User role assignment with RADIUS attributes
Consider the following when configuring your RADIUS server for user authentication on the switch:
- RADIUS users are assigned user roles (privilege levels) based on the `Aruba-Priv-Admin-User` Vendor-Specific Attribute (VSA), the `Service-Type` attribute, or a combination of both.
- The `Aruba-Priv-Admin-User` VSA identifies three user roles (privilege levels) as follows:
  - 15: Administrators
  - 1: Operators
  - 19: Auditors
- The `Service-Type` attribute identifies two user roles (privilege levels) as follows:
  - Administrative-User(6): Administrators
  - NAS-Prompt-User(7): Operators
NOTE: It is recommended that you only use the `Aruba-Priv-Admin-User` VSA. The `Service-Type` attribute is retained for backward compatibility.
The `Aruba-Priv-Admin-User` VSA and the `Service-Type` attribute configured on the RADIUS server result in the following user role (privilege level) assignment on the switch:
| Aruba-Priv-Admin-User | Service-Type | User role assigned | Reason for this assignment (because) |
|---|---|---|---|
| Not set | Administrative-User(6) | Administrators | Service-Type is 6. |
| 15 | Administrative-User(6) | Administrators | Service-Type is 6 and VSA is 15. |
| 15 | Not set | Administrators | VSA is 15. |
| 15 | Set other than 6 | None (error) | Service-Type does not match VSA. |
| Set other than 15 | Administrative-User(6) | None (error) | Service-Type does not match VSA. |
| Not set | NAS-Prompt-User(7) | Operators | Service-Type is 7. |
| 1 | NAS-Prompt-User(7) | Operators | Service-Type is 7 and VSA is 1. |
| 1 | Not set | Operators | VSA is 1. |
| 1 | Set other than 7 | None (error) | Service-Type does not match VSA. |
| Set other than 1 | NAS-Prompt-User(7) | None (error) | Service-Type does not match VSA. |
| 19 | Not set | Auditors | VSA is 19. |
| 19 | Set to any value | None (error) | No Service-Type associated with auditors. |
| Not set | Not set | None (error) | Nothing configured. |
| Set to any value or not set | Set other than 6 or 7 | None (error) | Per RFC 2865, NAS does not need to be implemented with all Service-Types. It treats unsupported Service-Type as Access-Reject. |
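The decision table above, written out as an added Python model so that an administrator can check what role a given RADIUS reply would produce before rolling out server policy. This is example code added here, not Aruba's switch implementation; it takes the already-decoded attribute values (`None` when the attribute is absent) and returns the role plus the table's reason. The only case the table does not list, a VSA value other than 15, 1 or 19 with no `Service-Type`, is an assumption in this model and is treated as "no role" (fail closed).

```python
"""Model of the switch's RADIUS user-role assignment table.

Added worked example, not Aruba code. assign_role() reproduces the rows of
the table on this page; verify_table() replays every row and reports any
mismatch, which is useful when re-checking a server's attribute policy.
"""
from typing import List, Optional, Tuple

# Aruba-Priv-Admin-User VSA values and the roles they name.
VSA_ROLES = {15: "Administrators", 1: "Operators", 19: "Auditors"}

# Service-Type values the switch understands (RFC 2865 names).
ADMINISTRATIVE_USER = 6   # Administrative-User(6)
NAS_PROMPT_USER = 7       # NAS-Prompt-User(7)
SERVICE_TYPE_ROLES = {ADMINISTRATIVE_USER: "Administrators",
                      NAS_PROMPT_USER: "Operators"}

# VSA value that must accompany each supported Service-Type for them to agree.
MATCHING_VSA = {ADMINISTRATIVE_USER: 15, NAS_PROMPT_USER: 1}


def assign_role(vsa: Optional[int],
                service_type: Optional[int]) -> Tuple[Optional[str], str]:
    """Return (role, reason) for one Access-Accept; role None means rejected.

    vsa          -- Aruba-Priv-Admin-User value, or None if not sent
    service_type -- Service-Type value, or None if not sent
    """
    if vsa is None and service_type is None:
        return None, "Nothing configured."

    # Unsupported Service-Type: per RFC 2865 the NAS need not implement every
    # Service-Type and treats an unsupported one as Access-Reject, whatever
    # the VSA says.
    if service_type is not None and service_type not in SERVICE_TYPE_ROLES:
        return None, "Unsupported Service-Type; treated as Access-Reject."

    if service_type is None:
        # Only the VSA decides.
        if vsa in VSA_ROLES:
            return VSA_ROLES[vsa], f"VSA is {vsa}."
        # Assumption: the table has no row for a VSA outside 15/1/19 with no
        # Service-Type; this model fails closed instead of guessing a role.
        return None, f"VSA {vsa} maps to no role."

    # From here on Service-Type is 6 or 7.
    if vsa is None:
        return SERVICE_TYPE_ROLES[service_type], f"Service-Type is {service_type}."
    if vsa == 19:
        return None, "No Service-Type associated with auditors."
    if vsa == MATCHING_VSA[service_type]:
        return (SERVICE_TYPE_ROLES[service_type],
                f"Service-Type is {service_type} and VSA is {vsa}.")
    return None, "Service-Type does not match VSA."


# One representative (vsa, service_type, expected role) per table row.
# Constructed from the page's rows; 2 stands in for "set other than 6 or 7"
# and 3 stands in for "set other than 15" / "set other than 1".
TABLE_CASES = [
    (None, 6, "Administrators"), (15, 6, "Administrators"),
    (15, None, "Administrators"), (15, 7, None), (3, 6, None),
    (None, 7, "Operators"), (1, 7, "Operators"), (1, None, "Operators"),
    (1, 6, None), (3, 7, None), (19, None, "Auditors"), (19, 6, None),
    (None, None, None), (15, 2, None), (None, 2, None),
]


def verify_table() -> List[Tuple[Optional[int], Optional[int], Optional[str]]]:
    """Replay TABLE_CASES; return the rows whose role the model gets wrong."""
    return [(vsa, st, got) for vsa, st, want in TABLE_CASES
            if (got := assign_role(vsa, st)[0]) != want]


if __name__ == "__main__":
    for vsa, st, _ in TABLE_CASES:
        role, reason = assign_role(vsa, st)
        print(f"VSA={vsa!s:>4}  Service-Type={st!s:>4}  -> {role or 'None (error)'}: {reason}")
    print("table mismatches:", verify_table())
```

Keeping the model side by side with the table makes the failure rows visible: any combination where the two attributes disagree, or where `Service-Type` is set for an auditor, is a rejected login rather than a downgraded one, which is why the page recommends sending only the VSA.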