  • 1.  Radius account with Operators level on ArubaOS-CX (6200F) switches

    Posted Feb 10, 2025 08:11 PM

    I have RADIUS configured and it works fine, but the current users have Administrators privilege.

    I need to create a new read-only RADIUS user to run Show .*  (all) commands. I fail to find clear instructions in the documentation on how to do that: https://arubanetworking.hpe.com/techdocs/AOS-CX/10.13/PDF/security_6200-6300-6400.pdf

    Can someone please walk me through this process?



  • 2.  RE: Radius account with Operators level on ArubaOS-CX (6200F) switches

    Posted Feb 11, 2025 09:48 AM

    Create a user group that permits all show commands and return Aruba-Admin-role attribute with the local user group name. 

    You may also return priv level using Aruba-Priv-Admin-User attribute.

    Command authorization is not possible with Radius.  Check the following link:

    https://arubanetworking.hpe.com/techdocs/AOS-CX/10.07/HTML/5200-7886/Content/Chp_Rem_AAA_RADIUS/use-rol-ass-usi-rad-att-10.htm 




  • 3.  RE: Radius account with Operators level on ArubaOS-CX (6200F) switches

    Posted Feb 11, 2025 12:45 PM

    Thank you for your reply. I made some progress.

    I have created a policy from the NPS server with Service-Type = NAS Prompt. It allows me to log in with RADIUS to the switch, but as you know no CLI command works.

    I know how to create "a user group that permits all show commands"

    but I don't know how to " return Aruba-Admin-role attribute with the local user group name"

    Or

    Return priv level using Aruba-Priv-Admin-User attribute

    Let's say my is called oxidized, can you please give some syntax example on how to do that?

    Again, thank you very much.

    Adias




  • 4.  RE: Radius account with Operators level on ArubaOS-CX (6200F) switches

    Posted Feb 11, 2025 02:34 PM

    I have followed instructions in the following article to configure NPS https://community.arubanetworks.com/discussion/aruba-aos-cx-radius-authentication-with-microsoft-nps 

    I have created a local group, permitted cli command "Show .*" and assigned the monitoring user to that group.

    Now I can login with the user and run most Show commands... except Show Running-Config. Show Running-Config returns "command incomplete" ... Show Running-Config system for example works.

    How can I get Show Running-Config to work?




  • 5.  RE: Radius account with Operators level on ArubaOS-CX (6200F) switches

    Posted Feb 12, 2025 03:28 AM
    Edited by GorazdKikelj Feb 12, 2025 03:30 AM

    Check the configuration of your local group.  I created a group readonly-user and it works as expected.

    user-group readonly-user
        10 permit cli command "show .*"
        20 permit cli command "exit"
        30 deny cli command ".*"

    switch# help
    Invalid input: help
    switch#
    switch# show run
    Current configuration:
    !
    !Version AOS-CX Virtual.10.15.0005
    !export-password: default

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------
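
An added example, not part of the original posts and not Aruba code: a small offline checker that parses the `user-group` rules from post 5 and reports which commands they would permit, which is useful for reviewing a read-only group before assigning it to a RADIUS user. It assumes rules are tried in ascending sequence number, the first rule whose regular expression matches the whole command decides, and a command matching no rule is denied; the function names are hypothetical.

```python
import re

# Rules copied from the readonly-user group in post 5.
GROUP_CONFIG = '''
user-group readonly-user
    10 permit cli command "show .*"
    20 permit cli command "exit"
    30 deny cli command ".*"
'''

RULE_RE = re.compile(r'^\s*(\d+)\s+(permit|deny)\s+cli\s+command\s+"(.*)"\s*$')


def parse_rules(config):
    """Return [(seq, action, compiled_regex)] sorted by sequence number."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), re.compile(m.group(3))))
    return sorted(rules, key=lambda r: r[0])


def authorize(rules, command):
    """Assumed semantics: first full-match rule wins, no match means deny."""
    for seq, action, pattern in rules:
        if pattern.fullmatch(command):
            return action, seq
    return "deny", None


def audit(rules, commands):
    """Map each command to the (action, deciding rule number) pair."""
    return {cmd: authorize(rules, cmd) for cmd in commands}


if __name__ == "__main__":
    # Constructed sample commands, written out in full (no abbreviations).
    samples = ["show running-config", "show version", "exit", "help",
               "configure terminal", "copy running-config startup-config"]
    for cmd, (action, seq) in audit(parse_rules(GROUP_CONFIG), samples).items():
        print(f"{action:6} rule {seq}: {cmd}")
```

The checker matches full command strings only; how the switch treats abbreviations such as `show run` is not modelled here.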