2003 domain controller as a RADIUS server, and set up the authentication vendor-specific requisites, but I see that management requests are rejected by IAS. I have firmware version 5.0.3, the latest available for the hardware in use.
When I connect to the WLAN from the same PC, with the same user -- authentication requests are accepted.
When I try to get authentication for GUI access through RADIUS, it doesn't work at all -- only locally created users can get in.
Requests for management authentication look slightly different (I set up Wireshark on the IAS server, so I can trace what really happens there).

The WLAN is set up with RADIUS PEAP authentication, and it works, both with PEAP termination allowed on the controller and without it (then I see the full handshake going between RADIUS and the controller).
For management requests there is just a single request with an encrypted password (not CHAP challenge/response!), and an answer (reject). So it seems to use some different profile, but I don't have any way to configure it...
I attached a capture file (the first is the request when I connect to the WLAN, with termination on, and it's accepted; the second is when I try to access the GUI, rejected).
I see that when logging in to the WLAN, the PC added the domain to the username, but there is no difference if I try to input the username with the domain into the web GUI prompt; everything looks exactly the same.

Any advice will be appreciated.
Regards,
Eizens
Guru Elite
Posts: 21,493
Registered: ‎03-29-2007

Re: Aruba VSA - Aruba-Priv-Admin-User



Management users use "PAP" and this must be enabled on the remote access profile. In addition, they use the NAS-Port-TYPE of VPN.


Colin Joseph
Aruba Customer Engineering

