Network Management

  • 1.  Radius Authentication on CX switches using peap-mschapv2

    Posted Feb 08, 2024 07:10 PM

    Greetings,

    For some time now we have been using Microsoft NPS (Radius Server) to support AAA authentication to manage our Aruba AOS-S switches (2930F, 2530, 2540). These models work perfectly using the protocol "peap-mschapv2". 

    We recently added some new Aruba CXs to our production environment (CX6000 and CX6200F). However, these models don't seem to have that protocol available for radius authentication. I am only able to find "PAP" and "CHAP", which according to my research, are way less secure protocols. 

    Could you please help me confirm if "peap-mschapv2" is actually available and I might not be looking in the right place or using the right commands? 

    In advance I appreciate your assistance on this matter. 

    See screenshots below for reference:

    Aruba AOS-S switches:

    Aruba CX Switches:



  • 2.  RE: Radius Authentication on CX switches using peap-mschapv2

    Posted Feb 09, 2024 07:14 AM

    RADIUS is not secure, PAP is not secure, CHAP and MSCHAPv2 are also not secure. It's highly recommended to keep your management traffic separated from production traffic to reduce the risk of people snooping the traffic. And/or switch to RadSec to encrypt all traffic, but not sure if that is supported on both ends.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Radius Authentication on CX switches using peap-mschapv2

    Posted Feb 09, 2024 06:08 PM

    Thank you so much for the information provided @Herman Robers. My understanding is that peap-mschapv2 was considered a secure protocol. This protocol is available to use in Aruba AOS-S models; could you confirm whether it has been removed from Aruba CXs for security reasons?

    My understanding is that management traffic can only be separated on those switches that have a physically dedicated mgmt port, or am I wrong? I am not super familiar with the concept of RadSec; if you could direct me to Aruba documentation on how to implement it, I would really appreciate it.

    Thank you so much for your assistance,




  • 4.  RE: Radius Authentication on CX switches using peap-mschapv2

    Posted Feb 12, 2024 03:39 AM

    If you have a management VLAN that is only on your switch uplinks, and switches and uplinks are in a locked data room, you can be quite sure that no user has access to the management traffic.

    For RadSec on CX, this blog post by @ariyap may be useful.

    On why CX has not implemented mschapv2, I can only speculate that it may be because the protocol does not add too much security above PAP, that this was known already when CX was developed, and that not too many customers have been asking for it, or, after understanding this, have either separated management traffic into a separate VLAN/VRF and/or moved to RadSec. But if you want a real answer, you can check with your local Aruba team if they can find out.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------