Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
API for creating guest user in Internal DB?

  • 1.  API for creating guest user in Internal DB?

    Posted Jan 12, 2015 01:19 PM

    I'm working on a sign-in kiosk for our front desk at our facility. All guests to our facility will be required to sign in on this computer. Many of our guests also require access to the Internet. We have Aruba configured for this already using a captive portal and a guest authentication using the Internal DB. The receptionist is able to create these accounts for our guests. However, I'd like to automate this even further and have the kiosk ask the guest if they need Internet access. If they do, I'd like to have my application (just a simple vb.net app) be able to create the account for them, set to expire at the end of the day.

     

    Is there a way to create these user accounts using an API of some sort?

     

    Thanks for any and all help.



  • 2.  RE: API for creating guest user in Internal DB?

    EMPLOYEE
    Posted Jan 12, 2015 01:22 PM
    You could write a script that consoles in and runs the following command:



    local-userdb add username "user" password "pw"


  • 3.  RE: API for creating guest user in Internal DB?

    Posted Jan 12, 2015 01:23 PM

    I did have that thought, but wouldn't I need to use my admin password in order to console in? I don't mind having to compile in a password that only has access to provision guest users, but would like to avoid putting my admin password into the app.



  • 4.  RE: API for creating guest user in Internal DB?

    EMPLOYEE
    Posted Jan 12, 2015 01:27 PM
    You could create a new user with the guest-provisioning role and a strong
    password.


  • 5.  RE: API for creating guest user in Internal DB?

    Posted Jan 12, 2015 01:43 PM

    When I SSH into the controller, I am able to login using my guest provisioning user... however, when I hit '?' to see available commands it does not list 'local-userdb' as a valid command:

     

    enable                  Turn on Privileged commands
    exit                    Exit this session. Any unsaved changes are lost.
    help                    Help on CLI command line processing and a
                            Description of the interactive help system
    logout                  Exit this session. Any unsaved changes are lost.
    ping                    Send ICMP echo packets to the specified ip address.
    tracepath               Trace path to the specified IPv6 address.
    traceroute              Trace route to the specified ip address.

     

    If I type it regardless, it does not accept it. 'enable' only accepts my admin password (as I would expect).



  • 6.  RE: API for creating guest user in Internal DB?

    Posted Jan 13, 2015 02:39 AM

    You first have to go to enable mode, with the command enable and the enable password.

     

    If your ArubaOS version is high enough you can configure the system to automatically go to enable mode; the config for this is: enable bypass



  • 7.  RE: API for creating guest user in Internal DB?

    Posted Jan 13, 2015 09:08 AM

    This seems like a plausible solution. However, I've run into an issue. I have a user that has the "guest-provisioning" role. After adding the "enable bypass" configuration option, I can log in with that user and have a full list of commands available when I hit '?'. Unfortunately, when I run the local-userdb command, I get an error about not having permission:

     

    You do not have permission to execute the command: local-userdb add username "test" password ******



  • 8.  RE: API for creating guest user in Internal DB?

    Posted Jan 13, 2015 10:12 AM

    Unfortunately the same happens for me, version 6.4.2.3.

     

    The alternative would be to use a user with more rights, but that is of course risky.



  • 9.  RE: API for creating guest user in Internal DB?

    EMPLOYEE
    Posted Jan 13, 2015 11:02 AM

    @StarDestroyer wrote:

    I did have that thought, but wouldn't I need to use my admin password in order to console in? I don't mind having to compile in a password that only has access to provision guest users, but would like to avoid putting my admin password into the app.


    StarDestroyer,

     

    It probably would be easier for you to point to an LDAP container in active directory where your guest users reside and enable "fail through" in the server group that is authenticating your guests.  Your script could add users to that container in active directory.  The controller's internal guest database would be checked and then your AD container that you would be adding your users to would also be checked.  Here is what you can do:

     

    - Create an LDAP server where the base-dn is your container

    - Add that LDAP server to the server group that your guest users are being authenticated to

    - Enable "Fail Through" on that server group, so that it checks the guest database, AND your ldap for guest users

    - Use your VB scripting to add whatever users you want to AD.

     

    The guest facility within the controller is fairly rudimentary and was not built to do what you need it to.

     

     



  • 10.  RE: API for creating guest user in Internal DB?

    Posted Jan 14, 2015 02:46 PM

    I'm not sure I like the idea of putting guest users in my Active Directory any more than I like the idea of compiling in an administrative password to my Aruba system.

     

    It's really a shame that a user with the guest-provisioning role can't provision a guest from the command line. That would have been a workable solution.



  • 11.  RE: API for creating guest user in Internal DB?

    EMPLOYEE
    Posted Jan 14, 2015 03:59 PM

    StarDestroyer,

     

    It was built for a user logging in with the GUI.  If you can protect the host with the username and password that is used for this function, you have a solution.  You should create a separate user for this function and look at the audit trail.
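An added example, not code from the thread or from HPE Aruba: a Python sketch of the kiosk-side logic for the scripted approach in replies 2 and 6. It validates the visitor-typed name before it is embedded in the quoted `local-userdb add` line (so a visitor cannot type quote characters that would alter the CLI command), generates a random password, sends `enable` plus the enable password first, and recognises the permission error quoted in reply 7. The SSH session is represented by a caller-supplied `send` function (assumed; for a real controller it would wrap a paramiko shell channel), and the expiry flag from the original question is not included because the thread does not show it.

```python
import re
import secrets
import string
from typing import Callable

# Conservative character set for the kiosk-supplied username (a constructed
# rule for this script, not a controller limit): no quotes, spaces or newlines,
# so the name cannot break out of the quoted argument below.
_SAFE_TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")

# Reply text the controller returns when the account lacks the right role,
# as quoted in the thread.
_DENIED = "You do not have permission to execute the command"


class GuestProvisionError(Exception):
    pass


def make_password(length: int = 12) -> str:
    """Random guest password drawn from letters and digits only."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_add_command(username: str, password: str) -> str:
    """Return the 'local-userdb add' line from reply 2 for a validated name."""
    if not _SAFE_TOKEN_RE.fullmatch(username):
        raise GuestProvisionError(f"rejected username: {username!r}")
    if not _SAFE_TOKEN_RE.fullmatch(password):
        raise GuestProvisionError("password contains characters not allowed")
    return f'local-userdb add username "{username}" password "{password}"'


def provision_guest(send: Callable[[str], str], enable_password: str,
                    username: str) -> str:
    """Enter enable mode (reply 6), add the guest, check the controller reply.

    `send` writes one CLI line to the controller session and returns the
    output it produced (assumed wrapper around an SSH shell; not from the
    thread).  Returns the generated password for display to the visitor.
    """
    password = make_password()
    send("enable")            # privileged mode first, as reply 6 describes
    send(enable_password)
    reply = send(build_add_command(username, password))
    if _DENIED in reply:      # the failure mode shown in reply 7
        raise GuestProvisionError("account lacks rights for local-userdb add")
    return password
```

Use a dedicated, least-privilege controller account for `enable_password` and keep it outside the compiled app (a credential store), which is the same separation reply 11 recommends.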