s***@bt.com
2017-05-10 14:43:50 UTC
Hello PF gurus,
I'm testing PF 6.5.0 with an HP E5500 switch. My requirement is to provide wired 802.1X port security across all network switches. So far, I have tested this successfully on an HP test switch. Authentication is done via device certificates on Windows client machines against Windows AD using EAP-TLS. The correct data VLAN is returned for the switch port. I have also successfully tested authentication with user certificates over EAP-TLS and with just user AD accounts but will be using device certificates in the production network.
I have an issue with controlling admin-level access to the switch CLI in SSH sessions. I have set cliAccess=Y in switch.conf but this allows ANY authenticated user with an SSH client to get to the switch login prompt. I need to lock this down for security reasons. I have no users defined locally in PF so I would prefer to restrict access to a few specific domain users (specifically, network support users). I already have an AD security group which contains network support staff users. Is it possible to assign admin-level access based on either an AD group or even by individual users?
Also, when a user logs into the switch they have only basic access so can view the basic switch settings but cannot make any configuration changes or save them. I know that this is down to the access level allowed on the switch but what do I need to configure to return the correct admin-level access to network support staff? I assume I'm going to need to configure a VSA but I haven't found any similar problems in the support forum to point me in the right direction.
Thanks
Steve