RADIUS Authentication For REST On Aruba switch

Requirement:

RADIUS authentication for REST has been introduced in Aruba switches in 16.08. However, not all switches support this feature.

Setup used:

  • 3810 - Running on software - KB.16.09.0001
  • Clearpass Server - Running on 6.7.0.101814

 



Solution:

 

On the switch the following configuration is required:

  • Configure a RADIUS server
  • Enable authentication for REST for login mode
  • Enable authentication for REST for enable mode
  • Enable REST Interface

Also, make sure that HTTP and/or HTTPS is enabled on the switch.

 

On the RADIUS Server (Clearpass):

  • Add the switch in Devices
  • Create a PROFILE
  • Create a POLICY
  • Create a Service
  • Call the Policy in the Service Enforcement

Also, make sure that the user is added to the Local User Repository or any other authentication source that will be used.

 



Configuration:

Now, in order to achieve RADIUS Authentication for REST, configure the switch with the following configuration:

 

These are the REST specific commands that are required.

The IP address 10.13.13.12 is of the Clearpass server.

The command "rest-interface" is used to enable REST on the switch.

 

The rest of the configuration has to be done on the Clearpass server as follows:

1) Add the switch in the Clearpass server under Devices, using the same key as the one configured on the switch in the "radius-server host" command.

 

The switch IP used in this example is 10.13.13.13.

 

2) Create a profile:

You can name the profile as you desire.

 

Click on the Attributes tab and configure the following:

 

3) Configure the Service as follows:

 

4) Under the Authentication tab, select PAP and Local User Repository as the Authentication Methods and Authentication Sources, respectively:

5) Finally, click on the Enforcement tab and select the policy that defines the condition:



Verification

On the switch, verify with the commands:

show rest-interface

show logging (very useful while troubleshooting)

 

On the Clearpass Server check the Access Tracker once a login attempt is made.
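
To generate the login attempt that shows up in `show logging` and in the Access Tracker, the following added example (not part of the original article) opens a REST session using a RADIUS user's credentials. It assumes the ArubaOS-Switch `login-sessions` endpoint under API version `v3`, a switch certificate the client can verify, and hypothetical helper names; it refuses plain HTTP because the password travels in the request body.

```python
import getpass
import json
import ssl
import urllib.error
import urllib.request

API_VERSION = "v3"  # assumption: use any version the switch lists under /rest/version

def build_login_request(switch, username, password, scheme="https"):
    """Build the POST that opens a REST session; the switch passes the credentials to RADIUS."""
    if scheme != "https":
        # The password is sent in the JSON body, so never send it over cleartext HTTP.
        raise ValueError("use https for REST logins")
    body = json.dumps({"userName": username, "password": password}).encode()
    return urllib.request.Request(
        f"https://{switch}/rest/{API_VERSION}/login-sessions",
        data=body, method="POST",
        headers={"Content-Type": "application/json"})

def parse_session_cookie(response_body):
    """Return the 'sessionId=...' cookie from a login reply, or None if absent/malformed."""
    try:
        cookie = json.loads(response_body).get("cookie", "")
        return cookie if cookie.startswith("sessionId=") else None
    except (ValueError, AttributeError):
        return None

def rest_login(switch, username, password, cafile=None):
    """Attempt one REST login; an HTTP error status is treated as a rejected login."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the switch certificate
    req = build_login_request(switch, username, password)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return parse_session_cookie(resp.read())
    except urllib.error.HTTPError:
        return None

if __name__ == "__main__":
    host = "10.13.13.13"  # switch IP used in this article
    user = input("RADIUS username: ")
    cookie = rest_login(host, user, getpass.getpass("Password: "))
    print("login accepted" if cookie else "login rejected")
```

A connection failure raises `URLError` rather than returning `None`, so an unreachable switch is not mistaken for a RADIUS reject.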
