SOLVED
lagp
Occasional Advisor

Unable to get RADIUS to work with HP Procurve Switch 2848

I am trying to establish RADIUS authentication / authorization for an HP Procurve Switch 2848 running firmware I.10.101.  I have the following commands enabled on the switch for RADIUS

 

aaa authentication login privilege-mode
aaa authentication ssh login radius local
aaa accounting exec start-stop radius
aaa accounting system start-stop radius
radius-server host 172.20.1.28 key <key-string>

 

I am running RADIUS on a Microsoft Server 2008 R2 Standard Network Policy and Access Services.

 

I have a client created for the switch and a network policy with the following attributes

 

Conditions - If the following conditions are met:

 

Windows Groups: Our Domain\FW Administration

Authentication Type: PAP

Client Friendly Name: Switch-Name

Client IPv4 Address: Switch-Management-Address

 

Settings - Then the following settings are applied:

Extended State  <Blank>

Access Permission Grant Access

Authentication Method Unencrypted authentication [PAP, SPAP] OR Encrypted authentication (CHAP) OR MS-CHAP v1 OR MS-CHAP v1 (User can change password after it has expired) OR MS-CHAP v2 (User can change password after it has expired)

NAP Enforcement Allow full network access

Update Noncompliant Clients False

Framed-Protocol PPP

Service-Type Administrative

BAP Percentage of Capacity Reduce Multilink if server reaches 50% for 2 minutes

NAS Port Type Virtual (VPN)

 

Each time I attempt to log onto the device, I receive the following response on the switch

 

auth: Invalid user name/password on SSH session

 

On the RADIUS Server, I receive the following error:

 

Event ID: 6273

The user's authentication attempts have exceeded the maximum allowed number of failed attempts specified by the account lockout threshold setting in Account Lockout Policy in Group Policy. To unlock the account, edit the user account properties.

 

The username and password I am using are correct.  I am using this same configuration on other HP Procurve Switches: 2910 and 5412zl with no problems.  I suspect the problem is with the VSA "Administrative" that I am passing back to the switch.

 

There seems to be limited debugging capabilities on the 2800 series switches.

 

Thanks in advance.

8 REPLIES
lagp
Occasional Advisor

Re: Unable to get RADIUS to work with HP Procurve Switch 2848

I realized I copied the event when my account becomes locked out.  The event I was referring to reports the username and password do not match.  The issue is not a fat finger of login credentials.  I wish it was this easy.

Matcol
Frequent Advisor

Re: Unable to get RADIUS to work with HP Procurve Switch 2848

Maybe try simplifying things by trying to get it working with telnet first.

 

This eliminates one factor for the purpose of troubleshooting.

 

Also, I don't use your

aaa authentication login privilege-mode

but, I do use
aaa authentication telnet login radius local
aaa authentication telnet enable radius local

 

Apart from that, my

radius-server host nnn....

(I have more than one)

is on a separate line to my

radius-server key blah

But I don't see what difference that would make.

lagp
Occasional Advisor

Re: Unable to get RADIUS to work with HP Procurve Switch 2848

Sure I can try allowing telnet; for troubleshooting purposes it aids because I can login via SSH using the local credentials and test using Telnet.  From the documentation on RADIUS, I suspect you set a Global Key versus a host key which I am using.  I don't think it will matter either way.  I have already tried a couple times ensuring the key matched and one of the tests I performed I deliberately typed the key incorrect and the RADIUS server logged a key mismatched occurred so I rule out a key issue.  I continue to read blogs and I believe the firmware may be the problem.  I may try to roll the switch back to the oldest version posted on HP's site and see if the problem follows.  I am currently waiting on the firewall administrator to add telnet to my list of protocols allowed through the ISA Firewall.  Currently we have SSH, radius, ping, snmp allowed.

 

More to follow.

lagp
Occasional Advisor

Re: Unable to get RADIUS to work with HP Procurve Switch 2848

Once Telnet was established through the Firewall; no change in the outcome.  I didn't see in your first post regarding the login privilege command, so I removed it leaving only the aaa authentication telnet login and aaa authentication telnet enable commands - no change.  I find the HP 2848 has limited debug capabilities; and the documentation I've found online doesn't really provide much help.  I have put in a quote to replace the HP 2848 switches we have with Procurve 2530's which support RADIUS in the manner I have it configured.  Another shortfall I've found with the 2848 is the switch doesn't support authenticated NTP; the 2530 will.  I am new to HP switches; I have years of experience with Cisco.  Unfortunately for us, we do not have software maintenance for the HP 2848 switch.  I guess I will live with the local login capability until we get the new switches.

Peter_Debruyne
Honored Contributor

Re: Unable to get RADIUS to work with HP Procurve Switch 2848

Hi there,

 

Keep in mind that the windows server by default does not support the clear text password protocols (like chap/pap). Although it is supported as an option in the radius server, the NPS will use the back-end windows user db for the login validation (there are no direct users defined inside NPS).

It is this backend Windows user db which does not allow the clear text auth.

 

In case of an AD, you should open the user account - properties - account. Look for the option "store password with reversible encryption" and enable it.

This will allow the AD to store both the "one-way" password (default of windows) and the password which can be decrypted for the purpose of pap and chap protocols.

Remember that enabling this option alone is not enough. It means that any FUTURE password change will be saved in both password formats, so you MUST change the user password again after applying this change, even when you change it to the same password.

 

I am not sure for the 2848, but the K series (5400/3500 etc) can be configured to use a fake EAP-PEAP-MSCHAPv2 session to the radius to submit the admin credentials.

Just configure the radius like you would for an 802.1x auth (with cert etc) instead of the PAP, and enable this option on the switch.

 

I just posted an NPS config doc in this post:

http://h30499.www3.hp.com/t5/IMC/Help-in-local-user-and-iMC/td-p/6006581

which also explains the steps for EAP assisted management logins on the procurve K series switches.

 

Hope this helps,

Best regards, Peter

John Gelten
Regular Advisor

Re: Unable to get RADIUS to work with HP Procurve Switch 2848

'Unfortunately for us, we do not have software maintenance for the HP 2848 switch.'

 

Software is available without support-contract at :

https://h10145.www1.hp.com/downloads/SoftwareReleases.aspx?ProductNumber=J4904A

But that doesn't help, because your I.10.101 is already the most recent version.

 

lagp
Occasional Advisor
Solution

Re: Unable to get RADIUS to work with HP Procurve Switch 2848

I made the necessary changes to my account as suggested and no change in problem; unable to login.  We are going to proceed with replacing the HP 2800 series switches on our network.

 

Thanks for the inputs.

ceetoit
New Member

Re: Unable to get RADIUS to work with HP Procurve Switch 2848

cheers