03-25-2013 04:49 AM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
It will also be possible to add a condition to the network policy that matches the Comware 5 devices using their IP addresses (if, for example, you have all Comware 5 devices in 1 to 100 of their subnet, then it will be simple); or even create connection requests that will match each NAS IPv4 Address of the Comware 5 and, in another, the Comware 7 devices. However, you can also (simpler) duplicate the current policy and change the condition accordingly: when the NAS IPv4 Address is xx.xx.xx.01 to xx.xx.xx.50 in one policy, and in the other policy if the NAS IPv4 Address is xx.xx.xx.51 to xx.xx.xx.100.
For each policy your NPS returns the attribute that corresponds to the version of Comware.
If you have time and you are interested in going this way, you can test. Anyway, having both privilege levels returned does not harm, but it is not clean.
Thank you again, and
Kind regards
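As an added illustration of the NAS IPv4 Address condition described above (example code, not part of the original reply), the following Python builds an anchored NPS-style pattern for a range of last octets and evaluates two network policies top-down, first match wins, as NPS does. The 10.0.0.x addresses and the policy names are constructed; the unanchored pattern at the end shows the caveat that a pattern without ^ and $ also matches longer addresses.

```python
import re

def _digit_run(start: int, end: int) -> str:
    # start..end lie in the same decade (same value of n // 10)
    if start == end:
        return str(start)
    prefix = str(start // 10) if start >= 10 else ""
    return f"{prefix}[{start % 10}-{end % 10}]"

def octet_alternation(low: int, high: int) -> str:
    """Regex alternation matching the decimal integers low..high (one IPv4 octet)."""
    if not 0 <= low <= high <= 255:
        raise ValueError("octet range must lie within 0..255")
    parts, n = [], low
    while n <= high:
        if n < 10 or n % 10 != 0 or n + 9 > high:
            # partial decade (or single digits): spell out a digit class
            end = min(high, (n // 10) * 10 + 9)
            parts.append(_digit_run(n, end))
            n = end + 1
        else:
            # one or more full decades with the same hundreds digit
            start = n
            while n + 9 <= high and n // 100 == start // 100:
                n += 10
            t_lo, t_hi = (start // 10) % 10, ((n - 10) // 10) % 10
            hundreds = str(start // 100) if start >= 100 else ""
            tens = str(t_lo) if t_lo == t_hi else f"[{t_lo}-{t_hi}]"
            parts.append(f"{hundreds}{tens}[0-9]")
    return "|".join(parts)

def nas_ip_pattern(network_prefix: str, low: int, high: int) -> str:
    """Anchored pattern for NAS-IPv4-Address in network_prefix.low .. network_prefix.high."""
    octets = network_prefix.split(".")
    if len(octets) != 3 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("network_prefix must be the first three octets, e.g. '10.0.0'")
    return r"^" + r"\.".join(octets) + r"\.(" + octet_alternation(low, high) + r")$"

def nas_ip_matches(pattern: str, nas_ip: str) -> bool:
    return re.search(pattern, nas_ip) is not None

# Constructed example: two network policies, evaluated top-down like NPS (first match wins).
POLICIES = [
    ("Comware 5 devices", nas_ip_pattern("10.0.0", 1, 50)),
    ("Comware 7 devices", nas_ip_pattern("10.0.0", 51, 100)),
]

def select_policy(nas_ip: str):
    for name, pattern in POLICIES:
        if nas_ip_matches(pattern, nas_ip):
            return name
    return None

# Pitfall: without ^ and $ this "single host" pattern also matches 10.0.0.10-19 and 10.0.0.100-199
UNANCHORED_SINGLE_HOST = r"10\.0\.0\.1"
```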
03-26-2013 01:12 AM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF - Packet trace ?
Hi,
Great replies, this will help a lot of people!
I do not have a 5900 to test, but if anyone can post a radius packet trace of the login request, I could see if there are any differences in the radius access-request packet compared to the comware 5 devices.
This would allow an additional condition to be configured on the radius server...
Thanks, Peter
03-27-2013 10:03 AM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF - Packet trace ?
Thanks Peter!
The condition constraint using the NAS IP address is a character string attribute, and when setting this condition in NPS (or IAS) we can use pattern matching syntax to specify IP networks.
The syntax is defined here: http://technet.microsoft.com/en-us/library/cc737419(v=ws.10).aspx
As to the user role that can be returned:
First you have to approach the “FEATURE GROUP”. The feature group allows you to bind access to permission commands to an enabled feature set of the command. However, if you do not use this “FEATURE GROUP” it will also work, since there are predefined “FEATURE GROUPS”. Look at the HP document here: http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c03189486/c03189486.pdf. In addition to these predefined “FEATURE GROUPS” you can also create your own.
Then you have to approach the “USER ROLE”. The user role is a kind of “policy/ACL” that defines what the user can do from the command prompt (CLI). There is also a predefined user role; however, it is disabled by default. It can be enabled to allow access for any user authenticated from AAA who is not bound to any user role.
See also in the HP document: http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c03189486/c03189486.pdf
So, after you have configured the user role (you do not have to, if you want to use a predefined user role that will be set using the returned attribute), you configure in RADIUS the Cisco AV pair with this user role to be returned to the NAS.
For example, let’s suppose that you create a user role called “rolex” (that is not the famous watch) and that you created a feature group to which you wish to bind this user; you want the commands this user executes, after he/she has passed the RADIUS authentication, to be limited to his/her feature group and user role, AND you also want his/her user role to be correctly returned as an attribute:
So, first you create the feature group; let’s name it “feature-groupx”.
role feature-group name feature-groupx
.
.
.
Then you configure the set of feature for this group. When you have finished, then you configure the user role (“rolex” in our example):
role name rolex
rule x permit read write feature-group feature-groupx
.
.
.
When you have finished configuring the policy for this user role “rolex”, you then configure the following cisco av pair to be returned by RADIUS to the NAS after successful authentication of a RADIUS user:
shell:roles=rolex
Thanks again, and,
Kind regards
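As an added example (not from the post, HP or any RADIUS server product), this Python encodes the shell:roles=rolex Cisco AV pair from the post as a RADIUS Vendor-Specific attribute (type 26, Cisco vendor id 9, vendor type 1, as laid out in RFC 2865) and decodes it back the way a NAS would when it parses the Access-Accept, rejecting attributes whose lengths overrun the packet. The Reply-Message in the sample and the space-separated multi-role form are assumptions made for the constructed data.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor type of Cisco-AVPair

def encode_cisco_avpair(value: str) -> bytes:
    # Encode one Cisco-AVPair (e.g. 'shell:roles=rolex') as a RADIUS VSA (type 26).
    data = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data      # vendor TLV
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub                    # vendor id + TLV
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body   # outer TLV

def iter_attributes(blob: bytes):
    # Walk the attribute area of a RADIUS packet, rejecting truncated or overlapping AVPs.
    off = 0
    while off < len(blob):
        if off + 2 > len(blob) or blob[off + 1] < 2 or off + blob[off + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % off)
        alen = blob[off + 1]
        yield blob[off], blob[off + 2:off + alen]
        off += alen

def cisco_avpairs(blob: bytes) -> list:
    # Return every Cisco-AVPair string found in the attribute area.
    pairs = []
    for atype, value in iter_attributes(blob):
        if atype != VENDOR_SPECIFIC or len(value) < 6 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue   # not a VSA, too short, or another vendor's VSA
        sub = value[4:]
        while len(sub) >= 2:
            stype, slen = sub[0], sub[1]
            if slen < 2 or slen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if stype == CISCO_AVPAIR:
                pairs.append(sub[2:slen].decode("ascii", "replace"))
            sub = sub[slen:]
    return pairs

def roles_from_accept(blob: bytes) -> list:
    # Roles named by shell:roles=... pairs; assumption: several roles may be space-separated.
    roles = []
    for pair in cisco_avpairs(blob):
        key, sep, val = pair.partition("=")
        if sep and key.strip() == "shell:roles":
            roles.extend(val.strip().strip('"').split())
    return roles

# Constructed Access-Accept attribute area: a Reply-Message (type 18) plus the post's AV pair.
SAMPLE_ACCEPT_ATTRS = bytes([18, 7]) + b"hello" + encode_cisco_avpair("shell:roles=rolex")
```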
12-15-2016 08:06 AM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
Hello Jeff, great finding about the VSA. I added this attribute into my NPS and it resolved my authenticated user privilege.
Thanks again
06-08-2018 12:28 PM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
Hi,
I've configured the policy correctly for Comware 7, and also for Comware 5, and I can authenticate to the appliance.
Now I'm trying to authenticate with different protocols (SSH, telnet, CLI). With Comware 7 there are no problems; basically, if the attribute "Login-Service" is missing I can authenticate with every protocol. But with Comware 5 I need to specify the "Login-Service" in order to log in, so if I specify telnet, I can't authenticate with SSH. I use Microsoft NPS (Win 2012), and I can't have multiple policies with different login services, nor all login services in the same policy.
So I ask if it's possible to authenticate without specifying the "Login-Service" attribute on Comware 5, maybe by telling the appliance to ignore it.
Thank you,
Marco
02-08-2019 08:34 AM
Re: 5920: RADIUS attributes for SSH login on HP 5920AF
So, did you end up getting an answer? I am stuck with the same situation with my Comware 5 switches.