Wired Intelligent Edge

last person joined: 20 hours ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Expand all | Collapse all

Allow local "manager" account even if RADIUS is available

This thread has been viewed 47 times
  • 1.  Allow local "manager" account even if RADIUS is available

    Posted May 07, 2018 11:18 AM

    I have configured my 2920 switch to do RADIUS authentication, which works as expected, however I would also like to allow the local "manager" account to log in even if RADIUS is responding in the case where the RADIUS server is up but maybe the back-end user database is not responding correctly. I realize this is an edge case. Is there a way to do this in Aruba OS? I'm on version 16.02.

     

    -Scott



  • 2.  RE: Allow local "manager" account even if RADIUS is available

    EMPLOYEE
    Posted May 07, 2018 02:51 PM

    Greetings!

     

    When configuring access methods for switch management access, the 'aaa authentication <feature>' commands provide the ability to configure both a primary and secondary authentication method. If you'd like RADIUS to be the primary method and local username/password to be the secondary, you would use the following commands (these cover console/SSH login and enable access, as well as access to the Web UI):

     

    switch(config)# aaa authentication console login radius local 
    switch(config)# aaa authentication console enable radius local 
    switch(config)# aaa authentication ssh login radius local 
    switch(config)# aaa authentication ssh enable radius local 
    switch(config)# aaa authentication web login radius local 
    switch(config)# aaa authentication web enable radius local 
    

    You can find more background info and suggestions in the ArubaOS-Switch Hardening Guide, as well as the Access Security Guide.



  • 3.  RE: Allow local "manager" account even if RADIUS is available
    Best Answer

    Posted May 07, 2018 03:05 PM

    Thanks for the reply, however that's not exactly what I was asking. I actually opened a support ticket with the HPE support portal, and they confirmed that there is no configuration which allows the local user database to be used when the RADIUS server is available.



  • 4.  RE: Allow local "manager" account even if RADIUS is available

    Posted Mar 21, 2023 02:43 PM

    Hi Scott,

    I'm having same issue using Ansible.

    Does support help you with this subject?

    Regards




  • 5.  RE: Allow local "manager" account even if RADIUS is available

    Posted Mar 21, 2023 02:44 PM

    Hi Scott,

    I have the similar problem using Ansible.

    Does support help you with it?

    Regards




  • 6.  RE: Allow local "manager" account even if RADIUS is available

    Posted Mar 23, 2023 01:03 PM

    I'm surprised TAC told you this isn't possible... my switches are configured this way, it works fine.  I just tested to confirm--I can use a radius login, or a local login, even with the radius server available.  Have you tried adding aaa authentication allow-failthrough to your config?




  • 7.  RE: Allow local "manager" account even if RADIUS is available

    EMPLOYEE
    Posted Mar 28, 2023 04:09 AM

    The aaa authentication allow-failthrough command is for AOS-CX, not available on AOS-Switch, like the 2920.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: Allow local "manager" account even if RADIUS is available

    Posted Mar 28, 2023 09:07 AM

    My mistake, for some reason I thought this was a CX topic. 




  • 9.  RE: Allow local "manager" account even if RADIUS is available

    EMPLOYEE
    Posted Mar 29, 2023 06:20 AM

    No problem, it's not always clear what equipment and versions posters use. And it's good to know that it is supported in AOS-CX.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 10.  RE: Allow local "manager" account even if RADIUS is available

    Posted Mar 28, 2023 09:26 AM

    Thank you very much Herman for your answer,

    This year our 2920's will be replaced by models supporting AOS-CX software, so it is good to know.

    Regards

    Rafal