Wired Intelligent Edge

last person joined: 6 hours ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

2FA for SSH access to Aruba AOS-S switches

This thread has been viewed 24 times
  • 1.  2FA for SSH access to Aruba AOS-S switches

    Posted Aug 04, 2021 12:48 PM
    Has any enabled 2FA for SSH access to Aruba switches? My customer is asking to do this using Okta. From what I can tell we need a radius proxy to send the login request to Okta. The customer is currently using Cisco ISE. Any feedback is appreciated.

    ------------------------------
    Steve
    ------------------------------


  • 2.  RE: 2FA for SSH access to Aruba AOS-S switches

    Posted Aug 04, 2021 12:57 PM
    We do it for all of our switches.  From the switch perspective it's just doing RADIUS auth but we enforce 2FA as a part of the RADIUS authentication process.  We use ClearPass for our RADIUS server (with Duo for the 2FA portion) but it should work exactly the same for Okta.  The main thing to keep in mind is that since the switch doesn't know about the 2FA step you can't really use OTP's since the switch won't prompt for the second factor.  There are ways around that (appending the OTP to the normal password with a separator character, etc.) but they're not great.  We do everything with push notifications and it works really well.

    ------------------------------
    David King
    ------------------------------



  • 3.  RE: 2FA for SSH access to Aruba AOS-S switches

    Posted Aug 04, 2021 02:05 PM

    Thank you David, this is very helpful!

     

    Regards,

    Steve

     

    Steve Cromie

    Enterprise Architect

    Dasher Technologies, A Converge Company

    We take IT personally

     

    M: 408-442-6682
    steve.cromie@dasher.com

     






  • 4.  RE: 2FA for SSH access to Aruba AOS-S switches

    Posted Aug 20, 2021 04:46 PM
    Does the 2FA only apply to ssh connections and not serial connections to the switch console?  I'd like to set our switches up link this too, but if that's not the case, my worry would be that I could get into a situation where I accidentally did something to mess up the default gateway, management address, or switch uplink, etc and the switch wouldn't be a be able to talk to the RADIUS server any more, and I would no longer be able to log in.  Or....is that just a cost of improving security, and the solution is 1.) Don't mess up like that (which is already my plan) and then 2.) if you do, you reset to factory config and put your configuration back from a backup?

    ------------------------------
    Adam Forsyth
    ------------------------------



  • 5.  RE: 2FA for SSH access to Aruba AOS-S switches

    Posted Aug 22, 2021 01:53 PM
    The switch knows nothing about 2FA.  You just configure it to use RADIUS for authentication and enforce any authentication requirements (2FA, time of day, etc.) in the RADIUS server itself.

    With regards to your actual question, it's totally configurable.  If you want a factory reset to be your only means of recovery you can do that but I wouldn't recommend it :)  The way I have my switches configured is like this:

    radius-server host xx.xx.xx.xx key ***********
    aaa authentication login privilege-mode
    aaa authentication console login radius local
    aaa authentication console enable radius local
    aaa authentication telnet login radius local
    aaa authentication telnet enable radius local
    aaa authentication web login radius local
    aaa authentication web enable radius local
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local


    For each method of access (ie. ssh, console, web, etc.) you can configure what you want to use for both login and enable.  Additionally you can configure both a primary and fallback authentication option.  The primary authentication method will be tried first and, if it's not accessible, then the backup method will be used.  Note that if the primary auth method (in this case RADIUS) returns an access-deny the backup method will NOT be tried.  The only way to authenticate as a local user is if the RADIUS servers aren't reachable.  Does that make sense?

    The way I have it configured, in normal operation all users must authenticate via RADIUS and 2FA is enforced (via push notifications) for all users.  It's not possible to authenticate as a local user.  If the radius servers are ever unreachable (which would be a very bad day, indeed!) then you can authenticate as a local admin user and there would be no 2FA requirement.

    Does that answer your questions?


    ------------------------------
    David King
    ------------------------------