Education - Australia / New Zealand


Authorising commands on ProCurve/AOSS with RADIUS


    Posted Feb 06, 2018 08:29 AM

    Overview

    A RADIUS server such as ClearPass can be used to control which commands an authenticated user may run on the switch CLI. Different users or user groups can be given granular access to CLI commands, based on either a permit list (only the listed commands run) or a deny list (everything runs except the listed commands).

    How it works

    When the NAS (the switch) sends the RADIUS server a valid user name and password, the RADIUS server (ClearPass) returns an Access-Accept packet carrying two additional attributes: the command list (HP-Command-String) and the command exception flag (HP-Command-Exception). When the authenticated user then enters a command on the switch, the switch checks that list locally to decide whether the user is permitted to execute it.

    Once the Access-Accept packet has been delivered, the command list resides on the switch. Any change to the user's command list on the RADIUS server is not seen until that user authenticates again, so an existing session keeps its old permissions.

    The table "HPE command string and exception" in the Access Security Guide shows how to combine the HP-Command-String and HP-Command-Exception attributes for the various outcomes.

    Process

    This document assumes a working ClearPass and switch configuration, with switch logins already authenticated by RADIUS, and focusses on the additional config to enable command authorisation. It extends and updates Jamie's "HPE Switch Management Authentication with ClearPass".


    Switch Configuration

    The key additional command on the switch is:

    aaa authorization commands radius

    Keep a second SSH session open on the switch while you test, so that a mistake in the enforcement profile does not lock you out.

    ClearPass Configuration

    Preparation

    Make sure the latest RADIUS dictionary for Hewlett Packard Enterprise (31 or more entries) is installed, under CPPM:Administration\Dictionaries\RADIUS.

    [Screenshot: HPE RADIUS dictionary.jpg]

    Existing Service

    I already had the Service "Switch Authentication - ProCurve_AOSS" for RADIUS logins to switches.

    [Screenshot: Service Switch Authentication - ProCurve_AOSS.png]

    Enforcement Profile

    The existing profile was renamed to "Allow Access Profile - ProCurve AOSS Admin", and an additional profile "Allow Access Profile - ProCurve AOSS Operator" was created.

    [Screenshot: ProCurve Switch enforcement profiles.png]

    The admin profile had to be modified to allow all commands to run (otherwise the login would not complete): the exception flag is set so that every command runs except those listed, and no commands are listed.

    [Screenshot: ProCurve Switch enforcement profiles - admin.png]

    The operator profile has a much more restrictive set of commands. Only the commands in the list will run:

    [Screenshot: ProCurve Switch enforcement profiles - operator.png]

    These enforcement profiles then need to be linked in the Service.

    [Screenshot: Service Switch Authentication - ProCurve enforcement.png]

    Testing

    Admin Group User

    Logged in as "nadmin", a member of the network admins group:

    bvcore01# conf
    bvcore01(config)#

    Successful login and full access to all commands.


    Operator Group User

    Logged in as "operator1", a member of the operators group:

    bvcore01# conf
    Not authorized to execute this command.
    bvcore01# sh ver
    Image stamp:
     /ws/swbuildm/maint_spokane_qaoff/code/build/btm(swbuildm_maint_spokane_qaoff_ma
    int_spokane)
                    Dec 21 2017 21:31:18
                    K.16.02.0022m
                    435
    Boot Image:     Primary
    
    Boot ROM Version:    K.15.30
    bvcore01# chassislocate blink 1
    bvcore01# ssh 172.20.100.9
    Not authorized to execute this command.

    Only the commands in the operator enforcement profile are able to run; everything else is refused with "Not authorized to execute this command."

    The Access Tracker view:

    [Screenshot: AccessTracker output for operator1.png]
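    To make the switch-side check described under "How it works" concrete, here is a small Python model of it, written as an added example for this post (it is not Aruba/HPE code and does not talk to a switch). It replays the two enforcement profiles above against the commands typed in the test session. Assumptions, labelled in the code: HP-Command-Exception uses 0 for "permit only the listed commands" and 1 for "permit everything except the listed commands"; HP-Command-String holds semicolon-separated patterns with "*" wildcards; the operator list is taken to be "show *;chassislocate *" (the post does not print it); and a tiny constructed vocabulary stands in for the switch's command tree so that abbreviations such as "sh ver" expand before matching, as they do on the switch.

```python
import fnmatch

# HP-Command-Exception values (assumption based on the HPE RADIUS dictionary:
# 0 = only listed commands run, 1 = all commands run except those listed).
PERMIT_LIST = 0
DENY_LIST = 1

# Constructed vocabulary used only to expand CLI abbreviations the way the
# switch does before authorisation ("sh ver" -> "show version"). A real
# switch has a far larger command tree; this is an illustration.
KNOWN_WORDS = ["show", "version", "configure", "chassislocate", "blink",
               "ssh", "interfaces", "running-config"]

# The two enforcement profiles from the post, expressed as the RADIUS
# attributes they return. The operator command list is an assumption.
ADMIN_PROFILE = {
    "HP-Command-String": "",            # nothing excepted ...
    "HP-Command-Exception": DENY_LIST,  # ... so every command runs
}
OPERATOR_PROFILE = {
    "HP-Command-String": "show *;chassislocate *",  # assumed permit list
    "HP-Command-Exception": PERMIT_LIST,
}


def expand_command(command):
    """Expand each abbreviated token to the unique known word it prefixes.

    Tokens that match no known word (IP addresses, numbers) or that are
    ambiguous are kept exactly as typed, so they never match a pattern
    by accident.
    """
    words = []
    for token in command.strip().split():
        low = token.lower()
        candidates = [w for w in KNOWN_WORDS if w.startswith(low)]
        if low in KNOWN_WORDS:
            words.append(low)
        elif len(candidates) == 1:
            words.append(candidates[0])
        else:
            words.append(token)
    return " ".join(words)


def parse_command_string(value):
    """Split an HP-Command-String value into lower-cased patterns."""
    return [p.strip().lower() for p in value.split(";") if p.strip()]


def is_authorized(command, profile):
    """Model the check the switch makes when the user enters a command.

    The list was delivered in the Access-Accept and now lives on the
    switch, so this is a purely local decision per command.
    """
    expanded = expand_command(command).lower()
    patterns = parse_command_string(profile["HP-Command-String"])
    matched = any(fnmatch.fnmatchcase(expanded, p) for p in patterns)
    if profile["HP-Command-Exception"] == DENY_LIST:
        return not matched   # deny list: run unless explicitly listed
    return matched           # permit list: run only if listed


def replay_session(profile, commands):
    """Return {typed command: authorised?} for a list of commands."""
    return {c: is_authorized(c, profile) for c in commands}


if __name__ == "__main__":
    session = ["conf", "sh ver", "chassislocate blink 1", "ssh 172.20.100.9"]
    for name, profile in (("nadmin", ADMIN_PROFILE), ("operator1", OPERATOR_PROFILE)):
        for cmd, ok in replay_session(profile, session).items():
            print(f"{name:10} {cmd:25} {'ok' if ok else 'Not authorized'}")
```

    Note what the admin profile shows: a permit list with an empty HP-Command-String authorises nothing at all, which is why the post had to switch the admin profile to the "all except listed" form before the login would complete. The model also makes the caching behaviour easy to reason about: changing OPERATOR_PROFILE here has no effect on a session that already holds its own copy of the list, just as on the switch until the user re-authenticates.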

    Console

    The console port is currently not configured for RADIUS login, so a serial console cable always provides a way back in if command authorisation misbehaves.

    References