Authorization

URI authorization is supported through local, RADIUS and TACACS+ authorization. URI authorization is performed based on the following attributes:
  • URI access method (PUT, POST, DELETE, GET).

  • URI (the URI string along with the JSON attributes).

Considerations

  • If URI authorization is not configured for a local, RADIUS or TACACS+ user but URI authorization is enabled, then execution of any URI is denied. This is the same behavior as command authorization.

  • The URI-Access, URI-String and URI-JSON attributes are mandatory. The default value for the URI Exception is permit. Only one attribute is allowed for URI-Access and URI-String. The URI-JSON can have a single attribute or multiple attributes separated by commas.

  • If the authentication and authorization methods are different for a user, URI authorization is not affected. This is the same behavior as command authorization.

  • The cli_batch URI carries encoded attributes; the URI itself can be denied or allowed in the authorized list of URIs, but the encoded data is not authorized. Aruba recommends permitting this URI only on a need basis.

  • URI authorization is disabled by default, like command authorization, and must be enabled through the aaa authorization command.

  • With the permit option, all the JSON attributes must match for the URI execution to succeed.

  • With the deny option, a match on at least one JSON attribute results in the URI execution being denied.

  • The match is performed only on the JSON attribute names and not on the JSON values.

Local authorization

A group for URI authorization must have the following parameters configured:
  • URI

  • JSON attribute

  • URI access method

  • permit or deny

A group can be created with the above configuration for URI authorization of the REST interface, or the existing local groups can be extended to configure the REST URIs, JSON strings, and URI access methods. A group can have both command and URI authorizations configured. For a user associated with such a group, URI authorization applies to the REST interface and command authorization to the other supported management interfaces.
The following table illustrates an example of local authorization.
Example URI executed:
curl -X PUT http://10.100.106.244/rest/v2/vlans
{"collection_result":{"total_elements_count":1,"filtered_elements_count":1},
"vlan_element":[{"uri":"/vlans/1","vlan_id":1,"name":"DEFAULT_VLAN","status":
"VS_PORT_BASED","type":"VT_STATIC","is_voice_enabled":false,"is_jumbo_enabled":false,
"is_dsnoop_enabled":false,"is_dhcp_server_enabled":false}]}

The match-uri, match-json and uri-access columns in the following table are the parameters of the aaa authorization group command:

match-uri | match-json | uri-access | Exception | Behavior
.* | .* | .* | permit | All URIs will be allowed to execute. The above URI execution will be successful.
v2 | .* | .* | permit | All URI options with v2 will be allowed. URIs with other versions will not be allowed. The above URI execution will be successful.
v2/vlans | is_jumbo_enabled | PUT | permit | The URI with the JSON parameter is_jumbo_enabled will be executed for the PUT method. The above URI execution will not be successful, since not all JSON parameters in the URI being executed match.
.* | is_jumbo_enabled | PUT | permit | An error is returned during configuration.
v2/vlans | .* | .* | permit | The execution of all URIs that belong to v2/vlans will be allowed for all access methods. The execution of the above URI will be successful.
v2 | is_jumbo_enabled | .* | permit | Any URI that belongs to v2 and has is_jumbo_enabled as its JSON attribute will be allowed for execution. If there are any other JSON attributes, the response will be FAIL.
.* | is_jumbo_enabled | .* | permit | An error is returned during configuration.
.* | .* | GET | permit | All URIs with the GET access method will be allowed for execution. The execution of the above URI will fail.
v2/vlans | .* | PUT | permit | All URI options with v2/vlans will be allowed for PUT. The execution of the above URI will be successful.
.* | .* | .* | deny | All URIs will be rejected.
v2 | .* | .* | deny | All URI options with v2 (version v2) will not be allowed for execution. URIs with other versions will be allowed.
v2/vlans | is_jumbo_enabled | PUT | deny | The URI with v2/vlans, the JSON attribute is_jumbo_enabled and the access method PUT will be denied; any other URI execution will be permitted.
.* | is_jumbo_enabled | PUT | deny | An error is returned during configuration.
v2/vlans | .* | .* | deny | The execution of URIs that belong to v2/vlans will not be allowed for any access method.
v2 | is_jumbo_enabled | .* | deny | Any URI that belongs to v2 and has the JSON parameter is_jumbo_enabled will not be allowed.
.* | is_jumbo_enabled | .* | deny | An error is returned during configuration.
.* | .* | GET | deny | All GET URIs will not be allowed. URIs with any other access method will be successful.
v2/vlans | .* | PUT | deny | All URI options with v2/vlans will not be allowed for PUT. Any other URI, or any other access method, will be allowed.
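To make the matching semantics in the table concrete, the following Python model evaluates one (match-uri, match-json, uri-access, exception) rule against a request and reproduces the rows above for the page's PUT /rest/v2/vlans example. It is an added illustration, not Aruba's implementation: it assumes match-uri is applied as a regular-expression search over the request URI, that the JSON body of the example request is the constructed one shown in the code, and that only one rule is in effect (the page does not describe how several rules in one group combine). The rejected ".*" URI plus specific JSON attribute combinations are modelled as a configuration-time error.

```python
import re

# Constructed sample request mirroring the page's example (PUT to
# /rest/v2/vlans). Only the JSON attribute *names* take part in matching.
EXAMPLE_REQUEST = {
    "method": "PUT",
    "uri": "/rest/v2/vlans",
    "json": {"vlan_id": 1, "name": "DEFAULT_VLAN", "is_jumbo_enabled": False},
}

ACCESS_METHODS = {"GET", "POST", "PUT", "DELETE", ".*"}


class RuleError(ValueError):
    """A rule combination the page says is rejected at configuration time."""


def validate_rule(match_uri, match_json, uri_access, exception="permit"):
    """Reject rule tuples the switch refuses; return the tuple otherwise."""
    if uri_access not in ACCESS_METHODS:
        raise RuleError("uri-access must be GET, POST, PUT, DELETE or .*")
    if exception not in ("permit", "deny"):
        raise RuleError("exception must be permit or deny")
    # The table marks every '.*' URI paired with a specific JSON attribute
    # as "Error is returned during configuration".
    if match_uri == ".*" and match_json != ".*":
        raise RuleError("match-json must be .* when match-uri is .*")
    return (match_uri, match_json, uri_access, exception)


def rule_is_valid(*rule):
    """True if validate_rule accepts the rule, False otherwise."""
    try:
        validate_rule(*rule)
    except RuleError:
        return False
    return True


def json_attributes(match_json):
    """Comma-separated match-json list as a set; None stands for '.*'."""
    if match_json == ".*":
        return None
    return {a.strip() for a in match_json.split(",") if a.strip()}


def decide(rule, request):
    """Return 'allow' or 'deny' for one rule applied to one request.

    permit: the URI, the access method and every JSON attribute of the
            request must match, otherwise the request is denied.
    deny:   the URI and method must match and one matching JSON attribute
            is enough to deny; anything else is allowed.
    """
    match_uri, match_json, uri_access, exception = validate_rule(*rule)
    uri_ok = re.search(match_uri, request["uri"]) is not None
    method_ok = uri_access in (".*", request["method"])
    wanted = json_attributes(match_json)
    present = set(request["json"])  # names only; values are ignored
    if wanted is None:
        json_ok = True
    elif exception == "permit":
        json_ok = present <= wanted      # all request attributes must match
    else:
        json_ok = bool(present & wanted)  # one matching attribute suffices
    applies = uri_ok and method_ok and json_ok
    if exception == "permit":
        return "allow" if applies else "deny"
    return "deny" if applies else "allow"


if __name__ == "__main__":
    for rule in [(".*", ".*", ".*", "permit"),
                 ("v2/vlans", "is_jumbo_enabled", "PUT", "permit"),
                 (".*", ".*", "GET", "deny")]:
        print(rule, "->", decide(rule, EXAMPLE_REQUEST))
```

The permit branch uses a subset test because the table says the example PUT fails against a permit rule naming only is_jumbo_enabled: every attribute the request carries has to be covered by the rule. The deny branch uses intersection, which is why the same rule in deny form blocks the request.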

RADIUS

The following RADIUS VSAs are provided to configure the URI, JSON and access methods for URI authorization:
Attribute | Value | Type
HP-URI-String (mandatory) | 80 | String
HP-URI-Json-String (mandatory) | 81 | String
HP-URI-Access (mandatory) | 82 | String
HP-URI-Exception | 83 | Integer
  • The value for HP-URI-Exception is 0 (permit) and 1 (deny). By default, HP-URI-Exception is permit and is optional.

  • The value for HP-URI-Access must be one of "GET", "POST", "PUT", "DELETE" or ".*" only (".*" refers to all access methods).

  • If HP-URI-String is configured with ".*", HP-URI-Json-String must be configured with ".*" only.

  • The attributes HP-URI-String, HP-URI-Access, and HP-URI-Exception must be configured with a single value; HP-URI-Json-String can be configured with a single value or multiple values separated by commas.

  • If any of the mandatory VSAs are not configured or if the HP-URI-Json-String is not the last attribute, authentication fails.

  • Both command and REST URI authorization parameters can be configured for a user in the RADIUS users file.

A sample RADIUS user file entry (the HP-URI-Json-String attribute closes each rule, so it is listed last in each group):
user Cleartext-Password := "user123"
    Service-Type = Administrative-User,
    Reply-Message = "Hello",
    HP-URI-String = ".*",
    HP-URI-Access = "PUT",
    HP-URI-Exception = 1,
    HP-URI-Json-String = ".*",
    HP-URI-String += ".*",
    HP-URI-Access += "GET",
    HP-URI-Json-String += ".*"
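The ordering and value constraints listed above are easy to get wrong by hand, so the following Python helper builds a users file entry from rule descriptions and enforces them: single-valued HP-URI-String and HP-URI-Access, HP-URI-Exception emitted as 0/1 (and omitted when it is the default permit), HP-URI-Json-String emitted last so it terminates the rule, and "+=" for every repeated attribute. This is an added example and not Aruba's or FreeRADIUS's code; the rule dictionaries, the SAMPLE_RULES list and the extra reply items are constructed here to reproduce the page's sample entry.

```python
MANDATORY_VSAS = ("HP-URI-String", "HP-URI-Access", "HP-URI-Json-String")
EXCEPTION_CODE = {"permit": 0, "deny": 1}   # HP-URI-Exception integer values
ACCESS_METHODS = {"GET", "POST", "PUT", "DELETE", ".*"}


def uri_reply_items(rules):
    """Turn rule dicts into ordered (attribute, value) reply items.

    Each rule yields a single-valued HP-URI-String and HP-URI-Access, an
    HP-URI-Exception only when it is 'deny' (permit is the default), and
    HP-URI-Json-String last, because that attribute terminates a rule.
    """
    items = []
    for rule in rules:
        uri, attrs, access = rule["uri"], rule["json"], rule["access"]
        exception = rule.get("exception", "permit")
        if access not in ACCESS_METHODS:
            raise ValueError("HP-URI-Access must be GET, POST, PUT, DELETE or .*")
        if exception not in EXCEPTION_CODE:
            raise ValueError("exception must be permit or deny")
        # A '.*' URI string may only be paired with a '.*' JSON string.
        if uri == ".*" and attrs != [".*"]:
            raise ValueError("HP-URI-Json-String must be .* when HP-URI-String is .*")
        items.append(("HP-URI-String", f'"{uri}"'))
        items.append(("HP-URI-Access", f'"{access}"'))
        if exception == "deny":
            items.append(("HP-URI-Exception", str(EXCEPTION_CODE[exception])))
        items.append(("HP-URI-Json-String", '"' + ",".join(attrs) + '"'))
    return items


def render_users_entry(username, password, rules, extra=()):
    """Render a FreeRADIUS-style users file entry as a string.

    The first occurrence of an attribute uses '=', later ones '+=' so that
    several rules can be returned for one user, as in the page's sample.
    """
    reply = list(extra) + uri_reply_items(rules)
    if not reply:
        raise ValueError("no reply items")
    lines = [f'{username} Cleartext-Password := "{password}"']
    seen = set()
    for index, (attr, value) in enumerate(reply):
        op = "+=" if attr in seen else "="
        seen.add(attr)
        sep = "," if index < len(reply) - 1 else ""   # no comma on the last item
        lines.append(f"    {attr} {op} {value}{sep}")
    return "\n".join(lines)


# Constructed to reproduce the two rules in the page's sample entry.
SAMPLE_RULES = [
    {"uri": ".*", "json": [".*"], "access": "PUT", "exception": "deny"},
    {"uri": ".*", "json": [".*"], "access": "GET"},
]
SAMPLE_EXTRA = [("Service-Type", "Administrative-User"),
                ("Reply-Message", '"Hello"')]

if __name__ == "__main__":
    print(render_users_entry("user", "user123", SAMPLE_RULES, extra=SAMPLE_EXTRA))
```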

TACACS+

TACACS+ authorization is performed by configuring the rules for URI authorization in the configuration file on the TACACS+ server. A sample is shown below (each deny or permit rule is a single string of URI, JSON attributes and access method):
group = admin {
    default service = permit
    service = shell {
        priv-lvl = 15
    }
    deny "/rest/v3/vlans vlan_id name POST"
    permit .*
}
user = user1 {
    member = admin
    login = cleartext testing
    service = exec {
        priv-lvl = 15
    }
}


NOTE:

All the attributes must match to permit or deny.