Wired Intelligent Edge


How to authorize "sh run " in operator level access

  • 1.  How to authorize "sh run " in operator level access

    Posted Jun 29, 2022 02:19 PM
    Hi All

    We are using RADIUS authentication for accessing the Aruba switch. We have a requirement to give the read-only access user access to run the command "show running config".

    We are using FreeRADIUS for giving access to the user with the following. Requesting your help to authorize the "show runn" command for the RO user.

    Service-Type = NAS-prompt-user

    Any help is much appreciated.
     
    Regards


  • 2.  RE: How to authorize "sh run " in operator level access

    EMPLOYEE
    Posted Jun 30, 2022 05:50 AM

    Hi,

     

    You should specify which switches are in use.

    For ProCurve there is a similar guide for command authorization with/on FreeRADIUS: https://techhub.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch06s09.html#s_Configuring_commands_authorization_on_a_RADIUS_server

    For CX devices, command authorization on a remote server is supported with TACACS+ only. RADIUS authentication can be used with local authorization (you have to create a user-group and define the permitted/denied commands in a list, where * can be used as well). I haven't tried this, but the RADIUS server needs to return the proper user-group as well (three built-in groups on the switch, administrators/auditors/operators (no changes are available for these groups), plus locally defined ones (what you need to create)).

    For reference you can search for the Security Guide of your device (https://www.arubanetworks.com/techdocs/AOS-CX/help_portal/Content/home.htm) and take a look at command authorization and user-groups.




  • 3.  RE: How to authorize "sh run " in operator level access

    Posted Jun 30, 2022 11:57 AM
    Hello ,

    Thanks for your reply, it's awesome.

    Initially I tried:
    Service-Type = NAS-prompt-user
    HP-Command-Exception = 0
    HP-Command-String = "show;ping;traceroute"
    Everything was working except "show run". Finally I found that "show run" is not in the list of commands in "operator" level access.

    Then I tried the following and it's working:

    Service-Type = Administrative-User
    HP-Command-Exception = 0
    HP-Command-String = "show;ping;traceroute"

    Need advice: Is it possible to enable "show run" in "operator" level access?

    Will wait for your answer.

    Regards
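Added example, not part of the original posts: the working setup above returns Service-Type = Administrative-User and relies on the command list to keep the account read-only, so this Python check scans a FreeRADIUS users file for manager-level entries that lack such a list. The user names and sample entries are constructed, and treating HP-Command-Exception = 0 as "permit list" is an assumption based on how the thread uses it.

```python
import re
# Constructed sample in FreeRADIUS "users" file syntax (not the thread's real server config).
SAMPLE_USERS = '''\
ro-audit  Cleartext-Password := "example-only"
    Service-Type = Administrative-User,
    HP-Command-Exception = 0,
    HP-Command-String = "show;ping;traceroute"

noc-admin  Cleartext-Password := "example-only"
    Service-Type = Administrative-User

helpdesk  Cleartext-Password := "example-only"
    Service-Type = NAS-Prompt-User

ro-deny  Cleartext-Password := "example-only"
    Service-Type = Administrative-User,
    HP-Command-Exception = 1,
    HP-Command-String = "configure"
'''

# One indented reply item per line: Name = value, optionally quoted, optional trailing comma.
REPLY_ITEM = re.compile(r'^\s+([\w-]+)\s*:?=\s*"?([^",]*)"?\s*,?\s*$')

def parse_users(text):
    """Return {username: {reply-attribute: value}} from users-file text."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # unindented check line starts a new entry
            current = entries.setdefault(line.split()[0], {})
        elif current is not None and (m := REPLY_ITEM.match(line)):
            current[m.group(1)] = m.group(2).strip()
    return entries

def audit(entries):
    """Flag manager-level entries that are not limited by a non-empty permit list."""
    findings = {}
    for user, attrs in entries.items():
        if attrs.get("Service-Type", "").lower() != "administrative-user":
            continue                       # operator-level entries are out of scope here
        if attrs.get("HP-Command-Exception") != "0":
            findings[user] = "manager level without a permit list (HP-Command-Exception = 0)"
        elif not [c for c in attrs.get("HP-Command-String", "").split(";") if c.strip()]:
            findings[user] = "permit list is empty"
    return findings

if __name__ == "__main__":
    for user, reason in audit(parse_users(SAMPLE_USERS)).items():
        print(f"{user}: {reason}")
```

The command list only restricts the session when the switch itself has "aaa authorization commands radius" enabled, the setting discussed in post 4.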




  • 4.  RE: How to authorize "sh run " in operator level access

    Posted Jun 30, 2022 02:25 PM
    Hi,

    Further I noticed 

    When I enable "aaa authorization commands radius", I can't log in to web management.
    The HTTPD service got stuck and is being disabled automatically.

    Any suggestions, please?

    Thanks



  • 5.  RE: How to authorize "sh run " in operator level access

    Posted Jul 04, 2022 12:47 AM
    Hi,

    Have you enabled "aaa authentication login privilege-mode" for https access?

    ------------------------------
    Shobana
    Aruba
    ------------------------------



  • 6.  RE: How to authorize "sh run " in operator level access

    Posted Jul 15, 2022 07:03 AM
    Hi

    Have you enabled "aaa authentication login privilege-mode" for https access? Yes

    Thanks