Occasional Contributor II
Posts: 18
Registered: ‎12-16-2010

Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

We want to use Windows Server 2012 NPS RADIUS for both read-write management access and read-only management access, and we have configured an Aruba 3200 controller to point to the RADIUS server and Windows Active Directory groups for differentiating administrative access from non-administrative or read-only access.

I log in with my normal account (dbell) with PuTTY (SSH) and I get limited > access. I can then log in with my privileged AD account (dbell-pr) and gain admin privileged access. On the web GUI I log in with my dbell-pr and get admin access, and if I log in with my normal dbell account I still get privileged access (admin). Do you have any ideas on how to eliminate administrative access through the web GUI for my normal non-privileged account? We are using 14823 as directed by limited documentation we have found. We are currently using a 1 for the vendor-assigned attribute number, and it works to limit access through PuTTY to only read-only, but does nothing to limit read-write access on the web GUI. Am I missing something here?

[Attached screenshots: 2015-07-06_9-17-45.png, 2015-07-06_9-17-23.png]

Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

You should make sure that on the Aruba controller the default role for administrative access is set to "no access". That way, only someone who has the administrative VSA of root will get root.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 18
Registered: ‎12-16-2010

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

Doing this will completely lock you out of managing the controller.

Regular Contributor II
Posts: 225
Registered: ‎10-29-2014

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

No, if local authentication is enabled you can still log in using your root credential.
HTH
Cheers
SumaN
Occasional Contributor II
Posts: 18
Registered: ‎12-16-2010

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

No, you are wrong. Try it.

Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access


dbell6809 wrote:

Doing this will completely lock you out of managing the controller.

Nope. Local management accounts will still work, if they were working before. Local accounts already have attributes assigned, so they always work.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 18
Registered: ‎12-16-2010

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

You are wrong. I am locked out completely!!!!!

Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

Dbell6809,

If you do not allow local accounts to authenticate while RADIUS is working, and you are NOT sending back an administrative role in the VSA, you would not be able to access your controller, no.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,422
Registered: ‎10-25-2011

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

If "no access" is enabled, local authentication will not work unless the RADIUS server is not responding, at which point local access will work again.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access


pmonardo wrote:
If "no access" is enabled, local authentication will not work unless the RADIUS server is not responding, at which point local access will work again.

pmonardo,

"No Access" means do not allow access to anyone who does not send an administrative role in the Aruba VSA during authentication. Which means that people who simply pass authentication in RADIUS cannot access the controller.

If you uncheck "Allow Local Authentication", local users cannot authenticate when RADIUS is still responding.

Combining both means only a user who authenticates successfully via RADIUS and whose user sends a VSA will be able to access the controller, when the RADIUS server is reachable. If the RADIUS server is not reachable, local admin accounts will work with both of these options enabled.

I just want to make it clear those two options are different things.

Colin Joseph
Aruba Customer Engineering
