5900 v7.2 and Radius

Joey_joejoe
Occasional Visitor

I've got a 5900 running firmware 7.2 and I'm trying to get SSH to work. I've set it up with FreeRADIUS and I'm able to SSH in; however, the accounts have no permissions. I can get into system-view but I'm unable to do anything other than use the 'display' command.


Config:

----------------

user-interface vty 0 15
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh
#
ssh server enable
#
radius scheme rad
 primary authentication $IPADDRESS
 primary accounting $IPADDRESS
 key authentication cipher $KEY
 key accounting cipher $KEY
 user-name-format keep-original
#
domain system
 authentication login radius-scheme rad
 authorization login radius-scheme rad
#
domain default enable system
#
role default-role enable

 

 

FreeRADIUS users file:

----------------------

ADMIN1	Auth-Type = System
	Service-Type = Administrative-User,
	Login-Service = 50,
	Huawei-Exec-Privilege = 3

ADMIN2	Cleartext-Password := "password"
	Service-Type += Login-User,
	Login-Service += SSH,
	H3C-Exec-Privilege = 3,
	3Com-User-Access-Level = 3Com-Administrator

 

--------

I've tried both ADMIN1 and ADMIN2 but I get the same issue. I can SSH in and get to system-view, but I keep getting "Permission Denied" whenever I try to execute commands (ping, editing the RADIUS scheme, etc.).

 

How do I give these accounts network-admin access? This RADIUS configuration works fine on a 10500 we have, but that runs an earlier version that doesn't have 'roles'.

 

Thanks!

 

1 REPLY
SRuiter
Occasional Visitor

Re: 5900 v7.2 and Radius

Hi,

 

You should return the attribute Cisco-AVPair. For example:

Cisco-AVPair += "shell:roles=network-admin"

 

Don't use H3C-Exec-Privilege and/or 3Com-User-Access-Level in the return to the 5920. It will not work when you combine "old" and "new". Good luck!

 

Best regards,

Sander Ruiter
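As an added example (not part of the thread, and not HPE or FreeRADIUS code), the Python below shows what the reply's `Cisco-AVPair += "shell:roles=network-admin"` reply item puts on the wire and what the switch does with it. It builds an Access-Accept with a Response Authenticator computed from the shared secret (RFC 2865), verifies that authenticator the way a RADIUS client must before trusting any authorization attribute, and then decodes the Vendor-Specific attributes: a Cisco VSA (vendor 9, sub-type 1) whose string starts with `shell:roles=` yields Comware user roles, while an H3C-Exec-Privilege VSA (vendor 25506, sub-type 29, the numbers used in the FreeRADIUS dictionary.h3c) only carries a legacy privilege level that a role-based box cannot map to a role, which is consistent with the display-only sessions in the question (the session gets the default role that `role default-role enable` assigns, network-operator unless another is named). The shared secret, packet identifiers and request authenticator are constructed test values.

```python
"""Encode, authenticate and decode the RADIUS Access-Accept a Comware 7 switch
expects for role-based authorization.  Added example, not from the forum thread.

Assumptions (labelled): vendor IDs 9 (Cisco) and 25506 (H3C) and the sub-types
Cisco-AVPair = 1 and H3C-Exec-Privilege = 29 follow the FreeRADIUS dictionaries;
the secret, identifiers and request authenticator are constructed values.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6   # Service-Type = Administrative-User
VENDOR_CISCO = 9
CISCO_AVPAIR = 1
VENDOR_H3C = 25506
H3C_EXEC_PRIVILEGE = 29
ROLE_PREFIX = "shell:roles="


def attr(attr_type, value):
    """Plain RFC 2865 attribute: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26) attribute carrying one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_access_accept(ident, request_auth, secret, attrs):
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """True only if the packet was produced by a server holding the shared secret."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return a list of (type, value) tuples; VSAs are expanded to
    (26, vendor_id, vendor_type, value).  Length fields are bounds-checked."""
    body, out, pos = packet[20:], [], 0
    while pos < len(body):
        t, length = struct.unpack("!BB", body[pos:pos + 2])
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute")
        val = body[pos + 2:pos + length]
        if t == ATTR_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", val[:4])[0]
            vpos = 4
            while vpos < len(val):
                vt, vlen = struct.unpack("!BB", val[vpos:vpos + 2])
                if vlen < 2 or vpos + vlen > len(val):
                    raise ValueError("malformed VSA")
                out.append((t, vendor_id, vt, val[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            out.append((t, val))
        pos += length
    return out


def roles_from_accept(packet):
    """(roles, legacy_privilege): roles from Cisco-AVPair 'shell:roles=...'
    (space-separated, optionally quoted); legacy H3C-Exec-Privilege reported separately."""
    roles, legacy = [], None
    for item in parse_attributes(packet):
        if item[0] != ATTR_VENDOR_SPECIFIC:
            continue
        _, vendor_id, vendor_type, value = item
        if vendor_id == VENDOR_CISCO and vendor_type == CISCO_AVPAIR:
            text = value.decode("ascii", errors="replace")
            if text.startswith(ROLE_PREFIX):
                roles.extend(text[len(ROLE_PREFIX):].strip().strip('"').split())
        elif vendor_id == VENDOR_H3C and vendor_type == H3C_EXEC_PRIVILEGE and len(value) == 4:
            legacy = struct.unpack("!I", value)[0]
    return roles, legacy


def demo():
    """Build the two accepts discussed in the thread and decode them."""
    secret = b"constructed-shared-secret"   # assumption: constructed test value
    request_auth = bytes(range(16))         # stands in for the Access-Request's authenticator
    service = attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
    # What the reply recommends: the Comware role inside a Cisco-AVPair.
    new_style = build_access_accept(0x2A, request_auth, secret,
                                    service + vsa(VENDOR_CISCO, CISCO_AVPAIR, b"shell:roles=network-admin"))
    # What the question sent: a privilege level the role-based box does not map to a role.
    old_style = build_access_accept(0x2B, request_auth, secret,
                                    service + vsa(VENDOR_H3C, H3C_EXEC_PRIVILEGE, struct.pack("!I", 3)))
    tampered = new_style[:-1] + bytes([new_style[-1] ^ 0x01])  # flip one bit in the role string
    return {
        "new_verified": verify_response(new_style, request_auth, secret),
        "tampered_verified": verify_response(tampered, request_auth, secret),
        "new": roles_from_accept(new_style),
        "old": roles_from_accept(old_style),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the role-bearing accept verifying and decoding to `network-admin`, the legacy accept decoding to no role at all (only privilege level 3), and a single flipped bit in the role string failing the authenticator check, which is the property that stops a man-in-the-middle from promoting a session by rewriting the attribute.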