Wired Intelligent Edge

  • 1.  ArubaOS-CX RADIUS Server configuration - Use RADIUS then local if RADIUS down

    Posted 24 days ago

    Hello,

    I have a RADIUS Server configured and working with my ArubaOS switches, but I am having trouble with my ArubaOS-CX switches. I am using the following command for the RADIUS Server, but I am not sure how to configure the switch to use the RADIUS Server, but if down, use a local login.

    config
    radius-server host RADIUS_SERVER_IP key ciphertext MY_SECRET_KEY
    aaa authentication login ssh group radius local

    The second command is where I am not sure, I am not able to login with the RADIUS Server, only local. The Server is up. My goal is to use the RADIUS Server, but if it is down, use a local login. Any suggestions would be appreciated.



    ------------------------------
    rford1219
    ------------------------------


  • 2.  RE: ArubaOS-CX RADIUS Server configuration - Use RADIUS then local if RADIUS down

    Posted 24 days ago
    Edited by rford1219 24 days ago

    Was reading the configuration guide and it seems like this is what I need to do if I am reading it right?

    radius-server host SERVER_IP vrf default
    aaa group server radius rg1
    server SERVER_IP vrf default

    radius-server key plaintext SECRET_KEY
    radius-server auth-type pap
    aaa authentication allow-fail-through

    aaa authentication login default group rg1 local
    aaa authentication login https-server group rg1 local
    aaa authentication allow-fail-through



    ------------------------------
    rford1219
    ------------------------------



  • 3.  RE: ArubaOS-CX RADIUS Server configuration - Use RADIUS then local if RADIUS down

    Posted 23 days ago
    Edited by frmeunier 23 days ago

    Hello rford1219

    Yes, allow-fail-through should give what you expect: if RADIUS authentication fails, for any reason, the second method (local) should be tried.

    (If you don't set the fail-through, the doc says "The system only attempts to reach the next server or accounting method if there is an accounting failure due to an unreachable TACACS+ or RADIUS server or a shared key mismatch error between the switch and the server." In this case, if RADIUS is reachable, local will never be solicited.)



    ------------------------------
    Frederic
    (kudos welcome)
    ------------------------------



  • 4.  RE: ArubaOS-CX RADIUS Server configuration - Use RADIUS then local if RADIUS down

    Posted 23 days ago

    Hi

    Be careful with "allow-fail-through". Depending on your security needs, this may not be the best option. Please also consider using tracking options to detect non-working RADIUS servers. Allow-fail-through will enable a local user to always log in no matter whether RADIUS servers are reachable or not, given the username does not exist in the central auth system.

    If you need a backdoor, I usually configure local auth on the serial console, so you have a fallback available which is more secure than the other option.

    Regards,

    Thomas
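Added illustration, not code from the thread or from Aruba: a small Python model of how a "group radius local" method list picks a method with and without allow-fail-through, following the behaviour described in the replies above. The RADIUS outcomes, the local user database and the exact fall-through rules are constructed assumptions for the example.

```python
# Added example, not code from this thread or from Aruba: a small model of
# how the method list "group radius local" picks a method on ArubaOS-CX,
# with and without "aaa authentication allow-fail-through", following the
# behaviour the replies above describe. The semantics are assumptions,
# not vendor code.
from enum import Enum


class RadiusResult(Enum):
    ACCEPT = "accept"              # Access-Accept from the RADIUS group
    REJECT = "reject"              # Access-Reject: bad password or unknown user
    UNREACHABLE = "unreachable"    # no reply from any server in the group
    KEY_MISMATCH = "key_mismatch"  # shared-secret mismatch with the server


# Constructed local user database; "backup" is a purely local account that
# the central RADIUS/NPS server knows nothing about.
LOCAL_USERS = {"admin": "LocalPw1", "backup": "LocalPw2"}


def login(user, password, radius, allow_fail_through, local_users=LOCAL_USERS):
    """Return (granted, method_that_decided) for a 'group radius local' list.

    radius is the RadiusResult the RADIUS group returns for this attempt.
    Without allow-fail-through, the next method is consulted only when the
    server is unreachable or the shared key mismatches (the documented
    default quoted above). With it, any RADIUS failure, an explicit reject
    included, falls through to the local database.
    """
    if radius is RadiusResult.ACCEPT:
        return True, "radius"
    server_error = radius in (RadiusResult.UNREACHABLE, RadiusResult.KEY_MISMATCH)
    if allow_fail_through or server_error:
        return local_users.get(user) == password, "local"
    # Access-Reject with fail-through disabled: RADIUS is authoritative.
    return False, "radius"


def local_only_account_works(allow_fail_through):
    """Does a local-only account get in while RADIUS is up and rejects it?"""
    granted, _ = login("backup", "LocalPw2", RadiusResult.REJECT, allow_fail_through)
    return granted


if __name__ == "__main__":
    for fail_through in (False, True):
        print(f"allow-fail-through={fail_through}: local-only account "
              f"{'CAN' if local_only_account_works(fail_through) else 'cannot'} "
              "log in while RADIUS is up")
```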




  • 5.  RE: ArubaOS-CX RADIUS Server configuration - Use RADIUS then local if RADIUS down

    Posted 23 days ago

    Hi
    This is what I use in my OVA CX lab.

    radius-server host x.x.x.x key ciphertext xxxxxxxxx
    aaa group server radius rad_grp1
    aaa authentication login default group rad_grp1 radius local
    aaa accounting all-mgmt default start-stop group rad_grp1 radius
    aaa radius-attribute group rad_grp1

    I haven't spent any time to have this optimized, but it's working. I use FreeRADIUS as the RADIUS server.

    clients.conf file

    client aruba {
        ipaddr = x.x.x.x
        secret = password
        nastype = other
        shortname = arubacx
    }

    users file
    "username" Auth-Type = Pam, NAS-IP-Address = "x.x.x.x"
        Aruba-Priv-Admin-User = 15

    Hope this gets you further :)



    ------------------------------
    Torro
    ------------------------------



  • 6.  RE: ArubaOS-CX RADIUS Server configuration - Use RADIUS then local if RADIUS down

    Posted 23 days ago
    Edited by rford1219 23 days ago

    After some digging around, I was looking at the event logs and a different client IP was being used. I changed it and all works now, with 3 exceptions...

    I have two VSX VClusters. Each cluster has a J479A and a J581A. They are cross-connected for redundancy and all. I have the upper switch on the one cluster configured and working, but the others are not letting me log in through the RADIUS Server. The local works fine, but the second switch in the cluster doesn't want to use the RADIUS. When I look at the event logs on the NPS Server, it shows the client IP of the upper switch in the cluster...
    I have two VSX VClusters. Each Cluster has a J479A and a J581A. They are cross connected for redundancy and all. I have the upper switch on the one cluster configured and working, but the others are not letting me log in through the RADIUS Server. The local works fine, but the second switch in the cluster doesn't want to use the RADIUS. When I look at the event logs on the NPS Server, it shows that client ip of the upper switch in the cluster...