How to authenticate Management users of Mobility Access Switch (MAS) via CPPM

By AnandKumar Sukumar posted Jul 18, 2014 08:38 AM


Introduction :

This Article explains about-

    i) Authenticating 
Mobility Access Switch management users from AD.
    ii) Configuring the services on CPPM for authentication.
    iii) Using TACACS service for authentication.

Environment : This Article is written  for CPPM 6.x and greater


Configuration Steps :

The following steps are to be followed.

1: Configure the controllers to use TACACS service for management user authentication.


Here are configuration commands to enable TACACS authentication, authorization and accounting on the Aruba MAS. The MAS do not support per command authorization, but will support the pre-defined roles in the MAS.

The pre-defined roles for the MAS are:

Management User Roles
ROLE                            DESCRIPTION
----                                        -----------
root                               Super user role
read-only                     Read only commands
location-api-mgmt    location-api-mgmt
network-operations  network-operations
guest-provisioning   guest-provisioning
no-access                  Default role, no commands are accessible for this role

aaa authentication-server tacacs "Aruba-MAS"
   host x.x.x.x
   key "Aruba"

aaa server-group "TACACS-group"
auth-server Aruba-MAS

aaa authentication mgmt
   server-group "TACACS-group"

2: Configure the Tacacs service on CPPM to authenticate Aruba MAS management users.


Select the following details:

Type : TACACS + Enforcement
Name : This will be the name of the service.
Description : Add a note to it for user's understanding.
Make sure that Authorization option is checked. This is used for role based authentication.

Add a rule as shown above : it means that any connection with NAD-IP beginning with 10.30.156 and using TACACS protocol  should hit this service.

The Second Service rule is added to make the Service more robust so that any client authentications coming from this NAD are not treated as TACACS.

Click "Next"

On this screen add Active directory as Authentication source and hit "Next"


Make sure that Active directory is added as an authentication source under this and hit "Next".


On this page click on "Add new Role Mapping Policy", this will open a new window as below.

On this page, we can select Default Role a Read Only Role. Click "Next".


On this window, we will add Roles for authorization.


The rule above means : If user is a member of a given group then he will authenticate with  "TACACS network Admin" Role.

Similarly we can add new rules based on our requirements as below making sure that below option is set.

Rules Evaluation Algorithm:

First applicable

Once all the rules are configured, click on save and the screen comes back to the configuration of service. Select the role which we created now.


Once all the rules are configured, click on "Save" and the screen comes back to the configuration of service. Select the role which we created now.


Now if required, we can add the Enforcement profile.

Select the default profile " [Admin Network Login Policy]" from the drop down.


Save the configuration.

3 : Add the device to CPPM.

Navigate to
Configuration » Network » Devices and click on "Add Device"


Name: A generic name for user's understanding
IP or Subnet Address: IP or Subnet of the device
TACACS+ Shared secret: Should match with what we have configured on the Switch.
Hit "Save" and exit.

Once done, please logout and login with a remote user ( user which exists on AD) and verify.