Airwave External Auth using CPPM/RADIUS

Aruba Employee

CPPM can pass on attributes required for RADIUS Auth for Airwave login.


Environment : Airwave + CPPM



Airwave using CPPM as RADIUS Server for Authentication

In this scenario we use the Local Repository with 2 test users classified under 2 roles. Each role sends a different attribute through an Enforcement Profile, giving Admin-level or User-level access on Airwave.
The steps on CPPM are as follows.

Step 1) Create Users and Roles


| User | Role |
|---|---|
| testadmin | Admin |
| testuser | User |

Step 2) Create a Role Mapping Policy

| Type | Name | Operator | Value | RoleName |
|---|---|---|---|---|
| RADIUS : IETF | User-Name | EQUALS | testadmin | Admin |
| RADIUS : IETF | User-Name | EQUALS | testuser | User |

Step 3) Enforcement Policy with following rules

| Type | Name | Operator | Value | Enforcement Profile |
|---|---|---|---|---|
| Local User Repository | Role_Name | EQUALS | Admin | Admin Profile |
| Local User Repository | Role_Name | EQUALS | User | User Profile |

You can modify the above rule to a more generic one so that you don’t have to create rules for each user.

Step 4) Create 2 enforcement profiles, one for each role, so that CPPM returns the required attributes to the Airwave server.


Following are the attributes to return for each role.

| Profile Name | Type | Name | Value |
|---|---|---|---|
| Admin Profile | Radius : Aruba | Aruba-Admin-Role | Admin |
| User Profile | Radius : Aruba | Aruba-Admin-Role | Read-Only Monitoring & Auditing |

The Airwave server understands the above role attributes by default when they are returned by CPPM. You can create more roles and return values as required. The return value must match the role name on the AMP server.

Step 5) Create a new RADIUS Enforcement (Generic) service

  1. Service Rule : NAD-IP-Address = <AMP Server IP>
  2. PAP for Local User Repository
  3. Select the Role Mapping Policy created in Step 2
  4. Select the Enforcement Policy created in Step 3

Refer to the screenshot below.




Step 6) Add the AMP Server as a Network Device. Specify the IP address of the AMP server and the shared secret.

Step 7) Configure the Airwave Server

  1. Navigate to AMP Setup > Authentication
  2. Enable RADIUS Authentication and Authorization. Specify CPPM IP and shared secret used in Step 6.
  3. You can also change the Authentication priority to Remote so that all requests go to RADIUS first. If that fails, it checks the local database.

Refer to the screenshot here for the configuration on the Airwave server.



rtaImage (1).png


This can also be done without role mapping: the enforcement profile can send the role based on the attributes of an AD user or any other local user.


BASIC Troubleshooting steps

  1. Check Monitoring > Access Tracker on CPPM to confirm that the Airwave server is sending a request. If it is not, make sure that the Data port (not the Management port) is reachable, because CPPM listens for RADIUS requests on the Data port only when both ports are active. If you are using the Management port only, CPPM listens for requests on the Management port.
  2. Once the request appears in Access Tracker, double-click it, check the attributes returned, and verify that they match what is needed.
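
The attribute check in troubleshooting step 2 can also be run against a captured Access-Accept. The script below is an added example, not part of the original article or of any Aruba tooling: it verifies the Response Authenticator with the shared secret, extracts Aruba-Admin-Role, and compares it with the AMP role names used on this page. Assumptions: Aruba's vendor ID 14823 and Aruba-Admin-Role as vendor attribute type 4 (from the standard Aruba RADIUS dictionary), exact string comparison of role names, and a constructed secret, request authenticator and packets.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26     # RFC 2865 packet code / attribute type
ARUBA_VENDOR = struct.pack("!I", 14823)    # assumed: Aruba enterprise number
ARUBA_ADMIN_ROLE = 4                       # assumed: Aruba-Admin-Role VSA type
AMP_ROLES = {"Admin", "Read-Only Monitoring & Auditing"}  # role names from this page

def tlvs(buf):
    """Yield (type, value) pairs from RADIUS type-length-value data."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def admin_role(packet, request_auth, secret):
    """Return Aruba-Admin-Role from a verified Access-Accept, else None."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs = packet[20:length]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch (check the shared secret)")
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in tlvs(attrs):
        if atype == VENDOR_SPECIFIC and value[:4] == ARUBA_VENDOR:
            for stype, svalue in tlvs(value[4:]):
                if stype == ARUBA_ADMIN_ROLE:
                    return svalue.decode()
    return None

def sample_accept(role, request_auth, secret, ident=1):
    """Build a constructed Access-Accept carrying one Aruba-Admin-Role VSA."""
    data = role.encode()
    sub = bytes([ARUBA_ADMIN_ROLE, 2 + len(data)]) + data
    vsa = bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + ARUBA_VENDOR + sub
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(vsa))
    return head + hashlib.md5(head + request_auth + vsa + secret).digest() + vsa

if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"constructed-secret"  # constructed values
    for name in ("Admin", "Read-Only Monitoring & Auditing", "admin"):
        role = admin_role(sample_accept(name, req_auth, secret), req_auth, secret)
        print(f"{role!r}: {'matches' if role in AMP_ROLES else 'does NOT match'} an AMP role")
```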


Version history
Revision #: 1 of 1
Last update: 07-09-2014 09:53 AM