Regular Contributor I

obtaining root access via ssh to controllers using CPPM as radius

I recently created a new service in CPPM to allow management access via RADIUS auth to my controllers. This seems to work as expected when using the WebUI login. Aruba-Admin-Role correctly passes VSA 'root' or 'read-only' depending on user. When I SSH to the controller I get placed into the non-enabled prompt even with the 'root' VSA. I realize "enabled" is not the same as root, but I'm wondering if there is a way to configure it so a user with root privileges would get placed into the enabled role automatically without having to type 'enable' and then the enable password.

Thanks,

Mike

Guru Elite

Re: obtaining root access via ssh to controllers using CPPM as radius

You could go ahead and eliminate anyone from having to type enable.


http://www.arubanetworks.com/techdocs/ArubaOS_65x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/enable_bypass.htm?Highlight=enable-bypass

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Guru Elite

Re: obtaining root access via ssh to controllers using CPPM as radius

Just curious, why are you using RADIUS instead of TACACS+?

To your question, you'd need to set 'enable bypass' on the controller(s).

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
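To make the mechanics discussed above concrete, here is an added Python example (not from this thread, nor Aruba's or CPPM's own code) that decodes the Aruba-Admin-Role VSA out of a RADIUS Access-Accept attribute block and states where the SSH session lands with and without enable bypass. It assumes Aruba's enterprise number 14823 and vendor-type 4 for Aruba-Admin-Role, as published in the FreeRADIUS Aruba dictionary; verify both against the dictionary loaded in your CPPM.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823   # assumption: Aruba enterprise number (FreeRADIUS dictionary.aruba)
ARUBA_ADMIN_ROLE = 4      # assumption: vendor-type of Aruba-Admin-Role in that dictionary


def parse_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS TLV attribute blob, rejecting truncation."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def aruba_admin_role(attrs: bytes):
    """Return the Aruba-Admin-Role string from an Access-Accept, or None if absent."""
    for atype, value in parse_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        # Vendor data is itself a sequence of (vendor-type, vendor-length, value).
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == ARUBA_ADMIN_ROLE:
                return vvalue.decode("ascii", errors="replace")
    return None


def ssh_landing(role, enable_bypass: bool) -> str:
    """Where an SSH login lands, as described in the thread; role still bounds privileges."""
    if role is None:
        return "no Aruba-Admin-Role returned: no management role assigned"
    if enable_bypass:
        return f"enable prompt immediately, role {role}"
    return f"non-enabled prompt, role {role}; 'enable' plus enable password required"


def build_vsa(role: str) -> bytes:
    """Constructed sample: encode Aruba-Admin-Role as RFC 2865 VSA bytes (for testing)."""
    inner = bytes([ARUBA_ADMIN_ROLE, 2 + len(role)]) + role.encode("ascii")
    body = struct.pack("!I", ARUBA_VENDOR_ID) + inner
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


# Constructed Access-Accept attributes: Reply-Message (type 18) followed by the VSA.
SAMPLE_ACCEPT = bytes([18, 4]) + b"ok" + build_vsa("root")
```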
Regular Contributor I

Re: obtaining root access via ssh to controllers using CPPM as radius

Thanks for the replies.


@Colin: What would happen if the SSH user was granted read-only privileges via CPPM VSA? Would they also be dumped into the enabled level if enable bypass is, um, enabled? In the same vein, it appears a read-only user who connects via SSH can type enable and, if they know the password, they will be elevated. Is that correct? I would have almost expected the enable command to be denied for read-only users.

@Tim: All in good time re: TACACS+. The service isn't enabled yet on CPPM, though that may well happen soon for other network devices. Because the controllers do not make use of any returned attributes from a TACACS+ server, I saw no reason to jump-start the service on CPPM at this time. We're going from a local mgmt user to RADIUS authn on the controllers, so that's progress.

Guru Elite

Re: obtaining root access via ssh to controllers using CPPM as radius

Mike - you can't really do much on an Aruba controller without enable. That's why we recommend everyone use enable bypass. Returning read-only admin as the role will not allow config changes.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: obtaining root access via ssh to controllers using CPPM as radius

True, which is a discussion for another day. Consider a scenario where we have very junior staff whom I'd like to have provision/rename/regroup APs but whom I do not feel comfortable giving root access.