Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Granular permissions to Mobility Conductor/Controllers

  • 1.  Granular permissions to Mobility Conductor/Controllers

    Posted Feb 27, 2024 04:02 PM


    With Mobility Conductor/Controllers running, and Clearpass 6.11.7 for TACACS, we are granting read-only permission for our PC technicians and helpdesk staff for troubleshooting WiFi connectivity on the controllers.

    I would like to make it possible for those users to remove clients from the denylist/blacklist, without giving them full administrative rights. Is this possible to give granular access for specific commands?

    If not - would there be a creative way to do this with an API on a standalone web page, or something along those lines?

  • 2.  RE: Granular permissions to Mobility Conductor/Controllers
    Best Answer

    Posted Feb 27, 2024 04:29 PM

    When using Clearpass with TACACS there is an "aruba:common" dictionary attribute called "Aruba-Admin-Role"

    Those roles are pre-configured on the Controllers [i.e. root, read-only, guest-provisioning, etc]

    The specific value that would likely fit your scenario would be: "network-operations"

    You would need to configure that TACACS VSA as a part of your Enforcement Profile that is triggered for those helpdesk users. 

    If my post was useful, please Accept Solution and Give Kudos.
    Zak Chalupka
    Principal Engineer - HPE Aruba
    Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
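    The attribute Zak describes reaches the controller inside the TACACS+ authorization REPLY that ClearPass returns. As an added example (not code from this thread, from ClearPass or from HPE Aruba), the Python below encodes and decodes that reply body as RFC 8907 lays it out, splits the returned AV pair on its mandatory `=` or optional `*` separator, and models the first-applicable group-to-role mapping an enforcement policy expresses. The group names NET-ADMINS, HELPDESK and STAFF and the read-only fall-through are assumptions constructed for the example; the attribute name Aruba-Admin-Role and the role values root, read-only and network-operations are the ones named in this thread.

```python
"""Added example (not from the thread): Aruba-Admin-Role inside a TACACS+
authorization REPLY (RFC 8907 sections 6.2 and 8.1) plus a first-applicable
group-to-role mapping.  Group names and the default role are constructed."""
import struct

# RFC 8907 authorization REPLY status codes
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01   # accept; device adds the returned args
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02  # accept; returned args replace the request's
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

ADMIN_ROLE_ATTR = "Aruba-Admin-Role"

# Constructed rules, evaluated first-applicable: the first rule whose group
# the user holds wins.  Helpdesk gets network-operations (enough to clear
# denylisted clients) rather than root; anyone else falls through to read-only.
ENFORCEMENT_RULES = [
    ("NET-ADMINS", "root"),
    ("HELPDESK", "network-operations"),
]
DEFAULT_ROLE = "read-only"


def role_for_groups(groups):
    """First-applicable lookup of the admin role for a user's group set."""
    held = set(groups)
    for group, role in ENFORCEMENT_RULES:
        if group in held:
            return role
    return DEFAULT_ROLE


def build_author_reply(av_pairs, status=TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                       server_msg=b"", data=b""):
    """Encode a REPLY body: status(1) arg_cnt(1) server_msg_len(2) data_len(2)
    arg_1_len..arg_N_len (1 byte each) server_msg data arg_1..arg_N."""
    args = [p.encode("ascii") for p in av_pairs]
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("arg_cnt and each arg length are single bytes")
    body = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    body += bytes(len(a) for a in args)
    return body + server_msg + data + b"".join(args)


def parse_author_reply(body):
    """Decode a REPLY body; rejects bodies whose length disagrees with the
    lengths declared in their headers (truncated or padded payloads)."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii"))
        off += n
    if off != len(body):
        raise ValueError("REPLY body length does not match its headers")
    return status, server_msg, data, args


def split_av_pair(arg):
    """Split an AV pair at its first '=' (mandatory) or '*' (optional)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError(f"malformed AV pair: {arg!r}")


def admin_role_from_reply(body):
    """Role the device would apply, or None when the reply is not a PASS or
    carries no Aruba-Admin-Role attribute."""
    status, _msg, _data, args = parse_author_reply(body)
    if status not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                      TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return None
    for arg in args:
        attr, value, _mandatory = split_av_pair(arg)
        if attr == ADMIN_ROLE_ATTR:
            return value
    return None


def authorize(groups):
    """Server side: map the user's groups to a role and emit the REPLY body."""
    return build_author_reply([f"{ADMIN_ROLE_ATTR}={role_for_groups(groups)}"])


if __name__ == "__main__":
    for groups in (["HELPDESK"], ["NET-ADMINS", "HELPDESK"], ["STAFF"]):
        print(groups, "->", admin_role_from_reply(authorize(groups)))
```

    The rule order matters: putting the NET-ADMINS rule first means a user who is in both groups gets root, while a user in HELPDESK alone gets network-operations and never root, which is the least-privilege property the question is after.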

  • 3.  RE: Granular permissions to Mobility Conductor/Controllers

    Posted Feb 27, 2024 05:03 PM

    Zak, that did exactly what I needed, thank you.

    I found a list of commands included in "network-operations" here. This is for 8.6; I did not find an equivalent document for 8.10, but this seems to still apply:

    If there was not a role that fit what we needed, is it possible to create custom roles that can run more specific commands?