Wired

I am researching using VSAs but I need to setup RADIUS first before I can start testing this feature. Is it required to have Clearpass for this?

I cannot seem to get the switch to authenticate with the NPS at all. 

Here are the following commands I entered into the CLI of the 2540:
radius-server host....
aaa authentication login privilege-mode
aaa authentication web enable radius local
wr mem

When I access the Web GUI in the browser it does not accept any of my domain user account logins. Any suggestions? I have read the Aruba Security Guide for ArubaOS but they do not go into great detail on how to get this configured. Very cryptic language if you ask me but I am not a network guru.

Thanks.

------------------------------
Anthony Berger
------------------------------

Hello, 

Did you test without "aaa authentication login privilege-mode"?
When you have this line in the configuration the switch expects to receive an Access Accept with the RADIUS attribute Service-Type and value 6 (manager) or 7 (operator).

While this option is enabled, a Service-Type value other than 6 or 7, or an unconfigured (null) Service-Type causes the switch to deny access to the requesting client.

So if your NPS is not configured to return this values please disable this option "no aaa authentication login privilege-mode"

More details about this command can be found here

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch06s04.html

------------------------------
Emil Gogushev
------------------------------

Original Message:
Sent: Feb 28, 2022 10:26 PM
From: Anthony Berger
Subject: RADIUS Authentication/Authorization

I am researching using VSAs but I need to setup RADIUS first before I can start testing this feature. Is it required to have Clearpass for this?

I cannot seem to get the switch to authenticate with the NPS at all. 

Here are the following commands I entered into the CLI of the 2540:
radius-server host....
aaa authentication login privilege-mode
aaa authentication web enable radius local
wr mem

When I access the Web GUI in the browser it does not accept any of my domain user account logins. Any suggestions? I have read the Aruba Security Guide for ArubaOS but they do not go into great detail on how to get this configured. Very cryptic language if you ask me but I am not a network guru.

Thanks.

------------------------------
Anthony Berger
------------------------------

Emil,

I have read that document already but it is not specific on what to enter in the NPS for it to authenticate user access to the switch either via SSH or Web.

------------------------------
Anthony Berger
------------------------------

Original Message:
Sent: Mar 01, 2022 02:48 AM
From: Emil Gogushev
Subject: RADIUS Authentication/Authorization

Hello, 

Did you test without "aaa authentication login privilege-mode"?
When you have this line in the configuration the switch expects to receive an Access Accept with the RADIUS attribute Service-Type and value 6 (manager) or 7 (operator).

While this option is enabled, a Service-Type value other than 6 or 7, or an unconfigured (null) Service-Type causes the switch to deny access to the requesting client.

So if your NPS is not configured to return this values please disable this option "no aaa authentication login privilege-mode"

More details about this command can be found here

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch06s04.html

------------------------------
Emil Gogushev

Original Message:
Sent: Feb 28, 2022 10:26 PM
From: Anthony Berger
Subject: RADIUS Authentication/Authorization

I am researching using VSAs but I need to setup RADIUS first before I can start testing this feature. Is it required to have Clearpass for this?

I cannot seem to get the switch to authenticate with the NPS at all. 

Here are the following commands I entered into the CLI of the 2540:
radius-server host....
aaa authentication login privilege-mode
aaa authentication web enable radius local
wr mem

When I access the Web GUI in the browser it does not accept any of my domain user account logins. Any suggestions? I have read the Aruba Security Guide for ArubaOS but they do not go into great detail on how to get this configured. Very cryptic language if you ask me but I am not a network guru.

Thanks.

------------------------------
Anthony Berger
------------------------------

Have to admin this is ridiculous that I cannot setup RADIUS authentication on a switch with NPS out of the box. No documentation on what to do on the NPS side of things. This was not difficult to do with Cisco but not everyone has the budget for that caddy. I guess you get what you pay for in the end....

I even found this tidbit hoping it would help but its for Aruba's controller and didnt work even trying to perform similar steps on the NPS...

https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=10129

------------------------------
Anthony Berger
------------------------------

Original Message:
Sent: Mar 01, 2022 07:42 PM
From: Anthony Berger
Subject: RADIUS Authentication/Authorization

Emil,

I have read that document already but it is not specific on what to enter in the NPS for it to authenticate user access to the switch either via SSH or Web.

------------------------------
Anthony Berger

Original Message:
Sent: Mar 01, 2022 02:48 AM
From: Emil Gogushev
Subject: RADIUS Authentication/Authorization

Hello, 

Did you test without "aaa authentication login privilege-mode"?
When you have this line in the configuration the switch expects to receive an Access Accept with the RADIUS attribute Service-Type and value 6 (manager) or 7 (operator).

While this option is enabled, a Service-Type value other than 6 or 7, or an unconfigured (null) Service-Type causes the switch to deny access to the requesting client.

So if your NPS is not configured to return this values please disable this option "no aaa authentication login privilege-mode"

More details about this command can be found here

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch06s04.html

------------------------------
Emil Gogushev

Original Message:
Sent: Feb 28, 2022 10:26 PM
From: Anthony Berger
Subject: RADIUS Authentication/Authorization

I am researching using VSAs but I need to setup RADIUS first before I can start testing this feature. Is it required to have Clearpass for this?

I cannot seem to get the switch to authenticate with the NPS at all. 

Here are the following commands I entered into the CLI of the 2540:
radius-server host....
aaa authentication login privilege-mode
aaa authentication web enable radius local
wr mem

When I access the Web GUI in the browser it does not accept any of my domain user account logins. Any suggestions? I have read the Aruba Security Guide for ArubaOS but they do not go into great detail on how to get this configured. Very cryptic language if you ask me but I am not a network guru.

Thanks.

------------------------------
Anthony Berger
------------------------------