sdide
Respected Contributor

HP 5900 hwtacacs comware 7.

Hey,

I'm trying to make the HP5900 run AAA against a tacacs server.

 

Problem is, I can't seem to figure out how to make it work.

I have a problem somewhere, either configuring the tac_plus server or configuring the switch.

 

The symptoms are that I log on and immediately get logged off.

If I enable the default user role ("role default-role enable"), I can log on, but I'm being assigned the default role network-operator, and I need network-admin.

 

Using "debugging hwtacacs all" and "debugging role all", this is (shortened to the last entries) what I see when I try logging on (undo role default-role enable):

 

<beginquote>

*Jan  9 05:41:53:109 2011 <switch> TACACS/7/EVENT:
PAM_TACACS: Sending request packet.
*Jan  9 05:41:53:109 2011 <switch> TACACS/7/send_packet:
version: 0xc0  type: AUTHOR_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
session-id: 0x1a1d8820
length of payload: 44
authen_method: TACACSPLUS  priv_lvl: 0  authen_type: ASCII  authen_service: LOGIN
user_len: 5   port_len: 0   rem_len: 12   arg_cnt: 2
arg0_len: 13    arg1_len: 4
user: <user>
port:
rem_addr: <tac-plus_server>
arg0: service=shell  arg1: cmd*
*Jan  9 05:41:53:110 2011 <switch> TACACS/7/EVENT:
PAM_TACACS: Receiving reply packet.
*Jan  9 05:41:53:117 2011 <switch> TACACS/7/recv_packet:
version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0x1a1d8820
length of payload: 69
Status: STATUS_PASS_ADD  arg_cnt: 3  server_msg len: 0  data len: 0
arg0_len: 12    arg1_len: 21    arg2_len: 27
server_msg:
data:
arg0: idletime=120  arg1: roles="network-admin"
arg2: shell:roles="network-admin"
*Jan  9 05:41:53:117 2011 <switch> TACACS/7/EVENT:
PAM_TACACS: Processing authorization reply packet.
*Jan  9 05:41:53:117 2011 <switch> TACACS/7/EVENT:
PAM_TACACS: Processing authorization reply data, Reply Type: SUCCESS.
*Jan  9 05:41:53:118 2011 <switch> TACACS/7/EVENT:
PAM_TACACS: Succeeding in processing TACACS authorization.
%Jan  9 05:41:53:118 2011 <switch> SSHS/6/SSHLOG: Accepted password for <user> from <tac-plus_server> port 51298 ssh2.

*Jan  9 05:41:53:185 2011 <switch> RBAC/7/ERROR: Failed to set the user role.
%Jan  9 05:41:53:195 2011 <switch> SSHS/6/SSHLOG: User <user> logged out from <tac-plus_server> port 51298.
<endquote>

 

In this instance I send roles="network-admin" and shell:roles="network-admin", and, trust me, I have tried many permutations of AV pairs.

The 5900 runs "System image version: 7.1.023, Release 2108P03"

 

The 5900 is configured (tacacs-wise) as:

"

user-interface vty 0 15
 authentication-mode scheme
 user-role network-admin
 idle-timeout 30 0

 

ssh server enable

undo ssh server compatible-ssh1x

 

hwtacacs scheme <tac-scheme>
 primary authentication <tac-plus_server>
 primary authorization <tac-plus_server>
 key authentication cipher <keycipher1>
 key authorization cipher <keycipher1>
 user-name-format keep-original

domain <domain-name>
 authentication default hwtacacs-scheme <tac-scheme>
 authorization default hwtacacs-scheme <tac-scheme>

domain default enable <domain-name>
"

 

What AV pairs do I need to send to the switch to give me network-admin privilege?

 

Regards Søren

 

 

Søren Dideriksen, Network Administrator
Region Midtjylland
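Added example, not part of the original post or of HP's tooling: a small Python script that parses Comware 7 "debugging hwtacacs all" / "debugging role all" output of the shape quoted above, pulls the AV pairs out of each AUTHOR_REPLY and correlates them with what the switch did next (RBAC/7/ERROR, SSH logout). The two log samples are constructed from the quoted output; hostnames, users and session ids are placeholders, and the second sample (a reply carrying only priv-lvl=15) is assumed, modelled on the configuration the thread later reports as working.

```python
import re

# One record starts at a "*"/"%" timestamped header; following lines are its packet dump.
HEADER = re.compile(
    r"^[*%](?P<ts>\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+(?P<host>\S+)\s+"
    r"(?P<facility>[A-Z]+/\d/\w+):\s*(?P<msg>.*)$"
)
# "argN: value" pairs; TACACS+ separates mandatory (=) and optional (*) attributes.
ARG = re.compile(r"arg(\d+):\s+(.*?)(?=\s+arg\d+:|\s*$)", re.MULTILINE)

# Constructed sample 1: the failing exchange from the thread (roles AV pairs, RBAC error).
LOG_ROLES_ONLY = """\
*Jan  9 05:41:53:109 2011 <switch> TACACS/7/send_packet:
version: 0xc0  type: AUTHOR_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
session-id: 0x1a1d8820
arg0: service=shell  arg1: cmd*
*Jan  9 05:41:53:117 2011 <switch> TACACS/7/recv_packet:
version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0x1a1d8820
Status: STATUS_PASS_ADD  arg_cnt: 3  server_msg len: 0  data len: 0
arg0: idletime=120  arg1: roles="network-admin"
arg2: shell:roles="network-admin"
%Jan  9 05:41:53:118 2011 <switch> SSHS/6/SSHLOG: Accepted password for <user> from <tac-plus_server> port 51298 ssh2.
*Jan  9 05:41:53:185 2011 <switch> RBAC/7/ERROR: Failed to set the user role.
%Jan  9 05:41:53:195 2011 <switch> SSHS/6/SSHLOG: User <user> logged out from <tac-plus_server> port 51298.
"""

# Constructed sample 2 (assumed): a reply that only carries priv-lvl=15 and no RBAC error.
LOG_PRIV_LVL = """\
*Jan  9 05:50:01:001 2011 <switch> TACACS/7/recv_packet:
version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0x1a1d8821
Status: STATUS_PASS_ADD  arg_cnt: 1  server_msg len: 0  data len: 0
arg0: priv-lvl=15
%Jan  9 05:50:01:002 2011 <switch> SSHS/6/SSHLOG: Accepted password for <user> from <tac-plus_server> port 51300 ssh2.
"""


def parse_records(text):
    """Group the debug output into records: a header line plus its body lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "body": []})
        elif records:
            records[-1]["body"].append(line)
    return records


def split_avpair(token):
    """'roles="network-admin"' -> ('roles', 'network-admin', True); 'cmd*' -> ('cmd', '', False)."""
    sep = re.search(r"[=*]", token)
    if not sep:
        return token, "", True
    return token[:sep.start()], token[sep.end():].strip('"'), sep.group() == "="


def packet_fields(record):
    """Extract type, session id, status and the AV pairs from a packet dump."""
    body = "\n".join(record["body"])
    fields = {"avpairs": {}}
    for key, pat in (("type", r"\btype:\s+(\S+)"),   # \b keeps authen_type: from matching
                     ("session", r"session-id:\s+(\S+)"),
                     ("status", r"Status:\s+(\S+)")):
        m = re.search(pat, body)
        fields[key] = m.group(1) if m else None
    for _, token in ARG.findall(body):
        attr, value, _mandatory = split_avpair(token)
        fields["avpairs"][attr] = value
    return fields


def analyze(text):
    """One report per AUTHOR_REPLY, correlated with the switch's reaction until the next packet."""
    records = parse_records(text)
    reports = []
    for idx, rec in enumerate(records):
        if not rec["facility"].endswith("recv_packet"):
            continue
        f = packet_fields(rec)
        if f["type"] != "AUTHOR_REPLY":
            continue
        rbac_error = logged_out = False
        for later in records[idx + 1:]:
            if later["facility"].endswith("_packet"):
                break  # next TACACS+ exchange; stop correlating
            if later["facility"] == "RBAC/7/ERROR":
                rbac_error = True
            if later["facility"].startswith("SSHS/") and "logged out" in later["msg"]:
                logged_out = True
        av = f["avpairs"]
        reports.append({"session": f["session"], "status": f["status"], "avpairs": av,
                        "sends_priv_lvl": "priv-lvl" in av,
                        "sends_roles": any(k in av for k in ("roles", "shell:roles")),
                        "rbac_error": rbac_error, "logged_out": logged_out})
    return reports


def verdict(report):
    if report["status"] not in ("STATUS_PASS_ADD", "STATUS_PASS_REPL"):
        return "authorization not granted by the server"
    if report["rbac_error"]:
        return "server granted authorization but the switch failed to map the AV pairs to a user role"
    return "authorization granted and role applied"


if __name__ == "__main__":
    for sample in (LOG_ROLES_ONLY, LOG_PRIV_LVL):
        for r in analyze(sample):
            print(r["session"], r["avpairs"], "->", verdict(r))
```

Run it against a capture of your own debug session: the point to check is whether an RBAC/7/ERROR follows a STATUS_PASS reply, which says the server side was fine and the switch could not turn the returned attributes into a role.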
sdide
Respected Contributor

Re: HP 5900 hwtacacs comware 7.

Hi.

Just another comment. (I haven't solved the issue.)

But if someone using tacacs and comware 7 has a working setup, could they enable hwtacacs debugging ("debugging hwtacacs all") on the switch and send me what they receive on the switch.

Especially the TACACS/7/recv_packet:

Mine was (my clock is off, need to check my ntp settings as well, I think :)

 

"

*Jan  9 05:41:53:117 2011 <switch> TACACS/7/recv_packet:
version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0x1a1d8820
length of payload: 69
Status: STATUS_PASS_ADD  arg_cnt: 3  server_msg len: 0  data len: 0
arg0_len: 12    arg1_len: 21    arg2_len: 27
server_msg:
data:
arg0: idletime=120  arg1: roles="network-admin"
arg2: shell:roles="network-admin"


"

As you'll note from the log in my previous post, the error I get (later in the log) is not a tacacs one but an RBAC one, namely:

"

*Jan  9 05:41:53:185 2011 <switch> RBAC/7/ERROR: Failed to set the user role.

"

And immediately after that I get logged off.

I'm thinking this is because I send the wrong AV pairs. But I traversed what documentation I could find, which is sparse, and I can't seem to find it.

 

On a side note: in the aforementioned sparse documentation (e.g. http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c03189486/c03189486.pdf), I read, and I quote the note on page 44:

 

To be compatible with privilege-based access control, the device automatically converts privilege-based
user levels (0 to 15) assigned by an AAA server to RBAC user roles (level-0 to level-15).
If the AAA server assigns a privilege-based user level and a user role to a user, the user can use the
collection of commands and resources accessible to both the user level and the user role.

 

Of course I tried to set a bunch of different Exec Privilege AV pairs also, to no avail.

 

Regards

Søren Dideriksen

Søren Dideriksen, Network Administrator
Region Midtjylland
Peter_Debruyne
Honored Contributor

Re: HP 5900 hwtacacs comware 7.

Hi,

 

Did you check these posts:

http://h30499.www3.hp.com/t5/Comware-Based/5900-v7-2-and-Radius/m-p/6049491/highlight/true#M4165

http://h30499.www3.hp.com/t5/Comware-Based/5920-RADIUS-attributes-for-SSH-login-on-HP-5920AF/m-p/5855277/highlight/true#M3656

 

For radius, the AV-pair to be used is the Cisco-AV pair and the service-type telnet/ssh. Not sure on the tacacs however, still need to test that one.

 

Best regards, Peter

sdide
Respected Contributor

Re: HP 5900 hwtacacs comware 7.

Hi Peter,

 

I already read

http://h30499.www3.hp.com/t5/Comware-Based/5920-RADIUS-attributes-for-SSH-login-on-HP-5920AF/m-p/5855277/highlight/true#M3656

 

which is where I got a lot of ideas to try out, but it did not help me.

 

The other thread

http://h30499.www3.hp.com/t5/Comware-Based/5900-v7-2-and-Radius/m-p/6049491/highlight/true#M4165

 

is interesting because it seems to be the exact same problem just with a radius server. The original poster hasn't replied, so I'm not sure if the proposed solution worked.

 

Regards

 

 

Søren Dideriksen, Network Administrator
Region Midtjylland
Peter_Debruyne
Honored Contributor

Re: HP 5900 hwtacacs comware 7.

Hi Søren,

 

I verified the config with the free tacacs.net server. It was a bit of trial and error (I got confused with the cisco-avpair which is used in the Radius config, which does not seem to be used on the tacacs config).

So on the tacacs.net server there were 2 methods to get it working:

1/ CMW7 compatibility behavior: configure the old priv level 15 and comware 7 will interpret it as the level-15 role.

Sample tacacs.net authorization (needs inserting in the authorization.xml file):

 


<Authorization>
<UserGroups>
<UserGroup>Local System Administrators</UserGroup>
</UserGroups>
<ClientGroups>
<ClientGroup>HP-Switches</ClientGroup>
</ClientGroups>
<AutoExec>
<Set>priv-lvl=15</Set>
</AutoExec>
<Shell>
<Permit>.*</Permit>
</Shell>
<Services>
</Services>
</Authorization>

 

 

2/ CMW7 role assignment : configure the role name.

 

<Authorization>
<UserGroups>
<UserGroup>Local System Administrators</UserGroup>
</UserGroups>
<ClientGroups>
<ClientGroup>HP-Switches</ClientGroup>
</ClientGroups>
<AutoExec>
<Set>roles="network-admin"</Set>
</AutoExec>
<Shell>
<Permit>.*</Permit>
</Shell>
<Services>
</Services>
</Authorization>

 

 

Hope this works for you,

 

Best regards, Peter
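Added example, not from the post above and not tacacs.net's own code: a Python audit of a tacacs.net authorization.xml that lists, per <Authorization> entry, which user and client groups get which AutoExec attributes, and flags entries that grant full administrative access (priv-lvl=15 or roles="network-admin") together with an unrestricted shell permit (.*). The sample file is constructed from the two fragments above plus an assumed second, lower-privilege entry; the <Authorizations> root element is assumed to be the file's container.

```python
import xml.etree.ElementTree as ET

# Constructed sample authorization.xml: the thread's admin entry plus an assumed
# helpdesk entry that only gets network-operator and a restricted command permit.
SAMPLE_AUTHORIZATION_XML = """\
<Authorizations>
  <Authorization>
    <UserGroups><UserGroup>Local System Administrators</UserGroup></UserGroups>
    <ClientGroups><ClientGroup>HP-Switches</ClientGroup></ClientGroups>
    <AutoExec><Set>priv-lvl=15</Set></AutoExec>
    <Shell><Permit>.*</Permit></Shell>
    <Services></Services>
  </Authorization>
  <Authorization>
    <UserGroups><UserGroup>Helpdesk</UserGroup></UserGroups>
    <ClientGroups><ClientGroup>HP-Switches</ClientGroup></ClientGroups>
    <AutoExec><Set>roles="network-operator"</Set></AutoExec>
    <Shell><Permit>^display .*</Permit></Shell>
    <Services></Services>
  </Authorization>
</Authorizations>
"""

# Permit patterns that match any command line at all.
UNRESTRICTED_PERMITS = {".*", "^.*", ".*$", "^.*$"}


def parse_set(text):
    """'roles="network-admin"' -> ('roles', 'network-admin'); 'priv-lvl=15' -> ('priv-lvl', '15')."""
    attr, _, value = text.partition("=")
    return attr.strip(), value.strip().strip('"')


def audit(xml_text):
    """Return one finding per <Authorization> with the access it grants and risk flags."""
    root = ET.fromstring(xml_text)
    findings = []
    for auth in root.iter("Authorization"):
        avpairs = dict(parse_set(s.text or "") for s in auth.iter("Set"))
        permits = [(p.text or "").strip() for p in auth.iter("Permit")]
        findings.append({
            "users": [u.text for u in auth.iter("UserGroup")],
            "clients": [c.text for c in auth.iter("ClientGroup")],
            "avpairs": avpairs,
            "permits": permits,
            # Either attribute yields full admin on Comware 7 per the thread's two methods.
            "full_admin": avpairs.get("priv-lvl") == "15"
                          or avpairs.get("roles") == "network-admin",
            "unrestricted_shell": any(p in UNRESTRICTED_PERMITS for p in permits),
        })
    return findings


def admin_entries(findings):
    """Group names that end up with full admin rights, for a quick access review."""
    return sorted({u for f in findings if f["full_admin"] for u in f["users"]})


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZATION_XML):
        print(f["users"], f["clients"], f["avpairs"], f["permits"],
              "FULL-ADMIN" if f["full_admin"] else "",
              "UNRESTRICTED-SHELL" if f["unrestricted_shell"] else "")
```

Point this at the real authorization.xml to see, in one pass, which groups receive priv-lvl=15 or network-admin on the switch client group; the unrestricted-shell flag is only informational, since a full-admin role already implies it.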

 

Sam-GA
New Member

Re: HP 5900 hwtacacs comware 7.

Hi Soren,
Any update on this issue?
did you manage to find a solution?
Thanks in advance
Sam-GA
New Member

Re: HP 5900 hwtacacs comware 7.

I tried to change the same two attributes on the IMC shell profile, but it did not work, and the logged-in user still has network-operator privileges.

The two attributes assigned on OMC Tacacs are:
priv-lvl=15
roles="network-admin"
sdide
Respected Contributor

Re: HP 5900 hwtacacs comware 7.

Hi Sam,

 

I have solved the issue.

 

I think the problem was in the software version.

 

I currently run 7.1.035, Release 2210, and 7.1.045, Release 2307 on various 5900s.

 

Here is what I configured.

] display current-configuration configuration hwtacacs

hwtacacs scheme <tacacs-scheme-name>
 primary authentication <ip-of-primary-tac+-server>
 primary authorization <ip-of-primary-tac+-server>
 primary accounting <ip-of-primary-tac+-server>
 secondary authentication <ip-of-secondary-tac+-server>
 secondary authorization <ip-of-secondary-tac+-server>
 secondary accounting <ip-of-secondary-tac+-server>
 key authentication cipher <authen-cipher>
 key authorization cipher <autho-cipher>
 key accounting cipher <accounting-cipher>
 user-name-format keep-original

] display current-configuration configuration isp

domain <domain-name>
 authentication login hwtacacs-scheme <tacacs-scheme-name>
 authorization login hwtacacs-scheme <tacacs-scheme-name>
 accounting login hwtacacs-scheme <tacacs-scheme-name>

] display current-configuration configuration system

...

domain default enable <domain-name>

 

The only thing the tacplus server sends is

priv-lvl = 15

 

So that works for me now.

 

Regards

Søren Dideriksen

 

 

Søren Dideriksen, Network Administrator
Region Midtjylland
Ashoksunkara
Occasional Contributor

Re: HP 5900 hwtacacs comware 7.

Hi,

Thanks a lot for your post, it saved a lot of my time.

Thanks and regards,

Ashok Kumar Sunkara.