Network Management

  • 1.  Aruba OS-CX OOBM interface with TACACS+

    Posted Feb 08, 2023 05:46 AM
    We are using TACACS+ to perform operator authentication on our network gear.
    This works fine today as we are using an inside administration VLAN to connect into the device.

    However, we are seeking to use the OOBM port of the Aruba switches in order to access the devices through an
    external dedicated network. Unfortunately we figured out that the TACACS+ protocol does NOT work on the OOBM port.
    We also have aruba mobility controllers, and we are using the OOBM port with TACACS+ successfully with them.

    So concerning the switches, is it a port configuration mistake, undocumented feature, or is it there by "design"?

    Any experience shared in this area is welcome.

    Thanks
    Ray


  • 2.  RE: Aruba OS-CX OOBM interface with TACACS+

    Posted Feb 10, 2023 03:35 AM

    Is your OOBM port in the mgmt VRF? If so, did you assign the mgmt vrf (or vrf where your OOBM is in) to your tacacs server definition?

    Documentation:

    tacacs-server host {<FQDN> | <IPV4> | <IPV6>}
       [key [plaintext <PASSKEY> | ciphertext <PASSKEY>]]
       [timeout <TIMEOUT-SECONDS>] [port <PORT-NUMBER>]
       [auth-type {pap | chap}] [tracking {enable | disable}] [vrf <VRF-NAME>]


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Aruba OS-CX OOBM interface with TACACS+

    Posted Mar 14, 2023 01:53 PM

    Sorry for the late reply, but I have been away for a while.

    So, as you suggested, adding the VRF "mgmt" context in TACACS, SNMP and SSH fixes most of the issues I have on OOBM.
    However there is still one left:

    We are using IMC to manage our heterogeneous park of equipment, and also using it for device backup.
    Unfortunately I have not been able to back up my OS-CX switch connected with OOBM.

    As an example, IMC uses the command "copy startup-config tftp://IMC_SERVER/backupfile.cfg cli"
    If I run this command - with the same IMC credentials - I get the error "curl: (28) Network is unreachable", which is obviously not the case.
    (FYI I get also the same error if I try to ping "anything" !?!.) 

    So is there an ACL which prevents TFTP, ICMP (or maybe other services) from running on the OOBM port?
    Shall I try with SCP or SFTP?

    Any comment or suggestion is welcome.

    Thanks
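Editor's note: the following is an added configuration example, not text from either poster. It pulls together the point made in reply 2 (the TACACS+ server definition, like SSH and SNMP, must be bound to the VRF the OOBM port lives in) and the open question in reply 3 (copy to TFTP and ping failing with "Network is unreachable"). The server addresses, the key and the filename are placeholders. The `tacacs-server host ... vrf` line follows the syntax quoted in reply 2; the `ssh server vrf` and `snmp-server vrf` forms are the ones reply 3 reports as working. The `vrf mgmt` keyword on `copy` and `ping` is my assumption that AOS-CX applies the same per-command VRF selection to those commands; confirm it against the CLI reference for your release before relying on it.

```text
! --- services that must be reachable from / reach out via the OOBM port (mgmt VRF) ---
! TACACS+ server reached over the OOBM network. Without "vrf mgmt" the switch
! sources the TACACS+ request from the default VRF, which has no route to it.
tacacs-server host 192.0.2.10 key plaintext ExampleKey vrf mgmt
aaa authentication login ssh group tacacs local

! SSH and SNMP listeners likewise have to be enabled per VRF.
ssh server vrf mgmt
snmp-server vrf mgmt

! --- per-command VRF selection (assumed syntax; see note above) ---
! copy/ping/curl-style operations on AOS-CX also default to the default VRF,
! so a backup target or ping destination on the OOBM network is "unreachable"
! unless the command is told which VRF to use.
copy startup-config tftp://192.0.2.20/backupfile.cfg vrf mgmt
ping 192.0.2.20 vrf mgmt
```

Two practical caveats. First, the `key plaintext` form is only convenient for initial entry; the running configuration displays it as `ciphertext`, and that is the form to keep in exported backups. Second, TACACS+ obfuscates the packet body with an MD5 keystream rather than encrypting it, so the isolation of the dedicated OOBM network is part of the protection for operator credentials, which is one more reason to keep the management services pinned to that VRF rather than opening them on the default VRF to work around the error.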