Enabling RADIUS Server Authentication

This section describes several types of RADIUS server configuration and related procedures.

Configuring RADIUS Server Username and Password Authentication

In this example, an external RADIUS server is used to authenticate management users. Upon authentication, users are assigned the default role root.

In the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select RADIUS Server to display the Radius Server List.
a. To configure a RADIUS server, enter the name for the server (for example, rad1) and click Add.
b. Select the name to configure server parameters, such as IP address. Select the Mode checkbox to activate the server.
c. Click Apply.
3. Select Server Group to display the Server Group list.
a. Enter the name of the new server group (for example, corp_rad) and click Add.
b. Select the name to configure the server group.
c. Under Servers, click New to add a server to the group.
d. Select a server from the drop-down menu and click Add Server.
e. Click Apply.
4. Navigate to the Configuration > Management > Administration page.
a. Under Management Authentication Servers, select a management role (for example, root) for the Default Role.
b. Select (check) Mode.
c. For Server Group, select the server group that you just configured.
d. Click Apply.

In the CLI

aaa authentication-server radius rad1
  host <ipaddr>
  enable

aaa server-group corp_rad
  auth-server rad1

aaa authentication mgmt
  default-role root
  enable
  server-group corp_rad

Configuring RADIUS Server Authentication with VSA

In this scenario, an external RADIUS server authenticates management users and returns to the controller the Aruba vendor-specific attribute (VSA) called Aruba-Admin-Role that contains the name of the management role for the user. The authenticated user is placed into the management role specified by the VSA.

The controller configuration is identical to that in Configuring RADIUS Server Username and Password Authentication. The only difference is the configuration of the VSA on the RADIUS server. Ensure that the value of the VSA returned by the RADIUS server is one of the predefined management roles. Otherwise, the user will have no access to the controller.

Configuring RADIUS Server Authentication with Server Derivation Rule


Aruba controllers do not make use of any returned attributes from a TACACS+ server.

A RADIUS server can return to the controller a standard RADIUS attribute that contains one of the following values:

The name of the management role for the user
A value from which a management role can be derived

For either situation, configure a server-derivation rule for the server group.

In the following example, the RADIUS server returns the attribute Class to the controller. The value of the attribute can be either “root” or “network-operations” depending upon the user; the returned value is the role granted to the user.


Ensure that the value of the attribute returned by the RADIUS server is one of the predefined management roles. Otherwise, the management user will not be granted access to the controller.

In the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select RADIUS Server to display the Radius Server List.
a. To configure a RADIUS server, enter the name for the server (for example, rad1) and click Add.
b. Select the name to configure server parameters, such as IP address. Select the Mode checkbox to activate the server.
c. Click Apply.
3. Select Server Group to display the Server Group list.
a. Enter the name of the new server group (for example, corp_rad) and click Add.
b. Select the name to configure the server group.
c. Under Servers, click New to add a server to the group.
d. Select a server from the drop-down menu and click Add Server.
e. Under Server Rules, click New to add a server rule.
f. For Condition, select Class from the scrolling list. Select value-of from the drop-down menu. Select Set Role from the drop-down menu.
g. Click Add.
h. Click Apply.
4. Navigate to the Configuration > Management > Administration page.
a. Under Management Authentication Servers, select a management role (for example, read-only) for the Default Role.
b. Select (check) Mode.
c. For Server Group, select the server group that you just configured.
d. Click Apply.

In the CLI

aaa authentication-server radius rad1
  host <ipaddr>
  enable

aaa server-group corp_rad
  auth-server rad1
  set role condition Class value-of

aaa authentication mgmt
  default-role read-only
  enable
  server-group corp_rad

In the following example, the RADIUS server returns the attribute Class to the controller. If the value of this attribute is “it”, the user is granted the root role. If the value of the Class attribute is anything else, the user is granted the default read-only role.

Configuring a set-value server-derivation rule

In the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select RADIUS Server to display the Radius Server List.
a. To configure a RADIUS server, enter the name for the server (for example, rad1) and click Add.
b. Select the name to configure server parameters, such as IP address. Select the Mode checkbox to activate the server.
c. Click Apply.
3. Select Server Group to display the Server Group list.
a. Enter the name of the new server group (for example, corp_rad) and click Add.
b. Select the name to configure the server group.
c. Under Servers, click New to add a server to the group.
d. Select a server from the drop-down menu and click Add Server.
e. Under Server Rules, click New to add a server rule.
f. For Condition, select Class from the scrolling list. Select equals from the drop-down menu. Enter it. Select Set Role from the drop-down menu. For Value, select root from the drop-down menu.
g. Click Add.
h. Click Apply.
4. Navigate to the Configuration > Management > Administration page.
a. Under Management Authentication Servers, select a management role (for example, read-only) for the Default Role.
b. Select (check) Mode.
c. For Server Group, select the server group that you just configured.
d. Click Apply.

In the CLI

aaa authentication-server radius rad1
  host <ipaddr>
  enable

aaa server-group corp_rad
  auth-server rad1
  set role condition Class equals it set-value root

aaa authentication mgmt
  default-role read-only
  enable
  server-group corp_rad

For more information about configuring server-derivation rules, see Configuring Server-Derivation Rules.
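The following simulation, added here and not ArubaOS code, shows how the three setups on this page (the Aruba-Admin-Role VSA, the value-of rule, and the equals/set-value rule) turn a RADIUS reply into a management role, including the two failure modes the notes describe: a returned role that is not predefined yields no access, while an unmatched rule falls back to the default role. The role set, the rule encoding, and modelling the VSA as a value-of rule on the Aruba-Admin-Role attribute are assumptions of the example.

```python
# Added example, not ArubaOS code: simulates the controller's choice of a
# management role from RADIUS reply attributes. The set of predefined roles
# below is an assumed subset used only for the simulation.
PREDEFINED_ROLES = {"root", "read-only", "network-operations"}


def derive_role(attrs, rules, default_role, predefined=PREDEFINED_ROLES):
    """Return the management role granted, or None when access is denied.

    attrs: RADIUS reply attributes, e.g. {"Class": "it"} (constructed).
    rules: ordered server-derivation rules, encoded as
           ("value-of", attribute) or ("equals", attribute, match, role).
           The VSA case is modelled as ("value-of", "Aruba-Admin-Role").
    default_role: the 'default-role' from 'aaa authentication mgmt'.
    """
    candidate = None
    for rule in rules:
        if rule[0] == "value-of" and rule[1] in attrs:
            candidate = attrs[rule[1]]      # attribute value names the role
            break
        if rule[0] == "equals" and attrs.get(rule[1]) == rule[2]:
            candidate = rule[3]             # set-value role
            break
    if candidate is None:
        return default_role                 # no rule matched: default role
    # A returned role that is not a predefined management role means the
    # user gets no access to the controller, as the notes above state.
    return candidate if candidate in predefined else None


if __name__ == "__main__":
    value_of = [("value-of", "Class")]
    set_value = [("equals", "Class", "it", "root")]
    print(derive_role({"Class": "network-operations"}, value_of, "read-only"))
    print(derive_role({"Class": "helpdesk"}, value_of, "read-only"))  # None
    print(derive_role({"Class": "sales"}, set_value, "read-only"))    # read-only
```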

Disabling Authentication of Local Management User Accounts

You can disable authentication of management user accounts in local switches if the configured authentication server(s) (RADIUS or TACACS+) are not available.

You can disable authentication of management users based on the results returned by the authentication server. When configured, locally-defined management accounts (for example, admin) are not allowed to log in if the server(s) are reachable and the user entry is not found in the authentication server. In this situation, if the RADIUS or TACACS+ server is unreachable, meaning it does not receive a response during authentication, or fails to authenticate a user because of a timeout, local authentication is used and you can log in with a locally-defined management account.

In the WebUI

1. Navigate to the Configuration > Management > Administration page.
2. Under Management Authentication Servers, uncheck the Local Authentication Mode checkbox.
3. Click Apply.

In the CLI

mgmt-user localauth-disable

Verifying the configuration

To verify whether authentication of local management user accounts is enabled or disabled, use the following command:

show mgmt-user local-authentication-mode
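The decision described above for a locally-defined account such as admin, as an added simulation that is not ArubaOS code: a server that answers (reject or user not found) blocks the local account when local authentication is disabled, while servers that are unreachable or time out are skipped and, if none answers, local authentication is used. Treating a server answer of reject/not-found as a fall-through to local credentials when local authentication is still enabled is an assumption of the example.

```python
# Added example, not ArubaOS code: models the login outcome for a
# locally-defined management account against an ordered server group.
# Outcome labels are constructed for the simulation.
UNREACHABLE, TIMEOUT, ACCEPT, REJECT, NOT_FOUND = (
    "unreachable", "timeout", "accept", "reject", "not-found")


def local_account_login(server_outcomes, local_auth_enabled, local_password_ok):
    """Return (allowed, reason) for a locally-defined management account.

    server_outcomes: per-server results in group order (constructed).
    local_auth_enabled: False after 'mgmt-user localauth-disable'.
    local_password_ok: whether the locally stored credential verifies.
    """
    for outcome in server_outcomes:
        if outcome in (UNREACHABLE, TIMEOUT):
            continue                        # no response: try the next server
        if outcome == ACCEPT:
            return True, "authenticated by server"
        # The server is reachable and did not accept the user.
        if local_auth_enabled and local_password_ok:
            return True, "local authentication (assumed fall-through)"
        return False, "server reachable and user not accepted"
    # No server responded: local authentication is used.
    return local_password_ok, "servers unreachable, local authentication"


if __name__ == "__main__":
    print(local_account_login([UNREACHABLE, TIMEOUT], False, True))
    print(local_account_login([NOT_FOUND], False, True))
```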

Resetting the Admin or Enable Password

This section describes how to reset the password for the default administrator user account (admin) on the controller. Use this procedure if the administrator user account password is lost or forgotten.

1. Connect a local console to the serial port on the controller.
2. From the console, log in to the controller using the username password and the password forgetme!.
3. Enter enable mode by typing in enable, followed by the password enable.
4. Enter configuration mode by typing in configure terminal.
5. To configure the administrator user account, enter mgmt-user admin root. Enter a new password for this account. Retype the same password to confirm.
6. Exit from the configuration mode, enable mode, and user mode.

This procedure also resets the enable mode password to enable. If you have defined a management user password policy, make sure that the new password conforms to this policy. For details, see Implementing a Specific Management Password Policy.

Figure 1 is an example of how to reset the password. The commands in bold type are what you enter.


Figure 1  Resetting the Password

(host)
User: password
Password: forgetme!

(host) >enable
Password: enable

(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(host) (config) #mgmt-user admin root
Password: ******
Re-Type password: ******

(host) (config) #exit
(host) #exit
(host) >exit

After you reset the administrator user account and password, you can log in to the controller and reconfigure the enable mode password. To do this, enter configuration mode and type the enable secret command. You are prompted to enter a new password and retype it to confirm. Save the configuration by entering write memory.

Figure 2 shows an example of reconfiguring the enable mode password. Again, the commands you enter are displayed in bold type.

Figure 2  Reconfigure the enable mode password

User: admin
Password: ******

(host) >enable
Password: ******

(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(host) (config) #enable secret
Password: ******
Re-Type password: ******

(host) (config) #write memory

Bypassing the Enable Password Prompt

The bypass enable feature lets you bypass the enable password prompt and go directly to the privileged commands (config mode) after logging on to the controller. This is useful if you want to avoid changing the enable password due to company policy.

Use the enable bypass CLI command to bypass the enable prompt and go directly to the privileged commands (config mode). Use the no enable bypass CLI command to restore the enable password prompt.

Setting an Administrator Session Timeout

You can configure the number of seconds after which an Administrator’s WebUI or CLI session times out.

In the WebUI

To define a timeout interval for a WebUI session, use the command:

web-server sessiontimeout <session-timeout>

In the above command, <session-timeout> can be any number of seconds from 30 to 3600, inclusive.

In the CLI

To define a timeout interval for a CLI session, use the command:

loginsession timeout <value>

In the above command, <value> can be any number of minutes from 5 to 60 or seconds from 1 to 3600, inclusive. You can also specify a timeout value of 0 to disable CLI session timeouts.