Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

More than 10 management accounts?

  • 1.  More than 10 management accounts?

    Posted Jan 18, 2012 12:40 PM

    Is there a way to create more than 10 management accounts for guest provisioning on a 4504 controller? I'm running 5.0.4.3.



  • 2.  RE: More than 10 management accounts?

    EMPLOYEE
    Posted Jan 18, 2012 02:19 PM

    You can create users in the internal database and add the internal database to the server group used to authenticate management accounts.

     



  • 3.  RE: More than 10 management accounts?

    Posted Jan 18, 2012 05:59 PM

    I understand what you're saying but need to clarify something first. In the internal database, I see current guest user accounts. If I add the internal database to the server group being used for authentication, which role will take precedence for the guest user accounts? The role "guest" assigned to the guest users in the internal database or the default role "root" assigned to a user that passes through the Management Authentication Servers?

     

    I guess my concern is that I don't want guests who are currently in the internal database to have access to the controller if I do this!



  • 4.  RE: More than 10 management accounts?

    EMPLOYEE
    Posted Jan 18, 2012 06:33 PM

    Ok. This is the page that indicates what you need to configure. Make sure the "default-role" is "no-access" so that any user that does not have a management role like "root" or "read-only" will not be able to log in. Make sure you have a different browser logged into the controller when you are testing this so that you do not get logged out.

    [Attached image: mgmt.jpg]



  • 5.  RE: More than 10 management accounts?

    Posted Jan 18, 2012 06:43 PM

    Actually, I'm already using a Server Group (which uses external servers) on that page (Management > Administration) that sets the Default Role for anyone who's able to authenticate using this server group to "root". I'm afraid if I make the controller's internal database part of this server group, the current guest users in the internal database will gain "root" access!

     

    How's this for an idea: I add the guest management accounts in the external servers linked with the Server Group that I'm currently using and then use "Server Rules" on this page to give these specific users a role of "guest-provisioning"? That should work, right?



  • 6.  RE: More than 10 management accounts?

    EMPLOYEE
    Posted Jan 18, 2012 09:31 PM

    Yes, it should.

     

    On second thought, if you have all of those guest provisioning users in AD, why don't you just use AD to authenticate all of them? For the guest provisioning users, you could have an AD group for those users, a remote access policy with the requirements of nas-port-type is VPN and Windows Group is "guest provisioners" and return an attribute "e.g. filter-id" of guest provisioners. There should be a server derivation rule looking for a filter-id of "guestprovisioners" and changing the role to "guest-provisioning". You would repeat the same for administrative users, etc. You can then not bother with the internal database.

     

    Would this be doable?

     



  • 7.  RE: More than 10 management accounts?

    Posted Jan 19, 2012 01:27 AM

    Let me look into this. Thanks for your help.
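
The role-derivation concern raised in posts 3 and 5 and the fix suggested in posts 4 and 6, as an added example that is not part of the original thread and is not Aruba code: a small Python model that assumes the first matching server rule sets the role and the profile's default role applies otherwise. The user names, the "admins" Filter-Id value and all function and class names are constructed for illustration.

```python
from dataclasses import dataclass, field

NO_ACCESS = "no-access"

@dataclass
class ServerRule:
    attribute: str   # attribute returned by the auth server, e.g. "Filter-Id"
    value: str       # value the rule matches on
    role: str        # management role assigned on match

@dataclass
class MgmtAuthProfile:
    default_role: str
    servers: list                       # each server: {username: returned attributes}
    rules: list = field(default_factory=list)

def derive_role(profile, username):
    """Management role for a user who authenticates successfully, or None if refused."""
    for server in profile.servers:
        attrs = server.get(username)
        if attrs is None:
            continue                    # user unknown here, try the next server
        for rule in profile.rules:      # assumption: first matching rule wins
            if attrs.get(rule.attribute) == rule.value:
                return rule.role
        # no rule matched: the default role decides, and "no-access" refuses the login
        return None if profile.default_role == NO_ACCESS else profile.default_role
    return None

def audit(profile):
    """Map every account reachable through the server group to its resulting role."""
    users = {u for server in profile.servers for u in server}
    return {u: derive_role(profile, u) for u in sorted(users)}

# Constructed sample accounts (not from the thread).
RADIUS = {"alice.admin": {"Filter-Id": "admins"},
          "bob.frontdesk": {"Filter-Id": "guestprovisioners"},
          "carol.staff": {}}
INTERNAL_DB = {"guest1234": {}}         # an ordinary Wi-Fi guest account

# Post 5's worry: internal database added while the default role is still "root".
WEAK = MgmtAuthProfile("root", [RADIUS, INTERNAL_DB])
# Posts 4 and 6: default role "no-access" plus explicit Filter-Id derivation rules.
HARDENED = MgmtAuthProfile(NO_ACCESS, [RADIUS, INTERNAL_DB], [
    ServerRule("Filter-Id", "guestprovisioners", "guest-provisioning"),
    ServerRule("Filter-Id", "admins", "root")])

if __name__ == "__main__":
    for name, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(profile))
```

Running an audit like this against an export of the accounts behind a management server group shows which ones would receive a management role before the change is made on the controller.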