Developer

last person joined: yesterday 

Expand all | Collapse all

Aruba CXOS REST API with Tacacs AAA

This thread has been viewed 21 times
  • 1.  Aruba CXOS REST API with Tacacs AAA

    Posted Jan 18, 2021 09:35 AM
    I'm building a new network for a customer with some CXOS 8320 switches in two separate VSXs. I've been happily using the REST API until I setup AAA to Clearpass which has resulted in me getting a 403 every time I try to read from an endpoint.

    I can SSH into the switches and perform all commands so I suspect it has something to do with authorisation.

    Here is my AAA config

    ```
    tacacs-server host clearpass.domain.com key ciphertext 12345 vrf mgmt
    !
    aaa group server tacacs clearpass
    server clearpass.domain.com vrf mgmt
    aaa authentication login ssh group tacacs local
    aaa authentication login console group tacacs local
    aaa authentication login https-server group tacacs local
    aaa authentication login default group tacacs local
    aaa authorization commands ssh group tacacs local
    aaa authorization commands console group local
    aaa authorization commands default group tacacs local
    ```

    And my HTTP configuration

    ```
    https-server vrf mgmt
    https-server rest access-mode read-write  # this is the default
    ```

    I can't find any tips in the cxos security doc and I can see any commands in the OS itself which look like they grant permissions for the API.

    Clearpass is sending an attribute of `priv-lvl 15` which should map to the local Adminstrators group. This appears to be working as when I login via SSH I have full read-write access.

    Any help much appreciated!

    Cheers,

    Lordboringhenry
    ​​

    ------------------------------
    Conor Cunningham
    ------------------------------


  • 2.  RE: Aruba CXOS REST API with Tacacs AAA

    Posted Jan 19, 2021 05:53 AM
    Hello,

    What do you have on the log ? (show events -r)

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 3.  RE: Aruba CXOS REST API with Tacacs AAA

    Posted Jan 19, 2021 11:05 AM
    Hello,

    Thanks for the correspondence. My event log shows this (thanks for that tip, wasn't aware of that command).

    2021-01-19T16:01:00.552271+00:00 ds1-tor-01 hpe-restd[2119]: Event|4605|LOG_INFO|AMM|-|Session ended for user bob, session bSu2gMh4ZqIfC2KNvd4I8Q==
    2021-01-19T16:01:00.550404+00:00 ds1-tor-01 hpe-restd[2119]: Event|4608|LOG_INFO|AMM|-|Authorization allowed for user bob, for resource SessionMgmt, with action POST
    2021-01-19T16:01:00.518497+00:00 ds1-tor-01 hpe-restd[2119]: Event|4606|LOG_ERR|AMM|-|Authorization failed for user bob, for resource Banner, with action GET
    2021-01-19T16:01:00.508342+00:00 ds1-tor-01 hpe-restd[2119]: Event|4604|LOG_INFO|AMM|-|Session started for user bob, session bSu2gMh4ZqIfC2KNvd4I8Q==
    2021-01-19T16:01:00.507759+00:00 ds1-tor-01 hpe-restd[2119]: Event|4602|LOG_INFO|AMM|-|Authentication succeeded for user bob in session bSu2gMh4ZqIfC2KNvd4I8Q==​

    I find it strange that authorisation for GET is denied, but is permitted for POST - I would typically expect that to be the other way around.

    I'll do some more digging and come back here with any other relevant logs and info.

    ------------------------------
    Conor Cunningham
    ------------------------------



  • 4.  RE: Aruba CXOS REST API with Tacacs AAA

    Posted Jan 19, 2021 12:51 PM
    Hi Conor,
    It does appear that the REST session is trying to authenticate (and one message makes it seem like it authenticated correctly).  Does this occur with every API call made, or any particular one?

    Thanks,
    Alvin

    ------------------------------
    Alvin Castro
    ------------------------------



  • 5.  RE: Aruba CXOS REST API with Tacacs AAA

    Posted Jan 19, 2021 01:33 PM
    Hi Alvin,

    I can confirm that my POST to Login does result in a 200 OK and a valid cookie. The request that I have been testing is GET /system/vlans which is failing with 403. Your question lead me to test a POST request which I did just now. I received a 405 method not supported when POSTing 
    {"id": 50, "name": "bob"}​
    to /system/vlans. Given that the response code was not 401 but 405 leads me to think that my session auth is OK. The problem of 405 is probably with my code/url/interpretation of the API spec.

    The issue isn't only affecting API access, it also prevents me from logging into the switch's GUI. For whatever reason I'm not managing to upload the image of the login failure message, but it reads 

    Login Failed
    User not authorized to login.
    Only members of built-in groups are allowed access​

    The message makes sense, but that I'm not a member of a group doesn't. According to the docs, priv-lvl 15 corresponds to the administrators group.

    Interestingly enough, I just noticed the following
    lance-the-builder# show user-group 
    GROUP NAME     GROUP TYPE     INCLUDED GROUP     NUMBER OF RULES    
    -------------- -------------- ------------------ -------------------
    administrators built-in       n/a                n/a                
    auditors       built-in       n/a                n/a                
    operators      built-in       n/a                n/a     
    
    lance-the-builder# show user information 
    Username             : conor
    Authentication type  : TACACS
    User group           : root
    User privilege level : N/A​
    It's interesting to note that according to the switch my user group is root and not administrators and that I have no privilege level as I assume the switch sees root and goes OK, you're the boss.

    I'm guessing that my challenge is to now not end up in the root group, but rather the administrators. I'm guessing that has something to do with what Clearpass is returning to the switch. I'll keep digging.

    ------------------------------
    Conor Cunningham
    ------------------------------



  • 6.  RE: Aruba CXOS REST API with Tacacs AAA

    Posted Jan 19, 2021 02:07 PM
    Thanks for the updated info, Conor.  I'll try contacting our Clearpass experts and try to understand and reproduce it on our side as well.

    ------------------------------
    Alvin Castro
    ------------------------------



  • 7.  RE: Aruba CXOS REST API with Tacacs AAA

    Posted Jan 19, 2021 02:46 PM
    do you have try with RADIUS ? (for RBAC)

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 8.  RE: Aruba CXOS REST API with Tacacs AAA

    Posted Jan 19, 2021 03:06 PM
    Hi Alvin,

    No, I hadn't but I was prepared to. Luckily however I think I have found and resolved the issue. My Clearpass service is being used for TACACs auth for our Mobility Master, controllers, HPE Comware switches and Cisco switches. Authentication and authorisation was working well for all of them with them getting priv-lvl 15. What I hadn't noticed was that I was sending the Enforcement Profile
    [ArubaOS Wireless - TACACS Root Access] which sends Aruba-Admin-Role = root ​

    This is why the CX switch was showing my user in the root group. I still a bit confused why the switch didn't give me a privilege level but did allow me to configure the switch.

    lance-the-builder# show user information 
    Username             : conor
    Authentication type  : TACACS
    User group           : root
    User privilege level : N/A​

    I changed the order of my Enforcement profiles so that the first profile to be executed contained the following VSAs:

    shell: priv-lvl = 15
    Aruba:Common: Aruba-Admin-Role = administrators
    AMP:https: role = Admin


    After doing this my user now appears as:

    lance-the-builder# show user info
    Username             : conor
    Authentication type  : TACACS
    User group           : administrators
    User privilege level : 15

    This has allowed me to login with the requisite authorisation via the API, SSH and the web GUI.

    Hoorah!

    Thank you for your help and advice along the way, Alvin! It is much appreciated.

    Cheers,

    Conor



    ------------------------------
    Conor Cunningham
    ------------------------------