Education – Australia / New Zealand

Authorising commands on ProCurve/AOSS with RADIUS

Overview

A RADIUS server such as ClearPass can be used to control which commands an authenticated user can run on the CLI of a switch. Different users or user groups can be given granular access to CLI commands, using either an allow list (only the listed commands run) or a deny list (every command runs except those listed).


How it works

When the NAS (switch) sends the RADIUS server a valid user name and password, the RADIUS server (ClearPass) sends an Access-Accept packet that contains two additional attributes (command list and the command exception flag). When an authenticated user enters a command on the switch, the switch checks whether the user has permission to execute that command.


After the Access-Accept packet is delivered, the command list resides on the switch. Any changes to the user's command list on the RADIUS server are not seen until the user is authenticated again.


The table "HPE command string and exception" in the Access Security Guide shows how to combine the HP-Command-String and HP-Command-Exception attributes for various outcomes.


Process

This document assumes a working ClearPass and switch configuration, with switch logins already authenticated by RADIUS, and focuses on the additional configuration needed to enable command authorisation. It extends and updates Jamie's "HPE Switch Management Authentication with ClearPass".


Switch Configuration

The key additional command on the switch is:

aaa authorization commands radius

You may want to keep an SSH session open on the switch as you test to make sure you don't lock yourself out.


ClearPass Configuration

Preparation

Make sure you have the latest RADIUS dictionary installed for Hewlett Packard Enterprise (31 or more entries). CPPM:Administration\Dictionaries\RADIUS

HPE RADIUS dictionary.jpg

Existing Service

I already had the Service "Switch Authentication - ProCurve_AOSS" for RADIUS logins to switches.

Service Switch Authentication - ProCurve_AOSS.png

Enforcement Profile

The existing profile was renamed to "Allow Access Profile - ProCurve AOSS Admin", and an additional profile, "Allow Access Profile - ProCurve AOSS Operator", was created.

ProCurve Switch enforcement profiles.png

The admin profile had to be modified so that all commands are allowed to run; otherwise the login would not complete. It is set up as a deny list: all commands run except those listed, and none are listed.

ProCurve Switch enforcement profiles - admin.png

The operator profile has a much more restrictive set of commands. Only the commands in the list will run:

ProCurve Switch enforcement profiles - operator.png

These enforcement profiles need to be linked in the Service.

Service Switch Authentication - ProCurve enforcement.png


Testing

Admin Group User

Logged in as "nadmin", a member of the network admins group:

bvcore01# conf
bvcore01(config)#

Successful login and full access to all commands.


Operator Group User

Logged in as "operator1", a member of the operators group:

bvcore01# conf
Not authorized to execute this command.
bvcore01# sh ver
Image stamp:
 /ws/swbuildm/maint_spokane_qaoff/code/build/btm(swbuildm_maint_spokane_qaoff_ma
int_spokane)
                Dec 21 2017 21:31:18
                K.16.02.0022m
                435
Boot Image:     Primary

Boot ROM Version:    K.15.30
bvcore01# chassislocate blink 1
bvcore01# ssh 172.20.100.9
Not authorized to execute this command.

Only commands in the enforcement profile for operators are able to run.
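To make the behaviour described under "How it works" and seen in the two test sessions above concrete, here is a small model of the switch-side check, written for this post as an added example; it is not code from the post, from ClearPass or from HPE. It assumes (none of this is stated on the page) that HP-Command-String is a semicolon-separated list of command patterns matched with shell-style wildcards, that HP-Command-Exception = 0 means "permit only the listed commands" and 1 means "permit everything except the listed commands", and it uses a tiny constructed keyword vocabulary to expand abbreviations such as "sh ver" the way the CLI does. The two profiles and the typed commands are constructed to mirror the admin and operator tests.

```python
"""Model of how an AOS-S switch applies HP-Command-String / HP-Command-Exception.

Added example (not switch, ClearPass or HPE code). Assumptions, not taken
from the post: attribute format, exception-flag semantics and the keyword
vocabulary used to expand CLI abbreviations.
"""
from fnmatch import fnmatchcase

# Assumed meaning of the two HP-Command-Exception values.
PERMIT_LIST = 0   # run only the commands in HP-Command-String
DENY_LIST = 1     # run everything except the commands in HP-Command-String

# Constructed vocabulary for abbreviation expansion ("sh ver" -> "show version").
# The real CLI parser has a far larger command tree; this is enough for the test.
KEYWORDS = ("show", "version", "configure", "chassislocate", "blink", "ssh")


def expand_abbreviations(command):
    """Expand each typed token to the unique keyword it abbreviates, if any."""
    words = []
    for token in command.split():
        matches = [k for k in KEYWORDS if k.startswith(token.lower())]
        words.append(matches[0] if len(matches) == 1 else token)
    return " ".join(words)


def parse_command_string(command_string):
    """Split the HP-Command-String value into individual command patterns."""
    return [e.strip() for e in command_string.split(";") if e.strip()]


def command_authorised(command, command_string, exception):
    """Return True if the switch should execute `command` for this session."""
    patterns = parse_command_string(command_string)
    canonical = expand_abbreviations(command)
    listed = any(fnmatchcase(canonical, p) for p in patterns)
    if exception == DENY_LIST:
        return not listed          # empty deny list => everything runs
    if exception == PERMIT_LIST:
        return listed              # only listed commands run
    raise ValueError(f"unexpected HP-Command-Exception value {exception!r}")


# Constructed profiles mirroring the two enforcement profiles in the post.
ADMIN_PROFILE = {"HP-Command-String": "", "HP-Command-Exception": DENY_LIST}
OPERATOR_PROFILE = {
    "HP-Command-String": "show version;show interface*;chassislocate *",
    "HP-Command-Exception": PERMIT_LIST,
}


def authorise_session(profile, commands):
    """Return {typed command: allowed} using the list delivered at login.

    The list is evaluated as received in the Access-Accept; a later change
    on the RADIUS server is not seen until the user authenticates again.
    """
    return {
        c: command_authorised(c, profile["HP-Command-String"],
                              profile["HP-Command-Exception"])
        for c in commands
    }


if __name__ == "__main__":
    # Constructed command sequence taken from the operator test above.
    typed = ["conf", "sh ver", "chassislocate blink 1", "ssh 172.20.100.9"]
    for user, profile in (("nadmin", ADMIN_PROFILE), ("operator1", OPERATOR_PROFILE)):
        for cmd, ok in authorise_session(profile, typed).items():
            verdict = "ok" if ok else "Not authorized to execute this command."
            print(f"{user:10} {cmd:24} {verdict}")
```

Running the block prints every command as allowed for nadmin, and for operator1 only "sh ver" and "chassislocate blink 1" as allowed, matching the session output above. The point worth noticing in the admin profile is that an empty command string with the deny-list flag is what makes the login complete: with the permit-list flag and an empty list, nothing would be authorised.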

The Access Tracker view

AccessTracker output for operator1.png


Console

The console port is currently not configured for RADIUS login, so you can always connect with a serial console cable if RADIUS authorisation locks you out of SSH.

Richard Litchfield, HPE Aruba
Network Solution Architect
Network Ambassador