Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass

  • 1.  Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass

    Posted Jul 08, 2024 07:24 AM

    Hello Aruba Community,

    I am currently working on setting up Role-Based Access Control (RBAC) for SSH and web management on an Aruba 2930F switch using Aruba OS X 16.11, integrated with ClearPass for user authentication and authorization.

    Current Setup:

    • My RADIUS connection is established.
    • I can authenticate endpoints correctly.

    RBAC Configuration:

    I have tried to configure the switch as follows:

    radius-server host <ClearPass_IP> dynamic-authorization

    aaa authentication login privilege-mode
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local
    aaa authentication console login local
    aaa authentication console enable local
    aaa authentication web login radius local
    aaa authentication web enable radius local
    aaa authorization commands radius
    aaa authorization commands access-level manager


    NB:

    I also have a working device with Comware OS, if that context is helpful for troubleshooting.

    Issues:

    Despite these configurations, the RBAC settings do not seem to be applied correctly. Users are logging in via SSH or the web interface.

    Request for Assistance:

    I am new to this technology and would greatly appreciate any guidance or insights on the following:

    1. Are there any additional configurations required on the switch to ensure RBAC functions correctly?
    2. What are the correct configurations for the profiles on ClearPass to support RBAC?
    3. Recommended troubleshooting steps to identify and resolve this issue.

    Thank you in advance for your assistance!

    Best regards,



  • 2.  RE: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass

    Posted Jul 08, 2024 08:10 AM

    Hi

    Do you see any authentication requests in Access Tracker at all?

    I don't think it should be needed, but in our config we always define a server-group:

    aaa server-group radius "CPPM" host <server-ip>

    and add this group as parameter in each of the lines, like this:
    aaa authentication ssh login radius server-group "CPPM" local

    In the enforcement profile you can return the Aruba-Admin-Role attribute to assign a predefined administrative role on the switch.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass

    Posted Jul 08, 2024 08:38 AM

    Hi Jonas,

    I have defined a server-group (named "clearpass") and I tried to use a configuration like:

    aaa authentication web login radius server-group clearpass local
    aaa authentication web enable radius server-group clearpass local
    aaa authentication ssh login radius server-group clearpass local
    aaa authentication ssh enable radius server-group clearpass local

    But it does not work for the web and SSH.

    This is my profile on clearpass:


    If you need more information, tell me.




  • 4.  RE: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass

    Posted Jul 08, 2024 09:46 AM

    Hi

    Do you get the request to ClearPass and get an Accept in Access Tracker and can you provide any logs from the switch?

    As you wrote in your initial post RADIUS does work for clients, so the RADIUS configuration on the switch should be ok and also the shared secret with ClearPass. I would like to see if the user login request hits the correct service in ClearPass and also verify that the service returns the correct enforcement profile.

    If all these steps are OK, the next step is to check



    ------------------------------
    Jonas Hammarbäck
    ------------------------------



  • 5.  RE: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass

    Posted Jul 09, 2024 02:22 AM

    Hi,

    I do not have tracking from this, but this is the log I got when I tried to authenticate from SSH and the web UI:
    W 03/03/24 15:46:19 00419 auth: Invalid user name/password on SSH session User
                '<radius_user>' is trying to login from x.x.x.254
    W 03/03/24 15:46:28 00419 auth: Invalid user name/password on SSH session User
                '<radius_user>' is trying to login from x.x.x.254
    W 03/03/24 15:46:37 00419 auth: Invalid user name/password on SSH session User
                '<radius_user>' is trying to login from x.x.x.254
    I 03/03/24 15:46:52 05933 ssl: SSL/TLS session started for WEB-UI from
                x.x.x.254.
    W 03/03/24 15:47:14 00419 auth: Invalid user name/password on WEB-UI session
                User 'unknown' is trying to login from x.x.x.254
    I 03/03/24 15:47:35 05934 ssl: SSL/TLS session closed for WEB-UI from
                x.x.x.254.
    W 03/03/24 15:47:40 00419 auth: Invalid user name/password on WEB-UI session
                User 'unknown' is trying to login from x.x.x.254

    NB: the last tests were from the local admin user.

    Regards.
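The event log above is also the evidence a SecOps team would want to alert on, not only troubleshoot from. The following is an added example, not part of this thread or of any HPE tooling, that parses event-log lines in the format the switch printed (including the indented continuation lines) and flags repeated failed management logins per source and session type. The excerpt it runs on is constructed to mirror the posted lines: the 192.0.2.254 address is from the RFC 5737 documentation range and the user name `netadmin` is made up.

```python
"""Parse ArubaOS-Switch event-log lines of the kind posted in this thread and flag
repeated failed management logins.  Added example, not from the thread; the excerpt
below is constructed (RFC 5737 address, made-up user name) to mirror the posted
format, including the indented continuation lines the switch wraps onto."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
W 03/03/24 15:46:19 00419 auth: Invalid user name/password on SSH session User
            'netadmin' is trying to login from 192.0.2.254
W 03/03/24 15:46:28 00419 auth: Invalid user name/password on SSH session User
            'netadmin' is trying to login from 192.0.2.254
W 03/03/24 15:46:37 00419 auth: Invalid user name/password on SSH session User
            'netadmin' is trying to login from 192.0.2.254
I 03/03/24 15:46:52 05933 ssl: SSL/TLS session started for WEB-UI from
            192.0.2.254.
W 03/03/24 15:47:14 00419 auth: Invalid user name/password on WEB-UI session
            User 'unknown' is trying to login from 192.0.2.254
I 03/03/24 15:47:35 05934 ssl: SSL/TLS session closed for WEB-UI from
            192.0.2.254.
W 03/03/24 15:47:40 00419 auth: Invalid user name/password on WEB-UI session
            User 'unknown' is trying to login from 192.0.2.254
"""

# severity letter, date/time, five-digit event code, module, message
HEADER = re.compile(r"^([A-Z]) (\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\d{5}) (\w+): (.*)$")
FAILED_LOGIN = re.compile(r"Invalid user name/password on (\S+) session User '([^']*)' "
                          r"is trying to login from (\S+)")


def unwrap(text):
    """Join indented continuation lines back onto the event line they belong to."""
    events = []
    for line in text.splitlines():
        if line[:1].isspace() and events:
            events[-1] += " " + line.strip()
        elif line.strip():
            events.append(line.rstrip())
    return events


def parse_events(text):
    out = []
    for ev in unwrap(text):
        m = HEADER.match(ev)
        if m:                                    # skip anything that is not an event line
            sev, ts, code, module, msg = m.groups()
            out.append({"severity": sev, "time": datetime.strptime(ts, "%m/%d/%y %H:%M:%S"),
                        "code": code, "module": module, "msg": msg})
    return out


def failed_logins(text):
    """Event 00419 is one failed management login: return session type, user and source."""
    fails = []
    for ev in parse_events(text):
        m = FAILED_LOGIN.search(ev["msg"]) if ev["code"] == "00419" else None
        if m:
            session, user, src = m.groups()
            fails.append({"time": ev["time"], "session": session, "user": user, "src": src})
    return fails


def bursts(text, threshold=3, window=timedelta(seconds=60)):
    """(source, session) pairs with at least `threshold` failures inside `window`,
    mapped to their total failure count.  The web UI logs the user as 'unknown',
    so grouping is by source and session rather than by user name."""
    times = defaultdict(list)
    for f in failed_logins(text):
        times[(f["src"], f["session"])].append(f["time"])
    hits = {}
    for key, ts in times.items():
        ts.sort()
        if any(ts[i + threshold - 1] - ts[i] <= window for i in range(len(ts) - threshold + 1)):
            hits[key] = len(ts)
    return hits


if __name__ == "__main__":
    for f in failed_logins(SAMPLE_LOG):
        print(f["time"], f["session"], f["user"], f["src"])
    print("bursts:", bursts(SAMPLE_LOG))
```

With the default threshold of three failures in sixty seconds, only the SSH attempts from 192.0.2.254 are flagged; the two web UI failures stay below it. The same parser can be pointed at a syslog export of the switch's event log, since the line format is the one shown in the thread.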




  • 6.  RE: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass

    Posted Jul 09, 2024 02:50 AM

    Hi

    That error message looks like you have got a reject from ClearPass. Please investigate in the Access Tracker if you get any error messages. Also, Herman has a good point that the 2930F doesn't use the Aruba RADIUS dictionary; instead it's using the HPE dictionary.

    But you can always use ClearPass to authenticate the users.



    ------------------------------
    Jonas Hammarbäck
    ------------------------------



  • 7.  RE: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass

    Posted Jul 08, 2024 10:50 AM

    The admin role that you return is in an Aruba RADIUS Attribute. The 2930F uses the HPE RADIUS Dictionary.

    I don't think you can assign an admin role through RADIUS. I could not find that in the documentation.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass

    Posted Jul 09, 2024 02:35 AM

    Hi,

    Thank you for the answer.

    Can you advise me? I don't know which HPE attribute I should use.

    I found this example (which is not working for me):
     • attribute 1:
          type: Radius:IETF
          name: Service-Type
          value: Administrative-User (6)

     • attribute 2:
          type: Radius:Hewlett-Packard-Enterprise
          name: HPE-Command-String
          value: any

     • attribute 3:
          type: Radius:Hewlett-Packard-Enterprise
          name: HPE-Command-Exception
          value: Deny-List (1)

    Is there any source that explains how the HPE dictionary works?

    Regards,




  • 9.  RE: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass

    Posted Jul 09, 2024 04:58 AM

    It looks like this post can help you. I don't have personal experience with authorizing commands through RADIUS with AOS-Switch. Found some very old switch documentation covering the VSAs. I personally was not aware of this functionality and have not seen recent documentation, it may be deprecated (but still work).



    ------------------------------
    Herman Robers
    ------------------------------



  • 10.  RE: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass
    Best Answer

    Posted Aug 23, 2024 08:48 AM

    Hi,
    I found the solution; here is my configuration:

    RBAC from the switch:

    radius-server host 10.240.3.1 dyn-authorization
    aaa authorization commands radius
    aaa authorization commands access-level manager
    aaa authentication login privilege-mode
    aaa authentication ssh login radius local
    aaa authentication web login radius local


    Enforcement profiles from the ClearPass interface:


    Finally, the thing that blocked everything in my case was a rule in a service:

    I was using "login user" instead of "NAS-Prompt-User".

    Best regards,
    Normann
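Two points in this thread are easier to see on the wire than in the ClearPass UI: the question of how the HPE dictionary attributes (Service-Type, HPE-Command-String, HPE-Command-Exception) are carried, and the final fix, where the service rule had to match NAS-Prompt-User rather than Login-User. The following is an added example, not code from the thread, from HPE or from ClearPass, that encodes and decodes those attributes as RFC 2865 TLVs and Vendor-Specific attributes. The vendor ID 11 (Hewlett-Packard) and the HPE-Command-* attribute numbers and values are taken from the public FreeRADIUS dictionary.hp; that a management login request carries Service-Type NAS-Prompt-User (7) is an assumption consistent with the fix above, and every packet in the block is constructed rather than captured.

```python
"""RFC 2865 attribute encoding for the switch <-> ClearPass exchange discussed in
this thread.  Added example; not code from the thread, from HPE or from ClearPass.
Vendor ID 11 (Hewlett-Packard) and the HPE-Command-* attribute numbers and values
come from the public FreeRADIUS dictionary.hp; every packet here is constructed."""
import struct

USER_NAME, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 6, 26          # RFC 2865 attribute types
LOGIN_USER, ADMINISTRATIVE_USER, NAS_PROMPT_USER = 1, 6, 7   # Service-Type values
HPE_VENDOR = 11                                              # IANA enterprise number for HP
HPE_COMMAND_STRING, HPE_COMMAND_EXCEPTION = 2, 3             # HPE vendor attribute numbers
PERMIT_LIST, DENY_LIST = 0, 1                                # HPE-Command-Exception values


def encode_avp(attr_type, value):
    """Type | Length | Value.  Integers are 4-byte big-endian; strings raw bytes."""
    data = value if isinstance(value, bytes) else struct.pack(">I", value)
    if len(data) > 253:                        # Length is one octet and includes the header
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, 2 + len(data)) + data


def encode_vsa(vendor, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id followed by one inner TLV (RFC 2865 s5.26)."""
    return encode_avp(VENDOR_SPECIFIC, struct.pack(">I", vendor) + encode_avp(vendor_type, value))


def decode_avps(buf):
    """Return [(attr_type, vendor_or_None, value_bytes)], unwrapping Vendor-Specific."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, ln = buf[i], buf[i + 1]
        if ln < 2 or i + ln > len(buf):
            raise ValueError("bad attribute length at offset %d" % i)
        val = buf[i + 2:i + ln]
        if t == VENDOR_SPECIFIC:
            if len(val) < 6:
                raise ValueError("short VSA at offset %d" % i)
            vendor, vt, vl = struct.unpack(">I", val[:4])[0], val[4], val[5]
            if vl < 2 or 4 + vl > len(val):
                raise ValueError("bad VSA length at offset %d" % i)
            out.append((vt, vendor, val[6:4 + vl]))
        else:
            out.append((t, None, val))
        i += ln
    return out


def as_int(value):
    return struct.unpack(">I", value)[0]


def login_request(username, service_type=NAS_PROMPT_USER):
    """Attributes the switch sends for a management login.  Assumption, consistent with
    the fix at the end of the thread: the login request carries Service-Type
    NAS-Prompt-User (7), so a service rule written for Login-User (1) never matches it."""
    return encode_avp(USER_NAME, username.encode()) + encode_avp(SERVICE_TYPE, service_type)


def service_rule_matches(request, required_service_type):
    """Mirror of a ClearPass service rule 'Radius:IETF Service-Type EQUALS <value>'."""
    return any(t == SERVICE_TYPE and vendor is None and as_int(val) == required_service_type
               for t, vendor, val in decode_avps(request))


def manager_accept():
    """The three attributes of the enforcement profile posted earlier in the thread."""
    return (encode_avp(SERVICE_TYPE, ADMINISTRATIVE_USER)
            + encode_vsa(HPE_VENDOR, HPE_COMMAND_STRING, b"any")
            + encode_vsa(HPE_VENDOR, HPE_COMMAND_EXCEPTION, DENY_LIST))


def describe_accept(buf):
    """Name the attributes of an Access-Accept the way a NAS using the HPE dictionary would."""
    names = {(SERVICE_TYPE, None): "Service-Type",
             (HPE_COMMAND_STRING, HPE_VENDOR): "HPE-Command-String",
             (HPE_COMMAND_EXCEPTION, HPE_VENDOR): "HPE-Command-Exception"}
    result = {}
    for t, vendor, val in decode_avps(buf):
        name = names.get((t, vendor), "attr %d (vendor %s)" % (t, vendor))
        result[name] = val.decode() if name == "HPE-Command-String" else (
            as_int(val) if len(val) == 4 else val.hex())
    return result


if __name__ == "__main__":
    req = login_request("netadmin")                 # constructed, not captured
    print("rule on NAS-Prompt-User matches:", service_rule_matches(req, NAS_PROMPT_USER))
    print("rule on Login-User matches:     ", service_rule_matches(req, LOGIN_USER))
    print(describe_accept(manager_accept()))
```

Running the block shows the mismatch from the thread directly: the same Access-Request matches a rule on NAS-Prompt-User and misses one on Login-User, which is the difference between the user reaching the enforcement profile and getting the reject the switch logged as "Invalid user name/password". When checking an Access-Tracker entry, compare the decoded attribute names against the ones the profile is supposed to return; an attribute that shows up under an Aruba vendor ID instead of vendor 11 will not be read by a switch using the HPE dictionary.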