How to configure Web GUI authentication with Radius on HPE Switches

Requirement:

You might have a requirement to configure Radius authentication for Web GUI access to HPE Switches. This allows users from a variety of groups to access the Web GUI of the switch with the appropriate level of access.

This solution has been tested and found to be working with Aruba-2930F running WC.16.04.0009, but this should more or less work with other models of Aruba OS switches as well.



Solution:

This article covers the steps needed to get Web GUI authentication working with Radius.



Configuration:

First, we need to configure the Radius server on the HPE Switch:

(config)#radius-server host <Radius Server IP> key <Radius Shared Secret>

You can then create a server group and map that server to it. This step is optional, but it helps when you have multiple Radius servers, all of which can be added to the server group:

(config)#aaa server-group radius <Server Group Name> host <IP address of the Radius server created>

The commands to enable Radius authentication for Web GUI access with local fallback are as follows:

(config)#aaa authentication web login radius server-group <Server Group> local
(config)#aaa authentication web enable radius server-group <Server Group> local

Please make sure that "local" is always added at the end so that the switch's local credentials allow you to get in in case of a Radius server failure.
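A way to check a saved switch configuration for the lines above, written as an added example that is not part of the original article. It assumes the saved config shows the commands in the same form as they are typed here; the function name audit_web_radius, the group name WEBGUI, the address 192.0.2.10 and the sample config are constructed for illustration.

```python
# Added example: audit a switch config for the web/RADIUS lines in this article.

# Constructed sample; the "enable" line deliberately omits the "local" fallback.
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10 key "example-secret"
aaa server-group radius "WEBGUI" host 192.0.2.10
aaa authentication web login radius server-group "WEBGUI" local
aaa authentication web enable radius server-group "WEBGUI"
"""

def audit_web_radius(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    servers, groups, web = set(), {}, {}
    for line in config.splitlines():
        tok = line.replace('"', "").split()
        if tok[:2] == ["radius-server", "host"] and len(tok) > 2:
            servers.add(tok[2])
        elif (tok[:3] == ["aaa", "server-group", "radius"]
              and tok[4:5] == ["host"] and len(tok) > 5):
            groups.setdefault(tok[3], set()).add(tok[5])
        elif tok[:3] == ["aaa", "authentication", "web"] and len(tok) > 4:
            web[tok[3]] = tok[4:]  # e.g. web["login"] = ["radius", ..., "local"]

    findings = []
    for mode in ("login", "enable"):
        methods = web.get(mode)
        if not methods:
            findings.append(f"web {mode}: not configured")
            continue
        if methods[0] != "radius":
            findings.append(f"web {mode}: primary method is not radius")
        if methods[-1] != "local":
            findings.append(f"web {mode}: no local fallback")
        if "server-group" in methods[:-1]:
            group = methods[methods.index("server-group") + 1]
            if group not in groups:
                findings.append(f"web {mode}: server group {group} is not defined")
            for host in sorted(groups.get(group, ())):
                msg = f"group {group}: host {host} has no radius-server entry"
                if host not in servers and msg not in findings:
                    findings.append(msg)
    return findings

if __name__ == "__main__":
    for finding in audit_web_radius(SAMPLE_CONFIG):
        print(finding)
```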

 

This completes the switch configuration, and we can move on to the Radius server configuration.

There are 2 pre-defined access levels for HPE Switches, "manager" and "operator", and they also apply to the Web GUI.

To give a user manager-level access, which is full access to everything, the Radius server needs to return the attribute

Radius:IETF Service-Type = Administrative-User (6)

To let a user log in as operator, the attribute that needs to be returned is

Radius:IETF Service-Type = NAS-Prompt-User (7)

Once the Radius server is configured to return these attributes for manager and operator levels of access respectively, users should be able to log in to the Web GUI with the appropriate level of access.

 



Verification:

You can verify that users are able to log in as managers or operators depending on the attributes returned by the Radius server.

[Screenshot: login page]

[Screenshot: after entering credentials and clicking login, the role shown is manager]

[Screenshot: attributes returned by the Radius server for the manager role]

Similarly, for an operator we can see that they get the operator role.

[Screenshot: attributes returned by the Radius server for operator-level access]

Version history: Revision 1 of 1. Last update: 02-27-2018 04:13 PM