Original Message:
Sent: Feb 24, 2023 04:07 AM
From: Herman Robers
Subject: aaa authentication ssh login radius local, local admin still cannot login
As far as I know, for command accounting on ArubaOS Switch you would need to change to TACACS instead of RADIUS for your admin login. You may check with support if that is indeed the case.
For the keys, you may try the include-credentials command:
sw01-12p(config)# include-credentials
 clearpass-key        Include ClearPass key along with other sensitive keys in the show configuration.
 radius-tacacs-only   Include RADIUS and TACACS+ credentials when saving configuration files remotely.
 store-in-config      Store passwords and SSH authorized keys in the configuration files.
 <cr>
With 'no include-credentials', I would expect the radius secrets (and others) to no longer be visible in the configuration.
Or are you on AOS-CX or other switch operating system?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Feb 20, 2023 06:55 PM
From: manly009
Subject: aaa authentication ssh login radius local, local admin still cannot login
@Herman Robers
Hi Herman,
I think it is all working fine.
Also, how can I do the actual logging or recording for any changes done by network admin?
thanks a lot
ML
Original Message:
Sent: Feb 15, 2023 05:18 AM
From: Herman Robers
Subject: aaa authentication ssh login radius local, local admin still cannot login
Answered as well in this duplicate post:
aaa port-access is for 802.1X authentication of devices that connect to your switch (interface 1 in your example) and it is not related to SSH or Web login. If your NPS is not configured to respond to device authentication, you probably can't connect to interface 1.
port-access authenticator = 802.1X
port-access mac-based = MAC Authentication (MAB)
and you can configure both on the same port to provide 802.1X authentication for clients/devices that support it, and fallback to MAC authentication for devices that can't do 802.1X.
So, if you just want to do authentication of your admins using SSH to the switch, you can remove all of the port-access configuration.
Original Message:
Sent: Feb 12, 2023 05:38 PM
From: manly009
Subject: aaa authentication ssh login radius local, local admin still cannot login
Hi Ian,
Thanks for your answer,
Do I need these two lines?
aaa port-access authenticator 1 tx-period 10
aaa port-access authenticator 1 client-limit 2
Thanks
ML
Original Message:
Sent: Feb 12, 2023 02:44 AM
From: IanNightingale
Subject: aaa authentication ssh login radius local, local admin still cannot login
Hi, on the first of these questions, this is by design and desired by most. If the switch has a route to the IP of the radius server it will use that method solely. It falls to the next method in the line (local in your case) when it can't get to the radius server.
This is good because you don't allow an insecure method permanently. This is one that can be brute-forced. It allows the actual admin to be recorded against actions and not anyone who knows the local password.
The behaviour changes depending on OS. For old ProCurve the switch tries to get a radius response about 7 times, then allows local credentials. If health checking of the radius server is available (like on CX) then a failed health check drops you to the next method in the row.
But in all OSs the first method remains while it believes the radius server is contactable.
One exception is Comware which has a complicated domain system if you choose to invoke it. You can have a second domain that uses local first while the primary goes to radius. Here you allow the less secure method all the time so you likely put other mechanisms in place to protect it, like extra secure passwords and ACLs to restrict which subnet can SSH.
Original Message:
Sent: Feb 09, 2023 07:03 PM
From: manly009
Subject: aaa authentication ssh login radius local, local admin still cannot login
Dear friends,
I have got Radius configured for SSH as follows:
aaa authentication num-attempts 2
aaa authentication login privilege-mode
aaa authentication web login peap-mschapv2 local
aaa authentication web enable peap-mschapv2 local
aaa authentication ssh login peap-mschapv2 local
aaa authentication ssh enable peap-mschapv2 local
aaa authentication port-access chap-radius
aaa port-access authenticator 1 tx-period 10
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator active
Enabled SSH login with Radius as primary and Local as secondary. But when I was trying to log in as the local user, it just could not log in... Can or should I configure it to log in as both Radius and Local? How do they work?
Also, if I use MsChap-PeapV2, am I supposed to load the CA on switches to have better security? Seems it is already working by using MsChapV2 and Peap on NPS server...
Also, I do not quite understand, what this one "aaa authentication port-access chap-radius" does? Do I still need it?
Thanks
ML
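As an added illustration (not code from anyone in this thread), the following Python audit reads an ArubaOS-Switch style running-config and reports the three things the replies above turn on: whether the ssh login list actually ends in a local fallback (which, as Ian explains, is only used when RADIUS is unreachable), which port-access lines are present but unrelated to SSH admin login (Herman's point), and whether RADIUS keys are sitting in the config in clear text (the include-credentials topic). The sample config is constructed here from the lines posted in the question plus an assumed `radius-server host ... key "..."` line; the exact key format on a real switch is an assumption.

```python
import re

# Constructed sample running-config (not captured from a real switch). The aaa
# lines mirror the question; the radius-server line format is an assumption.
SAMPLE_CONFIG = """\
radius-server host 10.0.0.10 key "S3cr3t-RadiusKey"
aaa authentication num-attempts 2
aaa authentication login privilege-mode
aaa authentication ssh login peap-mschapv2 local
aaa authentication ssh enable peap-mschapv2 local
aaa authentication port-access chap-radius
aaa port-access authenticator 1 tx-period 10
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator active
"""


def audit_aaa_config(config_text):
    """Return findings about SSH admin authentication and related config lines."""
    findings = {
        "ssh_login_methods": [],
        "ssh_has_local_fallback": False,
        "port_access_lines": [],
        "radius_keys_in_cleartext": 0,
        "tacacs_configured": False,   # needed for command accounting per Herman
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"aaa authentication ssh login (.+)$", line)
        if m:
            methods = m.group(1).split()
            findings["ssh_login_methods"] = methods
            # "local" only acts as a fallback when it follows a remote method.
            findings["ssh_has_local_fallback"] = (
                len(methods) >= 2 and methods[-1] == "local")
        elif line.startswith(("aaa port-access", "aaa authentication port-access")):
            # 802.1X / MAC-auth for attached devices; not used for SSH login.
            findings["port_access_lines"].append(line)
        elif re.match(r'^radius-server host \S+ key "[^"]+"', line):
            # A quoted secret in the running-config means credentials are being
            # stored in the config (see the include-credentials discussion).
            findings["radius_keys_in_cleartext"] += 1
        elif line.startswith("tacacs-server host"):
            findings["tacacs_configured"] = True
    return findings
```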