Setting up AAA for REST
The following sections list the procedures to set up AAA for REST with Local, RADIUS, and TACACS+. For command details, see CLI Commands.
RADIUS
The RADIUS server must be configured and the configuration file must be available on the RADIUS server.
- Authentication - Configure Operator and Manager with primary authentication method as RADIUS and backup method as Local. The commands are:
(config)# aaa authentication rest login radius
(config)# aaa authentication rest enable radius
- Authorization - Configure the HP-URI-Exception, HP-URI-Json-String, HP-URI-Access in the RADIUS configuration file. Use the following command to configure URI authorization on the switch:
(config)# aaa authorization rest-uri radius
- Accounting - Enable the URI, exec and system accounting on RADIUS for REST interface using the aaa accounting command. For example:
(config)# aaa accounting exec start-stop radius
(config)# aaa accounting system start-stop radius
(config)# aaa accounting rest-uri stop-only radius
TACACS+
Authentication
Configure Operator and Manager with primary authentication method as TACACS and backup method as Local. The commands are:
(config)# aaa authentication rest login tacacs
(config)# aaa authentication rest enable tacacs
- Authorization
Configure the rules for authorization in the TACACS configuration file.
- Enable TACACS authorization using the following command:
(config)# aaa authorization rest-uri tacacs
Accounting
Enable the URI, exec and system accounting on TACACS+ server for REST interface using the aaa accounting command with appropriate options. For example:
(config)# aaa accounting exec start-stop tacacs
(config)# aaa accounting system start-stop tacacs
(config)# aaa accounting rest-uri stop-only tacacs
Local
Authentication
Configure Operator and Manager with primary authentication method as Local. The commands are:
(config)# aaa authentication rest login local
(config)# aaa authentication rest enable local
Authorization
The following example illustrates the configuration that authorizes admin1 to execute authentication GET URIs:
- Enable Local authorization:
(config)# aaa authorization rest-uri local
- Create a group, group1 with the following parameters and command:
URI: v6/aaa
Json attribute: authentication
URI Access: GET
Exception: permit
(config)# aaa authorization group group1 uri-seq 23 match-uri v6/aaa match-json authentication uri-access get permit
- Create Local user and associate the user with the group.
(config)# aaa authentication local-user admin1 group group1 password plaintext
New password for user1: *********
Please retype new password for user1: *********
With the execution of the above two commands, admin1 is part of group1, which has authorization set to execute authentication GET URIs.
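
A saved configuration can be checked against the three procedures above to confirm that authentication, authorization and accounting for REST were all set. The following script is an added example, not vendor code: audit_rest_aaa and the sample excerpt are constructed for illustration, the command strings are the ones listed on this page, and the "one method for every step" check is an audit policy assumed here.

```python
import re

# Command prefixes taken from this page; the word that follows is the primary method.
PATTERNS = {
    "authentication rest login": r"aaa authentication rest login (\S+)",
    "authentication rest enable": r"aaa authentication rest enable (\S+)",
    "authorization rest-uri": r"aaa authorization rest-uri (\S+)",
    "accounting exec": r"aaa accounting exec start-stop (\S+)",
    "accounting system": r"aaa accounting system start-stop (\S+)",
    "accounting rest-uri": r"aaa accounting rest-uri stop-only (\S+)",
}

def audit_rest_aaa(config_text):
    """Return (methods, findings) for a saved configuration excerpt."""
    lines = [re.sub(r"^\(config\)#\s*", "", ln.strip()) for ln in config_text.splitlines()]
    methods = {}
    for name, pattern in PATTERNS.items():
        for ln in lines:
            m = re.match(pattern, ln)
            if m:
                methods[name] = m.group(1)  # assumption: a later line overrides an earlier one
    local = methods.get("authorization rest-uri") == "local"
    findings = []
    for name in PATTERNS:
        # The page lists no accounting step for Local, so those are not required there
        if name not in methods and not (local and name.startswith("accounting")):
            findings.append("missing: aaa " + name)
    # Audit policy assumed here, not stated on the page: one method for every step
    if len(set(methods.values())) > 1:
        findings.append("mixed methods: " + ", ".join(sorted(set(methods.values()))))
    if local:
        # Every local user's group should have at least one URI rule defined
        groups = {m.group(1) for ln in lines
                  if (m := re.match(r"aaa authorization group (\S+) uri-seq \d+ ", ln))}
        for ln in lines:
            m = re.match(r"aaa authentication local-user (\S+) group (\S+)", ln)
            if m and m.group(2) not in groups:
                findings.append(f"user {m.group(1)} is in group {m.group(2)}, which has no URI rule")
    return methods, findings

# Constructed sample: RADIUS login, but authorization and rest-uri accounting were forgotten
SAMPLE = """\
(config)# aaa authentication rest login radius
(config)# aaa authentication rest enable radius
(config)# aaa accounting exec start-stop radius
(config)# aaa accounting system start-stop radius
"""

if __name__ == "__main__":
    for finding in audit_rest_aaa(SAMPLE)[1]:
        print(finding)
```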