Re: 5920: RADIUS attributes for SSH login on HP 5920AF

tveng
Established Member

5920: RADIUS attributes for SSH login on HP 5920AF

We are using an HP 5920AF, Comware 7.10 r2108p03.
We would like to have administrators log into the switch using SSH2 and RADIUS authentication.
We are using a Microsoft IAS RADIUS (2003).

We are able to log in to the switch, but apparently the exec privileges are wrong, as we only have a limited command set available although we have configured the user-role as network-admin.


user-interface vty 0 15
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh


When using a locally configured user (non-RADIUS) the user gets the correct privilege (network admin).
So I guess that the HW-Exec-Privilege is wrong, possibly the vendor ID, which I haven't been able to find.


Any ideas?


Decoded reply packet successfully.
*Nov  5 00:39:21:244 2012 HP RADIUS/7/PACKET:
    Hw-Exec-Privilege=3
    Framed-Protocol=PPP
    Login-Service=50
    Service-Type=Administrative-User
    class="0x2f26051f0000013700010a0c011001cd83175317db320000000001849dbd"
*Nov  5 00:39:21:245 2012 HP RADIUS/7/PACKET:
 02 ec 00 52 67 14 18 6c 57 f9 46 79 c7 02 65 d7
 80 67 95 e0 1a 0c 00 00 07 db 1d 06 00 00 00 03
 07 06 00 00 00 01 0f 06 00 00 00 32 06 06 00 00
 00 06 19 20 2f 26 05 1f 00 00 01 37 00 01 0a 0c
 01 10 01 cd 83 17 53 17 db 32 00 00 00 00 01 84
 9d bd

Jeff Carrell
Honored Contributor

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Yes, this is a not-very-well documented configuration.


The info I have worked for Comware version 5.20; I do not have Comware 7, but at least you could try this.


You need to configure a VSA in IAS and you must modify the IAS dnary.mdb file for ssh support.


See the attachment for the info, specifically pages 22-25.  That config worked for me for Comware 5.


hth...Jeff

tveng
Established Member

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Thanks for the document - it's the best I've ever seen...

Unfortunately it doesn't solve our problem :(

We managed to have administrative RADIUS authentication for 5500 switches, both 3Com and H3C, but apparently it's not quite the same for the 5920 (Comware 7).

br

Torben

Jeff Carrell
Honored Contributor

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Well, I did have to make a change when I used W2K8-R2_NPS and latest Comware 5.20 on an H3C S5500EI.


Attached is a screenshot of what I did to make it work, instead of the older VSA config as in the doc.


hth...Jeff

Paul.Kraus
Occasional Advisor

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Hi Torben,


Have you been able to resolve this problem? I am also trying to implement RADIUS authentication for both Comware 5 and Comware 7 switches. The Comware 7 switches now use "roles" instead of "levels". The "Fundamentals Guide" for the 5900 just tells you to look in the documentation of the RADIUS server. But for HWTACACS it does say that the roles are specified as a list ....


"For remote AAA authentication users, user roles are configured on the remote authentication server. For information about configuring user roles for RADIUS users, see the RADIUS server documentation. For HWTACACS users, the role configuration must use the roles="role-1 role-2 … role-n" format, where user roles are space separated. For example, configure roles="level-0 level-1 level-2" to assign level-0, level-1, and level-2 to an HWTACACS user."


I assume there must be a similar RADIUS attribute that can be used to specify the Comware 7 roles assigned to a user.


Thanks to anyone who can provide some insight on how to configure user roles on RADIUS.


Paul

tveng
Established Member

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Hi Paul
No, I haven't been able to solve the problem yet.
HP has just released firmware version 2207 - with a lot of RADIUS commands.
But so far I haven't had any success.


Torben

3comold
Advisor

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Paul.Kraus
Occasional Advisor

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

I have been looking at the Fundamentals Configuration guide, but if you can tell me on which page it specifies the Radius attribute and format to be returned to specify the RBAC "user role", I would be grateful!


I got an answer from HP L3 support stating that I should just use the same HP vendor-specific attribute for Exec-Privilege (29), but give it the values 0-15 corresponding to the user roles level-0 through level-15. And, looking through the Fundamentals Configuration guide again, I found these notes on page 44:


"NOTE:

To be compatible with privilege-based access control, the device automatically converts privilege-based user levels (0 to 15) assigned by an AAA server to RBAC user roles (level-0 to level-15).

If the AAA server assigns a privilege-based user level and a user role to a user, the user can use the collection of commands and resources accessible to both the user level and the user role."


The first note would confirm the answer that I received from HP L3 support.  However, in a mixed Comware5/Comware7 environment, I now have to figure out how to send the old 0-3 Exec-Privilege values to the Comware5 devices and the new 0-15 Exec-Privilege values to the Comware7 devices.  May just have to do this based on NAS IP address.


However, the second note confirms that there is some other Radius attribute that can be returned to specify a "user role".  The HP Radius attribute 29 is the "privilege-based user role", so what attribute is used to specify a "user role"?


Paul

Paul.Kraus
Occasional Advisor

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Sorry, it was actually there in the Configuration guide under the example for RBAC with Radius on page 51.

The user roles are specified by using the Cisco-AVPair attribute. We tested this with a MS NPS server, setting the Cisco-AVPair attribute equal to "shell:roles=network-admin". The Comware7 switch accepts this and gives the user access to the commands defined for the network-admin role.

Paul
Paul.Kraus
Occasional Advisor

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

An update on this solution....


We tested the following combinations using an MS NPS as the Radius server.


Radius returns the Huawei attribute 29 for Exec-Privilege set to "1": The Comware7 switch gives access to the commands preconfigured for user role level-1.   This also works for a Comware5 switch as Userlevel 1 on Comware5 and user role "level-1" on Comware7 have pretty much the same command set.


Radius returns the Huawei attribute 29 for Exec-Privilege set to "15":  The Comware7 switch gives access to the commands preconfigured for user role level-15.   This does not work with a Comware5 switch, which denies access.


Radius returns the Huawei attribute 29 for Exec-Privilege set to "1" and also returns the Cisco-AVPair attribute set to "shell:roles=network-operator": The Comware7 switch gives the command set assigned to the role "network-operator". The Comware5 switch sets the Userlevel to "1".


Radius returns the Huawei attribute 29 for Exec-Privilege set to "3" and also returns the Cisco-AVPair attribute set to "shell:roles=network-admin": The Comware7 switch gives the command set assigned to the role "network-admin". The Comware5 switch sets the Userlevel to "3".


Unfortunately, we could not find any way to display the actual "user role" of an authenticated user on the Comware7 switch. Neither the "display users" nor the "display user-interface" commands give any information about the assigned user role. So we had to base the results on the command set available to the user after authentication. (On Comware5, the "display users" command does show the Userlevel that is assigned to a connected user.)


Hope this is of help to others :-)


Paul
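Added example, not code from the thread, HP or Microsoft: a small Python helper that decodes the Access-Accept hex dump from the first post into named attributes (showing that the VSA carries vendor id 2011 / sub-attribute 29 = Hw-Exec-Privilege = 3 and that no role attribute is present), and builds an Access-Accept carrying the combination Paul reports as working on both generations in his last post: Exec-Privilege 3 plus Cisco-AVPair "shell:roles=network-admin". The vendor ids and attribute numbers are those visible in the dump and in the posts; the shared secret and request authenticator used when building the reply are constructed values, and the Response Authenticator is computed per RFC 2865 so a client can check the reply came from a server holding the secret.

```python
import hashlib
import struct

# Access-Accept hex dump copied from the first post (debug output, not a live capture).
POSTED_ACCEPT_HEX = (
    "02 ec 00 52 67 14 18 6c 57 f9 46 79 c7 02 65 d7 "
    "80 67 95 e0 1a 0c 00 00 07 db 1d 06 00 00 00 03 "
    "07 06 00 00 00 01 0f 06 00 00 00 32 06 06 00 00 "
    "00 06 19 20 2f 26 05 1f 00 00 01 37 00 01 0a 0c "
    "01 10 01 cd 83 17 53 17 db 32 00 00 00 00 01 84 "
    "9d bd"
)

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_HUAWEI = 2011   # 0x07db in the dump; sub-attribute 29 is Exec-Privilege
VENDOR_CISCO = 9       # Cisco-AVPair is sub-attribute 1 under vendor 9

ATTR_NAMES = {6: "Service-Type", 7: "Framed-Protocol", 15: "Login-Service", 25: "Class"}
VSA_NAMES = {(VENDOR_HUAWEI, 29): "Hw-Exec-Privilege", (VENDOR_CISCO, 1): "Cisco-AVPair"}
INTEGER_ATTRS = {"Service-Type", "Framed-Protocol", "Login-Service", "Hw-Exec-Privilege"}


def _decode(name, raw):
    """Integers as int, Cisco-AVPair as text, anything else (e.g. Class) as hex."""
    if name in INTEGER_ATTRS:
        return name, struct.unpack("!I", raw)[0]
    if name == "Cisco-AVPair":
        return name, raw.decode("ascii")
    return name, raw.hex()


def parse_attributes(data: bytes) -> list:
    """Return [(name, value)] for a RADIUS packet, flattening Vendor-Specific sub-attributes.
    Every length field is checked so a truncated or oversized TLV raises instead of mis-parsing."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    out = []
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC:
            out.append(_decode(ATTR_NAMES.get(atype, "Attr-%d" % atype), value))
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        vpos = 4  # one VSA may carry several vendor sub-attributes
        while vpos < len(value):
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError("malformed VSA for vendor %d" % vendor)
            name = VSA_NAMES.get((vendor, vtype), "VSA-%d-%d" % (vendor, vtype))
            out.append(_decode(name, value[vpos + 2:vpos + vlen]))
            vpos += vlen
    return out


def vsa(vendor: int, vtype: int, payload: bytes) -> bytes:
    """Encode one Vendor-Specific attribute (RFC 2865 section 5.26 layout)."""
    body = struct.pack("!I", vendor) + bytes([vtype, len(payload) + 2]) + payload
    return bytes([ATTR_VENDOR_SPECIFIC, len(body) + 2]) + body


def role_attributes(exec_privilege: int, roles: str) -> bytes:
    """Exec-Privilege for Comware 5 (and the level-N role on Comware 7) plus
    Cisco-AVPair shell:roles=... for the Comware 7 RBAC role, as tested in the thread."""
    if not 0 <= exec_privilege <= 15:
        raise ValueError("Exec-Privilege must be 0-15")
    return (vsa(VENDOR_HUAWEI, 29, struct.pack("!I", exec_privilege))
            + vsa(VENDOR_CISCO, 1, ("shell:roles=" + roles).encode("ascii")))


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the reply was produced with the shared secret."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return expected == packet[4:20]


if __name__ == "__main__":
    for name, value in parse_attributes(bytes.fromhex(POSTED_ACCEPT_HEX)):
        print("%-18s %s" % (name, value))
    # Constructed request authenticator and secret; a real NAS generates the former per request.
    req_auth = bytes(range(16))
    pkt = build_access_accept(0x2A, req_auth, b"constructed-secret",
                              role_attributes(3, "network-admin"))
    print(parse_attributes(pkt), verify_response(pkt, req_auth, b"constructed-secret"))
```

Running it on the posted dump prints Hw-Exec-Privilege 3, Framed-Protocol 1, Login-Service 50, Service-Type 6 and the Class value, which is the same information the switch's own debug line decoded; the absence of any Cisco-AVPair explains why the level-3 user got a limited command set on Comware 7 rather than network-admin.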