
Aruba 2930 user config permission/restriction with radius server policy

 
Trenuci
Occasional Contributor


Hi, I have several Aruba switches in our network.

Currently, there is local authentication for several users. Two of them are apprentices.

Right now, I am using the commands below to permit only some commands for them:

aaa authorization group "apprentice" 100 match-command "command:enable" permit log

aaa authorization group "apprentice" 110 match-command "command:show" permit log

aaa authentication local-user "apprentice1" group "apprentice"

Now we want to move to RADIUS authentication (it's working), and the question is:
Is there a way (and how) to configure some policy on the RADIUS server or the switch to classify permissions based on the user that logged in?

So, if it's a regular admin user, they have full rights, and if it's an apprentice user, only a few commands are enabled.

Emil_G
HPE Pro

Re: Aruba 2930 user config permission/restriction with radius server policy

Hello, 

The RADIUS server should be configured to return a pair of HP vendor-specific RADIUS attributes in the Access-Accept which instruct the switch which commands to allow for an authenticated user: HP-Command-String and HP-Command-Exception. HP-Command-String specifies the list of commands which are allowed or denied; HP-Command-Exception specifies whether the commands are denied (allowing everything else) or allowed (denying everything else).

Check the Access Security Guide from page 222 to 226

https://support.hpe.com/hpesc/public/docDisplay?docId=a00091304en_us

 

or the same information is also available here

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch06s08.html

Here is an example of how it can be configured on ClearPass Policy Manager:

https://community.arubanetworks.com/t5/Education-Australia-New-Zealand/Authorising-commands-on-ProCurve-AOSS-with-RADIUS/gpm-p/375100

I am an HPE employee
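
Added example, not part of the reply above and not HPE code: a Python sketch that builds and parses the two vendor-specific attributes as they would appear in an Access-Accept, useful for checking a packet capture against the intended policy. Assumptions: vendor ID 11, sub-types 2 and 3, flag values 0 (permit listed) and 1 (deny listed) and the semicolon delimiter follow HP's published RADIUS dictionary as recalled here and should be checked against the Access Security Guide; the sample bytes are constructed.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type for VSAs
HP_VENDOR_ID = 11           # HP's IANA enterprise number
HP_COMMAND_STRING = 2       # assumed sub-type; check your server's HP dictionary
HP_COMMAND_EXCEPTION = 3    # assumed sub-type; 0 = permit listed, 1 = deny listed

def encode_vsa(vendor_type, value):
    """Wrap one HP sub-attribute in an RFC 2865 Vendor-Specific attribute."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", HP_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def build_command_policy(commands, listed_are_denied):
    """Attribute bytes for the pair: command list (';'-joined, assumed) and flag."""
    cmds = ";".join(commands).encode("ascii")
    flag = struct.pack("!I", 1 if listed_are_denied else 0)
    return encode_vsa(HP_COMMAND_STRING, cmds) + encode_vsa(HP_COMMAND_EXCEPTION, flag)

def parse_command_policy(attrs):
    """Walk Access-Accept attribute bytes and extract the HP command policy."""
    policy = {"commands": [], "mode": None}
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        value, i = attrs[i + 2:i + alen], i + alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue  # not a VSA (e.g. Service-Type), skip it
        if struct.unpack("!I", value[:4])[0] != HP_VENDOR_ID:
            continue  # VSA from another vendor
        vtype, vlen = value[4], value[5]
        data = value[6:4 + vlen]
        if vtype == HP_COMMAND_STRING:
            policy["commands"] += data.decode("ascii").split(";")
        elif vtype == HP_COMMAND_EXCEPTION and len(data) == 4:
            deny = struct.unpack("!I", data)[0] == 1
            policy["mode"] = "deny-listed" if deny else "permit-listed"
    return policy

# Constructed sample: Service-Type = Administrative-User, then the HP pair that
# mirrors the local "apprentice" group from the question (enable and show only).
SERVICE_TYPE = bytes([6, 6, 0, 0, 0, 6])
SAMPLE = SERVICE_TYPE + build_command_policy(["enable", "show"], False)

if __name__ == "__main__":
    print(parse_command_policy(SAMPLE))
```

A result with commands but a mode of None means the server returned the command list without the exception flag, which is worth catching before relying on the policy.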
