Wireless Access

last person joined: 38 minutes ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Setting up ap-provisioning Management User

This thread has been viewed 41 times
  • 1.  Setting up ap-provisioning Management User

    Posted Jun 25, 2021 02:33 PM
      |   view attached
    Hello,

    I'm looking to set up a management user with the "ap-provisioning" role, so that our field team can log into the MM and provision new AP's they install.

    So far when I log in as the user, I see the provisioning menu stuff to the left, but no AP's show up.

    I've added this user on the MM level.
    I've added this user on the Managed Network > Folder level.
    I've added this user in both places at the same time.

    In all three scenarios, when I log in, it is the same.

    Has anyone had success with this?

    Also, if we get this working, will the ap-provisioning user be able to create AP Groups? 

    Thanks,

    Chris


  • 2.  RE: Setting up ap-provisioning Management User

    Posted Jun 26, 2021 07:57 AM
    Adding the user at the MM level should be all you need.

    After the user logs in, you should ssh into the MM with a root user and type "show loginsessions" to confirm the user, privileges and path.  If that doesn't make sense, you should open a TAC case.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Setting up ap-provisioning Management User

    Posted Jun 28, 2021 06:09 AM
    Hi 

    Sorry if derailing thread slightly. 

    Is it possible to edit the ap-provisioning role, so that when this account is used it has different access depending on the MD folder structure? Authentication handled by radius/Clearpass.

    i.e
    Managed Network
    Production Campus > ap-provisioning default role settings applied
    development > ap-provisioning role used however full root access allowed. 






  • 4.  RE: Setting up ap-provisioning Management User

    Posted Jun 28, 2021 10:10 AM
    I don't know if this will help you, but you can restrict management user traffic to specifc nodes:  https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=8153a5b9-35cc-40e3-9fd7-dc731a4edd6e

    You can only define the top folder, NOT pick and choose specific folders.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: Setting up ap-provisioning Management User

    Posted Jun 28, 2021 01:36 PM
    Hi cjoseph,

    Ok, I set it to just have the user on the MM. Here's what I see with that command:

    (vmm1-x.y.com) [mynode] #show loginsessions
    
    Session Table
    -------------
    ID  User Name   User Role        Connection From  Idle Time  Session Time  Path
    --  ---------   ---------        ---------------  ---------  ------------  ----
    1   admin       root             1.2.3.4          00:00:10   00:08:10      /
    2   deployment  ap-provisioning  5.6.7.8          00:00:02   00:00:05      /md/Controllers​

    The path for the deployment user is correct, but I still don't see anything when I log in as the "deployment" user.

    I guess I'll open up at TAC case?

    What would you expect to see with an ap-provisioning user?

    Does CPSec+certificates mess this up? It seems like when I connect a new AP and it shows up in the controller it is no longer in an "unprovisioned" state even though it is just in the default AP group, so maybe it wouldn't show up for an ap-provisioning role? I would think the ap-provisioning role would be able to see all the AP's and provision/re-provision them as necessary, right?

    Thanks!

    -Chris


  • 6.  RE: Setting up ap-provisioning Management User

    Posted Jul 22, 2021 06:29 PM
    Just in case anyone is curious about the resolution of this:

    We were running 8.5.0.11, and the ap-provisioning role was not working
    I opened a TAC case, and they recommended we update software to 8.7.1.2.
    Now the ap-provisioning role works.
    Apparently the ap-provisioning role has had some issues with older versions.