Occasional Contributor I

Admin logins to AOS-CX switches with Clearpass

Good morning,

We are moving from Windows NPS to ClearPass, amongst other things for logging on to our infrastructure devices. We have a mix of Aruba, ArubaOS-CX and Comware switches that are using NPS for admin logins with AD credentials without problems.

I've created the same RADIUS service in ClearPass and changed the radius-server host to ClearPass. Login works for all 3 switch types, but for the ArubaOS-CX switches I am unable to execute any command; the message is "Cannot execute command. Command not allowed."

Some screenshots of the working NPS return attributes:

[screenshot: krisv_1-1596704483534.png]

[screenshot: krisv_3-1596704527877.png]

How this translates to ClearPass:

[screenshot: krisv_4-1596704625748.png]

This works for ArubaOS and Comware, but for ArubaOS-CX I can't get any commands executed.

The AOS-CX device in ClearPass is configured with vendor name "Aruba".

What I've tried:

- move to TACACS instead of RADIUS - same thing, logon works but no commands
- configure extra VSAs on the ClearPass enforcement profile to return to the switch: aruba-command-string (with some test commands), aruba-priv-admin-user (value 7 and others) - same thing; aruba-user-group (administrators) - same thing

AOS-CX version is:

[screenshot: krisv_5-1596704799036.png]

Any idea what I am missing?

Kind regards,

Kris


All Replies

Occasional Contributor I
Occasional Contributor I

Re: Admin logins to AOS-CX switches with Clearpass

No ideas, anybody?

Thx,

Kris

New Contributor (Accepted Solution)

Re: Admin logins to AOS-CX switches with Clearpass

Haven't tried with RADIUS, but I had the same issue logging into an AOS-CX switch using ClearPass TACACS; resolved it by changing the return value for Aruba-Admin-Role to administrators.

[screenshot: cp tac.JPG]

Super Contributor II

Re: Admin logins to AOS-CX switches with Clearpass

Steve_L has a correct configuration. The administrator role will need to be returned to map a user to the right administrative role on the switch. administrators, auditors, and operators are built in. You can create your own roles with rules with the "user-group <groupname>" command. You can then set a set of CLI commands that are allowed to run, or which ones to deny.

[screenshot: Dustin-Burns_0-1600864757023.png]

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSP | ACDA | ACEP | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!
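The two replies above come down to one wire-level detail: the Access-Accept must carry the Aruba-Admin-Role vendor-specific attribute, and returning Aruba-Priv-Admin-User (the NPS-era attribute) on its own is not enough for AOS-CX. The following Python, added here as an illustration and not code from the thread, ClearPass or Aruba, encodes a RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) for Aruba's enterprise number 14823, decodes it the way a switch would, and flags an enforcement profile that lacks Aruba-Admin-Role. The vendor attribute numbers (1, 3, 4) are assumed from the FreeRADIUS dictionary.aruba and the table is deliberately partial; the sample profiles are constructed for this example.

```python
import struct

ARUBA_VENDOR_ID = 14823  # IANA private enterprise number for Aruba

# Vendor-specific attribute numbers as recalled from the FreeRADIUS
# "dictionary.aruba" (assumption; only the attributes named in this thread).
ARUBA_VSA_NAMES = {
    1: "Aruba-User-Role",
    3: "Aruba-Priv-Admin-User",   # integer
    4: "Aruba-Admin-Role",        # string, e.g. "administrators"
}
ARUBA_VSA_TYPES = {name: num for num, name in ARUBA_VSA_NAMES.items()}

# Built-in AOS-CX administrative groups mentioned in the thread.
BUILTIN_ADMIN_ROLES = {"administrators", "auditors", "operators"}


def encode_vsa(vendor_type, value):
    """Encode one Aruba VSA as a RADIUS Vendor-Specific (26) attribute.

    Layout: Type(26) Length | Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) Value
    """
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    vendor_data = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", ARUBA_VENDOR_ID) + vendor_data
    return struct.pack("!BB", 26, 2 + len(body)) + body


def encode_aruba_attributes(attrs):
    """attrs: {attribute name: value}, e.g. {"Aruba-Admin-Role": "administrators"}."""
    return b"".join(encode_vsa(ARUBA_VSA_TYPES[n], v) for n, v in attrs.items())


def decode_attributes(data):
    """Walk a RADIUS attribute list and return the Aruba VSAs it carries.

    Non-VSA attributes and other vendors are skipped; unknown Aruba numbers are
    reported as "Aruba-VSA-<n>" so nothing the NAS receives is silently dropped.
    """
    found = {}
    pos = 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        body = data[pos + 2:pos + alen]
        pos += alen
        if atype != 26 or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != ARUBA_VENDOR_ID:
            continue
        vpos = 4
        while vpos + 2 <= len(body):
            vtype, vlen = body[vpos], body[vpos + 1]
            if vlen < 2 or vpos + vlen > len(body):
                raise ValueError("malformed vendor data at offset %d" % vpos)
            vbody = body[vpos + 2:vpos + vlen]
            vpos += vlen
            name = ARUBA_VSA_NAMES.get(vtype, "Aruba-VSA-%d" % vtype)
            if name == "Aruba-Priv-Admin-User" and len(vbody) == 4:
                found[name] = struct.unpack("!I", vbody)[0]
            else:
                found[name] = vbody.decode(errors="replace")
    return found


def check_admin_role(attrs):
    """Return (ok, reason): does this reply map the user to an AOS-CX admin group?"""
    role = attrs.get("Aruba-Admin-Role")
    if role is None:
        return False, ("Aruba-Admin-Role missing: login can succeed while every "
                       "command is refused with 'Command not allowed'")
    if role in BUILTIN_ADMIN_ROLES:
        return True, "Aruba-Admin-Role=%s maps to a built-in group" % role
    return True, ("Aruba-Admin-Role=%s is a custom group; it must exist on the "
                  "switch as 'user-group %s'" % (role, role))


if __name__ == "__main__":
    # Constructed profiles: the NPS-style one from the question and the fix.
    for label, profile in [("NPS-style", {"Aruba-Priv-Admin-User": 7}),
                           ("fixed", {"Aruba-Admin-Role": "administrators"})]:
        seen = decode_attributes(encode_aruba_attributes(profile))
        print(label, seen, check_admin_role(seen))
```

Feeding a real Access-Accept's attribute bytes (for example the attribute section of a packet capture between the switch and ClearPass) to `decode_attributes` shows exactly which Aruba VSAs the enforcement profile emits, which is the quickest way to confirm whether the role attribute is present before touching switch-side user-group configuration.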