Re: 5920: RADIUS attributes for SSH login on HP 5920AF

3comold
Advisor

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Thanks Paul!
It will also be possible to add a condition to the network policy that matches the Comware 5 devices using their IP addresses (if you have, for example, all Comware 5 devices in 1 to 100 of their subnet, then it will be simple); or even create connection requests that match each NAS IPv4 Address of the Comware 5 devices and another for the Comware 7 devices. However, you can also (simpler) duplicate the current policy and change the condition accordingly: when the NAS IPv4 Address is xx.xx.xx.01 to xx.xx.xx.50 in one policy, and in the other policy when the NAS IPv4 Address is xx.xx.xx.51 to xx.xx.xx.100.
For each policy your NPS returns the attribute that corresponds to the version of Comware.

If you have time and you are interested in going this way, you can test it. Anyway, having both privilege levels returned does not harm, but it is not clean.

Thank you again, and
Kind regards
Peter_Debruyne
Honored Contributor

Re: 5920: RADIUS attributes for SSH login on HP 5920AF - Packet trace ?

Hi,

Great replies, this will help a lot of people!

 

I do not have a 5900 to test, but if anyone can post a RADIUS packet trace of the login request, I could see if there are any differences in the RADIUS Access-Request packet compared to the Comware 5 devices.

This would allow an additional condition to be configured on the RADIUS server...

thanks, Peter

3comold
Advisor

Re: 5920: RADIUS attributes for SSH login on HP 5920AF - Packet trace ?

Thanks Peter!

The condition constraining on the NAS IP address uses a character-string attribute, and when setting this condition in NPS (or IAS) we can use pattern-matching syntax to specify IP networks.
The syntax is defined here: http://technet.microsoft.com/en-us/library/cc737419(v=ws.10).aspx

 

As to the user role that can be returned:

First you have to approach the "FEATURE GROUP". The feature group will allow binding access permissions for commands to an enabled feature set of the command. However, if you do not use this "FEATURE GROUP" it will also work, since there are predefined "FEATURE GROUPS". Look at the document from HP here: http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c03189486/c03189486.pdf. In addition to these predefined "FEATURE GROUPS" you can also create your own.
Then you have to approach the "USER ROLE". The user role is a kind of "policy/ACL" that will define what the user can do from the command prompt (CLI). There is also a predefined user role; however, it is disabled by default. It can be enabled to allow access for any user authenticated from AAA who is not bound to any user role.
See also in the HP document: http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c03189486/c03189486.pdf


So, after you have configured the user role (you do not have to, if you want to use a predefined user role that will be set using the returned attribute), you then configure in RADIUS the Cisco AV pair with this user role to be returned to the NAS.

For example, let's suppose that you create a user role called "rolex" - that is not the famous watch :-) - and that you created a feature group to which you wish to bind this user; you then want the commands this user executes, after he/she has passed the RADIUS authentication, to be limited to his/her feature group and user role, AND you also want his/her user role to be correctly returned as an attribute:

So, then first you create the feature group; let's name it "feature-groupx".
role feature-group name feature-groupx
.
.
.

Then you configure the set of features for this group. When you have finished, you then configure the user role ("rolex" in our example):

role name rolex
rule x permit read write feature-group feature-groupx
.
.
.

When you have finished configuring the policy for this user role "rolex", you then configure the following Cisco AV pair to be returned by RADIUS to the NAS after successful authentication of a RADIUS user:

shell:roles=rolex

 

Thanks again, and

Kind regards
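As an added illustration of the NAS IPv4 Address range conditions discussed in the two posts above (this is example code written for this thread, not code from HPE, Microsoft or any poster): a small Python model of two NPS network policies told apart by an anchored regex on the NAS IPv4 Address, the lower range returning the Comware 5 attribute and the upper range returning the Comware 7 Cisco AV pair. The 192.0.2.x addresses, the policy names and the Comware 5 attribute placeholder are assumptions.

```python
import ipaddress
import re


def nas_ip_range_pattern(network_prefix, first, last):
    """Return an anchored regex matching network_prefix.first .. network_prefix.last.

    network_prefix is the first three dotted octets (e.g. "192.0.2").
    The last octet is written as an explicit alternation and anchored with
    ^ and $, so a pattern meant for 1..50 can never also match 100 or 150.
    """
    if not 0 <= first <= last <= 255:
        raise ValueError("last octet range must lie within 0..255")
    octets = "|".join(str(n) for n in range(first, last + 1))
    return "^" + re.escape(network_prefix) + r"\.(" + octets + ")$"


# Constructed example policies (assumed addresses and names, not from the thread).
POLICIES = [
    {
        "name": "Comware 5 switches",
        "nas_pattern": nas_ip_range_pattern("192.0.2", 1, 50),
        # The Comware 5 privilege attribute is discussed earlier in the thread
        # and is not reproduced here; this is a labelled placeholder only.
        "attributes": {"COMWARE5_PRIVILEGE_ATTRIBUTE_PLACEHOLDER": "PLACEHOLDER"},
    },
    {
        "name": "Comware 7 switches",
        "nas_pattern": nas_ip_range_pattern("192.0.2", 51, 100),
        # Comware 7 takes the user role from a Cisco AV pair, as the post above shows.
        "attributes": {"Cisco-AV-Pair": "shell:roles=rolex"},
    },
]


def select_policy(nas_ipv4_address, policies=POLICIES):
    """Mimic NPS first-match policy evaluation on the NAS IPv4 Address condition.

    Returns (policy name, attributes to return) for the first matching policy,
    or None when no policy matches (NPS would then reject the request).
    Malformed NAS-IP-Address values raise ValueError instead of silently failing to match.
    """
    ipaddress.IPv4Address(nas_ipv4_address)
    for policy in policies:
        if re.match(policy["nas_pattern"], nas_ipv4_address):
            return policy["name"], policy["attributes"]
    return None
```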

HPRamin
Visitor

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Hello Jeff, great finding about the VSA. I added this attribute into my NPS and it resolved my authenticated user privilege.

Thanks again

Marcusz97
New Member

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Hi,

I've configured the policy correctly for Comware 7, and also for Comware 5, and I can authenticate to the appliance.

Now I'm trying to authenticate with different protocols (SSH, telnet, CLI). With Comware 7 there are no problems: basically, if the attribute "Login-service" is missing I can authenticate with every protocol. But with Comware 5 I need to specify the "Login-service" in order to log in, so if I specify telnet, I can't authenticate with SSH. I use Microsoft NPS (Win 2012), and I can't have more policies with different login services, nor all login services in the same policy.

So I ask if it's possible to authenticate without specifying the "Login-service" attribute on Comware 5, maybe by telling the appliance to ignore it.

Thank you,

Marco

paag
New Member

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

So, did you end up getting an answer? I am stuck with the same situation with my Comware 5 switches.