HPE Community
BladeSystem - General
1752291 Members
5119 Online
108786 Solutions
New Discussion юеВ

Re: GbE2c and RADIUS Management Auth failing

 
mrwallis2
New Member

тАО08-03-2009 05:52 AM

тАО08-03-2009 05:52 AM

GbE2c and RADIUS Management Auth failing

Hi,

I am struggling to get a HP cClass GbE2c blade switch using RADIUS to authenticate administrators. I have a Windows 2003 IAS setup for RADIUS.

I have configured the switch and can see it talking to the server, plus the credentials are successfully authenticated and a reply sent back. However the user is disconnected from SSH immediately after this or the web interface just prompts for credentials again.

I guess I am missing a "Service-Type" or other attribute that the switch wants to see in the reply but can find no inforamtion on what the RADIUS attributes should be in the profile.

I have tried the standard "Service-Type" attribute as the value "Administrative" but it does not work.

Can anbody help?
0 Kudos
Reply
7 REPLIES 7
HEM_2
Honored Contributor

тАО08-03-2009 06:56 AM

тАО08-03-2009 06:56 AM

Re: GbE2c and RADIUS Management Auth failing

try this:

In IAS, you need to add a Service type:
Service-Type | Value | Client Access Level
--------------------------------------------
Administrative | 6 | Manager
NAS-Prompt | 7 | Operator

0 Kudos
Reply
mrwallis2
New Member

тАО08-03-2009 07:18 AM

тАО08-03-2009 07:18 AM

Re: GbE2c and RADIUS Management Auth failing

Thanks for the quick reply HEM, could you tell me how I can add this? I cannot see an option to create a new value for the "service-type" attribute in the IAS console. I thought these were defined by a couple of RFC's and so not changeable.

Are there vendor specific values required for these switches? I don't know what values I would enter though.

M
0 Kudos
Reply
Pieter 't Hart
Honored Contributor

тАО08-05-2009 01:18 AM

тАО08-05-2009 01:18 AM

Re: GbE2c and RADIUS Management Auth failing

>>>
can see it talking to the server, plus the credentials are successfully authenticated and a reply sent back
<<<

double-check the "shared secret" configured between GbE2c and the IAS.
if different, this logs only a few times at first connection between radius client and IAS in the windows eventlog.

all other are logged "authenticated" because packets from radius client are succesfully sent to IAS and authenticated at the user-database (AD), but the response from the IAS to the radius-client (the switch) cannot be "decoded" because of mismatched shared secret.
(may be seen by on cisco using
"debug aaa authentication" + "debug radius authentication" don't know exact syntax on procurve)
0 Kudos
Reply
Adrian Clint
Honored Contributor

тАО08-05-2009 07:18 AM

тАО08-05-2009 07:18 AM

Re: GbE2c and RADIUS Management Auth failing

Try calling/emailing Errol or Igor at Bnt
Details on here
http://www.bladeconnect.com/
0 Kudos
Reply
Ruslan R. Laishev
Super Advisor

тАО08-06-2009 02:14 AM

тАО08-06-2009 02:14 AM

Re: GbE2c and RADIUS Management Auth failing


I guess I am missing a "Service-Type" or other attribute that the switch wants to see in the reply but can find no inforamtion on what the RADIUS attributes should be in the profile.


Psosible values for the Service-Type AVP:

! Service Types

VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type Callback-Login-User 3
VALUE Service-Type Callback-Framed-User 4
VALUE Service-Type Outbound-User 5
VALUE Service-Type Administrative-User 6
VALUE Service-Type NAS-Prompt-User 7
VALUE Service-Type Authenticate-Only 8
VALUE Service-Type Callback-NAS-Prompt 9
VALUE Service-Type Call-Check 10
VALUE Service-Type Callback-Administrative 11
0 Kudos
Reply
Pieter 't Hart
Honored Contributor

тАО08-06-2009 02:59 AM

тАО08-06-2009 02:59 AM

Re: GbE2c and RADIUS Management Auth failing

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00291272/c00291272.pdf

mentions attributes on page-20

Pieter
0 Kudos
Reply
Pieter 't Hart
Honored Contributor

тАО08-07-2009 06:14 AM

тАО08-07-2009 06:14 AM

Re: GbE2c and RADIUS Management Auth failing

maybe trivial, but did you enable ssh?

from the GbE2c Application Guide :
>> # /cfg/sys/sshd/on
>> # /cfg/sys/sshd/ena (Enable SCP apply and save)
SSHD# apply (Apply the changes to start generating RSA host and server keys)
NOTE: Secure Shell can be configured using the console port only. SSH menus do not display if you access the GbE2 Interconnect Switch using Telnet or the Browser-Based Interface.

When the SSH server is first enabled and applied, the GbE2 Interconnect Switch automatically generates the RSA host and server keys and is stored in the flash memory.

To configure RSA host and server keys, first connect to the GbE2 Interconnect Switch console connection (commands are not available via Telnet connection), and enter the following commands to generate them manually:
>> # /cfg/sys/sshd/hkeygen (Generates the host key)
>> # /cfg/sys/sshd/skeygen (Generates the server key)
These two commands take effect immediately without the need of an apply command.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.