2FA for SSH access to Aruba AOS-S switches

  • 1.  2FA for SSH access to Aruba AOS-S switches

    Posted Aug 04, 2021 12:48 PM
    Has any enabled 2FA for SSH access to Aruba switches? My customer is asking to do this using Okta. From what I can tell we need a radius proxy to send the login request to Okta. The customer is currently using Cisco ISE. Any feedback is appreciated.

    ------------------------------
    Steve
    ------------------------------


  • 2.  RE: 2FA for SSH access to Aruba AOS-S switches

    Posted Aug 04, 2021 12:57 PM
    We do it for all of our switches.  From the switch perspective it's just doing RADIUS auth but we enforce 2FA as a part of the RADIUS authentication process.  We use ClearPass for our RADIUS server (with Duo for the 2FA portion) but it should work exactly the same for Okta.  The main thing to keep in mind is that since the switch doesn't know about the 2FA step you can't really use OTPs since the switch won't prompt for the second factor.  There are ways around that (appending the OTP to the normal password with a separator character, etc.) but they're not great.  We do everything with push notifications and it works really well.

    ------------------------------
    David King
    ------------------------------



  • 3.  RE: 2FA for SSH access to Aruba AOS-S switches

    Posted Aug 04, 2021 02:05 PM

    Thank you David, this is very helpful!

    Regards,
    Steve

    Steve Cromie
    Enterprise Architect
    Dasher Technologies, A Converge Company
    We take IT personally
    M: 408-442-6682
    steve.cromie@dasher.com


  • 4.  RE: 2FA for SSH access to Aruba AOS-S switches

    Posted Aug 20, 2021 04:46 PM
    Does the 2FA only apply to ssh connections and not serial connections to the switch console?  I'd like to set our switches up like this too, but if that's not the case, my worry would be that I could get into a situation where I accidentally did something to mess up the default gateway, management address, or switch uplink, etc. and the switch wouldn't be able to talk to the RADIUS server any more, and I would no longer be able to log in.  Or... is that just a cost of improving security, and the solution is 1.) Don't mess up like that (which is already my plan) and then 2.) if you do, you reset to factory config and put your configuration back from a backup?

    ------------------------------
    Adam Forsyth
    ------------------------------



  • 5.  RE: 2FA for SSH access to Aruba AOS-S switches

    Posted Aug 22, 2021 01:53 PM
    The switch knows nothing about 2FA.  You just configure it to use RADIUS for authentication and enforce any authentication requirements (2FA, time of day, etc.) in the RADIUS server itself.

    With regards to your actual question, it's totally configurable.  If you want a factory reset to be your only means of recovery you can do that but I wouldn't recommend it :)  The way I have my switches configured is like this:

    radius-server host xx.xx.xx.xx key ***********
    aaa authentication login privilege-mode
    aaa authentication console login radius local
    aaa authentication console enable radius local
    aaa authentication telnet login radius local
    aaa authentication telnet enable radius local
    aaa authentication web login radius local
    aaa authentication web enable radius local
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local


    For each method of access (i.e. ssh, console, web, etc.) you can configure what you want to use for both login and enable.  Additionally you can configure both a primary and fallback authentication option.  The primary authentication method will be tried first and, if it's not accessible, then the backup method will be used.  Note that if the primary auth method (in this case RADIUS) returns an access-deny the backup method will NOT be tried.  The only way to authenticate as a local user is if the RADIUS servers aren't reachable.  Does that make sense?

    The way I have it configured, in normal operation all users must authenticate via RADIUS and 2FA is enforced (via push notifications) for all users.  It's not possible to authenticate as a local user.  If the radius servers are ever unreachable (which would be a very bad day, indeed!) then you can authenticate as a local admin user and there would be no 2FA requirement.

    Does that answer your questions?


    ------------------------------
    David King
    ------------------------------
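    The "radius local" fallback semantics David describes above, modelled as an added Python example (not code from the thread or from HPE Aruba): the RADIUS server does the password check and the out-of-band push approval, while the switch only sees accept, reject or timeout. User names, passwords and the push-approval set are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum


class RadiusResult(Enum):
    ACCEPT = "access-accept"
    REJECT = "access-reject"
    TIMEOUT = "unreachable"


# Constructed sample data: directory users known to RADIUS, and the
# local admin account that only exists on the switch itself.
DIRECTORY = {"alice": "Secret1!", "bob": "Hunter2!"}
LOCAL_ADMINS = {"manager": "localOnly!"}


@dataclass
class RadiusServer:
    reachable: bool = True
    push_approved: set = field(default_factory=set)  # users who tapped "approve"


def radius_auth(server: RadiusServer, user: str, password: str) -> RadiusResult:
    """Server-side policy (hypothetical): password check, then 2FA push."""
    if not server.reachable:
        return RadiusResult.TIMEOUT
    if DIRECTORY.get(user) != password:
        return RadiusResult.REJECT
    # The switch never sees this step; the push is approved out of band.
    if user not in server.push_approved:
        return RadiusResult.REJECT
    return RadiusResult.ACCEPT


def switch_login(server: RadiusServer, user: str, password: str,
                 methods=("radius", "local")) -> str:
    """Evaluate an AOS-S style method list such as 'ssh login radius local'.
    Returns which method granted access ('radius' or 'local') or 'denied'."""
    for method in methods:
        if method == "radius":
            result = radius_auth(server, user, password)
            if result is RadiusResult.ACCEPT:
                return "radius"
            if result is RadiusResult.REJECT:
                return "denied"  # access-reject is final: backup NOT tried
            continue  # TIMEOUT: server unreachable, fall through to backup
        if method == "local":
            return "local" if LOCAL_ADMINS.get(user) == password else "denied"
    return "denied"
```

    Note that the local admin only works when RADIUS times out; a valid local password is still refused while the RADIUS server is up and answering.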