
mgmt-user

mgmt-user

audit-period

console-blocks

localauth <username>

ssh-pubkey

client-cert <certname> <username> <role> [<rcp>]

webui-cacert <certificate_name> [serial <number>] <username> <role> [<rcp>]

<username> <rolename> <max-concurrent-session> [node <path>] <password> <old-password>

Description

This command configures an administrative user.

Syntax

Parameter

Description

Default

audit-period

Configures an audit period.

 

console-blocks

Blocks serial console access once the user logs out.

localauth <username>

Enables the authentication of management users based on the results returned by the authentication server.

To disable this setting, use the no mgmt-user localauth command.

To verify if authentication of local management user accounts is enabled or disabled, use the following command:

show mgmt-user local-authentication-mode

ssh-pubkey

Configures certificate authentication of administrative users using the CLI through SSH.

client-cert

Name of the X.509 client certificate for authenticating administrative users using SSH.

<username>

Name of the user.

<role>

Role assigned to the authenticated user.

<rcp>

Revocation Checkpoint for the ssh user's client certificate. The rcp checks the revocation status of the SSH user’s client certificate before permitting access.

webui-cacert

The client certificate for authenticating administrative users using the WebUI.

<certificate_name>

The name of the CA certificate. If configured, certificate authentication and authorization are automatically completed using an authentication server.

serial

Serial number of the client certificate.

<username>

Name of the user.

<role>

Role assigned to the authenticated user.

<rcp>

Revocation Checkpoint for the ssh user's client certificate. The rcp checks the revocation status of the SSH user’s client certificate before permitting access.

<username>

Name of the user.

You can create a maximum of 10 management users.

NOTE: If you configure a root management user, you can use special characters except for double-byte characters.

<rolename>

Role assigned to the user. Predefined roles include:

guest-provisioning: Allows the user to create guest accounts on a special WebUI page.

location-api-mgmt: Permits access to location API information. You can log into the CLI; however, you cannot use any CLI commands.

network-operations: Permits access to Monitoring, Reports, and Events pages in the WebUI. You can log into the CLI; however, you can only use a subset of CLI commands to monitor the controller.

read-only: Permits access to CLI show commands or WebUI monitoring pages only.

root: Permits access to all management functions on the controller.

standard: This role has root privileges but cannot make changes to the management users.

max-concurrent-sessions

Configures the maximum number of concurrent sessions for a management user. The maximum number of sessions allowed is 10.

node

Configures node level permissions. Use this parameter when you want to configure an authenticated user assigned to a role in the managed device.

<path>

Path of the managed device.

<password>

NOTE: You are prompted for the <password> for this user after you type in <role> and press Enter.

The password must have a minimum of six characters.

You can use special characters in the management user password. The restrictions are as follows:

You cannot use double-byte characters

You cannot use the question mark (?)

You cannot use white space (<space>)

<old-password>

Provide the old password to enable the user to change the management user password.

Usage Guidelines

You can configure client certificate authentication of WebUI or SSH management users (by default, only username/password is used). To configure certificate authentication for the WebUI or SSH, use the web-server mgmt-auth certificate or ssh mgmt-auth public-key commands, respectively.

Use the webui-cacert <certificate_name> command if you want an external authentication server to derive the management user role. This is helpful if there are a large number of users who need to be authenticated.

Use the mgmt-user webui-cacert <certificate_name> serial <number> <username> <role> command if you want the authentication process to use a previously configured certificate name and serial number to derive the user role.

Use the mgmt-user webui-cacert <certificate_name> serial <number> <username> <role> <rcp> command if you want to configure an optional RCP for an ssh-pubkey user.

Use the mgmt-user <username> <rolename> node <path> <password> command to configure an authenticated user assigned to a role in the managed device.

Example

The following command configures a management user and role:

(host)[node](config) #mgmt-user testuser1 root

Password: *****

Re-Type password: *****
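
The following script is an added example, not part of the original command reference or of ArubaOS. It reviews mgmt-user entries for accounts holding the root or standard role and for certificate-authenticated users configured without an <rcp>. It assumes the entries appear in a saved configuration exactly as in the syntax on this page; the finding names and every user, certificate and RCP name in the sample are constructed.

```python
PRIVILEGED = {"root", "standard"}  # roles this page describes as having root privileges
KEYWORDS = {"audit-period", "console-blocks", "localauth"}  # settings, not user entries

def parse_mgmt_user(line):
    """Return a dict for one 'mgmt-user' user entry, or None for any other line."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "mgmt-user" or tok[1] in KEYWORDS:
        return None
    if tok[1] == "ssh-pubkey":
        # mgmt-user ssh-pubkey client-cert <certname> <username> <role> [<rcp>]
        if len(tok) < 6 or tok[2] != "client-cert":
            return None
        kind, cert, serial, rest = "ssh-pubkey", tok[3], None, tok[4:]
    elif tok[1] == "webui-cacert":
        # mgmt-user webui-cacert <certificate_name> [serial <number>] <username> <role> [<rcp>]
        kind, cert, serial, rest = "webui-cacert", tok[2], None, tok[3:]
        if len(rest) >= 2 and rest[0] == "serial":
            serial, rest = rest[1], rest[2:]
        if len(rest) < 2:
            return None  # CA-only form: the role comes from the authentication server
    else:
        # mgmt-user <username> <rolename> ...
        return {"kind": "local", "user": tok[1], "role": tok[2],
                "cert": None, "serial": None, "rcp": None}
    return {"kind": kind, "user": rest[0], "role": rest[1], "cert": cert,
            "serial": serial, "rcp": rest[2] if len(rest) > 2 else None}

def audit(config_text):
    """Return sorted (username, finding) pairs for entries that deserve a review."""
    findings = set()
    for entry in filter(None, map(parse_mgmt_user, config_text.splitlines())):
        if entry["role"] in PRIVILEGED:
            findings.add((entry["user"], "privileged-role"))
        if entry["kind"] != "local" and entry["rcp"] is None:
            findings.add((entry["user"], "no-revocation-checkpoint"))
    return sorted(findings)

# Constructed sample configuration lines (not taken from a real device).
SAMPLE_CONFIG = """\
mgmt-user testuser1 root
mgmt-user monitor1 read-only
mgmt-user ssh-pubkey client-cert ssh-cert-a opsadmin standard
mgmt-user ssh-pubkey client-cert ssh-cert-b auditor read-only rcp-main
mgmt-user webui-cacert corp-ca serial 1234 webadmin root rcp-main
mgmt-user webui-cacert corp-ca
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_CONFIG):
        print(f"{user}: {finding}")
```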

Related Commands

Version

Modification

show mgmt-users

Displays a list of management users on the Mobility Master and details of each management user.

Command History

Release

Modification

ArubaOS 8.4.0.0

The following sub-parameters were introduced in the <username> parameter:

max-concurrent-sessions

old-password

The audit-period parameter was introduced.

ArubaOS 8.2.2.0

The following sub-parameters were introduced in the <username> parameter:

max-concurrent-sessions

old-password

The audit-period parameter was introduced.

ArubaOS 8.1.0.0

The standard role was introduced.

ArubaOS 8.0.1.0

The node parameter was introduced in the mgmt-user <username> <rolename> command.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platform: All platforms

License: Base operating system.

Command Mode: Config mode on Mobility Master.
