Management Access Restriction to a specific Node

By esupport posted Nov 06, 2018 05:16 AM


How do you give a management user privileges on a specific node?

This article applies to all Aruba hardware and virtual mobility controllers running 8.x version and higher.



Starting with version 8.x, a management user can be given access to a specific node and restricted from making changes on other MDs/nodes.

Logging in to the MM with admin privileges might give you complete root access to all other MDs. Instead, we can restrict the management user and grant privileges on a specific node/MD only, so that when logged in to the MM the user can read and write the configuration on that MD but can only read the configuration of other MDs/nodes.



From CLI:

(Aruba-MM) [mynode] (config) #mgmt-user user1 root node /md/cluster/00:0c:29:f9:7a:d9
Re-Type Password:********

user1 --- username

root --- privilege/role name

/md/cluster/00:0c:29:f9:7a:d9  --- node path

(Aruba-MM) [mynode] (config) #show mgmt-user

Management User Table
USER    PASSWD  ROLE                 STATUS   PATH
----    ------  ----                 ------   ----
admin   *****   root                 ACTIVE   /
guest   *****   guest-provisioning   ACTIVE   /
user1   *****   root                 ACTIVE   /md/cluster/00:0c:29:f9:7a:d9
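
An audit check for the table above, added here as an example and not part of the original article or of Aruba's tooling: it parses "show mgmt-user" output and separates root accounts at "/" from node-restricted ones. It assumes the five-column layout shown above and that a PATH of "/" means the account is not restricted to a node; the function names are hypothetical.

```python
from typing import NamedTuple

# Table copied from the article's "show mgmt-user" output above.
SAMPLE = """\
(Aruba-MM) [mynode] (config) #show mgmt-user

Management User Table
USER    PASSWD  ROLE                 STATUS   PATH
----    ------  ----                 ------   ----
admin   *****   root                 ACTIVE   /
guest   *****   guest-provisioning   ACTIVE   /
user1   *****   root                 ACTIVE   /md/cluster/00:0c:29:f9:7a:d9
"""

class MgmtUser(NamedTuple):
    user: str
    role: str
    status: str
    path: str

def parse_mgmt_users(text):
    """Return the rows that follow the dashed separator of the table."""
    rows, in_table = [], False
    for line in text.splitlines():
        fields = line.split()
        if not in_table:
            # The separator row (only dashes) marks the start of the data rows.
            in_table = bool(fields) and all(set(f) == {"-"} for f in fields)
            continue
        if len(fields) != 5 or not fields[4].startswith("/"):
            continue  # blank line, prompt, or anything that is not a table row
        user, _passwd, role, status, path = fields
        rows.append(MgmtUser(user, role, status, path))
    return rows

def global_root_users(users):
    """Active root accounts whose PATH is "/" (assumed: not node-restricted)."""
    return [u.user for u in users
            if u.role == "root" and u.status == "ACTIVE" and u.path == "/"]

def node_scoped_users(users):
    """Map each node-restricted user to the node path it was created with."""
    return {u.user: u.path for u in users if u.path != "/"}

if __name__ == "__main__":
    users = parse_mgmt_users(SAMPLE)
    print("root at /:", global_root_users(users))
    print("node-scoped:", node_scoped_users(users))
```

Run it against saved CLI output after adding node-restricted users to confirm that only the intended accounts still hold root at "/".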

From WebUI:



1. Log in to the MM using the credentials of "user1".

2. Try to modify the configuration of a different node; when you save the config, you will get an error message at the bottom.




Jul 31, 2019 02:52 AM

Is there any documentation about this? Unfortunately I'm not able to configure the aruba-admin-path for a standalone controller. I tried the following values but I always landed directly on the controller.

Radius:ArubaAruba-Admin-Path=node /mm

May 01, 2019 12:47 PM

awesome, thanks so much

Apr 18, 2019 03:22 PM

Is there a VSA for Radius so the node path can be applied to a non local management user?