ArubaOS and Controllers

Occasional Contributor I
Posts: 6
Registered: ‎07-06-2009

LDAP server - Server Rules

Hi,

We wish to use an LDAP server for user authentication. We have already set up 1 LDAP server. On the Aruba controller, we have already defined 1 LDAP server. Under server groups, we have already added 1 server group and added the LDAP server to it.

We tested with aaa test server for 1 user account and it showed authentication successful. But when I log in to the captive portal it can log in, but after 5 seconds it kicks me out of the system.

I know that we need to define server rules on the server group. What we planned is to divide the group between staff and students. The questions are:

1. What attribute should we define on the server rules, which is an available attribute on the LDAP server?

2. On the LDAP server there is 1 attribute, gidNumber (group id number), and we planned to use this attribute to divide between staff and students. But in the server rules wizard the attribute list doesn't have gidNumber.

3. Can we customize/add manually our own attribute on the server group (Aruba controller) instead of using the ready-made attributes by Aruba?


We are stuck on this problem only. Is there any other way to solve our problem? Any experienced/hustler user please come and give some advice :).
Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

LDAP server for management authentication

Tesvin,

You can use the procedure here: https://airheads.arubanetworks.com/vBulletin/showthread.php?p=1017#post1017

As an example, you would go to Configuration > Security > Authentication. In the right pane, you would click on "Server Groups" for the group that the LDAP server being used for management authentication is in. You would then add the server rule to get the user into the management role by looking for an attribute returned and placing the user in the role as a result. For example, if you were trying to place the user in the "root" role if he has "arubaadmin" in his "GroupMembership" attribute, you would add the following, as in the attached pictures:

You would then go to Configuration > Management > Administration and make sure that the server group (in this case ldap-auth) is the one you wrote the server rule for. Also make sure that the default role is "no access". This will ensure that everyone who does NOT have "arubaadmin" will plainly get NO access. If you want other users that do not have "arubaadmin" to still log in but with a lesser role, change this default role parameter to that lesser role.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 6
Registered: ‎07-06-2009

Thanks Joseph

Hello Joseph,

Thanks for your reply. I did what you asked me to do. And I am stuck on server rules.

1. You said to add the groupMembership attribute, but I don't see any attribute named groupMembership like you said. (See attachment)

2. Is there any way to add an attribute manually? Or maybe there is a command line to add our own attribute to Aruba? For example, groupMembership like you said: we add it manually and put it in the server rule attribute as a condition on Aruba.

3. When I went to the console and typed aaa query-user, nothing came out. (See attachment)


Please assist. Your kind help is really appreciated. Thanks
Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

LDAP Query

Tesvin,

Use the "show aaa authentication-server ldap" command to show all the LDAP servers configured on your controller. Next use the "aaa query-user " command to get your output, and see your attributes. I'm not sure why your command does not work, but it is really case sensitive, so make sure you type the server exactly, based on the output. Anything that has a colon after it can just be referred to as an attribute. You don't have to use the dropdown; you can just type it in (see attached pic).


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎07-06-2009

Re: LDAP server - Server Rules

Joseph,

The drop-down attribute, you can just type it in? Why can't I type it in?
Occasional Contributor I
Posts: 6
Registered: ‎07-06-2009

Re: LDAP server - Server Rules

Joseph, my version is 3.1 so I need to use the drop-down menu to choose the attributes instead of typing them. It won't allow me to type it in. Now I have upgraded to version 3.2 and I am able to type it in. Thanks.

Joseph, do you know how to add server rules using the command line on the CLI?
Occasional Contributor I
Posts: 6
Registered: ‎07-06-2009

Re: LDAP server - Server Rules

Joseph,

I found the command to add server rules on server groups. Many thanks. Your info helped me a lot. Thanks.
Occasional Contributor I
Posts: 6
Registered: ‎07-06-2009

Re: LDAP server - Server Rules

Joseph,

I solved my problem already. Just want to share something here.

Add server rules to a server group.

conf t
aaa server-group
set role condition set-value

example:

conf t
aaa server-group ldap-server
set role condition gidNumber equals 555 set-value admin
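The thread above describes two things that are easy to get wrong when staff and students share one LDAP source: the "attribute: value" lines returned by aaa query-user are what the server rules match on, and the rules are evaluated in order with the server group's default role (ideally "no access") catching everyone who matches nothing. The following Python is an added model of that evaluation written for this thread; it is not the controller's code and not Colin's or Tesvin's. The query output, the gidNumber values 1000/2000, and the role names are constructed for the example, and the condition keywords (equals, not-equals, contains, starts-with, ends-with) are assumed to mirror the controller's rule conditions.

```python
"""Constructed model of ArubaOS server-group rule evaluation (example only, not the controller's code)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of the "attribute: value" lines an "aaa query-user" lookup returns.
# Every value here is made up for the example.
SAMPLE_ADMIN = """\
dn: uid=jdoe,ou=staff,dc=example,dc=edu
uid: jdoe
gidNumber: 555
GroupMembership: cn=arubaadmin,ou=groups,dc=example,dc=edu
"""
SAMPLE_STUDENT = """\
dn: uid=s12345,ou=students,dc=example,dc=edu
uid: s12345
gidNumber: 2000
"""
SAMPLE_UNKNOWN = """\
dn: uid=guest1,ou=external,dc=example,dc=edu
uid: guest1
gidNumber: 4242
"""


def parse_query_user(output: str) -> Dict[str, List[str]]:
    """Turn 'attribute: value' lines into a dict keyed by lower-cased attribute name.

    Attribute names are lower-cased because LDAP attribute names are case-insensitive;
    multi-valued attributes keep every value.
    """
    attrs: Dict[str, List[str]] = {}
    for line in output.splitlines():
        if ":" not in line:
            continue  # not an attribute line (see Colin's "anything with a colon" remark)
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


@dataclass(frozen=True)
class ServerRule:
    attribute: str   # LDAP attribute name as typed into the rule
    condition: str   # assumed condition keywords: equals / not-equals / contains / starts-with / ends-with
    value: str       # value the attribute is compared against
    role: str        # role assigned when the rule matches


def _matches(condition: str, candidate: str, expected: str) -> bool:
    """Compare one attribute value against the rule value (case-insensitive, assumption)."""
    c, e = candidate.lower(), expected.lower()
    if condition == "equals":
        return c == e
    if condition == "not-equals":
        return c != e
    if condition == "contains":
        return e in c
    if condition == "starts-with":
        return c.startswith(e)
    if condition == "ends-with":
        return c.endswith(e)
    raise ValueError(f"unknown condition {condition!r}")


def derive_role(attrs: Dict[str, List[str]], rules: List[ServerRule],
                default_role: str = "no-access") -> str:
    """First matching rule wins, like the ordered rule list on the controller.

    A rule whose attribute the user does not have never matches (this includes
    not-equals), so users matching nothing land in the default role.
    """
    for rule in rules:
        for candidate in attrs.get(rule.attribute.lower(), []):
            if _matches(rule.condition, candidate, rule.value):
                return rule.role
    return default_role


# Constructed rule set: the first rule is the one from the post above; the rest are
# an assumed staff/student split on gidNumber plus Colin's GroupMembership example.
RULES = [
    ServerRule("gidNumber", "equals", "555", "admin"),
    ServerRule("GroupMembership", "contains", "arubaadmin", "root"),
    ServerRule("gidNumber", "equals", "1000", "staff"),
    ServerRule("gidNumber", "equals", "2000", "student"),
]


def classify(output: str) -> str:
    """Parse one user's query output and return the role the rules would assign."""
    return derive_role(parse_query_user(output), RULES)


if __name__ == "__main__":
    for label, sample in (("admin", SAMPLE_ADMIN), ("student", SAMPLE_STUDENT), ("unknown", SAMPLE_UNKNOWN)):
        print(f"{label:8s} -> {classify(sample)}")
```

Rule order matters: jdoe hits the gidNumber-equals-555 rule before the GroupMembership rule is ever consulted, which is the same first-match behaviour to keep in mind when ordering rules on the controller. The third sample shows why the default role should be "no access": a user whose gidNumber matches no rule gets nothing rather than silently inheriting a working role.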