12-02-2014 05:55 AM
HP 5900 RADIUS and SSH disconnection
Hello,
I have an IRF stack composed of 2x 5900 and 2x5920 switches.
I have a Windows NPS and configured the stack to use RADIUS.
I can successfully connect to my switches with an AD login, but when I connect using ssh, I don't get a prompt and I am instantaneously disconnected.
For example:
    ssh 10.xxx.xxx.xxx -l lscharf
    lscharf@xxx@10.xxx.xxx.xxx's password:
    ******************************************************************************
    * Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P.          *
    * Without the owner's prior written consent,                                 *
    * no decompiling or reverse-engineering shall be allowed.                    *
    ******************************************************************************
    Connection to 10.xxx.xxx.xxx closed.
The configuration looks like this:
    line vty 0 63
     authentication-mode scheme
     user-role network-operator
     protocol inbound ssh
     idle-timeout 30 5
    radius scheme xxx
     primary authentication 10.xxx.xxx.1
     primary accounting 10.xxx.xxx.1
     secondary authentication 10.xxx.xxx.2
     secondary accounting 10.xxx.xxx.2
     key authentication cipher xxx
     key accounting cipher xxx
     user-name-format without-domain
    #
    radius scheme system
     user-name-format without-domain
    #
    domain xxx
     authentication login radius-scheme xxx local
     authorization login radius-scheme xxx local
     accounting login radius-scheme xxx local
In the Windows Event Viewer, nothing abnormal, the connection is granted.
In the logbuffer I have SSHS/6/SSHS_LOG: Accepted password for lscharf@xxx from 10.xxx.xxx.xxx port 33420 ssh2.
So everything looks OK but that SSH connection is actually not working.
Has anyone experienced that already and might have a solution for me?
Thanks!
12-03-2014 03:57 AM
Re: HP 5900 RADIUS and SSH disconnection
Hi lscharf
1: Have you enabled the ssh server?
    ] ssh server enable
2: Have you generated the key infrastructure?
    ] public-key local create dsa
    ] public-key local create rsa
3: Looks like you might need to configure a radius authorisation server in your radius scheme.
In your domain xxx, you ask to use "authorization login radius-scheme xxx local", but you have no radius authorization in the radius scheme xxx.
4: Also remember to set the default domain to xxx
    ] domain default enable xxx
if you use "ssh -l lscharf <management_ipaddress_of_switch>" and do not specify the domain explicitly.
NB: What software version are you running?
Regards
Region Midtjylland
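Added example, not part of the original posts and not HP code: a small check of a saved Comware configuration for the checklist items above that are visible in the configuration text (SSH server enabled, default domain set, and every RADIUS scheme a domain refers to being defined with the matching primary server). The function names and the 192.0.2.x addresses are assumptions made for illustration; key generation does not appear in the configuration text and is not checked.

```python
import re

# Constructed sample based on the first post's excerpt ("xxx" placeholders kept).
SAMPLE = """\
radius scheme xxx
 primary authentication 192.0.2.1
 primary accounting 192.0.2.1
#
domain xxx
 authentication login radius-scheme xxx local
 authorization login radius-scheme xxx local
 accounting login radius-scheme xxx local
"""

def parse_sections(text):
    """Group indented sub-commands under their unindented header line."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "#":
            current = None
        elif line[0].isspace() and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def check_login_aaa(text):
    """Hypothetical helper: report checklist items visible in the config."""
    sec, findings = parse_sections(text), []
    if "ssh server enable" not in sec:
        findings.append("ssh server enable is missing")
    domains = [h.split()[1] for h in sec if re.fullmatch(r"domain \S+", h)]
    default = [h.split()[-1] for h in sec if h.startswith("domain default enable ")]
    if not default:
        findings.append("domain default enable is not set")
    elif default[0] not in domains:
        findings.append(f"default domain {default[0]} is not defined")
    for name in domains:
        body = "\n".join(sec[f"domain {name}"])
        for kind, scheme in re.findall(r"^(\w+) login radius-scheme (\S+)", body, re.M):
            # A scheme offers only authentication and accounting servers (see the CLI help in the thread).
            need = "accounting" if kind == "accounting" else "authentication"
            cmds = sec.get(f"radius scheme {scheme}")
            if cmds is None:
                findings.append(f"domain {name}: {kind} uses undefined scheme {scheme}")
            elif not any(c.startswith(f"primary {need} ") for c in cmds):
                findings.append(f"scheme {scheme}: no primary {need} server for {kind}")
    return findings
```

Run `check_login_aaa()` on the text of the saved configuration; an empty list means none of these items is missing from the text.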
12-03-2014 04:48 AM - edited 12-03-2014 05:06 AM
Re: HP 5900 RADIUS and SSH disconnection
Hello sdide,
I have ssh enabled and key generated as I am able to connect using the local admin account.
How do I configure that authorization in the radius scheme? As far as I'm aware, authorization uses the authentication setup.
    [HP-radius-xxx]primary ?
      accounting      Specify the primary RADIUS accounting server
      authentication  Specify the primary RADIUS authentication server
If I remove the authorization attribute in the domain setup, I am unable to ssh the device with my AD login, I don't even get the warning anymore.
Regarding the version, I'm running the following:
    HP Comware Software, Version 7.1.045, Release 2311P01
    Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P.
    HP 5900AF-48XG-4QSFP+ Switch uptime is 10 weeks, 5 days, 23 hours, 12 minutes
    Last reboot reason : Power on
    Boot image: flash:/5900_5920-cmw710-boot-r2311p01.bin
    Boot image version: 7.1.045P15, Release 2311P01
    Compiled Jul 16 2014 12:17:18
    System image: flash:/5900_5920-cmw710-system-r2311p01.bin
    System image version: 7.1.045, Release 2311P01
    Compiled Jul 16 2014 12:17:28
Thanks for your help.
12-03-2014 05:10 AM
Re: HP 5900 RADIUS and SSH disconnection
Hi lscharf
I had a lot of trouble getting hwtacacs working on my 5900s.
I was using some old software and did a lot of debugging, but when I upgraded the software, the "problem" vanished (or rather the switch started behaving like intended), so that's why I asked about the software version.
Apart from that, try playing with:
    <user-view>terminal monitor
    <user-view>terminal logging level 7
    <user-view> debugging radius [all, error, event]
    <user-view> debugging ssh server [all, error, event, message]
    <user-view> debugging role [all, error, event]
(what log messages do you see?)
and see what happens when you try logging on via the radius, if you can make such a setup.
Regards
Region Midtjylland