Wireless Access

Contributor II
Posts: 52
Registered: ‎12-11-2012

Using LDAP AD account to login into the 7210 Controllers

I am new to Aruba and wanted to incorporate LDAP AD accounts for our engineers to use to log in to the controller instead of using local accounts. Can anyone help show me how to do this or configure this?


Thanks,

Chan

Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: Using LDAP AD account to login into the 7210 Controllers

You first need to add your LDAP server as an AAA server in Configuration> Security> Authentication> LDAP server.  After you do that, test it with Diagnostics> AAA Test Server (with the pap method) to see if it works.


After you determine it works, go to Configuration> Security> Authentication> Server Groups.  Type in a new server group name and then click on Add.  Add your LDAP server above to that server group.


Next, go to Configuration> Management> Administration.  Change the Server Group dropdown parameter from Default to the server group name you created just above.  Also, under Management Authentication Servers, make sure Enable has a checkbox.  Click on Apply.


Open a different browser (not a different browser tab) and attempt to authenticate.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 52
Registered: ‎12-11-2012

Re: Using LDAP AD account to login into the 7210 Controllers


It worked. Now how do you assign privileges (root, operator, etc.) based on the users within the LDAP groups?

Community Administrator
Posts: 2,254
Registered: ‎12-03-2013

Re: Using LDAP AD account to login into the 7210 Controllers


Do you have ClearPass? If you do, look here


If not, I believe you can configure a server rule to set the role to root if it matches the incoming role you want to be root, operator, etc. This is configured under Administration.


Example: if the incoming user has a role of engineer, you can set a rule to say: if user role equals engineer, set role to root.

CWNA, ACMP, Security +
Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: Using LDAP AD account to login into the 7210 Controllers


Here is what you need to do:


1.  Understand what attribute you are using to trigger a role (aaa query-user)

2.  Configure the default role to "no-access".

3.  Create a server derivation rule in the server group to translate the attribute to a management role


1.  Execute the command below and see what AD groups the user is a part of (memberOf is normally used)

aaa query-user <name of ldap server> <username of user>

2.  Set the default role to no-access, so that users that pass AD authentication but do not pass your rule below do not get in:


[screenshot: ldapadmin.png]

3.  Under the server rules, I created a rule to see if my AD user is part of the AD group Admin.  If that is true, it will give me root privileges when I log in.  memberOf, the LDAP attribute, usually contains the AD group membership and that is what I used in this case.


*please ignore that I have a radius server here in the server group.  It should be an LDAP server.



Colin Joseph
Aruba Customer Engineering

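The two procedures Colin describes above (LDAP server, server group and management authentication in the first reply; no-access default role plus a memberOf derivation rule in the second) look like the following when done from the ArubaOS controller CLI rather than the WebUI. This is an added example, not configuration from the original thread; the server name, host address, service-account DN, base DN and the AD group names (NetAdmins, NetOps) are constructed placeholders for an example.com domain, and the lines beginning with "!" are annotations rather than controller syntax.

```arubaos
! 1. Define the AD domain controller as an LDAP AAA server.
!    Use LDAPS (636) so the bind credentials and user passwords are not sent in clear text.
aaa authentication-server ldap "AD-LDAP"
  host 192.0.2.10
  admin-dn "CN=svc-aruba,OU=Service Accounts,DC=example,DC=com"
  admin-passwd <service-account-password>
  base-dn "DC=example,DC=com"
  key-attribute sAMAccountName
  filter "(objectclass=*)"
  ldap-type ms-ad
  auth-port 636
  preferred-conn-type ldap-s
  enable
!
! 2. Server group dedicated to management logins, with server derivation rules.
!    Rules are evaluated in order; the first match sets the management role.
!    Matching on "CN=<group>,OU=Groups," rather than a bare group name keeps a
!    substring match from also hitting a group such as CN=NetAdminsHelpdesk.
aaa server-group "mgmt-ldap"
  auth-server "AD-LDAP"
  set role condition memberOf contains "CN=NetAdmins,OU=Groups," set-value root
  set role condition memberOf contains "CN=NetOps,OU=Groups," set-value network-operations
!
! 3. Point management authentication at the group. Set the default role to
!    no-access BEFORE enabling, so an AD user who authenticates but matches no
!    rule is denied instead of landing in a default role.
aaa authentication mgmt
  default-role no-access
  server-group "mgmt-ldap"
  enable
```

Before enabling, confirm the bind and the group attribute from the CLI with `aaa test-server pap "AD-LDAP" <user> <password>` and the `aaa query-user` command shown in the thread, and check the result with `show aaa authentication mgmt`. Keep the existing browser session open (as the reply above says, test from a different browser) so a mistyped rule cannot lock every administrator out of the controller.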

Contributor II
Posts: 52
Registered: ‎12-11-2012

Re: Using LDAP AD account to login into the 7210 Controllers

Thank you both for helping on this basic topic. It's guys like you that make my transition from another vendor (to be nameless) to the Aruba wireless solutions with no prior working knowledge very easy.


I'm a big fan and follower of you guys. Please keep up the good work, both of you.


Thanks,

Chan
