Campus Switching and Routing

Reply
New Contributor

Allow local "manager" account even if RADIUS is available

I have configured my 2920 switch to do RADIUS authentication, which works as expected, however I would also like to allow the local "manager" account to log in even if RADIUS is responding in the case where the RADIUS server is up but maybe the back-end user database is not responding correctly. I realize this is an edge case. Is there a way to do this in Aruba OS? I'm on version 16.02.

 

-Scott

Aruba Employee

Re: Allow local "manager" account even if RADIUS is available

Greetings!

 

When configuring access methods for switch management access, the 'aaa authentication <feature>' commands provide the ability to configure both a primary and secondary authentication method. If you'd like RADIUS to be the primary method and local username/password to be the secondary, you would use the following commands (these cover console/SSH login and enable access, as well as access to the Web UI):

 

switch(config)# aaa authentication console login radius local 
switch(config)# aaa authentication console enable radius local 
switch(config)# aaa authentication ssh login radius local 
switch(config)# aaa authentication ssh enable radius local 
switch(config)# aaa authentication web login radius local 
switch(config)# aaa authentication web enable radius local 

You can find more background info and suggestions in the ArubaOS-Switch Hardening Guide, as well as the Access Security Guide.



Matthew Fern | Technical Marketing Engineer, Wired Intelligent Edge
Aruba, a Hewlett Packard Enterprise Company
New Contributor

Re: Allow local "manager" account even if RADIUS is available

Thanks for the reply, however that's not exactly what I was asking. I actually opened a support ticket with the HPE support portal, and they confirmed that there is no configuration which allows the local user database to be used when the RADIUS server is available.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: