Configuring User Accounts for the IAP Management Interface
You can configure RADIUS or TACACS authentication servers to authenticate and authorize the management users of an Instant Access Point (IAP). RADIUS (Remote Authentication Dial-In User Service) is an industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. TACACS (Terminal Access Controller Access Control System) is a family of protocols that handles remote authentication and related services for network access control through a centralized server. The authentication servers determine if the user has access to the administrative interface. The privilege level for different types of management users is defined on the RADIUS or TACACS server. The IAPs map the management users to the corresponding privilege level and provide access to the users based on the attributes returned by the RADIUS or TACACS server.
In Aruba Central (on-premises), the IAP management user passwords are stored and displayed as a hash instead of plain text. The command is enabled by default on the IAPs provisioned in the template and UI groups. If a pre-configured IAP joins Aruba Central and is moved to a new group, Aruba Central uses the configuration settings and discards configuration settings, if any, on the IAP. In other words, Aruba Central hashes management user passwords irrespective of the management user configuration settings running on an IAP.
To configure authentication parameters for local admin, read-only, and guest management administrator account settings, complete the following steps:
- In the app, set the filter to a group containing at least one AP.
  The dashboard context for the group is displayed.
- Under , click > .
  A list of APs is displayed in the view.
- Click the icon.
  The tabs to configure the APs are displayed.
- Click .
- Click the tab.
  The System page is displayed.
- Click the accordion and configure the following parameters:
Table 1: Configuration Parameters for the IAP Users
Type of the User
Authentication Options
Steps to Follow
In the drop-down list, select if you want to specify a single set of user credentials. If using an internal authentication server:
- In and , enter a username and password.
- In , retype the password to confirm.
In the drop-down list, select the RADIUS or TACACS authentication servers. You can also create a new server by selecting from the drop-down list.
In the drop-down list, select option if you want to use both internal and external servers. When enabled, the authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). To use this option, select the authentication servers and configure the user credentials for internal server based authentication.
- In and , enter a username and password.
- In , retype the password to confirm.
If two servers are configured, the users can use them in the primary or backup mode, or load balancing mode. To enable load balancing, select from the drop-down list. For more information on load balancing, see Authentication Servers for IAPs.
If a TACACS server is selected, enable TACACS accounting to report management commands, if required.
To configure a user account with the read-only privileges:
- In and , enter a username and password.
- In , retype the password to confirm.
To configure a guest user account with the read-only privileges:
- In and , enter a username and password.
- In , retype the password to confirm.
- Click .
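The fallback option in the table above, with two servers in primary/backup mode, can be modelled as follows. This is an added example, not Aruba code: the server stand-ins, account names, passwords and the PBKDF2 hash are constructed assumptions, and an explicit reject is treated as final because the page ties fallback to a server timeout only. Load balancing mode is not modelled.

```python
import hashlib, hmac, os
from enum import Enum

class Reply(Enum):
    ACCEPT = 1
    REJECT = 2
    TIMEOUT = 3  # no response from the server

def hash_pw(password, salt):
    # PBKDF2 is an assumption; the page does not name the hash the IAP uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_internal_user(password, privilege):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_pw(password, salt), "privilege": privilege}

def authenticate(user, password, servers, internal_users, fallback=True):
    """Return (allowed, decided_by, privilege).
    servers: (name, query) pairs in primary-then-backup order."""
    for name, query in servers:
        reply, privilege = query(user, password)
        if reply is Reply.ACCEPT:
            return (True, name, privilege)  # privilege comes from the server
        if reply is Reply.REJECT:
            return (False, name, None)  # server answered: no fallback (assumption)
        # TIMEOUT: move on to the backup server, if one is configured
    if not fallback:
        return (False, "none", None)
    entry = internal_users.get(user)
    if entry and hmac.compare_digest(hash_pw(password, entry["salt"]), entry["hash"]):
        return (True, "internal", entry["privilege"])
    return (False, "internal", None)

# Constructed stand-ins for RADIUS/TACACS servers and one internal account.
def server_up(user, password):
    ok = (user, password) == ("netops", "constructed-radius-pw")
    return (Reply.ACCEPT, "admin") if ok else (Reply.REJECT, None)

def server_down(user, password):
    return (Reply.TIMEOUT, None)

INTERNAL = {"localadmin": make_internal_user("constructed-local-pw", "admin")}

if __name__ == "__main__":
    up, down = [("primary", server_up)], [("primary", server_down), ("backup", server_down)]
    print(authenticate("netops", "constructed-radius-pw", up, INTERNAL))
    print(authenticate("localadmin", "constructed-local-pw", up, INTERNAL))
    print(authenticate("localadmin", "constructed-local-pw", down, INTERNAL))
```

In this model the internal account is accepted only while every configured server is timing out, so its password deserves the same strength and rotation as the centrally managed ones.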