In ArubaOS 6.4.x we would like to have a couple of generic Management Users defined on the Aruba Controller. These generic users will fail authentication on our Radius server and so we do not want the Controller to look there. However, we have a number of other users who we want to have "Management" access but only after authenticating through the Radius server.
At Configuration > Management > Administration, under "Management Users" we created two accounts, MUSER1 and MUSER2. We never see any "Management User Statistics" displayed for these accounts even though they are used regularly. Why not?
Under "Management Authentication Servers" we checked "Allow Local Authentication", we set "Default Role" to "no-access", we checked "Enable", and left "MSCHAPv2" unchecked. What impact do these settings have? The ArubaOS 6.4.x User Guide tries to explain it on page 787 but fails miserably.
And we have defined a "Server Group" that contains our Radius server and selected it in the "Server Group >" drop-down box. Directly to the right of that, notice that the "Show Reference" button will report "None found." What is the purpose of this "Show Reference" button and why does using a server group in this location not count as a "Reference"?
And we have a set of "Server Rules," one for each User-Name allowed access.
When MUSER1 or MUSER2 logs in to the system, the authentication process includes a check of the Radius server, which makes an LDAP inquiry and logs a failure. How do we prevent the request for Radius authentication when the user has already been authenticated as a "Management User"?
This is not unique to Radius. If I substitute a Tacacs server in place of the Radius server I get the same result.
What is the authentication process for "Management Users"? In what order do things happen and how can we configure it to behave like this: If USER is authenticated as a "Management User", stop the authentication process and grant RBAC as defined by the assigned Role. If USER is not authenticated as a "Management User", try to authenticate the user as defined by our "Server Group" and "Server Rules".
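For anyone trying to reproduce or troubleshoot this from the controller CLI, here is the equivalent of the GUI settings described above together with the show commands used to confirm what is actually in effect. This is an added illustration, not from the original post or from Aruba documentation; the server group name RADIUS-GRP and the role "root" are assumed placeholders, and the CLI keyword for the "Allow Local Authentication" checkbox is not given in the post, so it is deliberately left out.

```text
! Local management accounts (prompts for a password; role name is an assumption)
mgmt-user MUSER1 root
mgmt-user MUSER2 root

! Management authentication profile, matching the GUI settings in the question
aaa authentication mgmt
   default-role no-access
   server-group RADIUS-GRP
   enable
!

! Verify the effective settings before changing anything
show aaa authentication mgmt
show mgmt-user
show aaa server-group RADIUS-GRP
```

Comparing the output of these show commands with the GUI is the quickest way to see whether the "Allow Local Authentication" setting and the server group are both active for management logins.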