Wired Intelligent Edge


ArubaOS 2930F TACACS integration assistance

  • 1.  ArubaOS 2930F TACACS integration assistance

    Posted Oct 12, 2018 03:10 AM

    Hello Airheads,

    I have been assigned the task of implementing TACACS on a few Aruba 2930F switches. We have a CPPM server, 172.16.101.149 (server VLAN), and a dedicated RADIUS server, 172.16.8.149, in the network.

     

    Both servers are reachable from the switches. Administrators will be required to access the switches with their domain credentials. I have prepared the following configuration, in this order, to implement TACACS.

     

    tacacs-server host 172.16.101.149 key "ArubaOS123"
    tacacs-server host 172.16.8.149 key "ArubaOS123"

    aaa authentication login privilege-mode
    aaa authentication ssh login tacacs
    aaa authentication ssh enable tacacs
    aaa authentication console login tacacs local
    aaa authentication console enable tacacs local
    aaa authentication enable
    aaa authorization commands tacacs
    aaa accounting commands stop-only tacacs
    aaa accounting exec start-stop tacacs
    aaa accounting system stop-only tacacs

     

    Please verify whether any additional commands or corrections are required, and whether there are any precautions I need to take before implementing these. I have SSH access to the switch; physical access to the switch is not possible.



  • 2.  RE: ArubaOS 2930F TACACS integration assistance

    Posted Oct 12, 2018 03:29 AM

    Hey,

     

    Just a thought.

    You may want to add local authentication as a secondary SSH method in case your TACACS server goes offline.

     

    Just take this scenario: your TACACS goes offline and you want to troubleshoot the switch it is connected to, but you can't log in to the switch because it's offline.

    Maybe not a real scenario in your case though.



  • 3.  RE: ArubaOS 2930F TACACS integration assistance

    Posted Oct 12, 2018 04:06 AM

    Sure dojjan, it is good practice to have local as a secondary method. Any more suggestions that could help in this case, sir?



  • 4.  RE: ArubaOS 2930F TACACS integration assistance

    MVP GURU
    Posted Oct 14, 2018 08:23 AM

     


    @kingdumb wrote:

    Sure dojjan, It is a good practice to have a secondary method local. Any more suggestions in this case that could help sir?


    Temporarily enable telnet... with only a local account ;-)



  • 5.  RE: ArubaOS 2930F TACACS integration assistance

    MVP EXPERT
    Posted Oct 13, 2018 07:38 AM
    Here is my typical 2930 TACACS template

    tacacs-server host 172.16.10.3 key "RADIUSKEY"
    tacacs-server timeout 5
    aaa authentication login privilege-mode

    ###SSH###
    aaa authentication ssh login tacacs local
    aaa authentication ssh enable tacacs local

    ###TELNET###
    aaa authentication telnet login tacacs local
    aaa authentication telnet enable tacacs local

    ###CONSOLE###
    aaa authentication console login tacacs local
    aaa authentication console enable tacacs local

    aaa authorization commands auto

    no web-management management-url
    no telnet-server

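The point raised in reply 2 (local fallback if TACACS+ goes away) and the template in reply 5 can be checked mechanically. The following is an added example, not code from this thread or from HPE Aruba: it parses the `aaa authentication` lines of an ArubaOS-Switch config and reports which management paths have no explicit `local` fallback behind `tacacs`, plus whether `tacacs-server timeout` and `no telnet-server` are present as in the template above. It understands only the command shapes that appear in this thread (that is my assumption, not the full command reference) and does not model whatever default secondary method the switch itself applies when none is given.

```python
"""Added example (not from the thread): a checker for ArubaOS-Switch AAA lines.

Assumed command shapes (only those seen in this thread are parsed):
  aaa authentication <console|ssh|telnet|web> <login|enable> <primary> [<secondary>]
  tacacs-server host <ip> key "<key>"
  tacacs-server timeout <seconds>
  no telnet-server
"""
import re
from dataclasses import dataclass, field

AUTH_LINE = re.compile(
    r"^\s*aaa authentication (console|ssh|telnet|web)\s+(login|enable)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass
class AaaReport:
    tacacs_hosts: list = field(default_factory=list)
    lockout_paths: list = field(default_factory=list)   # e.g. "ssh login"
    warnings: list = field(default_factory=list)


def parse_auth_methods(config_text):
    """Map (access, stage) -> ordered method list, e.g. ('ssh', 'login') -> ['tacacs', 'local']."""
    methods = {}
    for line in config_text.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            access, stage, primary, secondary = m.groups()
            methods[(access, stage)] = [primary] + ([secondary] if secondary else [])
    return methods


def check_config(config_text):
    """Return an AaaReport for one switch configuration."""
    report = AaaReport()
    report.tacacs_hosts = re.findall(r"^\s*tacacs-server host (\S+)", config_text, re.M)
    for (access, stage), chain in sorted(parse_auth_methods(config_text).items()):
        # Primary 'tacacs' with no explicit 'local' after it: unreachable servers
        # leave this path with no configured fallback
        if chain[0] == "tacacs" and "local" not in chain[1:]:
            report.lockout_paths.append(f"{access} {stage}")
    if report.tacacs_hosts and not re.search(r"^\s*tacacs-server timeout \d+", config_text, re.M):
        report.warnings.append("tacacs-server timeout not set explicitly")
    if not re.search(r"^\s*no telnet-server\s*$", config_text, re.M):
        report.warnings.append("config does not contain 'no telnet-server'")
    return report


# Constructed sample: the configuration from the first post in this thread
POST1_CONFIG = """\
tacacs-server host 172.16.101.149 key "ArubaOS123"
tacacs-server host 172.16.8.149 key "ArubaOS123"
aaa authentication login privilege-mode
aaa authentication ssh login tacacs
aaa authentication ssh enable tacacs
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authorization commands tacacs
"""

if __name__ == "__main__":
    r = check_config(POST1_CONFIG)
    print("TACACS hosts:", r.tacacs_hosts)
    print("paths with no explicit local fallback:", r.lockout_paths)
    print("warnings:", r.warnings)
```

Run against the first post's configuration it flags `ssh login` and `ssh enable`; run against the template in reply 5 (which puts `local` behind `tacacs` everywhere, sets the timeout and disables telnet) it reports nothing.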

  • 6.  RE: ArubaOS 2930F TACACS integration assistance

    EMPLOYEE
    Posted Oct 15, 2018 01:17 PM

    Greetings!

     

    If you're still looking for any other suggestions for controlling access to your switches, you may wish to refer to the ArubaOS-Switch Hardening Guide. It covers TACACS authentication, authorization, and accounting, as well as numerous other recommendations for preventing unauthorized access or denial of service.



  • 7.  RE: ArubaOS 2930F TACACS integration assistance

    Posted Apr 03, 2020 06:20 AM

    Hello,
    I am trying to integrate 2930F switches with our TACACS+.

    As the TACACS server we are using Linux with the TAC_Plus package.

     

    I am not able to authenticate users. I followed the configuration from the configuration guides, and it is the same as provided by MKK in this thread.

    I know it is a problem with the settings on the TACACS side. I tried the integration with the Cisco/H3C/Manual templates, but without luck.

    ###Service ARUBA_SW_RW START###
    service = shell {
      set priv-lvl = 15
      default attribute = permit
      default cmd = permit
    } #END OF Cisco Router/Switch Service
    service = shell {
      set priv-lvl = 15
      default attribute = permit
      default cmd = permit
    } #END OF H3C General Service
    ###MANUAL CONFIGURATION START###
    service = Aruba {
      optional protocol = common
      set priv-lvl = 15
    }
    ###MANUAL CONFIGURATION END###
    ###Service ARUBA_SW_RW END###

     

    With the manual configuration we were able to integrate the WLC & IAP, so I followed the same syntax.

     

    Could you point me to which TACACS AV pairs are expected on ArubaOS-SW 2930F/M for authentication and authorization of management access to work?

     

    Thank you for your reply.
    BR Martin
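To make the AV-pair question concrete, here is an added example that is not from this thread, from tac_plus or from HPE Aruba: an offline model of the TACACS+ authorization exchange as specified in RFC 8907, with the body obfuscation (chained MD5 keystream XORed over the body) that the shared key feeds. It shows where pairs such as `service=shell` and `priv-lvl=15` travel and what a mismatched key does to the server's view of the request, which is one reason a correct-looking template still fails. The user table, session id, port, addresses and the particular pairs the "switch" sends are my assumptions; the names `service=shell` and `priv-lvl` are taken from the tac_plus fragment posted above, and which pairs the 2930F itself emits is not confirmed by anything on this page.

```python
"""Added example (not from the thread): TACACS+ authorization exchange per RFC 8907,
modelled offline. All values below are constructed for illustration."""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02                       # packet type: authorization
VERSION = 0xC0                               # major 0xC, minor 0
STATUS_PASS_ADD, STATUS_PASS_REPL, STATUS_FAIL = 0x01, 0x02, 0x10
UNENCRYPTED_FLAG = 0x01
USER_PRIV = {"martin": 15, "helpdesk": 1}    # constructed stand-in for the server's user table


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: chained MD5 over session_id + key + version + seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the keystream; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(seq_no, session_id, body, key):
    """12-byte header (clear) followed by the obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def open_packet(packet, key):
    """Return (seq_no, session_id, body) as seen by a side holding this key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return seq_no, session_id, body


def encode_author_request(user, port, rem_addr, args, priv_lvl=1):
    """Authorization REQUEST body (RFC 8907 section 6.1); the AV pairs name the service."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    # authen_method=TACACSPLUS(6), priv_lvl, authen_type=ASCII(1), authen_service=LOGIN(1)
    body = bytes([0x06, priv_lvl, 0x01, 0x01, len(u), len(p), len(r), len(a)])
    return body + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def decode_author_request(body):
    _, priv_lvl, _, _, ul, pl, rl, argc = body[:8]
    lens, pos = list(body[8:8 + argc]), 8 + argc
    fields = []
    for n in [ul, pl, rl] + lens:
        fields.append(body[pos:pos + n].decode("ascii"))
        pos += n
    if pos != len(body):   # the length fields must account for every byte
        raise ValueError("inconsistent request body")
    return {"user": fields[0], "port": fields[1], "rem_addr": fields[2],
            "priv_lvl": priv_lvl, "args": fields[3:]}


def encode_author_response(status, args, server_msg=""):
    """Authorization RESPONSE body (RFC 8907 section 6.2); data field left empty."""
    sm, a = server_msg.encode(), [x.encode() for x in args]
    body = bytes([status, len(a)]) + struct.pack("!HH", len(sm), 0)
    return body + bytes(len(x) for x in a) + sm + b"".join(a)


def decode_author_response(body):
    status, argc = body[0], body[1]
    sm_len, data_len = struct.unpack("!HH", body[2:6])
    lens, pos = list(body[6:6 + argc]), 6 + argc
    server_msg = body[pos:pos + sm_len].decode("ascii")
    pos += sm_len + data_len
    args = []
    for n in lens:
        args.append(body[pos:pos + n].decode("ascii"))
        pos += n
    return {"status": status, "server_msg": server_msg, "args": args}


def granted_priv_lvl(resp):
    """Privilege level carried in a PASS response as a 'priv-lvl=' pair, else None."""
    if resp["status"] not in (STATUS_PASS_ADD, STATUS_PASS_REPL):
        return None
    for av in resp["args"]:
        name, sep, value = av.partition("=")   # '=' mandatory pair, '*' optional pair
        if sep and name == "priv-lvl":
            return int(value)
    return None


def server_authorize(req):
    """Constructed server policy: shell service for a known user returns its priv-lvl."""
    if "service=shell" in req["args"] and req["user"] in USER_PRIV:
        return encode_author_response(STATUS_PASS_ADD, [f"priv-lvl={USER_PRIV[req['user']]}"])
    return encode_author_response(STATUS_FAIL, [], "not authorized")


def exchange(user, switch_key=b"ArubaOS123", server_key=b"ArubaOS123"):
    """Model REQUEST (switch -> server) and RESPONSE (server -> switch); return priv-lvl or None."""
    session_id = 0x5A17B2C3   # constructed
    req_body = encode_author_request(user, "ssh", "172.16.101.10", ["service=shell", "cmd*"])
    wire = build_packet(1, session_id, req_body, switch_key)
    try:
        seq, sid, body = open_packet(wire, server_key)
        resp_wire = build_packet(seq + 1, sid, server_authorize(decode_author_request(body)), server_key)
        _, _, resp_body = open_packet(resp_wire, switch_key)
        return granted_priv_lvl(decode_author_response(resp_body))
    except (ValueError, UnicodeDecodeError, IndexError, struct.error):
        return None   # one side could not parse the other's body: the key-mismatch symptom
```

`exchange("martin")` yields 15 with matching keys. With different keys on the two sides the server de-obfuscates the request with the wrong keystream and the length fields no longer add up, so the exchange fails before any AV pair is ever evaluated; on the real switch that looks like a flat authentication failure, which is why the shared key is worth checking before the service definition. Note also that this obfuscation is a fixed MD5 keystream and not encryption, which is the usual reason to keep TACACS+ on a dedicated management VLAN as the first post already does.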