Wired Intelligent Edge


radius authentication methods for SSH on AOS-S switches

  • 1.  radius authentication methods for SSH on AOS-S switches

    Posted Sep 13, 2021 05:18 PM
    Hi All,

    I posted before about using Okta service for "2FA". ClearPass is not part of the solution right now, and it was decided to use the Okta RADIUS proxy agent. However, it looks like the following are the only authentication protocols it supports.

    The Okta RADIUS Server agent:

    • Is a lightweight program that runs as a system service.
    • Tunnels communication between on-premises services and Okta's cloud service.
    • Delegates authentication to Okta using single-factor authentication (SFA) or multi-factor authentication (MFA).
    • Supports the Password Authentication Protocol (PAP).
    • Supports EAP Generic Token Card (EAP-GTC).
      Currently only supported by NetMotion mobility.
    • Supports EAP Tunneled Transport Layer Security (EAP-TTLS).
      Currently the Cisco Meraki and Cisco ASA RADIUS apps support configuration for EAP-TTLS.
    • Supports UDP, defaulting to port 1812, using multiple ports simultaneously.

    I believe the switches only support CHAP and MSCHAPv2.  Is there anything on the AOS-S switches that can support one of these other methods?

    Thanks,
    Steve


    ------------------------------
    Steve
    ------------------------------


  • 2.  RE: radius authentication methods for SSH on AOS-S switches

    Posted Sep 14, 2021 09:16 AM
    My AOS-S (and AOS-CX) switches are using PAP for RADIUS auth. If you need to do CHAP or MSCHAPv2 I'm guessing you could get that working with EAP-TTLS, but it wouldn't be straightforward.

    ------------------------------
    David King
    ------------------------------



  • 3.  RE: radius authentication methods for SSH on AOS-S switches

    Posted Sep 15, 2021 12:00 PM
    What does your config look like? These are the options I see on mine.
    (config)# aaa authentication ssh login
    local Use local switch user/password database.
    tacacs Use TACACS+ server.
    radius Use RADIUS server.
    peap-mschapv2 Use RADIUS server with PEAP-MSChapv2.
    public-key Use local switch public key authentication database.
    certificate Use the X.509 certificate.

    ------------------------------
    Steve
    ------------------------------



  • 4.  RE: radius authentication methods for SSH on AOS-S switches

    Posted Sep 15, 2021 12:03 PM
    The 'radius' option is PAP in disguise. Here's what my config looks like:

    aaa authentication login privilege-mode
    aaa authentication console login radius local
    aaa authentication console enable radius local
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local

    ------------------------------
    David King
    ------------------------------
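As an added illustration that is not part of this thread: what "the radius option is PAP" means on the wire, following RFC 2865, a client hides the PAP User-Password with the shared secret so a RADIUS server or proxy can recover the cleartext and delegate it (as the Okta agent does), whereas a CHAP-Password is a hash the server can only verify if it already holds the cleartext password. The shared secret, authenticator and passwords below are constructed values.

```python
"""Added example (not from the thread): PAP User-Password hiding
(RFC 2865 section 5.2) versus CHAP-Password (section 5.3)."""
import hashlib


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a PAP User-Password: pad to a 16-byte multiple, then XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    assert len(authenticator) == 16, "Request Authenticator is 16 bytes"
    padded = password + b"\x00" * (-len(password) % 16)
    padded = padded or b"\x00" * 16  # an empty password still yields one block
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(block, key))  # ciphertext block feeds the next key
        out += prev
    return bytes(out)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: what a RADIUS server or proxy does with the shared secret."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip the padding; assumes no trailing NULs in the password


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value = Ident byte + MD5(Ident + password + CHAP-Challenge).
    The verifier must hold the cleartext password to recompute this."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password: bytes, password: bytes, challenge: bytes) -> bool:
    """True if the CHAP-Password was computed from this password and challenge."""
    return chap_response(chap_password[0], password, challenge) == chap_password
```

Note that PAP's protection rests entirely on the RADIUS shared secret and on MD5, which is why the RADIUS hop between switch and proxy should stay on a trusted management network.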



  • 5.  RE: radius authentication methods for SSH on AOS-S switches

    Posted Sep 15, 2021 07:32 PM
    Oh man... the documentation shows this.

    aaa authentication <console|telnet|ssh|web|<enable|login <local|radius>> web-based|mac-based <chap-radius|peap-radius>>

    And the CLI shows these two as the only options.
    radius Use RADIUS server.
    peap-mschapv2 Use RADIUS server with PEAP-MSChapv2.

    So I assumed radius = chap-radius.

    I'll give it a try. Thank you!



    ------------------------------
    Steve
    ------------------------------