Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Configuring RADIUS authentication for administrators

  • 1.  Configuring RADIUS authentication for administrators

    Posted Feb 22, 2016 05:27 PM

     


    Hi,

     

    I've been trying to set up RADIUS authentication (MS NPS 2012R2) on the Aruba controller, to get administrators authenticated and assigned the 'root' role based on the attribute returned by RADIUS.

     

    After following the ArubaOS 6.4.3 user guide, I still have the following 3 questions that are still unanswered:

     

    1- The authentication requests are still being done locally, even with the box 'mode' selected. I don't see any request hitting my RADIUS server and, even without the allow local authentication box selected, I can still authenticate based on the local user. How can I enforce this and not have local authentication being processed?

    2- It is not clear which attribute values are required for Aruba to process the correct role received from RADIUS. I do have a VSA for Aruba configured with 14823. I'm assuming the attribute value of the string is 'root', as this should be the role sent back by RADIUS in case the user is authenticated. Also, what is the vendor-assigned attribute number?

    3- How can I assure users are being assigned the role 'root' based on membership of a group name, for instance 'IT Administrators', instead of a username?

     

    Thanks for the clarification.



  • 2.  RE: Configuring RADIUS authentication for administrators

    EMPLOYEE
    Posted Feb 22, 2016 05:56 PM

    Hi, 

     

    So you are trying to set up management authentication using an external RADIUS server. 

    More information is required on how you have configured it. 

     

    First, check if an "AAA test-server" is successful. 

    Then, verify if the server is mapped for mgmt authentication - "#show aaa authentication mgmt". 

     

    The vendor assigned attribute values are here, 

     

    (Aruba3600) #show aaa radius-attributes | include Aruba,Value
    Attribute                         Value  Type         Vendor     Id
    Aruba-Mdps-Device-Version         21     String       Aruba      14823
    Aruba-Mdps-Max-Devices            18     Integer      Aruba      14823
    Aruba-Location-Id                 6      String       Aruba      14823
    Aruba-Template-User               8      String       Aruba      14823
    Aruba-No-DHCP-Fingerprint         14     Integer      Aruba      14823
    Aruba-AirGroup-Device-Type        27     Integer      Aruba      14823
    Aruba-Mdps-Device-Profile         33     String       Aruba      14823
    Aruba-Mdps-Device-Udid            15     String       Aruba      14823
    Aruba-AirGroup-Shared-User        25     String       Aruba      14823
    Aruba-Mdps-Device-Serial          22     String       Aruba      14823
    Aruba-AirGroup-Shared-Group       35     String       Aruba      14823
    Aruba-AP-IP-Address               34     IP Addr      Aruba      14823
    Aruba-Auth-Survivability          28     String       Aruba      14823
    Aruba-User-Role                   1      String       Aruba      14823
    Aruba-Network-SSO-Token           37     String       Aruba      14823
    Aruba-Port-Id                     7      String       Aruba      14823
    Aruba-Priv-Admin-User             3      Integer      Aruba      14823
    Aruba-Mdps-Device-Product         20     String       Aruba      14823
    Aruba-User-Group                  36     String       Aruba      14823
    Aruba-WorkSpace-App-Name          31     String       Aruba      14823
    Aruba-AS-Credential-Hash          30     String       Aruba      14823
    Aruba-User-Vlan                   2      Integer      Aruba      14823
    Aruba-AirGroup-Version            38     Integer      Aruba      14823
    Aruba-AirGroup-Shared-Role        26     String       Aruba      14823
    Aruba-Device-Type                 12     String       Aruba      14823
    Aruba-Mdps-Device-Imei            16     String       Aruba      14823
    Aruba-Essid-Name                  5      String       Aruba      14823
    Aruba-AP-Group                    10     String       Aruba      14823
    Aruba-AS-User-Name                29     String       Aruba      14823
    Aruba-CPPM-Role                   23     String       Aruba      14823
    Aruba-Mdps-Device-Name            19     String       Aruba      14823
    Aruba-Mdps-Provisioning-Settings  32     String       Aruba      14823
    Aruba-AirGroup-User-Name          24     String       Aruba      14823
    Aruba-Mdps-Device-Iccid           17     String       Aruba      14823
    Aruba-Framed-IPv6-Address         11     String       Aruba      14823
    Aruba-Named-User-Vlan             9      String       Aruba      14823
    Aruba-Admin-Role                  4      String       Aruba      14823

    Thanks, 

    Rajaguru Vincent 
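
Added example (not part of the original posts and not Aruba's code): how the vendor Id 14823 and the per-attribute "Value" column from the table above end up on the wire in a RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26), with a parser to check what a server actually returned. It assumes the management role is carried in Aruba-Admin-Role (value 4 in the table); the function names and the sample bytes are constructed for illustration.

```python
import struct

ARUBA_VENDOR_ID = 14823   # "Id" column in the table above
ARUBA_ADMIN_ROLE = 4      # "Value" column for Aruba-Admin-Role (assumed to carry the mgmt role)
VENDOR_SPECIFIC = 26      # RADIUS attribute type for VSAs, RFC 2865 section 5.26

def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def parse_vsas(attrs: bytes):
    """Yield (vendor_id, vendor_type, value) for every VSA sub-attribute in an attribute list."""
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("bad attribute length")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        data = attrs[pos + 2 : pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC:
            continue  # standard attribute (e.g. Reply-Message), not a VSA
        if len(data) < 4:
            raise ValueError("VSA shorter than the 4-byte vendor id")
        vendor_id = struct.unpack("!I", data[:4])[0]
        sub, i = data[4:], 0
        while i < len(sub):
            if len(sub) - i < 2 or sub[i + 1] < 2 or i + sub[i + 1] > len(sub):
                raise ValueError("bad sub-attribute length")
            yield vendor_id, sub[i], sub[i + 2 : i + sub[i + 1]]
            i += sub[i + 1]

def admin_role(attrs: bytes):
    """Return the Aruba-Admin-Role string from an attribute list, or None if absent."""
    for vendor_id, vendor_type, value in parse_vsas(attrs):
        if vendor_id == ARUBA_VENDOR_ID and vendor_type == ARUBA_ADMIN_ROLE:
            return value.decode("utf-8", errors="replace")
    return None

# Constructed sample: Reply-Message "ok" followed by the Aruba VSA carrying 'root'.
SAMPLE = bytes([18, 4]) + b"ok" + encode_vsa(ARUBA_VENDOR_ID, ARUBA_ADMIN_ROLE, b"root")
```

Feeding the attribute bytes of a captured Access-Accept to `admin_role()` shows whether the server sent the role under the expected vendor Id and attribute number; a role string sent under a different vendor Id or number returns `None`.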



  • 3.  RE: Configuring RADIUS authentication for administrators
    Best Answer

    EMPLOYEE
    Posted Feb 22, 2016 06:33 PM

    @Jer wrote:

     


    Hi,

     

    I've been trying to set up RADIUS authentication (MS NPS 2012R2) on the Aruba controller, to get administrators authenticated and assigned the 'root' role based on the attribute returned by RADIUS.

     

    After following the ArubaOS 6.4.3 user guide, I still have the following 3 questions that are still unanswered:

     

    1- The authentication requests are still being done locally, even with the box 'mode' selected. I don't see any request hitting my RADIUS server and, even without the allow local authentication box selected, I can still authenticate based on the local user. How can I enforce this and not have local authentication being processed?

    2- It is not clear which attribute values are required for Aruba to process the correct role received from RADIUS. I do have a VSA for Aruba configured with 14823. I'm assuming the attribute value of the string is 'root', as this should be the role sent back by RADIUS in case the user is authenticated. Also, what is the vendor-assigned attribute number?

    3- How can I assure users are being assigned the role 'root' based on membership of a group name, for instance 'IT Administrators', instead of a username?

     

    Thanks for the clarification.


    Try this:  http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/56705/1/Management+Authentication+using+Windows+IAS+as+a+Radius+Server%20(1).pdf



  • 4.  RE: Configuring RADIUS authentication for administrators

    Posted Feb 23, 2016 02:01 AM

    Thanks guys, it is working!

    The problem was that, besides selecting the 'mode' box in the RADIUS server setting, the 'enable' box wasn't selected in the mgmt auth server (not mentioned in the manual btw). With the specific VSA mentioned in the manual I have the correct role assigned now.