RADIUS Authentication: How to setup ArubaOS & Airwave

  • 1.  RADIUS Authentication: How to setup ArubaOS & Airwave

    Posted Oct 02, 2013 01:40 AM

    Hello,

     

    I have a problem authenticating ArubaOS (Management Auth) and Airwave against the same RADIUS server (FreeRADIUS).

     

    ArubaOS:

    Here I have the following builtin roles:

    - no-access

    - root

    - read-only

    - network-operations

    - location-api-mgmt

    - guest provisioning

     

    1. Where can I find the documentation on which rights each role has?

    2. Can I define custom roles for mgmt auth?

     

    Airwave:

    In Airwave I can set up custom roles.

     

    Now to RADIUS:

    ArubaOS and Airwave parse the RADIUS Reply-Item Aruba-Admin-Role.

    For all our Network Admins we have set this to "root".

     

    To achieve Airwave RADIUS authentication for the same admins we have set up a role in Airwave which is also called "root".

    This works well if you don't distinguish Airwave rights.

     

    But now we want some Network Admins (ArubaOS role: root) to be Airwave Administrators, e.g. also "root", and some Network Admins (ArubaOS role: root) to be only AP/Device Managers (e.g. role "airwave-manager" in Airwave).

     

    - How could this be achieved?

    - Can I configure somewhere in Airwave which RADIUS Reply-Item is parsed? E.g. a separate RADIUS VSA would be helpful, like Aruba-Airwave-Role.

     

    I know I can configure Server Rules in ArubaOS, and I tried to get this working:

     

            aaa server-group "servergroup_mgmtauth"
             auth-server asaradius
             set role condition Aruba-Admin-Role equals "airwave-admin" set-value root
             set role condition Aruba-Admin-Role equals "airwave-manager" set-value root

    But this is not working.

     

    Please help me. How do other people achieve this?

     

    Regards,

    Tobias Hachmer



  • 2.  RE: RADIUS Authentication: How to setup ArubaOS & Airwave

    EMPLOYEE
    Posted Oct 02, 2013 07:41 AM

    1. Information on built-in controller roles is in the user guide here: http://www.arubanetworks.com/techdocs/ArubaOS_62_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Defaults/Default_Management_User_.htm?Highlight=network-operations

     

    2. You will have to use a compound statement in FreeRADIUS to check for the IP address of the Airwave server, check the group that the user is in and return the correct attribute. Airwave cannot parse returned management authentication and make changes.

     

     



  • 3.  RE: RADIUS Authentication: How to setup ArubaOS & Airwave

    Posted Oct 02, 2013 09:24 AM

    Thanks cjoseph for the answer!

     

    Yeah, I know I can do such unlang things in the authorize section, like:

     

            if(NAS-IP-Address == x.x.x.x) {
                    if(Ldap-Group == "DN" ) {
                            update reply {
                                    Aruba-Admin-Role := "airwave-admin"
                            }
                    }
                    elsif(Ldap-Group == "DN" ) {
                            update reply {
                                    Aruba-Admin-Role := "airwave-manager"
                            }
                    }
                    elsif(Ldap-Group == "DN" ) {
                            update reply {
                                    Aruba-Admin-Role := "airwave-read"
                            }
                    }
            }

     

    But these things are dirty hacks into static configuration files of FreeRADIUS. If there's no dedicated VSA for Airwave roles, where can I send a feature request? Airwave actually parses Aruba-Admin-Role. I think it's no magic to set this to a new one.

     

    Regards,

    Tobias Hachmer
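
An added example, not part of the original thread and not Aruba or FreeRADIUS project code: one way to keep the per-NAS `Aruba-Admin-Role` mapping discussed above out of hand-edited files is to render the unlang block from a small table and validate every value before it reaches the configuration. The address `192.0.2.10`, the group DNs, the function names and the fail-closed `reject` branch are assumptions of this sketch; the role names are the ones used in the thread.

```python
import ipaddress
import re

# Constructed sample policy: NAS address -> ordered (LDAP group DN, role) pairs.
# The address and the DNs are placeholders, not values from the thread.
POLICY = {
    "192.0.2.10": [  # hypothetical AirWave server address
        ("cn=airwave-admins,ou=groups,dc=example,dc=org", "airwave-admin"),
        ("cn=airwave-managers,ou=groups,dc=example,dc=org", "airwave-manager"),
        ("cn=airwave-readers,ou=groups,dc=example,dc=org", "airwave-read"),
    ],
}
ROLE_RE = re.compile(r"[A-Za-z0-9_-]+")


def quote(value):
    """Quote a string for unlang; refuse control characters outright."""
    if any(ord(c) < 0x20 for c in value):
        raise ValueError("control character in %r" % value)
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render(policy):
    """Return an unlang block for the authorize section, one branch per NAS."""
    out = []
    for n, (nas, rules) in enumerate(policy.items()):
        nas = str(ipaddress.IPv4Address(nas))  # raises ValueError if not IPv4
        if not rules:
            raise ValueError("no rules for " + nas)
        out.append("%s (NAS-IP-Address == %s) {" % ("if" if n == 0 else "elsif", nas))
        for i, (group, role) in enumerate(rules):
            if not ROLE_RE.fullmatch(role):
                raise ValueError("bad role name %r" % role)
            out.append("    %s (Ldap-Group == %s) {" % ("if" if i == 0 else "elsif", quote(group)))
            out.append("        update reply {")
            out.append("            Aruba-Admin-Role := %s" % quote(role))
            out.append("        }")
            out.append("    }")
        # Fail closed: a user in none of the listed groups gets no role at all.
        out += ["    else {", "        reject", "    }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(POLICY))
```

Requests from any NAS not listed in the table fall through the generated block untouched, so the controllers keep receiving whatever role the rest of the policy assigns.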