
Re: SSH Login & 802.1x

 
psniech
Occasional Contributor

SSH Login & 802.1x

How to configure, on the same switch (4210, 5500), 802.1x authentication with a remote RADIUS server and logging in to the switch with SSH using the local user database, at the same time? If the default domain points to RADIUS, it is impossible to log in via local SSH. If the default domain has a local authentication scheme, it is impossible to use external RADIUS...

Fred_Mancen_1
Super Advisor

Re: SSH Login & 802.1x

Hi.

Could you copy and paste your switches' settings here?

This is strange behavior; you are probably missing some settings. You can enable 802.1X with authentication on a RADIUS server and have local SSH user authentication at the same time.

In my experience, the settings will be:

domain default enable
#
dhcp-server 1 ip
#
dot1x
dot1x timer supp-timeout 10
dot1x timer reauth-period 60
dot1x authentication-method eap
#
radius scheme system
radius scheme
 server-type standard
 primary authentication
 accounting optional
 key authentication
 user-name-format without-domain
#
domain
 scheme radius-scheme
 vlan-assignment-mode string
domain system
#

In the client switch port:

interface GigabitEthernet1/0/10
 stp edged-port enable
 dot1x
#



SSH settings:

local-user
 service-type ssh

Global configuration:

ssh user service-type all
ssh user authentication-type password

rsa local-key-pair create

In the interface vty:

user-interface vty 0 4
 protocol inbound ssh

Regards,
Fred Mancen
psniech
Occasional Contributor

Re: SSH Login & 802.1x

Hi,

In the configuration you gave, should I log in using "admin@system" or simply "admin" as the login name?

Maybe I made a mistake, because in my configuration I used the "system" domain as the domain for 802.1x logins and another domain for local logins. So because I had to point to system as the default login domain, I was not able to log in locally.

Thank you for the advice with the complete configuration! :)

Pawel

Fred_Mancen_1
Super Advisor

Re: SSH Login & 802.1x

The user is just "admin". Actually, these features are independent in the configuration above; that's why you were not able to log on to the switch using SSH.



Regards,
Fred Mancen
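
Added example (not written by either poster and not vendor code): a small Python check that reads a configuration dump in the syntax used above and reports which domain and scheme would authenticate a given login name. It assumes the behaviour the original question describes, that a name with "@domain" is authenticated in that domain and a name without a suffix falls into the default domain; the domain name "dot1x" and the scheme name "rad1" are hypothetical, and the sample configuration is constructed.

```python
import re

# Constructed sample; "dot1x" and "rad1" are hypothetical names, not from the thread.
SAMPLE_CONFIG = """\
domain default enable system
#
radius scheme rad1
 server-type standard
 user-name-format without-domain
#
domain dot1x
 scheme radius-scheme rad1
#
domain system
 scheme local
#
"""

def parse_domains(config):
    """Return (default_domain, {domain: scheme}) from a configuration dump."""
    default, domains, current = None, {}, None
    for raw in config.splitlines():
        line, top_level = raw.strip(), not raw.startswith(" ")
        m = re.fullmatch(r"domain default enable (\S+)", line)
        if m:
            default, current = m.group(1), None
        elif top_level and re.fullmatch(r"domain \S+", line):
            current = line.split()[1]
            domains.setdefault(current, "(not set)")
        elif not top_level and current and line.startswith("scheme "):
            domains[current] = line[len("scheme "):]
        elif top_level:
            current = None  # any other top-level line ends the domain block
    return default, domains

def resolve(login, default, domains):
    """Map a login name to (user, domain, scheme) under the assumed rule."""
    user, sep, dom = login.rpartition("@")
    if not sep:  # no "@domain" suffix: the default domain applies
        user, dom = login, default
    return user, dom, domains.get(dom, "unknown domain")

if __name__ == "__main__":
    default, domains = parse_domains(SAMPLE_CONFIG)
    for name in ("admin", "admin@system", "alice@dot1x"):
        print(name, "->", resolve(name, default, domains))
```

Run against a real dump, any administrative login that resolves to a RADIUS-backed domain is one that stops working when the RADIUS server is unreachable.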