Is there a way to create more than 10 management accounts for guest provisioning on a 4504 controller? I'm running 18.104.22.168.
You can create users in the internal database and add the internal database to the server group used to authenticate management accounts.
I understand what you're saying but need to clarify something first. In the internal database, I see current guest user accounts. If I add the internal database to the server group being used for authentication, which role will take precedence for the guest user accounts? The role "guest" assigned to the guest users in the internal database or the default role "root" assigned to a user that passes through the Management Authentication Servers?
I guess my concern is that I don't want guests who are currently in the internal database to have access to the controller if I do this!
Ok. This is the page that indicates what you need to configure. Make sure the "default-role" is "no-access" so that any user that does not have a management role like "root" or "read-only" will not be able to log in. Make sure you have a different browser logged into the controller when you are testing this so that you do not get logged out.
Actually, I'm already using a Server Group (which uses external servers) on that page (Management > Administration) that sets the Default Role for anyone who's able to authenticate using this server group to "root". I'm afraid if I make the controller's internal database part of this server group, the current guest users in the internal database will gain "root" access!
How's this for an idea: I add the guest management accounts in the external servers linked with the Server Group that I'm currently using and then use "Server Rules" on this page to give these specific users a role of "guest-provisioning"? That should work, right?
Yes, it should.
On second thought, if you have all of those guest provisioning users in AD, why don't you just use AD to authenticate all of them? For the guest provisioning users, you could have an AD group for those users, a remote access policy with the requirements of nas-port-type is VPN and Windows Group is "guest provisioners" and return an attribute "e.g. filter-id" of guest provisioners. There should be a server derivation rule looking for a filter-id of "guestprovisioners" and changing the role to "guest-provisioning". You would repeat the same for administrative users, etc. You can then not bother with the internal database.
Would this be doable?
Let me look into this. Thanks for your help.
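The concern raised in this thread (any account that authenticates without matching a rule inherits the management default role) can be checked offline. The following is an added example, not part of the original posts and not Aruba code: it parses a constructed config excerpt written in ArubaOS CLI style and resolves the management role a user would get. The group and server names, the exact rule syntax, and first-match rule evaluation are assumptions.

```python
import re
# Constructed sample in ArubaOS CLI style; group and server names are made up.
SAMPLE_CONFIG = '''\
aaa server-group "mgmt-radius"
 auth-server "nps-1"
 set role condition Filter-Id equals "guestprovisioners" set-value guest-provisioning
!
aaa authentication mgmt
 default-role root
 server-group "mgmt-radius"
 enable
!
'''
RULE = re.compile(r'set role condition (\S+) equals "?([^"\s]+)"? set-value (\S+)')

def parse(config):
    """Return (default_role, mgmt_group, {group: [(attr, value, role), ...]})."""
    groups, default_role, mgmt_group, section = {}, None, None, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # unindented line opens a new section
            section = line
            if line.startswith("aaa server-group"):
                groups[line.split('"')[1]] = []
        elif section.startswith("aaa server-group"):
            m = RULE.match(line)
            if m:
                groups[section.split('"')[1]].append(m.groups())
        elif section == "aaa authentication mgmt":
            if line.startswith("default-role "):
                default_role = line.split()[1]
            elif line.startswith("server-group "):
                mgmt_group = line.split(None, 1)[1].strip('"')
    return default_role, mgmt_group, groups

def mgmt_role(config, reply_attrs):
    """Role for an authenticated user: first matching rule, else the default role."""
    default_role, mgmt_group, groups = parse(config)
    for attr, value, role in groups.get(mgmt_group, []):
        if reply_attrs.get(attr) == value:
            return role
    return default_role

def audit(config):
    """Flag a management profile whose fallback role still grants access."""
    default_role, mgmt_group, _ = parse(config)
    if default_role == "no-access":
        return []
    return [f'mgmt server-group "{mgmt_group}": unmatched users fall back to "{default_role}"']
```

With the sample as written, a user whose reply carries no matching Filter-Id resolves to "root"; changing the default role to "no-access" leaves only rule-matched users with a management role.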