Ash Roberts
SwitchITUp

SwitchITUp

Aruba Switching CLI Lockdown with Windows Server NPS

Aruba Switching CLI Lockdown with Windows Server NPS

Ash Roberts's photo
Ash Roberts
·May 3, 2022·

5 min read

Table of contents

  • Assumptions:
  • Objectives:
  • Configure NPS Network Policy
  • Configure RADIUS clients in NPS
  • Configure the Switch for RADIUS

I have been involved with a number of Aruba switching roll-outs over the past few years and it still amazes me to this day how network security is either non existent or seriously lacking in companies.

When using SSH to manage a switch or network device most tend to use a secure password and as you should know SSH encrypts the CLI session, unlike Telnet that can expose these passwords in clear text rendering any password you use ineffective.

We are going to kick this up a notch and lock our CLI down to a Network Administrators security group in Active Directory where authentication will be passed from the switch via Windows Server Network Policy Server (NPS).

Assumptions:

  • You have a working Active Directory Domain Controller

  • You have a NPS server (192.168.200.1) with Network Policy Server Role Installed

  • Admin access to your switching

  • a management VLAN of 200 with your switch IP address 192.168.200.10

Objectives:

  • Configure NPS Network Policy

  • Configure RADIUS clients in NPS

  • Configure or switch via the CLI for RADIUS Auth

Configure NPS Network Policy

When authentication is passed to the NPS server by a valid RADIUS client, NPS evaluates the login against it's network policies. Here we can define connection conditions such as security group etc that determine if we are allowed or disallowed access. (This just scratches the surface).

For more info on NPS check out Microsoft's Documentation:
docs.microsoft.com/en-us/windows-server/net..

We are going to create a network policy called "ArubaOS-Management" that will allow connections to the switch Command line/GUI IF we are members of the Network Admins Security Group in Active Directory. See the security group I have created in AD below:

securitygroupad.jpg

On the first page of our Network Policy in NPS we will name the policy "ArubaOS-Management", Secondly, we obviously want this policy to GRANT access and ignore the users remote dial in attributes that may exist on their AD profile.

ArubaOSpolicy1.jpg

On the second page of our policy we actually stipulate what conditions are evaluated as part of our GRANT access. Here we are going to select a windows group called "Network Administrators". There are many conditions you can pick if you wish to harden your security posture further. We will keep things simple for this demo.

arubaOSpolicy2.jpg

Encryption under Constraints tab we are going to select no encryption PAP/sPAP

constraints.jpg

Configure RADIUS clients in NPS

The RADIUS client is our switch (192.168.200.10). It is also common to see Access Points as RADIUS Clients to authenticate users on corporate WiFi and 802.1x implementations (way beyond the scope of this article). We will add this switch as a RADIUS client in NPS and give it a secret of "SecretKey" this key will need to match our configuration on the switch CLI when we setup the radius settings for it to be able to initiate a connection with NPS.

createradiusclient.jpg

radiusclientsetting.jpg

Configure the Switch for RADIUS

The final phase required is to actually configure the switch.

  • We will disable the clear text protocol telnet to force connections via SSH/GUI

  • We will then tell our switch how to reach our NPS box via its IP and the secret key we created for it to authenticate with the server.

  • Because Aruba switches have a GUI we also want to lock this down to Network Admins only like our CLI.

The following CLI commands show how to achieve the above:

###Disable Telnet###
2930f-SW1(config)# no telnet-server

###define RADIUS Server IP (NPS) and secret key###
2930f-SW1(config)# radius-server host 192.168.200.1 key SecretKey

###define AAA settings to lock down WEB GUI and SSH CLI to radius authentication IF this fails failback to localDB login.###
2930f-SW1(config)# aaa authentication web login radius local
2930f-SW1(config)# aaa authentication ssh login radius local

###When authenticated put us directly in priviledge-mode###
2930f-SW1(config)# aaa authentication login priviledge-mode

to prevent locking yourself out of the switch we allow fallback to login with localDB account on the switch. This will only fail back if the Switch is unable to communicate with the NPS server. If a connection can be made but there is another error you will not be forced to use local login. Bear this in mind for testing purposes.

Talking of locking yourself out, I have done this a number of times where I have not verified my CLI commands, logged out of the switch, then can't get back in (this can easily happen with your radius key). TEST your config by keeping your current SSH session open, then create a new SSH session and making sure you can actually log in with your Active Directory credentials. If you cannot, you can use your existing session to remove your radius config or troubleshoot the commands you have issued to fix the issue!

With this setup we can login into our CLI with our Active Directory account that is a member of our Network Admins Security group. Below I created a AD user called Radius.test a member of "Network Admins" and we are authenticated and granted access to the switch.

clilogin.jpg

Also if you try and create a telnet session you won't be able to as we disabled telnet!

The commands used in this demo work on ArubaOS-S switching and most older HP iterations. I completed these on both 2930F and 2930M models

Aruba also have their own product called Clear-pass Policy Manager (CPPM) which can be used instead of Windows NPS to achieve the above, however, I do find CPPM to be a lot more complex to achieve the goal but you also get other features such as Mobile Device Management (MDM) and alot more authentication features for your network stack.

Check it out here:
arubanetworks.com/resource/clearpass-policy..

 
Share this