04-09-2020 04:13 AM
Radius Authentication_Login Failed
Hi,
I have implemented a new 5510 HI HPE series in my network, and everything is working fine except authentication using RADIUS. When I try to access it through SSH, after I enter the switch it gives me a login failure and then the session closes automatically. I have this software version: 5510_HI_7.10.R3506P02.
I have tried changing the accounting login to none and to the RADIUS scheme, but the result is the same. Now I can only access it using the local user. My configuration details are below:
radius scheme aaa
 primary authentication 10..x.x.x key cipher xyz
 secondary authentication 10..x.x.x key cipher xyz
 secondary authentication 10.x.x.x key cipher xyz
 key authentication cipher xyz
 retry 2
 timer response-timeout 4
 user-name-format keep-original
#
radius scheme system
 user-name-format without-domain
#
domain aaa.local
 authentication login radius-scheme aaa
 authorization login radius-scheme aaa
 authentication lan-access radius-scheme aaa
 authorization lan-access radius-scheme aaa
#
domain system
#
domain default enable system
#
!
local-user admin class manage
 password xyz
 service-type telnet https ssh terminal
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
!
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0 6
 user-role network-admin
#
line vty 0 4
 authentication-mode scheme
 user-role network-admin
 user-role network-operator
#
line vty 5 15
 authentication-mode none
 user-role network-operator
#
line vty 16 63
 user-role network-operator
04-09-2020 07:36 AM
Re: Radius Authentication_Login Failed
Hello!
"accounting login none" should be there under the domain aaa.local context. Even if it is not the root cause of this issue, it will cause another one, so keep it there.
When you try to log in to the switch over SSH, do you use the username@aaa.local format for the username?
Did you check with Wireshark on your RADIUS server whether it gets Access-Request messages from the switch when you attempt to log in? Could you check that, and check the attributes the server pushes to the switch in its Access-Accept messages? If you see no Access-Accept but an Access-Reject, then it's another story, and in this case you need to check on the server why it rejects the login attempt.
04-10-2020 07:41 AM
Re: Radius Authentication_Login Failed
04-13-2020 04:09 AM
Re: Radius Authentication_Login Failed
Yes, I am using username@aaa.local, as shown below:
Switch logs:
%Jan 1 09:26:54:058 2013 SW03CS SSHS/6/SSHS_AUTH_SUCCESS: SSH user admzzz@aaa.local from 10.x.x.x port 62644 passed password authentication.
%Jan 1 09:26:55:154 2013 SW03CS SSHS/6/SSHS_CONNECT: SSH user admzzz@aaa.local (IP: 10.x.x.x) connected to the server successfully.
%Jan 1 09:26:55:565 2013 SW03CS LOGIN/5/LOGIN_FAILED: admzzz@aaa.local failed to log in from 10.x.x.x.
******
AAA logs:
Reply-Message="SwitchCISCO-READWRITE"
Service-Type=NAS-Prompt-User
Class=0xb81c0b7f00000137000102000a4fe12200000000d115d20d8be480a801d5d330030ef99f000000000034def7
Cisco-AVPair="shell:priv-lvl=15"
Microsoft-Attr-14=0x00000032
Microsoft-Attr-15=0x00000078
*Jan 1 09:45:03:809 2013 SW03CS RADIUS/7/PACKET:
02 4d 00 90 ee 90 d4 a0 8d 83 1d f2 21 54 73 11
f4 94 1a 18 12 17 53 77 69 74 63 68 43 49 53 43
4f 2d 52 45 41 44 57 52 49 54 45 06 06 00 00 00
07 19 2e b8 1c 0b 7f 00 00 01 37 00 01 02 00 0a
4f e1 22 00 00 00 00 d1 15 d2 0d 8b e4 80 a8 01
d5 d3 30 03 0e f9 9f 00 00 00 00 00 34 de f7 1a
19 00 00 00 09 01 13 73 68 65 6c 6c 3a 70 72 69
76 2d 6c 76 6c 3d 31 35 1a 0c 00 00 01 37 0e 06
00 00 00 32 1a 0c 00 00 01 37 0f 06 00 00 00 78
*Jan 1 09:45:03:810 2013 SW03CS RADIUS/7/EVENT: PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Jan 1 09:45:03:810 2013 SW03CS RADIUS/7/EVENT: PAM_RADIUS: Received authentication reply message, resultCode: 0
*Jan 1 09:45:03:811 2013 SW03CS RADIUS/7/EVENT: Sent reply message successfully.
*Jan 1 09:45:03:811 2013 SW03CS RADIUS/7/EVENT: PAM_RADIUS: Processing RADIUS authorization.
*Jan 1 09:45:03:812 2013 SW03CS RADIUS/7/EVENT: PAM_RADIUS: RADIUS Authorization successfully.
%Jan 1 09:45:03:813 2013 SW03CS SSHS/6/SSHS_AUTH_SUCCESS: SSH user admzzz@aaa.local from 10..x.x.x port 55579 passed password authentication.
%Jan 1 09:45:04:190 2013 SW03CS SSHS/6/SSHS_DISCONNECT: SSH user admzzz@aaa.local (IP: 10..x.x.x) disconnected from the server.
04-13-2020 08:56 AM
Re: Radius Authentication_Login Failed
Hello!
If you already returned the 'accounting login none' to the domain's config, the next step is to tune the RADIUS attributes used for authorization. Please set your RADIUS server to return the following attributes in Access-Accept messages:
Service-Type = NAS-Prompt-User,
Login-Service = Telnet,
Cisco-AVPair = shell:roles="network-admin"
Here is an example of a user's configuration in FreeRADIUS:
comware7 Cleartext-Password := "password"
    Service-Type = NAS-Prompt-User,
    Login-Service = Telnet,
    Cisco-AVPair = "shell:roles=\"network-admin\"",
    Cisco-AVPair += "shell:priv-lvl=15"
Please pay attention to the format of the Cisco-AVPair attribute. Backslashes are required by FreeRADIUS in order to negate the special meaning of the double-quote sign. In a packet capture that attribute should be visible as ' shell:roles="network-admin" ' (without single quotes).
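The attribute check described in this answer, as an added example that is not part of the original post or of HPE's or FreeRADIUS's code: a small RADIUS reply parser that reports which of the recommended attributes an Access-Accept lacks. The packets are constructed samples and the function names are hypothetical; the check covers only the attributes the answer lists, not everything a given Comware release may require.

```python
import struct
# RFC 2865 numbers; Cisco-AVPair is sub-attribute 1 under vendor id 9.
SERVICE_TYPE, LOGIN_SERVICE, VENDOR_SPECIFIC = 6, 15, 26
NAS_PROMPT_USER, TELNET, CISCO, ACCESS_ACCEPT = 7, 0, 9, 2

def attr(typ, value):
    return bytes([typ, len(value) + 2]) + value

def cisco_avpair(text):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO) + attr(1, text.encode()))

def access_accept(attrs):
    body = b"".join(attrs)  # identifier and authenticator below are dummies
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

def parse(packet):
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS header or length field")
    found, pos = {"code": packet[0], "avpairs": []}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        typ, val = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        if typ in (SERVICE_TYPE, LOGIN_SERVICE) and len(val) == 4:
            found[typ] = int.from_bytes(val, "big")
        elif typ == VENDOR_SPECIFIC and len(val) >= 6 and val[:4] == struct.pack("!I", CISCO):
            if val[4] == 1 and 2 <= val[5] <= len(val) - 4:
                found["avpairs"].append(val[6:4 + val[5]].decode("utf-8", "replace"))
        pos += packet[pos + 1]
    return found

def missing_attributes(packet):
    """Return the attributes the answer asks for that this reply lacks."""
    p = parse(packet)
    checks = [
        ("code = Access-Accept", p["code"] == ACCESS_ACCEPT),
        ("Service-Type = NAS-Prompt-User", p.get(SERVICE_TYPE) == NAS_PROMPT_USER),
        ("Login-Service = Telnet", p.get(LOGIN_SERVICE) == TELNET),
        ('Cisco-AVPair = shell:roles="..."',
         any(a.startswith('shell:roles="') for a in p["avpairs"])),
    ]
    return [name for name, ok in checks if not ok]

# Constructed replies; BEFORE carries the Service-Type and AVPair seen in the AAA log.
ST = attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))
BEFORE = access_accept([ST, cisco_avpair("shell:priv-lvl=15")])
AFTER = access_accept([ST, attr(LOGIN_SERVICE, struct.pack("!I", TELNET)),
                       cisco_avpair('shell:roles="network-admin"')])
```

Pass it the UDP payload of the server's reply from a packet capture; it does not verify the Response Authenticator, so it is a diagnostic aid only.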
04-29-2020 07:24 AM
Re: Radius Authentication_Login Failed
Hi @Hassan2!
Did you have time to try the solution proposed? Did it resolve the problem?
Thank you in advance!
09-23-2021 05:42 AM - edited 09-24-2021 12:47 PM
Re: Radius Authentication_Login Failed
Thank you so much! It works for a virtual switch in H3C Cloud Lab (HCL v2.1.2.1):
H3C S5820V2-54QS-GE, H3C Comware Software, Version 7.1.075, Alpha 7571
------------
FreeRADIUS user:
testuser Cleartext-Password := "password"
    Service-Type = NAS-Prompt-User,
    Login-Service = Telnet,
    Cisco-AVPair = "shell:roles=\"network-admin\""
------------