Problem with Radius authentication with 5900 switch

 
polevoym
Occasional Contributor

Hi

I have 5900 switch running 7.1.045, Release 2311P05

I have implemented the below config for radius authentication:

radius scheme infra.mms
 primary authentication 1.1.1.1 key simple xxxxxxxx
 user-name-format keep-original
 quit
domain infra.mms
 authentication login radius-scheme infra.mms local
 authorization login radius-scheme infra.mms local
 accounting login radius-scheme infra.mms local
 authentication default radius-scheme infra.mms local
 quit
domain default enable infra.mms
user-interface vty 0 15
 authentication-mode scheme
 user-role network-admin
 user-role network-operator
 quit

Although the user is authenticated successfully, the switch is disconnecting the SSH connection.

 

I have the same configuration on another switch with an older version, Version 7.1.023, Release 2108P02, which works without a problem.

 

Can someone help figure out the problem?

 

 

Below is the debug output from the switch:

*Sep  7 06:13:40:438 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Get authentication methods: password
*Sep  7 06:13:40:438 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[51].
*Sep  7 06:13:40:695 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 93.
*Sep  7 06:13:52:194 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 50.
*Sep  7 06:13:52:194 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Received SSH2_MSG_USERAUTH_REQUEST.
*Sep  7 06:13:52:194 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Username: user@infra.mms, service: ssh-connection, method: password
*Sep  7 06:13:52:194 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Try authentication method password.
*Sep  7 06:13:52:194 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Password authentication and authorization.
*Sep  7 06:13:52:196 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Processing RADIUS authentication.
*Sep  7 06:13:52:197 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Sent authentication request successfully.
*Sep  7 06:13:52:197 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Processing AAA request data.
*Sep  7 06:13:52:197 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Got request data successfully, primitive: authentication.
*Sep  7 06:13:52:197 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Getting RADIUS server info.
*Sep  7 06:13:52:197 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Got RADIUS server info successfully.
*Sep  7 06:13:52:198 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Created request context successfully.
*Sep  7 06:13:52:198 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Created request packet successfully, dstIP: 15.224.192.139, dstPort: 1812, VPN instance: --(public), socketFd: 22, pktID: 249.
*Sep  7 06:13:52:198 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Added packet socketfd to epoll successfully, socketFd: 22.
*Sep  7 06:13:52:291 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Mapped PAM item to RADIUS attribute successfully.
*Sep  7 06:13:52:291 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Got RADIUS username format successfully, format: 0.
*Sep  7 06:13:52:291 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Added attribute user-name successfully, user-name: user@infra.mms.
*Sep  7 06:13:52:291 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Filled RADIUS attributes in packet successfully.
*Sep  7 06:13:52:291 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Composed request packet successfully.
*Sep  7 06:13:52:291 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Created response timeout timer successfully.
*Sep  7 06:13:52:292 2015 CA-KAM-DC-R1.4-01 RADIUS/7/PACKET:
    User-Name=user@infra.mms
    User-Password=******
    Service-Type=Login-User
    Framed-IP-Address=5.5.5.5
    NAS-IP-Address=3.3.3.3
*Sep  7 06:13:52:292 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Sent request packet successfully.
*Sep  7 06:13:52:293 2015 CA-KAM-DC-R1.4-01 RADIUS/7/PACKET:
 01 f9 00 53 af fb ee 97 ad ca c6 6c d1 0d 1a 84
 6a 88 a1 36 01 1b 6d 69 63 68 61 65 6c 2e 70 6f
 6c 65 76 6f 79 40 69 6e 66 72 61 2e 6d 6d 73 02
 12 33 d5 88 e7 70 1b a6 8c 6f a6 93 e5 7d e6 ad
 5b 06 06 00 00 00 01 08 06 d5 08 6f 84 04 06 0a
 77 00 6b
 
*Sep  7 06:13:52:293 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Sent request packet and create request context successfully.
*Sep  7 06:13:52:294 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Added request context to global table successfully.
*Sep  7 06:13:52:747 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 93.
*Sep  7 06:13:54:396 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Reply SocketFd received EPOLLIN event.
*Sep  7 06:13:54:396 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Received reply packet succuessfully.
*Sep  7 06:13:54:396 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Found request context, dstIP: 15.224.192.139, dstPort: 1812, VPN instance: --(public), socketFd: 22, pktID: 249.
*Sep  7 06:13:54:397 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
The reply packet is valid.
*Sep  7 06:13:54:397 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Decoded reply packet successfully.
*Sep  7 06:13:54:397 2015 CA-KAM-DC-R1.4-01 RADIUS/7/PACKET:
    Class=0x53425232434c93c4f89daab1bd84ef8011803a0180038198ce8002801d81b6daacb6c385caec979c8df6e395ecefbcd08d96f399e4e1979badd79812800e8193c4f89daab1bd84ef808087c0bc
    Cisco-AVPair=shell:roles=network-admin
    Service-Type=NAS-Prompt-User
*Sep  7 06:13:54:398 2015 CA-KAM-DC-R1.4-01 RADIUS/7/PACKET:
 02 f9 00 8b 7e 0c d6 4d e8 7d 3e 7c ea d4 02 f6
 ed 01 1f 58 19 4f 53 42 52 32 43 4c 93 c4 f8 9d
 aa b1 bd 84 ef 80 11 80 3a 01 80 03 81 98 ce 80
 02 80 1d 81 b6 da ac b6 c3 85 ca ec 97 9c 8d f6
 e3 95 ec ef bc d0 8d 96 f3 99 e4 e1 97 9b ad d7
 98 12 80 0e 81 93 c4 f8 9d aa b1 bd 84 ef 80 80
 87 c0 bc 1a 22 00 00 00 09 01 1c 73 68 65 6c 6c
 3a 72 6f 6c 65 73 3d 6e 65 74 77 6f 72 6b 2d 61
 64 6d 69 6e 00 06 06 00 00 00 07
 
*Sep  7 06:13:54:398 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Sent reply message successfully.
*Sep  7 06:13:54:398 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Sep  7 06:13:54:399 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Received authentication reply message, resultCode: 0
*Sep  7 06:13:54:405 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Processing RADIUS authorization.
*Sep  7 06:13:54:406 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: RADIUS Authorization successfully.
*Sep  7 06:13:54:406 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: Get work directory flash:.
*Sep  7 06:13:54:406 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: Get role list network-admin.
*Sep  7 06:13:54:406 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: password authentication accepted for user@infra.mms.
*Sep  7 06:13:54:406 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: accounting.
*Sep  7 06:13:54:412 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: account management : 0 (success)
%Sep  7 06:13:54:412 2015 CA-KAM-DC-R1.4-01 SSHS/6/SSHS_LOG: Accepted password for user@infra.mms from 5.5.5.5 port 41606 ssh2.

*Sep  7 06:13:54:412 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[52].
*Sep  7 06:13:54:413 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Entering interactive session for SSH2.
*Sep  7 06:13:54:414 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Initiate server message dispatch, compatibility:1/0
*Sep  7 06:13:54:631 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 90.
*Sep  7 06:13:54:632 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Received SSH2_MSG_CHANNEL_OPEN: ctype session, rchan 0, win 16384, max 8192
*Sep  7 06:13:54:632 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Received session request.
*Sep  7 06:13:54:632 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: new [server-session]
*Sep  7 06:13:54:632 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Session id 0 unused.
*Sep  7 06:13:54:632 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Session opened: session 0, link with channel 0
*Sep  7 06:13:54:632 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[91].
*Sep  7 06:13:54:846 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 98.
*Sep  7 06:13:54:847 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Received SSH2_MSG_CHANNEL_REQUEST: channel 0, request pty-req, reply 1
*Sep  7 06:13:54:847 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel request: user user@infra.mms, service type 1
*Sep  7 06:13:54:859 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Open pty: pseudo-terminal-master(25), pseudo-terminal-sub(24)
*Sep  7 06:13:54:860 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[99].
*Sep  7 06:13:55:074 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 98.
*Sep  7 06:13:55:074 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Received SSH2_MSG_CHANNEL_REQUEST: channel 0, request shell, reply 1
*Sep  7 06:13:55:074 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel request: user user@infra.mms, service type 1
*Sep  7 06:13:55:077 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: read_fd 27 is a TTY.
*Sep  7 06:13:55:077 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[93].
*Sep  7 06:13:55:078 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[99].
*Sep  7 06:13:55:079 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: opening session.
*Sep  7 06:13:55:086 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Setup environment: user=user@infra.mms, work directory=flash:, level=0
*Sep  7 06:13:55:087 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Get default work dir: flash:, return:0
%Sep  7 06:13:55:088 2015 CA-KAM-DC-R1.4-01 SSHS/6/SSHS_CONNECT: SSH user user@infra.mms (IP: 5.5.5.5) connected to the server successfully.
*Sep  7 06:13:55:109 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 93.
*Sep  7 06:13:55:230 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: RADIUS accounting started.
*Sep  7 06:13:55:231 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Sent accounting-start request successfully.
*Sep  7 06:13:55:231 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Processing AAA request data.
*Sep  7 06:13:55:231 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Got request data successfully, primitive: accounting-start.
*Sep  7 06:13:55:232 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Getting RADIUS server info.
*Sep  7 06:13:55:232 2015 CA-KAM-DC-R1.4-01 RADIUS/7/ERROR:
Failed to get server info.
*Sep  7 06:13:55:232 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Sent reply message successfully.
*Sep  7 06:13:55:232 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Fetched accounting-start reply-data successfully, resultCode: 3
*Sep  7 06:13:55:233 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Received accounting-start reply message, resultCode: 3
%Sep  7 06:13:55:248 2015 CA-KAM-DC-R1.4-01 LOGIN/6/LOGIN_FAILED: user@infra.mms failed to log in from 5.5.5.5.
*Sep  7 06:13:58:251 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: read failed
*Sep  7 06:13:58:252 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: input state changed (open - drain)
*Sep  7 06:13:58:252 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: send EOF
*Sep  7 06:13:58:252 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[96].
*Sep  7 06:13:58:253 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: input state changed (drain - closed)
*Sep  7 06:13:58:253 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Received SIGCHLD.
*Sep  7 06:13:58:253 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: request exit-status confirm 0
*Sep  7 06:13:58:253 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[98].
*Sep  7 06:13:58:254 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Release channel 0
*Sep  7 06:13:58:254 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: write failed
*Sep  7 06:13:58:254 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: send EOW
*Sep  7 06:13:58:254 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: output state changed (open - closed)
*Sep  7 06:13:58:254 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Close pty: pseudo-terminal-master(-1), pseudo-terminal-sub(24)
*Sep  7 06:13:58:256 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: send SSH2_MSG_CHANNEL_CLOSE
*Sep  7 06:13:58:256 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[97].
*Sep  7 06:13:58:470 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 96.
*Sep  7 06:13:58:470 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: received EOF
*Sep  7 06:13:58:470 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 97.
*Sep  7 06:13:58:470 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: received SSH2_MSG_CHANNEL_CLOSE
*Sep  7 06:13:58:470 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Close session: session 0, pid 0
*Sep  7 06:13:58:471 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Close pty: pseudo-terminal-master(-1), pseudo-terminal-sub(-1)
*Sep  7 06:13:58:471 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Session id 0 unused.
*Sep  7 06:13:58:471 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: garbage collecting
*Sep  7 06:13:58:472 2015 CA-KAM-DC-R1.4-01 SSHS/7/ERROR: Read error from remote host 5.5.5.5: Connection reset by peer
%Sep  7 06:13:58:472 2015 CA-KAM-DC-R1.4-01 SSHS/6/SSHS_DISCONNECT: SSH user user@infra.mms (IP: 5.5.5.5) disconnected from the server.
*Sep  7 06:13:58:472 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: cleanup
*Sep  7 06:13:58:696 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 93.;
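A way to read the debug output above mechanically, as an added example that is not part of the original post and not an HPE tool: it groups the RADIUS/7 events by AAA primitive and reports the PAM_RADIUS result code and any RADIUS/7/ERROR seen for each, so the accounting-start failure stands out next to the successful authentication. The sample lines are trimmed copies of the output posted above; the record layout and regular expressions are this example's own assumptions about the Comware debug format.

```python
"""Correlate Comware RADIUS debug events by AAA primitive.

Added example for this thread (not switch or HPE code). Comware prints a
header line such as '*Sep  7 06:13:52:196 2015 <host> RADIUS/7/EVENT:' and,
for RADIUS events, the message text on the following line(s). This script
re-joins those lines, then reports per primitive (authentication,
accounting-start, ...) the resultCode the PAM_RADIUS layer returned.
"""
import re
from dataclasses import dataclass

# "<*|%><timestamp> <hostname> <module>/<severity>/<mnemonic>: <message>"
HEADER = re.compile(r'^[*%](.+? \d{4}) (\S+) ([A-Z_]+)/(\d)/([A-Z_]+):\s*(.*)$')
PRIMITIVE = re.compile(r'primitive: ([\w-]+)\.')
RESULT = re.compile(r'PAM_RADIUS: Received ([\w-]+) reply message, resultCode: (\d+)')

# Constructed sample: trimmed copies of the debug lines posted in this thread.
SAMPLE_DEBUG = """\
*Sep  7 06:13:52:196 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Processing RADIUS authentication.
*Sep  7 06:13:52:197 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Got request data successfully, primitive: authentication.
*Sep  7 06:13:52:292 2015 CA-KAM-DC-R1.4-01 RADIUS/7/PACKET:
    User-Name=user@infra.mms
    Service-Type=Login-User
*Sep  7 06:13:54:399 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Received authentication reply message, resultCode: 0
%Sep  7 06:13:54:412 2015 CA-KAM-DC-R1.4-01 SSHS/6/SSHS_LOG: Accepted password for user@infra.mms from 5.5.5.5 port 41606 ssh2.
*Sep  7 06:13:55:231 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Got request data successfully, primitive: accounting-start.
*Sep  7 06:13:55:232 2015 CA-KAM-DC-R1.4-01 RADIUS/7/ERROR:
Failed to get server info.
*Sep  7 06:13:55:233 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Received accounting-start reply message, resultCode: 3
%Sep  7 06:13:55:248 2015 CA-KAM-DC-R1.4-01 LOGIN/6/LOGIN_FAILED: user@infra.mms failed to log in from 5.5.5.5.
"""


@dataclass
class Record:
    timestamp: str
    host: str
    module: str
    severity: int
    mnemonic: str
    message: str


def parse_debug(text):
    """Split debug text into records, attaching continuation lines to the preceding header."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, host, module, sev, mnemonic, msg = m.groups()
            records.append(Record(ts, host, module, int(sev), mnemonic, msg.strip()))
        elif records and line.strip():
            # Message text (or a PACKET attribute list) printed after the header line.
            records[-1].message = (records[-1].message + "\n" + line.strip()).strip()
    return records


def correlate(records):
    """Return ({primitive: {'result': code or None, 'errors': [...]}}, login_failed_seen)."""
    outcome = {}
    current = None
    login_failed = False
    for r in records:
        if r.module == 'RADIUS':
            prim = PRIMITIVE.search(r.message)
            if prim:
                current = prim.group(1)
                outcome.setdefault(current, {'result': None, 'errors': []})
            if r.mnemonic == 'ERROR' and current:
                outcome[current]['errors'].append(r.message)
            res = RESULT.search(r.message)
            if res:
                outcome.setdefault(res.group(1), {'result': None, 'errors': []})['result'] = int(res.group(2))
        elif r.mnemonic == 'LOGIN_FAILED':
            login_failed = True
    return outcome, login_failed


def diagnose(text):
    """One-line reading of the captured exchange."""
    outcome, login_failed = correlate(parse_debug(text))
    auth = outcome.get('authentication', {}).get('result')
    acct = outcome.get('accounting-start', {})
    if auth == 0 and acct.get('result') not in (None, 0) and login_failed:
        return ('authentication succeeded but accounting-start returned resultCode %d (%s); '
                'the domain does accounting, so check that the RADIUS scheme defines an accounting server'
                % (acct['result'], '; '.join(acct['errors']) or 'no error text'))
    if auth not in (None, 0):
        return 'authentication rejected by the RADIUS server (resultCode %d)' % auth
    return 'no AAA failure found in the captured debug'


if __name__ == '__main__':
    print(diagnose(SAMPLE_DEBUG))
```

Feeding it the full capture gives the same reading: the authentication primitive completes with resultCode 0, the accounting-start primitive logs "Failed to get server info." and resultCode 3, and the LOGIN_FAILED line follows, which is the point at which the shell is torn down.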

 

 

2 REPLIES
TerjeAFK
Respected Contributor

Re: Problem with Radius authentication with 5900 switch

We are running software 7.1.045 2311P06 on our 5900 switches, and this config works for us:

 

radius scheme scheme-ahfk
 primary authentication <Radius server>
 key authentication cipher xxxxxxxxxx
 user-name-format without-domain
 nas-ip <switch ip address>
#
domain ahfk
 authentication login radius-scheme scheme-ahfk
 authorization login radius-scheme scheme-ahfk
#
line vty 0 15
 terminal type vt100
 authentication-mode scheme
 user-role network-admin
 user-role privilege
 protocol inbound ssh
 idle-timeout 0 0
#

 

We use Aruba ClearPass for Radius.

 

sdide
Respected Contributor

Re: Problem with Radius authentication with 5900 switch

Hi polevoym,

You have

radius scheme infra.mms
 primary authentication 1.1.1.1 key simple xxxxxxxx
...

I think you need to add a line for the primary accounting server as well, since you are doing accounting in your domain infra.mms.

 

 

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland
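A small configuration check for the gap this reply describes, as an added example that is neither HPE code nor the poster's: it parses the radius scheme and domain views of a Comware config and reports any service a domain sends to a scheme that has no matching primary server line, so a domain doing accounting through a scheme with only an authentication server is flagged before the first login is tried. The sample configs are reconstructed from this thread, and the block-parsing rules (quit or # ends a view, one-space indentation optional) are this example's own assumptions about the config syntax.

```python
"""Lint Comware AAA config for a domain that does accounting through a RADIUS
scheme that defines no accounting server.

Added example for this thread, not HPE code. It parses the 'radius scheme'
and 'domain' blocks of a Comware config (flat style ended by 'quit', as in
the first post, or indented style separated by '#', as in the first reply)
and checks that every service a domain hands to a scheme has a matching
'primary authentication' / 'primary accounting' server in that scheme.
"""
import re

# 'domain default enable X' carries extra tokens and deliberately does not match.
BLOCK_START = re.compile(r'^(radius scheme|domain) (\S+)$')
BLOCK_END = ('quit', '#')
# "<service> <login|default|...> radius-scheme <scheme> [local]" inside a domain view
USES_SCHEME = re.compile(r'^(authentication|authorization|accounting) (\S+) radius-scheme (\S+)')
# "primary authentication <ip> ..." / "primary accounting <ip> ..." inside a radius scheme view
SERVER_LINE = re.compile(r'^primary (authentication|accounting) (\S+)')

# Constructed sample, reconstructed from the first post: an authentication
# server only, while the domain also does accounting.
POSTED_CONFIG = """\
radius scheme infra.mms
 primary authentication 1.1.1.1 key simple xxxxxxxx
 user-name-format keep-original
 quit
domain infra.mms
 authentication login radius-scheme infra.mms local
 authorization login radius-scheme infra.mms local
 accounting login radius-scheme infra.mms local
 authentication default radius-scheme infra.mms local
 quit
domain default enable infra.mms
"""

# The same scheme with the primary accounting server this reply suggests (constructed).
FIXED_CONFIG = POSTED_CONFIG.replace(
    " user-name-format keep-original",
    " primary accounting 1.1.1.1 key simple xxxxxxxx\n user-name-format keep-original")


def parse_blocks(config):
    """Return {'radius scheme': {name: [lines]}, 'domain': {name: [lines]}}."""
    blocks = {'radius scheme': {}, 'domain': {}}
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        start = BLOCK_START.match(line)
        if start:
            kind, name = start.groups()
            blocks[kind][name] = []
        elif line in BLOCK_END:
            kind = name = None
        elif kind is not None:
            blocks[kind][name].append(line)
    return blocks


def lint(config):
    """List every domain service line whose scheme cannot serve it."""
    blocks = parse_blocks(config)
    findings = []
    for domain, lines in blocks['domain'].items():
        for line in lines:
            use = USES_SCHEME.match(line)
            if not use:
                continue
            service, scope, scheme = use.groups()
            if scheme not in blocks['radius scheme']:
                findings.append(f"domain {domain}: {service} {scope} references undefined radius scheme {scheme}")
                continue
            servers = {m.group(1) for m in map(SERVER_LINE.match, blocks['radius scheme'][scheme]) if m}
            # RADIUS authorization rides on the authentication exchange, so it needs the
            # authentication server; accounting is a separate exchange with its own server entry.
            needed = 'accounting' if service == 'accounting' else 'authentication'
            if needed not in servers:
                findings.append(f"domain {domain}: {service} {scope} uses scheme {scheme}, "
                                f"which has no 'primary {needed}' server")
    return findings


if __name__ == '__main__':
    for label, cfg in (('posted', POSTED_CONFIG), ('fixed', FIXED_CONFIG)):
        print(label, lint(cfg) or 'no findings')
```

Run against the posted config the only finding is the accounting line of domain infra.mms; with a primary accounting server added to the scheme the check is clean.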