Configuring Users Accounts for the IAP Management Interface

You can configure RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  or TACACS Terminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. authentication servers to authenticate and authorize the management users of an Access Point (AP). The authentication servers determine if the user has access to management interface. The privilege level for different types of management users is defined on the RADIUS or TACACS server. The APs map the management users to the corresponding privilege level and provide access to the users based on the attributes returned by the RADIUS or TACACS server.

In HPE Aruba Networking Central, the AP management user passwords are stored and displayed as hash instead of plain text. The hash-mgmt-user command is enabled by default on the AP provisioned in the template and UI groups. If a pre-configured AP joins HPE Aruba Networking Central and is moved to a new group, HPE Aruba Networking Central uses the hash-mgmt-user configuration settings and discards mgmt-user configuration settings, if any, on the AP. In other words, HPE Aruba Networking Central hashes management user passwords irrespective of the management user configuration settings running on an AP.

To configure authentication parameters for local admin, read-only, and guest management administrator account settings, complete the following steps:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click Show Advanced.
  5. Click the System tab.

    The System page is displayed.

  6. Expand the Administrator accordion and configure the following parameters:

    Table 1: Configuration Parameters for the AP Users

    Type of the User

    Authentication Options

    Steps to Follow

    Client Control

    Internal

    In the Authentication drop-down list, Select Internal if you want to specify a single set of user credentials.

    To set Internal from Authentication, complete the following:

    1. Select Internal from the Authentication drop-down list.
    2. Specify the Username and Password.
    3. Retype the password to confirm.

    HPE Aruba Networking Central now supports SSH Secure Shell. SSH is a network protocol that provides secure access to a remote device. Timed Account Lockout feature on APs without any RADIUS server that allows an administrator to configure the number of unsuccessful authentication attempts to authenticate remotely.

    To configure a user account with SSH Timed Account Locked feature, complete the following:

    1. Set a type of authentication from the Authentication drop-down list.

    2. Specify the Username and Password.
    3. Retype the password to confirm.
    4. Set the number of login retries in the Login Retries text box.
    5. Set the number of retry delay seconds in the Retry Delay Seconds text box.
    6. Click Save Settings.

    NOTE: The Login Retries and Retry Delay Seconds text box are optional parameters.

    Authentication Server

    In the Authentication drop-down list, Select Authentication Server if you want to use an Authentication server to authenticate the management user.

    To set Authentication Server from Authentication, complete the following:

    1. Select Authentication Server from the Authentication drop-down list. You can add up to two authentication servers.
    2. Auth Server 1 and Auth Server 2—Specify the authentication servers to be used from the Auth Server 1 and Auth Server 2 drop-down lists. You can either select an existing server from the drop-down list or create a new server by selecting New from the Auth Server 1 and Auth Server 2 drop-down lists.
    3. TACACS Accounting—If a TACACS server is selected, select the TACACS accounting check box to report management commands, if required.
    4. Load Balancing—If two servers are configured, users can use them in the primary or backup mode, or load balancing mode. Click the toggle switch to enable Load Balancing. For more information on load balancing, see Authentication Servers for IAPs.

    Authentication Server with fallback to Internal

    In the Authentication drop-down list, select Authentication Server with fallback to Internal if you want to use authentication server as a primary authentication method and Internal authentication as a backup authentication option. The AP will fall back to internal authentication in the following scenarios:

    • When the response from the authentication server times out.
    • When the authentication request is rejected by the authentication server.
    • When there is a mismatch in the authentication server shared secret.

    To set Authentication Server with fallback to Internal from Authentication, complete the following:

    1. Select Authentication Server with fallback to Internal from the Authentication drop-down list. You can add up to two authentication servers.
    2. Auth Server 1 and Auth Server 2—Specify the authentication servers to be used from the Auth Server 1 and Auth Server 2 drop-down lists. You can either select an existing server from the drop-down list or create a new server by selecting New from the Auth Server 1 and Auth Server 2 drop-down lists.
    3. TACACS Accounting—If a TACACS server is selected, select the TACACS accounting check box to report management commands, if required.
    4. Load Balancing—If two servers are configured, users can use them in the primary or backup mode, or load balancing mode. Click the toggle switch to enable Load Balancing. For more information on load balancing, see Authentication Servers for IAPs.

    5. Specify the Username and Password.

    6. Retype the password to confirm.

    HPE Aruba Networking Central now supports SSH Timed Account Lockout feature on APs without any RADIUS server that allows an administrator to configure the number of unsuccessful authentication attempts to authenticate remotely.

    To configure a user account with SSH Timed Account Locked feature, complete the following:

    1. Set a type of authentication from the Authentication drop-down list.

    2. Specify the Username and Password.
    3. Retype the password to confirm.
    4. Set the number of login retries in the Login Retries text box.
    5. Set the number of retry delay seconds in the Retry Delay Seconds text box.
    6. Click Save Settings.

    NOTE: The Login Retries and Retry Delay Seconds text box are optional parameters.

    Authentication Server with fallback to Internal when timeout

    In the Authentication drop-down list, select Authentication Server with fallback to Internal when timeout if you want to use authentication server as a primary authentication method and Internal authentication as a backup authentication option. The AP will fall back to internal authentication only when the response from the authentication server times out.

    To set Authentication Server with fallback to Internal when timeout from Authentication, complete the following:

    1. Select Authentication Server with fallback to Internal when timeout from the Authentication drop-down list. You can add up to two authentication servers.
    2. Auth Server 1 and Auth Server 2—Specify the authentication servers to be used from the Auth Server 1 and Auth Server 2 drop-down lists. You can either select an existing server from the drop-down list or create a new server by selecting New from the Auth Server 1 and Auth Server 2 drop-down lists.
    3. TACACS Accounting—If a TACACS server is selected, select the TACACS accounting check box to report management commands, if required.
    4. Load Balancing—If two servers are configured, users can use them in the primary or backup mode, or load balancing mode. Click the toggle switch to enable Load Balancing. For more information on load balancing, see Authentication Servers for IAPs.

    5. Specify the Username and Password.

    6. Retype the password to confirm.

    HPE Aruba Networking Central now supports SSH Timed Account Lockout feature on APs without any RADIUS server that allows an administrator to configure the number of unsuccessful authentication attempts to authenticate remotely.

    To configure a user account with SSH Timed Account Locked feature, complete the following:

    1. Set a type of authentication from the Authentication drop-down list.

    2. Specify the Username and Password.
    3. Retype the password to confirm.
    4. Set the number of login retries in the Login Retries text box.
    5. Set the number of retry delay seconds in the Retry Delay Seconds text box.
    6. Click Save Settings.

    NOTE: The Login Retries and Retry Delay Seconds text box are optional parameters.

    View Only

     

     

     

    To configure a user account with the read-only privileges, complete the following:

    1. Specify the Username and Password.
    2. Retype the password to confirm.

    Guest Registration Only

     

    To configure a guest user account with the read-only privileges, complete the following:

    1. Specify the Username and Password.
    2. Retype the password to confirm.
  7. Click Save Settings.