Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

2530 switch Read Only access via Radius Authentication

  • 1.  2530 switch Read Only access via Radius Authentication

    Posted Jul 22, 2020 11:45 AM

    We have Aruba 2530 switches authenticating CLI logons against a FortiAuthenticator Radius server set up for multi-factor.

    We are now trying to set up Solarwinds Kiwi Cattools to log in and retrieve the configuration on a schedule to alert for changes and report them to our security team.

    We want the user account used by this application to have read-only access to the full configuration. Is there a way to grant this via a Radius Attribute? I'd rather not provide full admin access to this account.



  • 2.  RE: 2530 switch Read Only access via Radius Authentication

    MVP GURU
    Posted Jul 22, 2020 01:25 PM

    See below to make sure the switch honors the privilege level returned by the radius server. This is a standard Radius attribute to send back:

    Server-Supplied Privilege Level

    Login privilege level instructs the switch to accept the authenticating user’s command level (manager or operator) that is supplied by the server. This allows manager-level users to skip the login context and proceed immediately to enable context, thus eliminating the need for a manager-level user to log in twice.

    To allow the switch to accept the privilege level provided by the server, use the following configuration command:

    switch(config)# aaa authentication login privilege-mode

    To supply a privilege level for a user account on a RADIUS server, specify the “Service-Type” attribute in the user’s credentials:

    • Service-Type = 6 allows manager-level access
    • Service-Type = 7 allows operator-level access
    • A user with no Service-Type, or a Service-Type not equal to 6 or 7, is denied access

    To supply a privilege level for a user account on a TACACS server, specify the “Max Privilege” level in the user’s credentials:

    • Max-privilege = 15 allows manager-level access
    • Max-privilege = 0 allows only operator-level access
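
The Service-Type rule quoted in the reply above, as an added example that is not from this thread, from HPE, or from FortiAuthenticator: a small Python parser for a RADIUS reply that reports which CLI level a switch running `aaa authentication login privilege-mode` would grant, useful for checking in a packet capture what the RADIUS server actually returns. It goes slightly beyond the quoted text by also treating a non-Accept reply or a malformed attribute as denied; all packets below are constructed sample data, not real server output.

```python
import struct

ACCESS_ACCEPT = 2     # RADIUS packet code (RFC 2865)
SERVICE_TYPE = 6      # RADIUS attribute type number of Service-Type
REPLY_MESSAGE = 18    # only used to pad the constructed samples below
MANAGER_VALUE = 6     # Service-Type 6 (Administrative-User): manager level
OPERATOR_VALUE = 7    # Service-Type 7 (NAS-Prompt-User): operator level

def parse_packet(pkt):
    """Return (code, [(attr_type, value), ...]) for a raw RADIUS packet.
    Header: code, identifier, length, 16-byte authenticator (20 bytes);
    each attribute: 1 byte type, 1 byte total length, then the value."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("RADIUS length field inconsistent with packet")
    avps, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("bad attribute at offset %d" % i)
        avps.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, avps

def switch_privilege(pkt):
    """Level the switch grants under privilege-mode: Service-Type 6 -> manager,
    7 -> operator, anything else (absent, malformed, non-Accept) -> denied."""
    code, avps = parse_packet(pkt)
    if code != ACCESS_ACCEPT:
        return "denied (not an Access-Accept)"
    values = [v for t, v in avps if t == SERVICE_TYPE]
    if not values or len(values[0]) != 4:
        return "denied (Service-Type missing or malformed)"
    st = struct.unpack("!I", values[0])[0]
    return {MANAGER_VALUE: "manager", OPERATOR_VALUE: "operator"}.get(
        st, "denied (Service-Type %d)" % st)

def build_packet(code, avps, ident=1):
    """Assemble a packet with a zeroed authenticator (constructed test data only)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples, not captured from FortiAuthenticator or any real server:
MANAGER_ACCEPT = build_packet(ACCESS_ACCEPT, [(SERVICE_TYPE, struct.pack("!I", 6)), (REPLY_MESSAGE, b"ok")])
OPERATOR_ACCEPT = build_packet(ACCESS_ACCEPT, [(SERVICE_TYPE, struct.pack("!I", 7))])
NO_SERVICE_TYPE = build_packet(ACCESS_ACCEPT, [(REPLY_MESSAGE, b"ok")])
LOGIN_USER = build_packet(ACCESS_ACCEPT, [(SERVICE_TYPE, struct.pack("!I", 1))])  # Login-User
```

Feed `switch_privilege()` the raw UDP payload of the Access-Accept from a capture to see whether the server is returning 6, 7, or something else.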

     



  • 3.  RE: 2530 switch Read Only access via Radius Authentication

    Posted Jul 22, 2020 02:12 PM

    Thank you for the suggestion. I've already tried this one, however, service-type=7 doesn't allow a "show run".

    What I need is a manager level with read-only capabilities.



  • 4.  RE: 2530 switch Read Only access via Radius Authentication

    Posted Dec 16, 2021 02:55 AM
    Did you find a solution to achieve this?

    ------------------------------
    Thomas Heymans
    ------------------------------