User role assignment using RADIUS attributes
User role assignment is configured on the RADIUS server using VSAs (vendor-specific attributes).
RADIUS servers can return multiple attribute value pairs (AVPs) in response to an authentication request. The attributes are processed in this order of precedence to determine the user role assigned:
If the
Aruba-Admin-RoleVSA is present, map the user to the matching local user-group name.Else if the
Aruba-Priv-Admin-UserVSA is present, extract the privilege level (1, 15, or 19) and map the user to the local user-group corresponding to this privilege level (1=operators,15=administrators,19=auditors). Privilege levels 2 to 14 may also be used with matching local user groups named 2 to 14.Else If Service-Type AVP is present, map
Administrative-User(6)toadministratorsand mapNAS-Prompt-User(7)tooperators.Otherwise, the user role cannot be determined, and the authentication fails.
Aruba-Admin-Role |
Aruba-Priv-Admin-User |
service-type |
User role assigned |
|---|---|---|---|
<GROUP-NAME> |
Do not care | Do not care | Matching local user
<GROUP-NAME> |
| Not present | privilege level =1 | Do not care | Operators |
| Not present | privilege level =15 | Do not care | Administrators |
| Not present | privilege level =19 | Do not care | Auditors |
| Not present | privilege level =2 to 14 | Do not care | Matching local user groups named 2 to 14 |
| Not present | Not present | Administrative-User(6) |
Administrators |
| Not present | Not present | NAS-Prompt-User(7) |
Operators |
| Not present | Not present | Not present (or = any other value) | None (not authenticated) |
The
Service-Type attribute is retained only for backward compatibility. It is recommended that you instead use the
Aruba-Admin-Role or
Aruba-Priv-Admin-User VSA.