User role assignment with RADIUS attributes

Consider the following when configuring your RADIUS server for user authentication on the switch:
  • RADIUS users are assigned user roles (privilege levels) based on the Aruba-Priv-Admin-User Vendor-Specific Attribute (VSA) or the Service-Type attribute or a combination of both.

  • The Aruba-Priv-Admin-User VSA identifies three user roles (privilege levels) as follows:
    • 15: Administrators

    • 1: Operators

    • 19: Auditors

  • The Service-Type attribute identifies two user roles (privilege levels) as follows:
    • Administrative-User(6): Administrators

    • NAS-Prompt-User(7): Operators

NOTE:

It is recommended that you only use the Aruba-Priv-Admin-User VSA. The Service-Type attribute is retained for backward compatibility.

The Aruba-Priv-Admin-User VSA and the Service-Type attributes configured on the RADIUS server, result in the following user role (privilege level) assignment on the switch:

Aruba-Priv-Admin-User Service-Type User role assigned Reason for this assignment (because)
Not set Administrative-User(6) Administrators Service-Type is 6.
15 Administrative-User(6) Administrators Service-Type is 6 and VSA is 15.
15 Not set Administrators VSA is 15.
15 Set other than 6 None (error) Service-Type does not match VSA.
Set other than 15 Administrative-User(6) None (error) Service-Type does not match VSA.
Not set NAS-Prompt-User(7) Operators Service-Type is 7.
1 NAS-Prompt-User(7) Operators Service-Type is 7 and VSA is 1.
1 Not set Operators VSA is 1.
1 Set other than 7 None (error) Service-Type does not match VSA.
Set other than 1 NAS-Prompt-User(7) None (error) Service-Type does not match VSA.
19 Not set Auditors VSA is 19.
19 Set to any value None (error) No Service-Type associated with auditors.
Not set Not set None (error) Nothing configured.
Set to any value or not set Set other than 6 or 7 None (error) Per RFC 2865, NAS does not need to be implemented with all Service-Types. It treats unsupported Service-Type as Access-Reject.