Original Message:
Sent: Jul 09, 2024 04:57 AM
From: Herman Robers
Subject: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass
It looks like this post can help you. I don't have personal experience with authorizing commands through RADIUS with AOS-Switch. I found some very old switch documentation covering the VSAs. I personally was not aware of this functionality and have not seen recent documentation; it may be deprecated (but still work).
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jul 09, 2024 02:34 AM
From: Normann
Subject: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass
Hi,
Thank you for the answer.
Can you advise me? I don't know which HPE attribute I should use.
I found this example (which is not working for me):
• Attribute 1:
  type: Radius:IETF
  name: Service-Type
  value: Administrative-User (6)
• Attribute 2:
  type: Radius:Hewlett-Packard-Enterprise
  name: HPE-Command-String
  value: any
• Attribute 3:
  type: Radius:Hewlett-Packard-Enterprise
  name: HPE-Command-Exception
  value: Deny-List (1)
Is there any source that explains how the HPE dictionary works?
Regards,
Original Message:
Sent: Jul 08, 2024 10:49 AM
From: Herman Robers
Subject: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass
The admin role that you return is in an Aruba RADIUS Attribute. The 2930F uses the HPE RADIUS Dictionary.
I don't think you can assign an admin role through RADIUS. I could not find that in the documentation.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Jul 08, 2024 08:37 AM
From: Normann
Subject: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass
Hi Jonas,
I have defined a server-group (named "clearpass") and I tried to use a configuration like:
aaa authentication web login radius server-group clearpass local
aaa authentication web enable radius server-group clearpass local
aaa authentication ssh login radius server-group clearpass local
aaa authentication ssh enable radius server-group clearpass local
But it does not work for the web and ssh.
This is my profile on clearpass:
If you need more information, tell me.
Original Message:
Sent: Jul 08, 2024 08:09 AM
From: jonas.hammarback
Subject: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass
Hi
Do you see any authentication requests in Access Tracker at all?
I don't think it should be needed, but in our config we always define a server-group:
aaa server-group radius "CPPM" host <server-ip>
and add this group as parameter in each of the lines, like this:
aaa authentication ssh login radius server-group "CPPM" local
In the enforcement profile you can return the Aruba-Admin-Role attribute to assign a predefined administrative role on the switch.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jul 08, 2024 03:30 AM
From: Normann
Subject: Subject: Assistance Needed: Configuring RBAC on Aruba 2930F with ClearPass
Hello Aruba Community,
I am currently working on setting up Role-Based Access Control (RBAC) for SSH and web management on an Aruba 2930F switch using Aruba OS X 16.11, integrated with ClearPass for user authentication and authorization.
Current Setup:
- My RADIUS connection is established.
- I can authenticate endpoints correctly.
RBAC Configuration:
I have tried to configure the switch as follows:
radius-server host <ClearPass_IP> dynamic-authorization
aaa authentication login privilege-mode
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication console login local
aaa authentication console enable local
aaa authentication web login radius local
aaa authentication web enable radius local
aaa authorization commands radius
aaa authorization commands access-level manager
NB:
I also have a working device with Comware OS, if that context is helpful for troubleshooting.
Issues:
Despite these configurations, the RBAC settings do not seem to be applied correctly. Users are logging in via SSH or the web interface.
Request for Assistance:
I am new to this technology and would greatly appreciate any guidance or insights on the following:
- Are there any additional configurations required on the switch to ensure RBAC functions correctly?
- What are the correct configurations for the profiles on ClearPass to support RBAC?
- Recommended troubleshooting steps to identify and resolve this issue.
Thank you in advance for your assistance!
Best regards,