Wireless Access


Single Sign On

  • 1.  Single Sign On

    Posted May 08, 2013 09:53 AM

    Hello,

     

    We are using FreeRADIUS here for management access. I have configured AirWave for RADIUS authentication, enabled Single Sign On and defined an Alcatel-Lucent Controller Role in the Admin Role (AirWave web GUI).

     

    Anyway, if I want to open a controller web gui out of AirWave I am prompted for credentials again.

    Is there any special configuration needed on the controller side? How does this work exactly?

     

    Thanks in advance!

     

    Regards,

    Tobias Hachmer



  • 2.  RE: Single Sign On

    EMPLOYEE
    Posted May 08, 2013 05:22 PM

    What version of firmware is the controller running?

     

    Controller needs to be on at least 6.2.  And the command to run is:

    # allow-sso <username> <controller-role>

     

    On the AMP side, the AMP user's role needs to have 'Aruba Controller Role' set to match controller-role of SSO user.

     

    Keep in mind that there's an open AOS bug 84165 as the allow-sso command is missing from some 6.2 builds.



  • 3.  RE: Single Sign On

    Posted May 08, 2013 06:17 PM

    Thanks for the reply.

     

    It would be easier if the user guide were a bit more detailed. But since the SSO feature was introduced in 6.2, why was this feature described in the AirWave User Guide for version 7.4.0?

     

    What is the best practice here to configure user roles on controller and airwave for management access?

    E.g for our Admins with all privileges I define RADIUS Users with RADIUS Attribute Aruba-Admin-Role "root" and Aruba-Priv-Admin-User to bypass enable password.

     

    To accomplish sso do I have to create a user role on airwave called "root" for AirWave Administrator?

     

    Btw, I really miss a detailed instruction guide for the whole RADIUS Aruba dictionary: which attribute I can use for what, whether there are any values for attributes which are hardcoded, and so forth.

     

    Thanks in advance,

    Tobias Hachmer



  • 4.  RE: Single Sign On

    EMPLOYEE
    Posted May 08, 2013 06:31 PM

    Single sign on for controllers in Airwave has nothing directly to do with radius roles, but everything to do with Airwave internal roles.  In each management role in Airwave, you determine whether or not they will have single sign on privileges to the controller or not.  If yes, you select what role (privileges) in the controller would correspond to roles in Airwave.

     

    This only comes into play on the "Open Controller WebUI" dropdown when viewing the monitoring page of a controller in Airwave.  If Single Sign On is configured for the Airwave user's role, Airwave will log in to the controller and execute the allow-sso command, which will generate a temporary URL that Airwave can use to redirect the Airwave user to the Controller's GUI without logging in with the correct privileges.  That would allow a user who has already logged into Airwave NOT to have to log in to the controller before going to a page.

     

    Of course, since the command is missing in 6.2, there is no way to take advantage of this until it is fixed.  :(

     

     



  • 5.  RE: Single Sign On

    Posted May 09, 2013 09:40 AM

    Hello cjoseph,

     

    thanks for your reply!

     

    So, when sso has nothing directly to do with radius roles, there's no need to configure the admin roles on controller the same as in airwave?

     

    rgin wrote that the controller needs to be on at least 6.2. You wrote the command "allow-sso" is missing since 6.2. This leads me to believe this feature hasn't been working at all since it was introduced. Is this right? If not, in which firmware version was this command/feature introduced?

     

    Here we are running 6.1.3.7.

     

    Regards,

    Tobias Hachmer



  • 6.  RE: Single Sign On

    EMPLOYEE
    Posted May 09, 2013 05:57 PM

    Let me look into this further.  Will update when I find out more.



  • 7.  RE: Single Sign On
    Best Answer

    EMPLOYEE
    Posted May 16, 2013 01:14 PM

    UPDATE:

    The AOS build used by QA during testing was an internal only build.  After acceptance and the subsequent AirWave 7.6 release, the feature was delayed to AOS 6.3.0.0.  The AirWave UI will be updated in AirWave 7.7 (and any subsequent 7.6 patches) to reflect that AOS 6.3 is the requirement for the Single Sign On feature.



  • 8.  RE: Single Sign On

    Posted May 16, 2013 03:25 PM

    Thanks!