Wired

I have configured my 2920 switch to do RADIUS authentication, which works as expected, however I would also like to allow the local "manager" account to log in even if RADIUS is responding in the case where the RADIUS server is up but maybe the back-end user database is not responding correctly. I realize this is an edge case. Is there a way to do this in Aruba OS? I'm on version 16.02.

-Scott

Greetings!

When configuring access methods for switch management access, the 'aaa authentication <feature>' commands provide the ability to configure both a primary and secondary authentication method. If you'd like RADIUS to be the primary method and local username/password to be the secondary, you would use the following commands (these cover console/SSH login and enable access, as well as access to the Web UI):

switch(config)# aaa authentication console login radius local 
switch(config)# aaa authentication console enable radius local 
switch(config)# aaa authentication ssh login radius local 
switch(config)# aaa authentication ssh enable radius local 
switch(config)# aaa authentication web login radius local 
switch(config)# aaa authentication web enable radius local 

You can find more background info and suggestions in the ArubaOS-Switch Hardening Guide, as well as the Access Security Guide.

Thanks for the reply, however that's not exactly what I was asking. I actually opened a support ticket with the HPE support portal, and they confirmed that there is no configuration which allows the local user database to be used when the RADIUS server is available.