RADIUS authentication for REST has been introduced in Aruba switches in 16.08. However, not all switches support this feature.
- 3810 switch running software KB.16.09.0001
- ClearPass server running 188.8.131.52814
On the switch the following configuration is required:
- Configure a RADIUS server
- Enable authentication for REST for login mode
- Enable authentication for REST for enable mode
- Enable REST Interface
Also, make sure that HTTP and/or HTTPS is enabled on the switch; prefer HTTPS so that REST login credentials are not sent in clear text.
On the RADIUS server (ClearPass):
- Add the switch in Devices
- Create a PROFILE
- Create a POLICY
- Create a Service
- Call the Policy in the Service Enforcement
Also make sure that the user is added to the Local User Repository or to whichever other authentication source will be used.
Now, to enable RADIUS authentication for REST, apply the following configuration on the switch:
These are the REST-specific commands that are required.
10.13.13.12 is the IP address of the ClearPass server.
The command "rest-interface" is used to enable REST on the switch.
The rest of the configuration is done on the ClearPass server as follows:
1) Add the switch to the ClearPass server under Devices and use the same key as the one used on the switch in the "radius-server host" command.
The switch IP used in this example is 10.13.13.13.
2) Create a profile:
You can name the profile as you desire.
Click on the Attributes tab and configure the following:
3) Configure the Service as follows:
4) Under the Authentication tab, select PAP under Authentication Methods and Local User Repository under Authentication Sources:
5) Finally, click on the Enforcement tab and select the policy that defines the condition:
On the switch, verify with the command:
show logging (very useful while troubleshooting)
On the ClearPass server, check the Access Tracker once a login attempt is made.