Setting up AAA for REST

The following sections list the procedures to set up AAA for REST on Local, RADIUS, and TACACS+. For command details, see CLI Commands.

RADIUS

The RADIUS server must be configured and the configuration file must be available on the RADIUS server.
  • Authentication - Configure Operator and Manager with primary authentication method as RADIUS and backup method as Local. The commands are:
    (config)# aaa authentication rest login radius
    (config)# aaa authentication rest enable radius
    
  • Authorization - Configure HP-URI-Exception, HP-URI-Json-String, and HP-URI-Access in the RADIUS configuration file. Use the following command to configure URI authorization on the switch:
    (config)# aaa authorization rest-uri radius
  • Accounting - Enable the URI, exec and system accounting on RADIUS for REST interface using the aaa accounting command. For example,
    (config)# aaa accounting exec start-stop radius
    (config)# aaa accounting system start-stop radius
    (config)# aaa accounting rest-uri stop-only radius
    

TACACS+

  • Authentication

    Configure Operator and Manager with primary authentication method as TACACS and backup method as Local. The commands are:
    (config)# aaa authentication rest login tacacs
    (config)# aaa authentication rest enable tacacs
    
  • Authorization
    • Configure the rules for authorization in the TACACS configuration file.

    • Enable TACACS authorization using the following command:
      (config)# aaa authorization rest-uri tacacs
  • Accounting

    Enable the URI, exec and system accounting on TACACS+ server for REST interface using the aaa accounting command with appropriate options. For example,
    (config)# aaa accounting exec start-stop tacacs
    (config)# aaa accounting system start-stop tacacs
    (config)# aaa accounting rest-uri stop-only tacacs
    

Local

  • Authentication

    Configure Operator and Manager with primary authentication method as Local. The commands are:
    (config)# aaa authentication rest login local 
    (config)# aaa authentication rest enable local
    
  • Authorization

    The following example illustrates the configuration that authorizes admin1 to execute authentication GET URIs:
    • Enable Local authorization:
      (config)# aaa authorization rest-uri local
    • Create a group, group1 with the following parameters and command:
      URI:            v6/aaa
      Json attribute: authentication
      URI Access:     GET
      Exception:      permit
      
      (config)# aaa authorization group group1 uri-seq 23 match-uri v6/aaa match-json authentication uri-access get permit
    • Create Local user and associate the user with the group.
      (config)# aaa authentication local-user admin1 group group1 password plaintext
      New password for admin1: *********
      Please retype new password for admin1: *********
      With the execution of the above two commands, admin1 is part of group1, which has authorization set to execute authentication GET URIs.
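
A consistency check for the RADIUS, TACACS+ and Local procedures above, as an added example that is not part of the original documentation: it reads a list of configuration commands and reports where authentication, authorization or accounting for REST is missing or points at a different method than login. It assumes the commands appear in the form shown on this page, with or without the `(config)#` prompt; the function names and the sample input are constructed for illustration.

```python
import re

PROMPT = re.compile(r"^\s*\(config\)#\s*")
# Commands as shown on the page; the capture group is the AAA method.
CHECKS = {
    "authentication rest login": r"aaa authentication rest login (\S+)",
    "authentication rest enable": r"aaa authentication rest enable (\S+)",
    "authorization rest-uri": r"aaa authorization rest-uri (\S+)",
    "accounting exec": r"aaa accounting exec \S+ (\S+)",
    "accounting system": r"aaa accounting system \S+ (\S+)",
    "accounting rest-uri": r"aaa accounting rest-uri \S+ (\S+)",
}

def parse_methods(config_text):
    """Map each REST AAA setting to the first (primary) method on its line."""
    found = {}
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw).strip()
        for name, pattern in CHECKS.items():
            if (m := re.match(pattern, line)):
                found[name] = m.group(1).lower()
    return found

def audit(config_text):
    """Return findings where the text departs from the page's procedure."""
    found = parse_methods(config_text)
    method = found.get("authentication rest login")
    if method is None:
        return ["authentication rest login: not configured"]
    findings = []
    for name in CHECKS:
        # The page lists accounting commands only for RADIUS and TACACS+.
        if name.startswith("accounting") and method == "local":
            continue
        if name not in found:
            findings.append(f"{name}: missing (login uses {method})")
        elif found[name] != method:
            findings.append(f"{name}: uses {found[name]}, login uses {method}")
    return findings

# Constructed sample: no URI authorization, no system accounting, mixed servers.
SAMPLE = """\
(config)# aaa authentication rest login radius
(config)# aaa authentication rest enable radius
aaa accounting exec start-stop radius
aaa accounting rest-uri stop-only tacacs
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```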