FortiAuthenticator Radius Authentication with HP Aruba Switch

Author
aestremera
2020/02/10 12:36:59

Hi All,
 
I am using FortiAuthenticator as a RADIUS server and attempting to utilize it to authenticate for 250 HP Aruba switches. I believe the problem I am having is finding the correct attribute to use in FortiAuthenticator to send to the HP Aruba switches to allow the user manager or operator privilege. The FortiAuthenticator debug shows that it's sending the info to the HP Aruba switch, but the switch logs show invalid user id/password. Has anyone been able to use FortiAuthenticator as RADIUS with HP Aruba switches?
 
FortiAuthenticator:
Created User Group: Attribute is Aruba-Priv-Admin-user with value 6 and vendor Aruba
Also tried: Attribute is HP-Privilege-Level with value 6 and vendor HP
RADIUS Service > Clients > Correctly configured with the right Group
 
HP Aruba Switch radius config:
conf t
radius-server host xxx.xxx.xxx.xxx key PASSWORD
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication login privilege-mode (if I remove this command, I can log into the switch successfully with operator privilege, but when I enter the command enable, it allows me to use my credentials again to authenticate to manager level. But I need it to authenticate to manager/operator user at the first authentication point).
 
 
#1


    xsilver
    Re: FortiAuthenticator Radius Authentication with HP Aruba Switch 2020/02/13 02:45:02
    Hi,
    this seems to me more like a question for Aruba support/web/documentation, to figure out which RADIUS attributes they need and what values are expected in those AVPs.
    Then set FortiAuthenticator per group or per user with those RADIUS attributes (bottom of user/group config in the 'Authentication / User Management' section).
    Then even a simple packet capture on FortiAuthenticator should reveal what is requested and what is sent (AVPs) in the dialog with those Aruba units.
     
    FortiAuthenticator is in this role nothing more than a generic RADIUS server. Nothing Forti* special here.
     

    Kind Regards,
    Tomas
    #2
    aestremera
    Re: FortiAuthenticator Radius Authentication with HP Aruba Switch 2020/02/14 11:19:20
    Thank you for the response, and you are correct. I ended up finding the answer in the Aruba forums, link below. I had my managed switch tester configured correctly but needed to find out what attributes the switch needed to receive to authenticate me as manager (full access) or operator (view only). I found that the HP and Aruba switches need to authenticate via value 6 for manager and 7 for operator. On the FortiAuthenticator side the attribute that worked was Vendor: Default > Attribute ID: Service-Type > Value: Administrative-User for 6 and NAS-Prompt-User for 7. With this information I was able to authenticate successfully!! Hope this helps anyone else who had a similar issue as I did.
     
    https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/How-to-configure-Web-GUI-authentication-with-Radius-on-HPE/ta-p/393105
    #3