airwave authorisation on acs 5.3.0.40

Hello, I am new to ACS 5.x and trying to authenticate Airwave devices on our ACS 5.3.0.40 system.

The instructions I have for a 4.x ACS system don't seem to translate to a 5.x ACS system. They talk about associating an AMP http service under the Interface Configuration tab.

The only instructions I've found for 5.x say to create a custom attribute and nothing else.

http://community.arubanetworks.com/t5/AirWave/Airwave-Login-Authentication-with-ACS-5-x/td-p/16617

So I've done the following:

Policy Elements > Device Administration > Shell Profiles > created a profile called "AMP Air Wave access" and under Custom Attributes added an attribute called role, Requirement = Mandatory, Value = Admin

Providing the Airwave admin user is trying to log in with "Admin", is this all I need to do?

How does this Shell Profile associate itself with ip addresses for the AMP devices I've input in Network Devices and AAA Clients?

Do I need to add a user "Admin" to ACS users and associate that with the AMP device i.p. addresses in the Network Devices and AAA Clients?

Thanks,

Stuart.

1 Reply 1

Michal Garcarz
Cisco Employee

Hi Stuart,

You need to bind that shell profile to the correct authorization rules in the access policies.

Example: Access Policies/Default Device Admin/Authorization

Then create a rule for that specific device (you can use an NDG group or just the IP) and put your shell profile in the result.

If you do not have any modifiers when creating the rule, please use a compound condition (the Customize option at the bottom right).

Of course you can have very specific rules there: for example, for just a specific username.

--

Michal