Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Accounting for management users

  • 1.  Accounting for management users

    Posted Dec 13, 2011 12:04 PM

    Hi everybody,

    I've been following the guides posted by cjoseph to authenticate the management users through a RADIUS server. It's working fine, but now I have to perform accounting for these management users. Since the accounting profile is used on AAA profiles, I don't know if I could do accounting for admin users and not just for wireless users.

    Btw, is it possible to give another privilege (not root... for example "read only") through RADIUS authentication?

    Thanks in advance, any idea will be very useful. :)

     

    César



  • 2.  RE: Accounting for management users

    Posted Dec 13, 2011 12:16 PM

    Accounting is usually used to tell the RADIUS server when a user started and stopped a session.  For management users, that may not be relevant.

     

    Are you wanting to do "authorization" (where you allow certain commands for certain users and more or less for other users)?

     

    Right now, the controller only has the concept of roles (read-only, guest-provisioning, root, network-operations, etc).  You CAN pass a RADIUS attribute back to the controller to properly set the role.  For example, if the user requesting controller authentication is a member of "admins", you can pass back the attribute called "Class" with a value of "root".  On the controller you can create a rule (under Management > Administration > Server Rules) by setting "Condition" = Class, "Operation" = value-of, "Action" = set role.  That way, when the RADIUS server responded to the authentication attempt, it would include Class (the way you do that depends on your RADIUS server) with the value of "root".  The controller would then apply the root role to anyone in the Admins group (or whatever group you want to check against in your RADIUS server).



  • 3.  RE: Accounting for management users

    Posted Dec 13, 2011 12:36 PM

    Thanks for the quick reply :)

     

    My customer is asking me to do that; they want to know when an administrator logs into the controller.

     

    Btw, I'm gonna perform a lab to test what you just told me about the roles. I'll be sharing the results with all of you.

     

     

    Kind regards,

     

    César



  • 4.  RE: Accounting for management users

    Posted Dec 16, 2011 10:53 AM

    Olino,

     

    So can't I perform RADIUS accounting for Management Users, just wireless users???

     

     

    César



  • 5.  RE: Accounting for management users

    EMPLOYEE
    Posted Dec 16, 2011 11:02 AM

    If you want to see what your management users are doing, just type "show audit-trail".  The output of that audit-trail is also syslogged:  http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-audit-trail-all/m-p/971/highlight/true#M65