It is a little-known fact that you can enable single sign-on between Airwave and your controllers. The idea is that you use Airwave as a central point of management, but if you need to get into a controller, Airwave should be able to automatically log you in to it with the correct privileges, without you having to re-enter your username and password. All you need to configure this is:
(1) Root Access on Airwave to make the configuration change
(2) Correct Admin/Root level and enable credentials entered into Airwave for that Controller.
Here is how it works. In Airwave, go to AMP Setup > Roles. There you will see all of the user roles that can log in to AMP. When you edit a role, the Aruba Controller Role parameter controls which privileges an AMP user gets on the Aruba controller when they click Open Controller WebUI. The Aruba Controller Role parameter is set to disabled by default. In the screenshot below, we changed it to root, which means that anyone who logs in to Airwave with the Admin role will be able to click Open Controller WebUI (when monitoring a controller) and be redirected to the controller's page without logging in. You can also set the parameter to read-only for Airwave admin roles that should get only read-only access to your controller through SSO.
Enable Single Sign On in AMP
After looking at a controller in Airwave, I can open up the controller's dashboard to any menu item without having to log in to the controller:
Under the hood:
How it works: Airwave looks at the Aruba Controller Role parameter of the currently logged-in management user. If it is disabled, Airwave does nothing. If it is set to root or read-only, Airwave executes the command "allow-sso <username> <controller admin role>" on the controller. The controller returns a special URL that Airwave needs to connect to over HTTPS to gain those permissions. Airwave redirects its user to that special URL and the controller grants the permissions.
You can tell if a user has logged in to a controller with Airwave SSO by typing "show audit-trail":
show audit-trail
Jan 18 20:04:25 fpcli: USER:admin@192.168.1.6 COMMAND:<allow-sso "admin" "root" > -- command executed successfully
You can also tell if an SSO user is currently logged in by typing "show loginsessions":
(192.168.1.3) #show loginsessions
Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   admin      root       192.168.1.76     00:00:00   00:00:02
2   admin_sso  root                        00:02:20   00:06:50
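An added example (not from the original post or from Aruba) for auditing these entries offline: it parses saved "show audit-trail" output in the format shown above and flags allow-sso grants issued from a host other than the Airwave server, plus root-level grants from Airwave itself. That 192.168.1.6 is the Airwave server, the extra log lines and the "noc" account are assumptions made for the sample.

```python
import re

# Matches the audit-trail line format shown above for an allow-sso command.
ALLOW_SSO = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+:\s+'
    r'USER:(?P<issuer>[^@\s]+)@(?P<src>\S+)\s+'
    r'COMMAND:<allow-sso\s+"(?P<sso_user>[^"]*)"\s+"(?P<role>[^"]*)"\s*>\s+--\s+'
    r'(?P<result>.*)$'
)

def parse_allow_sso(lines):
    """Return one dict per allow-sso entry found in 'show audit-trail' output."""
    events = []
    for line in lines:
        m = ALLOW_SSO.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def review(events, airwave_ips):
    """Flag grants issued from a host that is not a known Airwave server,
    and list root-level grants so they can be matched against AMP logins."""
    findings = []
    for e in events:
        if e["src"] not in airwave_ips:
            findings.append(("unexpected-source", e))
        elif e["role"] == "root":
            findings.append(("root-grant", e))
    return findings

# Constructed sample: the first line is the one from the post; the other three
# are made up for illustration (addresses and the "noc" account are hypothetical).
SAMPLE = [
    'Jan 18 20:04:25 fpcli: USER:admin@192.168.1.6 COMMAND:<allow-sso "admin" "root" > -- command executed successfully',
    'Jan 18 20:09:02 fpcli: USER:admin@192.168.1.6 COMMAND:<allow-sso "noc" "read-only" > -- command executed successfully',
    'Jan 18 21:15:40 fpcli: USER:admin@192.168.1.50 COMMAND:<allow-sso "admin" "root" > -- command executed successfully',
    'Jan 18 21:16:00 fpcli: USER:admin@192.168.1.76 COMMAND:<show loginsessions > -- command executed successfully',
]

if __name__ == "__main__":
    # Assumption: 192.168.1.6 is the Airwave server that issues allow-sso.
    for kind, e in review(parse_allow_sso(SAMPLE), airwave_ips={"192.168.1.6"}):
        print(kind, e["ts"], e["src"], e["sso_user"], e["role"])
```
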