02-19-2014 07:14 AM
Hi,
We are using HP 5900 switches with Comware 7.1 release 2210.
We have configured SSH/Telnet RADIUS authentication. When the authentication is successful, the RADIUS server sends an attribute. The attribute we had to use: AV Cisco pair with value: shell:network-admin.
This was working fine with release 2210.
Now we have upgraded to release 2307.
The RADIUS authentication is not working any more. However, on the RADIUS server we see that the authentication is successful; the RADIUS server sends an accept to the switch with the attribute.
So it looks like the attributes have changed in release 2307?
Does someone know about this?
Regards
02-19-2014 10:45 AM
Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem
I was digging through the release notes for 2307 and couldn't find any changes regarding RADIUS or AAA in 2307 compared to 2210.
02-20-2014 12:48 AM
Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem
Yes, I know.
This is why I am asking on the forum.
Does someone have the same issue?
Regards
03-16-2014 03:43 AM
Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem
Hi Dirk,
I just had time to verify the config on a 5900 R2307 and it just works for me.
See http://abouthpnetworking.com/2014/03/16/comware7-radius-based-rbac-user-role-assignment/ for the setup.
Best regards, Peter
03-17-2014 02:56 AM
Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem
Hi Peter,
I took a look at the document you provided.
But my setup is more or less the same already. I do not use a Windows 2008 NPS server, but AVAYA ID engine.
The setup was working fine with the releases before 2307.
We use the Cisco AV pair.
The authentication is successful because the RADIUS server sends an accept RADIUS message. But release 2307 refuses this message.
I did the test with the double quotes but the result is the same.
03-17-2014 04:05 AM
Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem
Hi,
I redid the test with an NPS server, so my lab is now the same as yours. But my results are negative.
I enabled RADIUS debugging on the HP 5900; see attachment.
I also put a screenshot of a sniffer trace on the RADIUS server.
You can see the RADIUS server sends an accept message with the correct attribute fields.
In the debug file you can see the switch received the attributes.
So what is the difference between my setup and yours?
03-17-2014 06:16 AM
Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem
Your debug says:
Decoded reply packet successfully.
*Jan 20 22:10:09:525 2011 HP RADIUS/7/PACKET:
Framed-Protocol=PPP
Service-Type=Framed-User
class="0x547c04fc00000137000102000a0500f700000000000000000000000001cf41ce9e9336700000000000000004"
Cisco-AVPair="shell:roles="network-admin""
However the stuff at http://abouthpnetworking.com/2014/03/16/comware7-radius-based-rbac-user-role-assignment/ says it should be:
Cisco-AV-Pair
Note the dash between AV and Pair, which your debug is missing.
However the wireshark screenshot in the end says "Cisco-AVPair" so I dunno...
Googling on the subject shows both strings - but could be worth a try in your case?
03-17-2014 06:37 AM
Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem
Hi,
You cannot change the syntax of the Cisco attribute.
In the NPS server the syntax for this attribute is: Cisco-AV-Pair.
How the NPS server sends it to the NAS, you cannot control. But as you can see, it is without the dash between AV and Pair.
Regards
03-17-2014 07:58 AM
Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem
Hi,
* Do not worry about Cisco-AV-Pair or Cisco-AVPair; that is just the display name (the actual vendor code 9 (Cisco) and attribute code 1 (= Cisco-AV-Pair) are matching, so that is all that matters).
* Was this an upgraded config? Did you try to make a completely new RADIUS scheme on R2307? (Some Comware version upgrades had this habit of doing something strange with the key encryption coding, so e.g. you had to re-initialize the SSH keys.)
* If creating a new config does not work, could you post the (cleaned up) full config of the 5900 and the actual Wireshark trace (not a screenshot)?
Anyway, not normal behavior and it certainly looks very strange to me...
Best regards, Peter
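What the first bullet of the reply above means on the wire, as an added example (not code from the thread or from HP): a RADIUS Vendor-Specific attribute is matched on vendor code 9 and vendor attribute code 1, and no display name such as Cisco-AV-Pair or Cisco-AVPair is carried in the packet. The function names and the sample attribute block are constructed here; the value string is the one shown in the debug output earlier in the thread.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type that wraps vendor attributes
CISCO_VENDOR_ID = 9    # vendor code quoted in the reply above
CISCO_AV_PAIR = 1      # vendor attribute code quoted in the reply above


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute (RFC 2865 section 5.26)."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def parse_attributes(data):
    """Yield (type, value) for each type/length/value attribute in data."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def cisco_av_pairs(data):
    """Return every Cisco AV pair string, matched on numeric codes only."""
    pairs = []
    for attr_type, value in parse_attributes(data):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != CISCO_VENDOR_ID:
            continue
        # Sub-attributes inside the VSA use the same type/length/value layout.
        for sub_type, sub_value in parse_attributes(value[4:]):
            if sub_type == CISCO_AV_PAIR:
                pairs.append(sub_value.decode("ascii"))
    return pairs


# Constructed attribute block mirroring the debug output in the thread:
# Service-Type (6) = Framed-User (2), Framed-Protocol (7) = PPP (1), one VSA.
SAMPLE = (
    bytes([6, 6]) + struct.pack("!I", 2)
    + bytes([7, 6]) + struct.pack("!I", 1)
    + build_vsa(CISCO_VENDOR_ID, CISCO_AV_PAIR, b'shell:roles="network-admin"')
)

if __name__ == "__main__":
    print(cisco_av_pairs(SAMPLE))
```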
03-18-2014 01:46 AM
Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem
Hi Peter,
It was an upgraded config. The config was created with release 2210.
But I just redid the test, starting from a scratch config: rebooted the switch with an empty config and made a new config.
But the result stays the same. :-(
See attachment for:
debug output
config of the switch
sniffer trace at the RADIUS server (NPS)
Regards