Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

Comware 7 RADIUS Question

SOLVED
Go to solution
Dan17
Occasional Visitor

Comware 7 RADIUS Question

So we have recently moved to Comware 7 switches. We are using 5130's and 5510's.

I have been fiddling for the last few days trying to get RADIUS up and running on them and I managed to just about get it working. What I have to do to have a successful logon is add the FQDN to the end of the username so it looks something like this - admin@domain.nhs.local

On my current Comware 5 switches, i do not have to do this. I also have a few Procurves and Ciscos about and they don't require it either.

Here is the RADIUS config I have on my test 5130 (I have obviously removed a few lines):

version 7.1.070, Release 3208P03
#
 sysname RX219-ESW-18
#
 irf domain 5130
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 32
#
 port-security enable
 port-security timer autolearn aging 5
#
 ip unreachables enable
 ip ttl-expires enable
#
 lldp global enable
#
 password-recovery enable
#
vlan 1
#
vlan 100
 name [Management]
#
interface Vlan-interface1
 shutdown
#
interface Vlan-interface100
 description [Management-L3]
 ip address 192.168.0.2 255.255.255.0
#
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 authentication-mode scheme
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-operator
#
 ip route-static 0.0.0.0 0 192.168.0.1
#
 ssh server enable
#
 super password role network-admin hash XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#
radius scheme nhs
 primary authentication 192.168.0.3
 secondary authentication 192.168.0.4
 key authentication cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 user-name-format without-domain
#
domain #
#
domain domain.nhs.local
 authentication login radius-scheme rx2 none
 authorization login radius-scheme rx2 none
 accounting login radius-scheme rx2 none
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user Admin class manage
 password hash XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 service-type ssh terminal
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
return

 

 

Thanks for taking the time to look. It's not a show stopper, but it is really annoying :)

 

Dan

3 REPLIES
HP-Browniee
Respected Contributor
Solution

Re: Comware 7 RADIUS Question

Hello

I think you should review your domain config on your switch.  I have it working on one of my switches and the config looks like this:

radius scheme RadiusServer
 primary authentication 192.168.0.1
 key authentication cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 user-name-format without-domain
#
radius scheme system
 user-name-format without-domain
#
domain system
 authentication login radius-scheme RadiusServer local
 authorization login radius-scheme RadiusServer local
 accounting login none

Hope this helps you further.

 

Kind regards

TerjeAFK
Respected Contributor

Re: Comware 7 RADIUS Question

We use this config on our 5900 switches (Comware 7).

radius nas-ip x.x.x.x (switch mgmt-IP)
#
radius scheme ourscheme
 primary authentication y.y.y.y (IP address of primary Radius server)
 primary accounting y.y.y.y
 secondary authentication z.z.z.z (IP address of secondary Radius server)
 secondary accounting z.z.z.z
 key authentication cipher <secretcode>
 key accounting cipher <secretcode>
 user-name-format without-domain
 nas-ip x.x.x.x (switch mgmt-IP)
#
radius scheme system
 user-name-format without-domain
#
domain ourdomain
 authentication login radius-scheme ourscheme
 authorization login radius-scheme ourscheme
 accounting login radius-scheme ourscheme
#
domain system
 accounting login none
#
 domain default enable ourdomain
#

 

 

Dan17
Occasional Visitor

Re: Comware 7 RADIUS Question

Thanks so much for your replies. I made the assumption that the domain would like to be the same as our actual domain.

 

 

Thanks you!

 

Dan