How to configure Web GUI authentication with Radius on HPE Switches
You might have a requirement to configure Radius authentication for Web GUI access to HPE Switches. This allows users from a variety of groups to access the Web GUI of the switch with the appropriate level of access.
This solution has been tested and found to be working with Aruba-2930F running WC.16.04.0009, but this should more or less work with other models of Aruba OS switches as well.
This article covers the steps needed to get Web GUI authentication working with Radius.
First, we need to configure the Radius server on the HPE Switch:
(config)#radius-server host <Radius Server IP> key <Radius Shared Secret>
You can then create a server group and map that server to it. This step is optional, but it helps when you have multiple Radius servers, all of which can be added to the server group:
(config)#aaa server-group radius <Server Group Name> host <IP address of the Radius server created>
The commands to enable Radius authentication for Web GUI access with local fallback are as below:
(config)#aaa authentication web login radius server-group <Server Group> local
(config)#aaa authentication web enable radius server-group <Server Group> local
Please make sure that "local" is always added at the end so that the switch's local credentials allow you to get in in case of a Radius server failure.
This completes the switch configuration, and we can move on to the Radius server configuration.
There are 2 pre-defined access levels for HPE Switches, "manager" and "operator", and they also apply to the Web GUI.
The attribute that you need to return from the Radius server for a manager level of access, which is full access to everything, is:
Radius:IETF Service-Type = Administrative-User (6)
To let a user log in as operator, the attribute that you need to return is:
Radius:IETF Service-Type = NAS-Prompt-User (7)
Once the Radius server is configured to return these attributes for manager and operator levels of access respectively, users should be able to log in to the Web GUI with the appropriate level of access.
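To check what role a server reply maps to, the following added example (not part of the original article and not HPE code) parses a RADIUS Access-Accept, verifies its Response Authenticator as defined in RFC 2865, and maps Service-Type to the two roles above. The function names, the shared secret and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                       # RADIUS packet code (RFC 2865)
SERVICE_TYPE = 6                        # RADIUS attribute type (RFC 2865)
ROLES = {6: "manager", 7: "operator"}   # Administrative-User, NAS-Prompt-User


def build_accept(ident, req_auth, secret, service_type):
    """Construct a sample Access-Accept carrying one Service-Type (test data)."""
    attrs = struct.pack("!BBI", SERVICE_TYPE, 6, service_type)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + auth + attrs


def role_from_reply(packet, req_auth, secret):
    """Return 'manager', 'operator' or None for a verified reply."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]            # ignore padding past the stated length
    attrs = packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("response authenticator mismatch (wrong shared secret?)")
    if code != ACCESS_ACCEPT:
        return None
    role, pos = None, 0
    while pos < len(attrs):             # walk the type/length/value attributes
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == SERVICE_TYPE and alen == 6:
            value = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            role = ROLES.get(value)     # None for any other Service-Type
        pos += alen
    return role


if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"constructed-secret"
    for st in (6, 7):
        print(st, role_from_reply(build_accept(1, req_auth, secret, st), req_auth, secret))
```

A return value of None means the reply carried neither of the two Service-Type values this article maps to a role.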
You can verify that users are able to log in as managers and operators depending on the attributes returned by the Radius server.
After entering credentials and clicking login, you can see that the role is manager, based on the attributes returned by the Radius server for the Manager role.
Similarly, for an operator we can see that they get the operator role, as per the attributes returned by the Radius server for Operator-level access.