Network Management


aaa authentication for Radius Remote management for 2030M Switch

  • 1.  aaa authentication for Radius Remote management for 2030M Switch

    Posted Feb 09, 2023 01:36 AM

    Dear Friends, 

    I am currently planning to roll out RADIUS for switch remote management. I was thinking of using TACACS+, but we only have a Windows NPS server, so we will use RADIUS...

    Now I have configured aaa authentication for port-access, and it seems I can now log in with my domain credentials to the switch SSH and web UI.

    Here are my commands:

    aaa authentication num-attempts 2
    aaa authentication login privilege-mode
    aaa authentication web login radius local
    aaa authentication web enable radius
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local
    aaa authentication port-access eap-radius
    aaa port-access authenticator 1
    aaa port-access authenticator 1 tx-period 10
    aaa port-access authenticator 1 client-limit 2
    aaa port-access authenticator active

    I am really confused by "aaa authentication port-access eap-radius". Is this secure to use? I only configured NPS to use PAP at the moment. What would be the best practice or better practice if I want to have proper SSH access to manage the switch?

    What is the difference between port-access and mac-based? Can I use them at the same time?

    Thanks a lot,

    ML 



  • 2.  RE: aaa authentication for Radius Remote management for 2030M Switch

    Posted Feb 14, 2023 05:57 AM

    aaa port-access is for 802.1X authentication of devices that connect to your switch (interface 1 in your example) and is not related to SSH or Web login. If your NPS is not configured to respond to device authentication, you probably can't connect to interface 1.

    port-access authenticator = 802.1X
    port-access mac-based = MAC Authentication (MAB)

    and you can configure both on the same port to provide 802.1X authentication for clients/devices that support it, and fall back to MAC authentication for devices that can't do 802.1X.

    So, if you just want to do authentication of your admins using SSH to the switch, you can remove all of the port-access configuration.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: aaa authentication for Radius Remote management for 2030M Switch

    Posted Feb 15, 2023 05:17 AM

    duplicate of this discussion



    ------------------------------
    Herman Robers
    ------------------------------
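
Reply 2's split between management login lines and port-access (802.1X / MAC authentication) lines, as an added example that is not part of the thread and not Aruba tooling: a small Python audit that sorts the AAA lines from the first post into those groups and lists management lines that name only one method. The function name `audit`, the report keys and the regular expression are assumptions made for this example.

```python
import re

# Constructed sample input: the AAA lines quoted in the first post of the thread.
SAMPLE_CONFIG = """\
aaa authentication num-attempts 2
aaa authentication login privilege-mode
aaa authentication web login radius local
aaa authentication web enable radius
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication port-access eap-radius
aaa port-access authenticator 1
aaa port-access authenticator 1 tx-period 10
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator active
"""

# Management-plane login lines: <access method> <login|enable> <primary> [secondary]
MGMT_RE = re.compile(
    r"^aaa authentication (ssh|web|telnet|console) (login|enable) (\S+)(?: (\S+))?$")
# Access-port prefixes, grouped the way reply 2 describes them.
PORT_PREFIXES = {
    "aaa port-access authenticator": "dot1x",
    "aaa authentication port-access": "dot1x",
    "aaa port-access mac-based": "mac_auth",
}

def audit(config_text):
    """Sort AAA lines into management login, 802.1X, MAC auth and other."""
    report = {k: [] for k in ("management", "dot1x", "mac_auth", "other", "no_secondary")}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        if not line.startswith("aaa "):
            continue
        m = MGMT_RE.match(line)
        kind = next((k for p, k in PORT_PREFIXES.items() if line.startswith(p)), "other")
        if m:
            kind = "management"
            if m.group(4) is None:  # only one method is written on the line
                report["no_secondary"].append(line)
        report[kind].append(line)
    return report

if __name__ == "__main__":
    print({k: len(v) for k, v in audit(SAMPLE_CONFIG).items()})
```

On the first post's lines this reports four management login lines, five 802.1X lines, and one management line (`aaa authentication web enable radius`) with no second method written on it.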