Hassan2
Occasional Visitor

Radius Authentication_Login Failed

Hi,

I have implemented a new HPE 5510 HI series switch in my network, and everything is working fine except authentication using RADIUS. When I try to access it through SSH, after I enter the switch it gives me a login failure and then the session closes automatically. I have software version 5510_HI_7.10.R3506P02.

I have tried to change the accounting login to none and to the RADIUS scheme, but it is the same result. Now I can only access it using the local user; see my configuration details below:

radius scheme aaa
primary authentication 10..x.x.x key cipher xyz
secondary authentication 10..x.x.x key cipher xyz
secondary authentication 10.x.x.x key cipher xyz
key authentication cipher xyz
retry 2
timer response-timeout 4
user-name-format keep-original
#
radius scheme system
user-name-format without-domain
#
domain aaa.local
authentication login radius-scheme aaa
authorization login radius-scheme aaa
authentication lan-access radius-scheme aaa
authorization lan-access radius-scheme aaa
#
domain system
#
domain default enable system
#

!

local-user admin class manage
password xyz
service-type telnet https ssh terminal
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator

!

line class aux
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0 6
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
user-role network-operator
#
line vty 5 15
authentication-mode none
user-role network-operator
#
line vty 16 63
user-role network-operator

Ivan_B
HPE Pro

Re: Radius Authentication_Login Failed

Hello!

"accounting login none" should be there under the domain aaa.local context. Even if it is not the root cause of this issue, it will cause another one, so keep it there.

When you try to log in to the switch over SSH, do you use the username@aaa.local format for the username?

Did you check with Wireshark on your RADIUS server whether it gets Access-Request messages from the switch when you attempt to log in? Could you check that, and also check the attributes the server pushes to the switch in its Access-Accept messages? If you see no Access-Accept but an Access-Reject, then it's another story, and in that case you need to check on the server why it rejects the login attempt.

I am an HPE employee


Brian_Dsouza
HPE Pro

Re: Radius Authentication_Login Failed

@Hassan2 If you are using the domain aaa.local, please set the default domain to "aaa.local" and not "system".

domain default enable system ---------X

domain default enable aaa.local--------Y

 

Let me know if that works. Otherwise, please follow the directions from @Ivan_B.

Hassan2
Occasional Visitor

Re: Radius Authentication_Login Failed

Yes, I am using username@aaa.local, as per the below:

Switch logs:

%Jan 1 09:26:54:058 2013 SW03CS SSHS/6/SSHS_AUTH_SUCCESS: SSH user admzzz@aaa.local from 10.x.x.x port 62644 passed password authentication.
%Jan 1 09:26:55:154 2013 SW03CS SSHS/6/SSHS_CONNECT: SSH user admzzz@aaa.local (IP: 10.x.x.x) connected to the server successfully.
%Jan 1 09:26:55:565 2013 SW03CS LOGIN/5/LOGIN_FAILED: admzzz@aaa.local failed to log in from 10.x.x.x.

******

AAA logs:

Reply-Message="SwitchCISCO-READWRITE"
Service-Type=NAS-Prompt-User
Class=0xb81c0b7f00000137000102000a4fe12200000000d115d20d8be480a801d5d330030ef99f000000000034def7
Cisco-AVPair="shell:priv-lvl=15"
Microsoft-Attr-14=0x00000032
Microsoft-Attr-15=0x00000078
*Jan 1 09:45:03:809 2013 SW03CS RADIUS/7/PACKET:
02 4d 00 90 ee 90 d4 a0 8d 83 1d f2 21 54 73 11
f4 94 1a 18 12 17 53 77 69 74 63 68 43 49 53 43
4f 2d 52 45 41 44 57 52 49 54 45 06 06 00 00 00
07 19 2e b8 1c 0b 7f 00 00 01 37 00 01 02 00 0a
4f e1 22 00 00 00 00 d1 15 d2 0d 8b e4 80 a8 01
d5 d3 30 03 0e f9 9f 00 00 00 00 00 34 de f7 1a
19 00 00 00 09 01 13 73 68 65 6c 6c 3a 70 72 69
76 2d 6c 76 6c 3d 31 35 1a 0c 00 00 01 37 0e 06
00 00 00 32 1a 0c 00 00 01 37 0f 06 00 00 00 78

*Jan 1 09:45:03:810 2013 SW03CS RADIUS/7/EVENT: PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Jan 1 09:45:03:810 2013 SW03CS RADIUS/7/EVENT: PAM_RADIUS: Received authentication reply message, resultCode: 0
*Jan 1 09:45:03:811 2013 SW03CS RADIUS/7/EVENT: Sent reply message successfully.
*Jan 1 09:45:03:811 2013 SW03CS RADIUS/7/EVENT: PAM_RADIUS: Processing RADIUS authorization.
*Jan 1 09:45:03:812 2013 SW03CS RADIUS/7/EVENT: PAM_RADIUS: RADIUS Authorization successfully.
%Jan 1 09:45:03:813 2013 SW03CS SSHS/6/SSHS_AUTH_SUCCESS: SSH user admzzz@aaa.local from 10..x.x.x port 55579 passed password authentication.
%Jan 1 09:45:04:190 2013 SW03CS SSHS/6/SSHS_DISCONNECT: SSH user admzzz@aaa.local (IP: 10..x.x.x) disconnected from the server.

Ivan_B
HPE Pro

Re: Radius Authentication_Login Failed

Hello!

If you have already returned 'accounting login none' to the domain's config, the next step is to tune the RADIUS attributes used for authorization. Please set your RADIUS server to return the following attributes in Access-Accept messages:

Service-Type = NAS-Prompt-User,
Login-Service = Telnet,
Cisco-AVPair = shell:roles="network-admin"

Here is the example of user's configuration in FreeRADIUS:

comware7 Cleartext-Password := "password"
         Service-Type = NAS-Prompt-User,
         Login-Service = Telnet,
         Cisco-AVPair = "shell:roles=\"network-admin\"",
         Cisco-AVPair += "shell:priv-lvl=15"
 

Please pay attention to the format of the Cisco-AVPair attribute. Backslashes are required by FreeRADIUS in order to negate the special meaning of the double-quote sign. In a packet capture that attribute should be visible as ' shell:roles="network-admin" ' (without the single quotes).

 

I am an HPE employee
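Decoding the RADIUS/7/PACKET dump Hassan2 posted, and checking it for the attribute Ivan_B asks for, can be done with a short script. The following Python is an added example, not code from this thread, from HPE or from FreeRADIUS: it walks the RFC 2865 attribute TLVs of the quoted Access-Accept (so the Reply-Message, Class, Cisco-AVPair and Microsoft vendor attributes come out as the AAA log shows them), reports whether a Cisco-AVPair carrying shell:roles= is present (it is not; the server only sent shell:priv-lvl=15), and then encodes the shell:roles="network-admin" pair recommended above into a constructed packet to show the form it takes on the wire. The attribute and vendor name tables are the standard RFC 2865 / vendor assignments as far as this packet needs them; the zeroed authenticator in the constructed packet is a placeholder, not a value from the thread.

```python
import struct

# Access-Accept bytes copied verbatim from the RADIUS/7/PACKET debug output
# quoted earlier in this thread (switch SW03CS, packet id 0x4d).
ACCESS_ACCEPT_HEX = """
02 4d 00 90 ee 90 d4 a0 8d 83 1d f2 21 54 73 11
f4 94 1a 18 12 17 53 77 69 74 63 68 43 49 53 43
4f 2d 52 45 41 44 57 52 49 54 45 06 06 00 00 00
07 19 2e b8 1c 0b 7f 00 00 01 37 00 01 02 00 0a
4f e1 22 00 00 00 00 d1 15 d2 0d 8b e4 80 a8 01
d5 d3 30 03 0e f9 9f 00 00 00 00 00 34 de f7 1a
19 00 00 00 09 01 13 73 68 65 6c 6c 3a 70 72 69
76 2d 6c 76 6c 3d 31 35 1a 0c 00 00 01 37 0e 06
00 00 00 32 1a 0c 00 00 01 37 0f 06 00 00 00 78
"""

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_NAMES = {6: "Service-Type", 15: "Login-Service", 18: "Reply-Message",
              25: "Class", 26: "Vendor-Specific"}
SERVICE_TYPES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}
VENDOR_NAMES = {9: "Cisco", 311: "Microsoft"}
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1  # Cisco VSA sub-type 1 carries the "shell:..." pairs


def parse_attributes(data):
    """Split a RADIUS packet into (code, id, [(type, value), ...]) per RFC 2865."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes on the wire")
    pos, attrs = 20, []  # 20-byte header: code, id, length, authenticator
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def decode_attribute(atype, value):
    """Render one attribute as (name, text) the way the AAA server log above shows them."""
    if atype == 26:  # Vendor-Specific: vendor id, vendor type, vendor length, value
        vendor = struct.unpack("!I", value[:4])[0]
        vtype, vlen = value[4], value[5]
        vvalue = value[6:4 + vlen]  # vendor length counts type + length + value
        if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
            return "Cisco-AVPair", vvalue.decode("ascii")
        return f"{VENDOR_NAMES.get(vendor, vendor)}-Attr-{vtype}", "0x" + vvalue.hex()
    name = ATTR_NAMES.get(atype, f"Attr-{atype}")
    if atype == 6:
        return name, SERVICE_TYPES.get(struct.unpack("!I", value)[0], "0x" + value.hex())
    if atype == 18:
        return name, value.decode("ascii", "replace")
    return name, "0x" + value.hex()


def decode_packet(packet):
    """Accept raw bytes or a hex dump (whitespace ignored) and return a decoded dict."""
    data = packet if isinstance(packet, bytes) else bytes.fromhex(packet)
    code, ident, raw = parse_attributes(data)
    return {"code": RADIUS_CODES.get(code, code), "id": ident,
            "attributes": [decode_attribute(t, v) for t, v in raw]}


def role_avpairs(decoded):
    """The shell:roles= pairs, i.e. the attribute Comware 7 reads to assign a user role."""
    return [v for n, v in decoded["attributes"]
            if n == "Cisco-AVPair" and v.startswith("shell:roles=")]


def encode_cisco_avpair(text):
    """Encode one Cisco-AVPair as a Vendor-Specific TLV (what the server puts on the wire)."""
    payload = text.encode("ascii")
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(payload)) + payload
    return struct.pack("!BB", 26, 2 + len(vsa)) + vsa


def build_packet(code, ident, authenticator, attributes):
    """Frame encoded attributes; the authenticator is passed in, not computed (constructed sample)."""
    body = b"".join(attributes)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


if __name__ == "__main__":
    seen = decode_packet(ACCESS_ACCEPT_HEX)
    print(seen["code"], "id", seen["id"])
    for name, val in seen["attributes"]:
        print("  ", name, "=", val)
    print("shell:roles present:", role_avpairs(seen))  # [] for the packet in the thread

    # Constructed Access-Accept carrying the attributes recommended above (placeholder authenticator).
    fixed = build_packet(2, 0x4d, bytes(16), [
        encode_cisco_avpair('shell:roles="network-admin"'),
        encode_cisco_avpair("shell:priv-lvl=15"),
    ])
    print("shell:roles present:", role_avpairs(decode_packet(fixed)))
```

Running it against the quoted dump prints the same six attributes the AAA log lists, with role_avpairs() returning an empty list; the constructed packet decodes back to shell:roles="network-admin", which is the form Ivan_B says should be visible in a capture once the FreeRADIUS entry is in place.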


Ivan_B
HPE Pro

Re: Radius Authentication_Login Failed

Hi @Hassan2 !

Did you have time to try the solution proposed? Did it resolve the problem?

Thank you in advance!

 

I am an HPE employee
