Thanks, I got it to work now.
But it seems this is only PAP, which is unencrypted between the User and the NAS Client.
The next step would be TLS (RadSec) but Windows NPS doesn't support this.
We're looking at other AAA options now that do work with Aruba CX.
Nevertheless, mholden and mkk, thank you for the elaborate answer.
Original Message:
Sent: Sep 06, 2023 08:54 AM
From: Michael Holden
Subject: OS-CX and RADIUS using Microsoft NPS for admin access
Switch Configuration:
clock timezone <Your Time Zone>
ntp server <NTP Server 1> iburst version 3 minpoll 4 maxpoll 4 prefer
ntp server <NTP Server 2> iburst version 3 minpoll 4 maxpoll 4
no ntp server pool.ntp.org
ntp enable
radius-server host <NPS1> vrf <mgmt|default> key plaintext <PSK>
radius-server host <NPS2> vrf <mgmt|default> key plaintext <PSK>
aaa group server radius NPS-RADIUS
    server <NPS1> vrf <mgmt|default>
    server <NPS2> vrf <mgmt|default>
aaa authentication login console group NPS-RADIUS local
aaa authentication login default group NPS-RADIUS local
aaa authentication login ssh group NPS-RADIUS local
aaa authentication login https-server group NPS-RADIUS local
aaa radius-attribute group NPS-RADIUS
aaa authentication limit-login-attempts 3 lockout-time 5
https-server max-user-sessions 2
https-server session-timeout 15
cli-session
    max-per-user 2
    timeout 45
    exit
NPS Configuration:
For NPS, make sure you're sending back the additional VSA for Aruba-Priv-Admin-User 15.
https://community.arubanetworks.com/community-home/digestviewer/viewthread?GroupId=25&MessageKey=cceb5ac0-bf31-4711-bc54-5ad539b154de&CommunityKey=22dc38ea-a1e1-4059-b55e-a622fedecf32&tab=digestviewer
Check here for other NPS configuration information.
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=10129
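
A troubleshooting aid for the case raised in this thread, where NPS returns an Access-Accept but the switch still denies the login: the Python below is an added example (not code from any poster or from Aruba) that parses a captured Access-Accept per RFC 2865, checks its Response Authenticator against the shared secret, and looks for the privilege VSA. The vendor ID 14823 and sub-type 3 for Aruba-Priv-Admin-User are assumptions to confirm against your RADIUS dictionary; the packet bytes, secret and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ARUBA_VENDOR_ID = 14823      # assumption: Aruba's enterprise number, check your dictionary
PRIV_ADMIN_USER_TYPE = 3     # assumption: Aruba-Priv-Admin-User sub-type, check your dictionary

def parse_vsas(packet):
    """Return [(vendor_id, vendor_type, value)] for every VSA in a RADIUS packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    vsas, pos, end = [], 20, len(packet)          # attributes start after the 20-byte header
    while pos < end:
        if pos + 2 > end or packet[pos + 1] < 2 or pos + packet[pos + 1] > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        body = packet[pos + 2:pos + alen]
        if atype == 26 and len(body) >= 6:        # 26 = Vendor-Specific
            vendor_id = struct.unpack("!I", body[:4])[0]
            sub = body[4:]
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                vsas.append((vendor_id, sub[0], sub[2:sub[1]]))
                sub = sub[sub[1]:]
        pos += alen
    return vsas

def response_auth_ok(packet, request_auth, secret):
    """True if Response Authenticator == MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def admin_level(packet, vendor_id=ARUBA_VENDOR_ID, vendor_type=PRIV_ADMIN_USER_TYPE):
    """Return the integer value of the privilege VSA, or None if the reply lacks it."""
    for vid, vtype, value in parse_vsas(packet):
        if (vid, vtype) == (vendor_id, vendor_type) and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None

def build_accept(ident, request_auth, secret, attrs):
    """Build a signed Access-Accept (code 2); used here only to make sample data."""
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

# Constructed sample data: request authenticator, shared secret and one VSA with value 15.
REQ_AUTH = bytes(range(16))
SECRET = b"constructed-secret"
VSA = struct.pack("!BBIBBI", 26, 12, ARUBA_VENDOR_ID, PRIV_ADMIN_USER_TYPE, 6, 15)
ACCEPT = build_accept(7, REQ_AUTH, SECRET, VSA)
```

An Access-Accept for which admin_level() returns None, or for which response_auth_ok() fails with the key configured on the switch, narrows the problem to the NPS network policy or the shared secret respectively.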
Original Message:
Sent: Sep 05, 2023 03:41 AM
From: pieterm
Subject: OS-CX and RADIUS using Microsoft NPS for admin access
I'm well aware I'm reviving an old thread, however:
I can't get this to work.
We have a large multi-tenant multi-vendor environment and it works for everyone (including 2930F's and other Aruba switch OS switches), except for the new CX switch I'm testing.
Even with a separate Connection Request Policy where I specify "Accept users without validating credentials" the switch won't budge.
I can see the RADIUS server sending an accept message back to the switch, however the switch just decides to return Access denied.
Am I missing something in your explanation mkk?
Original Message:
Sent: Mar 29, 2022 12:51 PM
From: mkk
Subject: OS-CX and RADIUS using Microsoft NPS for admin access
Hi Neil,
Aruba-CX also uses the shell:priv-lvl:15 method, maybe this topic helps you.
https://www.expertnetworkconsultant.com/configuring/network-device-management-with-radius-authentication-using-windows-nps/
Edit: I can confirm that I tested the above solution for you on an Aruba-CX virtual switch and it's working.
Switch configuration below:
radius-server host "IP of NPS Server" key ***
!
aaa group server radius nps
    server "IP of NPS Server"
!
aaa authentication login default group nps local
!
------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
Original Message:
Sent: Mar 25, 2022 11:08 AM
From: Neil Behagg
Subject: OS-CX and RADIUS using Microsoft NPS for admin access
Hi all,
Apologies if this has been asked before, I've been searching but had no luck so far. I'm hoping to set up radius authentication for the Aruba OS-CX switches using Microsoft NPS for admin access but am struggling to find any decent guides. Is there a step-by-step anywhere on how to configure this?
Thanks
------------------------------
Neil Behagg
------------------------------