09-20-2013 06:44 AM
HP 5900 hwtacacs comware 7.
Hey,
I'm trying to make the HP5900 run AAA against a tacacs server.
Problem is, I can't seem to figure out how to make it work.
I have a problem somewhere, either configuring the tac_plus server or configuring the switch.
The symptoms are that I log on and immediately get logged off.
If I enable the default user role ("role default-role enable"), I can log on, but I'm being assigned the default role network-operator, and I need network-admin.
Using "debugging hwtacacs all" and "debugging role all", this is (shortened to the last entries) what I see when I try logging on (undo role default-role enable):
<beginquote>
*Jan 9 05:41:53:109 2011 <switch> TACACS/7/EVENT:
PAM_TACACS: Sending request packet.
*Jan 9 05:41:53:109 2011 <switch> TACACS/7/send_packet:
version: 0xc0 type: AUTHOR_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0x1a1d8820
length of payload: 44
authen_method: TACACSPLUS priv_lvl: 0 authen_type: ASCII authen_service: LOGIN
user_len: 5 port_len: 0 rem_len: 12 arg_cnt: 2
arg0_len: 13 arg1_len: 4
user: <user>
port:
rem_addr: <tac-plus_server>
arg0: service=shell arg1: cmd*
*Jan 9 05:41:53:110 2011 <switch> TACACS/7/EVENT:
PAM_TACACS: Receiving reply packet.
*Jan 9 05:41:53:117 2011 <switch> TACACS/7/recv_packet:
version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0x1a1d8820
length of payload: 69
Status: STATUS_PASS_ADD arg_cnt: 3 server_msg len: 0 data len: 0
arg0_len: 12 arg1_len: 21 arg2_len: 27
server_msg:
data:
arg0: idletime=120 arg1: roles="network-admin"
arg2: shell:roles="network-admin"
*Jan 9 05:41:53:117 2011 <switch> TACACS/7/EVENT:
PAM_TACACS: Processing authorization reply packet.
*Jan 9 05:41:53:117 2011 <switch> TACACS/7/EVENT:
PAM_TACACS: Processing authorization reply data, Reply Type: SUCCESS.
*Jan 9 05:41:53:118 2011 <switch> TACACS/7/EVENT:
PAM_TACACS: Succeeding in processing TACACS authorization.
%Jan 9 05:41:53:118 2011 <switch> SSHS/6/SSHLOG: Accepted password for <user> from <tac-plus_server> port 51298 ssh2.
*Jan 9 05:41:53:185 2011 <switch> RBAC/7/ERROR: Failed to set the user role.
%Jan 9 05:41:53:195 2011 <switch> SSHS/6/SSHLOG: User <user> logged out from <tac-plus_server> port 51298.
<endquote>
In this instance I send: roles="network-admin", and shell:roles="network-admin", and trust me, I have tried many permutations of AV pairs.
The 5900 runs "System image version: 7.1.023, Release 2108P03"
The 5900 is configured (tacacs-wise) as:
"
user-interface vty 0 15
authentication-mode scheme
user-role network-admin
idle-timeout 30 0
ssh server enable
undo ssh server compatible-ssh1x
hwtacacs scheme <tac-scheme>
primary authentication <tac-plus_server>
primary authorization <tac-plus_server>
key authentication cipher <keycipher1>
key authorization cipher <keycipher1>
user-name-format keep-original
domain <domain-name>
authentication default hwtacacs-scheme <tac-scheme>
authorization default hwtacacs-scheme <tac-scheme>
domain default enable <domain-name>
"
What AV pairs do I need to send to the switch to give me network-admin privilege?
Regards Søren
Region Midtjylland
09-22-2013 01:29 AM
Re: HP 5900 hwtacacs comware 7.
Hi.
Just another comment. (I haven't solved the issue.)
But if someone using tacacs and comware 7 has a working setup, could they enable hwtacacs debugging ("debugging hwtacacs all") on the switch and send me what they receive on the switch.
Especially the TACACS/7/recv_packet: entry.
Mine was (my clock is off, need to check my ntp settings as well, I think :)
"
*Jan 9 05:41:53:117 2011 <switch> TACACS/7/recv_packet:
version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0x1a1d8820
length of payload: 69
Status: STATUS_PASS_ADD arg_cnt: 3 server_msg len: 0 data len: 0
arg0_len: 12 arg1_len: 21 arg2_len: 27
server_msg:
data:
arg0: idletime=120 arg1: roles="network-admin"
arg2: shell:roles="network-admin"
"
As you'll note from the log in my previous post, the error I get (later in the log) is not a tacacs one but an RBAC one, namely:
"
*Jan 9 05:41:53:185 2011 <switch> RBAC/7/ERROR: Failed to set the user role.
"
And immediately after that I get logged off.
I'm thinking this is because I send the wrong AV pairs. But I traversed what documentation I could find, which is sparse, and I can't seem to find it.
On a side note: in the aforementioned sparse documentation (e.g. http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c03189486/c03189486.pdf), I read - and I quote page 44 - the note:
Of course I tried to set a bunch of different Exec Privilege AV pairs also, to no avail.
Regards
Søren Dideriksen
Region Midtjylland
09-22-2013 02:04 PM
Re: HP 5900 hwtacacs comware 7.
Hi,
Did you check these posts:
http://h30499.www3.hp.com/t5/Comware-Based/5900-v7-2-and-Radius/m-p/6049491/highlight/true#M4165
For radius, the AV-pair to be used is the Cisco-AV pair and the service-type telnet/ssh; not sure on the tacacs however, I still need to test that one.
Best regards, Peter
09-23-2013 02:04 AM
Re: HP 5900 hwtacacs comware 7.
Hi Peter,
I already read
which is where I got a lot of ideas to try out, but it did not help me.
The other thread
http://h30499.www3.hp.com/t5/Comware-Based/5900-v7-2-and-Radius/m-p/6049491/highlight/true#M4165
is interesting because it seems to be the exact same problem just with a radius server. The original poster hasn't replied, so I'm not sure if the proposed solution worked.
Regards
Region Midtjylland
09-23-2013 02:31 PM
Re: HP 5900 hwtacacs comware 7.
Hi Søren,
I verified the config with the free tacacs.net server. It was a bit of trial and error (I got confused with the cisco-avpair which is used in the Radius config, which does not seem to be used on the tacacs config).
So on the tacacs.net server there were 2 methods to get it working:
1/ CMW7 compatibility behavior: configure the old priv level 15 and comware 7 will interpret it as the level-15 role.
Sample tacacs.net authorization (needs inserting in the authorization.xml file):
<Authorization>
<UserGroups>
<UserGroup>Local System Administrators</UserGroup>
</UserGroups>
<ClientGroups>
<ClientGroup>HP-Switches</ClientGroup>
</ClientGroups>
<AutoExec>
<Set>priv-lvl=15</Set>
</AutoExec>
<Shell>
<Permit>.*</Permit>
</Shell>
<Services>
</Services>
</Authorization>
2/ CMW7 role assignment : configure the role name.
<Authorizations>
<Authorization>
<UserGroups>
<UserGroup>Local System Administrators</UserGroup>
</UserGroups>
<ClientGroups>
<ClientGroup>HP-Switches</ClientGroup>
</ClientGroups>
<AutoExec>
<Set>roles="network-admin"</Set>
</AutoExec>
<Shell>
<Permit>.*</Permit>
</Shell>
<Services>
</Services>
</Authorization>
</Authorizations>
Hope this works for you,
Best regards, Peter
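Added example, not code from this thread, from HP or from tacacs.net: it encodes and decodes the TACACS+ authorization REPLY body (RFC 8907 section 6.2) so that the 69-byte payload and the three arguments in Søren's "debugging hwtacacs all" output can be reproduced byte for byte, and it extracts the two role-bearing attributes that Peter's two methods rely on (priv-lvl=15 mapped to the level-15 role, and roles="network-admin"). The attribute names and the level-N mapping come from the thread; the function names and the sample argument list are my own constructions.

```python
import struct

TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01  # status value shown as STATUS_PASS_ADD in the debug log
# Constructed from the three arguments in the 'TACACS/7/recv_packet' debug output above.
THREAD_REPLY_ARGS = ['idletime=120', 'roles="network-admin"', 'shell:roles="network-admin"']

def encode_author_reply(status, args, server_msg=b"", data=b""):
    """Body layout (RFC 8907 s6.2): status(1) arg_cnt(1) server_msg_len(2) data_len(2)
    arg_len[arg_cnt], followed by server_msg, data and the argument strings in that order."""
    arg_bytes = [a.encode("ascii") for a in args]
    body = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), len(data))
    body += bytes(len(a) for a in arg_bytes)   # one length byte per argument
    return body + server_msg + data + b"".join(arg_bytes)

def decode_author_reply(body):
    """Inverse of encode_author_reply; rejects bodies whose lengths do not add up."""
    status, arg_cnt, sm_len, d_len = struct.unpack("!BBHH", body[:6])
    arg_lens, pos = body[6:6 + arg_cnt], 6 + arg_cnt
    server_msg, pos = body[pos:pos + sm_len], pos + sm_len
    data, pos = body[pos:pos + d_len], pos + d_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii"))
        pos += n
    if pos != len(body):
        raise ValueError("authorization reply length does not match its headers")
    return status, server_msg, data, args

def split_avpair(arg):
    """'attr=value' is a mandatory pair, 'attr*value' an optional one (RFC 8907 s8.2);
    the first '=' or '*' is the separator. Returns (name, value, mandatory)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:].strip('"'), ch == "="
    raise ValueError(f"malformed AV pair: {arg!r}")

def comware_role_hints(args):
    """Collect the role-bearing attributes discussed in the thread: priv-lvl=N (method 1,
    which Comware 7 maps to the level-N role) and roles="name" (method 2)."""
    hints = {}
    for arg in args:
        name, value, _mandatory = split_avpair(arg)
        if name == "priv-lvl":
            hints["level-role"] = f"level-{int(value)}"
        elif name == "roles":
            hints["roles"] = value
    return hints
```

Running the encoder over THREAD_REPLY_ARGS gives exactly the 69-byte payload and the 12/21/27 argument lengths from the log, which is a quick way to confirm a reply is well-formed before looking at the switch's RBAC side as Søren did.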
05-07-2014 03:23 AM
Re: HP 5900 hwtacacs comware 7.
Any update on this issue?
Did you manage to find a solution?
Thanks in advance
05-07-2014 03:28 AM
Re: HP 5900 hwtacacs comware 7.
The two attributes assigned on OMC Tacacs are:
priv-lvl=15
roles="network-admin"
06-24-2014 04:22 AM
Re: HP 5900 hwtacacs comware 7.
Hi Sam,
I have solved the issue.
I think the problem was in the software version.
I currently run 7.1.035, Release 2210, and 7.1.045, Release 2307 on various 5900s.
Here is what I configured.
] display current-configuration configuration hwtacacs
hwtacacs scheme <tacacs-scheme-name>
primary authentication <ip-of-primary-tac+-server>
primary authorization <ip-of-primary-tac+-server>
primary accounting <ip-of-primary-tac+-server>
secondary authentication <ip-of-secondary-tac+-server>
secondary authorization <ip-of-secondary-tac+-server>
secondary accounting <ip-of-secondary-tac+-server>
key authentication cipher <authen-cipher>
key authorization cipher <autho-cipher>
key accounting cipher <accounting-cipher>
user-name-format keep-original
] display current-configuration configuration isp
domain <domain-name>
authentication login hwtacacs-scheme <tacacs-scheme-name>
authorization login hwtacacs-scheme <tacacs-scheme-name>
accounting login hwtacacs-scheme <tacacs-scheme-name>
]display current-configuration configuration system
...
domain default enable <domain-name>
The only thing the tacplus server sends is
priv-lvl = 15
So that works for me now.
Regards
Søren Dideriksen
Region Midtjylland
07-26-2018 03:11 AM
Re: HP 5900 hwtacacs comware 7.
Hi,
Thanks a lot for your post, it saved a lot of my time.
Thanks and regards,
Ashok Kumar Sunkara.