Security, WIDS/WIPS and Aruba ECS

Contributor II
Posts: 41
Registered: ‎03-10-2011

Guest Provisioning Authentication

Hello,

This is my first post on the Airheads Forum, so, hopefully I am following etiquette :). The only reason for posting is I simply cannot find a thread that answers my question:

"Alternative Guest Provisioning Authentication to Management Authentication Servers"

A new Wireless Solution is being deployed at a Client site, Employee and Guest Networks. The Controller and AP management is handled by an outsourced company and the client wishes to have Guest Provisioning handled locally.

Controller Management is authenticated via the external company's Radius Servers, via the Management Authentication Server Group Settings.

Thus far, Guest Provisioning Authentication has only been tested by adding the local company's LDAP server as a tertiary server to the Management Authentication Server Group and setting a user derivation role on the successful LDAP authentication (currently using a username prefix).

This is however not ideal, as the controller initially sends the local users' domain credentials to the third-party radius servers; fail-through then uses the LDAP server and authenticates successfully.

What I would like to achieve is separating local user Guest Provisioning authentication from external third-party Controller management authentication, as currently both use the URL of the Master controller. Simply putting the LDAP server up the list is not an option, as it just reverses the problem.

What would be ideal is if the controller could respond to two URLs for example.

Has anyone had this experience and found a workaround?

Thanks

-David
Guru Elite
Posts: 20,768
Registered: ‎03-29-2007

Re: Guest Provisioning Authentication

Let me see if I understand and answer this correctly:

Guest provisioning and administration of the controller are provided by the same administrative interface. Users who pass radius (admin users) as well as LDAP (guest users) are getting the same rights when they authenticate to the controller. You want radius users who pass to get a different role (root) than guest administrative users (guest-provisioning)?

If that is the case, we have to use whatever we get back from each server to put the authenticated management user in a role, as well as use the "Default Role" under Management Authentication Servers to limit the role's privileges that users get when they authenticate.

You can use the post here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=704 to have radius users send back an attribute, referenced in a server derivation rule to give those users root access. You can then use the "Default Role" under Management Authentication Servers in the Administration page to limit the default role to "guest-provisioning". That means that any user who authenticates successfully will by default get the guest-provisioning role, unless overridden by some attribute that you are sending via radius, that you have a server derivation rule for. For example:

You have 2 servers in a group, 1 Radius for management and LDAP for guest provisioning. You also have your radius server via remote access policy sending back a radius attribute, "filter-id" of "rootaccess". The controller is looking for that attribute and will, via server derivation rule, change the user's role to root when it sees filter-id sent back as "rootaccess". Anybody else who authenticates successfully (LDAP) will only get "guest-provisioning", due to the default role on the admin page.

Does that make sense?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 41
Registered: ‎03-10-2011

Re: Guest Provisioning Authentication

Hi Colin

Thanks for the reply.

Yes, that makes good sense. The issue that I am trying to get around is that the Radius-authenticated Management users are a completely separate (company) entity from the Guest Provisioning users. I am trying to figure out a way where user credentials are only sent to the correct authentication server.

You mentioned that both sets of users use the same interface, and user derivation can be used to allocate a role. However, I am trying to avoid Company X user credentials being sent to Company Y, only to have Company Y reply with "user not found" equalling a derivation of Guest Provisioning.

It would be so simple if there was a Guest Provisioning specific URL that such users could access, say on a specific port to the controller. The only section that I can see to configure is the Management Authentication Servers.

Thanks again

-Dave
Guru Elite
Posts: 20,768
Registered: ‎03-29-2007

Re: Guest Provisioning Authentication

If you use "failthrough" in the server group, it will send a bad username or password and the next server in the group will be tried. Is that what you mean?


Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 41
Registered: ‎03-10-2011

Re: Guest Provisioning Authentication

Yes, but, the issue arises before even considering the server group and failthrough, if I am correct, in that any group(s) of users can only be authenticated by one server group hierarchy.

Guru Elite
Posts: 20,768
Registered: ‎03-29-2007

Re: Guest Provisioning Authentication

A server group can contain a radius server, ldap server and the internal server group on the controller. You can, in the same server group, have server derivation rules that apply to all three types of servers. What is your limitation in this scenario?


Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 41
Registered: ‎03-10-2011

Re: Guest Provisioning Authentication

I currently have

Pri 1 - Management Company Radius
Pri 2 - Management Company Radius
Pri 3 - Client Company LDAP

Server Rule:

1 // User-Name / Starts-With // "xuk" (Client naming convention) // set-role // GP

This works perfectly well, but I don't want the Client's users sending login credentials to the Management Company Radius servers.

So, when a Client user logs in to the Controller GUI, the server group initially sends the Client user's credentials to the Radius Server, failing, and eventually authenticating at the LDAP server.
Guru Elite
Posts: 20,768
Registered: ‎03-29-2007

Re: Guest Provisioning Authentication

You could put the LDAP server first.

You can also use the "match-authstring" parameter in the properties of the server in the radius group. If the radius server admins put their REALM before their username, you can edit the radius server. From the user guide for "match-authstring":

"This option associates the authentication server with a match rule that the controller can compare with the user/client information in the authentication request. With this option, the user/client information in the authentication request can be in any of the following formats:
<domain>\<user>
<user>@<domain>
host/<pc-name>.<domain>
An authentication request is sent to the server only if there is a match between the specified match rule and the user/client information. You can configure multiple match rules for an authentication server."


Colin Joseph
Aruba Customer Engineering

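To make the routing concrete, here is a small Python model of the server-group behaviour described in the reply above. It is an added illustration for this thread, not Aruba's code and not anything taken from the controller: servers are tried in priority order, a server whose match-authstring rule does not match the login name is skipped, fail-through moves on to the next server after a rejection, and a User-Name derivation rule maps a successful login to a management role. The server names, usernames, passwords and the two backend lookups are constructed sample data; the function returns both the resulting role and the list of servers that actually received the credentials, which is the thing this thread is trying to control.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-ins for the two directories; not real accounts or credentials.
MGMT_RADIUS_USERS: Dict[str, str] = {"opsadmin": "mgmt-pass"}    # outsourced admins
CLIENT_LDAP_USERS: Dict[str, str] = {"xuk.dave": "client-pass"}  # client's local LDAP


def radius_backend(user: str, password: str) -> bool:
    return MGMT_RADIUS_USERS.get(user) == password


def ldap_backend(user: str, password: str) -> bool:
    return CLIENT_LDAP_USERS.get(user) == password


@dataclass
class AuthServer:
    name: str
    backend: Callable[[str, str], bool]
    # (operator, string), e.g. ("starts-with", "xuk"); None means no match rule
    match_authstring: Optional[Tuple[str, str]] = None

    def matches(self, username: str) -> bool:
        """Would the controller send this login to this server at all?"""
        if self.match_authstring is None:
            return True
        op, s = self.match_authstring
        if op == "starts-with":
            return username.startswith(s)
        if op == "contains":
            return s in username
        if op == "equals":
            return username == s
        raise ValueError(f"unknown match operator {op!r}")


@dataclass
class DerivationRule:
    op: str       # only "User-Name starts-with" is modelled, as in the thread's rule
    value: str
    role: str


@dataclass
class ServerGroup:
    servers: List[AuthServer]
    fail_through: bool = False
    rules: List[DerivationRule] = field(default_factory=list)
    default_role: str = "root"   # what an LDAP user got before the GP rule was added


def authenticate(group: ServerGroup, username: str, password: str):
    """Return (role or None, names of the servers that received the credentials)."""
    contacted: List[str] = []
    for srv in group.servers:
        if not srv.matches(username):
            continue                    # filtered out by match-authstring
        contacted.append(srv.name)
        if srv.backend(username, password):
            role = group.default_role
            for r in group.rules:
                if r.op == "starts-with" and username.startswith(r.value):
                    role = r.role
            return role, contacted
        if not group.fail_through:
            break                       # without fail-through the first rejection ends it
    return None, contacted


GP_RULE = [DerivationRule("starts-with", "xuk", "guest-provisioning")]

# Original layout from the thread: two management RADIUS servers first, client LDAP third.
BEFORE = ServerGroup(
    servers=[AuthServer("mgmt-radius-1", radius_backend),
             AuthServer("mgmt-radius-2", radius_backend),
             AuthServer("client-ldap", ldap_backend)],
    fail_through=True, rules=GP_RULE)

# Suggested layout: LDAP at the top, but only consulted for names starting with "xuk".
AFTER = ServerGroup(
    servers=[AuthServer("client-ldap", ldap_backend, ("starts-with", "xuk")),
             AuthServer("mgmt-radius-1", radius_backend),
             AuthServer("mgmt-radius-2", radius_backend)],
    fail_through=True, rules=GP_RULE)

if __name__ == "__main__":
    for label, group in (("before", BEFORE), ("after", AFTER)):
        for user, pw in (("xuk.dave", "client-pass"), ("opsadmin", "mgmt-pass"),
                         ("xuk.dave", "wrong-pass")):
            print(label, user, authenticate(group, user, pw))
```

Running it shows the difference: in the original layout a correct client login touches both management RADIUS servers before it succeeds at LDAP, whereas with the match rule it goes to LDAP only, and an admin login never touches LDAP. The third case is the caveat worth checking on a real controller: with fail-through still enabled, a client login that LDAP rejects is passed on to the RADIUS servers, because they carry no match rule of their own. The realm-prefix idea in the reply (a match-authstring on the RADIUS servers as well) or turning fail-through off in the group are the two ways to close that.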

Contributor II
Posts: 41
Registered: ‎03-10-2011

Re: Guest Provisioning Authentication

Perfect, thanks Colin, just tried it and that works: if I don't set a GP derivation and use LDAP for my client login id (local network access), I am logged in to the controller as root. If I then set a user derivation of GP, keeping LDAP at the top of the server group hierarchy but using the auth string, I am redirected to the GP page.

Thanks for your help!

-David