MVP Expert

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

Yes my mistake. Thanks for clearing that up Cjoseph. I was thinking about "Allow local authentication".
Pasquale M. | Senior Network Solutions Consultant
ACDX #420 | ACCA
[If you found my post helpful, please give kudos!]
Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

Dbell,

If you are completely locked out, please look at the document in the post here: http://community.arubanetworks.com/t5/Monitoring-Management-Location/Management-Authentication-using-Windows-2008-as-a-Radius-Server/ta-p/174672

The post is for Airwave. The controller just requires the attribute "root" instead of "Admin" on page 18 for it to work.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor II

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

I disconnected from the network and have a controllable controller once again.

Still do not have a solution for read-only access for network auditors.  Will have to point them at AMP I guess?

Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

dbell6809,

For your network auditors you would return the attribute of "read-only" to give them read only access from radius. Your returned attribute has to match an administrative role exactly for users to gain access:

[Image: roles.png]

If you had to disconnect from the network, you have "allow local authentication" unchecked. You will need to correctly be sending back that radius attribute from the document as either "root" or "read-only" to give users access when "no access" is enabled. If you have anything besides "no access" enabled, any user who simply passes radius authentication has access to your controller and that is not a good thing.

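The matching rule described in the reply above, as an added example that is not part of the original thread and is not Aruba code: a small Python model that audits what each RADIUS policy returns against the controller's management roles. The role names "root" and "read-only" and the "no access" default come from the thread; the function names, the policy names and the assumption that "exactly" includes letter case are constructed for illustration.

```python
# Added illustration: models the role-matching rule described in the reply above.
# Role names come from the thread; functions and sample data are constructed.

MGMT_ROLES = {"root", "read-only"}   # the two management roles named in the thread
NO_ACCESS = "no access"              # default-role setting named in the thread


def effective_role(returned, default_role=NO_ACCESS):
    """Role a user ends up with after passing RADIUS authentication."""
    if returned in MGMT_ROLES:        # assumption: exact, case-sensitive match
        return returned
    return default_role               # anything else falls back to the default


def audit(policies, default_role=NO_ACCESS):
    """Return (policy, finding) pairs for replies that will not behave as intended."""
    findings = []
    if default_role != NO_ACCESS:
        findings.append(("<default role>",
                         f"default role '{default_role}' admits any user who passes RADIUS"))
    for name, returned in policies.items():
        if returned in MGMT_ROLES:
            continue
        near = (returned or "").strip().lower()
        if near in MGMT_ROLES:
            hint = f"'{returned}' is not an exact match for '{near}'"
        elif near == "admin":
            hint = "'Admin' is the Airwave value; the controller expects 'root'"
        elif not near:
            hint = "no role attribute returned"
        else:
            hint = f"'{returned}' matches no management role"
        findings.append((name, f"{hint}; user gets '{default_role}'"))
    return findings


# Constructed sample: what each RADIUS policy sends back for management logins.
SAMPLE_POLICIES = {
    "wlan-admins": "root",
    "auditors": "Read-Only",
    "helpdesk": "Admin",
    "contractors": None,
}

if __name__ == "__main__":
    for policy, finding in audit(SAMPLE_POLICIES):
        print(f"{policy}: {finding}")
```

Running the audit with a default role other than "no access" shows the case the reply warns about: every policy that fails to match still ends up with management access.
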
Occasional Contributor II

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

Thanks! I did get in by disconnecting the network cable briefly and logging
in from the console port. My issues were due to the fact that I do not
have RADIUS administrative rights anymore.

--

<Personal Info Removed>

Occasional Contributor II

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

We are trying to get that to work but have not found the correct VSA
attribute to return read-only for the Web GUI. Our configuration works
correctly for PuTTY or SSH access but not the GUI.

Thanks

--

*Dennis Bell*
*Senior Network Engineer*
*Stinger Ghaffarian Technologies (SGT)*
*Contractor to U.S. Geological Survey (USGS)*
*Earth Resources Observation and Science Center (EROS)*
*47914 252nd Street*
*Sioux Falls, SD 57198-0001*
*(605)594-6809*
Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

Did you read the document from the post that I linked to here? http://community.arubanetworks.com/t5/Monitoring-Management-Location/Management-Authentication-using-Windows-2008-as-a-Radius-Server/ta-p/174672

There is an attached document that details how to do this.

Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

The same administrative rights should work on both GUI and SSH.

Occasional Contributor II

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

You certainly would think so. They, however, do not. Like I said, PuTTY works
fine, but the GUI allows full administrative access using the non-privileged
user account. I would have expected PuTTY to work the same way. I guess I
should go back in with PuTTY and see if, although I have the pound prompt, I may
not be able to make changes.

Thanks

Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

Type `show loginsessions` to see what role admin users get.
