Environment: This article is written for CPPM 6.x and greater.
Configuration Steps:
1: Configure the controllers to use the TACACS service for management user authentication.
Here are the configuration commands to enable TACACS authentication, authorization and accounting on the Aruba MAS. The MAS does not support per-command authorization, but does support the pre-defined roles on the MAS.
The pre-defined roles for the MAS are:
Management User Roles
ROLE                  DESCRIPTION
root                  Super user role
read-only             Read only commands
location-api-mgmt     location-api-mgmt
network-operations    network-operations
guest-provisioning    guest-provisioning
no-access             Default role, no commands are accessible for this role
aaa authentication-server tacacs "Aruba-MAS"
   host <CPPM-IP>
   key <TACACS-shared-secret>
aaa server-group "TACACS-group"
   auth-server "Aruba-MAS"
aaa authentication mgmt
   server-group "TACACS-group"
   enable
2: Configure the TACACS service on CPPM to authenticate Aruba MAS management users.
Select the following details:
Type: TACACS+ Enforcement
Name: This will be the name of the service.
Description: Add a note for the user's understanding.
Make sure that the Authorization option is checked. This is used for role-based authentication.
Add a rule as shown above. It means that any connection with a NAD-IP beginning with 10.30.156 and using the TACACS protocol should hit this service.
The second service rule is added to make the service more robust, so that any client authentications coming from this NAD are not treated as TACACS.
Click "Next".
On this screen, add Active Directory as the authentication source and hit "Next".
Make sure that Active Directory is added as an authentication source under this and hit "Next".
On this page, click on "Add new Role Mapping Policy"; this will open a new window as below.
On this page, we can select the Default Role as the Read Only role. Click "Next".
On this window, we will add roles for authorization.
The rule above means: if the user is a member of the given group, then they will be authenticated with the "TACACS network Admin" role. Similarly, we can add new rules based on our requirements, as below, making sure that the option below is set.
Rules Evaluation Algorithm:
Once all the rules are configured, click on "Save" and the screen comes back to the configuration of the service. Select the role which we created just now.
Now, if required, we can add the Enforcement profile. Select the default profile "[Admin Network Login Policy]" from the drop-down. Save the configuration.
3: Add the device to CPPM.
Navigate to Configuration » Network » Devices and click on "Add Device".
Name: A generic name for the user's understanding
IP or Subnet Address: IP or subnet of the device
TACACS+ Shared Secret: Should match what we have configured on the switch.
Hit "Save" and exit.
Once done, please log out and log in with a remote user (a user which exists in AD) and verify.
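The shared secret entered in step 3 is not a password that CPPM checks; it keys the MD5 pseudo-pad that obfuscates every TACACS+ packet body (RFC 8907), so a mismatch between the switch and the CPPM device entry shows up as an undecodable request rather than a clean "wrong password" failure. The following added example (not code from the article or from Aruba) builds the authentication START packet a NAD sends for a management login and decodes it with a matching and a mismatched secret; the user, port, address, session id and secret are constructed sample values.

```python
"""TACACS+ (RFC 8907) body obfuscation: what the shared secret actually does."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id, key):
    """Authentication START (seq_no 1) as a NAD sends it for a management login."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    header = struct.pack("!4BII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)


def parse_authen_start(packet, key):
    """Decode a START packet with the server's copy of the secret."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!4BII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    _action, _priv, _atype, _svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    # With the wrong secret the length fields no longer add up to the body size,
    # which is the simplest server-side hint that the two secrets differ.
    consistent = 8 + ul + pl + rl + dl == len(body)
    return {"seq_no": seq_no, "secret_ok": consistent,
            "user": body[8:8 + ul], "port": body[8 + ul:8 + ul + pl],
            "rem_addr": body[8 + ul + pl:8 + ul + pl + rl]}
```

Because the obfuscation is symmetric and unauthenticated, it offers no integrity protection; run TACACS+ over a management network or tunnel you already trust.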
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.