
aaa authentication ssh login radius local, local admin still cannot login

  • 1.  aaa authentication ssh login radius local, local admin still cannot login

    Posted Feb 09, 2023 07:03 PM
    Edited by manly009 Feb 09, 2023 07:25 PM

    Dear friends,

    I have got Radius configured for SSH as follows:

    aaa authentication num-attempts 2

    aaa authentication login privilege-mode

    aaa authentication web login peap-mschapv2 local

    aaa authentication web enable peap-mschapv2 local

    aaa authentication ssh login peap-mschapv2 local

    aaa authentication ssh enable peap-mschapv2 local

    aaa authentication port-access chap-radius

    aaa port-access authenticator 1 tx-period 10

    aaa port-access authenticator 1 client-limit 2

    aaa port-access authenticator active

    Enabled SSH login with Radius as primary and Local as secondary. But when I was trying to log in as the local user, it just could not log in... Can or should I configure it to log in with both Radius and Local? How do they work?

    Also, if I use MsChap-PeapV2, am I supposed to load the CA on switches to have better security? Seems it is already working by using MsChapV2 and Peap on NPS server...

    Also, I do not quite understand what this one, "aaa authentication port-access chap-radius", does. Do I still need it?

    Thanks

    ML



  • 2.  RE: aaa authentication ssh login radius local, local admin still cannot login

    Posted Feb 12, 2023 02:45 AM

    Hi, on the first of these questions, this is by design and desired by most. If the switch has a route to the IP of the radius server it will use that method solely. It falls to the next method in the line (local in your case) when it can't get to the radius server. 

    This is good because you don't allow an insecure method permanently. This is one that can be brute forced. It allows the actual admin to be recorded against actions and not anyone who knows the local password. 

    The behaviour changes depending on OS. For old ProCurve the switch tries to get a radius response about 7 times, then allows local credentials. If health checking of the radius server is available (like on CX) then a failed health check drops you to the next method in the row.

    But in all OSs the first method remains while it believes the radius server is contactable. 

    One exception is Comware, which has a complicated domain system if you choose to invoke it. You can have a second domain that uses local first while the primary goes to radius. Here you allow the less secure method all the time, so you would likely put other mechanisms in place for protection, like extra secure passwords and ACLs to restrict which subnet can SSH.
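The fallback semantics described in the reply above (RADIUS decides alone while it is reachable; the local user database is consulted only when the server does not answer) as a small Python simulation. This is an added illustration, not code from the thread or from any Aruba switch software; the fake server, the user names and the retry count of 3 are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FakeRadiusServer:
    """Constructed stand-in for an NPS/RADIUS server.

    users=None models a server the switch cannot reach at all; otherwise the
    server returns an accept/reject decision for the supplied credentials."""
    users: Optional[Dict[str, str]]

    def authenticate(self, user: str, password: str) -> Optional[bool]:
        if self.users is None:
            return None  # no reply at all: a timeout, not a decision
        return self.users.get(user) == password


@dataclass
class Switch:
    """Evaluates a method list such as ['radius', 'local'] as the thread describes."""
    method_list: List[str]
    radius: FakeRadiusServer
    local_users: Dict[str, str]
    radius_retries: int = 3  # assumed value; the thread says "about 7 times" on old ProCurve
    audit: List[str] = field(default_factory=list)

    def login(self, user: str, password: str) -> bool:
        for method in self.method_list:
            if method == "radius":
                verdict = None
                for _ in range(self.radius_retries):
                    verdict = self.radius.authenticate(user, password)
                    if verdict is not None:
                        break
                if verdict is None:
                    self.audit.append(
                        f"radius: no reply after {self.radius_retries} tries, trying next method")
                    continue  # only an unreachable server moves evaluation onward
                self.audit.append(f"radius: {'accept' if verdict else 'reject'} for {user!r}")
                return verdict  # an Access-Reject is final: 'local' is never consulted
            if method == "local":
                ok = self.local_users.get(user) == password
                self.audit.append(f"local: {'accept' if ok else 'reject'} for {user!r}")
                return ok
        return False  # method list exhausted without a decision
```

With the server reachable, the local admin account is rejected by RADIUS and never reaches the local database, which is exactly the symptom in the first post; with the server unreachable, the same credentials succeed via the local method.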




  • 3.  RE: aaa authentication ssh login radius local, local admin still cannot login

    Posted Feb 12, 2023 05:38 PM

    Hi IAN,

    Thanks for your answer,

    Do I need these two lines?

    aaa port-access authenticator 1 tx-period 10

    aaa port-access authenticator 1 client-limit 2

    Thanks
    ML




  • 4.  RE: aaa authentication ssh login radius local, local admin still cannot login

    Posted Feb 13, 2023 02:19 AM

    Hi,

    I can't tell you if you need those two lines. It depends on what you want to achieve. 

    The description for what they do can be found in this manual. Note the 1 in each line means port 1. Expand to more ports to cover more than port 1.

    I can't be sure it is relevant to your switch OS but this manual describes the fallback to local with similar commands to yours. It also describes other aspects of radius config that might help.




  • 5.  RE: aaa authentication ssh login radius local, local admin still cannot login

    Posted Feb 15, 2023 05:18 AM

    Answered as well in this duplicate post:

    aaa port-access is for 802.1X authentication of devices that connect to your switch (interface 1 in your example) and it is not related to SSH or Web login. If your NPS is not configured to respond to device authentication, you probably can't connect to interface 1.

    port-access authenticator = 802.1X
    port-access mac-based = MAC Authentication (MAB)

    and you can configure both on the same port to provide 802.1X authentication for clients/devices that support it, and fallback to MAC authentication for devices that can't do 802.1X.

    So, if you just want to do authentication of your admins using SSH to the switch, you can remove all of the port-access configuration.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: aaa authentication ssh login radius local, local admin still cannot login

    Posted Feb 15, 2023 08:14 PM

    Hi Herman,

    Yes, you are correct. I only want SSH and WebUI Login for Admin users by pointing to an external Radius server. 

    I will remove anything for port access:

    aaa port-access authenticator 1 tx-period 10

    aaa port-access authenticator 1 client-limit 2


    Thanks

    ML




  • 7.  RE: aaa authentication ssh login radius local, local admin still cannot login

    Posted Feb 19, 2023 10:00 PM

    Hi Herman,

    I think it is all working fine. 

    Also, how can I do the actual logging or recording for any changes done by network admins?

    thanks a lot

    ML




  • 8.  RE: aaa authentication ssh login radius local, local admin still cannot login

    Posted Feb 20, 2023 06:55 PM

    @Herman Robers 

    Hi Herman,

    I think it is all working fine. 

    Also, how can I do the actual logging or recording for any changes done by network admins?

    thanks a lot

    ML




  • 9.  RE: aaa authentication ssh login radius local, local admin still cannot login

    Posted Feb 24, 2023 04:08 AM

    As far as I know, for command accounting on ArubaOS Switch you would need to change to TACACS instead of RADIUS for your admin login. You may check with support if that is indeed the case.

    For the keys, you may try the include-credentials command:

    sw01-12p(config)# include-credentials
     clearpass-key         Include ClearPass key along with other sensitive keys in the show configuration.
     radius-tacacs-only    Include RADIUS and TACACS+ credentials when saving configuration files remotely.
     store-in-config       Store passwords and SSH authorized keys in the configuration files.
     <cr>

    With 'no include-credentials', I would expect the radius secrets (and others) to no longer be visible in the configuration.

    Or are you on AOS-CX or other switch operating system?



    ------------------------------
    Herman Robers
    ------------------------------



  • 10.  RE: aaa authentication ssh login radius local, local admin still cannot login

    Posted Feb 24, 2023 06:06 AM

    We are on ArubaOS switches 2930M + 5300 series... Cannot afford ClearPass haha. Can you please have a look at this thread? https://community.arubanetworks.com/discussion/radius-aaa-auth-vlans-with-windows-nps-server




  • 11.  RE: aaa authentication ssh login radius local, local admin still cannot login

    Posted Feb 21, 2023 12:41 AM

    Also, with this line, radius-server host 192.168.0.55 key "xxxxxxx", how can I encrypt this key? 

    Thanks,

    ML




  • 12.  RE: aaa authentication ssh login radius local, local admin still cannot login

    Posted Feb 27, 2023 04:18 AM

    The credentials can be encrypted with the command encrypt-credentials.



    ------------------------------
    William Bargeman
    Systems Engineer Aruba
    ------------------------------