Wired Intelligent Edge (Campus Switching and Routing)

HPE Switch Management Authentication with ClearPass


Courtesy of and created by: @vrajasimhan


This article walks through the ClearPass Policy Manager (CPPM) and HPE switch configuration needed to authenticate switch management sessions against CPPM. We then use the HP VSAs returned in the RADIUS Access-Accept from CPPM to control which commands a user can execute.


This was tested with ClearPass 6.5 and an HPE 2920 switch running software versions 16.01 (beta) and 15.17.


Switch Side Config ::

Add CPPM as a RADIUS server. The shared key must match the one configured for this switch as a network device in CPPM:

radius-server host <ip-address> key <value>

Create a server group containing the server(s):

aaa server-group radius "mgmt" host <ip-address>

Map the server group as the primary authentication source for the web UI and SSH. "local" is kept as the secondary method so that the switch's local credentials still work if the RADIUS servers are unreachable:

aaa authentication web login radius server-group "mgmt" local

aaa authentication ssh login radius server-group "mgmt" local

Add the following so that an authenticated user is placed directly in Manager mode (the HPE name for the admin level) when CPPM returns the standard RADIUS Service-Type attribute with value 6 (Administrative-User) in the Access-Accept:

aaa authentication login privilege-mode

Add the following to enable command authorization via RADIUS, so that the HP VSAs returned in the Access-Accept determine which commands the user may run:

aaa authorization commands radius


ClearPass Config ::

Create a new service whose service rules match on attributes unique to HPE switch management authentication. If you want to limit the service to a specific switch, add its NAS IP as a rule as well.

Specify PAP as the authentication method and select an authentication source. In this case I used the local user database; if you do the same, make sure a user exists in it. I created a user called hpadmin for this test.


No role mapping is required.


Enforcement Policy :: For now, use the default "Sample Allow Access Policy". We will create a new enforcement profile and policy and map them to this service.


Enforcement Profile :: Create an enforcement profile that returns the attributes we need in the RADIUS Accept.


Attributes ::

Service-Type = 6 (Administrative-User) places the user in Manager (admin) mode. For read-only (Operator) access, send Service-Type = 7 (NAS-Prompt-User) instead. Service-Type is a standard IETF RADIUS attribute, not a VSA.

The HP VSAs specify which commands are allowed or denied: HP-Command-String carries the ";"-separated list of command patterns, and HP-Command-Exception selects whether that list is a deny list (1) or a permit list (0).


Enforcement Policy :: Map the enforcement profile to the policy.



Finally, map the enforcement policy to the service created above.
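As an added example (not part of the original article and not ClearPass code), the following Python builds the attribute list that the enforcement profile returns in the Access-Accept and decodes it again, so the Service-Type and HP VSA values can be checked byte for byte against what Access Tracker shows. It assumes the RFC 2865 attribute layout, and takes the HP enterprise number (11) and the HP-Command-String (2) / HP-Command-Exception (3) vendor-types from the FreeRADIUS dictionary.hp; confirm those numbers against the RADIUS dictionary shipped with your ClearPass release.

```python
import struct

# Standard RADIUS attribute types (RFC 2865).
SERVICE_TYPE = 6
VENDOR_SPECIFIC = 26
# Service-Type values (RFC 2865 section 5.6) and the switch level they map to.
ADMINISTRATIVE_USER = 6   # Manager (admin) level
NAS_PROMPT_USER = 7       # Operator (read-only) level

# HP enterprise number and vendor-types as listed in FreeRADIUS dictionary.hp.
# Assumption: verify these against the RADIUS dictionary in your ClearPass release.
HP_VENDOR_ID = 11
HP_COMMAND_STRING = 2      # string: ';'-separated command patterns
HP_COMMAND_EXCEPTION = 3   # integer: 0 = permit list, 1 = deny list


def attr(type_code, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value(n)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute (RFC 2865 section 5.26) using the
    recommended Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value layout."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_mgmt_accept_attrs(service_type, command_string, deny_list=True):
    """Return the attribute bytes the enforcement profile places in the Access-Accept.

    service_type:   ADMINISTRATIVE_USER (6) or NAS_PROMPT_USER (7)
    command_string: the HP-Command-String value, e.g. "^configure$;^show running-config$"
    deny_list:      True sends HP-Command-Exception = 1 (listed commands refused),
                    False sends 0 (only the listed commands are permitted)
    """
    if service_type not in (ADMINISTRATIVE_USER, NAS_PROMPT_USER):
        raise ValueError("Service-Type must be 6 (Manager) or 7 (Operator)")
    return b"".join([
        attr(SERVICE_TYPE, struct.pack("!I", service_type)),
        vsa(HP_VENDOR_ID, HP_COMMAND_STRING, command_string.encode("ascii")),
        vsa(HP_VENDOR_ID, HP_COMMAND_EXCEPTION, struct.pack("!I", 1 if deny_list else 0)),
    ])


def decode_attrs(data):
    """Walk an attribute list and return (name, value) pairs, decoding the
    HP VSAs so a profile can be checked against what Access Tracker shows."""
    out = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        v = data[i + 2:i + length]
        if t == SERVICE_TYPE:
            out.append(("Service-Type", struct.unpack("!I", v)[0]))
        elif t == VENDOR_SPECIFIC and len(v) >= 6:
            vendor = struct.unpack("!I", v[:4])[0]
            vtype, vlen = v[4], v[5]
            vval = v[6:4 + vlen]
            if vendor == HP_VENDOR_ID and vtype == HP_COMMAND_STRING:
                out.append(("HP-Command-String", vval.decode("ascii")))
            elif vendor == HP_VENDOR_ID and vtype == HP_COMMAND_EXCEPTION:
                out.append(("HP-Command-Exception", struct.unpack("!I", vval)[0]))
            else:
                out.append((f"VSA({vendor}/{vtype})", vval))
        else:
            out.append((f"Attr({t})", v))
        i += length
    return out


if __name__ == "__main__":
    raw = build_mgmt_accept_attrs(ADMINISTRATIVE_USER, "^configure$;^show running-config$")
    print(raw.hex())
    for name, value in decode_attrs(raw):
        print(f"{name} = {value!r}")
```

Running it prints the hex of the three attributes followed by their decoded names and values; the same three attributes are what you should see under the RADIUS output attributes for the request in Access Tracker.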




Testing ::

ClearPass :: Access Tracker shows the RADIUS Accept sent with the expected enforcement policy and RADIUS return attributes.

HP Switch ::

Login succeeds, any command containing "config" is refused, and other commands work. Note that the abbreviated "show run" is refused as well, which indicates the pattern is evaluated against the expanded command ("show running-config") rather than the exact characters typed.

VJ-Edge-2530# show running-config
Not authorized to execute this command.
VJ-Edge-2530# configure
Not authorized to execute this command.
VJ-Edge-2530# configure terminal
Not authorized to execute this command.
VJ-Edge-2530# show run
Not authorized to execute this command.
VJ-Edge-2530# show version
Image stamp: /ws/swbuildm/rel_portland_qaoff/code/build/lakes(swbuildm_rel_portland_qaoff_rel_portland)
             Aug 24 2015 12:18:22
Boot Image: Secondary
Boot ROM Version: YA.15.17

The HP-Command-String VSA can be used to deny any command; I used "config" as the example above. An unanchored pattern matches anywhere in the command line, which is why "config" also blocks "show running-config". The metacharacters ^ and $ anchor the pattern to the start and end of the command so that it must match exactly: ^configure$ blocks only "configure", not "configure terminal" or "show running-config". Multiple patterns are separated with ";" (no spaces), e.g. HP-Command-String = "^configure$;^show running-config$"
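The matching rules above, modelled in Python as an added example (this is not switch firmware code and not from the original article). It models three things the test session shows: an unanchored pattern matches as a substring, ^ and $ force an exact match, and an abbreviated command such as "show run" is expanded before the pattern is applied. The small command tree, the session list and the use of regex search for matching are constructed assumptions of the model; the permit-list (0) / deny-list (1) values for HP-Command-Exception follow the FreeRADIUS dictionary.hp.

```python
import re

# HP-Command-Exception values (FreeRADIUS dictionary.hp; verify in ClearPass).
PERMIT_LIST = 0   # only the listed commands are allowed
DENY_LIST = 1     # the listed commands are refused, everything else is allowed

# Constructed, minimal command tree used only to model abbreviation expansion.
# It is not the switch's real parser and covers just the commands in the test.
COMMAND_TREE = {
    "show": {"running-config": {}, "version": {}},
    "configure": {"terminal": {}},
}


def expand_command(command, tree=COMMAND_TREE):
    """Expand unambiguous abbreviations, e.g. "show run" -> "show running-config".

    Modelling assumption: the switch authorizes the expanded command, which is
    why "show run" was refused by the pattern "config" in the test session.
    Tokens without a unique expansion are kept exactly as typed.
    """
    level = tree
    out = []
    for token in command.split():
        candidates = [k for k in level if k.startswith(token)]
        if len(candidates) == 1:
            token = candidates[0]
            level = level[token]
        else:
            level = {}
        out.append(token)
    return " ".join(out)


def parse_command_string(hp_command_string):
    """Split an HP-Command-String value into its ';'-separated patterns
    (no spaces around the separator, as in "^configure$;^show running-config$")."""
    return [p for p in hp_command_string.split(";") if p]


def pattern_matches(pattern, command):
    """Apply one pattern to an (expanded) command.

    Assumption from the test output: an unanchored pattern such as "config"
    matches anywhere in the line, so it catches "show running-config" too;
    "^" and "$" anchor it so "^configure$" matches only the bare "configure".
    """
    return re.search(pattern, command) is not None


def is_authorized(command, hp_command_string, hp_command_exception=DENY_LIST):
    """Return True if the switch should execute `command` for this session."""
    expanded = expand_command(command)
    matched = any(pattern_matches(p, expanded)
                  for p in parse_command_string(hp_command_string))
    if hp_command_exception == DENY_LIST:
        return not matched
    if hp_command_exception == PERMIT_LIST:
        return matched
    raise ValueError(f"unknown HP-Command-Exception value {hp_command_exception!r}")


def evaluate_session(commands, hp_command_string, hp_command_exception=DENY_LIST):
    """Replay typed commands and return {command: allowed?}."""
    return {c: is_authorized(c, hp_command_string, hp_command_exception)
            for c in commands}


# Constructed sample: the commands typed in the test session above.
SESSION = ["show running-config", "configure", "configure terminal",
           "show run", "show version"]

if __name__ == "__main__":
    for value in ("config", "^configure$", "^configure$;^show running-config$"):
        print(f'HP-Command-String = "{value}" (deny list)')
        for cmd, ok in evaluate_session(SESSION, value).items():
            verdict = "ok" if ok else "Not authorized to execute this command."
            print(f"  {cmd:20} -> {verdict}")
```

With "config" the replay reproduces the session above (only "show version" runs); with "^configure$" only the bare "configure" is refused; with the two anchored patterns "configure" and "show running-config" (including its abbreviation) are refused while "configure terminal" still runs, which is the reason to list every form you intend to block rather than relying on a single anchored pattern.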



Version history: Revision 2 of 2, last updated 01-04-2016 07:58 AM



Is it possible to have both switch management authentication with Clearpass and Manager username/password?


Since we have enabled ssh login authentication with ClearPass, it is not possible to log in to switches using the manager password, only our AD usernames/passwords. 


We need to be able to login with manager password since we want to add the switches to AirWave and in order to do that we need to provide username/password and we do not want to put some username/password from AD. 


Best Regards,


