12-13-2011 09:03 AM
I've been following the guides posted by cjoseph to authenticate the management users through a RADIUS server. It's working fine, but now I have to perform accounting for these management users. Since the accounting profile is used on AAA profiles, I don't know if I could do accounting for admin users and not just for wireless users.
Btw, is it possible to give another privilege (not root... for example "read only") through RADIUS authentication?
Thanks in advance, any idea will be very useful. :)
12-13-2011 09:16 AM
Accounting is usually used to tell the RADIUS server when a user started and stopped a session. For management users, that may not be relevant.
Are you wanting to do "authorization" (where you allow certain commands for certain users and more or less for other users)?
Right now, the controller only has the concept of roles (read-only, guest-provisioning, root, network-operations, etc). You CAN pass a RADIUS attribute back to the controller to properly set the role. For example, if the user requesting controller authentication is a member of "admins", you can pass back the attribute called "Class" with a value of "root". On the controller you can create a rule (under Management > Administration > Server Rules) by setting "Condition" = Class, "Operation" = value-of, "Action" = set role. That way, when the RADIUS server responded to the authentication attempt, it would include Class (the way you do that depends on your RADIUS server) with the value of "root". The controller would then apply the root role to anyone in the Admins group (or whatever group you want to check against in your RADIUS server).
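The Class-to-role mapping described in the reply above, as an added example that is not part of the original post and is not Aruba's code: it parses the attribute section of an Access-Accept, pulls out Class (type 25) and applies a value-of rule, so you can check what your RADIUS server would hand each admin group. The function names, the sample packets and the choice to ignore Class values outside the four roles named in the reply are assumptions of this sketch.

```python
# Added example: checks which management role a RADIUS Access-Accept would select.
KNOWN_ROLES = {"root", "read-only", "guest-provisioning", "network-operations"}
CLASS = 25          # RADIUS attribute type for Class (RFC 2865)
REPLY_MESSAGE = 18  # RADIUS attribute type for Reply-Message (RFC 2865)


def attr(attr_type, value):
    """Encode one attribute as type, length (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data):
    """Split the attribute section of a RADIUS packet into {type: [values]}."""
    attrs, i = {}, 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length out of range")
        attrs.setdefault(attr_type, []).append(data[i + 2:i + length])
        i += length
    return attrs


def role_from_accept(attr_bytes, default_role=None):
    """Model of 'Condition = Class, Operation = value-of, Action = set role'.

    Assumption: a Class value that is not a known role is ignored and the
    caller's default applies; None means "no management role".
    """
    for raw in parse_attributes(attr_bytes).get(CLASS, []):
        try:
            role = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if role in KNOWN_ROLES:
            return role
    return default_role


# Constructed attribute sections (not captured traffic).
ADMIN_ACCEPT = attr(REPLY_MESSAGE, b"welcome") + attr(CLASS, b"root")
HELPDESK_ACCEPT = attr(CLASS, b"read-only")
UNMAPPED_ACCEPT = attr(CLASS, b"OU=Staff")   # group string, not a role name
NO_CLASS_ACCEPT = attr(REPLY_MESSAGE, b"welcome")

if __name__ == "__main__":
    for name in ("ADMIN_ACCEPT", "HELPDESK_ACCEPT", "UNMAPPED_ACCEPT", "NO_CLASS_ACCEPT"):
        print(name, "->", role_from_accept(globals()[name]))
```

The two cases worth checking against a real server are the last two: a reply whose Class is a group string rather than a role name, and a reply with no Class at all, neither of which should end up with root.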
12-13-2011 09:35 AM
Thanks for the quick reply :)
My customer is asking me to do that, they want to know when an administrator logs into the controller.
Btw, I'm gonna perform a lab to test what you just told me about the roles, I'll be sharing the results with all of you.
12-16-2011 08:02 AM
If you want to see what your management users are doing just type "show audit-trail". The output of that audit-trail is also syslogged: http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-audit-trail-all/m-p/971/highlight/true#M65
Aruba Customer Engineering