Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Authentication Order

  • 1.  Authentication Order

    Posted Jul 19, 2012 10:30 AM

    Hi,

    With Aruba OS 5.0.4.7, is it possible to keep the local default "admin" account enabled but only used as last resort when the specified tacacs server group fails?

     

    Thanks,

    ckc



  • 2.  RE: Authentication Order
    Best Answer

    Posted Jul 19, 2012 11:20 AM

    Depending on what you are looking to achieve, have a look at the following command:

    mgmt-user localauth-disable

    This should disable local authentication (for example "admin") if the RADIUS/TACACS server is responding. If the server does not respond, the local account can be used.

    If you just want to use both RADIUS/TACACS and local accounts (admin), leave the setting as enabled.



  • 3.  RE: Authentication Order

    Posted Jul 19, 2012 12:09 PM

    I want to ensure everyone is logging in with their tacacs account instead of using the admin account, which is enabled by default. As a backup, in case the tacacs server group is not reachable, I still want the default admin account available.

    So to confirm: if I disable the admin account with "mgmt-user localauth-disable" and tacacs fails, the admin account will still work, right? I'm on AOS 5.0.4.7

    Thanks,

    ckc



  • 4.  RE: Authentication Order

    Posted Jul 19, 2012 05:15 PM

    Yes, this is correct (and it is for all local admin accounts, not just "admin"). Please see the results below:

    Authentication attempt by "admin" when RADIUS is online:
    authmgr[1547]: <124004> <DBUG> |authmgr| aal_authenticate user:admin vpnflags:0
    authmgr[1547]: <124004> <DBUG> |authmgr| unknown user=x.x.x.x, method=Management
    authmgr[1547]: <124004> <DBUG> |authmgr| aal_authenticate server_group:default
    authmgr[1547]: <124004> <DBUG> |authmgr| Select server for method=Management, user=admin, essid=<>, server-group=radius-group, last_srv <>
    authmgr[1547]: <124004> <DBUG> |authmgr| server=radius-server, ena=1, ins=1 (1)
    authmgr[1547]: <124038> <INFO> |authmgr| Selected server radius-server for method=Management; user=admin, essid=<>, domain=<>, server-group=radius-group
    authmgr[1547]: <124064> <NOTI> |authmgr| Administrative User Authentication Failed: username=admin IP=x.x.x.x auth server=radius-server
    authmgr[1547]: <124003> <INFO> |authmgr| Authentication result=Authentication failed(1), method=Management, server=radius-server, user=x.x.x.x
    authmgr[1547]: <124004> <DBUG> |authmgr| Auth server 'radius-server' response=1
    aaa[1460]: <125027> <DBUG> |aaa| mgmt-auth: admin, failure, , 0
    aaa[1460]: <125059> <NOTI> |aaa| Since user 'admin' authentication is rejected by authentication server, the user will not be given any access

    Authentication attempt by "admin" when RADIUS is not responding:
    authmgr[1547]: <124004> <DBUG> |authmgr| aal_authenticate user:admin vpnflags:0
    authmgr[1547]: <124004> <DBUG> |authmgr| unknown user=x.x.x.x, method=Management
    authmgr[1547]: <124004> <DBUG> |authmgr| aal_authenticate server_group:default
    authmgr[1547]: <124004> <DBUG> |authmgr| Select server for method=Management, user=admin, essid=<>, server-group=radius-group, last_srv <>
    authmgr[1547]: <124004> <DBUG> |authmgr| server=radius-server, ena=1, ins=1 (1)
    authmgr[1547]: <124038> <INFO> |authmgr| Selected server radius-server for method=Management; user=admin, essid=<>, domain=<>, server-group=radius-group
    authmgr[1547]: <124066> <INFO> |authmgr| Administrative User Authentication Successful: username=admin IP=x.x.x.xauth server=radius-server
    authmgr[1547]: <124003> <INFO> |authmgr| Authentication result=AAA server timeout(2), method=Management, server=radius-server, user=x.x.x.x
    authmgr[1547]: <124004> <DBUG> |authmgr| Auth server 'radius-server' response=2
    authmgr[1547]: <124014> <NOTI> |authmgr| Taking Server radius-server out of service for 10 mins
    authmgr[1547]: <124004> <DBUG> |authmgr| Select server for method=Management, user=admin, essid=<>, server-group=radius-group, last_srv radius-server
    authmgr[1547]: <124038> <INFO> |authmgr| Selected server <> for method=Management; user=admin, essid=<>, domain=<>, server-group=radius-group
    authmgr[1547]: <124004> <DBUG> |authmgr| Timed Out to N/A
    aaa[1460]: <125027> <DBUG> |aaa| mgmt-auth: admin, failure, , 0
    aaa[1460]: <125024> <NOTI> |aaa| Authentication Succeeded for User admin, Logged in from x.x.x.xport 53416, Connecting to x.x.x.x port 4343 connection type HTTPS
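As an added example (not from this thread or from HPE Aruba), a small Python parser that turns the two log sequences above into a defender-side verdict: a login that the AAA server rejected versus one that succeeded against the local user database only because the server timed out, which is the event an operator running "mgmt-user localauth-disable" would want alerted. The message IDs and phrasings come from the quoted logs; the regexes, event names and condensed sample lines are this example's own assumptions.

```python
import re

# Message IDs and phrasings are taken from the log excerpts quoted in the reply
# above; the regexes and event names are this example's own assumptions.
RESULT_RE = re.compile(r"<124003>.*Authentication result=[^(]+\((?P<code>\d+)\)")
OUT_OF_SERVICE_RE = re.compile(r"<124014>.*Taking Server (?P<server>\S+) out of service for (?P<mins>\d+) mins")
LOCAL_SUCCESS_RE = re.compile(r"<125024>.*Authentication Succeeded for User (?P<user>[^,\s]+)")
SERVER_REJECT_RE = re.compile(r"<125059>.*user '(?P<user>[^']+)' authentication is rejected")

def classify_mgmt_login(lines):
    """Summarise one management login attempt from its authmgr/aaa log lines.

    outcome is 'server_rejected' when the AAA server answered with a reject,
    'local_fallback' when the server timed out (result code 2) and the login
    then succeeded against the local user database, 'accepted' otherwise.
    """
    summary = {"user": None, "outcome": "unknown", "result_code": None, "server_down": None}
    for line in lines:
        if m := RESULT_RE.search(line):
            summary["result_code"] = int(m.group("code"))
        elif m := OUT_OF_SERVICE_RE.search(line):
            summary["server_down"] = (m.group("server"), int(m.group("mins")))
        elif m := SERVER_REJECT_RE.search(line):
            summary["user"] = m.group("user")
            summary["outcome"] = "server_rejected"
        elif m := LOCAL_SUCCESS_RE.search(line):
            summary["user"] = m.group("user")
            summary["outcome"] = "local_fallback" if summary["result_code"] == 2 else "accepted"
    return summary

def alerts(lines):
    """Return human-readable alerts worth forwarding to a SIEM."""
    s = classify_mgmt_login(lines)
    out = []
    if s["server_down"]:
        out.append("AAA server %s marked out of service for %d min" % s["server_down"])
    if s["outcome"] == "local_fallback":
        out.append("local admin fallback used by %s (TACACS/RADIUS unreachable)" % s["user"])
    return out

# Constructed samples, condensed from the two excerpts in the reply above.
RADIUS_ONLINE = [
    "authmgr[1547]: <124003> <INFO> |authmgr| Authentication result=Authentication failed(1), method=Management, server=radius-server, user=x.x.x.x",
    "aaa[1460]: <125027> <DBUG> |aaa| mgmt-auth: admin, failure, , 0",
    "aaa[1460]: <125059> <NOTI> |aaa| Since user 'admin' authentication is rejected by authentication server, the user will not be given any access",
]
RADIUS_DOWN = [
    "authmgr[1547]: <124003> <INFO> |authmgr| Authentication result=AAA server timeout(2), method=Management, server=radius-server, user=x.x.x.x",
    "authmgr[1547]: <124014> <NOTI> |authmgr| Taking Server radius-server out of service for 10 mins",
    "aaa[1460]: <125027> <DBUG> |aaa| mgmt-auth: admin, failure, , 0",
    "aaa[1460]: <125024> <NOTI> |aaa| Authentication Succeeded for User admin, Logged in from x.x.x.xport 53416, Connecting to x.x.x.x port 4343 connection type HTTPS",
]

if __name__ == "__main__":
    for name, sample in (("online", RADIUS_ONLINE), ("down", RADIUS_DOWN)):
        print(name, classify_mgmt_login(sample), alerts(sample))
```

Note that the "mgmt-auth: admin, failure" line appears in both sequences, so it cannot by itself distinguish a server reject from a local fallback; the result code and the later "Authentication Succeeded" line are what tell them apart.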



  • 5.  RE: Authentication Order

    Posted Jul 20, 2012 02:34 AM

    Thank you.

    ckc