
5900 v7.2 and Radius

I've got a 5900 firmware 7.2 and I'm trying to get SSH to work. I've set it up with FreeRadius and I'm able to SSH in; however, the accounts have no permissions. I can get into system-view but I'm unable to do anything other than use the 'display' command.




user-interface vty 0 15
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh

ssh server enable

radius scheme rad
 primary authentication $IPADDRESS
 primary accounting $IPADDRESS
 key authentication cipher $KEY
 key accounting cipher $KEY
 user-name-format keep-original

domain system
 authentication login radius-scheme rad
 authorization login radius-scheme rad

domain default enable system

role default-role enable






ADMIN1 Auth-Type = System
    Service-Type = Administrative-User,
    Login-Service = 50,
    Huawei-Exec-Privilege = 3

ADMIN2 Cleartext-Password := "password"
    Service-Type += Login-User,
    Login-Service += SSH,
    H3C-Exec_Privilege = 3,
    3Com-User-Access-Level = 3Com-Administrator



I've tried both ADMIN1 and ADMIN2 but I get the same issue. I can SSH in and get to system-view, but I keep getting "Permission Denied" whenever I try to execute commands (Ping, Edit Radius Scheme, etc.).


How do I give these accounts network-admin access? This radius configuration works fine on a 10500 we have, but that is an earlier version that doesn't have 'roles'.




New Member

Re: 5900 v7.2 and Radius



You should return the attribute Cisco-AVPair. For example:

Cisco-AVPair += "shell:roles=network-admin"


Don't use H3C-Exec_Privilege and/or 3Com-User-Access-Level in the return to the 5920. It will not work when you combine "old" and "new". Good luck!


Best regards,

Sander Ruiter
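
A lint for the FreeRADIUS users file based on the advice in the reply above, added here as an example and not code from either poster or from the vendor: it flags entries whose reply returns no `shell:roles` value, or mixes one with the legacy attributes the reply names. The sample entries (including the ADMIN3 account) and the function names are constructed for illustration, and the parser assumes reply items are the indented lines under each user.

```python
import re

# Legacy privilege attributes the reply says not to mix with shell:roles.
LEGACY_ATTRS = {"H3C-Exec_Privilege", "3Com-User-Access-Level"}
ROLE_RE = re.compile(r'Cisco-AVPair\s*\+?:?=\s*"shell:roles=([^"]*)"')

# Constructed sample in FreeRADIUS "users" file layout (not real accounts).
SAMPLE_USERS = '''\
ADMIN1 Auth-Type = System
    Service-Type = Administrative-User,
    Huawei-Exec-Privilege = 3

ADMIN2 Cleartext-Password := "password"
    H3C-Exec_Privilege = 3,
    Cisco-AVPair += "shell:roles=network-admin"

ADMIN3 Cleartext-Password := "password"
    Cisco-AVPair += "shell:roles=network-admin"
'''

def parse_users(text):
    """Return {username: [reply items]}; reply items are the indented lines."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        if raw[0] not in " \t":
            current = raw.split()[0]  # unindented line starts a new user
            entries[current] = []
        elif current is not None:
            entries[current].append(raw.strip().rstrip(","))
    return entries

def audit(text):
    """Map each user to a list of findings; an empty list means no finding."""
    report = {}
    for user, items in parse_users(text).items():
        roles = [m.group(1) for i in items if (m := ROLE_RE.search(i))]
        findings = []
        if not roles:
            findings.append("no shell:roles returned")
        legacy = sorted({i.split()[0] for i in items} & LEGACY_ATTRS)
        if roles and legacy:
            findings.append("mixes shell:roles with " + ", ".join(legacy))
        report[user] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_USERS))
```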