
[TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

  • 1.  [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 18, 2014 09:14 PM

    It is a little-known fact that you can enable single sign-on between Airwave and your controllers.  The idea is that you use Airwave as a central point of management, but if you need to get into a controller, Airwave should be able to automatically log you in to it with the correct privileges, without you having to re-enter your username and password.  All you need to configure this is:

     

    (1) Root Access on Airwave to make the configuration change

    (2) Correct Admin/Root level and enable credentials entered into Airwave for that Controller.

     

    Here is how it works.  In Airwave, go to AMP Setup > Roles.  There you will see all of the Roles of Users that could log in to AMP.  If you edit the Role, the Aruba Controller Role parameter controls what privileges on the Aruba Controller a user in AMP that clicks on Open Controller WebUI will have.  The Aruba Controller Role parameter by default is set to disabled.  In the screenshot below, we changed it to root, which means that anyone who logs into Airwave who has the Admin role will be able to click on the Open Controller WebUI (when monitoring a controller) and be redirected to the controller's page without logging in.  You can also set the parameter to read-only for Airwave admin roles that you only want read-only access to your controller with SSO.

    role.png

     

    Enable Single Sign On in AMP

     amp.PNG

    After looking at a controller in Airwave, I can open up the Controller's dashboard to any menu item without having to log in to the controller:

     

    open.png

     

    sso2.png

     

    Under the hood:

     

    How it works is that Airwave will look at the Aruba Controller Role parameter of the currently logged in management user and if it is disabled, it will do nothing.  If it has a root or read-only role, it will execute a command, "allow-sso <username> <controller admin role>" on the controller.  The controller will spit back a special URL that Airwave would need to connect to the controller over https to gain those permissions.  It redirects the Airwave user to that special URL and the controller grants the permissions.

     

    You can tell if a user has logged in to a controller with Airwave SSO by typing "show audit-trail":

     

    show audit-trail 
    
    Jan 18 20:04:25  fpcli: USER:admin@192.168.1.6 COMMAND:<allow-sso "admin" "root" > -- command executed successfully
    

    You can also tell if an SSO user is currently logged in by typing "show loginsessions":

     

    (192.168.1.3) #show loginsessions 
     
    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   admin      root       192.168.1.76     00:00:00   00:00:02
    2   admin_sso  root                        00:02:20   00:06:50
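
Added example (not part of the original post, and not Aruba or AirWave code): a Python check that applies the two indicators described above, the allow-sso entry in the audit trail and the _sso row in "show loginsessions". The sample output is constructed from lines quoted in this thread; the AirWave address allow-list and the "_sso" suffix test are assumptions.

```python
import re

# Constructed sample input, modelled on the controller output quoted in this thread.
AUDIT_TRAIL = '''\
Jan 19 09:09:32  fpcli: USER:admin@10.10.100.2 COMMAND:<local-userdb-ap del all > -- command executed successfully
Jan 19 09:15:30  fpcli: USER:admin@10.10.100.2 COMMAND:<allow-sso "admin" "root" > -- command executed successfully
Jan 19 11:46:15  fpcli: USER:admin@172.16.3.222 COMMAND:<no paging > -- command executed successfully
Jan 19 12:01:07  fpcli: USER:admin@172.16.3.222 COMMAND:<allow-sso "admin" "root" > -- command executed successfully
'''
LOGINSESSIONS = '''\
Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   admin      root       192.168.1.76     00:00:00   00:00:02
2   admin_sso  root                        00:02:20   00:06:50
'''

ALLOW_SSO = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8})\s+\S+ USER:(?P<user>[^@\s]+)@(?P<src>\S+) '
    r'COMMAND:<allow-sso "(?P<sso_user>[^"]*)" "(?P<role>[^"]*)" >')

def sso_grants(audit_text, airwave_ips):
    """Return every allow-sso event; 'expected' is False when the issuer is not AirWave."""
    events = []
    for line in audit_text.splitlines():
        m = ALLOW_SSO.match(line.strip())
        if m:
            events.append({**m.groupdict(), "expected": m["src"] in airwave_ips})
    return events

def sso_sessions(table_text):
    """Return login sessions whose user name ends in _sso (assumed SSO marker).

    Columns are cut at the offsets of the dashed rule line, because the
    Connection From cell is empty for SSO rows and whitespace splitting
    would shift the remaining fields one column to the left.
    """
    lines = [l for l in table_text.splitlines() if l.strip()]
    rule = next(i for i, l in enumerate(lines)
                if len(re.findall(r"-+", l)) > 1 and not l.replace("-", "").strip())
    spans = [m.span() for m in re.finditer(r"-+", lines[rule])]
    names = [lines[rule - 1][a:b].strip() for a, b in spans]
    rows = [{n: l[a:b].strip() for n, (a, b) in zip(names, spans)}
            for l in lines[rule + 1:]]
    return [r for r in rows if r["User Name"].endswith("_sso")]

if __name__ == "__main__":
    for ev in sso_grants(AUDIT_TRAIL, {"172.16.3.222"}):
        print("allow-sso", ev["ts"], ev["src"], ev["role"], "ok" if ev["expected"] else "REVIEW")
    print(sso_sessions(LOGINSESSIONS))
```

An allow-sso entry issued from an address other than the AirWave server, such as a manual run from an admin workstation, is marked for review because it mints a login grant outside the normal AirWave flow.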

     

     



  • 2.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 18, 2014 11:12 PM

    Hello Collin

    I got this question asked yesterday hahah

     

    The thing is that I have been trying this with no luck...

    I did enable the feature in the Airwave like this

    sso1.PNG

    After that I tried logging in using the Airwave

    sso2.PNG sso3.PNG

     

    I get prompted to put my user and password...

     

    I got Airwave 7.7.8

    Trying with an Aruba controller 6.3.1.2

     

    Is there anything I'm missing Collin?

     

    Cheers

    Carlos



  • 3.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 18, 2014 11:24 PM

    Maybe I'm missing this part

    2) Correct Admin/Root level and enable credentials entered into Airwave for that Controller.

    The only device credentials I find are the telnet and enable secret ones here

     

    ss4.PNG

     

    If those are not the ones that you are referring to

    Can you please point me to where they are?

    Cheers

    Carlos



  • 4.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 19, 2014 05:50 AM

    That is correct.  On the commandline of your controller (#), type admin-sso ? and see if it autocompletes.



  • 5.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 09:12 AM

    It does not autocomplete
    It is not in the command list!

    sso5.PNG



  • 6.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 19, 2014 09:19 AM

    Sorry.  It is "allow-sso".  It is there in the command list.



  • 7.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 09:20 AM

    Yeah, it autocompletes

    I did what it says here

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Single-Sign-On/td-p/75732

     

    Which was that command, but I still get to the prompt of the login



  • 8.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 09:21 AM

    This was the output

     

    (Office_Alternetworks) #allow-sso admin root
    66af997b-b9b5-40ca-95ee-7219fef2902c

     



  • 9.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 19, 2014 09:30 AM

    Do you see that command executed in the Audit trail by Airwave?  What version of Airwave, by the way?

     



  • 10.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 09:34 AM
    (Office_Alternetworks) #show audit-trail login
    Dec 21 15:34:57  cli[1576]: USER: admin has logged in from 172.16.3.222. 
    Dec 21 15:34:59  cli[1576]: USER: admin connected from 172.16.3.222 has logged out. 
    Dec 21 15:35:19  webui[1494]: USER: admin has logged in from 172.16.3.222. 
    Dec 21 15:35:26  cli[1576]: USER: admin connected from 172.16.3.222 has logged out. 
    Dec 21 15:35:41  cli[1576]: USER: admin has logged in from 172.16.3.222. 
    Dec 21 15:36:09  cli[1576]: USER: admin connected from 172.16.3.222 has logged out. 
    Dec 21 15:36:33  webui[1494]: USER: admin has logged in from 172.16.3.43. 
    Dec 21 15:37:41  fpcli: USER: admin has logged in from 172.16.3.222. 
    Dec 21 15:37:44  fpcli: USER: admin connected from 172.16.3.222 has logged out. 
    Dec 21 15:37:56  fpcli: USER: admin has logged in from 172.16.3.222. 
    Dec 21 15:38:00  fpcli: USER: admin connected from 172.16.3.222 has logged out. 
    Dec 21 15:39:58  webui[1494]: USER: admin has logged in from 172.16.3.122. 
    Dec 22 04:18:23  fpcli: USER: admin has logged in from 172.16.3.222. 
    Dec 22 04:18:55  fpcli: USER: admin connected from 172.16.3.222 has logged out. 
    Dec 23 04:18:23  fpcli: USER: admin has logged in from 172.16.3.222. 
    Dec 23 04:18:54  fpcli: USER: admin connected from 172.16.3.222 has logged out. 
    Dec 23 08:45:11  webui[1494]: USER: admin has logged in from 172.29.0.26. 
    Dec 23 12:15:46  webui[1494]: USER: admin has logged in from 172.29.0.26. 
    Dec 23 12:16:38  fpcli: USER: admin has logged in from 172.29.0.26. 
    Dec 23 12:33:31  fpcli: USER: admin connected from 172.29.0.26 has logged out. 
    Dec 24 04:18:23  fpcli: USER: admin has logged in from 172.16.3.222. 
    Dec 24 04:18:54  fpcli: USER: admin connected from 172.16.3.222 has logged out. 

     



  • 11.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 09:35 AM

    172.16.3.222 is the Airwave IP address



  • 12.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 19, 2014 09:39 AM

    Does just "show audit-trail" show Airwave executing the command?  What version of Airwave?



  • 13.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 09:40 AM

    Airwave 7.7.7



  • 14.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 09:42 AM

    The latest entries I see in show audit-trail are

     

    Jan 19 09:09:32  fpcli: USER:admin@10.10.100.2 COMMAND:<local-userdb-ap del all > -- command executed successfully 
    Jan 19 09:15:30  fpcli: USER:admin@10.10.100.2 COMMAND:<allow-sso "admin" "root" > -- command executed successfully 
    
    (Office_Alternetworks) #   

     



  • 15.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 19, 2014 09:44 AM

    And ArubaOS 6.3.1.2?  What controller model?   Okay, we will get it checked out.



  • 16.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 09:51 AM

    Controller mode is master

     

    Just to review, Collin, to see if I did everything I need to

     

    1. I went to the Airwave and put Aruba controller role root on the admin role in the Airwave like this: sso1.PNG
    2. After that I went to the controller and issued the command "allow-sso"
    3. I then tried going to the Airwave and opening the controller GUI by going here: sso2.PNG

     

    It didn't work

     

     

    Just to review to see if I didn't miss anything

     

    Controller version 6.3.1.2 on Master Role, and the controller model is 620

    Airwave version 7.7.7.7

     

    Cheers

    Carlos



  • 17.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 19, 2014 09:54 AM

    Can you upgrade to 7.7.8 and try?  That is what I have working right now.

     



  • 18.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 10:00 AM

    Sure

     

    Let me upgrade it

    After that I'll come back to you

     

    Cheers

    Carlos



  • 19.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 10:11 AM

    Well, there is something weird happening

    I'm trying to start_amp_upgrade -v 7.7.8 and nothing happens...

    It does accept the command as it does not send me any error... but it does nothing...

     

    Ah well, I'll do an offline upgrade, hope that works well :)

     

    Cheers

    Carlos



  • 20.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 11:40 AM

    It keeps happening the same even with the upgrade

    sso6.PNG

     

    It must be something silly I'm missing, or it just doesn't work with the 620 model?

     

    Anything else I can check out?

     

    Cheers

    Carlos



  • 21.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 19, 2014 11:42 AM
    If you can execute the command on the 620, it should work on the 620. You should see Airwave executing the command in the audit trail. If not, we should open a case to determine why Airwave is not SSHing into the controller to set that.


  • 22.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 11:50 AM

    Well, I did run a command with the Airwave, but a CLI command, and I see this on the controller with the audit trail command

     

    Jan 19 11:46:15  fpcli: USER:admin@172.16.3.222 COMMAND:<no paging > -- command executed successfully 
    Jan 19 11:46:15  fpcli: USER:admin@172.16.3.222 COMMAND:<encrypt disable > -- command executed successfully 

    The thing is that when I try on the Airwave running the tab of performance or any tab of the web GUI of the controller I see nothing in the audit trail....

     

    Guess I would need to open a support case?



  • 23.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 19, 2014 12:02 PM

    Do this:

     

    config t

    audit-trail all

     

    Then try to get to the controller from AMP and see if the command is run.



  • 24.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 19, 2014 02:43 PM

    Nothing...

    I did show audit trail all like you said

    And I can even see the last command I executed

     

    Jan 19 14:41:15  fpcli: USER:admin@10.10.100.2 COMMAND:<show audit-trail > -- command executed successfully 

     :(



  • 25.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 19, 2014 04:15 PM

    Okay.  Looks like Airwave is not logging in to create the session.  Let us check and get back to you.

     



  • 26.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 21, 2014 12:44 PM

    Granted you've already passed the allow-sso command on the controller, there are 2 settings in AMP to check for Single Sign-On.

     

    Enable Single Sign-On from AMP

    1. AMP Setup -> Authentication tab -> Single Sign-On -> enable single sign-on
    sso-enable.jpg

     

    Then, you'll also want to make sure that the AMP User has a specified Aruba Controller role.

    2. AMP Setup -> Roles -> edit role -> AMP Controller Role -> by default this is 'disabled'

    sso-role.jpg

     

    Once those 2 settings are valid, the controller's IP link should take you directly into the Controller's UI (showing the front dashboard page for performance).  And the dropdown for controller quick links should take you to the appropriate pages as well.



  • 27.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 21, 2014 06:46 PM

    Rob, you did it!!!

    I didn't know you had to enable that on the authentication tab under AMP setup

     

    sso7.PNG

     

    Now I can log in through the Airwave, and I can see log out admin_sso!

     

    Guess that's the fastest way to know you are logging in through SSO :)

     

    Cheers

    Carlos



  • 28.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 22, 2014 10:59 AM
    Just a quick note, Colin did have that screenshot in his tutorial regarding the SSO on AMP. ;)


  • 29.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 22, 2014 11:19 AM

    I don't remember seeing that in the manual at that time when I tried... oh well..

    The thing is that it is working

     

    Cheers

    Carlos



  • 30.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 22, 2014 11:20 AM

    I did not have that last screenshot there on the initial article.  I corrected it after Rob posted his.



  • 31.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 22, 2014 11:22 AM

    Ah well, that explains that :)

     

    Cheers

    Carlos



  • 32.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    Posted Jan 22, 2014 11:35 AM
    Just trying to help ;)

    Definitely explains that...lol


  • 33.  RE: [TUTORIAL] Single Sign-On (sso) to Aruba Controllers from Airwave (ArubaOS 6.3 and Above)

    EMPLOYEE
    Posted Jan 22, 2014 11:45 AM

    Didn't know how to annotate the change.  Thanks for helping.