Wireless Access

Reply
Contributor II

More than 10 management accounts?

Is there a way to create more than 10 management accounts for guest provisioning on a 4504 controller? I'm running 5.0.4.3.

Guru Elite

Re: More than 10 management accounts?

You can create users in the internal database and add the internal database to the server group used to authenticate management accounts.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II

Re: More than 10 management accounts?

I understand what you're saying but need to clarify something first. In the internal database, I see current guest user accounts. If I add the internal database to the server group being used for authentication, which role will for the guest user accounts take precedence? The role "guest" assigned to the guest users in the internal database or the default role "root" assigned to a user that passes through the Management Authentication Servers?

 

I guess my concern is that I don't want guests who are currently in the internal database to have access to the controller if I do this!

Guru Elite

Re: More than 10 management accounts?

Ok.  This is the page that indicates what you need to configure.  Make sure you make the "default-role" is "no-access" so that any user that does not have a management role like "root" or "read-only" will not be able to login.  Make sure you have a different browser logged into the controller when you are testing this so that you do not get logged out.

 

mgmt.jpg



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II

Re: More than 10 management accounts?

Actually, I'm already using a Server Group (which uses external servers) on that page (Management > Administration) that sets the Default Role for anyone who's able to authenticate using this server group to "root". I'm afraid if I make the controller's internal database part of this server group, the current guest users in the internal database will gain "root" access!

 

How's this for an idea: I add the guest management accounts in the external servers linked with the Server Group that I'm currently using and then use "Server Rules" on this page to give these specific users a role of "guest-provisioning"? That should work, right?

Guru Elite

Re: More than 10 management accounts?

Yes, it should.

 

On second thought, if you have all of those guest provisioning users in AD, why don't you just use AD to authenticate all of them.  For the guest provisioning users, you could have an AD group for those users, a remote access policy with the requirements of nas-port-type is VPN and Windows Group is "guest provisioners" and return an attribute "e.g. filter-id" of guest provisioners.  There should be a server derivation rule looking for a filter-id of "guestprovisioners" and changing the role to guest-provisioning".  You would repeate the same for administrative users, etc.  You can then not bother with the internal database.

 

Would this be doable?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II

Re: More than 10 management accounts?

Let me look into this. Thanks for your help.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: