local access doesnt work on 5130
tetzPeha
Advisor
Hello,

I can log in to my switch through RADIUS authentication, but when I try to log in with a local user it doesn't work; I get this message:

Sorry, you are not allowed to have dialup access
Access denied

I use the same configuration as my older switch (3600), but on this 5130 it is not working. When I try to log in with a local user, the switch sends a request to the RADIUS server instead of querying its own local database:

radius scheme 802.1x
 primary authentication 192.168.6.242
 primary accounting 192.168.6.242
 secondary authentication 10.75.4.46
 secondary accounting 10.75.4.46
 key authentication cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 key accounting cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 user-name-format without-domain

domain XXXX
 authentication login radius-scheme 802.1x local
 authorization login radius-scheme 802.1x local
 accounting login radius-scheme 802.1x local

domain system
#
 domain default enable XXXXX
#
local-user adminrz class manage
 password hash XXXXXXX
 service-type ssh
 authorization-attribute user-role level-15
 authorization-attribute user-role network-admin

line vty 0 15
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh

ssh server enable
 sftp server enable
 ssh user adminrz service-type all authentication-type password

thx for your help
7 REPLIES
johnk3r
Respected Contributor

Re: local access doesnt work on 5130

Are you trying to authenticate to the web console?

**************************************
ATP FLEXNETWORK V3 | ACSA
tetzPeha
Advisor

Re: local access doesnt work on 5130

I opened a thread about the web console on this forum also, and I found this issue, and now I think both are related. I can't log in with a local user, so it doesn't work with web access.

sdide
Respected Contributor

Re: local access doesnt work on 5130

Hi,

your local user is regarded as a fallback only, for the case where your RADIUS server is unreachable. If the RADIUS server is reachable, you cannot log in with the configured local user in the same domain.

However, you can log in using another domain, where your authentication is set to local.

So on a switch called "test-switch".

line vty 0 63
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
 idle-timeout 120 0

local-user testuser class manage
 password hash <hashedpassword>
 service-type ssh
 authorization-attribute user-role network-admin

domain normal
 authentication default hwtacacs-scheme normal-tac-scheme local
 authorization default hwtacacs-scheme normal-tac-scheme local

domain test
 authentication login local
 authorization command local

domain default enable normal

Above I've configured a local-user called testuser and a domain called test. Also, as you can see, the default domain is "normal" and it uses TACACS as the primary method and local as the fallback.

So if I do (for example from a Linux bash shell):

ssh testuser@test-switch

it will try logging into the switch via the default domain, which in the above configuration is "normal". The login will fail (unless the user "test" also exists on the TACACS server with the same password). If the TACACS server is not responding, the switch will fall back to the local-user test.

If you want to use the local-user "test" while the TACACS server is online, you can do it via the above configured domain "test", which specifies only "local" as its primary method. You need to do:

ssh testuser@test@test-switch

It will use the test domain and you can log in.

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland
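To make the domain-selection behaviour described in this answer concrete, here is a small Python model of how a Comware 7 login such as testuser@test@test-switch is split and which method list ends up answering. It is an added illustration, not vendor code or anything posted in this thread; the domain names, users and passwords are constructed to mirror the configuration above, and the "local is only consulted when the RADIUS/TACACS server does not respond" rule is the one stated in the answer.

```python
"""Constructed model of Comware 7 login-domain selection (not vendor code)."""
from dataclasses import dataclass, field


def ssh_login_parts(target):
    """An ssh client splits 'user@host' at the LAST '@', so everything before
    it ('testuser@test') is handed to the switch as the login name."""
    login, _, host = target.rpartition("@")
    return login, host


@dataclass
class Switch:
    domains: dict                 # domain name -> ordered method list
    default_domain: str           # 'domain default enable <name>'
    local_users: dict             # 'local-user ... class manage' name -> password
    aaa_users: dict               # accounts known to the RADIUS/TACACS server
    server_reachable: bool = True # does the AAA server answer at all?

    def split_login(self, login):
        """'user@domain' selects a domain explicitly; a bare name uses the default."""
        if "@" in login:
            user, _, domain = login.rpartition("@")
            return user, domain
        return login, self.default_domain

    def authenticate(self, login, password):
        user, dname = self.split_login(login)
        domain = self.domains.get(dname)
        if domain is None:
            return "denied:unknown-domain"
        for method in domain:
            if method == "local":
                ok = self.local_users.get(user) == password
                return "accepted:local" if ok else "denied:local"
            if method == "aaa":
                if not self.server_reachable:
                    continue           # no answer -> next method (local fallback)
                ok = self.aaa_users.get(user) == password
                return "accepted:aaa" if ok else "denied:aaa"  # reject is final
        return "denied:no-method"


def build_switch(server_reachable=True):
    """Mirror of the answer's config: 'normal' = server then local, 'test' = local only."""
    return Switch(domains={"normal": ["aaa", "local"], "test": ["local"]},
                  default_domain="normal",
                  local_users={"testuser": "localpw"},   # constructed sample
                  aaa_users={"netops": "serverpw"},      # constructed sample
                  server_reachable=server_reachable)
```

Running `build_switch().authenticate(*ssh_login_parts("testuser@test@test-switch")[:1], "localpw")` shows the accepted local login, while the same user without the "@test" suffix is rejected by the server as long as it is reachable.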
tetzPeha
Advisor

Re: local access doesnt work on 5130

It's pretty weird to set up 2 domains to log in with RADIUS and a local user.

I opened a case yesterday with HP support. It was a bug on the older switch version, because with these params on my 3600, local login and RADIUS both work.

In 5130, some params don't exist anymore:

domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

cf : https://support.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0129258

Why is the same thing not working on 5130? :D
sdide
Respected Contributor
Solution

Re: local access doesnt work on 5130

Hi,

1: I don't think it's weird to use several domains to have several different login methods. If you use RADIUS and need a new user login, just create that user on the RADIUS server? I think it's working as intended.

2: The 3600 is a comware 5 switch, the 5130 is a comware 7 switch. You cannot expect the syntax and features to be exactly the same.

3: "idle-cut" is replaced with "authorization-attribute idle-cut"

4: "state active" is the default, and therefore you do not see it.

5: "access-limit" can be set per user, or else you need to look into authorization-attribute for the domain. The same might be true for the URL; I have not checked.

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland
tetzPeha
Advisor

Re: local access doesnt work on 5130

Yeah, I know the difference between Comware 5 and 7 :(

Sadly, support took my case and is looking for a solution; maybe it's a bug, or they didn't think of that. But I'll keep your advice to create another domain for the local user. I'm waiting for HP's answer, and I'll try your solution.

tetzPeha
Advisor

Re: local access doesnt work on 5130

Hi!

Thanks for your help, it is the only way (so the only solution).