02-25-2020 12:59 AM
Hello
I would like to know if it is possible to connect with a RADIUS server during a local connection?
If yes, how?
It worked well on older versions but since Comware 7 I can't do it anymore.
Thank you for your help.
03-01-2020 11:12 PM
Re: Authentication radius in local connection on comware 7
Hello fantomas06,
The radius authentication is the same and enhanced, new features are added in comware 7.
Please advise with an example which radius authentication is not working in comware 7 for you which has been working in comware 5 and on which device in order to provide you with more details.
Thank you!
03-01-2020 11:54 PM
Re: Authentication radius in local connection on comware 7
Hello
Thanks for your answer.
Here is a bit of the configuration that works on com 5 and doesn't work on com 7:
#
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 authentication-mode scheme
 user-role network-admin
 idle-timeout 5 0
#
line vty 0 15
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
 idle-timeout 2 0
#
line vty 16 63
 user-role network-operator
#
ssh server enable
#
radius scheme system
 user-name-format without-domain
#
radius scheme tl47
 primary authentication @Ip
 primary accounting @Ip
 key authentication cipher password
 key accounting cipher password
 user-name-format without-domain
#
domain mpy47
 authentication login radius-scheme tl47 none
 authorization login radius-scheme tl47 none
 accounting login radius-scheme tl47 none
#
domain system
#
domain default enable mpy47
#
local-user admin class manage
 password hash password
 service-type ssh telnet terminal
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user monitor class manage
 password hash password
 service-type ssh telnet terminal
 authorization-attribute user-role network-operator
#
Thank you
03-02-2020 06:58 AM
Re: Authentication radius in local connection on comware 7
Hello fantomas06,
You may try "line vty 0 63" or add for all vty lines the same configuration as it is under vty 0-15:
line vty 0 15
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
 idle-timeout 2 0
This is if the issue is logging in using SSH. Please let me know the device and its software version, also if the issue is for the SSH if this does not help.
Hope this helps.
03-02-2020 07:08 AM
Re: Authentication radius in local connection on comware 7
Hello
The problem does not come from the SSH connection but from the local connection through the console port.
I have this problem on all comware 7 but I test on a 5130
version: 7.1.070, Release 3506P02
03-03-2020 05:10 AM
Re: Authentication radius in local connection on comware 7
Hello fantomas06,
Does this configuration work for the SSH Radius authentication and fails only for the console connection?
03-03-2020 05:17 AM
Re: Authentication radius in local connection on comware 7
Hello
Yes quite!
This same configuration works perfectly on comware 5 whether in SSH or console
03-03-2020 06:03 AM
Re: Authentication radius in local connection on comware 7
Hello fantomas06,
Thank you for your answer!
Please show the output from "display radius scheme" from 5130 and remove any sensitive information (e.g. ip by replacing with "x" and "y", etc).
Check if RADIUS is active and not blocked.
Check if there is some blank space after some of the names. If it is working in 5130 for SSH, but not for console, a debug needs to be run.
Do you see requests for the console connection in the RADIUS server?
What are the attributes which are returned for the user if you are seeing the communication between the RADIUS and 5130 for the console connection?
03-03-2020 07:14 AM - edited 03-03-2020 07:16 AM
Solution
Hello
I think I found the problem. The exchanges between the equipment and the RADIUS server have been modified since the comware 7 update.
On my RADIUS account, the "login type" is SSH and it worked very well on comware 5 with local connection but not on comware 7. I created a second account by putting the "login type" on Terminal and it works.
It's more diy than a real solution but it works!
Sorry for my very bad English.
Thank you Alex
03-03-2020 07:54 AM
Re: Authentication radius in local connection on comware 7
Hello fantomas06,
Great news that it is working now! Thank you for sharing the solution and your cooperation!
I will post the following in case the Login service attribute is used in the RADIUS setup from the Fundamentals configuration guide of the 5130EI switch:
Configuring the Login-Service attribute check method for SSH, FTP, and terminal users
About Login-Service attribute check methods
The device supports the following check methods for the Login-Service attribute (RADIUS attribute 15) of SSH, FTP, and terminal users:
• Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.
• Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.
An Access-Accept packet received for a user must contain the matching attribute value. Otherwise, the user cannot log in to the device.
Restrictions and guidelines
Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.
Procedure
1. Enter system view.
system-view
2. Enter RADIUS scheme view.
radius scheme radius-scheme-name
3. Configure the Login-Service attribute check method for SSH, FTP, and terminal users.
attribute 15 check-mode { loose | strict }
The default check method is strict.
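
The strict and loose rule quoted above, as an added example that is not part of any post in this thread or of the HPE guide: a small Python model that parses Login-Service (attribute 15) out of a constructed Access-Accept and applies the check for a given access type. The function names, the sample packet builder and the treatment of a missing attribute as a reject (following the guide's "must contain the matching attribute value") are assumptions for illustration.

```python
import struct

ACCESS_ACCEPT = 2          # RADIUS packet code (RFC 2865)
LOGIN_SERVICE = 15         # RADIUS attribute 15
# Values from the guide quoted above: strict expects 50/51/52, loose expects 0.
STRICT = {"ssh": 50, "ftp": 51, "terminal": 52}
LOOSE = {"ssh": 0, "ftp": 0, "terminal": 0}


def build_accept(login_service=None, ident=1):
    """Build a constructed Access-Accept (zeroed authenticator, sample only)."""
    attrs = b""
    if login_service is not None:
        attrs = struct.pack("!BBI", LOGIN_SERVICE, 6, login_service)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, ident, 20 + len(attrs), b"\0" * 16)
    return header + attrs


def login_service_of(packet):
    """Return the Login-Service value of an Access-Accept, or None if absent."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pos = 20
    while pos + 2 <= length:                      # walk the type/length/value list
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        if a_type == LOGIN_SERVICE and a_len == 6:
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += a_len
    return None


def login_allowed(packet, access, check_mode="strict"):
    """Model of the documented rule: the Accept must carry the matching value."""
    expected = (STRICT if check_mode == "strict" else LOOSE)[access]
    return login_service_of(packet) == expected


if __name__ == "__main__":
    ssh_typed = build_accept(50)   # constructed reply for an account typed as SSH
    for access in ("ssh", "terminal"):
        print(access, login_allowed(ssh_typed, access))
```

Under the default strict mode, a reply carrying 50 passes for SSH and fails for a console (terminal) login, which is consistent with the behaviour reported in this thread.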