Allow local "manager" account even if RADIUS is available

  • 1.  Allow local "manager" account even if RADIUS is available

    Posted May 07, 2018 11:18 AM

    I have configured my 2920 switch to do RADIUS authentication, which works as expected; however, I would also like to allow the local "manager" account to log in even if RADIUS is responding in the case where the RADIUS server is up but maybe the back-end user database is not responding correctly. I realize this is an edge case. Is there a way to do this in Aruba OS? I'm on version 16.02.

    -Scott



  • 2.  RE: Allow local "manager" account even if RADIUS is available

    Posted May 07, 2018 02:51 PM

    Greetings!

    When configuring access methods for switch management access, the 'aaa authentication <feature>' commands provide the ability to configure both a primary and secondary authentication method. If you'd like RADIUS to be the primary method and local username/password to be the secondary, you would use the following commands (these cover console/SSH login and enable access, as well as access to the Web UI):

    switch(config)# aaa authentication console login radius local 
    switch(config)# aaa authentication console enable radius local 
    switch(config)# aaa authentication ssh login radius local 
    switch(config)# aaa authentication ssh enable radius local 
    switch(config)# aaa authentication web login radius local 
    switch(config)# aaa authentication web enable radius local 
    

    You can find more background info and suggestions in the ArubaOS-Switch Hardening Guide, as well as the Access Security Guide.



  • 3.  RE: Allow local "manager" account even if RADIUS is available
    Best Answer

    Posted May 07, 2018 03:05 PM

    Thanks for the reply; however, that's not exactly what I was asking. I actually opened a support ticket with the HPE support portal, and they confirmed that there is no configuration which allows the local user database to be used when the RADIUS server is available.
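
An added example, not written by any poster in this thread or by Aruba/HPE: a Python check that reads a saved switch configuration and reports which of the six access paths from reply 2 do not have the `radius local` method order. The function names and the sample configuration are constructed for illustration, and the check only reads `aaa authentication` lines in the form shown in reply 2.

```python
import re

# Access methods and privilege levels covered by the commands in reply 2.
EXPECTED = [(a, l) for a in ("console", "ssh", "web") for l in ("login", "enable")]

# Accepts a bare config line or one pasted with a "switch(config)#" prompt.
AAA_RE = re.compile(
    r"^\s*(?:\S+\(config\)#\s*)?aaa authentication (\S+) (login|enable) (\S+)(?: (\S+))?\s*$"
)

def parse_aaa(config_text):
    """Map (access, level) -> (primary, secondary or None)."""
    methods = {}
    for line in config_text.splitlines():
        m = AAA_RE.match(line)
        if m:
            access, level, primary, secondary = m.groups()
            methods[(access, level)] = (primary, secondary)
    return methods

def audit(config_text):
    """Return (path, problem) pairs for paths without a 'radius local' order."""
    methods = parse_aaa(config_text)
    findings = []
    for key in EXPECTED:
        name = "%s %s" % key
        if key not in methods:
            findings.append((name, "not set explicitly in this config"))
            continue
        primary, secondary = methods[key]
        if primary != "radius":
            findings.append((name, "primary is '%s', not radius" % primary))
        elif secondary != "local":
            findings.append((name, "no local secondary method configured"))
    return findings

# Constructed sample input (not taken from a real switch).
SAMPLE = """\
hostname "lab-2920"
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication ssh login radius
aaa authentication ssh enable radius local
aaa authentication web login radius local
"""

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print("%-16s %s" % (name, problem))
```

A clean result means the local account is configured as the secondary method on every path; per reply 3, that secondary is not consulted while the RADIUS server is available.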