HPE Community
Comware Based
1753716 Members
4791 Online
108799 Solutions
New Discussion

Re: Local account access using public-key pair with TACACS enabled

 
AdamT2
Member

‎01-11-2021 03:30 PM - edited ‎01-11-2021 04:40 PM

‎01-11-2021 03:30 PM - edited ‎01-11-2021 04:40 PM

Local account access using public-key pair with TACACS enabled

I've recently configured TACACS access for a switch and encountered an issue when trying to access using a local account. The TACACS access is working without issues, however the local backup account is experiencing login issues:.

When logging in as zbxbackup historically, the public key peer would allow the backup server to log in immediately. When attempting to login using zbxbackup@localadmin after the default domain was changed, it now prompts for a password incorrectly.

In the meantime I have reverted the default domain back to localadmin so the backup functions correctly. Is there a way around this, or is there something misconfigured?

 

EDIT: Just noticed that using zbxbackup@localadmin and entering passed the password allows access from anywhere ignoring the public key.. will probably need to switch to password based because of this.

 

 

HPE Comware Software, Version 7.1.070, Release 2612P02

HPE FF 5940

 

 

hwtacacs scheme tacacs
primary authentication xxx.xxx.xxx.xxx vpn-instance INTERNAL_ACCESS
primary authorization xxx.xxx.xxx.xxx vpn-instance INTERNAL_ACCESS
primary accounting xxx.xxx.xxx.xxx vpn-instance INTERNAL_ACCESS
secondary authentication xxx.xxx.xxx.xxx vpn-instance INTERNAL_ACCESS
secondary authorization xxx.xxx.xxx.xxx vpn-instance INTERNAL_ACCESS
secondary accounting xxx.xxx.xxx.xxx vpn-instance INTERNAL_ACCESS
key authentication cipher XXXXXXXX
key authorization cipher XXXXXXXX
key accounting cipher XXXXXXXX
user-name-format without-domain
nas-ip xxx.xxx.xxx.xxx
#
domain domain.com
authentication login hwtacacs-scheme tacacs local
authorization login hwtacacs-scheme tacacs local
accounting login hwtacacs-scheme tacacs
#
domain localadmin
authentication login local
authorization login local
accounting login local
#
domain default enable domain.com
#
local-user zbxbackup class manage
service-type ssh terminal
authorization-attribute user-role network-operator
#
public-key peer zbxbackup
public-key-code begin
XXXXXXXXXXXXXXXXXXXXXXX
public-key-code end
peer-public-key end

0 Kudos
5 REPLIES 5
Ivan_B
HPE Pro

‎01-12-2021 03:37 AM

‎01-12-2021 03:37 AM

Re: Local account access using public-key pair with TACACS enabled

Hi @AdamT2 !

If I'm not mistaken, you need to specify authentication method as 'publickey' for your local user, like in this example:

[Switch] ssh user zbxbackup service-type stelnet authentication-type publickey assign publickey zbxbackup

 

 

I am an HPE employee

Accept or Kudo

0 Kudos
AdamT2
Member

‎01-12-2021 01:32 PM

‎01-12-2021 01:32 PM

Re: Local account access using public-key pair with TACACS enabled

Hi Ivan,

There are no configuration options for 'authentication-type' available within the local-user configuration:


[dou-dpl-swc-1]local-user zbxbackup class manage
[dou-dpl-swc-1-luser-manage-zbxbackup]?
Local-user protocol view commands:
  access-limit             Specify the maximum concurrent access number for the
                           local user
  authorization-attribute  Specify authorization attributes for the user group
  bind-attribute           Specify binding attributes of local user
  cfd                      Connectivity Fault Detection (CFD) module
  diagnostic-logfile       Diagnostic log file configuration
  display                  Display current system information
  emulate-ping             Emulate ping function
  end                      Alias for 'return'
  exit                     Alias for 'quit'
  group                    Specify user group of local user
  ip                       Specify IP configuration
  lock                     Lock the current line
  logfile                  Log file configuration
  monitor                  System monitor
  mtrace                   Configure the multicast traceroute
  no                       Alias for 'undo'
  password                 Specify password of local user
  password-control         Password control feature
  ping                     Ping function
  quit                     Exit from current command view
  repeat                   Repeat executing history commands
  reset                    Reset operation
  return                   Exit to User View
  save                     Save current configuration
  security-logfile         Security log file configuration
  service-type             Specify a service type for the local user
  show                     Alias for 'display'
  state                    Specify state of local user
  tracert                  Tracert function
  undo                     Cancel current setting
  write                    Alias for 'save'
0 Kudos
Ivan_B
HPE Pro

‎01-12-2021 09:51 PM

‎01-12-2021 09:51 PM

Re: Local account access using public-key pair with TACACS enabled

Hi Adam!

I didn't mention local-user configuration context anywhere . Please, check the example I gave you carefully, this is global command, not a command under local-user configuration context.

I am sure this guide will be extremely helpful to you - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00041206en_us , page 563.

P.S. Just to be sure I decided to check this command on one of my lab switches. Not like I don't believe guides, but you never know, lol:

<HPE>sys
System View: return to User View with Ctrl+Z.
[HPE]

[HPE]ssh user ?
  STRING<1-80>  SSH user name

[HPE]ssh user zxbackup ?
  service-type  Specify a service type

[HPE]ssh user zxbackup ser
[HPE]ssh user zxbackup service-type ?
  all      All service types
  netconf  NETCONF
  scp      SCP
  sftp     SFTP
  stelnet  Stelnet

[HPE]ssh user zxbackup service-type stel
[HPE]ssh user zxbackup service-type stelnet ?
  authentication-type  Specify an authentication method

[HPE]ssh user zxbackup service-type stelnet auth
[HPE]ssh user zxbackup service-type stelnet authentication-type ?
  any                 Any authentication method
  password            Password authentication
  password-publickey  Password-publickey authentication
  publickey           Publickey authentication

[HPE]ssh user zxbackup service-type stelnet authentication-type publ
[HPE]ssh user zxbackup service-type stelnet authentication-type publickey ?
  assign  Specify the parameter for client verification
  <cr>

[HPE]ssh user zxbackup service-type stelnet authentication-type publickey assi
[HPE]ssh user zxbackup service-type stelnet authentication-type publickey assign
 ?
  pki-domain  Use a PKI domain
  publickey   Use a public key of the client

[HPE]ssh user zxbackup service-type stelnet authentication-type publickey assign
 pub
[HPE]ssh user zxbackup service-type stelnet authentication-type publickey assign
 publickey zxbackup ?
  STRING<1-64>  Public key name
  <cr>

[HPE]ssh user zxbackup service-type stelnet authentication-type publickey assign
 publickey zxbackup
[HPE]
[HPE]dis curr | i ssh
 ssh user zxbackup service-type stelnet authentication-type publickey assign publickey zxbackup
[HPE]
[HPE]

 

 

I am an HPE employee

Accept or Kudo

0 Kudos
AdamT2
Member

‎01-14-2021 02:52 PM

‎01-14-2021 02:52 PM

Re: Local account access using public-key pair with TACACS enabled

Hi Ivan,

I've reviewed the configuration and can confirm that the provided configuration is already present (existed further up in the configuration away from the other local user and public key commands).

 

 

#
 ssh server enable
 ssh user zbxbackup service-type stelnet authentication-type publickey assign publickey zbxbackup
 ssh server acl 2500
#

 

 

 

Seems to be that public keys do not work if you point the username to a specific authentication domain using @domain.  In the meantime I've configured the backup account with a password to protect against the unauthenticated access anyone can use when pointing to a domain configured with local access.

0 Kudos
Ivan_B
HPE Pro

‎01-21-2021 12:35 AM

‎01-21-2021 12:35 AM

Re: Local account access using public-key pair with TACACS enabled

Ok, since that line is in the config, I am afraid this requires deeper troubleshooting than we do on this forum. I suggest you to contact our Support and open a case for this issue.

 

I am an HPE employee

Accept or Kudo

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.