lscharf
Occasional Collector

HP 5900 RADIUS and SSH disconnection

Hello,

I have an IRF stack composed of 2x 5900 and 2x 5920 switches.

I have a Windows NPS and configured the stack to use RADIUS.

I can successfully connect to my switches with an AD login, but when I connect using SSH, I don't get a prompt and I am instantaneously disconnected.

For example:

ssh 10.xxx.xxx.xxx -l lscharf
lscharf@xxx@10.xxx.xxx.xxx's password:

******************************************************************************
* Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P.          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

Connection to 10.xxx.xxx.xxx closed.

Configuration looks like this:

line vty 0 63
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
 idle-timeout 30 5

radius scheme xxx
 primary authentication 10.xxx.xxx.1
 primary accounting 10.xxx.xxx.1
 secondary authentication 10.xxx.xxx.2
 secondary accounting 10.xxx.xxx.2
 key authentication cipher xxx
 key accounting cipher xxx
 user-name-format without-domain
#
radius scheme system
 user-name-format without-domain
#
domain xxx
 authentication login radius-scheme xxx local
 authorization login radius-scheme xxx local
 accounting login radius-scheme xxx local

In the Windows Event Viewer, nothing abnormal; the connection is granted.

In the logbuffer I have: SSHS/6/SSHS_LOG: Accepted password for lscharf@xxx from 10.xxx.xxx.xxx port 33420 ssh2.

So everything looks OK, but that SSH connection is actually not working.

Has anyone experienced that already and might have a solution for me?

Thanks!

sdide
Respected Contributor

Re: HP 5900 RADIUS and SSH disconnection

Hi lscharf

1: Have you enabled the SSH server?

] ssh server enable

2: Have you generated the key infrastructure?

] public-key local create dsa
] public-key local create rsa

3: Looks like you might need to configure a RADIUS authorization server in your RADIUS scheme.

In your domain xxx, you ask to use "authorization login radius-scheme xxx local", but you have no RADIUS authorization in the RADIUS scheme xxx.

4: Also remember to set the default domain to xxx

] domain default enable xxx

if you use "ssh -l lscharf <management_ipaddress_of_switch>" and do not specify the domain explicitly.

NB: What software version are you running?

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland
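The symptom in the thread (the SSHS "Accepted password" log line is written, the banner is printed, then the session closes) is what you get when authentication succeeds but the switch is told nothing about what the user is allowed to do. A quick way to check what the NPS is actually sending back is to capture the Access-Accept and decode it. The script below is an added example for this thread, not code from the original post, from HPE or from Microsoft: it parses a RADIUS Access-Accept, checks the Response Authenticator against the request authenticator and shared secret (RFC 2865, section 3), and reports whether the reply carries a role assignment. It assumes the role is delivered as a Cisco-AVPair (vendor 9, sub-attribute 1) of the form shell:roles="network-admin"; if your server uses a different vendor attribute for the role, adjust user_roles() accordingly. Both packets, the secret and the request authenticator are constructed inline so the script runs offline.

```python
"""Decode a RADIUS Access-Accept and report whether it assigns a user role.

Added example for this thread, not code from the original post or from the
switch vendor. Assumption: the role arrives as a Cisco-AVPair (vendor 9,
sub-attribute 1) shaped like shell:roles="network-admin". The packets,
shared secret and request authenticator below are constructed for the demo.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def avp(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific (26) attribute."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def parse_attributes(payload):
    """Return a list of attribute dicts; Vendor-Specific is expanded into
    one dict per sub-attribute with vendor and subtype filled in."""
    out, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", payload[pos:pos + 2])
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length")
        value = payload[pos + 2:pos + length]
        pos += length
        if t == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub, spos = value[4:], 0
            while spos + 2 <= len(sub):
                st, sl = struct.unpack("!BB", sub[spos:spos + 2])
                if sl < 2 or spos + sl > len(sub):
                    raise ValueError("bad VSA sub-attribute length")
                out.append({"type": t, "vendor": vendor, "subtype": st,
                            "value": sub[spos + 2:spos + sl]})
                spos += sl
        else:
            out.append({"type": t, "value": value})
    return out


def user_roles(attrs):
    """Collect role names from Cisco-AVPair shell:roles="a b" values."""
    roles = []
    for a in attrs:
        if (a["type"] == ATTR_VENDOR_SPECIFIC and a.get("vendor") == CISCO_VENDOR_ID
                and a.get("subtype") == CISCO_AVPAIR):
            text = a["value"].decode(errors="replace")
            if text.startswith("shell:roles="):
                roles.extend(text[len("shell:roles="):].strip('"').split())
    return roles


def analyze(packet, request_auth, secret):
    """Verify the Response Authenticator and report code, roles and whether
    the reply actually authorizes a role (the thing the switch needs)."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field mismatch")
    head, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + body + secret).digest()
    roles = user_roles(parse_attributes(body))
    return {"code": code,
            "authentic": hmac.compare_digest(expected, resp_auth),
            "roles": roles,
            "role_assigned": code == CODE_ACCESS_ACCEPT and bool(roles)}


# Constructed sample data: made-up shared secret and request authenticator.
SECRET = b"xxx-shared-secret"
REQUEST_AUTH = bytes(range(16))

# NPS reply that authenticates AND authorizes a role.
ACCEPT_WITH_ROLE = build_access_accept(7, REQUEST_AUTH, SECRET, [
    avp(ATTR_USER_NAME, b"lscharf"),
    cisco_avpair('shell:roles="network-admin"'),
])
# Same reply with no authorization attribute: authenticated, but the switch
# is told nothing about which role to grant.
ACCEPT_WITHOUT_ROLE = build_access_accept(8, REQUEST_AUTH, SECRET, [
    avp(ATTR_USER_NAME, b"lscharf"),
])

if __name__ == "__main__":
    for name, pkt in (("with role", ACCEPT_WITH_ROLE),
                      ("without role", ACCEPT_WITHOUT_ROLE)):
        print(name, analyze(pkt, REQUEST_AUTH, SECRET))
```

To use it on a real exchange, export the Access-Request and Access-Accept UDP payloads from a capture, feed the 16-byte authenticator of the request and the scheme's shared secret to analyze(), and look at "role_assigned": an authentic Access-Accept with an empty roles list is exactly the "logged in, then dropped" case; a False "authentic" means the secret on the switch and on the NPS do not match or the capture is mangled.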
lscharf
Occasional Collector

Re: HP 5900 RADIUS and SSH disconnection

Hello sdide,

I have SSH enabled and keys generated, as I am able to connect using the local admin account.

How do I configure that authorization in the RADIUS scheme? As far as I'm aware, authorization uses the authentication setup.

[HP-radius-xxx]primary ?
  accounting      Specify the primary RADIUS accounting server
  authentication  Specify the primary RADIUS authentication server

If I remove the authorization attribute in the domain setup, I am unable to SSH to the device with my AD login; I don't even get the warning anymore.

Regarding the version, I'm running the following:

HP Comware Software, Version 7.1.045, Release 2311P01
Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P.
HP 5900AF-48XG-4QSFP+ Switch uptime is 10 weeks, 5 days, 23 hours, 12 minutes
Last reboot reason : Power on

Boot image: flash:/5900_5920-cmw710-boot-r2311p01.bin
Boot image version: 7.1.045P15, Release 2311P01
  Compiled Jul 16 2014 12:17:18
System image: flash:/5900_5920-cmw710-system-r2311p01.bin
System image version: 7.1.045, Release 2311P01
  Compiled Jul 16 2014 12:17:28

Thanks for your help.

sdide
Respected Contributor

Re: HP 5900 RADIUS and SSH disconnection

Hi lscharf

I had a lot of trouble getting hwtacacs working on my 5900s.

I was using some old software and did a lot of debugging, but when I upgraded the software, the "problem" vanished (or rather, the switch started behaving as intended), so that's why I asked about the software version.

Apart from that, try playing with:

<user-view> terminal monitor
<user-view> terminal logging level 7
<user-view> debugging radius [all, error, event]
<user-view> debugging ssh server [all, error, event, message]
<user-view> debugging role [all, error, event]

(What log messages do you see?)

And see what happens when you try logging on via RADIUS, if you can make such a setup.

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland