Security

There doesn;t seem to be much docn ( i.e. examples)  on using the  changing TACACS+ password on next login option in a CPPM Local User  account.

I have a 2930 switch running  fairly new firmware

as part of the confgi I have aaa authentication login privilege-mode set up so  when i log in I don;t have to type  enable<cr> enter username/password 

I can quite happily set the cppm checkbox and log into t e switch. at no point an i prompted to enter another password  burt looking in the cppm local user  table, the change tacacs password  checkbox has been cleared.


Tried removing the  login privilege-mode statement so I had to type enable .... no differnce .
Anyone using this in conjunction with  arubsa 2930 switrches

Cppm is 6.9.5 BTW

Rgds
Alex

------------------------------
Alex Sharaz
------------------------------

Hi Alex,

Maybe my TACACS template will help you.

tacacs-server host 1.2.3.4 key "mysecret"
tacacs-server host 1.2.3.5 key "mysecret"
tacacs-server timeout 5
aaa authentication login privilege-mode

###SSH###
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local

###TELNET###
aaa authentication telnet login tacacs local
aaa authentication telnet enable tacacs local

###CONSOLE###
aaa authentication console login tacacs local
aaa authentication console enable tacacs local

aaa authorization commands auto

no web-management management-url
no telnet-server
​

------------------------------
Marcel Koedijk | MVP Guru 2021 | ACMP | ACCP | ACDA | Ekahau ECSE | Not an HPE Employee | Opionions are my own
------------------------------

Original Message:
Sent: Apr 01, 2021 06:24 PM
From: Alex Sharaz
Subject: Changing tacacs+ password

There doesn;t seem to be much docn ( i.e. examples)  on using the  changing TACACS+ password on next login option in a CPPM Local User  account.

I have a 2930 switch running  fairly new firmware

as part of the confgi I have aaa authentication login privilege-mode set up so  when i log in I don;t have to type  enable<cr> enter username/password 

I can quite happily set the cppm checkbox and log into t e switch. at no point an i prompted to enter another password  burt looking in the cppm local user  table, the change tacacs password  checkbox has been cleared.


Tried removing the  login privilege-mode statement so I had to type enable .... no differnce .
Anyone using this in conjunction with  arubsa 2930 switrches

Cppm is 6.9.5 BTW

Rgds
Alex

------------------------------
Alex Sharaz
------------------------------

If I remember correctly, the ArubaOS Switch does not support password changes over TACACS+. You can ask your Aruba Partner or Aruba SE to add your request for this feature which is already registered as SWITCH-I-509.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Apr 01, 2021 06:24 PM
From: Alex Sharaz
Subject: Changing tacacs+ password

There doesn;t seem to be much docn ( i.e. examples)  on using the  changing TACACS+ password on next login option in a CPPM Local User  account.

I have a 2930 switch running  fairly new firmware

as part of the confgi I have aaa authentication login privilege-mode set up so  when i log in I don;t have to type  enable<cr> enter username/password 

I can quite happily set the cppm checkbox and log into t e switch. at no point an i prompted to enter another password  burt looking in the cppm local user  table, the change tacacs password  checkbox has been cleared.


Tried removing the  login privilege-mode statement so I had to type enable .... no differnce .
Anyone using this in conjunction with  arubsa 2930 switrches

Cppm is 6.9.5 BTW

Rgds
Alex

------------------------------
Alex Sharaz
------------------------------

Ah!

ok. Many thanks

Rgds
Alex


Original Message:
Sent: 4/8/2021 5:29:00 AM
From: Herman Robers
Subject: RE: Changing tacacs+ password

If I remember correctly, the ArubaOS Switch does not support password changes over TACACS+. You can ask your Aruba Partner or Aruba SE to add your request for this feature which is already registered as SWITCH-I-509.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Apr 01, 2021 06:24 PM
From: Alex Sharaz
Subject: Changing tacacs+ password

There doesn;t seem to be much docn ( i.e. examples)  on using the  changing TACACS+ password on next login option in a CPPM Local User  account.

I have a 2930 switch running  fairly new firmware

as part of the confgi I have aaa authentication login privilege-mode set up so  when i log in I don;t have to type  enable<cr> enter username/password 

I can quite happily set the cppm checkbox and log into t e switch. at no point an i prompted to enter another password  burt looking in the cppm local user  table, the change tacacs password  checkbox has been cleared.


Tried removing the  login privilege-mode statement so I had to type enable .... no differnce .
Anyone using this in conjunction with  arubsa 2930 switrches

Cppm is 6.9.5 BTW

Rgds
Alex

------------------------------
Alex Sharaz
------------------------------