06-26-2020 01:18 AM - edited 06-26-2020 01:23 AM
Aruba 2930 user config permission/restriction with radius server policy
Hi, I have several Aruba switches in our network.
Currently, there is local authentication for several users. Two of them are apprentices.
Right now, I am using the commands below to permit only some commands for them:
aaa authorization group "apprentice" 100 match-command "command:enable" permit log
aaa authorization group "apprentice" 110 match-command "command:show" permit log
aaa authentication local-user "apprentice1" group "apprentice"
Now we want to move to RADIUS authentication (it's working), and the question is:
Is there a way (and how) to configure on the RADIUS server or the switch some policy to classify permissions based on the user that logged in?
So, if it's a regular admin user, they have full rights, and if it's an apprentice user, to enable just a few commands.
06-26-2020 03:20 AM - edited 06-26-2020 03:25 AM
Re: Aruba 2930 user config permission/restriction with radius server policy
Hello,
The RADIUS server should be configured to return a pair of HP vendor-specific RADIUS attributes in the ACCESS ACCEPT which instruct the switch which commands to allow for an authenticated user: HP-Command-String and HP-Command-Exception. HP-Command-String specifies the list of commands which are allowed or denied; HP-Command-Exception specifies whether the commands are denied (allowing everything else) or allowed (denying everything else).
Check the Access Security Guide from page 222 to 226
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091304en_us
or the same information is also available here
Here is an example of how it can be configured on ClearPass Policy Manager
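Added example, not part of the reply above and not a ClearPass or switch configuration: a small Python model of the permit-list/deny-list decision described in the reply, used to audit a role's attribute values before they go on the RADIUS server. The semicolon-delimited regex list, matching from the start of the command line, the 0/1 flag values and all role data are assumptions to confirm against the Access Security Guide.

```python
import re

# HP-Command-Exception values (assumption: 0 = listed commands are the only
# ones permitted, 1 = listed commands are the only ones denied).
PERMIT_LIST, DENY_LIST = 0, 1


def is_allowed(command_string, exception, command):
    """Model the decision: is `command` permitted for this Access-Accept?"""
    # Assumption: HP-Command-String is a ';'-delimited list of regexes,
    # each matched from the start of the typed command line.
    patterns = [p.strip() for p in command_string.split(";") if p.strip()]
    listed = any(re.match(p, command) for p in patterns)
    if exception == PERMIT_LIST:
        return listed          # allow the list, deny everything else
    if exception == DENY_LIST:
        return not listed      # deny the list, allow everything else
    raise ValueError(f"unexpected HP-Command-Exception value: {exception!r}")


def audit(reply, must_allow, must_deny):
    """Return a list of findings where the reply contradicts the intended policy."""
    cs, ex = reply["HP-Command-String"], reply["HP-Command-Exception"]
    findings = [f"blocked but should be allowed: {c}"
                for c in must_allow if not is_allowed(cs, ex, c)]
    findings += [f"allowed but should be blocked: {c}"
                 for c in must_deny if is_allowed(cs, ex, c)]
    return findings


# Constructed sample data mirroring the local "apprentice" group in the question.
APPRENTICE_OK = {"HP-Command-String": "enable;show",
                 "HP-Command-Exception": PERMIT_LIST}
# Same list with the flag flipped: apprentices get everything except show/enable.
APPRENTICE_FLIPPED = {"HP-Command-String": "enable;show",
                      "HP-Command-Exception": DENY_LIST}
MUST_ALLOW = ["enable", "show running-config", "show vlans"]
MUST_DENY = ["configure terminal", "write memory", "reload"]

if __name__ == "__main__":
    for name, reply in [("ok", APPRENTICE_OK), ("flipped", APPRENTICE_FLIPPED)]:
        findings = audit(reply, MUST_ALLOW, MUST_DENY)
        print(name, "->", findings or "policy matches intent")
```

The flipped case is the one worth testing for: the command list looks correct on review, but the exception flag inverts it into near-full access for the restricted role.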