Wireless Access

Occasional Contributor II
Posts: 17
Registered: 01-17-2013

Strange management authentication

Hi

Can anyone help out with a strange issue?

We have an Aruba 7210 controller and I want to set up management and guest provisioning access based on AD groups. We want a different set of users to manage the guest user accounts. I have set up the LDAP servers on the controller and created 2 server rules as follows:

set role condition memberof contains "Network_Admins" set-value root

set role condition memberof contains "Guest_Provisioners" set-value guest-provisioning

The problem is that when a user in either of the AD groups "Guest_Provisioners" or "Network_Admins" logs in, they are placed in the root role and have full access to the controller.

Also, if I remove the rules completely, the "Guest_Provisioner" user can still log in but the "Network_Admins" user cannot, which seems very strange to me.

Has anyone come across this before or do I need to set up something else?

Many thanks

Roy

Aruba
Posts: 1,377
Registered: 12-12-2011

Re: Strange management authentication

Could you send a screenshot of that? Also, can you verify that the memberOf info is typed out correctly, including case?

Do you have ClearPass?  That would definitely work!

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Occasional Contributor II
Posts: 17
Registered: 01-17-2013

Re: Strange management authentication

The group names are entered correctly as they are in AD with the correct case. We do not have ClearPass.

As well as using memberof, I have also tried the attributes Group-Name and Group, with no success either.

Occasional Contributor II
Posts: 17
Registered: 01-17-2013

Re: Strange management authentication

More strange things today. A Guest_Provisioner user is now able to log in and is assigned the role guest-provisioning.

However, a Network_Admins user is not able to log in no matter how I set up the server rules. Does anyone have any ideas?

Thanks

Roy

Guru Elite
Posts: 21,543
Registered: 03-29-2007

Re: Strange management authentication

Probably because there is nobody with the memberOf attribute that contains Network_Admins.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 17
Registered: 01-17-2013

Re: Strange management authentication

The memberof attribute for the user in question has Network_Admins in the value. The users are members of several groups. Is there a limit to how many group memberships the Aruba controller can process?

Occasional Contributor II
Posts: 17
Registered: 01-17-2013

Re: Strange management authentication

Also, if I remove all the server rules, the Guest_Provisioner user can still log in but is assigned to the root role. The Network_Admins user still cannot log in.

Guru Elite
Posts: 21,543
Registered: 03-29-2007

Re: Strange management authentication

If you change the default role to "No Access", then only users that match an attribute will be let in.

You should use the aaa query-user command-line command to see what attributes are returned for a user: http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-Debugging-LDAP/m-p/91/highlight/true#M40

Also pay attention to the order in which your rules are evaluated: if a user is a member of both groups, the user will be assigned based on the first rule that matches.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 17
Registered: 01-17-2013

Re: Strange management authentication

When I ran aaa query-user, it returned results for users in the Guest_Provisioners group but not for any other users.

Tracked the problem down to our filter option on the LDAP server config. This had been copied from our old controller and was set to the DN of the Guest_Provisioners group. This appears to have been blocking access to any other groups. As soon as I reset the filter to (objectclass=*), everything is now working as planned. The server rules are now working as expected.

Thanks very much for the help.
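The behaviour this thread walks through (a filter copied from the old controller that narrows the directory search to one group, server rules evaluated first-match-wins, and the default role applied when nothing matches) modelled in Python as an added example; this is not code from the thread or from Aruba. The directory entries, group DNs and the single-equality-filter evaluator are constructed simplifications of how the controller combines the key attribute with the configured filter.

```python
import re

# Constructed sample directory (not real data): sAMAccountName -> memberOf.
DIRECTORY = {
    "roy":  ["CN=Network_Admins,OU=Groups,DC=example,DC=com",
             "CN=Helpdesk,OU=Groups,DC=example,DC=com"],
    "gina": ["CN=Guest_Provisioners,OU=Groups,DC=example,DC=com"],
    "both": ["CN=Network_Admins,OU=Groups,DC=example,DC=com",
             "CN=Guest_Provisioners,OU=Groups,DC=example,DC=com"],
}
GUEST_DN = "CN=Guest_Provisioners,OU=Groups,DC=example,DC=com"
OLD_FILTER = f"(memberOf={GUEST_DN})"   # filter copied from the old controller
FIXED_FILTER = "(objectclass=*)"          # filter that resolved the problem

# Server rules as written in the thread: (attribute, substring, role).
RULES = [("memberOf", "Network_Admins", "root"),
         ("memberOf", "Guest_Provisioners", "guest-provisioning")]


def filter_matches(ldap_filter, entry):
    """Evaluate one equality filter, e.g. (objectclass=*) or (memberOf=CN=...),
    against an entry whose attribute names are lower-cased; '*' = any value."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, value = m.group(1).lower(), m.group(2)
    return attr in entry if value == "*" else value in entry.get(attr, [])


def ldap_search(username, ldap_filter):
    """Simplified controller lookup: the key attribute (sAMAccountName)
    must match AND the configured filter must match the same entry."""
    groups = DIRECTORY.get(username)
    if groups is None:
        return None
    entry = {"samaccountname": [username], "objectclass": ["user"],
             "memberof": groups}
    return entry if filter_matches(ldap_filter, entry) else None


def resolve_role(username, ldap_filter, rules=RULES, default_role="root"):
    """Return the management role a login ends up with, or None if it fails."""
    entry = ldap_search(username, ldap_filter)
    if entry is None:
        return None                   # directory returned nothing: no login
    for attr, needle, role in rules:  # checked in order, first match wins
        if any(needle in v for v in entry.get(attr.lower(), [])):
            return role
    return default_role               # no rule matched: default role applies
```

With OLD_FILTER the Network_Admins user is never returned by the search and cannot log in at all, while with no rules the Guest_Provisioners user falls through to the default root role, exactly the two symptoms reported above; changing the default role to no access (None here) turns that fall-through into a denied login.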
