AirWave and Network Management

Aruba Employee

AAA enabled AMP logon question

From what I've seen, AMPs that have AAA enabled for logon first check their local user DB for accounts before going to TACACS/RADIUS to authenticate a user.

Am I correct about this? If so, isn't that kind of backwards? Usually a system will go to its AAA server first for user authentication, then only if those systems are unavailable will they fall back to local user.
Regular Contributor I

Re: AAA enabled AMP logon question

You are correct. The local DB is checked first.

The main reason we did this was for performance for people using local accounts with TACACS+ accounts.

Do you need it to be done the other way (check AAA server first, then local DB)?
Aruba Employee

Re: AAA enabled AMP logon question

Yes, checking TACACS first is preferable for us. Only if the TACACS servers are unavailable should the local DB be checked. The way it is now, someone could logon as a local user with admin rights and we lose some audit trail information on who exactly made changes.
Regular Contributor I

Re: AAA enabled AMP logon question

You won't necessarily lose audit trail information unless people are sharing the local accounts. AMP keeps an audit log that includes the username and what settings are changed regardless of where a user is authenticated.

RADIUS and TACACS+ auth is also optionally cached for some period of time (the AMP User Authorization Lifetime on AMP Setup > General) for performance reasons. You can turn off this caching, but every hit to the AWMS web server will result in a hit on your TACACS+ server, which may slow things down.

The support team can help you patch your AMP to change the priority. It involves moving some apache directives around.
Search Airheads
Showing results for 
Search instead for 
Did you mean: