ArubaOS 6.0 added support for TACACS+ "session authorization". In looking through the user guide today, I realized that it never got documented, and so people may not know this exists.
We do not support per-command authorization against a TACACS server, where each time a CLI command is issued, the controller would check with TACACS to see if that user is allowed to execute the command. What we do instead is allow a TACACS+ server to return a management user role at the time of initial authentication, similar to returning a RADIUS attribute.
How it works:
First, enable session-authorization under your TACACS server definition:
    aaa authentication-server tacacs "tacacs-server"
       host 10.1.1.1
       key db145da5ec23300702e
       tcp-port 4949
       session-authorization
Once this is enabled, the controller sends a TACACS+ authorization request to the server after the initial authentication exchange completes. The request carries two attribute-value pairs, which you will need to configure on the TACACS+ server as the matching rule:

    service=aruba
    protocol=common
The controller expects a response that grants access and contains the following attribute:

    Aruba-Admin-Role=<role>
where <role> consists of one of the following:
- root (super user role)
- read-only (read-only commands)
- location-api-mgmt
- network-operations
- guest-provisioning
- no-access (default role; no commands are accessible)
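To make the exchange concrete, here is an added example in Python that is not code from the original post or from Aruba. It models the authorization request body the controller would send (carrying service=aruba and protocol=common), the reply body a TACACS+ server returns, and the controller-side mapping of Aruba-Admin-Role to one of the roles listed above, failing closed to no-access when the reply is not a PASS or the attribute is missing. The byte layouts follow RFC 8907 sections 6.1 and 6.2; the packet header and body obfuscation are omitted, the fixed request fields (authen_method, priv_lvl, port "ssh") are assumed values, and treating an unrecognised role name as no-access is this example's choice rather than documented ArubaOS behaviour.

```python
import struct

# Authorization REPLY status codes (RFC 8907 section 6.2).
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10
AUTHOR_STATUS_ERROR = 0x11

# Management roles the post lists as valid values of Aruba-Admin-Role.
VALID_ROLES = frozenset({
    "root", "read-only", "location-api-mgmt",
    "network-operations", "guest-provisioning", "no-access",
})
DEFAULT_ROLE = "no-access"  # the post's default role; used here to fail closed

# Attribute-value pairs the controller sends; the server's rule keys on these.
SESSION_AUTHZ_ARGS = ("service=aruba", "protocol=common")


def _check_len(name, value, limit):
    if len(value) > limit:
        raise ValueError(f"{name} exceeds {limit}")
    return value


def encode_author_request(user, port="ssh", rem_addr="", args=SESSION_AUTHZ_ARGS):
    """Body of an authorization REQUEST (RFC 8907 section 6.1). Assumed fixed
    fields: authen_method=TACACSPLUS (0x06), priv_lvl=1, authen_type=ASCII
    (0x01), authen_service=LOGIN (0x01)."""
    user_b = _check_len("user", user.encode(), 255)
    port_b = _check_len("port", port.encode(), 255)
    rem_b = _check_len("rem_addr", rem_addr.encode(), 255)
    arg_bs = _check_len("arg list", [_check_len("arg", a.encode(), 255) for a in args], 255)
    body = struct.pack("!8B", 0x06, 1, 0x01, 0x01,
                       len(user_b), len(port_b), len(rem_b), len(arg_bs))
    body += bytes(len(a) for a in arg_bs)
    return body + user_b + port_b + rem_b + b"".join(arg_bs)


def encode_author_reply(status, args=(), server_msg="", data=b""):
    """Body of an authorization REPLY (RFC 8907 section 6.2): the server side,
    included so the exchange can be run end to end offline."""
    msg_b = server_msg.encode()
    arg_bs = [_check_len("arg", a.encode(), 255) for a in args]
    body = struct.pack("!BBHH", status, len(arg_bs), len(msg_b), len(data))
    body += bytes(len(a) for a in arg_bs)
    return body + msg_b + data + b"".join(arg_bs)


def decode_author_reply(body):
    """Parse a REPLY body into (status, server_msg, [av-pairs]). Length fields
    are checked so a truncated or padded reply raises instead of being used."""
    if len(body) < 6:
        raise ValueError("reply body too short")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    if len(arg_lens) != arg_cnt:
        raise ValueError("reply body truncated in arg lengths")
    if off + msg_len + data_len + sum(arg_lens) != len(body):
        raise ValueError("reply body length mismatch")
    server_msg = body[off:off + msg_len].decode()
    off += msg_len + data_len  # 'data' is not used for authorization
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return status, server_msg, args


def split_av_pair(pair):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional) at the first
    separator, as RFC 8907 section 3.7 specifies."""
    for i, ch in enumerate(pair):
        if ch in "=*":
            return pair[:i], pair[i + 1:], ch == "="
    raise ValueError(f"malformed av-pair: {pair!r}")


def resolve_role(status, args):
    """Map a decoded REPLY to a management role. Anything other than a PASS
    carrying a recognised Aruba-Admin-Role yields no-access (fail closed)."""
    if status not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        return DEFAULT_ROLE
    for pair in args:
        attr, value, _mandatory = split_av_pair(pair)
        if attr == "Aruba-Admin-Role":
            return value if value in VALID_ROLES else DEFAULT_ROLE
    return DEFAULT_ROLE


def session_authorize(reply_body):
    """Controller-side view: decode the server's reply and pick the role."""
    status, _msg, args = decode_author_reply(reply_body)
    return resolve_role(status, args)


if __name__ == "__main__":
    # Constructed sample exchange: the request for user 'alice' and a server
    # reply granting the read-only role.
    request = encode_author_request("alice")
    reply = encode_author_reply(AUTHOR_STATUS_PASS_ADD, ["Aruba-Admin-Role=read-only"])
    print(len(request), "byte request; role:", session_authorize(reply))
```

The useful property to check on a real deployment is the fail-closed path: a reply with FAIL or ERROR status, a reply with no Aruba-Admin-Role pair, or a reply that only carries attributes meant for other services (priv-lvl for an exec service, for instance) should all land the administrator in no-access rather than in a privileged role.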
Hope that is helpful to someone!