Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Admin Access using freeRADIUS and Kerberos5

  • 1.  Admin Access using freeRADIUS and Kerberos5

    Posted Jul 17, 2012 01:06 PM

    I'm looking for a little guidance on the best way to handle Admin access to Aruba Instant using freeRADIUS for Authentication, which subsequently uses Kerberos5 as the back-end for Authorization and user-database. Without becoming an expert in freeRADIUS and Kerberos5, and without purchasing an expensive AAA solution, what is the best way to handle/limit basic Authentication of specific Kerberos5 users logging into the IAP's Instant portal, for example, Admins?

     

    I use this solution for Authenticating 802.1x WiFi users, and it works successfully. I just need to be able to allow or deny Login Access to the Instant portal itself to Administer configurations based on either freeRADIUS or Kerberos5. I'm just not sure which is the best way to go yet.

     

    In short: I have RADIUS configured in Instant. RADIUS uses Kerberos5 as a back-end for Authentication and Authorization. I need to identify who is an Administrator allowed to configure the Aruba devices through Admin access to "Instant" without allowing all my Kerberos5 users access.

     

    Believe me, trying to find the answer to this question has been really difficult, because neither RADIUS nor Kerberos developer sites address the coexistence of both in one solution.



  • 2.  RE: Admin Access using freeRADIUS and Kerberos5

    Posted Jul 20, 2012 04:53 AM

    @brconflict: against which backend do you authenticate via Kerberos 5?

     

    Client <-- (802.1x) --> IAP <-- (RADIUS) --> freeRADIUS <-- (Kerberos 5) --> ???



  • 3.  RE: Admin Access using freeRADIUS and Kerberos5

    Posted Jul 20, 2012 11:02 AM

    Kerberos 5 uses a MySQL database maybe. I don't manage that side of things. No Windows users (Only Macs and Linux). But the sequence of AUTH you illustrated is correct. I'm more looking toward using either freeRADIUS groups (if possible), or to somehow identify users for an "admin" group in Kerberos that can be "allowed" to administer Aruba Instant. I just don't wish to go down one path of futility if the other is a better idea (Kerberos or RADIUS). Thanks!



  • 4.  RE: Admin Access using freeRADIUS and Kerberos5

    Posted Jul 20, 2012 02:15 PM

    @brconflict: you might want to have a closer look at how to use the authorize_check_query for checking for user attributes after the Kerberos 5 authentication.
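
One way to model the split suggested in the last reply, added here as an example and not taken from any post or from freeRADIUS itself: Kerberos 5 only answers whether the password is right, and a separate SQL lookup decides whether that user may administer Instant. The table layout, the group name `instant-admins`, the realm `EXAMPLE.ORG` and all function names are assumptions, and the Kerberos result is passed in as a boolean rather than performed.

```python
import sqlite3

ADMIN_GROUP = "instant-admins"   # hypothetical group name
REALM = "EXAMPLE.ORG"            # hypothetical Kerberos realm

def build_db():
    """In-memory user-to-group table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radusergroup ("
               "username TEXT NOT NULL, groupname TEXT NOT NULL)")
    db.executemany("INSERT INTO radusergroup VALUES (?, ?)", [
        ("alice", "instant-admins"),
        ("alice", "wifi-users"),
        ("bob", "wifi-users"),
    ])
    return db

def local_name(user_name):
    """Return the bare user name, or None if the realm is not ours."""
    if "@" not in user_name:
        return user_name or None
    name, _, realm = user_name.rpartition("@")
    # Kerberos realms are case-sensitive: only an exact match is accepted.
    return name if name and realm == REALM else None

def authorize_admin(db, user_name, krb5_ok):
    """Decide an admin login: authentication first, then group lookup."""
    if not krb5_ok:                      # wrong password or unknown principal
        return "Access-Reject"
    name = local_name(user_name)
    if name is None:
        return "Access-Reject"
    # Bound parameters keep the user-supplied name out of the SQL text.
    row = db.execute(
        "SELECT 1 FROM radusergroup WHERE username = ? AND groupname = ? LIMIT 1",
        (name, ADMIN_GROUP)).fetchone()
    # Default deny: a valid Kerberos user with no admin row is rejected.
    return "Access-Accept" if row else "Access-Reject"

if __name__ == "__main__":
    db = build_db()
    for user, ok in [("alice", True), ("bob", True), ("alice", False),
                     ("alice@EXAMPLE.ORG", True), ("alice@OTHER.ORG", True)]:
        print(user, ok, authorize_admin(db, user, ok))
```

Here `bob` authenticates successfully but is still rejected for admin access because he has no row in the admin group, which is the behaviour the original question asks for.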