
Re: Aruba 2930/2920/2530 RADIUS authentication

 
SOLVED
Anonymous

Aruba 2930/2920/2530 RADIUS authentication

I'm trying to get my switches to do RADIUS authentication.

I set up the NPS server on Windows Server 2019, set up the policies, etc.

I then enter the following lines on a test switch:
radius-server host 10.1.1.7 key asdfasdf
radius-server host 10.2.1.7 key asdfasdf
radius-server timeout 10
radius-server retransmit 2
aaa authentication login privilege-mode
aaa authentication ssh enable radius local
aaa authentication web enable radius local
aaa authentication web login local
aaa authentication ssh login local

When I attempt to log in with AD credentials, the NPS logs show that it granted access to the user, but the switch just prompts for the password again. The switch event log shows: 00419 auth: Invalid user name/password on SSH session User 'domain\username' is trying to login from <my ip address>

Emil_G
HPE Pro
Solution

Re: Aruba 2930/2920/2530 RADIUS authentication

Hello @Anonymous 

Is your NPS server configured to return the RADIUS attribute Service-Type with the value 6 (manager) or 7 (operator) in the Access Accept packet?

You have enabled the privilege-mode (aaa authentication login privilege-mode). With this option the switch will check in the Access Accept packets for the value of the Service-Type attribute. If the value is different than 6 or 7, or no attribute is available, access is blocked.

If NPS doesn't send this attribute, please test what happens if you disable it with "no aaa authentication login privilege-mode"

I am an HPE employee



Anonymous

Re: Aruba 2930/2920/2530 RADIUS authentication



I think I have the option you are referring to checked.

I also just tried removing the privileged-mode line but I still can't log in to the switch with AD credentials.

Anonymous

Re: Aruba 2930/2920/2530 RADIUS authentication

I take it back. I somehow fat-fingered a command and did not remove the "aaa authentication login privilege-mode".

Removing that does indeed enable me to log in through RADIUS.

Thank you.

Anonymous

Re: Aruba 2930/2920/2530 RADIUS authentication

But the user can't do much. I would like these RADIUS-authenticated users to be "manager" level. How do I accomplish this?

Anonymous

Re: Aruba 2930/2920/2530 RADIUS authentication

Ok, I was defining the Service-Type in the Network Policies section of NPS. I moved it to the Connection Request Policies and now it's working as expected.

Thanks.