RADIUS/SSH OR LOCAL ACCESS REJECT

SOLVED
slimbens
Occasional Contributor

RADIUS/SSH OR LOCAL ACCESS REJECT

Hello!

I have a problem accessing my 5700 with local or RADIUS access.

I replaced a ProVision switch with a Comware 5700 and since this change I cannot access my switch.

On ProVision I had this configuration for RADIUS/SSH access and it worked fine:

aaa authentication web login radius local
aaa authentication web enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
aaa accounting system start-stop radius
radius-server host x;x;x;x;x

ip ssh
ip ssh key-size 1024

Now on my Comware device I did this (there is no ACL for the moment):

 

For local access:

line vty 0 4
 authentication-mode scheme
 user-role network-admin
 user-role network-operator
 protocol inbound ssh
 idle-timeout 30 5

ssh server enable

For RADIUS access:

radius scheme xxxx
 primary authentication x.x.x.x key cipher
 primary accounting x.x.x.x key cipher
 key authentication cipher
 key accounting cipher
 user-name-format without-domain
#
domain system
 authentication login radius-scheme xxxxx
 authorization login radius-scheme xxxx
 accounting login radius-scheme xxxxx xxxx
 authentication default radius-scheme xxxx local
 authorization default radius-scheme xxxx local
 accounting default radius-scheme xxxx local
#
domain default enable system

When a user tries to connect using RADIUS over SSH he gets this error message (the user is instantly disconnected from the session):

 

%Feb  9 19:24:50:167 2015 FR-CORE-01 SSHS/6/SSHS_LOG: Accepted password for kanchana from xx.x.x.x port 54603ssh2.
%Feb  9 19:24:50:198 2015 FR-CORE-01 SSHS/6/SSHS_CONNECT: SSH user  (IP: ) connected to the server successfully.
%Feb  9 19:24:51:845 2015 FR-CORE-01 SSHS/6/SSHS_DISCONNECT: SSH user  (IP:) disconnected from the server.

And with local access using SSH:

Access permission denied

On the user's SSH interface we just see this and we are always disconnected:

******************************************************************************
* Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P.          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

Shared connection to x;x;x;x closed.

Please, can you help me?

Thanks in advance for your help.

7 REPLIES
sdide
Respected Contributor
Solution

Re: RADIUS/SSH OR LOCAL ACCESS REJECT

Hi Slimbens,

A few things you need to remember.

1: Have you created the RSA and/or DSA keys needed for SSH?

] public-key local create rsa
] public-key local create dsa

You use only "line vty 0 4", but there are in fact 64 vty lines (so you might want to use "line vty 0 63").

If you want to fall back to local login, you need to look through your "domain system" commands: there are a few "local" missing at the end of the aaa login statements. (You don't need the default statements if you just need SSH login.)

And you need to make a local user if you want to log in locally.

] local-user mylocaluser
] password simple <cleartext-password>
] authorization-attribute user-role <the-user-role-you-want>

So if somehow the RADIUS service cannot be reached, you can do a fallback*) login using mylocaluser in the system domain.

*) The fallback login is enabled in the "domain" (in your case "system") using the "authentication login radius-scheme parrot local" command (and the same for the authorization and accounting); the last "local" in these lines makes the fallback. You can only use this fallback in case the RADIUS service cannot be reached.

If you want to make a local user that can be enabled at the same time as a functioning RADIUS service, you can make a new domain, and log onto that with the local user.

Regards.

Søren Dideriksen, Network Administrator
Region Midtjylland
Apachez-
Trusted Contributor

Re: RADIUS/SSH OR LOCAL ACCESS REJECT

When creating the local private keys, don't forget to define their size.

I think the default is 1024, which is NOT recommended nowadays. They should be at least 2048.

So press the ? key after the last command of each line to see which sizes are available and pick the largest possible.

slimbens
Occasional Contributor

Re: RADIUS/SSH OR LOCAL ACCESS REJECT

Thank you very much for your quick reply. I already created the RSA/DSA key files, but after reading your advice I can see some mistakes in my configuration, so I'm trying to fix them and I'll come back to you with some news.

Best regards!

Slim

slimbens
Occasional Contributor

Re: RADIUS/SSH OR LOCAL ACCESS REJECT

Hello everyone,

After testing your tips, the fallback to local access for the SSH service type and local users works fine.
However, to make it work I had to change the modulus of the RSA and DSA public keys from 2048 to 1024; it didn't work with a 2048 modulus, but now it's OK for local SSH access.

But I still have a problem with the RADIUS session. The SSH users have a peer public key and these commands:

ssh users ....service type all authentication any ( password/public key ) assign 'key...."

The peer key was imported into the flash directory with the command:

public key peer .....

The RADIUS (802.1X) users connect correctly to the 5700 via RADIUS but they are automatically/instantly disconnected....

RADIUS and SSH debugging was enabled and captured; if you want I can share the debug output.

Do you have any idea of the problem? Is there a problem with the key? I think it is useless because we never specified a peer key or anything else on the ProVision switches.

Thanks in advance for your precious help.

Best regards.

Slim

slimbens
Occasional Contributor

Re: RADIUS/SSH OR LOCAL ACCESS REJECT

For information, below you can find what is displayed on the client screen when I try a RADIUS connection:

9d [Slimbens@grenache:/home/Slimbens] $ ssh r1
Slimbens@192.168.99.1’s password:
Permission denied, please try again.
Slimbens@192.168.99.1’s password:

******************************************************************************
* Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P.         *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                  *
******************************************************************************

##### PERSONAL AUTHORIZED ONLY // ACCES IS FORBIDDEN #####

Shared connection to 192.168.99.1 closed.

And on the switch I have this:

*Feb 20 11:07:09:461 2015 SWITCH1SSHS/7/EVENT: Received SSH2_MSG_DISCONNECT from 192.168.99.99: reason '11', message "disconnected by user".
%Feb 20 11:07:09:461 2015 SWITCH1SSHS/6/SSHS_DISCONNECT: SSH user Slimbens (IP: 192.168.99.99) disconnected from the server.
*Feb 20 11:07:09:461 2015 SWITCH1SSHS/7/EVENT: PAM: cleanup


Peter_Debruyne
Honored Contributor

Re: RADIUS/SSH OR LOCAL ACCESS REJECT

Did you configure the RADIUS server profile to send service-type login and either the CMW5-based privilege level (0/1/2/3) or the CMW7-based user-role (using cisco-av-pair)?
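The following is an added example, not a configuration from this thread or from HPE: it consolidates the fixes sdide lists (all 64 vty lines, the trailing "local" fallback, a local user with a role) together with the RADIUS-side attributes Peter_Debruyne asks about, for a Comware 7 switch. The scheme name, server address, shared secret and user are placeholders, and the exact attribute syntax in step 6 is an assumption to check against the HPE Comware 7 AAA configuration guide for the firmware in use.

```text
# Added example (not from the thread). Placeholders: RAD-SCHEME, 192.0.2.10, <secret>, <password>.
#
# 1. Host keys. The command prompts for the modulus; the OP reported 2048 failing on
#    his firmware, so pick the largest size the "?" prompt offers on your release.
public-key local create rsa
# Input the modulus length [default = 1024]: 2048
#
# 2. Local emergency account. "class manage" is required on Comware 7 for login users.
local-user mylocaluser class manage
 password simple <password>
 service-type ssh
 authorization-attribute user-role network-admin
#
# 3. RADIUS scheme; user-name-format without-domain strips "@system" before sending.
radius scheme RAD-SCHEME
 primary authentication 192.0.2.10 key simple <secret>
 primary accounting 192.0.2.10 key simple <secret>
 user-name-format without-domain
#
# 4. The trailing "local" falls back to the local user ONLY when the RADIUS server is
#    unreachable. An Access-Reject does not fall back, so a wrong password fails closed.
domain system
 authentication login radius-scheme RAD-SCHEME local
 authorization login radius-scheme RAD-SCHEME local
 accounting login radius-scheme RAD-SCHEME local
#
domain default enable system
#
# 5. All 64 vty lines, SSH only.
line vty 0 63
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 30 5
#
ssh server enable
#
# 6. RADIUS server side, per login user (assumed attribute syntax, verify for your release):
#    Service-Type = Login
#    Cisco-AVPair = "shell:roles=\"network-admin\""
#    Without a role attribute, password authentication succeeds but the session has no
#    usable role, which is consistent with the accept-then-instant-disconnect log above.
```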

slimbens
Occasional Contributor

Re: RADIUS/SSH OR LOCAL ACCESS REJECT

Thanks for your reply!

For information:

Using the Cisco AV-pair attributes 'level-x' or 'network-admin', or creating a specific role attribute on the device, it's OK: we can connect to the device with a RADIUS account,

but now we must fix the rules and privileges because we only have read access.

Regards

Slim