ArubaOS and Controllers

Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Management User to provision only

Is there any way to create a management user that can provision access points as they are installed but not modify the controller config in any other way?

Thanks in advance
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: Management User to provision only

Hi Terry,

There isn't any way to get that granular in the system. Can you give us some more information on the use case for this role?

thanks,
-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Management User to provision only

I'm wondering if, instead of creating custom roles for activities like this, Aruba should implement command restriction support via TACACS+ authorization. That way, the user's logon role could still be "root," but their command execution can be limited.

So, specific activities like AP provisioning or whatever else someone may want to lock down, can be done by the user themselves.
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: Management User to provision only

That's a good idea, but I'm not sure how many folks use TACACS+ to authenticate users. Seems popular in larger Cisco shops, but the system would have to also accommodate those using other tools. Would an AirWave role also work? It would probably require us to implement role permission flexibility into AirWave to avoid creating a ton of custom roles.

It might also be possible to support functions like this via the XML API that is a part of PEF in 3.4. That would require custom scripting on the user side of things, but could possibly be built into a provisioning system in much the same way that carriers automate things via CORBA scripting. It sounds like that might be the use case here, where lots of APs are being provisioned by low-level employees.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Management User to provision only

Good point Andy, some use local accounts and RADIUS. Actually, I think AOS can only get role assignment from RADIUS anyway, so doing all that work for command auth with TACACS might not be all that worth it.
Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Re: Management User to provision only


Hi Terry,

There isn't any way to get that granular in the system. Can you give us some more information on the use case for this role?

thanks,
-awl




Sorry, I dropped off the face of the earth there for a while.
In a nutshell, my access points are deployed by technicians in our organization while I am responsible for the configuration side of things. It seems to me that when a technician is doing the physical installations it would be of benefit for them to be able to properly provision each AP in the FQLN mapper. I would like to be able to allow this to happen without giving the tech the rights to modify any other settings.