Controllerless Networks

last person joined: yesterday 

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
Back to discussions
Expand all | Collapse all

radius vsa settings for view-only login on IAP

This thread has been viewed 10 times

  • 1.  radius vsa settings for view-only login on IAP

    Posted Jul 27, 2015 11:52 AM

    Hi,

     

    I recently installed an IAP cluster with 11 AP's (version 6.4.2.6-4.1.1.7_50209) and enabled RADIUS authentication for the webgui login. Now, I would also like to enable RADIUS authentication for view-only. Is this possible? And if yes, how?

    Fyi: I already tried ArubaOS based attributes/settings on the RADIUS server to do this, but that did not work (works for non-instant controllers though).

     

    Krs,

    Dante



  • 2.  RE: radius vsa settings for view-only login on IAP
    Best Answer

    EMPLOYEE
    Posted Jul 27, 2015 11:54 AM

    On instant ONLY available on the 4.2.0.0 version currently in beta testing.  Not available in 4.1.1.7

     



  • 3.  RE: radius vsa settings for view-only login on IAP

    Posted Jul 27, 2015 11:56 AM

    Ok, Colin, thanks for that info!



  • 4.  RE: radius vsa settings for view-only login on IAP

    EMPLOYEE
    Posted Jul 27, 2015 11:57 AM

    If you would like to test the beta 2 of 4.2.0.0 please send me a PM with your IAP model and email address.

     



  • 5.  RE: radius vsa settings for view-only login on IAP

    Posted Jul 05, 2017 02:50 AM

    Did this feature get any traction? I can't seem to see any mention of it elsewhere.



  • 6.  RE: radius vsa settings for view-only login on IAP

    EMPLOYEE


  • 7.  RE: radius vsa settings for view-only login on IAP

    Posted Jul 05, 2017 09:39 PM

    Hi Colin.

     

    Thank you for the link. To clarify if you want to authenticate view-only or guest registration users via radius you need to have "Authentication server" turned on for all admin as well?

     

    Additionally it seems clearpass (or any radius server) should be returning a privilege level that relates to admin/view-only/guest-reg. I can’t however find this in the clearpass user guide relating to instant auth. Do you know of any existing documentation on how to define these privilege levels for instant gui authentication.

     

    Regards,

    Brendon



  • 8.  RE: radius vsa settings for view-only login on IAP

    EMPLOYEE
    Posted Jul 05, 2017 10:49 PM

    You have to turn on Radius Auth under whatever you want radius authentication for.  In addition, you need to return a Radius VSA to allow users to authenticate for that role:

     

    The VSA is called “Aruba-Admin-Role” and can take one of the following values:
    1) root -  Default Role, Super user role, admin
    2) read-only -  Read only commands
    3) guest-provisioning -  guest user

     

    For example, you could have radius auth for root users, but local authentication for read-only users, or radius auth for both.  You just need to return the correct VSA when doing radius auth for the user that will be authenticating..



  • 9.  RE: radius vsa settings for view-only login on IAP

    Posted Jan 18, 2017 10:16 AM

    Hi,

     

    I'm looking for the same solution, but for guest user registration. I am on the latest 4.3.1.1 and have radius setup for a group of admin users to administration of the IAPVC. But how do I configure my Radius (NPS) to allow only a group of users to IAPVC administration  and all domain users to access guest user registration?

     

    Best regards, 

    \\ Andreas