08-12-2016 08:25 AM - edited 08-12-2016 08:27 AM
I am working through configuring TACACS+ on a 3810 and have a few questions that I haven't been able to find answers to.
1. Is it possible to change the login text, similar to how ACS can with a Cisco switch? Where when you SSH or console to the switch, the login and password text can be customized to something like Corp Username, Corp Password? It's a great way to immediately know when you are having issues between NAD and NAC.
2. Is it possible to log in with either AD or Local (local account to the switch, not CPPM) credentials, even when CPPM is up and working fine? I want to be able to fall back to local in case of AD account lockout or similar issues. I can only seemingly log in with local switch credentials when communication to CPPM is broken.
3. How can I make it so when I log in to the switch that I am placed directly in enable mode?
When all is said and done, I am happy to post a complete how-to. I haven't been able to find one, so I don't think I would be duplicating.
Thanks a million.
08-17-2016 01:59 AM
For question 1, do you mean changing the login prompts themselves? Not sure if that is possible. However, you can set a banner motd that is shown before a user logs in, and you can put in there that the switch is under central login:
    hp2530(config)# banner
     exec        Set the exec (post-login) banner.
     last-login  Enable the last-login banner that displays information about the last successful login and unsuccessful login attempts.
     motd        Set the message of the day banner.
For topics 2 and 3, please check the following video:
And as a summary for 2: put in both ClearPass and local, which will fall back to local if ClearPass fails authentication. In my environment I can use either ClearPass or local credentials:
    aaa authentication web login radius server-group "CPPM" local
    aaa authentication web enable radius server-group "CPPM" local
    aaa authentication ssh login radius server-group "CPPM" local
For item 3: the command you are likely missing:
aaa authentication login privilege-mode
The examples connect to ClearPass over RADIUS instead of TACACS, but in the end it should be very similar.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
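An added example, not part of the thread and not Aruba's own code: a Python check that reads a saved running-config and reports which management access methods have an `aaa authentication` line without a `local` secondary method, and whether `aaa authentication login privilege-mode` is present. The list of required access/level pairs and the sample config are assumptions constructed for illustration, and only the command forms quoted in the reply above are recognized.

```python
import re

# Recognizes the form quoted in the thread, e.g.
#   aaa authentication ssh login radius server-group "CPPM" local
AAA_RE = re.compile(
    r'^aaa authentication (?P<access>\S+) (?P<level>login|enable) '
    r'(?P<primary>\S+)(?: server-group "(?P<group>[^"]+)")?'
    r'(?: (?P<secondary>\S+))?\s*$'
)

# Assumption: the access/level pairs this site wants covered.
REQUIRED = (("ssh", "login"), ("ssh", "enable"),
            ("web", "login"), ("web", "enable"))

def parse_aaa(config_text):
    """Return ({(access, level): (primary, secondary)}, privilege_mode_set)."""
    methods, privilege_mode = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "aaa authentication login privilege-mode":
            privilege_mode = True
            continue
        m = AAA_RE.match(line)
        if m:
            methods[(m["access"], m["level"])] = (m["primary"], m["secondary"])
    return methods, privilege_mode

def audit(config_text, required=REQUIRED):
    """List findings: missing lines, missing local secondary, no privilege-mode."""
    methods, privilege_mode = parse_aaa(config_text)
    findings = []
    for access, level in required:
        if (access, level) not in methods:
            findings.append(f"{access} {level}: no aaa authentication line")
        elif methods[(access, level)][1] != "local":
            primary = methods[(access, level)][0]
            findings.append(f"{access} {level}: primary '{primary}' has no local secondary")
    if not privilege_mode:
        findings.append("aaa authentication login privilege-mode is not set")
    return findings

# Constructed sample: the lines from the reply plus one line lacking "local".
SAMPLE = '''
aaa authentication web login radius server-group "CPPM" local
aaa authentication web enable radius server-group "CPPM" local
aaa authentication ssh login radius server-group "CPPM" local
aaa authentication ssh enable radius server-group "CPPM"
aaa authentication login privilege-mode
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```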