HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

SOLVED
verpoest
Occasional Advisor

Hi,

We are using HP 5900 switches with Comware 7.1 release 2210.

We have configured SSH/telnet RADIUS authentication. When the authentication is successful, the RADIUS server sends an attribute. The attribute we had to use: Cisco AV pair with value: shell:network-admin.

This was working fine with release 2210.

Now we upgraded to release 2307.

The RADIUS authentication is not working any more. However, on the RADIUS server we see that the authentication is successful; the RADIUS server sends an Accept to the switch with the attribute.

So it looks like in release 2307 the attributes were changed?

Does someone know about this?

Regards

Apachez-
Trusted Contributor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

I was digging through the release notes for 2307 and couldn't find any change regarding RADIUS or AAA in 2307 compared to 2210.

verpoest
Occasional Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Yes, I know.

This is why I ask it on the forum.

Does someone have the same issue?

Regards

Peter_Debruyne
Honored Contributor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi Dirk,

I just had time to verify the config on a 5900 R2307 and it just works for me.

See http://abouthpnetworking.com/2014/03/16/comware7-radius-based-rbac-user-role-assignment/ for the setup.

Best regards, Peter

verpoest
Occasional Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi Peter,

I took a look at the document you provided.

But my setup is more or less already the same. I do not use a Windows 2008 NPS server, but Avaya ID Engine.

The setup was working fine with the releases before 2307.

We use the Cisco AV pair.

The authentication is successful because the RADIUS server sends an Accept RADIUS message. But release 2307 refuses this message.

I did the test with the double quotes, but the result is the same.

verpoest
Occasional Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi,

I redid the test with an NPS server, so my lab is now the same as yours. But my results are negative.

I enabled RADIUS debugging on the HP 5900, see attachment.

I also put in a screenshot of a sniffer trace on the RADIUS server.

You can see the RADIUS server sends an Accept message with the correct attribute fields.

In the debug file you can see the switch received the attributes.

So what is the difference between my setup and yours?

Apachez-
Trusted Contributor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Your debug says:

Decoded reply packet successfully.
*Jan 20 22:10:09:525 2011 HP RADIUS/7/PACKET:
    Framed-Protocol=PPP
    Service-Type=Framed-User
    class="0x547c04fc00000137000102000a0500f700000000000000000000000001cf41ce9e9336700000000000000004"
    Cisco-AVPair="shell:roles="network-admin""

However, the page at http://abouthpnetworking.com/2014/03/16/comware7-radius-based-rbac-user-role-assignment/ says it should be:

Cisco-AV-Pair

Note the dash between AV and Pair, which your debug is missing.

However, the Wireshark screenshot in the end says "Cisco-AVPair", so I dunno...

Googling on the subject shows both strings, but could be worth a try in your case?

verpoest
Occasional Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi,

You cannot change the syntax of the Cisco attribute.

In the NPS server the syntax for this attribute is: Cisco-AV-Pair.

How the NPS server sends it to the NAS, you cannot control. But as you can see, it is without the dash between AV and Pair.

Regards

Peter_Debruyne
Honored Contributor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi,

* Do not worry about Cisco-AV-Pair or Cisco-AVPair, that is just the display name (the actual vendor code 9 (Cisco) and attribute code 1 (= Cisco-AV-Pair) are matching, so that is all that matters).

* Was this an upgraded config? Did you try to make a completely new RADIUS scheme on R2307? (Some Comware version upgrades had the habit of doing something strange with the key encryption coding, so e.g. you had to re-initialize the SSH keys.)

* If creating a new config does not work, could you post the (cleaned up) full config of the 5900 and the actual Wireshark trace (not a screenshot)?

Anyway, not normal behavior and it certainly looks very strange to me...

Best regards, Peter
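To make the point from the two previous replies concrete (the dictionary name "Cisco-AVPair" vs "Cisco-AV-Pair" never goes on the wire; only Vendor-Id 9 and vendor type 1 inside attribute 26 do), here is a small added example, not code from the thread or from HP. It builds an Access-Accept with a Service-Type, a Class and a Cisco AV pair modelled on the debug output above, verifies the Response Authenticator the way a NAS must before it reads any attribute (RFC 2865: MD5 over Code, ID, Length, Request Authenticator, attributes and shared secret), and then extracts the role purely by the numeric codes. The shared secret, the Request Authenticator, the packet identifier and the assumption that several roles would be space-separated in one AV pair are all constructed for the example.

```python
"""Build and decode a RADIUS Access-Accept carrying the Cisco AV pair that
assigns a Comware user role.  Example code, not from the thread or from HP."""
import hashlib
import hmac
import re
import struct

# RFC 2865 packet code and attribute types
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR = 1     # vendor type 1; dictionaries call it Cisco-AVPair or Cisco-AV-Pair


def encode_attr(atype, value):
    """Type-Length-Value; the length byte counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_cisco_avpair(text):
    """Attribute 26 wrapping Vendor-Id 9 and a vendor type 1 sub-attribute."""
    data = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_access_accept(ident, request_authenticator, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_access_accept(packet, request_authenticator, secret):
    """What the NAS does before it looks at any attribute: with the wrong
    shared secret the check fails and the Accept is dropped silently."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if header[0] != ACCESS_ACCEPT or struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(data):
    """Walk a TLV list and return [(type, value), ...]."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


# Value may arrive quoted or unquoted: shell:roles="network-admin" / shell:roles=network-admin
ROLE_RE = re.compile(r'^shell:roles=\s*"?(.*?)"?$')


def roles_from_access_accept(packet):
    """Select the AV pair by (vendor 9, vendor type 1) only; the display
    name used by the RADIUS server's dictionary never reaches the wire."""
    roles = []
    for atype, value in parse_attrs(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        for vtype, vval in parse_attrs(value[4:]):
            if vtype != CISCO_AVPAIR:
                continue
            m = ROLE_RE.match(vval.decode(errors="replace"))
            if m:
                roles.extend(m.group(1).split())  # assumption: space-separated role list
    return roles


# Constructed sample, modelled on the debug output posted in the thread
SECRET = b"radius-secret"       # assumed shared secret
REQ_AUTH = bytes(range(16))     # assumed Request Authenticator from the Access-Request


def sample_accept():
    attrs = [
        encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", 2)),          # Framed-User
        encode_attr(ATTR_CLASS, bytes.fromhex("547c04fc00000137")),    # truncated Class
        encode_cisco_avpair('shell:roles="network-admin"'),
    ]
    return build_access_accept(0x2A, REQ_AUTH, SECRET, attrs)


if __name__ == "__main__":
    pkt = sample_accept()
    print("authenticator ok:", verify_access_accept(pkt, REQ_AUTH, SECRET))
    print("roles:", roles_from_access_accept(pkt))
    print("wrong secret ok:", verify_access_accept(pkt, REQ_AUTH, b"other"))
```

Run it against a real capture by replacing `sample_accept()` with the bytes of the Access-Accept UDP payload and `REQ_AUTH` with the authenticator from the matching Access-Request: if `verify_access_accept` returns False, the NAS would discard the packet before any attribute is considered, regardless of what the debug output shows.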

verpoest
Occasional Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi Peter,

It was an upgraded config. The config was created with release 2210.

But I just redid the test, starting from a scratch config: reboot the switch with an empty config and make a new config.

But the result stays the same. :-(

See the attachment for:

debug output

config of the switch

sniffer trace at the RADIUS server (NPS)

Regards