Centralized authentication - configuration

Information

Authenticating users through RADIUS provides a centralized way to manage access to the switch. This allows the administrator to make modifications to the set of authorized users without having to make changes on every network device. RADIUS authentication is supported by Aruba ClearPass Policy Manager.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To make RADIUS the primary authentication method, with local authentication as the secondary method, for both login and enable access on the serial console, SSH, and the web interface, use the following configuration commands:

switch(config)# aaa authentication console login radius local
switch(config)# aaa authentication console enable radius local
switch(config)# aaa authentication ssh login radius local
switch(config)# aaa authentication ssh enable radius local
switch(config)# aaa authentication web login radius local
switch(config)# aaa authentication web enable radius local

SSH also includes authentication for SCP and SFTP file transfers.

To enable TACACS authentication as the primary method and local authentication as the secondary method for console or SSH management access, use the following configuration commands:

switch(config)# aaa authentication console login tacacs local
switch(config)# aaa authentication console enable tacacs local
switch(config)# aaa authentication ssh login tacacs local
switch(config)# aaa authentication ssh enable tacacs local

TACACS authentication is not supported for web management UI access.
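
The check below is an added example, not part of the benchmark or of any vendor tooling: it reads saved configuration text and reports every access method and privilege level that lacks a central primary method or the local secondary method described above. It assumes the configuration contains these settings in the same form as the commands on this page; the names `audit_aaa` and `SAMPLE` are hypothetical and the sample text is constructed.

```python
import re

# Pattern for the command form shown on this page:
#   aaa authentication <access> <level> <primary> [<secondary>]
AAA_RE = re.compile(
    r"^\s*aaa authentication (console|ssh|web) (login|enable) (\S+)(?:\s+(\S+))?\s*$"
)

# Per the page, TACACS is not supported for web management UI access.
REQUIRED = {
    "console": {"radius", "tacacs"},
    "ssh": {"radius", "tacacs"},
    "web": {"radius"},
}

def audit_aaa(config_text):
    """Return a sorted list of (access, level, reason) findings."""
    seen = {}
    for line in config_text.splitlines():
        m = AAA_RE.match(line)
        if m:
            access, level, primary, secondary = m.groups()
            seen[(access, level)] = (primary, secondary)  # last line wins

    findings = []
    for access, allowed in REQUIRED.items():
        for level in ("login", "enable"):
            entry = seen.get((access, level))
            if entry is None:
                findings.append((access, level, "no aaa authentication line"))
            elif entry[0] not in allowed:
                findings.append((access, level, f"primary is '{entry[0]}'"))
            elif entry[1] != "local":
                findings.append((access, level, "no local secondary method"))
    return sorted(findings)

# Constructed sample (assumption), not output from a real switch.
SAMPLE = """\
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication ssh login tacacs local
aaa authentication ssh enable local
aaa authentication web login tacacs local
aaa authentication web enable radius
"""

if __name__ == "__main__":
    for access, level, reason in audit_aaa(SAMPLE):
        print(f"FAIL {access} {level}: {reason}")
```

An empty result means all six access and privilege combinations match the recommended settings.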

See Also

https://support.hpe.com/hpesc/public/docDisplay?docId=a00056155en_us

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2

Plugin: ArubaOS

Control ID: 7d98bc35369b9dae24b96f7b2084e43314365a88e1926c49b2c22a9146e73c62