Configuring Management Users

Internal, RADIUS (Remote Authentication Dial-In User Service), TACACS (Terminal Access Controller Access Control System), or TACACS+ authentication servers can be configured to authenticate and authorize management users of an Instant AP. The authentication servers determine whether the user has access to the administrative interface. The privilege level for different types of management users is defined on the RADIUS, TACACS, or TACACS+ server instead of the Instant AP. The Instant APs map the management users to the corresponding privilege level and provide access to the users based on the attributes returned by the RADIUS, TACACS, or TACACS+ server.

The following procedure describes how to configure authentication parameters for local admin, read-only, and guest management administrator account settings:

  1. Navigate to the Configuration > System page.
  2. Expand Admin.
  3. Configure the settings defined in the Authentication Parameters for Management Users table below.
  4. Click Save.

Table 1: Authentication Parameters for Management Users

Type of User

Authentication Options

Steps to Follow

Local Administrator

Internal

Select Internal Authentication if you want to specify a single set of user credentials.

The following procedure allows you to configure an internal authentication server:

  1. Select Internal in the Authentication drop-down list.
  2. Specify the Username and Password.
  3. Retype the password to confirm.

Authentication Server

Select Authentication server if you want to use an authentication server to authenticate the management user.

The following procedure configures an authentication server:

  1. Select Authentication server in the Authentication drop-down list. You can add up to 2 authentication servers.
  2. Auth server 1 and Auth server 2—Specify the authentication servers to be used in the Auth server 1 and Auth server 2 drop-down list. You can either select existing servers from the drop-down list or create a new one by clicking the + option.
  3. Load balancing—If two servers are configured, users can use them in the primary or backup mode, or load balancing mode. To enable load balancing, select Enabled. For more information on load balancing, see Dynamic Load Balancing between Two Authentication Servers.
  4. TACACS accounting—If a TACACS server is selected, click the TACACS accounting toggle switch to report management commands, if required.

Authentication server w/fallback to Internal

The following procedure configures an authentication server as a primary authentication method and internal authentication server as a backup authentication option:

  1. Select Authentication server w/fallback to Internal in the Authentication drop-down list. You can add up to 2 authentication servers.
  2. Auth server 1 and Auth server 2—Specify the authentication servers to be used in the Auth server 1 and Auth server 2 drop-down list. You can either select existing servers from the drop-down list or create a new one by clicking the + option.
  3. Load balancing—If two servers are configured, users can use them in the primary and backup mode, or load balancing mode. To enable load balancing, select Enabled. For more information on load balancing, see Dynamic Load Balancing between Two Authentication Servers.
  4. TACACS accounting—If a TACACS server is selected, toggle the TACACS accounting switch to enabled to report management commands, if required.
  5. Specify a Username and Password for local authentication.
  6. Retype the password to confirm.

The Instant AP will fall back to internal authentication in the following scenarios:

  • When the response from the authentication server times out.
  • When the authentication request is rejected by the authentication server.
  • When there is a mismatch in the authentication server shared secret.

NOTE: To configure the Instant AP to fall back to local authentication only when the authentication server response times out, configure the mgmt-auth-server-timout-local-backup command. Configuring this stops the AP from falling back to internal authentication when the authentication request is rejected by the server or when there is a mismatch in the authentication server shared secret. For more information, see the Aruba Instant 8.x CLI Reference Guide.

View Only

Internal

Select Internal to specify a single set of user credentials.

The following procedure allows you to configure an internal authentication server:

  1. Specify the Username and Password.
  2. Retype the password to confirm.

Authentication server

If a RADIUS or TACACS server is configured, select Authentication server for authentication.

Guest Registration Only

Internal

Select Internal to specify a single set of user credentials.

The following procedure allows you to configure an internal authentication server:

  1. Specify the Username and Password.
  2. Retype the password to confirm.

Authentication server

If a RADIUS or TACACS server is configured, select Authentication server for authentication.

The following command allows you to configure a local admin user:

(Instant AP)(config)# mgmt-user <username> [password]

The following command allows you to configure guest management administrator credentials:

(Instant AP)(config)# mgmt-user <username> [password] guest-mgmt

The following command allows you to configure a user with read-only privilege:

(Instant AP)(config)# mgmt-user <username> [password] read-only

The following commands allow you to configure management authentication settings:

(Instant AP)(config)# mgmt-auth-server <server1>

(Instant AP)(config)# mgmt-auth-server <server2>

(Instant AP)(config)# mgmt-auth-server-load-balancing

(Instant AP)(config)# mgmt-auth-server-local-backup

The following command allows you to enable TACACS accounting:

(Instant AP)(config)# mgmt-accounting command all
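
An added example, not part of the Aruba documentation: a small Python check that reads the management-authentication lines of a saved configuration and reports when the internal account is still tried after a server reject, or when command accounting is off. It assumes the configuration stores the commands exactly as typed on this page and that the timeout-only command on its own enables fallback; the sample configuration, server names and users are constructed.

```python
# Constructed sample configuration; server names, users and hashes are made up.
SAMPLE = """\
mgmt-user admin 0123-constructed-hash
mgmt-user auditor 4567-constructed-hash read-only
mgmt-auth-server tacacs-dc1
mgmt-auth-server tacacs-dc2
mgmt-auth-server-load-balancing
mgmt-auth-server-local-backup
"""
TIMEOUT_ONLY = "mgmt-auth-server-timout-local-backup"  # spelled as on this page
FLAGS = {"mgmt-auth-server-load-balancing": "load_balancing",
         "mgmt-auth-server-local-backup": "local_backup",
         TIMEOUT_ONLY: "timeout_only", "mgmt-accounting command all": "accounting"}

def parse_mgmt(config):
    """Collect management-authentication settings from configuration text."""
    s = {"users": {}, "servers": [], **dict.fromkeys(FLAGS.values(), False)}
    for line in map(str.strip, config.splitlines()):
        tok = line.split()
        if line in FLAGS:
            s[FLAGS[line]] = True
        elif tok[:1] == ["mgmt-auth-server"] and len(tok) == 2:
            s["servers"].append(tok[1])
        elif tok[:1] == ["mgmt-user"] and len(tok) >= 2:
            last = tok[-1] if len(tok) > 2 else ""
            s["users"][tok[1]] = last if last in ("read-only", "guest-mgmt") else "admin"
    return s

def falls_back(s, outcome):
    """True if the AP would try the internal account after this server outcome."""
    # Assumption: the timeout-only command also implies fallback is enabled.
    if not s["servers"] or not (s["local_backup"] or s["timeout_only"]):
        return False
    if s["timeout_only"]:
        return outcome == "timeout"
    return outcome in ("timeout", "reject", "secret-mismatch")

def audit(config):
    """Return findings for settings that weaken central control of admin logins."""
    s, out = parse_mgmt(config), []
    if falls_back(s, "reject"):
        out.append("internal account is tried after the server rejects a login")
    if s["servers"] and not s["accounting"]:
        out.append("management commands are not reported (TACACS accounting off)")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Appending the timeout-only command and `mgmt-accounting command all` to the sample clears both findings while keeping the internal account available when the servers are unreachable.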