Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Admin logins to AOS-CX switches with Clearpass

  • 1.  Admin logins to AOS-CX switches with Clearpass

    Posted Aug 06, 2020 05:10 AM

    Good morning,

     

    We are moving from Windows NPS to Clearpass, amongst other things for logging on to our infrastructure devices. We have a mix of Aruba, ArubaOS-CX and Comware switches that are using NPS for admin logins with AD credentials without problems.

     

    I've created the same RADIUS service in Clearpass and changed the radius-server host to Clearpass. Login works for all 3 switch types, but for the ArubaOS-CX switches I am unable to execute any command with the message "Cannot execute command. Command not allowed."

     

    some screenshots of the working NPS return attributes:


    how this translates to Clearpass:

    This works for ArubaOS and Comware, but for ArubaOS-CX I can't get any commands executed.

     

    The AOS-CX device in Clearpass is configured with vendor name "Aruba"

     

    What I've tried:

    - move to TACACS instead of RADIUS - same thing, logon works but no commands

    - configure extra VSAs on the Clearpass enforcement profile to return to the switch: aruba-command-string (with some test commands), aruba-priv-admin-user (value 7 and other) - same thing, aruba-user-group (administrators) - same thing

     

    AOS-CX version is:


    Any idea what I am missing?

     

    Kind regards,

    Kris



  • 2.  RE: Admin logins to AOS-CX switches with Clearpass

    Posted Aug 18, 2020 05:12 AM

    No ideas anybody?

     

    Thx,

    Kris



  • 3.  RE: Admin logins to AOS-CX switches with Clearpass
    Best Answer

    Posted Sep 23, 2020 08:21 AM

    Haven't tried with RADIUS but I had the same issue logging into an AOS-CX switch using ClearPass TACACS; resolved it by changing the return value for Aruba-Admin-Role to administrators.



  • 4.  RE: Admin logins to AOS-CX switches with Clearpass

    MVP GURU
    Posted Sep 23, 2020 08:36 AM

    Steve_L has a correct configuration. The administrator role will need to be returned to map a user to the right administrative role on the switch. administrators, auditors, and operators are built in. You can create your own roles with rules with the "user-group <groupname>" command. You can then set a set of CLI commands that are allowed to run, or which ones to deny.




  • 5.  RE: Admin logins to AOS-CX switches with Clearpass

    Posted Feb 22, 2021 10:36 AM
    I am also stuck here. I am getting an accept in access tracker with the following profile assigned. But the switch will randomly deny the connection even with ClearPass accepting it.

    I must be missing something. Here is the 6300 switch config for TACACS:






    ------------------------------
    Christopher Calhoun
    ------------------------------



  • 6.  RE: Admin logins to AOS-CX switches with Clearpass

    EMPLOYEE
    Posted Mar 15, 2021 10:23 AM
    If you want to make it work using RADIUS, check this link.

    https://techhub.hpe.com/eginfolib/Aruba/OS-CX_10.04/5200-6715/index.html#GUID-A6EDF055-3EAF-4409-B9EE-954C444A3770.html

    You need to return "Aruba-Admin-Role" and these are the defaults on the CX switch.

    6300-01# show user-group
    GROUP NAME      GROUP TYPE      INCLUDED GROUP      NUMBER OF RULES
    --------------  --------------  ------------------  -------------------
    administrators  built-in        n/a                 n/a
    auditors        built-in        n/a                 n/a
    operators       built-in        n/a                 n/a

    ------------------------------
    Glenn Firth
    ------------------------------
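The point made in replies 4 and 6 (AOS-CX maps the Aruba-Admin-Role string to a user-group, while an NPS-style profile that only returns Aruba-Priv-Admin-User gets an Access-Accept but no command rights) can be checked offline on the raw attribute bytes. The following is an added example, not code from this thread or from HPE/ClearPass; it uses the Aruba vendor ID 14823 and attribute numbers from the public Aruba RADIUS dictionary (Aruba-Priv-Admin-User = 3, Aruba-Admin-Role = 4), which you should verify against the dictionary loaded in your own ClearPass, and the sample Access-Accept attribute lists are constructed, not captured.

```python
import struct

ARUBA_VENDOR_ID = 14823        # Aruba enterprise number (public RADIUS dictionary)
ARUBA_PRIV_ADMIN_USER = 3      # Aruba-Priv-Admin-User, integer; used by AOS-Switch profiles
ARUBA_ADMIN_ROLE = 4           # Aruba-Admin-Role, string; what AOS-CX maps to a user-group
CX_BUILTIN_GROUPS = {"administrators", "auditors", "operators"}  # from "show user-group"

def encode_aruba_vsa(vsa_type: int, value: bytes) -> bytes:
    """Build one RFC 2865 Vendor-Specific attribute (type 26) in Aruba's sub-attribute format."""
    sub = struct.pack("!BB", vsa_type, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body

def decode_attrs(blob: bytes) -> list:
    """Walk a RADIUS attribute list; expand VSAs into (vendor_id, type, value) tuples."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        data = blob[i + 2:i + alen]
        if atype == 26 and len(data) >= 6:
            vendor, j = struct.unpack("!I", data[:4])[0], 4
            while j + 2 <= len(data):
                vtype, vlen = data[j], data[j + 1]
                if vlen < 2 or j + vlen > len(data):
                    raise ValueError("malformed vendor sub-attribute")
                out.append((vendor, vtype, data[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((None, atype, data))
        i += alen
    return out

def cx_admin_role(attrs, known_groups=CX_BUILTIN_GROUPS):
    """Role an AOS-CX switch would apply from these attributes, or (None, reason)."""
    for vendor, vtype, value in attrs:
        if vendor == ARUBA_VENDOR_ID and vtype == ARUBA_ADMIN_ROLE:
            role = value.decode("ascii", "replace")
            if role in known_groups:
                return role, "ok"
            return None, "Aruba-Admin-Role %r is not a user-group on the switch" % role
    if any(v == ARUBA_VENDOR_ID and t == ARUBA_PRIV_ADMIN_USER for v, t, _ in attrs):
        return None, "only Aruba-Priv-Admin-User returned; AOS-CX needs Aruba-Admin-Role"
    return None, "no Aruba-Admin-Role in Access-Accept"

# Constructed sample Access-Accept attribute lists (not real captures).
NPS_STYLE_ACCEPT = encode_aruba_vsa(ARUBA_PRIV_ADMIN_USER, struct.pack("!I", 7))
CX_STYLE_ACCEPT = encode_aruba_vsa(ARUBA_ADMIN_ROLE, b"administrators")

if __name__ == "__main__":
    for name, blob in (("NPS-style", NPS_STYLE_ACCEPT), ("CX-style", CX_STYLE_ACCEPT)):
        print(name, cx_admin_role(decode_attrs(blob)))
```

Pass a custom `known_groups` set to check a profile against user-groups you created with "user-group <groupname>" rather than only the three built-ins.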