Network Management

Reply
Contributor II
Posts: 39
Registered: ‎02-03-2016

AirWave 8.2.0.1 login with CPPM as Radius Server not working

Hi!

 

I'm trying to get the AMP login with a CPPM Radius Service running.

 

The AMP Server generates the Radius Request correctly - CPPM Access Tracker says 'ACCEPT' as login status mathing the correct service, but the AMP Server login screen still responds with 'Login failed Please re-enter username and password'. The same CPPM Service works fine with my switches.

(The CPPM service rule is just a list/group of IP addresses)

 

Is there a logfile an the AMP server, where I can check what's going wrong?

 

With regards

Manfred

Guru Elite
Posts: 8,194
Registered: ‎09-08-2010

Re: AirWave 8.2.0.1 login with CPPM as Radius Server not working

Are you returning a management role to AirWave?



Also, why not use TACACS+?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 39
Registered: ‎02-03-2016

Re: AirWave 8.2.0.1 login with CPPM as Radius Server not working

Im returning the attribute Radius:IETF Service-Type Administrative-User (6) with my Enforcement profile.

 

There ia also an attribute type Radius:Aruba Type 'Aruba-Admin-Role (4)' - but I'm not sure which value to choose...

(maybe I'm close to the solution...)

 

Why not Tacacs+:

Tried to keep it simple and don't like too many CPPM services - Radius works fine with my HPE Provision switch environment. (and don't have much experience with Tacas+...)

 

With regards

Manfred

Guru Elite
Posts: 8,194
Registered: ‎09-08-2010

Re: AirWave 8.2.0.1 login with CPPM as Radius Server not working

You'll need to use Aruba-Admin-Role with a role name that matches what you
have configured in AirWave.



You may want to consider TACACS+ long term. It's a purpose built management
protocol with many additional features.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 39
Registered: ‎02-03-2016

Re: AirWave 8.2.0.1 login with CPPM as Radius Server not working

Thank you - I will try to configure ist with TACACS+

 

Found also a nice article for Radius:

http://community.arubanetworks.com/t5/Monitoring-Management-Location/How-to-configure-management-login-in-Airwave-with-CPPM-as-RADIUS/ta-p/266272

 

But in the meantime my AirWave 8.2.0.1 server did not finish the Upgrade to 8.2.0.2 sucessfully and does not come up anymore - I will have to fix this first I'm afraid:

 

STEP 5: Installing upgrade.
Mon May  9 20:47:45 2016: Last PID not available VisualRF Engine...
make[1]: *** [rabbitmq_config] Error 34
make[1]: Leaving directory `/root/svn/mercury'
make: *** [upgrade] Error 2
make: Leaving directory `/root/svn/mercury'
Stopping Pound:                                            [  OK  ]
Stopping httpd:                                            [  OK  ]
Shutting down rabbitmq-server:
Shutting down Erlang Port Mapper Daemon (epmd):
failed to kill pid 12213                                   [  OK  ]
Mon May  9 20:47:45 2016: Last PID not available VisualRF Engine...


Upgrade aborted.
Please contact Aruba Networks Support at
1-800-WiFi-LAN or support@arubanetworks.com
DISABLED - 2!!
*** WARNING *** Directory may have been renamed out from under you: /bin/pwd=/root/svn_old/mercury
[root@localhost mercury]#

 

After that I gave it a second chance - also without success:

 

STEP 6: Restarting AMP services.
DISABLED - 1!!
*** WARNING *** Directory may have been renamed out from under you: /bin/pwd=/root/svn_old/mercury
[root@localhost mercury]#

 

...and now for something completely different...

 

With kind regards

Manfred

Contributor II
Posts: 39
Registered: ‎02-03-2016

Re: AirWave 8.2.0.1 login with CPPM as Radius Server not working

My AirWave Server is back Online - after the 3rd upgrade try it started sucessfully.

Strange bevaviour...

Contributor II
Posts: 39
Registered: ‎02-03-2016

Re: AirWave 8.2.0.1 login with CPPM as Radius Server not working

[ Edited ]

Now I'm trying it with TACACS+ - configured AMP for TACACS+ Authentication.

 

Seems that I have misconfigured the CPPM enforcement profile, but have no idea what's going wrong.

 

I'm getting the following alert on my CPPM Session - the Login status is 'ACCEPT':

No enforcement profiles matched to perform command authorization

Tacacs service=AMP:https not enabled

 

Is there a configuration example for CPPM and AMP available?

 

With kind regards

Manfred

 

Contributor II
Posts: 39
Registered: ‎02-03-2016

Re: AirWave 8.2.0.1 login with CPPM as Radius Server not working

This is how I configured the enforcement profile:

tacacs enforcement.JPG

Guru Elite
Posts: 8,194
Registered: ‎09-08-2010

Re: AirWave 8.2.0.1 login with CPPM as Radius Server not working

Try removing the device in the device group list.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 39
Registered: ‎02-03-2016

Re: AirWave 8.2.0.1 login with CPPM as Radius Server not working

[ Edited ]

Hi!

 

That fixed my problem - will have to review why...

 

Many thanks...

 

With kind regards

Manfred

Search Airheads
Showing results for 
Search instead for 
Did you mean: