
TACACS

 
Jeff-the-Dude
Occasional Contributor

TACACS

I have some Aruba 5412R switches deployed and I have successfully configured aaa authentication through our RADIUS server for TACACS access. However, whenever someone logs into the web access, it only allows that person in as an operator, not as a manager, thus prohibiting any changes via the web interface...we like to use this feature for the CLI-challenged, change a vlan, modify a port description, etc. There must be some command(s) I am missing...please help.

racowi
Frequent Advisor

Re: TACACS

Did you try the "aaa authentication web login radius" command?

maguanglongMike
HPE Pro

Re: TACACS

Hi,

can you share your configuration?


Jeff-the-Dude
Occasional Contributor

Re: TACACS

This is what I have configured...(sorry...I haven't gotten back as soon as I wanted, but other projects have taken precedence). Now, the web login screen comes up, but no one, including myself, can even log in via the web interface, with RADIUS credentials nor the original manager username and password that I originally configured. After I enter credentials, it gives the appearance that it logs in, but then loops back to the login screen. CLI ssh access, however, works flawlessly.

 

radius-server host XXX.XX.X.XXX key "XXXXXXXXXXX"

tacacs-server host XXX.XX.X.XXX key "XXXXXXXXXXX"
no telnet-server

aaa accounting update periodic 10
aaa accounting commands interim-update tacacs
aaa accounting exec start-stop tacacs
aaa accounting system start-stop tacacs
aaa authentication login privilege-mode
aaa authentication web login radius
aaa authentication ssh login tacacs
aaa authentication ssh enable tacacs

Jeff-the-Dude
Occasional Contributor

Re: TACACS

Upon further review, it may only be the fact that we need to add a policy to CPPM...when that person (not all of us have access) comes back from his vacation, I will give that a shot.  But thanks for your input...

Jeff-the-Dude
Occasional Contributor

Re: TACACS

So...this is what I currently have configured on one of my Aruba 5412R ZL2 switches. I have configured/modified the 'manager' account with a password for console access. I used to (but cannot anymore) be able to log in via the web...I prefer CLI, some of the upper management are CLI-challenged...

I can ssh into any of the two dozen zl2 switches (eventually will be about 150) that I have deployed utilizing TACACS access/credentials, which is bounced off our Active Directory...it seems that the--

aaa authentication web login radius
aaa authentication web enable radius

--commands have prohibited me from logging in to the switch via the web altogether.

radius-server host xxx.xx.x.xx key "shared key"
tacacs-server host xxx.xx.x.xxx key "shared key"
no telnet-server
aaa accounting update periodic 10
aaa accounting commands interim-update tacacs
aaa accounting exec start-stop tacacs
aaa accounting system start-stop tacacs

aaa authentication web login radius
aaa authentication web enable radius

aaa authentication login privilege-mode
aaa authentication ssh login tacacs
aaa authentication ssh enable tacacs
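
Added example, not part of any post in this thread: a small Python check that reads the `aaa authentication` lines from the last configuration above and lists, per access method, which server answers and whether a secondary method is on the line. The line shape used in the regex is an assumption inferred from the thread's own lines, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the redacted configuration from the last post in the thread.
SAMPLE_CONFIG = """\
radius-server host xxx.xx.x.xx key "shared key"
tacacs-server host xxx.xx.x.xxx key "shared key"
no telnet-server
aaa authentication web login radius
aaa authentication web enable radius
aaa authentication login privilege-mode
aaa authentication ssh login tacacs
aaa authentication ssh enable tacacs
"""

# Assumed line shape, inferred from the lines posted in the thread:
#   aaa authentication <access> <login|enable> <primary> [<secondary>]
AUTH_RE = re.compile(
    r"^aaa authentication (\w+) (login|enable) (\S+)(?: (\S+))?\s*$")

def parse_auth(config):
    """Return ({access: {stage: (primary, secondary)}}, privilege_mode_flag)."""
    table = defaultdict(dict)
    privilege_mode = False
    for line in config.splitlines():
        line = line.strip()
        if line == "aaa authentication login privilege-mode":
            privilege_mode = True
        elif (m := AUTH_RE.match(line)):
            access, stage, primary, secondary = m.groups()
            table[access][stage] = (primary, secondary)
    return dict(table), privilege_mode

def findings(config):
    """List review points: the server behind each access method, missing fallbacks."""
    table, privilege_mode = parse_auth(config)
    out = []
    for access, stages in sorted(table.items()):
        for stage, (primary, secondary) in sorted(stages.items()):
            if secondary is None:
                out.append(f"{access}/{stage}: {primary} only, no secondary method")
    backends = {a: sorted({p for p, _ in s.values()}) for a, s in table.items()}
    if len({tuple(b) for b in backends.values()}) > 1:
        pairs = ", ".join(f"{a}={'+'.join(b)}" for a, b in sorted(backends.items()))
        out.append("access methods use different servers: " + pairs)
    if privilege_mode:
        out.append("privilege-mode set: the server's reply decides the login level")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_CONFIG)))
```

On the sample it reports that web logins are decided by the RADIUS server while SSH logins are decided by the TACACS server, so a policy that grants manager rights on one server does not carry over to the other.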