Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Mobility Manager admin login with AD accounts using LDAP

  • 1.  Mobility Manager admin login with AD accounts using LDAP

    Posted Jun 26, 2020 09:55 AM

    I have found guides on how to connect MM to AD using LDAPS, so I have created 2 LDAP connections and put them in a server group. However, I cannot find any documentation on how to enable actually using it, or how/where to select AD users or groups and assign them roles in MM.

     

    It's kind of unbelievable there is no readily available information about this, not in the documentation, not here and not on Google/Youtube. Any input, links, docs appreciated, I can't be the only one trying to control management access using AD.

     

    This is not for 1x, Clearpass or anything else, just plain login to the MM with AD accounts.



  • 2.  RE: Mobility Manager admin login with AD accounts using LDAP

    EMPLOYEE
    Posted Jun 26, 2020 10:10 AM

    I don't mean to be dismissive, but you don't see any guides because everyone has moved on from LDAP to RADIUS. LDAP is not as flexible or easy to troubleshoot as RADIUS, and 99% of people who use LDAP to AD can simply use Add/Remove to install the free Microsoft RADIUS. You are not the only one doing management authentication to AD, you are just one of the few still trying with LDAP. LDAP is inflexible and difficult to troubleshoot. It also requires a service account that will break everything if the password is changed or disabled.

     

    I would just install Microsoft NPS and start with that:  https://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/ta-p/80672




  • 3.  RE: Mobility Manager admin login with AD accounts using LDAP

    Posted Jun 26, 2020 10:15 AM

    Thanks for your input, csjoseph! I believe we can do both RADIUS and TACACS to this domain, so choosing another mechanism is of course doable.

     

    Personally, I understand LDAP much better than RADIUS, and we use it a lot for other systems. If there is more thorough documentation for using RADIUS->AD auth, then that may be the way we have to go instead.




  • 5.  RE: Mobility Manager admin login with AD accounts using LDAP

    Posted Jul 06, 2020 04:35 AM

    Just to summarize, if anyone else looks for the same: MM does not seem to have the ability to integrate with AD through LDAP(S) in any meaningful way. Any auth done this way will give the authenticated user or group one pre-defined role only, since LDAP accounts cannot be linked to multiple roles. The only way to differentiate users/roles from an AD is through a mechanism that allows a role to be communicated to the client (MM) as part of the auth process, such as RADIUS or TACACS.

     

    Also worth noting: MM does not do search or recursion from the configured search base. You need to specify the full directory path to the OU containing the user or group that will be used for auth.


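The point made in the post above is that the role has to ride inside the authentication exchange itself. With RADIUS that means the server's Access-Accept carries a vendor-specific attribute: in the public Aruba dictionary this is Aruba-Admin-Role (Vendor-Specific attribute 26, vendor ID 14823, vendor type 4), which is what an NPS network policy would return for the AD group that should get that role. The following is an added example, not code from the original thread or from HPE Aruba Networking. It builds a minimal Access-Accept with that VSA, signs it with the RFC 2865 Response Authenticator, and shows how the client side would verify the packet and pull the role out; the shared secret and request authenticator are constructed values for the example.

```python
"""Encode/decode Aruba-Admin-Role in a RADIUS Access-Accept (added example)."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Values from the public RADIUS (RFC 2865) and Aruba VSA dictionaries.
ATTR_VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823
ARUBA_ADMIN_ROLE = 4           # Aruba-Admin-Role, a string sub-attribute
CODE_ACCESS_ACCEPT = 2
HEADER_LEN = 20                # code(1) id(1) length(2) authenticator(16)


def aruba_admin_role_vsa(role: str) -> bytes:
    """Encode Aruba-Admin-Role as an RFC 2865 Vendor-Specific attribute."""
    value = role.encode()
    # vendor sub-attribute: vendor-type, vendor-length (counts these 2 bytes), value
    sub = struct.pack("!BB", ARUBA_ADMIN_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attrs: bytes) -> bytes:
    """Server side: Access-Accept whose authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet: bytes, request_authenticator: bytes,
                         secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator and compare in constant time."""
    header, resp_auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(attrs: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV attribute list, rejecting lengths that run past the buffer."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        typ, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute length")
        out.append((typ, attrs[i + 2:i + length]))
        i += length
    return out


def extract_admin_role(packet: bytes) -> Optional[str]:
    """Return the Aruba-Admin-Role carried in an Access-Accept, or None if absent.
    Only verify_access_accept() gives this value any trust; call it first."""
    for typ, value in parse_attributes(packet[HEADER_LEN:]):
        if typ != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == ARUBA_ADMIN_ROLE:
                return value[j + 2:j + vlen].decode()
            j += vlen
    return None


def demo() -> Tuple[bool, Optional[str]]:
    """Constructed exchange: NPS returns role 'root' for an AD admin group."""
    secret = b"constructed-shared-secret"      # constructed, not a real secret
    request_auth = bytes(range(16))            # constructed Request Authenticator
    accept = build_access_accept(7, request_auth, secret, aruba_admin_role_vsa("root"))
    ok = verify_access_accept(accept, request_auth, secret)
    return ok, (extract_admin_role(accept) if ok else None)


if __name__ == "__main__":
    print(demo())
```

Two things the code makes concrete: an Access-Accept with no VSA parses fine but yields no role, which is the LDAP situation from the post (the client has nothing to map and falls back to whatever default it is configured with), and the Response Authenticator is the only thing binding the role string to the shared secret, so the check must happen before the role is honoured.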

  • 6.  RE: Mobility Manager admin login with AD accounts using LDAP

    EMPLOYEE
    Posted Jul 06, 2020 04:58 AM

    I honestly have not tried LDAP in ArubaOS 8.x, but in 6.x you certainly could decide what management role a user obtained by using the memberOf attribute to map AP groups to admin roles.  Again, LDAP is not a very efficient way of doing management authentication in ArubaOS.

     

    Closing this thread.