Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

obtaining root access via ssh to controllers using CPPM as radius

  • 1.  obtaining root access via ssh to controllers using CPPM as radius

    Posted Dec 11, 2017 04:16 PM

    I recently created a new service in CPPM to allow management access via radius auth to my controllers. This seems to work as expected when using the WebUI login. Aruba-Admin-Role correctly passes VSA 'root' or 'read-only' depending on user. When I SSH to the controller I get placed into the non-enabled prompt even with 'root VSA'.  I realized "enabled" is not the same as root but I'm wondering if there is a way to configure it so a user with root priv would get placed into the enabled role automatically without having to type 'enable' then enable password.


    Thanks,

    Mike



  • 2.  RE: obtaining root access via ssh to controllers using CPPM as radius

    EMPLOYEE
    Posted Dec 11, 2017 04:18 PM


  • 3.  RE: obtaining root access via ssh to controllers using CPPM as radius

    Posted Dec 12, 2017 09:52 AM

    Thanks for the replies.


    @Colin: What would happen if the ssh user was granted read-only privileges via CPPM VSA? Would they also be dumped into the enabled level if enable bypass is, um, enabled? On the same vein, it appears a read-only user who connects via ssh can type enable and if they know the password they will be elevated. Is that correct? I would have almost expected the enable command to be denied for read-only users.


    @Tim: All in good time re: TACACS+. The service isn't enabled yet on CPPM though that may well happen soon for other network devices.  Because the controllers do not make use of any returned attributes from a TACACS+ server I saw no reason to jump start the service on CPPM at this time. We're going from a local mgmt user to radius authn on the controllers so that's progress.



  • 4.  RE: obtaining root access via ssh to controllers using CPPM as radius

    EMPLOYEE
    Posted Dec 12, 2017 09:55 AM
    Mike - you can't really do much on an Aruba controller without enable. That's why we recommend everyone use enable bypass. Returning read-only admin as the role will not allow config changes.


  • 5.  RE: obtaining root access via ssh to controllers using CPPM as radius

    Posted Dec 13, 2017 09:44 AM

    True, which is a discussion for another day. Consider a scenario where we have very junior staff that I'd like to have provision/rename/regroup APs but whom I do not feel comfortable giving root access.



  • 6.  RE: obtaining root access via ssh to controllers using CPPM as radius

    EMPLOYEE
    Posted Dec 11, 2017 04:19 PM
    Just curious, why are you using RADIUS instead of TACACS+?

    To your question, you'd need to set 'enable bypass' on the controller(s).
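The thread turns on what CPPM returns in the Aruba-Admin-Role VSA ('root' or 'read-only') and on the controller's 'enable bypass' setting. The following is an added example, not code from this thread, from CPPM or from HPE Aruba: it encodes that VSA the way RFC 2865 defines Vendor-Specific attributes (type 26, vendor ID, then vendor sub-attributes) and parses it back, so you can confirm from a packet capture or a RADIUS test tool which role a controller is actually being handed. The vendor ID 14823 and vendor-type 4 for Aruba-Admin-Role are assumptions taken from the Aruba RADIUS dictionary; adjust the two constants if your dictionary differs.

```python
"""
Added example (not from the thread, CPPM or HPE Aruba): build and parse an
RFC 2865 Vendor-Specific attribute carrying Aruba-Admin-Role, and sanity-check
the returned role against the two roles the thread discusses.
"""
import struct
from typing import List, Optional, Tuple

RADIUS_ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 attribute 26 (Vendor-Specific)
ARUBA_VENDOR_ID = 14823               # assumed: Aruba's enterprise number
ARUBA_ADMIN_ROLE_VENDOR_TYPE = 4      # assumed: Aruba-Admin-Role in the Aruba dictionary

# Management roles mentioned in the thread as values of Aruba-Admin-Role
KNOWN_ADMIN_ROLES = {"root", "read-only"}


def build_aruba_admin_role(role: str) -> bytes:
    """Encode one Vendor-Specific attribute whose only sub-attribute is Aruba-Admin-Role."""
    value = role.encode("ascii")
    # inner vendor sub-attribute: vendor-type (1 byte) + vendor-length (1 byte) + value
    vendor_attr = struct.pack("!BB", ARUBA_ADMIN_ROLE_VENDOR_TYPE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + vendor_attr
    # outer attribute: type (1 byte) + length (1 byte) + body
    return struct.pack("!BB", RADIUS_ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(raw: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths.

    Works for both the outer attribute list and the vendor sub-attribute list,
    since both use the same type/length/value layout.
    """
    attrs = []
    pos = 0
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > len(raw):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return attrs


def extract_admin_role(raw: bytes) -> Optional[str]:
    """Return the Aruba-Admin-Role string from an attribute list, or None if absent."""
    for atype, value in parse_attributes(raw):
        # a VSA body must hold at least the 4-byte vendor ID plus a 2-byte sub-header
        if atype != RADIUS_ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != ARUBA_VENDOR_ID:
            continue                      # some other vendor's VSA, not Aruba's
        # one VSA may carry several vendor sub-attributes; walk them all
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == ARUBA_ADMIN_ROLE_VENDOR_TYPE:
                return vvalue.decode("ascii", errors="replace")
    return None


def classify_accept(raw: bytes) -> str:
    """Summarise what a controller would see: a known role, an unknown role, or none.

    An unexpected role value is worth alerting on, since the controller's
    mapping of that string to management rights is what decides access.
    """
    role = extract_admin_role(raw)
    if role is None:
        return "no-admin-role"
    if role in KNOWN_ADMIN_ROLES:
        return f"known:{role}"
    return f"unknown:{role}"


if __name__ == "__main__":
    # constructed sample: the Access-Accept attributes CPPM would send for a root admin
    sample = build_aruba_admin_role("root")
    print(sample.hex())
    print(classify_accept(sample))
```

The parser deliberately refuses attributes whose length byte is below 2 or runs past the buffer, which is the check a controller or sniffer must make before trusting any length field in a RADIUS packet.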