This article walks through the CPPM and HPE switch configuration needed for switch management authentication against CPPM. We will look at using HP VSAs in the RADIUS Accept returned by CPPM to control which commands a user can execute.
This was tested using ClearPass 6.5 and an HPE 2920 switch running 16.01 (Beta) / 15.17.
Switch Side Config ::
Add CPPM as a RADIUS server:
radius-server host 10.163.232.198 key <value>
Create a server group containing the server(s):
aaa server-group radius "mgmt" host 10.163.232.198
Map the server group as the primary authentication source for the WebUI and SSH (local accounts remain the fallback):
aaa authentication web login radius server-group "mgmt" local
aaa authentication ssh login radius server-group "mgmt" local
Add the following so that an authenticated user drops directly into admin (Manager mode, in HPE terms) when the RADIUS Accept carries the standard Service-Type attribute with value 6:
aaa authentication login privilege-mode
Add the following to enable command authorization from the RADIUS Accept. This lets us send, through HP VSAs, the list of commands the user may or may not run:
aaa authorization commands radius
ClearPass Config ::
Create a new service with the attributes below; these service conditions are specific to HPE switch management authentication. If you want to limit the service to a particular switch, add the NAS IP as a condition as well.
Specify the authentication method as PAP and specify the authentication source. In this case I used the local user database; if you do the same, make sure a user exists in the local DB. I have a user called hpadmin for testing this.
No Role mapping is required.
Enforcement Policy : For now, use the default “Sample Allow Access Policy”. We will create a new enforcement profile and policy and map them to this service.
Enforcement Profile : Create an enforcement profile that returns the attributes we need as part of the RADIUS Accept.
Attributes ::
Service-Type = 6 (Administrative-User) sets the user to admin. If you want read-only access, send 7 (NAS-Prompt-User) instead.
The HP VSAs are used to specify which commands are allowed or denied.
Enforcement Policy :: Map the enforcement profile to the policy.
Finally, map the Enforcement Policy to the Service we have already created.
Testing ::
Clearpass :: Access Tracker shows a RADIUS Accept with the right enforcement policy and RADIUS return attributes.
HP Switch ::
Login succeeds, and any command containing "config" fails while the other commands work:
VJ-Edge-2530#
VJ-Edge-2530# show running-config
Not authorized to execute this command.
VJ-Edge-2530# configure
Not authorized to execute this command.
VJ-Edge-2530# configure terminal
Not authorized to execute this command.
VJ-Edge-2530# show run
Not authorized to execute this command.
VJ-Edge-2530# show version
Image stamp: /ws/swbuildm/rel_portland_qaoff/code/build/lakes(swbuildm_rel_portland_qaoff_rel_portland)
Aug 24 2015 12:18:22
YA.15.17.0008
284
Boot Image: Secondary
Boot ROM Version: YA.15.17
The command list VSA can be used to deny commands; I used config as an example. The meta characters ^ and $ specify the start and end of the command and force an exact match, i.e. ^configure$ blocks only configure and not the others (such as configure terminal). Multiple commands can be specified by separating them with ";" (without spaces), i.e. HP-Command-String = “^configure$;^show running-config$”
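To preview what an HP-Command-String value would deny before pushing it through a ClearPass enforcement profile, here is a small checker written for this article (it is not part of ClearPass or the switch firmware). It applies the matching rules described above: ^ and $ anchor a pattern for an exact match, an unanchored pattern matches any command containing it, and patterns are separated by ";" without spaces. Case-insensitive matching and whitespace normalisation of the typed command are assumptions; the sample command list is constructed for illustration.

```python
import re

# Constructed sample value of the HP-Command-String VSA (deny list).
SAMPLE_COMMAND_STRING = "^configure$;^show running-config$"


def parse_command_string(value: str) -> list:
    """Split an HP-Command-String value into its individual patterns.

    Empty elements (e.g. from a trailing ';') are dropped, because an
    empty regex would otherwise match every command.
    """
    return [p for p in value.split(";") if p]


def command_is_denied(command: str, command_string: str) -> bool:
    """Return True if the typed command matches any pattern in the list.

    ^ and $ in the pattern anchor it to the start/end of the command, so
    '^configure$' matches only 'configure'. A bare pattern such as
    'config' matches anywhere in the command line. Assumption: matching
    is case-insensitive and runs of whitespace are collapsed first.
    """
    normalised = " ".join(command.split())
    return any(
        re.search(pattern, normalised, flags=re.IGNORECASE)
        for pattern in parse_command_string(command_string)
    )


def lint_command_string(value: str) -> list:
    """Flag common mistakes in a command list before it is deployed."""
    warnings = []
    for p in value.split(";"):
        if p == "":
            warnings.append("empty pattern (stray ';'), would match every command")
        elif p != p.strip():
            warnings.append(f"pattern {p!r} has surrounding whitespace; use ';' without spaces")
        elif not (p.startswith("^") and p.endswith("$")):
            warnings.append(f"pattern {p!r} is unanchored and matches any command containing it")
    return warnings


if __name__ == "__main__":
    for cmd in ["configure", "configure terminal", "show running-config", "show version"]:
        verdict = "DENIED" if command_is_denied(cmd, SAMPLE_COMMAND_STRING) else "allowed"
        print(f"{cmd:25s} -> {verdict}")
    for w in lint_command_string("config;^configure$; ^show run$;"):
        print("warning:", w)
```

The real switch also rejected the abbreviated "show run" in the transcript above, so test the full command form here rather than relying on the checker to expand abbreviations.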