Impossible to install a RADIUS SERVER on switch FlexNetwork 5130

 
ValOsmont
Occasional Visitor

Hello everyone, I am coming to you because I have a RADIUS authentication problem on my "FLEXNETWORK 5130 (JG932A)" switch.

I must set up RADIUS to guarantee additional security on the interconnection equipment. So I have my RADIUS server (Win2012R2) with the parameters for RADIUS authentication inside, and on the other side my switch with this configuration:
[Val]dis cur
#
version 7.1.045, Release 3111P02
#
sysname Val
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
vlan 1012
name Admin
#
stp global enable
#
interface NULL0
#
interface Vlan-interface1012
ip address IP.IP.IP.IP MASK.MASK.MASK.MASK
#
interface GigabitEthernet1/0/1
port access vlan 1012
#
interface GigabitEthernet1/0/2
port access vlan 1012
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17
#
interface GigabitEthernet1/0/18
#
interface GigabitEthernet1/0/19
#
interface GigabitEthernet1/0/20
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
#
interface GigabitEthernet1/0/23
#
interface GigabitEthernet1/0/24
port access vlan 1012
#
interface Ten-GigabitEthernet1/0/25
#
interface Ten-GigabitEthernet1/0/26
#
interface Ten-GigabitEthernet1/0/27
#
interface Ten-GigabitEthernet1/0/28
#
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
user-role network-operator
protocol inbound ssh
idle-timeout 30 5
#
ssh server enable
#
radius scheme system
primary authentication IP.IP.IP.IP key cipher izrjoifnzoienhjskdnnjkezj=jzn+ (example key)
primary accounting IP.IP.IP.IP key cipher =+jzejkljnfzpaif)+jzdqnpoi (example key)
key authentication cipher =+ojzpoopo'ikz,nopqkczd,vopzv (example key)
key accounting cipher fiozenfiiopzjcop+,kladp+$ (example key)
user-name-format without-domain
#
domain system
authentication login radius-scheme system
authorization login radius-scheme system
accounting login radius-scheme system
authentication default radius-scheme system local
authorization default radius-scheme system local
accounting default radius-scheme system local
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user val class manage
password hashopzfojzsdocnzvkldnjoviovlnmlviozvopznvnpzvonzkqpoaq,dapoz+andapoi= (example key)
service-type ssh terminal https
authorization-attribute user-role network-ope
authorization-attribute user-role network-admin
authorization-attribute user-role network-level-15
authorization-attribute user-role network-operator
#
ip http enable
ip https enable
#
return

When I try to connect with my session, the logs in the switch are good and I have good access; in my Windows 2012 R2 server the logs are also good.
But the problem is the following: when I log on to the switch over an SSH connection, it closes instantly ... and I have no control.
Can you help me?
I also tried on an A3600 switch and it works, I have a RADIUS server. Here is my configuration:

<Val>dis cur
#
version 5.20.99, Release 2111
#
sysname Val
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 2 priority 28
#
domain default enable radius.local
#
password-recovery enable
#
vlan 1
#
vlan 10
name Val
#
radius scheme system
primary authentication IP.IP.IP.IP
key authentication cipher poijeskfioefsmepf$qgk$aofkacjnsdkoqlz
#
domain radius.local
authentication login radius-scheme system local
authorization login radius-scheme system local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user user
password cipher opijzeoidhuzoiehflqfizqeuflqzf$zeiujd
authorization-attribute level 3
service-type ssh terminal
service-type web
#
cwmp
undo cwmp enable
#
interface NULL0
#
interface Vlan-interface10
ip address IP.IP.IP.IP MASK.MASK.MASK.MASK
#
interface Ethernet2/0/1
port link-mode bridge
port access vlan 10
#
interface Ethernet2/0/2
port link-mode bridge
#
interface Ethernet2/0/3
port link-mode bridge
port access vlan 10
#
interface Ethernet2/0/4
port link-mode bridge
#
interface Ethernet2/0/5
port link-mode bridge
#
interface Ethernet2/0/6
port link-mode bridge
#
interface Ethernet2/0/7
port link-mode bridge
#
interface Ethernet2/0/8
port link-mode bridge
#
interface Ethernet2/0/9
port link-mode bridge
#
interface Ethernet2/0/10
port link-mode bridge
#
interface Ethernet2/0/11
port link-mode bridge
#
interface Ethernet2/0/12
port link-mode bridge
#
interface Ethernet2/0/13
port link-mode bridge
#
interface Ethernet2/0/14
port link-mode bridge
#
interface Ethernet2/0/15
port link-mode bridge
#
interface Ethernet2/0/16
port link-mode bridge
#
interface Ethernet2/0/17
port link-mode bridge
#
interface Ethernet2/0/18
port link-mode bridge
#
interface Ethernet2/0/19
port link-mode bridge
#
interface Ethernet2/0/20
port link-mode bridge
#
interface Ethernet2/0/21
port link-mode bridge
#
interface Ethernet2/0/22
port link-mode bridge
#
interface Ethernet2/0/23
port link-mode bridge
#
interface Ethernet2/0/24
port link-mode bridge
#
interface Ethernet2/0/25
port link-mode bridge
#
interface Ethernet2/0/26
port link-mode bridge
#
interface Ethernet2/0/27
port link-mode bridge
#
interface Ethernet2/0/28
port link-mode bridge
#
interface Ethernet2/0/29
port link-mode bridge
#
interface Ethernet2/0/30
port link-mode bridge
#
interface Ethernet2/0/31
port link-mode bridge
#
interface Ethernet2/0/32
port link-mode bridge
#
interface Ethernet2/0/33
port link-mode bridge
#
interface Ethernet2/0/34
port link-mode bridge
#
interface Ethernet2/0/35
port link-mode bridge
#
interface Ethernet2/0/36
port link-mode bridge
#
interface Ethernet2/0/37
port link-mode bridge
#
interface Ethernet2/0/38
port link-mode bridge
#
interface Ethernet2/0/39
port link-mode bridge
#
interface Ethernet2/0/40
port link-mode bridge
#
interface Ethernet2/0/41
port link-mode bridge
#
interface Ethernet2/0/42
port link-mode bridge
#
interface Ethernet2/0/43
port link-mode bridge
#
interface Ethernet2/0/44
port link-mode bridge
#
interface Ethernet2/0/45
port link-mode bridge
#
interface Ethernet2/0/46
port link-mode bridge
#
interface Ethernet2/0/47
port link-mode bridge
#
interface Ethernet2/0/48
port link-mode bridge
#
interface GigabitEthernet2/0/51
port link-mode bridge
#
interface GigabitEthernet2/0/52
port link-mode bridge
#
interface GigabitEthernet2/0/49
#
interface GigabitEthernet2/0/50
#
ssh server enable
#
ip https enable
#
load xml-configuration
#
load tr069-configuration
#
user-interface aux 1
user-interface vty 0 15
authentication-mode scheme
user privilege level 3
idle-timeout 30 5
protocol inbound ssh
#
irf-port 2/1
port group interface GigabitEthernet2/0/49
#
irf-port 2/2
port group interface GigabitEthernet2/0/50
#
return
<Val>

5 REPLIES
akg7
HPE Pro

Re: Impossible to install a RADIUS SERVER on switch FlexNetwork 5130

Hello,

Are you getting any error message while doing RADIUS authentication?

Thanks!

I am an HPE Employee

drk787
HPE Pro

Re: Impossible to install a RADIUS SERVER on switch FlexNetwork 5130

Hi @ValOsmont 

Are you able to login with the local user (val) which you configured, to confirm that there is no issue with SSH login locally? If yes, then we may have to do the debugging for RADIUS (debug radius all). Also make sure that the keys are matching on both ends. Do not compare A3600 and 5130, as the first one runs on Comware 5 and the 5130 runs on Comware 7; there will be slight differences in the command line.

Also you may refer to the below URL, which might help you in comparing your RADIUS server configuration.

https://abouthpnetworking.com/2014/03/16/comware7-radius-based-rbac-user-role-assignment/

Thank You!
I am an HPE Employee

ValOsmont
Occasional Visitor

Re: Impossible to install a RADIUS SERVER on switch FlexNetwork 5130

Hello, thank you for your response!
No, I don't have an error message during RADIUS authentication.
In the log of my RADIUS server (Windows NPS) I have a message "the user is authorized to connect with all privileges".
Thank you very much!
Val
ValOsmont
Occasional Visitor

Re: Impossible to install a RADIUS SERVER on switch FlexNetwork 5130

Hello, thank you for your response!
Yes, I can connect with my user (val) in SSH, so no problem with the SSH connection.
How do I do RADIUS debugging?
The 2 keys match on both ends.
Thank you for the precision about Comware, I did not have that information.
I will continue to search, with the help of your URL.
Thank you very much!
Val
drk787
HPE Pro

Re: Impossible to install a RADIUS SERVER on switch FlexNetwork 5130

Hi @ValOsmont 

1) Make sure you have enabled the RADIUS services on the switch with the 'radius enable' command.

2) If you have Wireshark installed on your Windows server (RADIUS/NPS), check if you are able to see RADIUS packets being exchanged between switch and server. You should be able to see the RADIUS request from the switch, and the RADIUS accept/reject from the server.

3) If there is any firewall in between, make sure that it is not dropping the RADIUS packets. By default NPS sends and receives RADIUS traffic by using User Datagram Protocol (UDP) ports 1812, 1813, 1645, and 1646.

4) Verify the status/statistics using display radius statistics & display radius scheme.

5) The debugs that can be run on the switch are as follows.

<Switch>terminal debugging

<Switch>terminal monitor

<Switch>debug radius all

Note: Once you have reproduced the issue, you can stop the debugging by pressing 'Ctrl+O' or typing 'undo debug all'.


Thank You!
I am an HPE Employee
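Two of the checks suggested in the thread (that the shared key really matches on both ends, and what the Access-Accept actually carries once you capture it) can be done offline on the raw UDP payloads rather than by eyeballing Wireshark. The following Python script is an added example written for this page; it is not from the original thread, from HPE, or from the linked blog. It implements the RFC 2865 framing: PAP User-Password obfuscation, the Response Authenticator check MD5(Code+ID+Length+RequestAuth+Attributes+Secret), and Vendor-Specific attribute decoding. Everything in it is constructed in memory: the username, password, NAS address, secrets and the role string are made up, and the choice of Cisco-AVPair `shell:roles=` (vendor 9, type 1) as the attribute carrying the user role is an assumption about the server-side configuration, not something the thread confirms. A real capture would replace the constructed packets with the UDP payloads exported from Wireshark.

```python
"""RADIUS Access-Request / Access-Accept decoder with shared-secret check.

Added example, not code from the original thread. All packets, secrets and
names below are constructed in memory so the script runs offline.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
VENDOR_CISCO = 9        # Cisco-AVPair is vendor 9, vendor-type 1 (RFC 2865 §5.26 VSA)
VENDOR_H3C = 25506      # H3C/HPE Comware vendor ID; attribute numbers are not used here

def encode_attrs(attrs):
    """attrs: list of (type, value_bytes) -> concatenated RADIUS TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def vsa(vendor_id, vendor_type, value):
    """Body of a Vendor-Specific (26) attribute: Vendor-Id + one inner TLV."""
    return struct.pack("!I", vendor_id) + struct.pack("!BB", vendor_type, len(value) + 2) + value

def pap_password(password, secret, request_auth):
    """RFC 2865 §5.2 User-Password hiding: MD5-chained XOR in 16-byte blocks."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """RFC 2865 §3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(hdr + request_auth + attr_bytes + secret).digest()

def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs

def verify_response(resp, request_auth, secret):
    """True only if the server signed the reply with the same secret we hold.
    A NAS silently discards replies that fail this check."""
    code, ident, auth, _ = parse_packet(resp)
    return hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, resp[20:], secret))

def decode_vsas(attrs):
    """Flatten Vendor-Specific attributes into (vendor_id, vendor_type, value)."""
    out = []
    for t, v in attrs:
        if t != 26:
            continue
        vendor, i = struct.unpack("!I", v[:4])[0], 4
        while i < len(v):
            vt, vl = v[i], v[i + 1]
            out.append((vendor, vt, v[i + 2:i + vl]))
            i += vl
    return out

def roles_from_accept(attrs):
    """Role names carried as Cisco-AVPair shell:roles="r1 r2" (assumed attribute form)."""
    roles = []
    for vendor, vt, val in decode_vsas(attrs):
        if vendor == VENDOR_CISCO and vt == 1 and val.startswith(b"shell:roles="):
            roles.extend(val[len(b"shell:roles="):].decode().strip('"').split())
    return roles

def simulate(switch_secret, server_secret, server_roles=("network-admin",)):
    """One PAP login: the 'switch' signs with switch_secret, the 'server' replies
    with server_secret. Returns (authenticator_ok, roles the switch would see)."""
    request_auth = os.urandom(16)
    req = build_packet(ACCESS_REQUEST, 7, request_auth, [
        (1, b"val"),                                                     # User-Name (constructed)
        (2, pap_password("example-password", switch_secret, request_auth)),
        (4, bytes([192, 0, 2, 10])),                                     # NAS-IP-Address, TEST-NET-1
        (6, struct.pack("!I", 6)),                                       # Service-Type Administrative-User
    ])
    _, ident, auth, _ = parse_packet(req)
    reply_attrs = []
    if server_roles:
        reply_attrs.append((26, vsa(VENDOR_CISCO, 1, b'shell:roles="' + " ".join(server_roles).encode() + b'"')))
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, auth, encode_attrs(reply_attrs), server_secret)
    resp = build_packet(ACCESS_ACCEPT, ident, resp_auth, reply_attrs)
    ok = verify_response(resp, request_auth, switch_secret)
    return ok, roles_from_accept(parse_packet(resp)[3])

if __name__ == "__main__":
    print("matching keys  :", simulate(b"s3cret", b"s3cret"))
    print("mismatched keys:", simulate(b"s3cret", b"other"))
    print("accept, no VSA :", simulate(b"s3cret", b"s3cret", server_roles=()))
```

The three runs at the bottom separate the failure modes the thread is circling: a key mismatch shows up as a reply that fails the authenticator check (which on the switch looks like a server timeout, not a reject), while an Access-Accept with no role-bearing attribute verifies fine yet gives the switch nothing to map to a user role. When reading a real capture, pass the exported Access-Request authenticator, the Access-Accept bytes and the scheme key to `verify_response` and `parse_packet`, then compare the decoded VSAs against what the Comware 7 documentation (and the blog post linked above) says the switch expects.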