HPE Switch Management Authentication with ClearPass

Community Administrator

Courtesy of and created by: @vrajasimhan


This article walks through the ClearPass Policy Manager (CPPM) and HPE switch configuration needed to authenticate switch management sessions against CPPM. It also shows how HP vendor-specific attributes (VSAs) returned in the RADIUS Accept from CPPM control which commands a user can execute.

This was tested using ClearPass 6.5 and an HPE 2920 switch running software versions 16.01 (Beta) and 15.17.

Switch Side Config ::

Add CPPM as a RADIUS server:

radius-server host 10.163.232.198 key <value>

Create a server group containing the server(s):

aaa server-group radius "mgmt" host 10.163.232.198

Map the server group as the primary authentication source for the WebUI and SSH, with the local user database as the fallback:

aaa authentication web login radius server-group "mgmt" local

aaa authentication ssh login radius server-group "mgmt" local

Add the following so that an authenticated user drops directly to admin (in HPE terms, Manager mode) when CPPM returns the Service-Type attribute with value 6 in the RADIUS Accept:

aaa authentication login privilege-mode

Enable command authorization via RADIUS. This lets CPPM specify, through HP VSAs in the RADIUS Accept, which commands the user may run:

aaa authorization commands radius


ClearPass Config ::

Create a new service with the service rule attributes shown below (these are unique to HPE switches).

These attributes are unique to HPE switch management authentication. To restrict the service to a particular switch, add a NAS IP condition as well.

1.png

Specify PAP as the authentication method and specify the authentication source. In this case I have used the local DB. If you do the same, make sure at least one user exists in the local DB; I created a user called hpadmin for this test.

2.png

No Role mapping is required.

3.png

Enforcement Policy : For now, use the default "Sample Allow Access Policy". We will create a new enforcement profile and policy later and map them to this service.

4.png

Enforcement Profile : Create an enforcement profile that returns the attributes we require in the RADIUS Accept.

5.png

Attributes ::

Service-Type = 6 (Administrative-User) sets the user to Admin (Manager). For read-only (Operator) access, send 7 (NAS-Prompt-User) instead.

The HP VSAs specify which commands are allowed or disallowed.

6.png

Enforcement Policy :: Map the Enforcement Profile to the Policy

7.png

8.png


Finally, map the Enforcement Policy to the Service we have already created.

9.png

Testing ::

ClearPass :: Access Tracker shows the RADIUS Accept with the expected Enforcement Policy and RADIUS return attributes.

10.png

HP Switch ::

Login succeeds, and any command containing "config" fails while other commands work:

VJ-Edge-2530#
VJ-Edge-2530# show running-config
Not authorized to execute this command.
VJ-Edge-2530# configure
Not authorized to execute this command.
VJ-Edge-2530# configure terminal
Not authorized to execute this command.
VJ-Edge-2530# show run
Not authorized to execute this command.
VJ-Edge-2530# show version
Image stamp: /ws/swbuildm/rel_portland_qaoff/code/build/lakes(swbuildm_rel_portland_qaoff_rel_portland)
Aug 24 2015 12:18:22
YA.15.17.0008
284
Boot Image: Secondary
Boot ROM Version: YA.15.17

The command list VSA can be used to deny any commands; here I used "config" as the example, which is why "show running-config" and the abbreviated "show run" were blocked in the session above as well as "configure". The metacharacters ^ and $ mark the start and end of the word and force an exact match, so ^configure$ blocks only "configure" and not the others. Multiple commands can be given separated by ";" (without spaces), e.g. HP-Command-String = "^configure$;^show running-config$"
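As an added example (not part of the original article and not HPE's code), the following Python dry run applies the matching rules described above to a list of commands, so a deny list can be checked before the enforcement profile is pushed to ClearPass. It assumes each ";"-separated entry is evaluated as a regular expression with search semantics, and it uses a constructed abbreviation table because the session above shows "show run" being judged by its expanded form.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed abbreviation table (assumption). The article's session shows
# "show run" denied by a pattern that only matches "config", so the switch
# evidently tests the expanded command; this mimics that for the commands here.
EXPANSIONS: Dict[str, str] = {
    "show run": "show running-config",
    "conf t": "configure terminal",
}


def parse_command_string(vsa_value: str) -> List[str]:
    """Split an HP-Command-String value into its entries (';'-separated, no spaces)."""
    return [entry for entry in vsa_value.split(";") if entry]


def expand(command: str) -> str:
    """Collapse whitespace and expand known abbreviations (table above)."""
    command = " ".join(command.split())
    return EXPANSIONS.get(command, command)


def command_denied(command: str, vsa_value: str) -> bool:
    """True if the expanded command matches any deny-list entry.

    Assumption: each entry is a regular expression applied with search
    semantics, so a bare 'config' matches anywhere in the line while
    '^configure$' matches only that exact line."""
    full = expand(command)
    return any(re.search(entry, full) for entry in parse_command_string(vsa_value))


def dry_run(vsa_value: str, commands: Iterable[str]) -> List[Tuple[str, bool]]:
    """Evaluate a deny list against candidate commands; (command, denied) pairs."""
    return [(cmd, command_denied(cmd, vsa_value)) for cmd in commands]


# Constructed sample: the commands typed in the article's test session plus one extra.
SAMPLE_COMMANDS = ["show running-config", "configure", "configure terminal",
                   "show run", "show version", "show interfaces"]

if __name__ == "__main__":
    for vsa in ("config", "^configure$;^show running-config$"):
        print(f'HP-Command-String = "{vsa}"')
        for cmd, denied in dry_run(vsa, SAMPLE_COMMANDS):
            verdict = "Not authorized to execute this command." if denied else "allowed"
            print(f"  {cmd:<20} {verdict}")
```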

Version history: revision 2 of 2, last update 01-04-2016 07:58 AM
Comments
NaidaKukuruzovic

Hello,

Is it possible to have both switch management authentication with Clearpass and Manager username/password?

Since we have enabled ssh login authentication with ClearPass, it is not possible to log in to switches using the manager password, only our AD usernames/passwords.

We need to be able to login with manager password since we want to add the switches to AirWave and in order to do that we need to provide username/password and we do not want to put some username/password from AD.

Best Regards,

Naida
