ArubaOS and Controllers

Contributor I
Posts: 76
Registered: 05-14-2009

authentication via LDAPS and map to a role

May be the nature of Aruba OS. I can only create up to 10 management accounts in the controller. Is it possible to be authenticated via LDAPS and map it to a role in the controller? Like user name in LDAPS admin.ny and with a role guest-provisioning role in the controller. :confused:

Max of 10 admin accounts in a big corporate environment is not practical. A company with over 20 sites will definitely need something like this.

Thank you!
Guru Elite
Posts: 20,578
Registered: 03-29-2007

Map to a role

Tary,

You CAN use LDAP to map users to a role. First, you define an LDAP server, then place it into a server group.

You can write a rule in the server group that looks at LDAP for the membership:

set role condition groupMembership contains "Network-Admin-Group" set-value guest-provisioning

groupMembership (case sensitive) is one of a number of LDAP attributes that you can use to do admin role derivation. You can find out what attributes are returned for a user from LDAP by doing the aaa query command:

aaa query-user

You should get output like this:

groupMembership: cn=Network-Admin-group,ou=Groups,ou=Departments,o=TMOC
groupMembership: cn=Desktop-Admin-Group,o=TMOC
groupMembership: cn=B&G-Work-Request-Group,ou=Groups,ou=Departments,o=TMOC
groupMembership: cn=OTPS-Budget-System-Group,ou=Groups,ou=Departments,o=TMOC
groupMembership: cn=Registrar-Admin,o=TMOC
groupMembership: cn=Teaming-Program-Group,ou=Groups,ou=Departments,o=TMOC
groupMembership: cn=FWS-Program-Group,ou=Groups,ou=Departments,o=TMOC
cn: username

You can use a derivation role for any attribute listed in the query result.

If you are already using Microsoft's IAS Radius to authenticate your users for 802.1x, etc., you may want to skip configuring an LDAP server and re-use that radius server for management authentication using the attached document. If you use this method, you are simply using groups in Active Directory to set roles, instead of individual accounts. This is better because the user can re-use his username and password from AD to login and access can simply be managed via groups, instead of users being created manually. Finally, the audit trail (https://airheads.arubanetworks.com/vBulletin/showthread.php?t=383) on the controller will have a detailed record of what user, from what IP address made a change.


Colin Joseph
Aruba Customer Engineering
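Before committing a server-group rule, it is worth checking offline which role a given user would end up with from the attributes that aaa query-user returns. The Python below is an added example for this thread, not ArubaOS code and not Colin's: it parses the attribute listing from the answer above, parses a rule written in the same "set role condition ... set-value ..." syntax, and reports the derived role. The evaluation model is an assumption (first matching rule wins, attribute names compared case-sensitively as the answer notes for groupMembership, and a case_sensitive switch for the value comparison, because that is the one detail to confirm against your own controller: the rule in the answer says "Network-Admin-Group" while the query output shows "Network-Admin-group", and the two outcomes differ).

```python
"""Dry-run ArubaOS-style role-derivation rules against `aaa query-user` output.

Added example for this thread, not ArubaOS code. It models a server-group
rule of the form

    set role condition <attribute> <operator> "<string>" set-value <role>

with a simplified evaluation (an assumption, not the controller's documented
algorithm): rules are tried in order, the first rule whose attribute has a
matching value wins, attribute names are compared case-sensitively, and
whether attribute *values* are compared case-sensitively is a parameter.
"""
import re
from typing import Dict, List, Optional, Tuple

RULE_RE = re.compile(
    r'^set role condition (\S+) (contains|equals|starts-with|ends-with) '
    r'"([^"]*)" set-value (\S+)$'
)

# Attribute listing copied from the answer in this thread.
SAMPLE_QUERY_OUTPUT = """\
groupMembership: cn=Network-Admin-group,ou=Groups,ou=Departments,o=TMOC
groupMembership: cn=Desktop-Admin-Group,o=TMOC
groupMembership: cn=B&G-Work-Request-Group,ou=Groups,ou=Departments,o=TMOC
groupMembership: cn=OTPS-Budget-System-Group,ou=Groups,ou=Departments,o=TMOC
groupMembership: cn=Registrar-Admin,o=TMOC
groupMembership: cn=Teaming-Program-Group,ou=Groups,ou=Departments,o=TMOC
groupMembership: cn=FWS-Program-Group,ou=Groups,ou=Departments,o=TMOC
cn: username
"""

# The rule from the answer, verbatim.
SAMPLE_RULE = ('set role condition groupMembership contains '
               '"Network-Admin-Group" set-value guest-provisioning')


def parse_query_output(text: str) -> Dict[str, List[str]]:
    """Turn 'attribute: value' lines into a multi-valued attribute map.
    Attribute names are kept exactly as returned (no case folding)."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip blank lines and anything that is not attr: value
        name, value = line.split(":", 1)
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_rule(rule: str) -> Tuple[str, str, str, str]:
    """Split a rule line into (attribute, operator, string, role)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unrecognised rule syntax: {rule!r}")
    attr, op, needle, role = m.groups()
    return attr, op, needle, role


def _value_matches(op: str, value: str, needle: str, case_sensitive: bool) -> bool:
    """Apply one condition operator to one attribute value."""
    if not case_sensitive:
        value, needle = value.lower(), needle.lower()
    if op == "contains":
        return needle in value
    if op == "equals":
        return value == needle
    if op == "starts-with":
        return value.startswith(needle)
    if op == "ends-with":
        return value.endswith(needle)
    raise ValueError(f"unsupported operator {op!r}")


def derive_role(attrs: Dict[str, List[str]], rules: List[str],
                default: Optional[str] = None,
                case_sensitive: bool = True) -> Optional[str]:
    """Return the role assigned by the first matching rule, else `default`
    (which stands in for the server group's default role)."""
    for rule in rules:
        attr, op, needle, role = parse_rule(rule)
        # Attribute lookup is case-sensitive: "groupmembership" never matches.
        for value in attrs.get(attr, []):
            if _value_matches(op, value, needle, case_sensitive):
                return role
    return default


if __name__ == "__main__":
    attrs = parse_query_output(SAMPLE_QUERY_OUTPUT)
    for mode in (True, False):
        role = derive_role(attrs, [SAMPLE_RULE], default="read-only",
                           case_sensitive=mode)
        print(f"case_sensitive={mode}: user would get role {role!r}")
```

Run it with the output of your own aaa query-user pasted into SAMPLE_QUERY_OUTPUT and your server-group rules in place of SAMPLE_RULE. A user who falls through to the default role, or who picks up an admin role from a broader group than intended, shows up here before the rule is live on the controller; the controller's audit trail then confirms the role actually assigned at login.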
