Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Using LDAP AD account to login into the 7210 Controllers

  • 1.  Using LDAP AD account to login into the 7210 Controllers

    Posted May 04, 2014 12:11 PM

    I am new to Aruba and wanted to incorporate LDAP AD accounts for our engineers to use to log in to the controller instead of using local accounts. Can anyone help show me how to do this or configure this?

    Thanks,

    Chan


    #7210


  • 2.  RE: Using LDAP AD account to login into the 7210 Controllers
    Best Answer

    EMPLOYEE
    Posted May 04, 2014 06:18 PM

    You first need to add your LDAP server as an AAA server in Configuration > Security > Authentication > LDAP Server. After you do that, test it with Diagnostics > AAA Test Server (with the PAP method) to see if it works.

    After you determine it works, go to Configuration > Security > Authentication > Server Groups. Type in a new server group name and then click on Add. Add your LDAP server from above to that server group.

    Next, go to Configuration > Management > Administration. Change the Server Group dropdown parameter from Default to the server group name you created just above. Also, under Management Authentication Servers, make sure Enable is checked. Click on Apply.

    Open a different browser (not a different browser tab) and attempt to authenticate.




  • 3.  RE: Using LDAP AD account to login into the 7210 Controllers

    Posted May 05, 2014 12:07 PM

    It worked. Now how do you assign privileges (root, operator, etc.) based on the users within the LDAP groups?




  • 4.  RE: Using LDAP AD account to login into the 7210 Controllers
    Best Answer

    Posted May 05, 2014 12:18 PM

    Do you have ClearPass? If you do, look here.

    If not, I believe you can configure a server rule to set the role to root if it matches the incoming role you want to be root, operator, etc. This is configured under Administration.

    Example: if the incoming user has a role of engineer, you can set a rule to say "if user role equals engineer, set role to root".




  • 5.  RE: Using LDAP AD account to login into the 7210 Controllers

    EMPLOYEE
    Posted May 05, 2014 12:24 PM

    Here is what you need to do:

    1.  Understand what attribute you are using to trigger a role (aaa query-user).

    2.  Configure the default role to "no-access".

    3.  Create a server derivation rule in the server group to translate the attribute to a management role.

    1.  Execute the command below and see what AD groups the user is a part of (memberOf is normally used):

    aaa query-user <name of ldap server> <username of user>

    2.  Set the default role to no-access, so that users who pass AD authentication but do not pass your rule below do not get in:

    [screenshot: ldapadmin.png]

    3.  Under the server rules, I created a rule to see if my AD user is part of the AD group Admin. If that is true, it will give me root privileges when I log in. memberOf, the LDAP attribute, usually contains the AD group membership, and that is what I used in this case.

    *Please ignore that I have a RADIUS server here in the server group. It should be an LDAP server.


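    The derivation step in the answer above, as an added example that is not from the thread or from HPE Aruba: a small model of how a server group's rules turn a user's memberOf values into a management role, evaluated in order with first match winning and the default role applied when nothing matches. Group names, the example.com domain and the "read-only" role for engineers are assumptions; the contrast between the loose and tight rules goes beyond the thread to show why a substring match on a DN should include the trailing comma.

```python
from dataclasses import dataclass

NO_ACCESS = "no-access"          # default management role recommended in the answer


@dataclass
class ServerRule:
    attribute: str               # LDAP attribute the rule inspects, e.g. "memberOf"
    operator: str                # "equals" | "contains" | "starts-with"
    value: str                   # string compared against the attribute
    role: str                    # management role to assign on match, e.g. "root"


def _matches(op: str, attr_value: str, needle: str) -> bool:
    if op == "equals":
        return attr_value == needle
    if op == "contains":
        return needle in attr_value
    if op == "starts-with":
        return attr_value.startswith(needle)
    raise ValueError(f"unknown operator {op!r}")


def derive_role(user_attrs: dict, rules: list, default_role: str = NO_ACCESS) -> str:
    """Translate an authenticated user's LDAP attributes into a management role.
    Rules are checked in order; memberOf is multi-valued, so a rule matches if
    any of its values matches. No match means the default role (no-access)."""
    for rule in rules:
        values = user_attrs.get(rule.attribute, [])
        if isinstance(values, str):
            values = [values]
        if any(_matches(rule.operator, v, rule.value) for v in values):
            return rule.role
    return default_role


# Constructed sample directory data (hypothetical users, groups and domain).
USERS = {
    "chan":   {"memberOf": ["CN=Admin,OU=Groups,DC=example,DC=com",
                            "CN=Engineers,OU=Groups,DC=example,DC=com"]},
    "intern": {"memberOf": ["CN=Admin-Interns,OU=Groups,DC=example,DC=com"]},
    "guest":  {"memberOf": ["CN=Everyone,OU=Groups,DC=example,DC=com"]},
}

# Loose rule: "contains CN=Admin" also matches the Admin-Interns group.
LOOSE_RULES = [ServerRule("memberOf", "contains", "CN=Admin", "root")]
# Tight rules: the trailing comma limits the match to the exact RDN.
TIGHT_RULES = [ServerRule("memberOf", "contains", "CN=Admin,", "root"),
               ServerRule("memberOf", "contains", "CN=Engineers,", "read-only")]

if __name__ == "__main__":
    for name, attrs in USERS.items():
        print(name, derive_role(attrs, LOOSE_RULES), derive_role(attrs, TIGHT_RULES))
```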


  • 6.  RE: Using LDAP AD account to login into the 7210 Controllers

    Posted May 05, 2014 12:29 PM

    Thank you both for helping on this basic topic. It's guys like you that make my transition from another vendor (to be nameless) to the Aruba wireless solutions, with no prior working knowledge, very easy.

    I'm a big fan and follower of you guys. Please keep up the good work, both of you.

    Thanks,

    Chan

