Tuesday, 16 October 2018

HP Procurve Switch Privilege level access via Radius


Integrating switches with a RADIUS server and authenticating with AD credentials is fairly easy to set up. The part that many people find difficult to configure, and the interesting one, is user privilege level access through the RADIUS server. First, let's understand how to integrate the switch with the RADIUS server; later we can control the user privilege level through the RADIUS server.

Integrating Switch With Radius Server:

I assume everyone already knows how to build a secure certificate infrastructure. With the Windows certificate services and NPS (Network Policy Server) roles installed on your server, you need to create a Connection Request Policy and a Network Policy as described below.

NPS Policy Configuration:

Connection Request Policy: NAS Port Type=Virtual(VPN)

Network policy: NAS Port Type= Virtual (VPN) + Windows Group.

Switch End Configuration:

I've added the following fairly standard RADIUS configuration to the switch. Since I've already completed my testing phase with web authentication, I'm configuring SSH here.

aaa authentication ssh login radius local
aaa authentication ssh enable radius local

radius-server host <radius-server-ip> key 123456789

(The RADIUS server address was missing from the original line; <radius-server-ip> is a placeholder for your NPS server's IP address. The key must match the shared secret configured for this RADIUS client on the NPS server.)

With this configuration I'm able to log in to the switch using AD credentials, but the problem here is that every account in the Windows group referenced by the NPS Network Policy gets full (manager) access to the switch. Let's restrict the user privilege level through the RADIUS server.

User Privilege level access through Radius Server:

You can assign the privilege level on the RADIUS server by returning the Service-Type attribute in the Access-Accept. The switch only honours this attribute once you configure it with the command below.

hostname(config)# aaa authentication login privilege-mode

- Service-Type 6 (Administrative): allows full access to any service specified by the aaa authentication console commands (manager level).

- Service-Type 7 (NAS prompt): if you configure aaa authentication for Telnet/SSH, this allows access to the CLI but configuration mode is blocked. Only monitoring (operator level) access is allowed.
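To make the Service-Type mechanism concrete, here is an added example (not code from the original post and not an HP or Microsoft implementation) that builds RADIUS replies the way the server side does and then interprets them the way the switch does: it verifies the Response Authenticator with the shared secret (the key from the radius-server host line above) and maps Service-Type 6 to manager access and Service-Type 7 to operator access, exactly as the two bullet points state. The packet layout and authenticator computation follow RFC 2865; the user names, the fixed Request Authenticator and the "wrong-key" secret are constructed sample values, and the None result for a reply without Service-Type is my own convention, since the post does not say what the switch does in that case.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6

# Service-Type values the post maps to switch privilege levels.
SERVICE_TYPE_ADMINISTRATIVE = 6   # full (manager) access
SERVICE_TYPE_NAS_PROMPT = 7       # CLI access, configuration mode blocked

# Shared secret taken from the post's "radius-server host ... key 123456789" line.
SHARED_SECRET = b"123456789"


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS type-length-value attributes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, 2 + len(value)) + value
    return out


def decode_attrs(data):
    """Parse the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_response(code, ident, request_auth, secret, attrs):
    """Build an Access-Accept/Reject as the RADIUS server (NPS) would.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Check the Response Authenticator as the switch (NAS) does before trusting a reply."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def privilege_from_response(packet, request_auth, secret):
    """Map a verified RADIUS reply to the privilege level described in the post.

    "manager" for Service-Type 6, "operator" for Service-Type 7, "denied" for
    Access-Reject, None when no Service-Type is present (convention of this example).
    """
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or altered reply")
    if packet[0] != ACCESS_ACCEPT:
        return "denied"
    for atype, value in decode_attrs(packet[20:]):
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
            if service_type == SERVICE_TYPE_ADMINISTRATIVE:
                return "manager"
            if service_type == SERVICE_TYPE_NAS_PROMPT:
                return "operator"
    return None


# Constructed sample value: a fixed Request Authenticator (a real NAS picks 16 random bytes).
SAMPLE_REQUEST_AUTH = bytes(range(16))


def demo():
    """Show the two Service-Type outcomes and a reply signed with a mismatched secret."""
    admin = build_response(ACCESS_ACCEPT, 1, SAMPLE_REQUEST_AUTH, SHARED_SECRET,
                           [(ATTR_USER_NAME, b"netadmin"),
                            (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))])
    monitor = build_response(ACCESS_ACCEPT, 2, SAMPLE_REQUEST_AUTH, SHARED_SECRET,
                             [(ATTR_USER_NAME, b"helpdesk"),
                              (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))])
    # A reply computed with a different key must fail verification on the switch side.
    mismatched = build_response(ACCESS_ACCEPT, 3, SAMPLE_REQUEST_AUTH, b"wrong-key",
                                [(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))])
    return {
        "netadmin": privilege_from_response(admin, SAMPLE_REQUEST_AUTH, SHARED_SECRET),
        "helpdesk": privilege_from_response(monitor, SAMPLE_REQUEST_AUTH, SHARED_SECRET),
        "mismatched_verifies": verify_response(mismatched, SAMPLE_REQUEST_AUTH, SHARED_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints a manager result for the Service-Type 6 reply, an operator result for the Service-Type 7 reply, and False for the reply built with a different key, which is why the key on the switch and the shared secret on the NPS RADIUS client entry must match before any of the privilege mapping takes effect.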

Fahim Raza (Author)

Hi there! My name is Fahim Raza. I am a professional blogger. I like music (Linkin Park), playing games (football) and blogging...
