RADIUS authentication

Authenticating users through RADIUS provides a centralized way to manage access to the switch. This allows the administrator to make modifications to the set of authorized users without having to make changes on every network device. RADIUS authentication is supported by Aruba ClearPass Policy Manager.

In the following example, a RADIUS server at IP address 10.100.0.253, with the authentication key "secret", is configured to be used for authentication on the switch:

switch(config)# radius-server host 10.100.0.253 key secret

To use RADIUS as the primary authentication method, with local authentication as the secondary method, for both login and enable access on the serial console, SSH, and the web interface, use the following configuration commands:

switch(config)# aaa authentication console login radius local
switch(config)# aaa authentication console enable radius local
switch(config)# aaa authentication ssh login radius local
switch(config)# aaa authentication ssh enable radius local
switch(config)# aaa authentication web login radius local
switch(config)# aaa authentication web enable radius local

SSH also includes authentication for SCP and SFTP file transfers.

NOTE:

If the secondary access method is “None” or “Local” with no passwords configured, the user will be granted manager-level access if the primary method fails for any reason (for example, RADIUS server is unreachable, incorrect RADIUS server key is configured, and so on).
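The fallback condition in the note can be checked across saved configurations. The following is an added example, not part of the original guide or of Aruba's tooling: it reads "aaa authentication" lines in the form shown above and reports each access method whose secondary method would admit a user when RADIUS fails. The function name audit_fallback, the local_passwords_set argument (supplied by the auditor) and the sample configuration are assumptions made for the example.

```python
import re

# Matches the command form shown on this page, with or without a CLI prompt.
AAA_RE = re.compile(
    r"^(?:\S+\(config\)#\s*)?aaa authentication\s+(console|ssh|web)\s+"
    r"(login|enable)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)

def audit_fallback(config_text, local_passwords_set):
    """Return (access, level, reason) for each RADIUS-primary line whose
    secondary method matches the condition described in the note.

    local_passwords_set is supplied by the auditor (assumption: the saved
    configuration may not show whether local passwords exist)."""
    findings = []
    for line in config_text.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue
        access, level, primary, secondary = (
            g.lower() if g else None for g in m.groups())
        if primary != "radius":
            continue  # this check only covers RADIUS as the primary method
        if secondary is None:
            reason = "no secondary method stated; confirm the device default"
        elif secondary == "none":
            reason = "secondary is none"
        elif secondary == "local" and not local_passwords_set:
            reason = "secondary is local but no local passwords are configured"
        else:
            continue
        findings.append((access, level, reason))
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
switch(config)# aaa authentication console login radius local
switch(config)# aaa authentication console enable radius local
switch(config)# aaa authentication ssh login radius none
switch(config)# aaa authentication ssh enable radius local
switch(config)# aaa authentication web login radius
"""

if __name__ == "__main__":
    for pw in (True, False):
        print(f"local passwords configured: {pw}")
        for access, level, reason in audit_fallback(SAMPLE, pw):
            print(f"  {access} {level}: {reason}")
```
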

For more details, refer to the chapter titled “RADIUS Authentication and Accounting” in the ArubaOS-Switch Access Security Guide.