Hi
Do you get the request to ClearPass and get an Accept in Access Tracker and can you provide any logs from the switch?
As you wrote in your initial post, RADIUS does work for clients, so the RADIUS configuration on the switch should be ok and also the shared secret with ClearPass. I would like to see if the user login request hits the correct service in ClearPass and also verify that the service returns the correct enforcement profile.
If all these steps are ok, next step is to check
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Jul 08, 2024 08:37 AM
From: Normann
Subject: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass
Hi Jonas,
I have defined a server-group (named "clearpass") and I tried to use a configuration like:
aaa authentication web login radius server-group clearpass local
aaa authentication web enable radius server-group clearpass local
aaa authentication ssh login radius server-group clearpass local
aaa authentication ssh enable radius server-group clearpass local
But it does not work for the web and SSH.
This is my profile on ClearPass:
If you need more information, tell me.
Original Message:
Sent: Jul 08, 2024 08:09 AM
From: jonas.hammarback
Subject: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass
Hi
Do you see any authentication requests in Access Tracker at all?
I don't think it should be needed, but in our config we always define a server-group:
aaa server-group radius "CPPM" host <server-ip>
and add this group as parameter in each of the lines, like this:
aaa authentication ssh login radius server-group "CPPM" local
In the enforcement profile you can return the Aruba-Admin-Role attribute to assign a predefined administrative role on the switch.
Original Message:
Sent: Jul 08, 2024 03:30 AM
From: Normann
Subject: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass
Hello Aruba Community,
I am currently working on setting up Role-Based Access Control (RBAC) for SSH and web management on an Aruba 2930F switch using Aruba OS X 16.11, integrated with ClearPass for user authentication and authorization.
Current Setup:
- My RADIUS connection is established.
- I can authenticate endpoints correctly.
RBAC Configuration:
I have tried to configure the switch as follows:
radius-server host <ClearPass_IP> dynamic-authorization
aaa authentication login privilege-mode
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication console login local
aaa authentication console enable local
aaa authentication web login radius local
aaa authentication web enable radius local
aaa authorization commands radius
aaa authorization commands access-level manager
NB:
I also have a working device with Comware OS, if that context is helpful for troubleshooting.
Issues:
Despite these configurations, the RBAC settings do not seem to be applied correctly. Users are logging in via SSH or the web interface.
Request for Assistance:
I am new to this technology and would greatly appreciate any guidance or insights on the following:
- Are there any additional configurations required on the switch to ensure RBAC functions correctly?
- What are the correct configurations for the profiles on ClearPass to support RBAC?
- Recommended troubleshooting steps to identify and resolve this issue.
Thank you in advance for your assistance!
Best regards,