Occasional Contributor II
Posts: 44
Registered: ‎08-10-2011

RADIUS Authentication: How to setup ArubaOS & Airwave

Hello,

 

I have a problem authenticating ArubaOS (Management Auth) and Airwave against the same RADIUS server (FreeRADIUS).

 

ArubaOS:

Here I have the following builtin roles:

- no-access

- root

- read-only

- network-operations

- location-api-mgmt

- guest provisioning

 

1. Where can I find the documentation on which rights each role has?

2. Can I define custom roles for mgmt auth?

 

Airwave:

In Airwave I can set up custom roles.

 

Now to RADIUS:

ArubaOS and Airwave parse the RADIUS Reply-Item Aruba-Admin-Role.

For all our Network Admins we have set this to "root".

 

To achieve Airwave RADIUS authentication for the same admins we have set up a role in Airwave which is also called "root".

This works well if you're not distinguishing Airwave rights.

 

But now we want to have some Network Admins (ArubaOS role: root) to be Airwave Administrator, e.g. also "root", and some Network Admins (ArubaOS role: root) to be only AP/Device Manager (e.g. role "airwave-manager" in Airwave).

 

- How could this be achieved?

- Can I configure somewhere in Airwave which RADIUS Reply-Item is parsed? E.g. a separate RADIUS VSA would be helpful, like Aruba-Airwave-Role.

 

I know I can configure Server Rules in ArubaOS and tried to get this working:

 

        aaa server-group "servergroup_mgmtauth"
         auth-server asaradius
         set role condition Aruba-Admin-Role equals "airwave-admin" set-value root
         set role condition Aruba-Admin-Role equals "airwave-manager" set-value root

But this is not working.

 

Please help me. How do other people achieve this?

 

Regards,

Tobias Hachmer

Guru Elite
Posts: 20,591
Registered: ‎03-29-2007

Re: RADIUS Authentication: How to setup ArubaOS & Airwave

1. Information on built-in controller roles is in the user guide here: http://www.arubanetworks.com/techdocs/ArubaOS_62_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Defaults/Default_Management_User_.htm?Highlight=network-operations

 

2. You will have to use a compound statement in FreeRADIUS to check for the IP address of the Airwave server, check the group that the user is in, and return the correct attribute. Airwave cannot parse returned management authentication and make changes.

 

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 44
Registered: ‎08-10-2011

Re: RADIUS Authentication: How to setup ArubaOS & Airwave

Thanks cjoseph for the answer!

 

Yeah, I know I can do such unlang things in the authorize section, like:

 

        if(NAS-IP-Address == x.x.x.x) {
                if(Ldap-Group == "DN" ) {
                        update reply {
                                Aruba-Admin-Role := "airwave-admin"
                        }
                }
                elsif(Ldap-Group == "DN" ) {
                        update reply {
                                Aruba-Admin-Role := "airwave-manager"
                        }
                }
                elsif(Ldap-Group == "DN" ) {
                        update reply {
                                Aruba-Admin-Role := "airwave-read"
                        }
                }
        }

 

But these things are dirty hacks into static configuration files of FreeRADIUS. If there's no dedicated VSA for Airwave roles, where can I send a feature request to? Airwave actually parses Aruba-Admin-Role. I think it's no magic to set this to a new one.

 

Regards,

Tobias Hachmer

 

 

 

 
