
Diego1
New Member

Can not log to administer router using Radius (Server 2008 r2)

 

I'm working with this switch, trying to force the use of RADIUS to log in to an SSH or web admin session.

 

CoreDim]display version
HP Comware Platform Software
Comware Software, Version 5.20.99, Release 2220P02
Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.
HP A5500-24G EI Switch with 2 Interface Slots uptime is 21 weeks, 3 days, 15 hours, 3 minutes

HP A5500-24G EI Switch with 2 Interface Slots with 1 Processor
256M    bytes SDRAM
32768K  bytes Flash Memory

Hardware Version is REV.C
CPLD Version is 002
Bootrom Version is 715
[SubSlot 0] 24GE+4SFP Hardware Version is REV.C
[SubSlot 2] 2 CX4 Hardware Version is REV.A

 

Current_Configuration

 

radius scheme radius
 server-type extended
 primary authentication 192.168.6.6 key cipher $c$3$XH5nG4/6YISxvYA9Po8Fcfx9W8lCLBc0nGR4
 user-name-format without-domain
 nas-ip 192.168.6.1

 

domain dimad
 authentication login radius-scheme radius local
 accounting login none
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

 

 

The radius server is Windows 2008R2 Server.

 

I type "domain default enable dimad"

And then try to log in via SSH (using local auth works fine)

using user "die1fue"

 

Console displays this warning

SSH/4/TrapAuthFailed:
SSH authentication fail trap information

 

In syslog

Sep 25 16:31:24:203 2015 SHELL Notification SHELL_LOGINFAIL SSH user die1fue failed to log in from 192.168.6.75 on VTY0.
Sep 25 16:31:24:198 2015 SC Notification SC_AAA_FAILURE -AAAType=AUTHEN-AAAScheme= radius-scheme radius-Service=login-UserName=die1fue@dimad; AAA is failed. Common.
Sep 25 16:31:24:061 2015 SC Information SC_AAA_LAUNCH -AAAType=AUTHEN-AAAScheme= radius-scheme radius-Service=login-UserName=die1fue@dimad; AAA launched.

 

If someone can give me some help I will agree

 

regards

Diego
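The three syslog lines in the post above are the most useful evidence in the thread: SC_AAA_LAUNCH, SC_AAA_FAILURE and SHELL_LOGINFAIL for the same login, 137 ms apart. As an added example (not part of the original post), the script below parses Comware 5 syslog lines of that shape, pairs each AAA launch with its outcome, attaches the source address from the SHELL event, and reports whether the failure came back fast (a server or scheme answered) or looked like a timeout. The sample input is those three lines, copied from the post; the 3000 ms timeout threshold is an assumed value, not taken from the switch config.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the three syslog lines quoted in the post, one per line.
# The switch lists newest first, so records are sorted by timestamp before correlating.
SAMPLE_LOG = """\
Sep 25 16:31:24:203 2015 SHELL Notification SHELL_LOGINFAIL SSH user die1fue failed to log in from 192.168.6.75 on VTY0.
Sep 25 16:31:24:198 2015 SC Notification SC_AAA_FAILURE -AAAType=AUTHEN-AAAScheme= radius-scheme radius-Service=login-UserName=die1fue@dimad; AAA is failed. Common.
Sep 25 16:31:24:061 2015 SC Information SC_AAA_LAUNCH -AAAType=AUTHEN-AAAScheme= radius-scheme radius-Service=login-UserName=die1fue@dimad; AAA launched.
"""

# Comware 5 syslog prefix: "Mon DD HH:MM:SS:mmm YYYY MODULE Severity MNEMONIC body"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}):(?P<ms>\d{3}) "
    r"(?P<year>\d{4}) (?P<module>\S+) (?P<severity>\S+) (?P<mnemonic>\S+) (?P<body>.*)$"
)
# Body of SC_AAA_* events: "-AAAType=AUTHEN-AAAScheme= radius-scheme radius-Service=login-UserName=x@dom; ..."
AAA_RE = re.compile(
    r"AAAType=(?P<aaa_type>\w+)-AAAScheme= (?P<scheme>.+?)-Service=(?P<service>\w+)"
    r"-UserName=(?P<user>[^;]+);"
)
# Body of SHELL_LOGINFAIL: "SSH user x failed to log in from a.b.c.d on VTY0."
LOGINFAIL_RE = re.compile(
    r"(?P<proto>\S+) user (?P<user>\S+) failed to log in from (?P<src>\S+) on (?P<line>\S+?)\.?$"
)


def parse_line(line: str):
    """Parse one Comware syslog line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['hms']} {m['year']}", "%b %d %H:%M:%S %Y")
    ts += timedelta(milliseconds=int(m["ms"]))
    rec = {"ts": ts, "module": m["module"], "mnemonic": m["mnemonic"]}
    body = m["body"]
    if m["mnemonic"].startswith("SC_AAA_"):
        a = AAA_RE.search(body)
        if a:
            rec.update(a.groupdict())
    elif m["mnemonic"] == "SHELL_LOGINFAIL":
        f = LOGINFAIL_RE.search(body)
        if f:
            rec.update(f.groupdict())
    return rec


def parse_log(text: str):
    """Parse every recognised line and return the records in chronological order."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return sorted(recs, key=lambda r: r["ts"])


def correlate(records, timeout_ms: int = 3000):
    """Pair each SC_AAA_LAUNCH with the next SC_AAA_FAILURE/SUCCESS for the same user,
    attach SHELL_LOGINFAIL source addresses, and flag whether the answer arrived well
    inside the (assumed) RADIUS response timeout."""
    result, pending = {}, {}
    for r in records:
        mn = r["mnemonic"]
        if mn == "SC_AAA_LAUNCH" and "user" in r:
            pending[r["user"]] = r
        elif mn in ("SC_AAA_FAILURE", "SC_AAA_SUCCESS") and r.get("user") in pending:
            launch = pending.pop(r["user"])
            d = r["ts"] - launch["ts"]
            latency = d.days * 86_400_000 + d.seconds * 1000 + d.microseconds // 1000
            result[r["user"]] = {
                "outcome": "failure" if mn == "SC_AAA_FAILURE" else "success",
                "scheme": r["scheme"],
                "service": r["service"],
                "latency_ms": latency,
                "server_answered": latency < timeout_ms,
                "sources": [],
            }
        elif mn == "SHELL_LOGINFAIL" and "user" in r:
            # SHELL events carry the bare login name; AAA events carry user@domain.
            for user, summary in result.items():
                if user.split("@")[0] == r["user"]:
                    summary["sources"].append(r["src"])
    return result


if __name__ == "__main__":
    for user, s in correlate(parse_log(SAMPLE_LOG)).items():
        print(user, s)
```

For the lines in the post this yields one entry for `die1fue@dimad`: outcome `failure`, scheme `radius-scheme radius`, 137 ms from launch to failure, source 192.168.6.75. A gap that short means the switch was not waiting out a RADIUS timeout; it got a definite rejection (or the scheme itself rejected), which points at the server's policy or returned attributes rather than at reachability.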

 

 

3 REPLIES
TerjeAFK
Respected Contributor

Re: Can not log to administer router using Radius (Server 2008 r2)

We are using Radius login on our Comware switches (5900), and here is our config which is working.

x.x.x.x is switch management IP address

y.y.y.y and z.z.z.z are our Radius servers

 

radius nas-ip x.x.x.x
#
radius scheme ourscheme
 primary authentication y.y.y.y
 primary accounting y.y.y.y
 secondary authentication z.z.z.z
 secondary accounting z.z.z.z
 key authentication cipher !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 key accounting cipher ##############
 user-name-format without-domain
 nas-ip x.x.x.x
#
domain ourdom
 authentication login radius-scheme ourscheme
 authorization login radius-scheme ourscheme
 accounting login radius-scheme ourscheme
#
 domain default enable ourdom
#

 

 

We use Aruba ClearPass as Radius servers, not NPS. One thing we had some problems with is the value that Radius should return to the Comware switch upon successful authentication. We finally got it to work with this attribute:

 

Type            Name            Value
Radius:Cisco    Cisco-AVPair    shell:roles=network-admin

 

Hope this helps.
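The attribute in the reply above travels in the Access-Accept as an RFC 2865 Vendor-Specific attribute (type 26) carrying vendor id 9 (Cisco) and sub-attribute 1 (Cisco-AVPair). As an added example that is not from the reply or from any RADIUS server's code, the encoder and decoder below build that attribute byte for byte and extract the role names from a received attribute list, so you can check what your NPS or ClearPass policy is actually sending (for instance from a packet capture) before blaming the switch. Vendor id and sub-attribute number are parameters, so other vendor attributes can be built the same way; the Session-Timeout attribute in the sample list is a constructed filler value.

```python
import struct

VENDOR_SPECIFIC = 26    # RFC 2865 attribute type for Vendor-Specific
CISCO_VENDOR_ID = 9     # IANA enterprise number used by Cisco-AVPair
CISCO_AVPAIR = 1        # vendor sub-attribute number of Cisco-AVPair
SESSION_TIMEOUT = 27    # ordinary RFC 2865 attribute, used here only as filler


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute:
    type(1) length(1) vendor-id(4) sub-type(1) sub-length(1) value."""
    # The outer length byte covers its own 2-byte header, the 4-byte vendor id and the
    # 2-byte sub-attribute header, so the value is capped at 255 - 8 bytes.
    if len(value) > 247:
        raise ValueError("VSA value too long for a single attribute")
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def cisco_avpair(value: str) -> bytes:
    """Cisco-AVPair VSA, e.g. cisco_avpair("shell:roles=network-admin")."""
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, value.encode("ascii"))


def decode_attributes(data: bytes):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def decode_vsa(value: bytes):
    """Return (vendor_id, [(sub_type, sub_value), ...]) for one Vendor-Specific value."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, i = [], 4
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-attribute header")
        st, sl = value[i], value[i + 1]
        if sl < 2 or i + sl > len(value):
            raise ValueError("bad sub-attribute length")
        subs.append((st, value[i + 2:i + sl]))
        i += sl
    return vendor_id, subs


def cisco_roles(attrs: bytes):
    """Role names granted by any Cisco-AVPair 'shell:roles=...' in an attribute list."""
    roles = []
    for t, v in decode_attributes(attrs):
        if t != VENDOR_SPECIFIC:
            continue
        vendor_id, subs = decode_vsa(v)
        if vendor_id != CISCO_VENDOR_ID:
            continue
        for st, sv in subs:
            if st == CISCO_AVPAIR and sv.startswith(b"shell:roles="):
                # Cisco syntax allows the role list to be quoted and space separated.
                roles.extend(sv[len(b"shell:roles="):].decode("ascii").strip('"').split())
    return roles


def sample_access_accept() -> bytes:
    """Constructed attribute list of an Access-Accept: the role VSA plus a filler."""
    return cisco_avpair("shell:roles=network-admin") + struct.pack("!BBI", SESSION_TIMEOUT, 6, 3600)


if __name__ == "__main__":
    print(cisco_avpair("shell:roles=network-admin").hex())
    print(cisco_roles(sample_access_accept()))
```

The encoded attribute for `shell:roles=network-admin` is 33 bytes: `1a 21`, then `00 00 00 09`, then `01 1b` and the 25-byte string. The length checks in the decoders matter: a RADIUS attribute list is length-prefixed at every level, and an off-by-one in either header is enough for a server and a NAS to disagree about where the role string ends.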

 

Emithez
Occasional Advisor

Re: Can not log to administer router using Radius (Server 2008 r2)

Any luck with this? I am having the same issue and no matter what vendor attribute/value combo I use I can't get logged in with admin privileges using admin RADIUS accounts. I can get in with diagnostic privileges only.

 

Thanks

AndreasSem
Occasional Visitor

Re: Can not log to administer router using Radius (Server 2008 r2)

To fix this make sure you have defined the "server-type extended" parameter in your radius scheme on the switch.

See the following excerpt:

server-type extended
primary authentication 1.1.1.1
primary accounting 1.1.1.1
secondary authentication 2.2.2.2
secondary accounting 2.2.2.2
key authentication cipher $c$3$12345678
key accounting cipher $c$3$12345678
user-name-format without-domain

 

I've just encountered the same issue and resolved it by altering the switch config that way.