Integrating an ACS (TACACS+) server to Authenticate AWMS Users 

Jun 10, 2014 06:14 PM

NOTE: As of AWMS 7.0, ACS 5.0 is not supported. This condition may have changed in a later version of AirWave.

To authenticate AWMS (AMP) users using a Cisco ACS (TACACS+) RADIUS server, use the following steps:

NOTE: This is for authenticating users to access the AMP server, not for end users accessing APs.


On the ACS (TACACS+) server:

1. Go to the Interface Configuration page and click on the TACACS+ link
2. Under New Services enter:

Service: AMP
Protocol: https
<Submit>

(***Note: these are case sensitive***)

3. Go to the Group Setup page
4. Edit Settings for each user group that applies
5. Check "AMP https"
6. Check "Custom attributes" and, in the box provided, enter a role in the form

role=<name_of_amp_role>

Example:

role=DormMonitoring

***PLEASE NOTE: In AMP 6.3 and earlier the default administrator role was called "AMP Administration". In 6.4 fresh installs this role was changed to be called "Admin." All other properties and permissions are the same, and no other roles were changed. ***

7. Go to the Network Configuration page 
8. Under "AAA Clients": <Add Entry>
9. Enter the hostname and IP address of the AMP and provide a shared key or secret. 
For "Authenticate Using" select TACACS+. 
<Submit>
10. Go to the User Setup page and add users to the Group.


On the AWMS (AMP) server:

1. Go to the AMP Setup > Authentication page
2. Enable TACACS+ Authentication and Authorization: Yes
3. Enter necessary information
(keep in mind case sensitivity)
4. Go to the AMP Setup > Roles page
5. Create the role you specified on the TACACS+ server above (e.g., DormMonitoring)


Troubleshooting:

1. On TACACS+: Reports and Activity > "Failed attempts" and "Passed Authentication" show failed and successful auth attempts.
2. From the AMP command line do a tcpdump of all the traffic between AMP and the TACACS+ server:

# tcpdump host <address_of_tacacs>

3. The round trip from AMP to TACACS+ to authenticate users can be very slow. To improve responsiveness for AMP users, be sure to keep the AMP's authorization lifetime setting reasonably high (AMP Setup > General page; last item in General section).
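To read what the tcpdump in step 2 captured, the following added example (not part of the original article or of AirWave) decodes one TACACS+ authorization REPLY per the RFC 8907 packet layout and lists the attributes the server returned, so you can confirm the `role=` value and its case. It assumes you have already extracted the TCP payload bytes of the reply from the capture and know the shared key; the function names, the key and the sample packet are constructed for illustration.

```python
import hashlib
import struct

STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR"}

def pad_xor(body, session_id, key, version, seq_no):
    """XOR body with the RFC 8907 MD5 pseudo-pad (same call both directions)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(seed + block).digest()
        pad += block
    return bytes(b ^ p for b, p in zip(body, pad))

def decode_author_reply(packet, key):
    """Return (status, [attribute strings]) from one authorization REPLY."""
    if len(packet) < 12:
        raise ValueError("shorter than a TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    if version >> 4 != 0xC or ptype != 0x02:
        raise ValueError("not a TACACS+ authorization packet")
    body = packet[12:12 + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated packet")
    if not flags & 0x01:  # unencrypted flag clear: body is obfuscated
        body = pad_xor(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len
    if len(arg_lens) != arg_cnt or pos + sum(arg_lens) != length:
        raise ValueError("inconsistent lengths (wrong shared key?)")
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return STATUS.get(status, hex(status)), args

def build_sample_reply(key, args, session_id=0x1A2B3C4D):
    """Construct a PASS_ADD reply (sample data, not a real capture)."""
    raw = [a.encode("ascii") for a in args]
    body = struct.pack("!BBHH", 0x01, len(raw), 0, 0)
    body += bytes(len(a) for a in raw) + b"".join(raw)
    header = struct.pack("!BBBBII", 0xC0, 0x02, 2, 0, session_id, len(body))
    return header + pad_xor(body, session_id, key, 0xC0, 2)

SAMPLE_KEY = b"example-shared-secret"  # placeholder, not a real secret
SAMPLE = build_sample_reply(SAMPLE_KEY, ["role=DormMonitoring"])
print(decode_author_reply(SAMPLE, SAMPLE_KEY))
```

An "inconsistent lengths" error on a real reply usually means the shared key entered on the AMP does not match the one configured for the AAA client on the ACS.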
