Aruba & ProVision-based
cancel
Showing results for 
Search instead for 
Did you mean: 

Aruba 2930 user config permision/restriction with radius server policy

 
Highlighted
Occasional Contributor

Aruba 2930 user config permision/restriction with radius server policy

Hi, I have several Aruba switches in our network.

Currently, there is local authentication for several users. Two of them are apprentice.

Right now, I am using command below to permit only some commands for them:

aaa authorization group "apprentice" 100 match-command "command:enable" permit log

aaa authorization group "apprentice" 110 match-command "command:show" permit log

aaa authentication local-user "apprentice1" group "apprentice"

Now we want to move to radius type of authentication (it s working) and question is:
Is there a way (and how) to configure on radius server or switch some policy to classify permission based on user that logged in.

So, if it regular admin user, they has a full rights, and if it's apprentice user, to enable just few command.

1 REPLY 1
Highlighted

Re: Aruba 2930 user config permision/restriction with radius server policy

Hello, 

The RADIUS server should be configured to return a pair of HP vendor specific RADIUS attributes in the ACCESS ACCEPT which instruct the switch which commands to allow for an authenticated user- HP-Command-String and HP-Command-Exception. The HP-Command-Strings specifies the list of commands which are allowed or denied, the HP-Command-Exception specifies if the commands are denied (allowing everything else) or allowed (denying everything else)

Check the Access Security Guide from page 222 to 226

https://support.hpe.com/hpesc/public/docDisplay?docId=a00091304en_us

 

or the same information is also available here

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch06s08.html

Here is an example how it can be configured on ClearPass Policy Manager

https://community.arubanetworks.com/t5/Education-Australia-New-Zealand/Authorising-commands-on-ProCurve-AOSS-with-RADIUS/gpm-p/375100

I am an HPE employee

Accept or Kudo