Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Strange management authentication

  • 1.  Strange management authentication

    Posted Oct 01, 2013 10:20 AM

    Hi

     

    Can anyone help out with a strange issue?

     

    We have an Aruba 7210 controller and I want to set up management and guest provisioning access based on AD groups. We want a different set of users to manage the guest user accounts. I have set up the Ldap servers on the controller and created 2 server rules as follows

     

    set role condition memberof contains "Network_Admins" set-value root

    set role condition memberof contains "Guest_Provisioners" set-value guest-provisioning

     

    The problem is that when a user in either of the AD groups "Guest_Provisioners" or "Network_Admins" logs in, they are placed in the root role and have full access to the controller.

     

    Also, if I remove the rules completely, the "Guest_Provisioner" user can still login but the "Network_Admins" user cannot, which seems very strange to me.

     

    Has anyone come across this before or do I need to set up something else?

     

    Many thanks

    Roy

     

     




  • 2.  RE: Strange management authentication

    EMPLOYEE
    Posted Oct 01, 2013 03:36 PM

    Could you send a screenshot of that?  Also, can you verify that the member of info is typed out correctly including case?  

     

    Do you have ClearPass?  That would definitely work!



  • 3.  RE: Strange management authentication

    Posted Oct 02, 2013 04:06 AM

    The group names are entered correctly as they are in AD with the correct case. We do not have ClearPass.

     

    As well as using memberof I have also tried the attributes Group-Name and Group with no success either.

     



  • 4.  RE: Strange management authentication

    Posted Oct 02, 2013 07:30 AM

    More strange things today. A Guest_Provisioner user is now able to login and is assigned the role guest-provisioning.

     

    However a Network_Admins user is not able to login no matter how I set up the server rules. Does anyone have any ideas?

     

    thanks

    Roy



  • 5.  RE: Strange management authentication

    EMPLOYEE
    Posted Oct 02, 2013 07:37 AM

    Probably, because there is nobody with the memberOf attribute that contains Network_Admins.



  • 6.  RE: Strange management authentication

    Posted Oct 02, 2013 07:59 AM

    The memberof attribute for the user in question has Network_Admins in the value. The users are members of several groups. Is there a limit to how many group memberships the Aruba controller can process?



  • 7.  RE: Strange management authentication

    Posted Oct 02, 2013 08:01 AM

    Also, if I remove all the server rules, the Guest_Provisioner user can still log in but is assigned to the root role. The Network_Admins user still cannot login.



  • 8.  RE: Strange management authentication

    EMPLOYEE
    Posted Oct 02, 2013 08:25 AM

    If you change the default role to "No Access", then only users that match an attribute will be let in.

     

    You should use the aaa query-user commandline command to see what attributes are returned for a user: http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-Debugging-LDAP/m-p/91/highlight/true#M40

    Also pay attention to the order that your rules are evaluated: if a user is a member of both groups, the user will be assigned based on the first rule that matches.

     

     



  • 9.  RE: Strange management authentication

    Posted Oct 02, 2013 09:54 AM

    When I run aaa query-user, it returned results for users in the Guest_Provisioners group but not for any other users.

     

    Tracked the problem down to our filter option on the LDAP server config. This had been copied from our old controller and was set to the DN of the Guest_Provisioners group. This appears to have been blocking access to any other groups. As soon as I reset the filter to (objectclass=*) everything is now working as planned. The server rules are now working as expected.

     

    Thanks very much for the help.
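The two mechanisms discussed in posts 8 and 9, the LDAP search filter and the ordered server rules with a default role, interact in a way that is easy to misread from the symptoms alone. The following Python model is an added example and not Aruba code or the thread's own configuration: it assumes the controller ANDs the configured filter with the key-attribute lookup (so an entry the filter excludes is never found and the login fails before any rule is evaluated), that `contains` is a case-sensitive substring match, and it uses a constructed directory (`roy`, `gina`, `ops`, group DNs under `DC=example,DC=com`) rather than real AD data. It reproduces each symptom from the thread: a filter copied from the old controller hiding every user outside Guest_Provisioners, a Guest_Provisioners user landing in `root` when no rule matches and the default role is `root`, and first-match rule ordering for a user in both groups.

```python
"""Model of LDAP-backed management login: filter, then ordered rules, then default.

Added example, not ArubaOS code. Directory contents and group DNs are constructed.
"""
from dataclasses import dataclass

NO_ACCESS = "no-access"  # this model's name for a "No Access" default role

# Constructed directory entries; values are lists or single strings as in real LDAP.
DIRECTORY = {
    "CN=roy,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "roy",
        "objectClass": ["top", "person", "user"],
        "memberOf": [
            "CN=Network_Admins,OU=Groups,DC=example,DC=com",
            "CN=Helpdesk,OU=Groups,DC=example,DC=com",
        ],
    },
    "CN=gina,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "gina",
        "objectClass": ["top", "person", "user"],
        "memberOf": ["CN=Guest_Provisioners,OU=Groups,DC=example,DC=com"],
    },
    "CN=ops,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "ops",
        "objectClass": ["top", "person", "user"],
        "memberOf": [
            "CN=Guest_Provisioners,OU=Groups,DC=example,DC=com",
            "CN=Network_Admins,OU=Groups,DC=example,DC=com",
        ],
    },
}

# The filter the thread says was copied from the old controller (constructed DN),
# and the permissive default the poster reset it to.
FILTER_COPIED = "(memberOf=CN=Guest_Provisioners,OU=Groups,DC=example,DC=com)"
FILTER_DEFAULT = "(objectclass=*)"


@dataclass
class ServerRule:
    """One 'set role condition <attr> contains <value> set-value <role>' line."""
    attribute: str
    operator: str
    value: str
    role: str


# The two rules from the original post, in the order they were written.
RULES = [
    ServerRule("memberOf", "contains", "Network_Admins", "root"),
    ServerRule("memberOf", "contains", "Guest_Provisioners", "guest-provisioning"),
]


def attr_values(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive).
    Always returns a list so single-valued and multi-valued attributes read the same."""
    for key, val in entry.items():
        if key.lower() == name.lower():
            return list(val) if isinstance(val, list) else [val]
    return []


def matches_filter(entry, ldap_filter):
    """Evaluate a single '(attr=value)' filter term; '*' means attribute presence.
    Only this simple form is modelled, not full RFC 4515 filter syntax."""
    term = ldap_filter.strip()
    if not (term.startswith("(") and term.endswith(")")):
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    attr, _, value = term[1:-1].partition("=")
    values = attr_values(entry, attr)
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def ldap_search(username, ldap_filter, key_attribute="sAMAccountName"):
    """Modelled user lookup: the configured filter is ANDed with the key-attribute
    match (assumption), so an entry the filter excludes is simply never returned."""
    for dn, entry in DIRECTORY.items():
        if username in attr_values(entry, key_attribute) and matches_filter(entry, ldap_filter):
            return dn, entry
    return None


def assign_role(entry, rules, default_role):
    """Evaluate server rules in order; the first matching rule wins.
    'contains' is modelled as a case-sensitive substring test on each attribute value."""
    for rule in rules:
        if rule.operator != "contains":
            raise ValueError(f"unsupported operator: {rule.operator!r}")
        if any(rule.value in v for v in attr_values(entry, rule.attribute)):
            return rule.role
    return default_role


def login(username, ldap_filter, rules, default_role):
    """Return the management role granted, or None if the login is denied."""
    found = ldap_search(username, ldap_filter)
    if found is None:
        return None  # user not found under this filter: denied before any rule runs
    _, entry = found
    role = assign_role(entry, rules, default_role)
    return None if role == NO_ACCESS else role


if __name__ == "__main__":
    for flt in (FILTER_COPIED, FILTER_DEFAULT):
        for user in ("roy", "gina", "ops"):
            print(f"filter={flt[:22]:<22} user={user:<5} rules -> {login(user, flt, RULES, NO_ACCESS)}"
                  f"   no rules/default root -> {login(user, flt, [], 'root')}")
```

Running the demo shows why `aaa query-user` returned nothing for `roy`: under the copied filter he is invisible to the search, so no rule is ever consulted. It also shows that a default role of `root` turns "no rule matched" into full controller access, which is why the employee's advice to set the default to "No Access" matters even after the filter is fixed.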