Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor I

ArubaOS 2930F TACACS integration assistance

Hello Airheads,

I have been assigned the task of implementing TACACS on a few Aruba 2930F switches. We have a CPPM server 172.16.101.149 (server VLAN) and a dedicated RADIUS server 172.16.8.149 in the network.

Both servers are reachable from the switches. Administrators will be required to access the switches with their domain credentials. I have prepared the following configuration, in this particular order, to implement TACACS.

tacacs-server host 172.16.101.149 key "ArubaOS123"
tacacs-server host 172.16.8.149 key "ArubaOS123"

aaa authentication login privilege-mode
aaa authentication ssh login tacacs
aaa authentication ssh enable tacacs
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authentication enable
aaa authorization commands tacacs
aaa accounting commands stop-only tacacs
aaa accounting exec start-stop tacacs
aaa accounting system stop-only tacacs

Please verify whether any additional commands or corrections are required, and whether there are any precautions I need to take before implementing these. I have SSH access to the switch; physical access to the switch is not possible.

MVP

Re: ArubaOS 2930F TACACS integration assistance

Hey,

Just a thought.

You may want to add local authentication as a secondary SSH method, in case your TACACS server goes offline?

Just take this scenario: your TACACS goes offline and you want to troubleshoot the switch it is connected to. But you can't log in to the switch, because TACACS is offline.

Maybe not a real scenario in your case though.

Aranya AB, Sweden
ACMP, ACCA, CWNA, CWDP
Occasional Contributor I

Re: ArubaOS 2930F TACACS integration assistance

Sure dojjan, it is good practice to have local as a secondary method. Any more suggestions in this case that could help, sir?

MVP

Re: ArubaOS 2930F TACACS integration assistance

Here is my typical 2930 TACACS template:

tacacs-server host 172.16.10.3 key "RADIUSKEY"
tacacs-server timeout 5
aaa authentication login privilege-mode

###SSH###
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local

###TELNET###
aaa authentication telnet login tacacs local
aaa authentication telnet enable tacacs local

###CONSOLE###
aaa authentication console login tacacs local
aaa authentication console enable tacacs local

aaa authorization commands auto

no web-management management-url
no telnet-server
Kind Regards, Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
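The lock-out risk dojjan describes and the "tacacs local" pattern in the template above can be checked mechanically before a config is pushed over SSH. The following Python script is an added example, not code from this thread or from Aruba: it parses the "aaa authentication" lines of a constructed ArubaOS-Switch config snippet (the lines from the first post) and flags any access path whose primary method is tacacs or radius without a local secondary, plus the two other hardening lines from the template. The helper name find_lockout_risks is hypothetical.

```python
import re

# Constructed sample: the AAA lines from the first post, used to exercise the
# checker offline. This is not a real switch's running config.
SAMPLE_CONFIG = """\
tacacs-server host 172.16.101.149 key "ArubaOS123"
tacacs-server host 172.16.8.149 key "ArubaOS123"
aaa authentication login privilege-mode
aaa authentication ssh login tacacs
aaa authentication ssh enable tacacs
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authorization commands tacacs
"""

# Matches "aaa authentication <access> <login|enable> <primary> [secondary]".
AUTH_LINE = re.compile(
    r"^aaa authentication (?P<access>ssh|telnet|console|web) "
    r"(?P<stage>login|enable) (?P<methods>\S+(?: \S+)*)$"
)

# Hypothetical helper name; the checks mirror the advice given in the thread.
def find_lockout_risks(config_text):
    """Return a list of human-readable findings for an ArubaOS-Switch config.

    A line is flagged when its primary method is a remote server (tacacs or
    radius) and no 'local' or 'none' secondary follows it: if that server is
    unreachable, the access path cannot be used to recover the switch.
    """
    findings = []
    for raw in config_text.splitlines():
        m = AUTH_LINE.match(raw.strip())
        if not m:
            continue
        methods = m.group("methods").split()
        remote_primary = methods[0] in ("tacacs", "radius")
        has_fallback = len(methods) > 1 and methods[1] in ("local", "none")
        if remote_primary and not has_fallback:
            findings.append(
                f"{m.group('access')} {m.group('stage')}: "
                f"no local fallback after {methods[0]}"
            )
    # Lines from the template that limit exposure when TACACS is slow or down.
    if "tacacs-server timeout" not in config_text:
        findings.append("tacacs-server timeout not set explicitly")
    if "no telnet-server" not in config_text:
        findings.append("telnet-server not disabled (no telnet-server missing)")
    return findings

if __name__ == "__main__":
    for finding in find_lockout_risks(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Run it against the output of "show running-config" saved to a file; an empty result means every remote-authenticated path has a local fallback and the two template lines are present.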
MVP Expert

Re: ArubaOS 2930F TACACS integration assistance

@kingdumb wrote:

Sure dojjan, It is a good practice to have a secondary method local. Any more suggestions in this case that could help sir?

Temporarily enable telnet... with only a local account ;-)

PowerArubaSW: PowerShell module to use the Aruba Switch API for VLAN, VlanPorts, LACP, LLDP...
PowerArubaCP: PowerShell module to use the ClearPass API (create NAD, Guest...)
PowerArubaCX: PowerShell module to use the ArubaCX API (get interface/vlan/ports info)
PowerArubaIAP: PowerShell module to use Aruba Instant AP
ACMP 6.4 / ACMX #107 / ACCP 6.5
MVP Expert

Re: ArubaOS 2930F TACACS integration assistance

Greetings!

If you're still looking for other suggestions for controlling access to your switches, you may wish to refer to the ArubaOS-Switch Hardening Guide — it covers TACACS authentication, authorization, and accounting, as well as numerous other recommendations for preventing unauthorized access or denial of service.

Matt Fern
Technical Marketing Engineer, Wired Intelligent Edge

Aruba, a Hewlett Packard Enterprise company

8000 FOOTHILLS BLVD  |  ROSEVILLE, CA 95747
T: 916.540.1759  |  E: mfern@hpe.com   |   Matt @ Twitter