SSH users don't have full permission to configure H3c Switches through ssh using free radius
johnnynguyen
Occasional Visitor

Dear all,

I'm a new member here and really need help from you all. My company bought many H3C switches and uses them together with Cisco switches; we also use a FreeRADIUS server to authenticate SSH users for both types of switch. The Cisco switches work well, but the H3C switches don't: the login is successful, but the user has no permission to configure the switch.

More details:

Switch model: H3C Comware Platform Software
Comware Software, Version 5.20.99, Release 1108
Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C S5024PV2-EI-PWR uptime is 7 weeks, 0 day, 1 hour, 28 minutes

H3C S5024PV2-EI-PWR
128M    bytes DRAM
32M     bytes Flash Memory
Config Register points to Flash

Hardware Version is REV.A
Bootrom Version is 110
[SubSlot 0] 24GE+4SFP Hardware Version is REV.A

I already configured a RADIUS scheme for it with the following content:

radius scheme 2000
 primary authentication 172.19.16.12
 primary accounting 172.19.16.12
 key authentication cipher $c$3$FLwitDuepyryEo99M8/mX4QfJLaJ
 key accounting cipher $c$3$Ihu/Owx+stq0yxjWPxj6Pyxbu7wn
 user-name-format without-domain
 nas-ip 172.19.3.182
#
domain 2000
 authentication default radius-scheme 2000
 authorization default radius-scheme 2000
 accounting default radius-scheme 2000
 authentication login radius-scheme 2000 local
 authorization login radius-scheme 2000 local
 accounting login radius-scheme 2000 local
 authorization command local

Here is the user's information I declared on FreeRADIUS (CentOS 6.6 Final):

boss Cleartext-Password := "boss"
       Service-Type = NAS-Prompt-User,
       H3C-Exec-Privilege = "3",
       Login-Service = 50,
       Cisco-AVPair = "shell:roles=network-operator"

And here is the result when I SSH to the H3C switches. I can in fact access the switch successfully, but I have no permission to configure it; I only have permission to use display commands.

<FacB_H3C_Parking_187>?
User view commands:
  cluster  Run cluster command
  display  Display current system information
  ping     Ping function
  quit     Exit from current command view
  ssh2     Establish a secure shell client connection
  super    Set the current user priority level
  telnet   Establish one TELNET connection
  tracert  Trace route function
<FacB_H3C_Parking_187>

Does anyone have the same problem? Please help me.

1 REPLY
TerjeAFK
Respected Contributor

Re: SSH users don't have full permission to configure H3c Switches through ssh using free radius

Change the Cisco-AVPair attribute in FreeRADIUS from "shell:roles=network-operator" to "shell:roles=network-admin".
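As an added example (not code from this thread, from H3C or from FreeRADIUS), the following Python packs the attributes of the "boss" entry above into RFC 2865 wire format and decodes them back, so that a captured Access-Accept can be checked for the role string and H3C-Exec-Privilege value the server actually returned before and after the users file is changed. The vendor IDs (Cisco = 9, H3C = 25506) and vendor-type numbers (Cisco-AVPair = 1, H3C-Exec-Privilege = 29) are assumptions taken from the stock FreeRADIUS dictionaries.

```python
"""Pack and inspect the RADIUS attributes an Access-Accept carries for an
H3C/Comware SSH login.  Added example for this thread; not code from the
thread, H3C or FreeRADIUS.  Vendor IDs and vendor-type numbers below are
assumptions matching the stock FreeRADIUS dictionary files."""
import struct

VSA = 26                 # RFC 2865 Vendor-Specific attribute type
SERVICE_TYPE = 6         # Service-Type; NAS-Prompt-User = 7
LOGIN_SERVICE = 15       # Login-Service
NAS_PROMPT_USER = 7
VENDOR_CISCO = 9         # assumption: IANA enterprise number for Cisco
VENDOR_H3C = 25506       # assumption: IANA enterprise number for H3C
CISCO_AVPAIR = 1         # assumption: vendor-type of Cisco-AVPair (string)
H3C_EXEC_PRIVILEGE = 29  # assumption: vendor-type of H3C-Exec-Privilege (integer)
ROLE_PREFIX = "shell:roles="


def _payload(value):
    """RADIUS integers are 4-byte big-endian; strings are raw bytes."""
    return struct.pack("!I", value) if isinstance(value, int) else value.encode()


def encode_attr(atype, value):
    """Standard attribute: Type(1) Length(1) Value."""
    body = _payload(value)
    return struct.pack("!BB", atype, len(body) + 2) + body


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific: Type=26 Length Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    body = _payload(value)
    sub = struct.pack("!BB", vendor_type, len(body) + 2) + body
    inner = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VSA, len(inner) + 2) + inner


def decode_attributes(data):
    """Walk a flat attribute list. Returns [(vendor_or_None, type, raw_bytes)].
    Length fields are validated so a truncated or malformed packet raises
    ValueError instead of being silently misparsed."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length %d" % alen)
        body = data[i + 2:i + alen]
        if atype == VSA:
            if len(body) < 4:
                raise ValueError("VSA shorter than Vendor-Id")
            vendor = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):
                if j + 2 > len(body):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("bad vendor sub-attribute length %d" % vlen)
                out.append((vendor, vtype, body[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((None, atype, body))
        i += alen
    return out


def build_accept_attrs(role, privilege):
    """Constructed attribute list equivalent to the thread's 'boss' users entry."""
    return (encode_attr(SERVICE_TYPE, NAS_PROMPT_USER)
            + encode_vsa(VENDOR_H3C, H3C_EXEC_PRIVILEGE, privilege)
            + encode_attr(LOGIN_SERVICE, 50)
            + encode_vsa(VENDOR_CISCO, CISCO_AVPAIR, ROLE_PREFIX + role))


def login_authorization(data):
    """Return (exec_privilege, role) found in an Access-Accept attribute list."""
    priv = role = None
    for vendor, atype, raw in decode_attributes(data):
        if vendor == VENDOR_H3C and atype == H3C_EXEC_PRIVILEGE and len(raw) == 4:
            priv = struct.unpack("!I", raw)[0]
        elif vendor == VENDOR_CISCO and atype == CISCO_AVPAIR:
            text = raw.decode("ascii", errors="replace")
            if text.startswith(ROLE_PREFIX):
                role = text[len(ROLE_PREFIX):]
    return priv, role


def role_is_network_admin(data):
    """True when the reply's fix (shell:roles=network-admin) is what was sent."""
    return login_authorization(data)[1] == "network-admin"


if __name__ == "__main__":
    for label, role in (("as posted", "network-operator"), ("after fix", "network-admin")):
        attrs = build_accept_attrs(role, 3)
        print(label, login_authorization(attrs), role_is_network_admin(attrs))
```

Feeding the attribute bytes of a real Access-Accept (for example exported from a packet capture of the RADIUS exchange) into login_authorization shows directly whether the server is still handing out network-operator, which separates a users-file problem from a switch-side authorization problem.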