Requirement:RADIUS authentication for REST has been introduced in Aruba switches in 16.08. However, not all switches support this feature.
Setup used:
- 3810 - Running on software - KB.16.09.0001
- Clearpass Server - Running on 6.7.0.101814
Solution:
On the switch the following configuration is required:
- Configure a RADIUS server
- Enable authentication for REST for login mode
- Enable authentication for REST for enable mode
- Enable REST Interface
Also, make sure that http and/or https is enabled on the switch.
On the RADIUS Server (Clearpass):
- Add the switch in Devices
- Create a PROFILE
- Create a POLICY
- Create a Service
- Call the Policy in the Service Enforcement
Also make sure that the User is added in the Local User Repository or any other Authentication source that will be used.
Configuration:Now, in order to achieve RADIUS Authentication for REST, configure the switch with the following configuration:
These are the REST specific commands that are required.
The IP address 10.13.13.12 is of the Clearpass server.
The command "rest-interface" is used to enable REST on the switch.
The rest of the configuration has to be done on the Clearpass server as follows:
1) Add the switch in the Clearpass server in Devices and use the same key as the one used on the switch in the "radius-server host " command.
The switch IP used in this example is 10.13.13.13.
2) Create a profile :
You can name the profile as you desire.
Click on the Attributes TAB and configure the following:
3) Configure the Service as follows:
4) Under the authentication TAB select PAP and Local User Repository in the Authentication Methods and Authentication Sources respectively:
5) Finally, click on the Enforcement TAB and select the policy that defines the condition:
VerificationOn the switch verify with the command:
show rest-interface
show logging -------- Very useful while troubleshooting
On the Clearpass Server check the Access Tracker once a login attempt is made.