Occasional Contributor II
Posts: 22
Registered: ‎08-17-2011

Accounting for management users

Hi everybody,

I've been following the guides posted by cjoseph to authenticate the management users through a RADIUS server. It's working fine, but now I have to perform accounting for these management users. Since the accounting profile is used on AAA profiles, I don't know if I could do accounting for admin users and not just for wireless users.

Btw, is it possible to give another privilege (not root... for example "read only") through RADIUS authentication?

Thanks in advance, any idea will be very useful. :)

César

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Accounting for management users

Accounting is usually used to tell the RADIUS server when a user started and stopped a session.  For management users, that may not be relevant.

 

Are you wanting to do "authorization" (where you allow certain commands for certain users and more or less for other users)?

 

Right now, the controller only has the concept of roles (read-only, guest-provisioning, root, network-operations, etc).  You CAN pass a RADIUS attribute back to the controller to properly set the role.  For example, if the user requesting controller authentication is a member of "admins", you can pass back the attribute called "Class" with a value of "root".  On the controller you can create a rule (under Management > Administration > Server Rules) by setting "Condition" = Class, "Operation" = value-of, "Action" = set role.  That way, when the RADIUS server responded to the authentication attempt, it would include Class (the way you do that depends on your RADIUS server) with the value of "root".  The controller would then apply the root role to anyone in the Admins group (or whatever group you want to check against in your RADIUS server).

Occasional Contributor II
Posts: 22
Registered: ‎08-17-2011

Re: Accounting for management users

Thanks for the quick reply :)

My customer is asking me to do that; they want to know when an administrator logs into the controller.

Btw, I'm gonna perform a lab to test what you just told me about the roles. I'll be sharing the results with all of you.

Kind regards,

César

Occasional Contributor II
Posts: 22
Registered: ‎08-17-2011

Re: Accounting for management users

Olino,

So I can't perform RADIUS accounting for management users, just wireless users???

César

Guru Elite
Posts: 21,561
Registered: ‎03-29-2007

Re: Accounting for management users

If you want to see what your management users are doing just type "show audit-trail".  The output of that audit-trail is also syslogged:  http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-audit-trail-all/m-p/971/highlight/true#M65

 



Colin Joseph
Aruba Customer Engineering
