Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

SOLVED
Go to solution
verpoest
Occasional Advisor

HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

hi

we using hp 5900 switches with comware 7.1 release 2210.

we have configured ssh/telnet radius authentication. When the authentication is successfull the radius server send an attribute. the attribute we had to use : AV cisco pair with value : shell:network-admin.

 

this was working fine with the release 2210.

 

now we upgrade to the release 2307.

the radius authentication is not working any more. however on the radius server we see that the authentication is succesfull; the radius send an accept to the switch with the attribute.

So it looks that in release 2307 the attributes are changed ?

Do someone know this ?

 

regards

 

15 REPLIES
Apachez-
Trusted Contributor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

I was digging through the release notes for 2307 and couldnt find any changing regarding radius or AAA in 2307 compared to 2210.

verpoest
Occasional Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Yes I know.

 

This is why I ask it on the forum.

do  someone have the same issue ?

 

regards

 

Peter_Debruyne
Honored Contributor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi Dirk,

 

I just had time to verify the config on a 5900 R2307 and it just works for me.

See http://abouthpnetworking.com/2014/03/16/comware7-radius-based-rbac-user-role-assignment/ for the setup,

 

Best regards,Peter

 

verpoest
Occasional Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi Peter,

I take a look to your provided document.

But my setup is more or less already the same. But I do not use windows 2008 NPS server. but AVAYA ID engine.

the setup was working fine with the releases before 2307.

We use the cisco AV pair.

The authentication is successfull because the radius server send an accept radius message. But the release 2307 refuse this message.

 

I did the test with the double quotes but result is the same.

 

verpoest
Occasional Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi,

 

I did redo the test with a NPS server. So my labo is the same as you now. But my results are negative.

I did enable radius debugging on the HP 5900. see attachement.

I also put a screenshot of a sniffertrace on the radius server

 

you can see the radius server send an accept message with the correct attributes fields.

in the debug file you can see the switch received the attributes.

 

so what is the different between my setup and yours?

 

 

Apachez-
Trusted Contributor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Your debug says:

Decoded reply packet successfully.
*Jan 20 22:10:09:525 2011 HP RADIUS/7/PACKET:
    Framed-Protocol=PPP
    Service-Type=Framed-User
    class="0x547c04fc00000137000102000a0500f700000000000000000000000001cf41ce9e9336700000000000000004"
    Cisco-AVPair="shell:roles="network-admin""

However the stuff at http://abouthpnetworking.com/2014/03/16/comware7-radius-based-rbac-user-role-assignment/ says it should be:

Cisco-AV-Pair

note the dash between AV and Pair which your debug is missing.

However the wireshark screenshot in the end says "Cisco-AVPair" so I dunno...

 

Googling on the subject shows both strings - but could be worth a try in your case?

verpoest
Occasional Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi,

 

You can not change the syntax of the cisco attribute.

in the NPS server the syntax for this attribute is : Cisco-AV-Pair.

 

How the nps server it send to the NAS, you can not control it. But as you can see it is without the dash between AV and Pair.

 

regards

 

Peter_Debruyne
Honored Contributor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi,

 

* do not worry about the Cisco-AV-Pair or Cisco-AVPair, that is just the display name (the actual vendor code 9 (cisco) and attribute code 1 (=Cisco-AV-Pair) are matching, so that is all that matters).

 

* was this an upgraded config ? Did you try to make a complete new radius scheme on R2307 ? (some comware version upgrades had this habit of doing something strange with the key encryption coding, so e.g. you had to re-initialize the ssh keys)

* if creating new config does not work, could you post the (cleaned up) full config of the 5900 and the actual wireshark trace (not screenshot) ?

 

Anyway, not normaly behavior and certainy looks very strange to me...

 

Best regards,Peter

verpoest
Occasional Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi Peter,

 

is was an upgraded config. config was created with release 2210.

But I just redo the test, starting from a scatch config. reboot the switch with empty config and make a new config.

but the result stay the same. :-(

 

see attachment for :

debug output.

config of the switch

sniffer trace at the radius server (NPS)

 

regards

Peter_Debruyne
Honored Contributor
Solution

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi Dirk,

 

The domain system is missing the accounting configuration for the "login" application. This may be a difference in default value compared to the previous release.

 

Anyway, I verified your config (failed in my setup as well), but when the accounting for login is configured, it works.

 

I my sample setup, I used radius accounting (which is not configured in your example). If you do not want the accounting, configure:

 

domain system

 accounting login none

 

Then it works,

 

Best regards,Peter.

 

verpoest
Occasional Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

Hi Peter,

 

Thank you for the feedback. I will change my config next monday. and I let you know what the result is.

 

But when the issue is caused by the accounting then :

 

I do not understand the way HP is implementing undocumented features changes !

this is for me a major issue. why ? our customer runs release 2210 in production with telnet/ssh radius authentication without the accounting . Why configure accounting when you do not need it.

after upgrade to 2307, we did not have any remote access anymore to our network. luckily we did not configere yet radius authentication on the console port.

It bothers me that HP change the authentication concept and not mentioned in the release notes!

What guarantee do we have that this is the only concept change is in release 2307?

 

Let me be clear I do not shoot on the pianist. I do appreciate  your effort and you knowledge.

regards

 

cpatino29
Occasional Visitor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

I was having the same issue after upgrading to version 7.1 r2311p03. Setting the accouting to none under my domain config fix the problem. Thank you for posting this. 

sdide
Respected Contributor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

hi,

Just for the record - I ran into the exact same problem during an upgrade on a production unit, where I had to issue a command after the upgrade ...  The time-window for the upgrade involved more units. Since out oob management was not up in that location yet, I had to grab the console cable and go to the switches which were luckily in close proximity.

 

Could have been a mess ...  

 

Not cool that HP changes things with no mention in the release notes.

 

Regards

 

Søren Dideriksen, Network Administrator
Region Midtjylland
spgsitsupport
Frequent Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

I did follow:

https://abouthpnetworking.com/2014/03/16/comware7-radius-based-rbac-user-role-assignment/#comment-5353

and I can not login via SSH, I never get to the prompt, it just sits there

Server 2012 R2 NPS (event log does not show anything for switch IP)

login as: seb@mydomain
seb@mydomain@10.0.1.190's password:

******************************************************************************
* Copyright (c) 2010-2015 Hewlett Packard Enterprise Development LP *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************

 Any ideas anybody?

Thanks

Seb

 

 

spgsitsupport
Frequent Advisor

Re: HP 5900 radius access authentication with comware 7.1.045 release 2307 : problem

The post I used missed (obviou when I re-read it) creation of Connection Request Policy!

Once that is done, auth works fine