Occasional Contributor II
Posts: 10
Registered: ‎03-30-2011

Unable to Change AAA Authentication Mgmt Default-Role

Hi,

I'm trying to change the aaa authentication mgmt default-role from "read-only" to "root," but I am unable to do so.

I can understand that anything referencing the server group defined would be read-only, but I am also using a local login that has root access. The problem is reproducible using the cli (telnet/ssh) or the web interface.

FYI, I'm running an Alcatel-Lucent-branded 4308 controller running AOS version 3.3.1.14.

Thanks,

John

Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Re: Unable to Change AAA Authentication Mgmt Default-Role

What are you trying to accomplish? Are you using the local database and an external server for management authentication? How do you want it to work?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 10
Registered: ‎03-30-2011

Re: Unable to Change AAA Authentication Mgmt Default-Role

Anyone who has root privileges with their ldap credentials cannot make changes, due to the configuration below.

aaa authentication mgmt
   default-role "read-only"
   server-group "server_group_name"
   enable

We need to change the default role, but not even locally stored root credentials are allowed.

Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Re: Unable to Change AAA Authentication Mgmt Default-Role

You want to write a server derivation rule like this: http://community.arubanetworks.com/aruba/attachments/aruba/115/462/1/configuration-management-administration.jpg

EXCEPT your ldap attribute is memberOf, the operator is "contains" whatever group your management users are in and your role would be root. That would create an exception to what you have configured for users in that AD group.

Colin Joseph
Aruba Customer Engineering
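
An added example, not part of the thread and not ArubaOS code: a Python model of the rule described above, where a memberOf "contains" rule grants root and every other login falls through to the read-only default. The users, group names and the assumption that "contains" is a plain substring test are constructed for illustration; the point is that the operand must be specific enough not to match similarly named groups.

```python
from dataclasses import dataclass

DEFAULT_ROLE = "read-only"  # default-role from the thread's aaa authentication mgmt block


@dataclass(frozen=True)
class DerivationRule:
    attribute: str  # LDAP attribute inspected, e.g. memberOf
    operand: str    # string that must appear in one of the attribute's values
    role: str       # management role assigned on a match

    def matches(self, attrs):
        # Assumption: "contains" is a plain substring test on each value.
        return any(self.operand in value for value in attrs.get(self.attribute, []))


def derive_role(attrs, rules, default_role=DEFAULT_ROLE):
    """First matching rule wins; with no match the default role applies."""
    for rule in rules:
        if rule.matches(attrs):
            return rule.role
    return default_role


# Constructed sample directory entries (hypothetical names and DNs).
USERS = {
    "netadmin": {"memberOf": ["CN=WLAN-Admins,OU=Groups,DC=example,DC=com"]},
    "helpdesk": {"memberOf": ["CN=WLAN-Admins-ReadOnly,OU=Groups,DC=example,DC=com"]},
    "staff": {"memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
    "nogroups": {},
}

# Loose operand: also matches the look-alike "WLAN-Admins-ReadOnly" group.
LOOSE = [DerivationRule("memberOf", "WLAN-Admins", "root")]
# Tight operand: anchored on the RDN and its trailing comma, so only the
# intended group's DN can contain it.
TIGHT = [DerivationRule("memberOf", "CN=WLAN-Admins,OU=Groups,", "root")]


def audit(rules):
    """Return the role each sample user would receive under the given rules."""
    return {name: derive_role(attrs, rules) for name, attrs in USERS.items()}


if __name__ == "__main__":
    for label, rules in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, audit(rules))
```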
