Occasional Contributor I
Posts: 9
Registered: ‎07-12-2011

API for creating guest user in Internal DB?

I'm working on a sign-in kiosk for our front desk at our facility. All guests to our facility will be required to sign in on this computer. Many of our guests also require access to the Internet. We have Aruba configured for this already using a captive portal and a guest authentication using the Internal DB. The receptionist is able to create these accounts for our guests. However, I'd like to automate this even further and have the kiosk ask the guest if they need Internet access. If they do, I'd like to have my application (just a simple vb.net app) be able to create the account for them, set to expire at the end of the day.

 

Is there a way to create these user accounts using an API of some sort?

 

Thanks for any and all help.

Guru Elite
Posts: 8,774
Registered: ‎09-08-2010

Re: API for creating guest user in Internal DB?

You could write a script that consoles in and runs the following command:



local-userdb add username "user" password "pw"

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 9
Registered: ‎07-12-2011

Re: API for creating guest user in Internal DB?

I did have that thought, but wouldn't I need to use my admin password in order to console in? I don't mind having to compile in a password that only has access to provision guest users, but would like to avoid putting my admin password into the app.

Guru Elite
Posts: 8,774
Registered: ‎09-08-2010

Re: API for creating guest user in Internal DB?

You could create a new user with the guest-provisioning role and a strong password.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 9
Registered: ‎07-12-2011

Re: API for creating guest user in Internal DB?

When I SSH into the controller, I am able to log in using my guest provisioning user... however, when I hit '?' to see available commands it does not list 'local-userdb' as a valid command:

 

enable                  Turn on Privileged commands
exit                    Exit this session. Any unsaved changes are lost.
help                    Help on CLI command line processing and a
                        Description of the interactive help system
logout                  Exit this session. Any unsaved changes are lost.
ping                    Send ICMP echo packets to the specified ip address.
tracepath               Trace path to the specified IPv6 address.
traceroute              Trace route to the specified ip address.

 

If I type it regardless, it does not accept it. 'enable' only accepts my admin password (as I would expect).

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: API for creating guest user in Internal DB?

You first have to go to enable mode, with the command enable and the enable password.

If your ArubaOS version is high enough you can configure the system to automatically go to enable mode; the config for this is: enable bypass

Occasional Contributor I
Posts: 9
Registered: ‎07-12-2011

Re: API for creating guest user in Internal DB?

This seems like a plausible solution. However, I've run into an issue. I have a user that has the "guest-provisioning" role. After adding the "enable bypass" configuration option, I can log in with that user and have a full list of commands available when I hit '?'. Unfortunately, when I run the local-userdb command, I get an error about not having permission:

 

You do not have permission to execute the command: local-userdb add username "test" password ******

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: API for creating guest user in Internal DB?

Unfortunately the same happens for me, version 6.4.2.3.

The alternative would be to use a user with more rights, but that is of course risky.

Guru Elite
Posts: 21,554
Registered: ‎03-29-2007

Re: API for creating guest user in Internal DB?


StarDestroyer wrote:

I did have that thought, but wouldn't I need to use my admin password in order to console in? I don't mind having to compile in a password that only has access to provision guest users, but would like to avoid putting my admin password into the app.


StarDestroyer,

It probably would be easier for you to point to an LDAP container in Active Directory where your guest users reside and enable "fail through" in the server group that is authenticating your guests. Your script could add users to that container in Active Directory. The controller's internal guest database would be checked and then your AD container that you would be adding your users to would also be checked. Here is what you can do:

 

- Create an LDAP server where the base-dn is your container

- Add that LDAP server to the server group that your guest users are being authenticated to

- Enable "Fail Through" on that server group, so that it checks the guest database, AND your LDAP for guest users

- Use your VB scripting to add whatever users you want to AD.

 

The guest facility within the controller is fairly rudimentary and was not built to do what you need it to.

 

 



Colin Joseph
Aruba Customer Engineering
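
One way to script the last step of the list above, shown in PowerShell rather than VB (an added example, not code from this thread or from Aruba): it creates a guest account in the LDAP container with a random password and an expiry at the end of the day. It assumes the ActiveDirectory module, a hypothetical OU `OU=WifiGuests,DC=example,DC=com`, hypothetical function names, and a kiosk service account that has been delegated the right to create users in that OU only.

```powershell
# Added example; OU path, function names and password length are assumptions.
#Requires -Modules ActiveDirectory

function New-GuestPassword {
    param([int]$Length = 12)
    # 64 symbols: 256 % 64 = 0, so reducing a random byte with % adds no bias.
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    try {
        do {
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
            # Retry until lower case, upper case and a digit are all present,
            # which satisfies the default AD complexity rule (3 of 4 classes).
        } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -cmatch '[0-9]')
    } finally { $rng.Dispose() }
    return $pw
}

function New-KioskGuest {
    param(
        [Parameter(Mandatory)][ValidateLength(1, 64)][string]$VisitorName,
        # Hypothetical OU; it must match the base-dn of the controller's LDAP server.
        [string]$GuestOu = 'OU=WifiGuests,DC=example,DC=com'
    )
    # The login name is generated, never taken from what the visitor typed.
    $sam      = 'guest-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
    $password = New-GuestPassword
    # Midnight at the end of today; AD rejects logons after this time.
    $expires  = (Get-Date).Date.AddDays(1)

    New-ADUser -Name $sam -SamAccountName $sam -Path $GuestOu `
        -Description "Kiosk guest: $VisitorName" `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
        -AccountExpirationDate $expires `
        -CannotChangePassword $true -Enabled $true

    # Returned so the kiosk can show or print the credentials once.
    [pscustomobject]@{ UserName = $sam; Password = $password; Expires = $expires }
}
```

Expired accounts stay in the OU until they are deleted, so a scheduled cleanup of that container is still needed.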


Occasional Contributor I
Posts: 9
Registered: ‎07-12-2011

Re: API for creating guest user in Internal DB?

I'm not sure I like the idea of putting guest users in my Active Directory any more than I like the idea of compiling in an administrative password to my Aruba system.

 

It's really a shame that a user with the guest-provisioning role can't provision a guest from the command line. That would have been a workable solution.
