Authorising commands on ProCurve/AOSS with RADIUS
02-06-2018 05:28 AM - edited 02-06-2018 05:35 AM
A RADIUS server such as ClearPass can be used to control which commands an authenticated user can run on the CLI of a switch. Different users or user groups can be given granular access to CLI commands, based on whitelists or blacklists.
How it works
When the NAS (switch) sends the RADIUS server a valid user name and password, the RADIUS server (ClearPass) returns an Access-Accept packet that contains two additional attributes: the command list (HP-Command-String) and the command exception flag (HP-Command-Exception). Each time the authenticated user enters a command on the switch, the switch checks that list to decide whether the user is permitted to execute the command.
After the Access-Accept packet is delivered, the command list resides on the switch. Any changes to the user's command list on the RADIUS server are not seen until the user is authenticated again.
The table "HPE command string and exception" in the Access Security Guide shows how to combine the HP-Command-String and HP-Command-Exception attributes for various outcomes.
This document assumes a working ClearPass and switch configuration, with switch logins already authenticated by RADIUS, and focusses on the additional config to enable command authorisation. It extends and updates Jamie's "HPE Switch Management Authentication with ClearPass".
The key additional command on the switch is:
aaa authorization commands radius
You may want to keep an SSH session open on the switch as you test to make sure you don't lock yourself out.
Make sure you have the latest RADIUS dictionary for Hewlett Packard Enterprise installed (31 or more entries); in CPPM it is found under Administration\Dictionaries\RADIUS.
I already had the Service "Switch Authentication - ProCurve_AOSS" for RADIUS logins to switches.
The existing profile was renamed to "Allow Access Profile - ProCurve AOSS Admin", and an additional profile, "Allow Access Profile - ProCurve AOSS Operator", was created.
The admin profile needed to be modified to enable all commands to be run (otherwise the login would not complete). All commands will run except those listed (and none are listed).
The operator profile has a much more restrictive set of commands. Only the commands in the list will run:
These enforcement profiles need to be linked in the Service.
Admin Group User
Logged in as "nadmin", a member of network admins group
bvcore01# conf
bvcore01(config)#
Successful login and full access to all commands.
Operator Group User
Logged in as "operator1", a member of the operators group
bvcore01# conf
Not authorized to execute this command.
bvcore01# sh ver
Image stamp:    /ws/swbuildm/maint_spokane_qaoff/code/build/btm(swbuildm_maint_spokane_qaoff_maint_spokane)
                Dec 21 2017 21:31:18
                K.16.02.0022m
                435
Boot Image:     Primary
Boot ROM Version:    K.15.30
bvcore01# chassislocate blink 1
bvcore01# ssh 172.20.100.9
Not authorized to execute this command.
Only commands in the enforcement profile for operators are able to run.
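To make the switch-side check described under "How it works" concrete, here is an added model of it in Python. It is not HPE switch firmware or ClearPass code. It assumes that HP-Command-String carries command patterns separated by ";" and matched as regular expressions against the full command, that HP-Command-Exception 0 means "only the listed commands run" (the operator profile) and 1 means "everything except the listed commands runs" (the admin profile), and it uses a small constructed keyword table so that abbreviations such as "sh ver" expand the way the switch CLI does. The operator list "show .*;chassislocate .*" is constructed to reproduce the session above; check the attribute values in your own dictionary.

```python
import re
from dataclasses import dataclass

# HP-Command-Exception values as modelled here (assumption, not from the page):
PERMIT_LIST = 0  # only commands matching HP-Command-String may run
DENY_LIST = 1    # every command may run except those matching HP-Command-String

# Constructed Access-Accept attributes for the two enforcement profiles.
OPERATOR_ACCEPT = {"HP-Command-String": "show .*;chassislocate .*",
                   "HP-Command-Exception": PERMIT_LIST}
ADMIN_ACCEPT = {"HP-Command-String": "",          # nothing listed ...
                "HP-Command-Exception": DENY_LIST}  # ... so everything runs

# Constructed CLI vocabulary used to expand abbreviations (hypothetical subset).
KEYWORDS = ("configure", "show", "version", "chassislocate", "blink",
            "ssh", "interfaces", "running-config")


@dataclass(frozen=True)
class CommandPolicy:
    """Authorisation state the switch keeps after the Access-Accept.

    It is built once at login; later changes on the RADIUS server are
    not seen until the user authenticates again."""
    patterns: tuple
    exception: int


def policy_from_access_accept(attrs):
    """Parse HP-Command-String / HP-Command-Exception into a CommandPolicy."""
    raw = attrs.get("HP-Command-String", "")
    patterns = tuple(re.compile(p.strip()) for p in raw.split(";") if p.strip())
    return CommandPolicy(patterns, int(attrs.get("HP-Command-Exception", PERMIT_LIST)))


def expand(command):
    """Expand each token that is an unambiguous prefix of exactly one keyword.

    Ambiguous tokens ("s" could be show or ssh) and non-keywords such as
    numbers or IP addresses are left as typed."""
    out = []
    for tok in command.split():
        hits = [k for k in KEYWORDS if k.startswith(tok)]
        out.append(hits[0] if len(hits) == 1 else tok)
    return " ".join(out)


def authorize(policy, command):
    """Return True if the command may run under the cached policy."""
    full = expand(command)
    listed = any(p.fullmatch(full) for p in policy.patterns)
    if policy.exception == DENY_LIST:
        return not listed
    return listed  # PERMIT_LIST: fail closed for anything not on the list


def replay(policy, commands):
    """Evaluate a sequence of typed commands; returns (command, allowed) pairs."""
    return [(c, authorize(policy, c)) for c in commands]


if __name__ == "__main__":
    session = ["conf", "sh ver", "chassislocate blink 1", "ssh 172.20.100.9"]
    operator = policy_from_access_accept(OPERATOR_ACCEPT)
    for cmd, ok in replay(operator, session):
        print(f"operator1: {cmd!r:28} -> {'ok' if ok else 'Not authorized to execute this command.'}")
    admin = policy_from_access_accept(ADMIN_ACCEPT)
    for cmd, ok in replay(admin, session):
        print(f"nadmin:    {cmd!r:28} -> {'ok' if ok else 'Not authorized'}")
```

Running it reproduces the two sessions above: the operator is refused "conf" and "ssh", allowed "sh ver" and "chassislocate blink 1", while the admin, whose list is empty and whose exception flag is set, can run everything. Note that with an empty list and the exception flag cleared the policy would deny every command, which is the lock-out the admin profile change above avoids.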
The Access Tracker view
The console port is currently not configured for RADIUS login, so you can always connect with a serial console cable.
- HPE Switch Management Authentication with ClearPass by Jamie Easley
- Access Security Guide for ArubaOS-Switch 16.05
Richard Litchfield, HPE Aruba
Regional Category Manager, APJ – Campus Switching