Wired Intelligent Edge


Compatible radius commands for AOS-CX ver 10.10.1040

  • 1.  Compatible radius commands for AOS-CX ver 10.10.1040

    Posted Feb 27, 2023 12:30 AM

    Hi All,
    We are doing a hardware refresh for a customer, where we are replacing old HP switches with AOS-CX 6100 switches, ver 10.10.1040.
    Could somebody help with configuring AAA commands equivalent to what the customer currently has on the HP switches?
    The AAA commands in use on the HP switches are below; I need your help with the equivalent commands to configure the same features.

    ########################################################

    radius-server host 10.20.20.87 key ***
    radius-server host 10.20.20.87 dyn-authorization
    radius-server host 10.20.20.87 time-window 0
    radius-server host 10.40.20.87 key ***
    radius-server host 10.40.20.87 dyn-authorization
    radius-server host 10.40.20.87 time-window 0

    radius-server host 10.20.20.87 dyn-authorization
    radius-server host 10.20.20.87 time-window 0
    radius-server host 10.40.20.87 dyn-authorization
    radius-server host 10.40.20.87 time-window 0

    aaa server-group radius "RADGRP" host 10.20.20.87
    aaa server-group radius "RADGRP" host 10.40.20.87

    aaa accounting update periodic 5
    aaa accounting network start-stop radius server-group "RADGRP"

    aaa authentication login privilege-mode

    aaa authentication web login radius server-group "RADGRP" local
    aaa authentication web enable radius server-group "RADGRP" local

    aaa authentication ssh login radius server-group "RADGRP" local
    aaa authentication ssh enable radius server-group "RADGRP" local

    aaa authentication port-access eap-radius server-group "RADGRP"

    aaa authentication mac-based chap-radius server-group "RADGRP"

    aaa port-access authenticator active

    aaa port-access authenticator 1-2

    aaa port-access authenticator 1 tx-period 10
    aaa port-access authenticator 1 supplicant-timeout 10
    aaa port-access authenticator 1 client-limit 2

    aaa port-access authenticator 2 tx-period 10
    aaa port-access authenticator 2 supplicant-timeout 10
    aaa port-access authenticator 2 client-limit 2

    aaa port-access mac-based 3
    aaa port-access mac-based 3 logoff-period 9999999

    aaa port-access 3 controlled-direction in

    aaa authentication port-access eap-radius server-group "RADGRP"
    aaa authentication mac-based chap-radius server-group "RADGRP"

    ##################################################

    I have so far figured out the commands below for AOS-CX, but would like somebody to help verify whether they serve the purpose.

    radius-server host 10.20.20.87 key ciphertext ***
    radius-server host 10.40.20.87 key ciphertext ***
    aaa authentication allow-fail-through
    !
    aaa group server radius RADGRP
        server 10.20.20.87
        server 10.40.20.87
    aaa authentication login ssh group RADGRP local
    aaa authentication login default group RADGRP local
    aaa authentication login https-server group RADGRP local
    aaa accounting port-access start-stop interim 5 group RADGRP

    aaa authentication port-access dot1x authenticator
        radius server-group RADGRP
        enable
    aaa authentication port-access mac-auth
        radius server-group RADGRP
        enable

    interface 1/1/7
        no shutdown 
        vlan access 1
        aaa authentication port-access client-limit 2
        aaa authentication port-access dot1x authenticator
            eapol-timeout 10
            enable
        exit
        
    interface 1/1/8
        no shutdown 
        vlan access 1
        aaa authentication port-access client-limit 2
        aaa authentication port-access mac-auth
            reauth
            reauth-period 9999999
            enable
        exit

    TIA -

    Nilesh.



  • 2.  RE: Compatible radius commands for AOS-CX ver 10.10.1040

    Posted Feb 27, 2023 01:39 AM

    Hi Nilesh

    Your config looks quite good. However, from experience, there are some more things you should consider doing:

    • "aaa port-access 3 controlled-direction in" translates to "port-access allow-flood-traffic enable", which is especially important for devices that go into sleep mode and are passive during that time (such as printers).
    • "aaa authentication port-access allow-lldp-bpdu" may be of help if used with phones etc. that depend on LLDP information.
    • In mixed environments where you have dot1x and MAB active in parallel, there is another very useful command: "initial-auth-response-timeout XXX", where XXX is the number of seconds to wait for the first EAPOL signal. I typically use 20 sec here.
    • On ports where you have a client-limit configured, these two commands are very useful: "port-access security violation action shutdown auto-recovery enable" and "port-access security violation action shutdown recovery-timer 600".

    Regards, 

    Thomas
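A small translator, added here as a worked example and not code from either poster or from HPE, that applies the command mappings from Nilesh's draft (radius hosts, server group, tx-period to eapol-timeout, client-limit, logoff-period to reauth-period) and Thomas's controlled-direction note to a legacy config dump. The legacy port-number to AOS-CX interface map is an assumption, and any legacy line the mapping does not cover is left out for manual review.

```python
import re

# Assumed legacy port-number -> AOS-CX interface map (constructed for this example)
PORT_MAP = {"1": "1/1/7", "2": "1/1/8", "3": "1/1/9"}

def translate(legacy_lines, port_map=PORT_MAP):
    """Return AOS-CX config lines for the legacy HP AAA lines this thread maps."""
    out, groups, ifaces = [], {}, {}

    def port(p):  # per-interface option dict, keyed by the mapped AOS-CX port
        return ifaces.setdefault(port_map[p], {})

    for raw in legacy_lines:
        line = raw.strip()
        if m := re.fullmatch(r"radius-server host (\S+) key (\S+)", line):
            out.append(f"radius-server host {m[1]} key ciphertext {m[2]}")
        elif m := re.fullmatch(r'aaa server-group radius "(\w+)" host (\S+)', line):
            groups.setdefault(m[1], []).append(m[2])
        elif m := re.fullmatch(r"aaa port-access authenticator (\d+) tx-period (\d+)", line):
            port(m[1])["eapol-timeout"] = m[2]      # mapping used in Nilesh's draft
        elif m := re.fullmatch(r"aaa port-access authenticator (\d+) client-limit (\d+)", line):
            port(m[1])["client-limit"] = m[2]
        elif m := re.fullmatch(r"aaa port-access mac-based (\d+) logoff-period (\d+)", line):
            port(m[1])["reauth-period"] = m[2]      # mapping used in Nilesh's draft
        elif m := re.fullmatch(r"aaa port-access (\d+) controlled-direction in", line):
            port(m[1])["allow-flood"] = True        # Thomas: allow-flood-traffic enable
        # any other legacy line is deliberately left for manual review

    for name, hosts in groups.items():              # server-group -> aaa group server
        out.append(f"aaa group server radius {name}")
        out += [f"    server {h}" for h in hosts]

    for iface, opts in sorted(ifaces.items()):
        out.append(f"interface {iface}")
        if "client-limit" in opts:
            out.append(f"    aaa authentication port-access client-limit {opts['client-limit']}")
        if "eapol-timeout" in opts:
            out += ["    aaa authentication port-access dot1x authenticator",
                    f"        eapol-timeout {opts['eapol-timeout']}", "        enable"]
        if "reauth-period" in opts:
            out += ["    aaa authentication port-access mac-auth", "        reauth",
                    f"        reauth-period {opts['reauth-period']}", "        enable"]
        if opts.get("allow-flood"):
            out.append("    port-access allow-flood-traffic enable")
    return out
```

Diff the output against the hand-written AOS-CX draft to spot ports or options the script skipped, rather than applying it unreviewed.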



  • 3.  RE: Compatible radius commands for AOS-CX ver 10.10.1040

    Posted Feb 27, 2023 01:59 AM

    Hi Thomas,

    These are very valuable inputs, I will definitely consider them in my config script.

    Thanks,

    Nilesh.


