New Contributor

2530 switch Read Only access via Radius Authentication

We have Aruba 2530 switches authenticating CLI logons against a FortiAuthenticator Radius server setup for multi-factor.


We are now trying to setup Solarwinds Kiwi Cattools to log in and retrieve the configuration on a schedule to alert for changes and report them to our security team.


We want the user account used by this application to have read-only access to the full configuration, is there a way to grant this via a Radius Attribute? I'd rather not provide full admin access to this account.

Super Contributor II

Re: 2530 switch Read Only access via Radius Authentication

See below to make sure the switch honors the privilege level returned by the radius server. This is a standard Radius attribute to send back:


Server-Supplied Privilege Level 


Login privilege level instructs the switch to accept the authenticating user’s command level (manager or operator) that is supplied by the server. This allows manager-level users to skip the login context and proceed immediately to enable context, thus eliminating the need for a manager-level user to login twice.


To allow the switch to accept the privilege level provided by the server, use the following configuration command: 

switch(config)# aaa authentication login privilege-mode 


To supply a privilege level for a user account on a RADIUS server, specify the “Service-Type” attribute in the user’s credentials: 

  • Service-Type = 6 allows manager-level access 
  • Service-Type = 7 allows operator-level access 
  • A user with no Service-Type, or a Service-Type not equal to 6 or 7, is denied access 


To supply a privilege level for a user account on a TACACS server, specify the “Max Privilege” level in the user’s credentials: 

  • Max-privilege = 15 allows manager-level access 
  • Max-privilege = 0 allows only operator-level access


Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSP | ACDA | ACEP | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!
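To make the Service-Type rule above concrete, here is an added example (not code from the thread, Aruba, or FortiAuthenticator) that decodes the attribute TLVs of a RADIUS Access-Accept and applies the switch's mapping: Service-Type 6 is manager, 7 is operator, anything else is denied. The sample packets are constructed with a zeroed authenticator and the Response Authenticator / shared-secret check is skipped, which a real switch would not do.

```python
import struct

ACCESS_ACCEPT = 2          # RADIUS code for Access-Accept (RFC 2865)
SERVICE_TYPE = 6           # RFC 2865 attribute type for Service-Type
# Mapping described in the post: 6 = manager, 7 = operator, else denied
PRIVILEGE_BY_SERVICE_TYPE = {6: "manager", 7: "operator"}


def parse_radius(packet: bytes):
    """Return (code, {attr_type: [raw values]}) for one RADIUS packet.

    Layout: code(1) id(1) length(2) authenticator(16), then attribute TLVs
    of type(1) length(1, counting type+length bytes) value(length-2).
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def privilege_for_response(packet: bytes) -> str:
    """Apply the switch's rule to a server response; any doubt means 'denied'."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return "denied"
    values = attrs.get(SERVICE_TYPE, [])
    # Exactly one 4-byte integer Service-Type is expected; otherwise deny
    if len(values) != 1 or len(values[0]) != 4:
        return "denied"
    (service_type,) = struct.unpack("!I", values[0])
    return PRIVILEGE_BY_SERVICE_TYPE.get(service_type, "denied")


def build_accept(ident: int, service_type=None) -> bytes:
    """Constructed sample Access-Accept (zeroed authenticator, not a real reply)."""
    attrs = b""
    if service_type is not None:
        attrs = struct.pack("!BBI", SERVICE_TYPE, 6, service_type)
    body = bytes(16) + attrs
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 4 + len(body)) + body
```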
New Contributor

Re: 2530 switch Read Only access via Radius Authentication

Thank you for the suggestion. I've already tried this one, however, service-type=7 doesn't allow a "show run".


What I need is a manager level with read-only capabilities.
