fantomas06
Occasional Advisor

Authentication radius in local connection on comware 7

Hello

I would like to know if it is possible to connect with a RADIUS server during a local connection?
If yes, how?

It worked well on older versions, but since Comware 7 I can't do it anymore.
Thank you for your help.

 

-Alex-
HPE Pro

Re: Authentication radius in local connection on comware 7

Hello fantomas06,

RADIUS authentication is the same, and enhanced; new features were added in Comware 7.

Please advise, with an example, which RADIUS authentication is not working for you in Comware 7 that has been working in Comware 5, and on which device, so that I can provide you with more details.

Thank you!

I am an HPE Employee


fantomas06
Occasional Advisor

Re: Authentication radius in local connection on comware 7

Hello

Thanks for your answer.

Here is a bit of the configuration that works on Comware 5 and doesn't work on Comware 7:

#
line class aux
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
authentication-mode scheme
user-role network-admin
idle-timeout 5 0
#
line vty 0 15
authentication-mode scheme
user-role network-operator
protocol inbound ssh
idle-timeout 2 0
#
line vty 16 63
user-role network-operator
#
ssh server enable
#
radius scheme system
user-name-format without-domain
#
radius scheme tl47
primary authentication @Ip
primary accounting @Ip
key authentication cipher password
key accounting cipher password
user-name-format without-domain
#
domain mpy47
authentication login radius-scheme tl47 none
authorization login radius-scheme tl47 none
accounting login radius-scheme tl47 none
#
domain system
#
domain default enable mpy47

#
local-user admin class manage
password hash password
service-type ssh telnet terminal
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user monitor class manage
password hash password
service-type ssh telnet terminal
authorization-attribute user-role network-operator
#

 

Thank you

-Alex-
HPE Pro

Re: Authentication radius in local connection on comware 7

Hello fantomas06,

You may try "line vty 0 63", or add to all VTY lines the same configuration that is under vty 0-15:

line vty 0 15
authentication-mode scheme
user-role network-operator
protocol inbound ssh
idle-timeout 2 0

This is in case the issue is logging in using SSH. If this does not help, please let me know the device and its software version, and also whether the issue is for SSH.

Hope this helps.


fantomas06
Occasional Advisor

Re: Authentication radius in local connection on comware 7

Hello

The problem does not come from the SSH connection but from the local connection through the console port.

I have this problem on all Comware 7 devices, but I am testing on a 5130.

Version: 7.1.070, Release 3506P02

-Alex-
HPE Pro

Re: Authentication radius in local connection on comware 7

Hello fantomas06,

Does this configuration work for SSH RADIUS authentication and fail only for the console connection?


fantomas06
Occasional Advisor

Re: Authentication radius in local connection on comware 7

Hello

Yes, quite!

This same configuration works perfectly on Comware 5, whether in SSH or console.

-Alex-
HPE Pro

Re: Authentication radius in local connection on comware 7

Hello fantomas06,

Thank you for your answer!

Please show the output from "display radius scheme" from the 5130 and remove any sensitive information (e.g. IPs, by replacing them with "x" and "y", etc.).

Check if RADIUS is active and not blocked.

Check if there is some blank space after some of the names. If it is working on the 5130 for SSH but not for console, a debug needs to be run.

Do you see requests for the console connection on the RADIUS server?

What are the attributes returned for the user, if you are seeing the communication between the RADIUS server and the 5130 for the console connection?


fantomas06
Occasional Advisor
Solution

Re: Authentication radius in local connection on comware 7

Hello

I think I found the problem. The exchanges between the equipment and the RADIUS server have been modified since the Comware 7 update.

On my RADIUS account, the "login type" is SSH, and it worked very well on Comware 5 with a local connection, but not on Comware 7. I created a second account with the "login type" set to Terminal, and it works.

It's more DIY than a real solution, but it works!

Sorry for my very bad English.

Thank you Alex

-Alex-
HPE Pro

Re: Authentication radius in local connection on comware 7

Hello fantomas06,

Great news that it is working now! Thank you for sharing the solution and your cooperation!

I will post the following, from the Fundamentals configuration guide of the 5130EI switch, in case the Login-Service attribute is used in the RADIUS setup:

Configuring the Login-Service attribute check method for SSH, FTP, and terminal users

About Login-Service attribute check methods
The device supports the following check methods for the Login-Service attribute (RADIUS attribute 15) of SSH, FTP, and terminal users:
• Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.
• Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.
An Access-Accept packet received for a user must contain the matching attribute value. Otherwise, the user cannot log in to the device.

Restrictions and guidelines
Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.

Procedure
1. Enter system view.
system-view
2. Enter RADIUS scheme view.
radius scheme radius-scheme-name
3. Configure the Login-Service attribute check method for SSH, FTP, and terminal users.
attribute 15 check-mode { loose | strict }
The default check method is strict.

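The Login-Service check quoted from the guide above, modelled in code so the thread's outcome can be reproduced offline. This is an added example, not code from this thread, from HPE or from Comware: it encodes and parses the RADIUS attribute section (type, length, value, per RFC 2865), then applies the strict/loose rule exactly as the guide states it. The Access-Accept contents are constructed for the example (a Service-Type of 6 and a Reply-Message are included only so the parser walks more than one attribute), and the handling of an Access-Accept that carries no Login-Service attribute at all follows the guide's wording (refuse) rather than a test against a real switch; treat that case as an assumption.

```python
import struct

LOGIN_SERVICE = 15      # RFC 2865 attribute type: Login-Service
SERVICE_TYPE = 6        # RFC 2865 attribute type: Service-Type
REPLY_MESSAGE = 18      # RFC 2865 attribute type: Reply-Message (text)

# Values the Comware 7 check looks for, as quoted from the guide above.
STRICT_VALUES = {"ssh": 50, "ftp": 51, "terminal": 52}
LOOSE_VALUE = 0         # the standard Login-Service value accepted in loose mode


def encode_int_attr(atype, value):
    """One RADIUS integer attribute: type(1) length(1)=6 value(4, big-endian)."""
    return struct.pack("!BBI", atype, 6, value)


def encode_text_attr(atype, text):
    """One RADIUS text attribute: type(1) length(1) value(variable, max 253 bytes)."""
    data = text.encode("utf-8")
    if len(data) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(data)) + data


def decode_attrs(data):
    """Walk the attribute section of a RADIUS packet and return (type, raw value) pairs.
    Truncated or self-inconsistent lengths are rejected instead of read past the buffer."""
    attrs = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def login_service_values(attrs):
    """All Login-Service (15) integer values present in a decoded attribute list."""
    return [struct.unpack("!I", raw)[0]
            for atype, raw in attrs if atype == LOGIN_SERVICE and len(raw) == 4]


def login_allowed(access_accept_attrs, service, check_mode="strict"):
    """Model the check as the guide states it: the Access-Accept must carry the Login-Service
    value matching the login service (50/51/52 in strict mode, 0 in loose mode); otherwise
    the login is refused.  An absent attribute therefore refuses (assumption taken from the
    guide's wording, not verified against a switch)."""
    if service not in STRICT_VALUES:
        raise ValueError("unknown login service %r" % service)
    if check_mode not in ("strict", "loose"):
        raise ValueError("unknown check mode %r" % check_mode)
    wanted = STRICT_VALUES[service] if check_mode == "strict" else LOOSE_VALUE
    return wanted in login_service_values(decode_attrs(access_accept_attrs))


def demo():
    """Constructed Access-Accept attribute sections (no packet header or authenticator) for
    the server-side profiles discussed in the thread; returns the outcome of each login."""
    # Profile the poster started with: server "login type" SSH -> Login-Service 50.
    ssh_profile = (encode_int_attr(SERVICE_TYPE, 6)             # Administrative-User
                   + encode_int_attr(LOGIN_SERVICE, 50)
                   + encode_text_attr(REPLY_MESSAGE, "welcome"))
    # Second account created as the workaround: "login type" Terminal -> Login-Service 52.
    terminal_profile = (encode_int_attr(SERVICE_TYPE, 6)
                        + encode_int_attr(LOGIN_SERVICE, 52))
    # A server that only issues the standard value 0 (the case for check-mode loose).
    standard_profile = encode_int_attr(LOGIN_SERVICE, 0)
    # A server that sends no Login-Service attribute at all (assumed refused, see above).
    no_login_service = encode_int_attr(SERVICE_TYPE, 6)

    return {
        "ssh_profile_via_ssh_strict": login_allowed(ssh_profile, "ssh"),
        "ssh_profile_via_console_strict": login_allowed(ssh_profile, "terminal"),
        "terminal_profile_via_console_strict": login_allowed(terminal_profile, "terminal"),
        "standard_profile_via_console_strict": login_allowed(standard_profile, "terminal"),
        "standard_profile_via_console_loose": login_allowed(standard_profile, "terminal", "loose"),
        "ssh_profile_via_console_loose": login_allowed(ssh_profile, "terminal", "loose"),
        "no_attr_via_console_strict": login_allowed(no_login_service, "terminal"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-40s %s" % (case, "ALLOW" if allowed else "REFUSE"))
```

Running it shows the two outcomes the thread reports: the SSH-typed account (value 50) passes an SSH login but is refused at the console under the default strict check, and the Terminal-typed account (value 52) passes at the console. The other path the guide offers, `attribute 15 check-mode loose` in the RADIUS scheme, only helps when the server issues the standard value 0; per the guide's restriction, a server that issues 50/51/52 should be left on strict, and the example's `ssh_profile_via_console_loose` case shows why (50 does not match 0).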