Wired Intelligent Edge


How to authorize "sh run " in operator level access

  • 1.  How to authorize "sh run " in operator level access

    Posted Jun 29, 2022 02:19 PM
    Hi All,

    We are using RADIUS authentication for accessing the Aruba switch. We have a requirement to give access to run the command "show running config" to the read-only access user.

    We are using FreeRADIUS for giving access to the user with the following. Requesting your help to authorize the "show runn" command for the RO user.

    Service-Type = NAS-prompt-user

    Any help is much appreciated.
     
    Regards


  • 2.  RE: How to authorize "sh run " in operator level access

    EMPLOYEE
    Posted Jun 30, 2022 05:50 AM

    Hi,

     

    You should specify which switches are in use.

    For ProCurve there is a similar guide for command authorization with/on FreeRADIUS:  https://techhub.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch06s09.html#s_Configuring_commands_authorization_on_a_RADIUS_server

    For CX devices, command authorization on a remote server is supported with TACACS+ only. RADIUS authentication can be used with local authorization (you have to create a user-group and define the permitted/denied commands in a list, where * can be used as well). I haven't tried this, but the RADIUS server needs to return the proper user-group as well (three built-in groups on the switch: administrators/auditors/operators (no changes available for these groups) + locally defined (what you need to create)).

    For reference you can search for the Security Guide of your device (https://www.arubanetworks.com/techdocs/AOS-CX/help_portal/Content/home.htm) and take a look at command authorization and user-groups.




  • 3.  RE: How to authorize "sh run " in operator level access

    Posted Jun 30, 2022 11:57 AM
    Hello,

    Thanks for your reply, it's awesome.

    Initially I tried:

    Service-Type = NAS-prompt-user
    HP-Command-Exception = 0
    HP-Command-String = "show;ping;traceroute"

    Everything was working except "show run". Finally I found that "show run" is not in the list of commands in "operator" level access.

    Then I tried the following and it's working:

    Service-Type = Administrative-User
    HP-Command-Exception = 0
    HP-Command-String = "show;ping;traceroute"

    Need advice: Is it possible to enable "show run" in "operator" level access?

    Will wait for your answer.

    Regards
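
An added example, not written by any poster in this thread: a small Python audit over a FreeRADIUS users-style file that flags entries which, like the working configuration in post 3, return Service-Type = Administrative-User and therefore depend on the HP-Command-String list as the only restriction. The user names, passwords, simplified file parsing and classification labels are assumptions constructed for illustration; HP-Command-Exception = 0 is treated as a permit list and 1 as a deny list.

```python
import re
# Constructed sample in FreeRADIUS "users" layout; names and passwords are made up.
SAMPLE_USERS = '''\
ro-user   Cleartext-Password := "example-only"
    Service-Type = NAS-Prompt-User,
    HP-Command-Exception = 0,
    HP-Command-String = "show;ping;traceroute"

ro-user2  Cleartext-Password := "example-only"
    Service-Type = Administrative-User,
    HP-Command-Exception = 0,
    HP-Command-String = "show;ping;traceroute"

noc-admin Cleartext-Password := "example-only"
    Service-Type = Administrative-User
'''

def parse_users(text):
    """Return {user: {reply_attr_lowercased: value}} (simplified users-file parser)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # unindented line starts a new entry
            current = entries.setdefault(line.split()[0], {})
        elif current is not None:          # indented lines are reply items
            m = re.match(r'\s*([\w-]+)\s*[:+]?=\s*"?([^",]*)"?\s*,?\s*$', line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return entries

def audit(text):
    """Label each entry by what limits it once it logs in."""
    report = {}
    for user, attrs in parse_users(text).items():
        manager = attrs.get("service-type", "").lower() == "administrative-user"
        cmds = [c for c in attrs.get("hp-command-string", "").split(";") if c]
        mode = attrs.get("hp-command-exception")
        if not manager:
            report[user] = "operator"
        elif cmds and mode == "0":         # manager level, only listed commands
            report[user] = "manager-permit-list"
        elif cmds and mode == "1":         # manager level, everything but the list
            report[user] = "manager-deny-list"
        else:                              # manager level with no usable list
            report[user] = "manager-no-list"
    return report

if __name__ == "__main__": print(audit(SAMPLE_USERS))
```

Entries labelled manager-permit-list are restricted only while the switch enforces RADIUS command authorization (the "aaa authorization commands radius" setting mentioned in post 4); without it, the command list has no effect and the account is manager level.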




  • 4.  RE: How to authorize "sh run " in operator level access

    Posted Jun 30, 2022 02:25 PM
    Hi,

    Further, I noticed:

    When I enable "aaa authorization commands radius", I can't log in to web management.
    The HTTPD service gets stuck and is disabled automatically.

    Any suggestions, please?

    Thanks



  • 5.  RE: How to authorize "sh run " in operator level access

    Posted Jul 04, 2022 12:47 AM
    Hi,

    Have you enabled "aaa authentication login privilege-mode" for https access?

    ------------------------------
    Shobana
    Aruba
    ------------------------------



  • 6.  RE: How to authorize "sh run " in operator level access

    Posted Jul 15, 2022 07:03 AM
    Hi

    Have you enabled "aaa authentication login privilege-mode" for https access? Yes

    Thanks