
Re: NPS with procurve 2920 switches - operator and admin access issues

 
M_Oneal
Regular Visitor

NPS with procurve 2920 switches - operator and admin access issues

We have had admin and operator access configured using NPS with Active Directory groups on the Procurve 2920 switches working.  

The NPS policies were set for NAS Prompt for operator access and Administrator for admin access to the switches. 

Since the most recent software upgrade to WB.16.01.0004 both NPS policies allow admin access to the switches.  It no longer restricts the operator policy to operator access only.  This now allows manager access to the switches.

I have been unable to locate any additional documentation or information in the technical information on the HP website. I have also opened a tech case with HP for this.

Are there any additional specific changes that now need to be made for the new software version?

M_Oneal
Regular Visitor
Solution

Re: NPS with procurve 2920 switches - operator and admin access issues

The resolution was to enable login privilege-mode.

This allowed for operator access and manager access using separate NPS policies.

While this works for basic access for both, it allows for manager logon enable access without the additional required enable authorization.

I would prefer that the manager access still require an additional en logon for the manager accounts.

Michael Patmon
Trusted Contributor

Re: NPS with procurve 2920 switches - operator and admin access issues

Hello.  What attributes were you passing to the switch when authenticating for operator and manager?  

Login privilege-mode should just allow "managers" to log directly into enable context, as you mentioned.  

M_Oneal
Regular Visitor

Re: NPS with procurve 2920 switches - operator and admin access issues

 Attributes are set as follows:

Operators  is NAS Prompt

Managers  is Administrative.

 aaa authentication login privilege-mode  - does only allow managers enable prompt access.  I was looking to have this set up to require the username and password a second time to get to the enable prompt.

It will suffice as is.  Thank you for the follow up.

On to the Next task  - to get the Comware 5 switch set up for NPS access management.