How to configure Web GUI authentication with Radius on HPE Switches


You might have a requirement to configure Radius authentication for Web GUI access to HPE Switches. This allows users from a variety of groups to access the Web GUI of the switch with the appropriate level of access.

This solution has been tested and found to be working with Aruba-2930F running WC.16.04.0009, but this should more or less work with other models of Aruba OS switches as well.


This article covers the steps needed for getting the Web GUI authentication work with Radius


Firstly we need to configure the Radius server on the HPE Switch


(config)#radius-server host <Radius Server IP> key <Radius Shared Secret>

And then you could create a server group and map that server, however this step is optional and will help in cases where you have multiple Radius servers all of which can be added to the server group

aaa server-group radius <Server Group Name> host <IP address of the Radius server created>

The commands to enable Radius authentication for Web GUI access with local fallback are as below


(conf)#aaa authentication web login radius server-group <Server Group> local
(conf)#aaa authentication web enable radius server-group <Server Group> local

Please make sure that "local" is always added at the end so that the switch's local credentials allow you to get in incase of a Radius server failure.


Once this is done, the switch configuration is done and we can move on to the Radius server configuration.

There are 2 pre-defined access levels for HPE Switches "manager" and "operator" and they also apply to the WebGUI.

The attribute that you need to return from the Radius server for getting a manager level of access which is full access to everything is

Radius:IETF Service-Type = Administrative-User(6)

For letting a user login as operator, the attribute that you need to return is 

Radius:IETF Service-Type = NAS-Prompt-User (7)

Once the Radius server is configured to return these attributes for Manager and operator level of access respectively you should be able to have users login to the Web GUI with appropriate levels of access 



You can verify that users are able to login as Managers and operators depending on the attributes returned by the Radius server

Login page

After entering credentials and clicking login


You can see that the role is manager 


Based on the attributes returned by the Radius server which are 


for Manager role

Similarly for an operator we could see that they are getting the operator role

As per the attributes returned by the Radius server

for Operator level access


Version history
Revision #:
1 of 1
Last update:
3 weeks ago
Updated by:
Search Airheads
Showing results for 
Search instead for 
Did you mean: