5700 FlexFabric Radius Configuration
07-26-2016 07:00 PM
Hi All,
I am new to HP devices but have been thrown in the deep end with a new role that has mainly HP equipment installed.
I am looking to set up Radius authentication for the 5700 FlexFabric running Software Version 7.1.045. My radius server is Windows NPS.
I have attached some snapshots of my radius configuration. Note for the Network Policy Vendor Attribute I have tried the following:
- shell:allowed-roles="level-15"
- shell:allowed-roles="network-admin"
- shell:roles="level-15"
- shell:roles="network-admin"
- alowed-roles="level-15"
- allowed-roles="network-admin"
- roles="level-15"
- roles="network-admin"
Configuration Snapshot:
#
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0 1
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-operator
#
radius scheme radius
 primary authentication <withheld> key cipher <withheld>
 primary accounting <withheld> key cipher <withheld>
 user-name-format without-domain
#
domain radius
 authentication login radius-scheme radius local
 accounting login radius-scheme radius local
#
domain system
#
 domain default enable radius
#
role default-role enable
#
user-group system
#
local-user administrator class manage
 password hash <withheld>
 service-type ssh telnet http https
 authorization-attribute user-role level-15
 authorization-attribute user-role network-operator
#
With this configuration, when captured with Wireshark, I can see that an Access-Accept is sent back to the switch, but the connection is immediately dropped by the switch. I am assuming that is because no privilege level has been provided, but I am unsure.
Under the domain radius, I have tried adding authorization default none; this allows me to connect but with practically no privilege level except for a few display commands.
Any assistance with this would be greatly appreciated. I have looked over the configuration guide again and again, but seem to be getting nowhere.
Thanks,
Steven
07-27-2016 06:50 PM
Re: 5700 FlexFabric Radius Configuration
I have seen in the documentation that the instructions for Free Radius require the creation of a user account, instead of making it authenticate against the AD. Is this a possible limitation of this switch? Being DC I would assume not.
07-29-2016 04:09 AM
Re: 5700 FlexFabric Radius Configuration
200 views and no response; surely someone has come across this before? I come from a mostly Cisco background and the radius commands are thoroughly documented. This is an enterprise-level switch; surely there is a way to use radius with this using AD credentials. Any suggestion would be appreciated. I've tried everything I can think of at this point apart from installing FreeRadius, which I don't want to do for one device.
08-02-2016 09:23 PM
Re: 5700 FlexFabric Radius Configuration
I set up some 5800s to do RADIUS authentication against a Windows server (to check AD accounts) and I've looked everywhere and can't seem to find my backup configs. I'll keep looking.
08-03-2016 07:21 PM
Solution
Thanks Vince,
I have been in contact with HP Support and they have been able to provide me a solution.
Switch configuration I provided was correct.
NPS Changes as follows:
- Changed the Service-Type in "Connection Request Policies" to "Framed"
- Changed the Service-Type in "Network Policies" to "Framed"
- Moved the HP "Network Policies" to #1; below this it wouldn't work as it was hitting other policies first
- Changed the Cisco-AV-Pair to shell:roles=network-admin - quotations have been removed in Comware7
Full guide for anyone interested is on my blog:
https://stevenandrewsblog.wordpress.com/2016/07/25/windows-nps-with-hp-and-cisco/#more-206
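An added example, not part of the original post or HP's documentation: a small Python checker for the attribute block of a captured Access-Accept, testing it against the working settings reported above (Service-Type Framed, Cisco-AV-Pair `shell:roles=network-admin` without quotation marks). The function names and the sample bytes are constructed for illustration; treating any other AV-pair name or a quoted value as a problem is an assumption drawn from this thread.

```python
import struct

CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1      # Cisco enterprise number, vendor type 1
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26     # RFC 2865 attribute types
FRAMED = 2                                # Service-Type value "Framed"

def parse_attributes(data):
    """Split a RADIUS attribute block into (type, value) pairs (RFC 2865 TLVs)."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def review_access_accept(data):
    """Return (service_type, roles, problems) for an Access-Accept attribute block."""
    service_type, roles, problems = None, [], []
    for atype, value in parse_attributes(data):
        if atype == SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor_id, vtype) != (CISCO_VENDOR_ID, CISCO_AVPAIR):
                continue
            avpair = value[6:4 + vlen].decode("ascii", "replace")
            name, _, role = avpair.partition("=")
            if name != "shell:roles":
                problems.append(f"AV-pair name is not shell:roles: {avpair}")
            elif not role or '"' in role:
                problems.append(f"role value is empty or quoted: {avpair}")
            else:
                roles.append(role)
    if service_type != FRAMED:
        problems.append(f"Service-Type is {service_type}, not Framed (2)")
    if not roles:
        problems.append("no usable shell:roles value returned")
    return service_type, roles, problems

def build_sample(service_type, avpair):
    """Constructed sample block: Service-Type plus one Cisco-AVPair VSA."""
    text = avpair.encode("ascii")
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(text) + 2) + text
    return (bytes([SERVICE_TYPE, 6]) + struct.pack("!I", service_type)
            + bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa)
```

In a real capture the attribute block is everything after the 20-byte RADIUS header of the Access-Accept packet.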
02-13-2017 01:24 AM
Re: 5700 FlexFabric Radius Configuration
Hello, thank you for the information. I have a problem configuring the switch HP procurve 2610 and 2600 and switch H3C 5130 and A3600 and S3600 on the radius: I cannot get different rights on the switch. Either I have admin rights or the login window closes as soon as I have the connection to the switch. Would you have the Radius attributes for these models and the setting of the radius, please?
My Configuration HP Procurve:
hostname "ProCurve Switch 2610-24"
ip default-gateway x.x.x.x
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-28
   ip address x.x.x.x x.x.x.x
   exit
radius-server host x.x.x.x acct-port 1646 auth-port 1645 key "xxxxxx"
radius-server key "xxxxxx"
aaa authentication num-attempts 10
aaa authentication console enable radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication port-access eap-radius authorized
aaa authentication login privilege-mode
aaa port-access authenticator active
ip ssh
no dhcp config-file-update
password manager
password operator
Thanks for your help
Best regards
Mathieu