Wireless Access

Occasional Contributor II

Accounting for management users

Hi everybody,

I've been following the guides posted by cjoseph to authenticate the management users through RADIUS server, it's working fine, but now I have to perform accounting to these managment users. Since the accounting profile is used on AAA profiles, I don't know if I could do accounting to admin users and not just to wireless users.

Btw, is possible to give another privilege (not root...for example "read only"), through RADIUS authentication?

Thanks in advance, any idea will be very useful. :smileyhappy:



Aruba Employee

Re: Accounting for management users

Accounting is usually used to tell the RADIUS server when a user started and stopped a session.  For management users, that may not be relevant.


Are you wanting to do "authorization" (where you allow certain commands for certain users and more or less for other users)?


Right now, the controller only has the concept of roles (read-only, guest-provisioning, root, network-operations, etc).  You CAN pass a RADIUS attribute back to the controller to properly set the role.  For example, if the user requesting controller authentication is a member of "admins", you can pass back the attribute called "Class" with a value of "root".  On the controller you can create a rule (under Management > Administration > Server Rules) by setting "Condition" = Class, "Operation" = value-of, "Action" = set role.  That way, when the RADIUS server responded to the authentication attempt, it would include Class (the way you do that depends on your RADIUS server) with the value of "root".  The controller would then apply the root role to anyone in the Admins group (or whatever group you want to check against in your RADIUS server).

Occasional Contributor II

Re: Accounting for management users

Thanks for the quick reply :smileyhappy:


My customer is asking me to do that, they wants to know when a administrator logs into the controller.


Btw, I'm gonna perform a lab to test what you just tell me about the roles, I'll be sharing the results with all of you.



Kind regards,



Occasional Contributor II

Re: Accounting for management users



So can't I perform RADIUS accounting for Managment Users, just wireless users???




Guru Elite

Re: Accounting for management users

If you want to see what your management users are doing just type "show audit-trail".  The output of that audit-trail is also syslogged:  http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-audit-trail-all/m-p/971/highlight/true#M65


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: