HP Procurve NPS RADIUS authentication issue

 
sphar1970
Contributor

HP Procurve NPS RADIUS authentication issue

Hi All,

 

I would like to log in to our ProCurve switches using AD credentials and bypass the operator level and jump straight to the enable/manager level (SSO, single sign-on).

 

I've configured a ProCurve J4899A switch (H.10.74) for RADIUS authentication to an NPS server:

Added the ProCurve switch IP / shared secret to the NPS as a RADIUS client

"Access-Request messages must contain the Message-Authenticator attribute" (ticked)

 

I've run the NPS wizard and it created a connection request policy and a network policy:

 

Connection request policy (NAS Port Type=Ethernet)

Network Policy (NAS Port type = ethernet, windows group = <group>)

Constraints: Authentication Methods: Microsoft: secured password, EAP-MSCHAP v2, MS-CHAP (ticked), PAP, SPAP (ticked)

 

The switch is configured with aaa authentication as below:

aaa authentication login privilege-mode

aaa authentication telnet enable radius local

radius-server host w.x.y.z key xyz

 

When I telnet to the switch and enter my username/password, the switch returns:

User authentication failure

 

The "Hardening Procurve switch" whitepaper mentions:

 

To supply a privilege level via RADIUS, specify the “Service-Type” attribute in the user’s credentials.
Service-Type = 6 allows manager-level access
Service-Type = 7 allows operator-level access
A user with Service-Type not equal to 6 or 7 is denied access
A user with no Service-Type attribute supplied is denied access when privilege mode is enabled

 

In the NPS Policy settings, there is a "Service Type" condition but which one specifies the above?

 

I've chosen "Administrative" but it still didn't work.

 

Thanks.
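The Service-Type rules quoted above from the whitepaper, worked through as an added example that is not part of the original post, the whitepaper or any HP/NPS code: a Python script that builds the kind of PAP Access-Request the switch sends (including the Message-Authenticator attribute that the NPS client setting requires), builds an Access-Accept, verifies both the Message-Authenticator (HMAC-MD5) and the Response Authenticator, and maps the returned Service-Type to the privilege level the whitepaper describes. The shared secret, identifier, username and password are constructed values. The mapping to the NPS dropdown is an assumption from RFC 2865's value registry: NPS "Administrative" is Service-Type 6 (manager) and "NAS Prompt" is Service-Type 7 (operator); "Login" is 1, which the switch rejects.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_PROTOCOL = 7
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80

# Service-Type values (RFC 2865); the switch maps 6 -> manager, 7 -> operator
SERVICE_TYPE_LOGIN = 1            # NPS "Login": denied by the switch
SERVICE_TYPE_ADMINISTRATIVE = 6   # NPS "Administrative": manager
SERVICE_TYPE_NAS_PROMPT = 7       # NPS "NAS Prompt": operator
FRAMED_PROTOCOL_PPP = 1           # NPS "Framed-Protocol = PPP"
NAS_PORT_TYPE_ETHERNET = 15


def u32(n):
    """Encode a RADIUS integer attribute value (4 bytes, network order)."""
    return struct.pack("!I", n)


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as Type/Length/Value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLV attributes; reject truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def pap_encrypt(password, secret, request_auth):
    """User-Password hiding per RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], digest))
        out, prev = out + block, block
    return out


def build_access_request(secret, ident, username, password, request_auth):
    """Build a PAP Access-Request whose last attribute is a valid Message-Authenticator."""
    attrs = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, pap_encrypt(password, secret, request_auth)),
        (ATTR_NAS_PORT_TYPE, u32(NAS_PORT_TYPE_ETHERNET)),
        (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # zeroed while the HMAC is computed
    ]
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # RFC 2869 5.14
    return pkt[:-16] + mac  # the attribute is last, so its value is the final 16 bytes


def verify_message_authenticator(secret, pkt):
    """Recompute HMAC-MD5 with the attribute value zeroed; False if absent or wrong."""
    i = 20
    while i + 2 <= len(pkt):
        t, l = struct.unpack("!BB", pkt[i:i + 2])
        if l < 2:
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += l
    return False  # NPS discards requests without it when "must contain" is ticked


def build_access_accept(secret, ident, request_auth, attrs):
    """Build an Access-Accept with a Response Authenticator (RFC 2865 3)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_response(secret, request_auth, pkt):
    """Check the Response Authenticator against the request's authenticator and the secret."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def privilege_level(pkt, privilege_mode=True):
    """Apply the whitepaper's rules: 6 -> manager, 7 -> operator, anything else -> denied.
    Without 'aaa authentication login privilege-mode' a missing Service-Type yields operator."""
    if pkt[0] != ACCESS_ACCEPT:
        return "denied"
    types = [struct.unpack("!I", v)[0] for t, v in decode_attrs(pkt[20:])
             if t == ATTR_SERVICE_TYPE and len(v) == 4]
    if not types:
        return "denied" if privilege_mode else "operator"
    return {SERVICE_TYPE_ADMINISTRATIVE: "manager", SERVICE_TYPE_NAS_PROMPT: "operator"}.get(types[0], "denied")


def demo():
    """Constructed exchange: secret 'xyz' mirrors the placeholder key in the switch config above."""
    secret, request_auth = b"xyz", os.urandom(16)
    req = build_access_request(secret, 7, "alice", "p@ss", request_auth)
    ok_req = verify_message_authenticator(secret, req)
    accept = build_access_accept(secret, 7, request_auth, [
        (ATTR_SERVICE_TYPE, u32(SERVICE_TYPE_ADMINISTRATIVE)),
        (ATTR_FRAMED_PROTOCOL, u32(FRAMED_PROTOCOL_PPP)),
    ])
    return ok_req and verify_response(secret, request_auth, accept), privilege_level(accept)


if __name__ == "__main__":
    print(demo())  # (True, 'manager')
```

Running `demo()` returns `(True, 'manager')`; swapping the Service-Type for `SERVICE_TYPE_LOGIN` (NPS "Login") makes `privilege_level` return `"denied"`, and omitting the attribute returns `"denied"` only while `privilege_mode` is True, which matches the behaviour several replies below describe when the privilege-mode command is removed.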

Jeff Carrell
Honored Contributor

Re: HP Procurve NPS RADIUS authentication issue

You are very close I would say....

 

I am attaching 3 screen shots, 1 for the connection policy and 2 for the network policy. These configs are on W2K8 (not R2, but may be the same if you are using R2).

 

These configurations work for 3500yl and probably all other ProVision switches, and possibly other ProCurve (non-ProVision code) switches as well.

 

This config supports the "login privilege-mode" function.

 

 

hth...Jeff

 

 

sphar1970
Contributor

Re: HP Procurve NPS RADIUS authentication issue

All working! Thanks Jeff.

 

Meitzi
New Member

Re: HP Procurve NPS RADIUS authentication issue

Your screenshot helped me too. We were missing "Framed-Protocol=PPP". An HP ProCurve 2910 with firmware W_14_70 was working, but after W_15_08_0012 it was not, and we needed to add that one line to RADIUS to fix it. That line was not in any document that I read (and I read many).
mdshhp
New Member

Re: HP Procurve NPS RADIUS authentication issue

Hi sphar1970/Jeff,

 

I need your help to set up a RADIUS server for switch and wireless controller access. If you have any document or screenshot of the whole configuration, it may help me implement this on an HP 8406 switch and a Windows Server 2008 RADIUS server.

 

Thanks

Mohammed

JohnLockie
Occasional Advisor

Re: HP Procurve NPS RADIUS authentication issue

I have this working without using a Connection Request Policy.

 

I am curious what the need is for the Connection Request Policy.  I only have a single policy (screenshot attached), and it seems to be working fine.  Basically, I am able to log in to the HP devices using specific domain credentials.

 

I use the Network Policy to grant/deny access based on conditions (AD group membership).  This is working great.  In the Network Policy I have Service-Type set to Administrative.  This supports aaa authentication login privilege-mode.  This is also very important for webui access, btw.

 

It seems the Connection Request Policy is used to redirect certain authentication requests to other AAA systems?  And if you are doing that, then you have to configure it properly.....

 

I will search around a bit for explanations, but figured I'd post here in case someone can explain it to me :)

ceetoit
New Member

Re: HP Procurve NPS RADIUS authentication issue

This was working perfectly for a year or so. I am not sure what happened, but our 2910al switches can't authenticate anymore. Our 5400zl switches are fine. I'm getting an error code "16" in the logs - user credential mismatch.


@Jeff Carrell wrote:

You are very close I would say....

 

I am attaching 3 screen shots, 1 for the connection policy and 2 for the network policy. These configs are on W2K8 (not R2, but may be the same if you are using R2).

 

These configurations work for 3500yl and probably all other ProVision switches, and possibly other ProCurve (non-ProVision code) switches as well.

 

This config supports the "login privilege-mode" function.
metnet
Visitor

Re: HP Procurve NPS RADIUS authentication issue

Hi all,

I'm in the same situation... tried all the commands possible...

With "aaa authentication login privilege-mode" I can't log in, but if I remove this command I'm able to log in with operator privileges.

 

How can I fix this on NPS?

 

Thanks,

Fabio

SiskinMike
New Member

Re: HP Procurve NPS RADIUS authentication issue

I am having the same issue with a 5412R and the latest 16.01.0006 firmware. I don't mind logging in twice on an SSH session to get to manager mode; however, some of our helpdesk guys need the web UI. It appears there is no way to get manager access on the GUI without using this command.

no aaa authentication login privilege-mode - and RADIUS works fine

With aaa authentication login privilege-mode enabled it will not log in.

The RADIUS server is Windows Server 2012 R2.

I've tried various authentication methods. Framed-Protocol is set to PPP and Service-Type is set to Administrative.

EricAtHP
Esteemed Contributor

Re: HP Procurve NPS RADIUS authentication issue

Hi Mike,

I don't have a 5400R but I tested on a 3800 with KA.16.01.0006 and it is working for me. I have attached a screenshot of my NPS Network Policy. You might also check the RADIUS logs to verify it is using the policy you think it is. Go to Event Viewer - Custom Views - Server Roles - Network Policy and Access Services.

My switch config is very simple. The interesting parts are:

radius-server host <IPADDR> key "RADIUSKEY"
aaa authentication login privilege-mode
aaa authentication ssh login radius
aaa authentication ssh enable radius

If this doesn't help, can you share your switch config and your NPS config?

As one last test: I have seen an issue twice now where an upgrade to 16.01 caused some weird corruption in the config, and when we copied the config off to a TFTP server and then back again, everything started working.