How to configure Airwave management authentication with CPPM as an external RADIUS Server.
Though Airwave supports both RADIUS and TACACS for its management login, there may be instances where we need to integrate Airwave login with an available external server that supports RADIUS only.
In this article we use CPPM as the external RADIUS server. The important part is knowing which return attribute the external RADIUS server must enforce for a successful login.
1. Log in to Airwave as an administrator.
2. Navigate to AMP Setup --> Authentication tab.
3. Under the RADIUS Configuration heading, set Enable RADIUS Authentication and Authorization to YES.
4. Configure the IP address/hostname of the external RADIUS Server as shown below:
5. Create a shared secret for password encryption between the external RADIUS server and Airwave.
6. Change the authentication priority to be Remote.
1. Log in to ClearPass Policy Manager as an administrator.
2. Navigate to Configuration --> Network --> Devices. Add the Airwave IP address/hostname as a RADIUS client, using the same shared secret that was configured in Airwave.
3. Navigate to Configuration --> Enforcement --> Profiles. Add a new enforcement profile using the template ARUBA RADIUS ENFORCEMENT. On the Attributes tab, under Name, select Aruba-Admin-Role from the drop-down. The attribute value should be one of the roles listed in Airwave --> AMP Setup --> Roles.
4. Navigate to Enforcement --> Policies. Create a new enforcement policy of type RADIUS. Under the Rules, configure a simple RULE as shown below:
5. Navigate to Configuration --> Services. Click Add to create a new service from the template RADIUS Enforcement Generic and give it an appropriate name.
6. Under the Authentication tab, select PAP/CHAP as the authentication method, with an appropriate authentication source. In this example, I have created a user account in the CPPM local database. If required, we can create and add external authentication sources such as Active Directory or OpenLDAP to the list of authentication sources.
7. Navigate to Enforcement and select the Airwave Login Enforcement policy from the drop-down. Summary of the Services screenshot is shown below:
1. Log in to Airwave and create a new role called 'test'.
2. Log in to ClearPass and navigate to Configuration --> Identity --> Local User to create a local user called 'airwave'.
3. Log in to Airwave with the username 'airwave'. Check the ClearPass Access Tracker to confirm the user's authentication status, and its Output tab to confirm that the proper role was enforced.