Wired Intelligent Edge


Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.

radius authentication methods for SSH on AOS-S switches

  • 1.  radius authentication methods for SSH on AOS-S switches

    Posted 12 days ago
    Hi  All,

    I posted before about using the Okta service for "2FA". ClearPass is not part of the solution right now, and it was decided to use the Okta RADIUS proxy agent. However, it looks like the following are the only authentication protocols it supports.

    The Okta RADIUS Server agent:

    • Is a lightweight program that runs as a system service.
    • Tunnels communication between on-premises services and Okta's cloud service.
    • Delegates authentication to Okta using single-factor authentication (SFA) or multi-factor authentication (MFA).
    • Supports the Password Authentication Protocol (PAP).
    • Supports EAP Generic Token Card (EAP-GTC).
      Currently only supported by NetMotion mobility.
    • Supports EAP Tunneled Transport Layer Security (EAP-TTLS).
      Currently the Cisco Meraki and Cisco ASA RADIUS apps support configuration for EAP-TTLS.
    • Supports UDP, defaulting to port 1812, using multiple ports simultaneously.

    I believe the switches only support CHAP and MSCHAPv2.  Is there anything on the AOS-S switches that can support one of these other methods?

    Thanks,
    Steve


    ------------------------------
    Steve
    ------------------------------


  • 2.  RE: radius authentication methods for SSH on AOS-S switches

    Posted 11 days ago
    My AOS-S (and AOS-CX) switches are using PAP for RADIUS auth. If you need to do CHAP or MSCHAPv2, I'm guessing you could get that working with EAP-TTLS, but it wouldn't be straightforward.

    ------------------------------
    David King
    ------------------------------



  • 3.  RE: radius authentication methods for SSH on AOS-S switches

    Posted 10 days ago
    What does your config look like? These are the options I see on mine.
    (config)# aaa authentication ssh login
    local Use local switch user/password database.
    tacacs Use TACACS+ server.
    radius Use RADIUS server.
    peap-mschapv2 Use RADIUS server with PEAP-MSChapv2.
    public-key Use local switch public key authentication database.
    certificate Use the X.509 certificate.

    ------------------------------
    Steve
    ------------------------------



  • 4.  RE: radius authentication methods for SSH on AOS-S switches

    Posted 10 days ago
    The 'radius' option is PAP in disguise.  Here's what my config looks like

    aaa authentication login privilege-mode
    aaa authentication console login radius local
    aaa authentication console enable radius local
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local

    ------------------------------
    David King
    ------------------------------
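The distinction behind "PAP in disguise" is worth seeing on the wire. With the plain `radius` login method the switch sends the user's password in a User-Password attribute that is only obfuscated (RFC 2865 section 5.2: the password is XORed with MD5 chains keyed by the shared secret and the Request Authenticator), so the RADIUS server, or anyone who captures the packet and knows the shared secret, can recover the cleartext. That is exactly what a proxy such as the Okta RADIUS agent needs in order to check the password against a backend that it does not share hashes with. CHAP (RFC 1994, RFC 2865 section 5.3) sends only MD5(id || password || challenge), which a server can verify only if it already holds the cleartext password itself; MS-CHAPv2 likewise needs the NT hash. The following is an added example, not code from the thread or from Aruba or Okta, that encodes and decodes both attribute types with a minimal RADIUS packet builder so the two behaviours can be compared offline. The shared secret, user names, passwords and the NAS-Identifier value are constructed for the example; real values come from the switch's RADIUS server configuration.

```python
"""Minimal RFC 2865 RADIUS helpers: PAP User-Password vs CHAP-Password.

Added example for illustration; not code from the forum thread, Aruba or Okta.
The secret, users and passwords used by callers are constructed test data.
"""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD = 1, 2, 3
ATTR_NAS_IDENTIFIER, ATTR_CHAP_CHALLENGE = 32, 60


def pap_encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 octets and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator. This is reversible obfuscation keyed by the shared secret only."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode_password: what the server (or an observer holding
    the shared secret and a capture) does to get the cleartext back."""
    if not encoded or len(encoded) % 16:
        raise ValueError("User-Password length must be a non-zero multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")  # removes padding; a password ending in NUL is ambiguous


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 s5.3 / RFC 1994: CHAP-Password = ident || MD5(ident || password || challenge).
    The verifier must hold the cleartext password to recompute this."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Encode code(1) id(1) length(2) authenticator(16) followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes):
    """Decode a RADIUS packet into (code, ident, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator, attrs, pos = data[4:20], [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, authenticator, attrs


def pap_access_request(username: bytes, password: bytes, secret: bytes,
                       ident: int = 1, nas_id: bytes = b"aos-s-switch") -> bytes:
    """Shape of the request sent for 'aaa authentication ssh login radius' (PAP)."""
    authenticator = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, pap_encode_password(password, secret, authenticator)),
             (ATTR_NAS_IDENTIFIER, nas_id)]
    return build_packet(CODE_ACCESS_REQUEST, ident, authenticator, attrs)


def recover_pap_password(packet: bytes, secret: bytes) -> bytes:
    """Server side for PAP: the cleartext password is available to the server,
    which is why a proxy can forward it to a backend for checking."""
    _, _, authenticator, attrs = parse_packet(packet)
    return pap_decode_password(dict(attrs)[ATTR_USER_PASSWORD], secret, authenticator)


def chap_access_request(username: bytes, password: bytes, chap_id: int = 7,
                        nas_id: bytes = b"aos-s-switch") -> bytes:
    """Shape of a CHAP request: only a challenge/response pair leaves the NAS."""
    challenge = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_CHAP_PASSWORD, chap_response(chap_id, password, challenge)),
             (ATTR_CHAP_CHALLENGE, challenge),
             (ATTR_NAS_IDENTIFIER, nas_id)]
    return build_packet(CODE_ACCESS_REQUEST, 2, os.urandom(16), attrs)


def verify_chap(packet: bytes, password_db: dict) -> bool:
    """Server side for CHAP: needs the user's cleartext password from its own
    store; it cannot hand the exchange to a backend that only checks passwords."""
    _, _, _, attrs = parse_packet(packet)
    a = dict(attrs)
    pw = password_db.get(a[ATTR_USER_NAME])
    resp, challenge = a[ATTR_CHAP_PASSWORD], a[ATTR_CHAP_CHALLENGE]
    return pw is not None and resp == chap_response(resp[0], pw, challenge)
```

The practical consequence for the setup in this thread: with the `radius` method the only thing protecting the SSH password between the switch and the Okta agent is the RADIUS shared secret and the network path, so keep that path on the management network and use a long, random secret.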



  • 5.  RE: radius authentication methods for SSH on AOS-S switches

    Posted 10 days ago
    Oh man.....the documentation shows this.

    aaa authentication <console|telnet|ssh|web|<enable|login <local|radius>> web-based|mac-based <chap-radius|peap-radius>>

    And the CLI shows these two as the only options.
    radius Use RADIUS server.
    peap-mschapv2 Use RADIUS server with PEAP-MSChapv2.

    So I assumed radius = chap-radius.

    I'll give it a try. Thank you!



    ------------------------------
    Steve
    ------------------------------