11-04-2012 09:04 AM
5920: RADIUS attributes for SSH login on HP 5920AF
We are using an HP 5920AF, Comware 7.10 r2108p03.
We would like to have administrators log in to the switch using SSH2 and RADIUS authentication.
We are using a Microsoft IAS RADIUS server (2003).
We are able to log in to the switch, but apparently the exec privileges are wrong, as we only have a limited command set available although we have configured the user-role as network-admin:
user-interface vty 0 15
authentication-mode scheme
user-role network-admin
protocol inbound ssh
When using a locally configured user (non-RADIUS), the user gets the correct privilege (network-admin).
So I guess that the HW-Exec-Privilege values are wrong, possibly the vendor ID, which I haven't been able to find.
Any ideas?
Decoded reply packet successfully.
*Nov 5 00:39:21:244 2012 HP RADIUS/7/PACKET:
Hw-Exec-Privilege=3
Framed-Protocol=PPP
Login-Service=50
Service-Type=Administrative-User
class="0x2f26051f0000013700010a0c011001cd83175317db320000000001849dbd"
*Nov 5 00:39:21:245 2012 HP RADIUS/7/PACKET:
02 ec 00 52 67 14 18 6c 57 f9 46 79 c7 02 65 d7
80 67 95 e0 1a 0c 00 00 07 db 1d 06 00 00 00 03
07 06 00 00 00 01 0f 06 00 00 00 32 06 06 00 00
00 06 19 20 2f 26 05 1f 00 00 01 37 00 01 0a 0c
01 10 01 cd 83 17 53 17 db 32 00 00 00 00 01 84
9d bd
11-04-2012 09:52 AM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
Yes, this is a not-very-well documented configuration.
The info I have worked for Comware version 5.20, I do not have Comware 7, but at least you could try this.
You need to configure a VSA in IAS and you must modify the IAS dnary.mdb file for ssh support.
See the attachment for the info, specifically pages 22-25. That config worked for me for Comware 5.
hth...Jeff
11-04-2012 12:11 PM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
Thanks for the document - it's the best I've ever seen...
Unfortunately it doesn't solve our problem :(
We managed to have administrative RADIUS authentication for 5500 switches, both 3Com and H3C, but apparently it's not quite the same for the 5920 (Comware 7).
br
Torben
11-04-2012 12:46 PM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
Well, I did have to make a change when I used W2K8-R2_NPS and latest Comware 5.20 on an H3C S5500EI.
Attached is a screenshot of what I did to make it work, instead of the older VSA config as in the doc.
hth...Jeff
02-08-2013 12:44 AM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
Hi Torben,
Have you been able to resolve this problem? I am also trying to implement RADIUS authentication for both Comware 5 and Comware 7 switches. The Comware 7 switches now use "roles" instead of "levels". The "Fundamentals Guide" for the 5900 just tells you to look in the documentation of the RADIUS server. But for HWTACACS it does say that the roles are specified as a list:
"For remote AAA authentication users, user roles are configured on the remote authentication server. For information about configuring user roles for RADIUS users, see the RADIUS server documentation. For HWTACACS users, the role configuration must use the roles="role-1 role-2 … role-n" format, where user roles are space separated. For example, configure roles="level-0 level-1 level-2" to assign level-0, level-1, and level-2 to an HWTACACS user."
I assume there must be a similar RADIUS attribute that can be used to specify the Comware 7 roles assigned to a user.
Thanks to anyone who can provide some insight on how to configure user roles on RADIUS.
Paul
02-18-2013 05:39 AM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
Hi Paul
No, I haven't been able to solve the problem yet.
HP has just released firmware version 2207, with a lot of RADIUS commands.
But so far I haven't had any success.
Torben
02-18-2013 11:22 AM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
It's a little different and, by the way, well documented by HP: http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c03189486/c03189486.pdf
02-19-2013 11:25 PM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
I have been looking at the Fundamentals Configuration guide, but if you can tell me on which page it specifies the Radius attribute and format to be returned to specify the RBAC "user role", I would be grateful!
I got an answer from HP L3 support stating that I should just use the same HP vendor-specific attribute for Exec-Privilege (29), but give it the values 0-15 corresponding to the user roles level-0 through level-15. And, looking through the Fundamentals Configuration guide again, I found these notes on page 44:
"NOTE:
- To be compatible with privilege-based access control, the device automatically converts privilege-based user levels (0 to 15) assigned by an AAA server to RBAC user roles (level-0 to level-15).
- If the AAA server assigns a privilege-based user level and a user role to a user, the user can use the collection of commands and resources accessible to both the user level and the user role."
The first note would confirm the answer that I received from HP L3 support. However, in a mixed Comware5/Comware7 environment, I now have to figure out how to send the old 0-3 Exec-Privilege values to the Comware5 devices and the new 0-15 Exec-Privilege values to the Comware7 devices. May just have to do this based on NAS IP address.
However, the second note confirms that there is some other Radius attribute that can be returned to specify a "user role". The HP Radius attribute 29 is the "privilege-based user role", so what attribute is used to specify a "user role"?
Paul
02-20-2013 04:26 AM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
The user roles are specified by using the Cisco-AVPair attribute. We tested this with a MS NPS server, setting the Cisco-AVPair attribute equal to "shell:roles=network-admin". The Comware7 switch accepts this and gives the user access to the commands defined for the network-admin role.
Paul
02-20-2013 10:59 AM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
An update on this solution....
We tested the following combinations using an MS NPS as the Radius server.
Radius returns the Huawei attribute 29 for Exec-Privilege set to "1": The Comware7 switch gives access to the commands preconfigured for user role level-1. This also works for a Comware5 switch as Userlevel 1 on Comware5 and user role "level-1" on Comware7 have pretty much the same command set.
Radius returns the Huawei attribute 29 for Exec-Privilege set to "15": The Comware7 switch gives access to the commands preconfigured for user role level-15. This does not work with a Comware5 switch, which denies access.
Radius returns the Huawei attribute 29 for Exec-Privilege set to "1" and also returns the Cisco-AVPair attribute set to "shell:roles=network-operator": The Comware7 switch gives the command set assigned to the role "network-operator". The Comware5 switch sets the Userlevel to "1".
Radius returns the Huawei attribute 29 for Exec-Privilege set to "3" and also returns the Cisco-AVPair attribute set to "shell:roles=network-admin": The Comware7 switch gives the command set assigned to the role "network-admin". The Comware5 switch sets the Userlevel to "3".
Unfortunately, we could not find any way to display the actual "user role" of an authenticated user on the Comware7 switch. Neither the "display users" nor the "display user-interface" commands give any information about the assigned user role. So we had to base the results on the command set available to the user after authentication. (On Comware5, the "display users" command does show the Userlevel that is assigned to a connected user.)
Hope this is of help to others :-)
Paul
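Added example, not part of the thread and not HP or Microsoft code: a small RADIUS attribute decoder/encoder that (a) parses the Access-Accept hex dump from the first post, recovering the Hw-Exec-Privilege=3 VSA (vendor 0x07db = 2011, vendor type 29) that the switch debug printed, and (b) builds an Access-Accept carrying Huawei attribute 29 together with Cisco-AVPair "shell:roles=network-admin", the combination Paul reports working, then verifies its Response Authenticator the way a NAS must before honouring any Accept (RFC 2865 section 3). Vendor 2011 and type 29 come from the dump; Cisco's enterprise number 9 and Cisco-AVPair being vendor type 1 are standard values not on the page. The request authenticator and shared secret in the usage block are constructed placeholders.

```python
import hashlib
import hmac
import struct

# The Access-Accept from the first post's "HP RADIUS/7/PACKET" debug output,
# re-typed from the hex dump on the page (constructed input for this example).
CAPTURED_ACCESS_ACCEPT = bytes.fromhex(
    "02ec0052"                          # code 2 (Access-Accept), id 0xec, length 82
    "6714186c57f94679c70265d7806795e0"  # Response Authenticator
    "1a0c000007db1d0600000003"          # VSA: vendor 2011 (Huawei), type 29, value 3
    "070600000001"                      # Framed-Protocol = 1 (PPP)
    "0f0600000032"                      # Login-Service = 50
    "060600000006"                      # Service-Type = 6 (Administrative-User)
    "19202f26051f0000013700010a0c011001cd83175317db320000000001849dbd"  # Class
)
HUAWEI_VENDOR = 2011     # 0x07db in the dump; vendor id Comware uses for Hw-Exec-Privilege
HW_EXEC_PRIVILEGE = 29   # the Huawei/HP attribute 29 discussed in the thread
CISCO_VENDOR = 9         # Cisco enterprise number (not on the page); Cisco-AVPair is vendor type 1
CISCO_AVPAIR = 1
ROLES_PREFIX = "shell:roles="
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
STD_NAMES = {6: "Service-Type", 7: "Framed-Protocol", 15: "Login-Service", 25: "Class"}

def parse_attributes(payload):
    """Walk the attribute TLVs; flatten Vendor-Specific (26) into (vendor, vtype, value)."""
    items, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        value = payload[pos + 2:pos + alen]
        if atype == 26:
            vendor, vpos = struct.unpack("!I", value[:4])[0], 4
            while vpos < len(value):
                if vpos + 2 > len(value):
                    raise ValueError("truncated vendor attribute")
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad vendor attribute length")
                items.append(("vsa", vendor, vtype, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            items.append(("std", atype, value))
        pos += alen
    return items

def decode_packet(pkt):
    """Extract the authorization-relevant content: Exec-Privilege, roles, standard attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("length field does not match packet size")
    info = {"code": CODES.get(code, code), "id": ident,
            "exec_privilege": None, "roles": [], "std": {}}
    for item in parse_attributes(pkt[20:length]):
        if item[0] == "vsa":
            _, vendor, vtype, value = item
            if vendor == HUAWEI_VENDOR and vtype == HW_EXEC_PRIVILEGE:
                info["exec_privilege"] = struct.unpack("!I", value)[0]
            elif vendor == CISCO_VENDOR and vtype == CISCO_AVPAIR:
                text = value.decode("ascii", "replace")
                if text.startswith(ROLES_PREFIX):
                    info["roles"] += text[len(ROLES_PREFIX):].split()
        else:
            _, atype, value = item
            name = STD_NAMES.get(atype, atype)
            info["std"][name] = struct.unpack("!I", value)[0] if len(value) == 4 else value.hex()
    return info

def std_attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def vsa_attr(vendor, vtype, value):
    return std_attr(26, struct.pack("!I", vendor) + bytes([vtype, len(value) + 2]) + value)

def response_authenticator(ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(ident, request_auth, secret, exec_privilege, roles=()):
    """Access-Accept with Huawei attribute 29 and, if roles are given, Cisco-AVPair shell:roles."""
    attrs = std_attr(6, struct.pack("!I", 6))  # Service-Type = Administrative-User
    attrs += vsa_attr(HUAWEI_VENDOR, HW_EXEC_PRIVILEGE, struct.pack("!I", exec_privilege))
    if roles:
        attrs += vsa_attr(CISCO_VENDOR, CISCO_AVPAIR, (ROLES_PREFIX + " ".join(roles)).encode())
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + response_authenticator(ident, request_auth, attrs, secret) + attrs

def verify_access_accept(pkt, request_auth, secret):
    """The check a NAS performs before honouring an Accept: recompute the Response Authenticator."""
    expected = response_authenticator(pkt[1], request_auth, pkt[20:], secret)
    return hmac.compare_digest(expected, pkt[4:20])

if __name__ == "__main__":
    print(decode_packet(CAPTURED_ACCESS_ACCEPT))
    req_auth, secret = bytes(range(16)), b"constructed-secret"  # placeholders, not real values
    pkt = build_access_accept(0x42, req_auth, secret, 3, ["network-admin"])
    print(decode_packet(pkt), verify_access_accept(pkt, req_auth, secret))
```

Decoding the captured packet shows why the first post's login landed with a limited command set: the only authorization data the IAS server returned was Exec-Privilege 3 and no role, and on Comware 7 a level maps to the role level-3, not network-admin. The builder produces the attribute pair that the last post found to work on both Comware 5 and Comware 7; the verifier is the integrity check that keeps a forged Accept carrying a privileged role from being honoured when the shared secret is unknown to the sender.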