Occasional Contributor II

Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

We want to use Windows Server 2012 NPS RADIUS for both read-write management access and read-only management access, and we have configured an Aruba 3200 controller to point to the RADIUS server and Windows Active Directory groups for differentiating administrative access from non-administrative or read-only access.

I log in with my normal account (dbell) with PuTTY (SSH) and I get limited > access. I can then log in with my privileged AD account (dbell-pr) and gain admin privileged access. On the web GUI I log in with my dbell-pr and get admin access, and if I log in with my normal dbell account I still get privileged access (admin). Do you have any ideas on how to eliminate administrative access through the web GUI for my normal non-privileged account? We are using 14823 as directed by the limited documentation we have found. We are currently using a 1 for the vendor-assigned attribute number and it works to limit access through PuTTY to read-only, but does nothing to limit read-write access on the web GUI. Am I missing something here?

[screenshot: 2015-07-06_9-17-45.png]

[screenshot: 2015-07-06_9-17-23.png]


Accepted Solutions
Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

You are sending back an Aruba-User-Role attribute instead of an Aruba Administrative Role attribute.  


Create a separate remote access policy and put it at the top of your policies. The condition must have a type of Virtual or VPN so it can be differentiated from wireless users. Virtual or VPN is used for administrative access:

[screenshot: vpn.png]

You then add your Vendor Specific Attribute with Aruba's VSA number or vendor code:

[screenshot: vsa.png]

You click on Configure Attribute to configure what you are sending back. The vendor-assigned attribute of 4 is Aruba's VSA for Aruba-Admin-Role:

(Aruba7005-US) #show aaa radius-attributes | include Aruba-Admin-Role
Aruba-Admin-Role                  4      String       Aruba      14823

So, I configure it with the number 4 and put in the "read-only" string that I want to send back:

[screenshot: vsa2.png]


When I login, this is what is seen on the controller to validate who I am, my role and how I got that role:

(Aruba7640-US) #whoami
user employee - role read-only 
(Aruba7640-US) #show loginsessions 

Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   employee   read-only  192.168.1.84     00:00:00   00:01:36
2   admin      root       192.168.1.84     00:01:44   00:01:49
3   admin      root       192.168.1.84     00:03:08   00:03:30


Jul 7 11:36:15 :124038:  <INFO> |authmgr|  Selected server NPS for method=Management; user=employee,  essid=<>, domain=<>, server-group=NPS
Jul 7 11:36:15 :124004:  <DBUG> |authmgr|  aal_authenticate (851)(INC) : os_auths 1, s NPS type 2 inservice 1 markedD 0 sg_name NPS
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:471] Radius authenticate user (employee) PAP using server NPS
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1319] :L2 User lookup failed, skipping Aruba-Port-ID
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:53] Add Request: id=9, srv=192.168.1.25, fd=82
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1740] Sending radius request to NPS:192.168.1.25:1812 id:9,len:162 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  NAS-IP-Address: 192.168.1.3 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  NAS-Port-Id: 0 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  NAS-Port-Type: 5 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  User-Name: employee 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1756]  Password: ***** 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Service-Type: Administrative-User 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Calling-Station-Id: 192.168.1.84 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Called-Station-Id: 000B86B8B5F8 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Framed-IP-Address: 192.168.1.84 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Aruba-Essid-Name:  
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Aruba-Location-Id: N/A 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Aruba-AP-Group: N/A 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Aruba-Device-Type:  
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Message-Auth: \327\324\2531\315R\275\265\367u\024uImM\272 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:77] Find Request: id=9, srv=192.168.1.25, fd=82
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:83]  Current entry: srv=192.168.1.25, fd=82
Jul 7 11:36:15 :121041:  <DBUG> |authmgr|  User employee MAC=00:00:00:00:00:00 not found.
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:38] Del Request: id=9, srv=192.168.1.25, fd=82
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1175] Authentication Successful
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1177] RADIUS RESPONSE ATTRIBUTES:
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  {Aruba} Aruba-Admin-Role: read-only 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Framed-Protocol: PPP 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Service-Type: Framed-User 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Class: \246\217\010\315 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  PW_RADIUS_ID: \011 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Rad-Length: 95 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  PW_RADIUS_CODE: \002 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  PW_RAD_AUTHENTICATOR: \032GL\3508X\240\337\214OQ\022\247\335\311@ 
Jul 7 11:36:15 :124066:  <INFO> |authmgr|  Administrative User result=Authentication Successful(0), method=Management, username=employee IP=192.168.1.84 auth server=NPS
Jul 7 11:36:15 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=Management, server=NPS, user=192.168.1.84 
Jul 7 11:36:15 :124607:  <DBUG> |authmgr|  server_cbh(): response=0 from Auth server 'NPS for client:9 proto:1 eap-type:0'.
Jul 7 11:36:15 :124004:  <DBUG> |authmgr|  server_cbh (392)(DEC) : os_auths 0, s NPS type 2 inservice 1 markedD 0 sg_name NPS
Jul 7 11:36:15 :124612:  <DBUG> |authmgr|  AuthSurv_onAuthSucc(authsurv:0): Entered, proto:1 eap-type:0x0 for username:'employee' auth-server:'NPS'.
Jul 7 11:36:15 :124025:  <NOTI> |authmgr|  Administrative user 'employee' authenticated successfully  (role=read-only, privileged=0)
Jul 7 11:36:17 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:115] seq_num_timeout_handler: Freed 0 entries

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
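The attribute encoding the accepted answer turns on, as an added example that is not part of the original post or of any Aruba or Microsoft code: it builds RFC 2865 Vendor-Specific attributes for Aruba's vendor ID 14823, decodes an Access-Accept attribute list, and maps it to a management role the way the answer describes, with Aruba-Admin-Role (vendor type 4) setting the role and Aruba-User-Role (vendor type 1) ignored for management logins. The sample Access-Accept (VSA plus the Framed-Protocol and Service-Type seen in the log), the default-role values and the function names are assumptions for illustration.

```python
"""Aruba RADIUS VSA encode/decode and the admin-role mapping described in the thread.
Added example; not ArubaOS or NPS code."""
import struct
from typing import List, Optional, Tuple

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type for Vendor-Specific
ARUBA_VENDOR_ID = 14823       # Aruba's private enterprise number
ARUBA_USER_ROLE = 1           # Aruba-User-Role: role for user (wireless/wired) sessions
ARUBA_ADMIN_ROLE = 4          # Aruba-Admin-Role: role for management (SSH/WebUI) logins

# (attribute type, vendor id, vendor type, value); vendor fields are None for non-VSAs
Attr = Tuple[int, Optional[int], Optional[int], bytes]


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Plain RADIUS attribute: type(1) length(1) value; length counts the header."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (RFC 2865 s5.26): type(26) length vendor-id(4) vendor-type(1) vendor-length(1) value.
    vendor-length covers vendor-type, vendor-length and the value."""
    if not 0 <= len(value) <= 247:
        raise ValueError("VSA value too long")
    body = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value
    return encode_attr(VENDOR_SPECIFIC, body)


def decode_attrs(blob: bytes) -> List[Attr]:
    """Walk a RADIUS attribute list, unpacking VSAs. Malformed lengths raise instead of being guessed at."""
    out: List[Attr] = []
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
            if vendor_len != len(value) - 4:
                raise ValueError("VSA vendor-length mismatch")
            out.append((attr_type, vendor_id, vendor_type, value[6:]))
        else:
            out.append((attr_type, None, None, value))
        i += length
    return out


def management_role(attrs: List[Attr], default_role: str) -> str:
    """Role a management login ends up with: the Aruba-Admin-Role string if the Accept carries one,
    otherwise the controller's default management role (assumed configurable, e.g. "root" or "no-access").
    Aruba-User-Role (vendor type 1) is a user role, not an admin role, so it is deliberately not consulted."""
    for attr_type, vendor_id, vendor_type, value in attrs:
        if attr_type == VENDOR_SPECIFIC and vendor_id == ARUBA_VENDOR_ID and vendor_type == ARUBA_ADMIN_ROLE:
            return value.decode("ascii")
    return default_role


def build_accept(vendor_type: int, role: str) -> bytes:
    """Constructed Access-Accept attribute list shaped like the response in the thread's debug log:
    one Aruba VSA, Framed-Protocol=PPP (7 = 1) and Service-Type=Framed-User (6 = 2)."""
    return (encode_vsa(ARUBA_VENDOR_ID, vendor_type, role.encode("ascii"))
            + encode_attr(7, struct.pack("!I", 1))
            + encode_attr(6, struct.pack("!I", 2)))


WRONG = build_accept(ARUBA_USER_ROLE, "read-only")   # NPS "vendor-assigned attribute number" = 1
RIGHT = build_accept(ARUBA_ADMIN_ROLE, "read-only")  # NPS "vendor-assigned attribute number" = 4

if __name__ == "__main__":
    for default in ("root", "no-access"):
        for label, pkt in (("attribute 1", WRONG), ("attribute 4", RIGHT)):
            print(f"default={default:9s} {label} -> {management_role(decode_attrs(pkt), default)}")
```

With the default management role assumed to be root, the attribute-1 Accept yields root and the attribute-4 Accept yields read-only; with the default at no-access, only the attribute-4 Accept grants any management role at all.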



All Replies
Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

You should make sure that on the Aruba controller the default role for administrative access is set to "no access". That way, only someone who has the administrative VSA of root will get root.

Occasional Contributor II

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

Doing this will completely lock you out of managing the controller.

All-Decade MVP 2020

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

No. If local authentication is enabled you can still log in using your root credential.
Occasional Contributor II

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

No, you are wrong. Try it.

Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access


@dbell6809 wrote:

Doing this will completly lock you out of managing the controller.


Nope.  Local management accounts will still work, if they were working before.  Local accounts already have attributes assigned so they always work.


Occasional Contributor II

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

You are wrong. I am locked out completely!!!!!

Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

Dbell6809,


If you do not allow local accounts to authenticate while RADIUS is working, and you are NOT sending back an administrative role in the VSA, you would not be able to access your controller, no.


MVP Expert

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

If "no access" is enabled, local authentication will not work unless the RADIUS server is not responding, at which point local access will work again.
Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access


@pmonardo wrote:
if "no access" is enabled, local authentication will not work unless the radius server is not responding at which point local access will work again.

pmonardo,


"No Access" means do not allow access to anyone who does not send an Administrative Role in the Aruba VSA during authentication. Which means that people who simply pass authentication in RADIUS cannot access the controller.


If you uncheck "Allow Local Authentication", local users cannot authenticate, when radius is still responding.


Combining both means only a user who authenticates successfully via RADIUS and for whom a VSA is sent back will be able to access the controller, when the RADIUS server is reachable. If the RADIUS server is not reachable, local admin accounts will work with both of these options enabled.

I just want to make it clear those two options are different things.
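A model of the access rules as the last two posts describe them, as an added example rather than ArubaOS code: it spells out what a management login gets under each combination of the default management role, "Allow Local Authentication", RADIUS reachability and the Aruba-Admin-Role VSA, so the combination that produced the lockout reported above can be seen before the knobs are turned. The option names, the "no-access" role string, and the order in which RADIUS and local credentials are consulted (RADIUS first, local only as a fallback) are assumptions.

```python
"""Management-login outcomes under the default-role / local-auth settings discussed in the thread.
Added example modelling the posts' description; not ArubaOS code."""
from dataclasses import dataclass
from typing import Optional

NO_ACCESS = "no-access"   # assumed string for the "no access" default management role


@dataclass(frozen=True)
class MgmtAuth:
    default_role: str        # role given to a RADIUS-accepted login that carries no Aruba-Admin-Role
    allow_local_auth: bool   # "Allow Local Authentication" while the RADIUS server is responding


@dataclass(frozen=True)
class Login:
    radius_reachable: bool
    radius_accepts: bool               # NPS returned Access-Accept (False: reject, or no such AD user)
    admin_role_vsa: Optional[str]      # Aruba-Admin-Role string in the Accept, None if absent
    local_role: Optional[str]          # role of a matching local management account, None if no match


def resulting_role(cfg: MgmtAuth, login: Login) -> Optional[str]:
    """Role the management session gets, or None when the login is refused."""
    if not login.radius_reachable:
        # Server down: local accounts work whether or not local auth is normally allowed.
        return login.local_role
    if login.radius_accepts:
        # VSA wins; otherwise the default role applies, and "no access" means refused.
        role = login.admin_role_vsa or cfg.default_role
        return None if role == NO_ACCESS else role
    # RADIUS rejected (e.g. a local-only account): fall back to local only if allowed.
    return login.local_role if cfg.allow_local_auth else None


def locked_out(cfg: MgmtAuth, nps_sends_admin_role: bool, local_root_exists: bool = True) -> bool:
    """True if, with the RADIUS server up, neither the RADIUS path nor the local path yields root."""
    via_radius = resulting_role(cfg, Login(True, True, "root" if nps_sends_admin_role else None, None))
    via_local = resulting_role(cfg, Login(True, False, None, "root" if local_root_exists else None))
    return "root" not in (via_radius, via_local)


if __name__ == "__main__":
    for cfg in (MgmtAuth("root", True), MgmtAuth(NO_ACCESS, True), MgmtAuth(NO_ACCESS, False)):
        no_vsa = resulting_role(cfg, Login(True, True, None, None))
        print(f"{cfg}: AD user without VSA -> {no_vsa!r}, "
              f"locked out while NPS sends no admin role: {locked_out(cfg, False)}")
```

Under the model, a default role of root hands every accepted AD user root (the original symptom), no-access with local auth allowed refuses those users while the local root account still works, and no-access with local auth disabled locks everyone out until NPS returns an Aruba-Admin-Role or the RADIUS server stops responding.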