Guru Elite
Posts: 20,780
Registered: ‎03-29-2007

[TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)


It is a little-known fact that you can enable single sign-on between Airwave and your controllers.  The idea is that you use Airwave as a central point of management, but if you need to get into a controller, Airwave should be able to automatically log you in to it with the correct privileges, without you having to re-enter your username and password.  All you need to configure this is:

 

(1) Root Access on Airwave to make the configuration change

(2) Correct Admin/Root level and enable credentials entered into Airwave for that Controller.

 

Here is how it works.  In Airwave, go to AMP Setup > Roles.  There you will see all of the Roles of Users that could log in to AMP.  If you edit the Role, the Aruba Controller Role parameter controls what privileges on the Aruba Controller a user in AMP that clicks on Open Controller WebUI will have.  The Aruba Controller Role parameter by default is set to disabled.  In the screenshot below, we changed it to root, which means that anyone who logs into Airwave who has the Admin role will be able to click on the Open Controller WebUI (when monitoring a controller) and be redirected to the controller's page without logging in.  You can also set the parameter to read-only for Airwave admin roles that you only want read-only access to your controller with SSO.

role.png

 

Enable Single Sign On in AMP

 amp.PNG

After looking at a controller in Airwave, I can open up the Controller's dashboard to any menu item without having to login to the controller:

 

open.png

 

sso2.png

 

Under the hood:

 

How it works is that Airwave will look at the Aruba Controller Role parameter of the currently logged in management user and if it is disabled, it will do nothing.  If it has a root or read-only role, it will execute a command, "allow-sso <username> <controller admin role>" on the controller.  The controller will spit back a special URL that Airwave would need to connect to the controller over https to gain those permissions.  It redirects the Airwave user to that special URL and the controller grants the permissions.

 

You can tell if a user has logged in to a controller with Airwave SSO by typing "show audit-trail":

 

show audit-trail 

Jan 18 20:04:25  fpcli: USER:admin@192.168.1.6 COMMAND:<allow-sso "admin" "root" > -- command executed successfully

You can also tell if an SSO user is currently logged in by typing "show loginsessions":

 

(192.168.1.3) #show loginsessions 
 
Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   admin      root       192.168.1.76     00:00:00   00:00:02
2   admin_sso  root                        00:02:20   00:06:50

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
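The two checks described in the post above (the `allow-sso` entry in `show audit-trail` and the SSO row in `show loginsessions`), as an added example that is not part of the original thread or of any Aruba tooling. The function names are hypothetical, the sample text is constructed from the output format shown in the post, and two things are assumptions: that the address after `@` is the host that issued the command, and that SSO sessions carry the `_sso` suffix seen in the one sample row.

```python
import re

# Constructed samples in the formats shown in the post.
AUDIT_SAMPLE = """\
Jan 18 20:04:25  fpcli: USER:admin@192.168.1.6 COMMAND:<allow-sso "admin" "root" > -- command executed successfully
Dec 21 15:35:19  webui[1494]: USER: admin has logged in from 172.16.3.222.
"""
SESSIONS_SAMPLE = """\
Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   admin      root       192.168.1.76     00:00:00   00:00:02
2   admin_sso  root                        00:02:20   00:06:50
"""

ALLOW_SSO = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+:\s+USER:\s*(?P<issuer>[^@\s]+)@(?P<src>\S+)\s+'
    r'COMMAND:<allow-sso\s+"(?P<user>[^"]*)"\s+"(?P<role>[^"]*)"\s*>\s+--\s+(?P<result>.*)$')

def sso_grants(audit_text, expected_sources=()):
    """One dict per allow-sso command; flags sources outside the expected set."""
    grants = []
    for line in audit_text.splitlines():
        m = ALLOW_SSO.match(line.strip())
        if m:
            g = m.groupdict()
            # Assumption: src is the management host (e.g. the AirWave server).
            g["unexpected_source"] = bool(expected_sources) and g["src"] not in expected_sources
            grants.append(g)
    return grants

def sso_sessions(table_text, suffix="_sso"):
    """Rows of 'show loginsessions' whose user name ends with the SSO suffix."""
    lines = [l for l in table_text.splitlines() if l.strip()]
    # The column rule is the dashed line that contains gaps between columns.
    rule = next((i for i, l in enumerate(lines) if set(l.strip()) == {"-", " "}), None)
    if rule is None:
        return []
    starts = [m.start() for m in re.finditer(r"-+", lines[rule])]
    ends = starts[1:] + [None]
    names = [lines[rule - 1][s:e].strip() for s, e in zip(starts, ends)]
    rows = []
    for line in lines[rule + 1:]:
        # Fixed-width slicing keeps an empty "Connection From" from shifting columns.
        row = {n: line[s:e].strip() for n, s, e in zip(names, starts, ends)}
        if row["User Name"].endswith(suffix):
            rows.append(row)
    return rows
```

Passing the management server's address as `expected_sources` turns the audit check into an alert on `allow-sso` commands issued from anywhere else.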

MVP
Posts: 2,948
Registered: ‎10-25-2011

Re: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

Hello Colin

I got this question asked yesterday hahah

 

The thing is that I have been trying this with no luck...

I did enable the feature in the Airwave like this

sso1.PNG

After that I tried logging in using the Airwave

sso2.PNG sso3.PNG

 

I get prompted to put my user and password...

 

I got Airwave 7.7.8

Trying with an Aruba controller 6.3.1.2

 

Is there anything I'm missing, Colin?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 2,948
Registered: ‎10-25-2011

Re: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

Maybe I'm missing this part

2) Correct Admin/Root level and enable credentials entered into Airwave for that Controller.

The only device credentials I find are the telnet and enable secret ones here

 

ss4.PNG

 

If those are not the ones that you are referring

Can you please point me where they are?

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 20,780
Registered: ‎03-29-2007

Re: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

That is correct.  On the commandline of your controller (#), type admin-sso ? and see if it autocompletes.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 2,948
Registered: ‎10-25-2011

Re: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

It does not autocomplete
Is not in the command list!

sso5.PNG

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 20,780
Registered: ‎03-29-2007

Re: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

Sorry.  It is "allow-sso".  It is there in the command list.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 2,948
Registered: ‎10-25-2011

Re: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

yeah it autocompletes

I did what it says here

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Single-Sign-On/td-p/75732

 

Which was that command, but I still get the login prompt

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 2,948
Registered: ‎10-25-2011

Re: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)


this was the output

 

(Office_Alternetworks) #allow-sso admin root
66af997b-b9b5-40ca-95ee-7219fef2902c

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 20,780
Registered: ‎03-29-2007

Re: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

Do you see that command executed in the Audit trail by Airwave?  What version of Airwave, by the way?

 



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 2,948
Registered: ‎10-25-2011

Re: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

(Office_Alternetworks) #show audit-trail login
Dec 21 15:34:57  cli[1576]: USER: admin has logged in from 172.16.3.222. 
Dec 21 15:34:59  cli[1576]: USER: admin connected from 172.16.3.222 has logged out. 
Dec 21 15:35:19  webui[1494]: USER: admin has logged in from 172.16.3.222. 
Dec 21 15:35:26  cli[1576]: USER: admin connected from 172.16.3.222 has logged out. 
Dec 21 15:35:41  cli[1576]: USER: admin has logged in from 172.16.3.222. 
Dec 21 15:36:09  cli[1576]: USER: admin connected from 172.16.3.222 has logged out. 
Dec 21 15:36:33  webui[1494]: USER: admin has logged in from 172.16.3.43. 
Dec 21 15:37:41  fpcli: USER: admin has logged in from 172.16.3.222. 
Dec 21 15:37:44  fpcli: USER: admin connected from 172.16.3.222 has logged out. 
Dec 21 15:37:56  fpcli: USER: admin has logged in from 172.16.3.222. 
Dec 21 15:38:00  fpcli: USER: admin connected from 172.16.3.222 has logged out. 
Dec 21 15:39:58  webui[1494]: USER: admin has logged in from 172.16.3.122. 
Dec 22 04:18:23  fpcli: USER: admin has logged in from 172.16.3.222. 
Dec 22 04:18:55  fpcli: USER: admin connected from 172.16.3.222 has logged out. 
Dec 23 04:18:23  fpcli: USER: admin has logged in from 172.16.3.222. 
Dec 23 04:18:54  fpcli: USER: admin connected from 172.16.3.222 has logged out. 
Dec 23 08:45:11  webui[1494]: USER: admin has logged in from 172.29.0.26. 
Dec 23 12:15:46  webui[1494]: USER: admin has logged in from 172.29.0.26. 
Dec 23 12:16:38  fpcli: USER: admin has logged in from 172.29.0.26. 
Dec 23 12:33:31  fpcli: USER: admin connected from 172.29.0.26 has logged out. 
Dec 24 04:18:23  fpcli: USER: admin has logged in from 172.16.3.222. 
Dec 24 04:18:54  fpcli: USER: admin connected from 172.16.3.222 has logged out. 

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp