12-02-2014 05:55 AM
HP 5900 RADIUS and SSH disconnection
Hello,
I have an IRF stack composed of 2x 5900 and 2x5920 switches.
I have a Windows NPS and configured the stack to use RADIUS.
I can successfully connect to my switches with an AD login, but when I connect using ssh, I don't get a prompt and I am instantaneously disconnected.
For example:
ssh 10.xxx.xxx.xxx -l lscharf
lscharf@xxx@10.xxx.xxx.xxx's password:
******************************************************************************
* Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Connection to 10.xxx.xxx.xxx closed.
Configuration looks like that:
line vty 0 63
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
 idle-timeout 30 5
radius scheme xxx
 primary authentication 10.xxx.xxx.1
 primary accounting 10.xxx.xxx.1
 secondary authentication 10.xxx.xxx.2
 secondary accounting 10.xxx.xxx.2
 key authentication cipher xxx
 key accounting cipher xxx
 user-name-format without-domain
#
radius scheme system
 user-name-format without-domain
#
domain xxx
 authentication login radius-scheme xxx local
 authorization login radius-scheme xxx local
 accounting login radius-scheme xxx local
In the Windows Event Viewer, nothing abnormal, the connection is granted.
In the logbuffer I have SSHS/6/SSHS_LOG: Accepted password for lscharf@xxx from 10.xxx.xxx.xxx port 33420 ssh2.
So everything looks OK but that SSH connection is actually not working.
Has anyone experienced that already and might have a solution for me?
Thanks !
12-03-2014 03:57 AM
Re: HP 5900 RADIUS and SSH disconnection
Hi lscharf
1 : Have you enabled the ssh server?
] ssh server enable
2: Have you generated the key infrastructure?
] public-key local create dsa
] public-key local create rsa
3: Looks like you might need to configure a radius authorisation server in your radius scheme.
In your domain xxx, you ask to use "authorization login radius-scheme xxx local", but you have no radius authorization in the radius scheme xxx.
4: also remember to set the default domain to xxx
] domain default enable xxx
if you use "ssh -l lscharf <management_ipaddress_of_switch>" and do not specify the domain explicitly.
NB: What software version are you running?
Regards
Region Midtjylland
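The checklist from the reply above, as an added example that is not part of the original posts: a script that checks a saved configuration for `ssh server enable`, a `domain default enable` line, and that each RADIUS scheme a domain references is defined with a matching primary server. The sample configuration is constructed, and treating authorization as served by the authentication server is an assumption (the `primary ?` help quoted later in the thread offers only accounting and authentication).

```python
import re

# Constructed sample in "display current-configuration" layout: "#" separates
# sections, headers start in column 0, their sub-commands are indented.
SAMPLE = """\
 ssh server enable
#
radius scheme xxx
 primary authentication 192.0.2.1
#
domain xxx
 authentication login radius-scheme xxx local
 accounting login radius-scheme yyy local
#
"""

def parse(text):
    """Split the config into global commands and radius-scheme/domain sections."""
    global_cmds, sections, current = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line.startswith(" "):
            current = None  # "#" or a new header ends the open section
        if re.fullmatch(r"(radius scheme|domain) \S+", line):
            current = line
            sections[line] = []
        elif current and line.startswith(" "):
            sections[current].append(line.strip())
        elif line.strip() not in ("", "#"):
            global_cmds.append(line.strip())
    return global_cmds, sections

def check(text):
    """Return findings for the checklist items that are visible in the config."""
    global_cmds, sections = parse(text)
    findings = []
    for needed in ("ssh server enable", "domain default enable "):
        if not any(c.startswith(needed) for c in global_cmds):
            findings.append(f"'{needed.strip()}' is missing")
    schemes = {h.split()[-1]: c for h, c in sections.items() if h.startswith("radius ")}
    refs = [(h, *m.groups()) for h, cmds in sections.items() if h.startswith("domain ")
            for cmd in cmds if (m := re.match(r"(\w+) login radius-scheme (\S+)", cmd))]
    for header, kind, name in refs:
        # Assumption: authorization is served by the authentication server.
        server = "primary accounting" if kind == "accounting" else "primary authentication"
        if name not in schemes:
            findings.append(f"{header}: {kind} uses undefined radius scheme {name}")
        elif not any(c.startswith(server + " ") for c in schemes[name]):
            findings.append(f"radius scheme {name}: no {server} server for {kind}")
    return findings
```

`check(SAMPLE)` reports the missing default domain and the accounting line that points at the undefined scheme `yyy`.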
12-03-2014 04:48 AM - edited 12-03-2014 05:06 AM
Re: HP 5900 RADIUS and SSH disconnection
Hello sdide,
I have ssh enabled and key generated as I am able to connect using the local admin account.
How do I configure that authorization in the radius scheme? As far as I'm aware, authorization uses the authentication setup.
[HP-radius-xxx]primary ?
accounting Specify the primary RADIUS accounting server
authentication Specify the primary RADIUS authentication server
If I remove the authorization attribute in the domain setup, I am unable to ssh to the device with my AD login; I don't even get the warning anymore.
Regarding the version, I'm running the following:
HP Comware Software, Version 7.1.045, Release 2311P01
Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P.
HP 5900AF-48XG-4QSFP+ Switch uptime is 10 weeks, 5 days, 23 hours, 12 minutes
Last reboot reason : Power on
Boot image: flash:/5900_5920-cmw710-boot-r2311p01.bin
Boot image version: 7.1.045P15, Release 2311P01
Compiled Jul 16 2014 12:17:18
System image: flash:/5900_5920-cmw710-system-r2311p01.bin
System image version: 7.1.045, Release 2311P01
Compiled Jul 16 2014 12:17:28
Thanks for your help.
12-03-2014 05:10 AM
Re: HP 5900 RADIUS and SSH disconnection
Hi lscharf
I had a lot of trouble getting hwtacacs working on my 5900s.
I was using some old software and did a lot of debugging, but when I upgraded the software, the "problem" vanished (or rather the switch started behaving as intended), so that's why I asked about the software version.
Apart from that, try playing with:
<user-view>terminal monitor
<user-view>terminal logging level 7
<user-view> debugging radius [all, error, event]
<user-view> debugging ssh server [all, error, event, message]
<user-view> debugging role [all, error, event]
(what log-messages do you see)
and see what happens when you try logging on via the radius, if you can make such a setup.
Regards
Region Midtjylland