
User roles with AAA through Radius authentication HP A series

Avi_Nash
Occasional Visitor

User roles with AAA through Radius authentication HP A series

Hello there,

Currently we are implementing AAA for authentication on our network devices. Before implementing it I tested the configuration on an HP A5120, an HP ProCurve 3500 and some Cisco switches. Microsoft NPS acts as the RADIUS server.

In my PoC everything was accepted, so I proceeded to the implementation in the production network at the main site. I started with an HP A5830. This is where the problem started.

While all the configuration is identical to the perfectly working PoC, I cannot seem to get the right privilege levels in production.

I tried to authenticate through the RADIUS server in the PoC, so the same already proven policy was used, but that did not change anything. The only difference is the type of switch: HP A5120 vs. HP A5830.

Did I forget something in my configuration?

 

The HP A5830 config is:

domain default enable domain.local

radius scheme radius
 primary authentication 10.1.17.1
 secondary authentication 10.1.17.2
 primary accounting 10.1.17.1
 secondary accounting 10.1.17.2
 key authentication KEY
 key accounting KEY
 user-name-format without-domain

domain domain.lan
 authentication default radius-scheme radius
 authorization default radius-scheme radius
 authentication login radius-scheme radius
 accounting login radius-scheme radius

user-interface vty 0 15
 acl 2022 inbound
 authentication-mode scheme
 user privilege level 3
 idle-timeout 60 0
Any help would be kindly appreciated.

Thanks,

Avi

2 REPLIES
sdide
Respected Contributor

Re: User roles with AAA through Radius authentication HP A series

Hello,

I'm not sure if it's on purpose, but it looks like you did not configure authorization in the radius scheme, e.g.:

radius scheme radius
 primary authorization 10.1.17.1
 secondary authorization 10.1.17.2
 quit
!

Also, you enable the default domain as domain.local (domain default enable domain.local), but it's in your domain "domain.lan" that you use the radius scheme "radius". Maybe you need to try to set the default domain to domain.lan.

Also remember to enable the SSH server if you want to use SSH:

ssh server enable

Regards,

Søren Dideriksen

 

Søren Dideriksen, Network Administrator
Region Midtjylland
D0natas
Occasional Advisor

Re: User roles with AAA through Radius authentication HP A series

Hello,

If I understand correctly, AAA authentication works; only you can't get the right privilege level.

I had the same problem with an A5820. My switches have Comware v5. So:

1. In the radius scheme radius you have to write "server-type extended".

2. Provide the correct privilege level in the RADIUS. You should add a Vendor-Specific attribute: vendor code 25506, value: the privilege level you want.
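To check what the NPS policy actually returns before touching the switch, here is an added example (not from this thread or from HPE) that encodes and decodes the RFC 2865 Vendor-Specific attribute (type 26) for vendor code 25506, so a captured Access-Accept can be inspected for the privilege level. The vendor sub-attribute id 29 (H3C-Exec-Privilege in the FreeRADIUS h3c dictionary), the function names and the sample attribute bytes are my assumptions; verify the id against your own RADIUS dictionary.

```python
import struct

RADIUS_VSA_TYPE = 26        # RFC 2865 Vendor-Specific attribute type
H3C_VENDOR_ID = 25506       # vendor code quoted in the thread (H3C / HP A-series)
EXEC_PRIVILEGE_ATTR = 29    # ASSUMED: H3C-Exec-Privilege sub-attribute id; check your dictionary

def encode_privilege_vsa(level, vendor_id=H3C_VENDOR_ID, vendor_type=EXEC_PRIVILEGE_ATTR):
    """Build one Vendor-Specific attribute carrying a 4-byte integer sub-attribute."""
    if not 0 <= level <= 3:
        raise ValueError("Comware v5 privilege levels are 0..3")
    value = struct.pack(">I", level)
    vendor_data = struct.pack(">BB", vendor_type, 2 + len(value)) + value   # vendor sub-TLV
    body = struct.pack(">I", vendor_id) + vendor_data                       # Vendor-Id + sub-TLV
    return struct.pack(">BB", RADIUS_VSA_TYPE, 2 + len(body)) + body       # outer TLV

def parse_attributes(blob):
    """Walk the TLV attribute area of a RADIUS packet (the bytes after the 20-byte header)."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")      # reject malformed lengths
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs

def find_privilege_level(blob, vendor_id=H3C_VENDOR_ID, vendor_type=EXEC_PRIVILEGE_ATTR):
    """Return the level from the first matching VSA, or None if the server sent none."""
    for atype, data in parse_attributes(blob):
        if atype != RADIUS_VSA_TYPE or len(data) < 6:
            continue
        if struct.unpack(">I", data[:4])[0] != vendor_id:
            continue
        pos = 4
        while pos + 2 <= len(data):                      # walk the vendor sub-TLVs
            vtype, vlen = data[pos], data[pos + 1]
            if vlen < 2 or pos + vlen > len(data):
                break
            if vtype == vendor_type and vlen == 6:
                return struct.unpack(">I", data[pos + 2:pos + 6])[0]
            pos += vlen
    return None

# Constructed samples: an Access-Accept attribute area that carries the VSA, and one that
# does not (the "authenticated but wrong privilege level" case described in the thread).
ACCEPT_WITH_VSA = bytes([18, 8]) + b"hello!" + encode_privilege_vsa(3)   # Reply-Message + VSA
ACCEPT_WITHOUT_VSA = bytes([6, 6]) + struct.pack(">I", 1)               # Service-Type = Login only
```

Feed `find_privilege_level` the attribute bytes of a real Access-Accept (e.g. exported from a capture on the NPS side) and a result of None means the policy never sent the vendor attribute, whatever the switch configuration looks like.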