Setting up AAA for REST

Enable the following command to get manager privilege for RADIUS and TACACS authorization.

aaa authentication login privilege-mode

Syntax

aaa authentication login privilege-mode

Usage

[no] aaa authentication login privilege-mode

Description

Specifies that the switch respects the authentication server's privilege level.

The following sections list the procedures to set up AAA for REST on Local, RADIUS, and TACACS+. For command details, see CLI Commands.

RADIUS

The RADIUS server must be configured and the configuration file must be available on the RADIUS server.

  • Authentication - Configure Operator and Manager with primary authentication method as RADIUS and backup method as Local. The commands are:
    (config)# aaa authentication rest login radius
    (config)# aaa authentication rest enable radius
  • Authorization - Configure the HP-URI-Exception, HP-URI-Json-String, HP-URI-Access in the RADIUS configuration file. Use the following command to configure URI authorization on the switch:
    (config)# aaa authorization rest-uri radius
  • Accounting - Enable the URI, exec and system accounting on RADIUS for REST interface using the aaa accounting command. For example,
    (config)# aaa accounting exec start-stop radius
    (config)# aaa accounting system start-stop radius
    (config)# aaa accounting rest-uri stop-only radius

TACACS+

  • Authentication

    Configure Operator and Manager with primary authentication method as TACACS and backup method as Local. The commands are:
    (config)# aaa authentication rest login tacacs
    (config)# aaa authentication rest enable tacacs
  • Authorization
    • Configure the rules for authorization in the TACACS configuration file.
    • Enable TACACS authorization using the following command:
      (config)# aaa authorization rest-uri tacacs
  • Accounting

    Enable the URI, exec and system accounting on TACACS+ server for REST interface using the aaa accounting command with appropriate options. For example,

    (config)# aaa accounting exec start-stop tacacs
    (config)# aaa accounting system start-stop tacacs
    (config)# aaa accounting rest-uri stop-only tacacs

Local

  • Authentication

    Configure Operator and Manager with primary authentication method as Local. The commands are:
    (config)# aaa authentication rest login local
    (config)# aaa authentication rest enable local
  • Authorization

    The following example illustrates the configuration to authorize admin1 to execute authentication GET URIs:
    • Enable Local authorization:
      (config)# aaa authorization rest-uri local
    • Create a group, group1 with the following parameters and command:
      URI: v6/aaa
      Json attribute: authentication
      URI Access: GET
      Exception: permit
      (config)# aaa authorization group group1 uri-seq 23 match-uri v6/aaa match-json authentication uri-access get permit
    • Create Local user and associate the user with the group.
      (config)# aaa authentication local-user admin1 group group1 password plaintext
      New password for user1: *********
      Please retype new password for user1: *********
      With the execution of the above two commands, admin1 is part of group1, which has authorization set to execute authentication GET URIs.
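
The following audit script is an added example, not part of the original documentation or of the switch software. It checks a saved list of configuration commands for the REST AAA steps described above and reports any that are missing, use a different method from the others, or leave privilege-mode off for RADIUS/TACACS. The function name, the sample text, and the assumption that the commands appear in the audited text exactly as typed on this page are hypothetical.

```python
import re

# Commands as typed on this page; group 1 captures the method.
# Assumption: the audited text holds them in this same form.
CHECKS = {
    "authentication login": r"aaa authentication rest login (\w+)",
    "authentication enable": r"aaa authentication rest enable (\w+)",
    "authorization rest-uri": r"aaa authorization rest-uri (\w+)",
    "accounting exec": r"aaa accounting exec start-stop (\w+)",
    "accounting system": r"aaa accounting system start-stop (\w+)",
    "accounting rest-uri": r"aaa accounting rest-uri stop-only (\w+)",
}
PRIV_MODE = "aaa authentication login privilege-mode"

def audit_rest_aaa(config_text):
    """Return (method found per step, list of findings)."""
    lines = [re.sub(r"^\(config\)#\s*", "", ln.strip())
             for ln in config_text.splitlines()]
    # A line negated with "no" means the feature is disabled, not enabled.
    lines = [ln for ln in lines if ln and not ln.startswith("no ")]
    methods = {}
    for step, pattern in CHECKS.items():
        for ln in lines:
            m = re.fullmatch(pattern + r"(?:\s.*)?", ln)
            if m:
                methods[step] = m.group(1)
    findings = []
    remote = methods.get("authentication login") in ("radius", "tacacs")
    for step in CHECKS:
        # The page lists accounting steps only for RADIUS and TACACS+.
        if step not in methods and (remote or not step.startswith("accounting")):
            findings.append(f"missing: {step}")
    if len(set(methods.values())) > 1:
        findings.append("mixed methods: " + ", ".join(sorted(set(methods.values()))))
    if remote and PRIV_MODE not in lines:
        findings.append("privilege-mode not enabled")
    return methods, findings

# Constructed sample: a TACACS+ setup with the rest-uri authorization
# command forgotten and privilege-mode explicitly negated.
SAMPLE = """\
(config)# aaa authentication rest login tacacs
(config)# aaa authentication rest enable tacacs
no aaa authentication login privilege-mode
(config)# aaa accounting exec start-stop tacacs
(config)# aaa accounting system start-stop tacacs
(config)# aaa accounting rest-uri stop-only tacacs
"""
```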