
GbE2c and RADIUS Management Auth failing

 
mrwallis2
Occasional Visitor

GbE2c and RADIUS Management Auth failing

Hi,

I am struggling to get an HP cClass GbE2c blade switch using RADIUS to authenticate administrators. I have a Windows 2003 IAS setup for RADIUS.

I have configured the switch and can see it talking to the server, plus the credentials are successfully authenticated and a reply sent back. However the user is disconnected from SSH immediately after this or the web interface just prompts for credentials again.

I guess I am missing a "Service-Type" or other attribute that the switch wants to see in the reply but can find no information on what the RADIUS attributes should be in the profile.

I have tried the standard "Service-Type" attribute as the value "Administrative" but it does not work.

Can anybody help?
7 REPLIES
HEM_2
Honored Contributor

Re: GbE2c and RADIUS Management Auth failing

try this:

In IAS, you need to add a Service type:
Service-Type | Value | Client Access Level
--------------------------------------------
Administrative | 6 | Manager
NAS-Prompt | 7 | Operator

mrwallis2
Occasional Visitor

Re: GbE2c and RADIUS Management Auth failing

Thanks for the quick reply HEM, could you tell me how I can add this? I cannot see an option to create a new value for the "service-type" attribute in the IAS console. I thought these were defined by a couple of RFCs and so not changeable.

Are there vendor specific values required for these switches? I don't know what values I would enter though.

M
Pieter 't Hart
Honored Contributor

Re: GbE2c and RADIUS Management Auth failing

>>>
can see it talking to the server, plus the credentials are successfully authenticated and a reply sent back
<<<

double-check the "shared secret" configured between GbE2c and the IAS.
if different, this logs only a few times at first connection between radius client and IAS in the windows eventlog.

all others are logged "authenticated" because packets from radius client are successfully sent to IAS and authenticated at the user-database (AD), but the response from the IAS to the radius-client (the switch) cannot be "decoded" because of mismatched shared secret.
(may be seen on cisco using
"debug aaa authentication" + "debug radius authentication", don't know exact syntax on procurve)
Adrian Clint
Honored Contributor

Re: GbE2c and RADIUS Management Auth failing

Try calling/emailing Errol or Igor at Bnt
Details on here
http://www.bladeconnect.com/
Ruslan R. Laishev
Super Advisor

Re: GbE2c and RADIUS Management Auth failing


I guess I am missing a "Service-Type" or other attribute that the switch wants to see in the reply but can find no information on what the RADIUS attributes should be in the profile.


Possible values for the Service-Type AVP:

! Service Types

VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type Callback-Login-User 3
VALUE Service-Type Callback-Framed-User 4
VALUE Service-Type Outbound-User 5
VALUE Service-Type Administrative-User 6
VALUE Service-Type NAS-Prompt-User 7
VALUE Service-Type Authenticate-Only 8
VALUE Service-Type Callback-NAS-Prompt 9
VALUE Service-Type Call-Check 10
VALUE Service-Type Callback-Administrative 11
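
Added example, not part of the original thread and not HP or Microsoft code: RFC 2865 has a RADIUS client verify each reply's Response Authenticator (an MD5 over the reply and the shared secret) before it trusts any attribute, so this sketch shows both checks discussed above, the shared secret and the Service-Type value. The packet, the secrets and the request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                 # RADIUS packet code (RFC 2865)
SERVICE_TYPE = 6                  # attribute type number of Service-Type
NAMES = {6: "Administrative-User", 7: "NAS-Prompt-User"}
REQ_AUTH = bytes(range(16))       # constructed Request Authenticator


def build_access_accept(ident, request_auth, service_type, secret):
    """Server side: Access-Accept carrying one Service-Type attribute."""
    attrs = struct.pack("!BBI", SERVICE_TYPE, 6, service_type)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def check_reply(packet, request_auth, secret):
    """Client side: verify the reply, then return the Service-Type name."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None               # secret mismatch: reply is discarded
    pos = 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            return None           # malformed attribute list
        if a_type == SERVICE_TYPE and a_len == 6:
            value = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            return NAMES.get(value, str(value))
        pos += a_len
    return "no Service-Type"


if __name__ == "__main__":
    pkt = build_access_accept(1, REQ_AUTH, 6, b"constructed-secret")
    print(check_reply(pkt, REQ_AUTH, b"constructed-secret"))
    print(check_reply(pkt, REQ_AUTH, b"different-secret"))
```
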
Pieter 't Hart
Honored Contributor

Re: GbE2c and RADIUS Management Auth failing

maybe trivial, but did you enable ssh?

from the GbE2c Application Guide :
>> # /cfg/sys/sshd/on
>> # /cfg/sys/sshd/ena (Enable SCP apply and save)
SSHD# apply (Apply the changes to start generating RSA host and server keys)
NOTE: Secure Shell can be configured using the console port only. SSH menus do not display if you access the GbE2 Interconnect Switch using Telnet or the Browser-Based Interface.

When the SSH server is first enabled and applied, the GbE2 Interconnect Switch automatically generates the RSA host and server keys and is stored in the flash memory.

To configure RSA host and server keys, first connect to the GbE2 Interconnect Switch console connection (commands are not available via Telnet connection), and enter the following commands to generate them manually:
>> # /cfg/sys/sshd/hkeygen (Generates the host key)
>> # /cfg/sys/sshd/skeygen (Generates the server key)
These two commands take effect immediately without the need of an apply command.