New Contributor
Posts: 1
Registered: ‎04-05-2016

Various TACACS questions.

I am working through configuring TACACS+ on a 3810 and have a few questions that I haven't been able to find answers to.

 

1. Is it possible to change the login text, similar to how ACS can with a Cisco switch? Where when you SSH or console to the switch, the login and password text can be customized to something like Corp Username, Corp Password? It's a great way to immediately know when you are having issues between NAD and NAC.

 

2. Is it possible to log in with either AD or Local (local account to the switch, not CPPM) credentials, even when CPPM is up and working fine? I want to be able to fall back to local in case of AD account lockout or similar issues. I can only seemingly log in with local switch credentials when communication to CPPM is broken.

 

3. How can I make it so when I log in to the switch that I am placed directly in enable mode?

 

When all is said and done, I am happy to post a complete how-to. I haven't been able to find one, so I don't think I would be duplicating.

 

Thanks a million.

Aruba Employee
Posts: 398
Registered: ‎11-04-2011

Re: Various TACACS questions.

For question 1, do you mean changing the login prompts themselves? Not sure if that is possible. However, you can set a banner motd that is shown before a user logs in, and you can put in there that the switch is under central login:

hp2530(config)# banner
 exec                  Set the exec (post-login) banner.
 last-login            Enable the last-login banner that displays information about the last successful login and unsuccessful login attempts.
 motd                  Set the message of the day banner.

For topics 2 and 3, please check the following video: 

And as a summary for 2: put in both ClearPass and local, which will fall back to local if ClearPass fails authentication. In my environment I can use either ClearPass or local credentials:

aaa authentication web login radius server-group "CPPM" local
aaa authentication web enable radius server-group "CPPM" local
aaa authentication ssh login radius server-group "CPPM" local

For item 3: the command you are likely missing:

aaa authentication login privilege-mode

The examples connect to ClearPass over RADIUS instead of TACACS; but in the end it should be very similar.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
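
As an added example (not part of the original posts and not Aruba's code), the following Python sketch audits a saved switch configuration for the two settings discussed in this thread: whether each `aaa authentication` line names `local` as its secondary method, and whether `aaa authentication login privilege-mode` is present. The sample configuration is constructed, and the keywords `console`, `telnet`, `tacacs`, `none` and `authorized` in the pattern are assumptions beyond what the reply shows.

```python
import re

# Constructed sample: the three lines from the reply, plus a console line
# that lacks a local fallback, plus the privilege-mode command.
SAMPLE_CONFIG = '''\
aaa authentication web login radius server-group "CPPM" local
aaa authentication web enable radius server-group "CPPM" local
aaa authentication ssh login radius server-group "CPPM" local
aaa authentication console login radius server-group "CPPM"
aaa authentication login privilege-mode
'''

# Assumed line shape: access method, level, primary method, optional
# server group, optional secondary method.
AAA_LINE = re.compile(
    r'^aaa authentication (?P<access>console|telnet|ssh|web) '
    r'(?P<level>login|enable) (?P<primary>local|radius|tacacs)'
    r'(?: server-group "(?P<group>[^"]+)")?'
    r'(?: (?P<secondary>local|none|authorized))?\s*$'
)


def audit_aaa(config_text):
    """Report access methods with no local fallback and the privilege-mode state."""
    seen = {}
    privilege_mode = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "aaa authentication login privilege-mode":
            privilege_mode = True
            continue
        m = AAA_LINE.match(line)
        if m:
            # A later line for the same access/level overrides an earlier one.
            seen[(m["access"], m["level"])] = (m["primary"], m["secondary"])
    findings = []
    for (access, level), (primary, secondary) in sorted(seen.items()):
        # A remote primary without "local" as secondary is the lockout risk
        # raised in question 2.
        if primary != "local" and secondary != "local":
            findings.append(f"{access} {level}: {primary} has no local fallback")
    return {"privilege_mode": privilege_mode, "findings": findings}


if __name__ == "__main__":
    print(audit_aaa(SAMPLE_CONFIG))
```

Running it against a saved copy of the configuration before and after an AAA change shows which access methods would be left without a local fallback.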