local access doesn't work on 5130
01-03-2018 12:44 AM
Hello,
I can log in to my switch through RADIUS authentication, but when I try to log in with a local user, it doesn't work; I get this message:
Sorry, you are not allowed to have dialup access
Access denied
I use the same configuration as my older switch (3600), but on this 5130 it is not working. When I try to log in with a local user, the switch sends a request to the RADIUS server instead of querying its own local database:
radius scheme 802.1x
 primary authentication 192.168.6.242
 primary accounting 192.168.6.242
 secondary authentication 10.75.4.46
 secondary accounting 10.75.4.46
 key authentication cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 key accounting cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 user-name-format without-domain
#
domain XXXX
 authentication login radius-scheme 802.1x local
 authorization login radius-scheme 802.1x local
 accounting login radius-scheme 802.1x local
#
domain system
#
domain default enable XXXXX
#
local-user adminrz class manage
 password hash XXXXXXX
 service-type ssh
 authorization-attribute user-role level-15
 authorization-attribute user-role network-admin
#
line vty 0 15
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh
#
ssh server enable
sftp server enable
ssh user adminrz service-type all authentication-type password
Thanks for your help.
01-04-2018 04:50 PM
Re: local access doesn't work on 5130
Are you trying to authenticate to the web console?
ATP FLEXNETWORK V3 | ACSA
01-04-2018 11:38 PM
Re: local access doesn't work on 5130
I opened a thread about the web console on this forum as well, and I found this issue, and now I think both are related. I can't log in with a local user, so it doesn't work with web access.
01-05-2018 03:18 AM
Re: local access doesn't work on 5130
Hi,
Your local user is regarded only as a fallback, in case your RADIUS server is unreachable. If the RADIUS server is reachable, you cannot log in with the configured local user in the same domain.
However, you can log in using another domain, where your authentication is set to local.
So, on a switch called "test-switch":
line vty 0 63
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
 idle-timeout 120 0
#
local-user testuser class manage
 password hash <hashedpassword>
 service-type ssh
 authorization-attribute user-role network-admin
#
domain normal
 authentication default hwtacacs-scheme normal-tac-scheme local
 authorization default hwtacacs-scheme normal-tac-scheme local
#
domain test
 authentication login local
 authorization command local
#
domain default enable normal
Above I've configured a local user called testuser and a domain called test. Also, as you can see, the default domain is "normal", and it uses TACACS as the primary method and local as fallback.
So if I do (for example, from a Linux bash shell):
ssh testuser@test-switch
it will try logging into the switch via the default domain, which in the above configuration is "normal". And the login will fail (unless the user "test" also exists on the TACACS server with the same password). If the TACACS server is not responding, the switch will fall back to the local user test.
If you want to use the local user "test" while the TACACS server is online, you can do it via the above configured domain "test", which specifies only "local" as its primary method. You need to do:
ssh testuser@test@test-switch
It will use the test domain and you can log in.
Regards
Region Midtjylland
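The domain-selection rule described in the answer above, and the reason the original poster's `adminrz` login is sent to RADIUS first, can be exercised offline with a small model. This is an added example, not code from the thread or from HPE; it assumes a constructed config fragment in the shape of the answer's, a dictionary of local users, and a stand-in AAA server that either answers or times out (all hypothetical names, none taken from a real device).

```python
"""Model of how Comware 7 picks an ISP domain from a login name and walks
that domain's authentication method list.  Added example, not code from the
thread or from HPE/H3C; it only reproduces the behaviour the answer describes.
Assumptions (hypothetical, not from the page): the remote server is a callable
that raises Unreachable on timeout, local users are a dict, and CONFIG is a
constructed fragment shaped like the one posted in the answer."""


class Unreachable(Exception):
    """The RADIUS/TACACS server gave no answer at all (timeout)."""


# Constructed config fragment, same shape as the answer's (not a device dump).
CONFIG = """\
domain normal
 authentication default hwtacacs-scheme normal-tac-scheme local
 authorization default hwtacacs-scheme normal-tac-scheme local
#
domain test
 authentication login local
 authorization command local
#
domain default enable normal
"""

REMOTE = ("radius-scheme", "hwtacacs-scheme")


def parse_domains(cfg):
    """Return ({domain: [(method, scheme_or_None), ...]}, default_domain).
    Only 'authentication login|default' lines matter for CLI access, and a
    'login' line overrides a 'default' line inside the same domain."""
    domains, default, cur, prio = {}, None, None, {}
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("domain default enable "):
            default = line.split()[-1]
        elif line.startswith("domain "):
            cur = line.split()[1]
            domains.setdefault(cur, [])
        elif cur and line.startswith("authentication "):
            _, access, *toks = line.split()
            if access not in ("login", "default"):
                continue
            if access == "default" and prio.get(cur) == "login":
                continue
            prio[cur] = access
            methods, i = [], 0
            while i < len(toks):
                if toks[i] in REMOTE:          # scheme name follows
                    methods.append((toks[i], toks[i + 1]))
                    i += 2
                else:                          # 'local' or 'none'
                    methods.append((toks[i], None))
                    i += 1
            domains[cur] = methods
    return domains, default


def split_login(name):
    """Comware reads 'user@domain'; without '@' the default ISP domain applies."""
    user, sep, dom = name.partition("@")
    return user, (dom if sep else None)


def openssh_split(target):
    """OpenSSH splits 'user@host' on the LAST '@', so 'testuser@test@test-switch'
    connects to host 'test-switch' with the login name 'testuser@test'."""
    login, _, host = target.rpartition("@")
    return login, host


def authenticate(login, password, domains, default_domain, local_users, remote):
    """Walk the method list.  A remote REJECT is final; only an unreachable
    server moves on to the next method, which is why the local user is a
    fallback in the default domain rather than an alternative."""
    user, dom = split_login(login)
    dom = dom or default_domain
    if dom not in domains:
        return "denied:no-such-domain"
    for method, scheme in domains[dom]:
        if method == "local":
            return "accept:local" if local_users.get(user) == password else "denied:local"
        if method == "none":
            return "accept:none"
        try:
            ok = remote(scheme, user, password)
        except Unreachable:
            continue
        return ("accept:" if ok else "denied:") + scheme
    return "denied:no-method-answered"


def make_remote(reachable, accounts):
    """Constructed stand-in for the TACACS/RADIUS server."""
    def remote(scheme, user, password):
        if not reachable:
            raise Unreachable(scheme)
        return accounts.get(user) == password
    return remote


def demo(server_reachable):
    """Try both ssh forms from the answer against one server state."""
    domains, default = parse_domains(CONFIG)
    local = {"testuser": "local-pw"}                  # constructed credentials
    remote = make_remote(server_reachable, {"netops": "tac-pw"})
    results = {}
    for target in ("testuser@test-switch", "testuser@test@test-switch"):
        login, _host = openssh_split(target)
        results[target] = authenticate(login, "local-pw", domains, default, local, remote)
    return results


if __name__ == "__main__":
    for state in (True, False):
        print("server reachable" if state else "server down", demo(state))
```

With the server up, `testuser@test-switch` lands in the default domain `normal`, the TACACS server rejects an account it does not know, and the login is denied without ever consulting the local user; `testuser@test@test-switch` selects domain `test` and authenticates locally. With the server down, the first form falls through to `local` and succeeds. The practical caveat is that any reachable domain whose method list starts with `local` is a second login path into the switch, so such a domain should carry only the accounts that genuinely need it.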
01-05-2018 03:31 AM
Re: local access doesn't work on 5130
It's pretty weird to set up 2 domains to log in with RADIUS and a local user.
I opened a case yesterday with HP support. It was a bug on the older switch version, because with these parameters on my 3600, local login and RADIUS both work.
On the 5130, some parameters don't exist anymore:
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
cf. https://support.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0129258
Why is the same thing not working on the 5130? :D
01-05-2018 05:12 AM
Hi,
1: I don't think it's weird to use several domains to have several different login methods. If you use RADIUS and need a new user login, just create that user on the RADIUS server. I think it's working as intended.
2: The 3600 is a Comware 5 switch, the 5130 is a Comware 7 switch. You cannot expect the syntax and features to be exactly the same.
3: "idle-cut" is replaced with "authorization-attribute idle-cut".
4: "state active" is the default, and therefore you do not see it.
5: "access-limit" can be set per user, or else you need to look into authorization-attribute for the domain. The same might be true for the URL; I have not checked.
Regards
Region Midtjylland
01-05-2018 05:30 AM
Re: local access doesn't work on 5130
Yeah, I know the difference between Comware 5 and 7 :(
Sadly, support took my case and is looking for a solution. Maybe it's a bug, or they didn't think of that, but I'll keep your advice to create another domain for the local user. I'm waiting for HP's reply, and I'll try your solution.
01-12-2018 12:22 AM
Re: local access doesn't work on 5130
Hi!
Thanks for your help, it is the only way (so the only solution).
12-17-2019 12:16 PM
Re: local access doesn't work on 5130
Hello, the command set you gave is for TACACS.
I am having a similar issue with 802.1X authentication. When the RADIUS server is reachable, the machine gets an IP and is authenticated via 802.1X against the RADIUS server (ClearPass), but when the RADIUS server is not reachable the machine does not get an IP.
The configuration is as below.
The user VLAN is VLAN 100.
*************************
Global
domain default enable cppm
#
radius scheme cppm
 primary authentication x.x.x.x key simple x.x.x.x
 secondary authentication x.x.x.x key simple x.x.x.x
 primary accounting x.x.x.x key simple x.x.x.x
 secondary accounting x.x.x.x key simple x.x.x.x
 accounting-on enable
 user-name-format without-domain
 nas-ip x.x.x.x
#
domain cppm
 authentication lan-access radius-scheme cppm local
 authorization lan-access radius-scheme cppm local
 accounting lan-access radius-scheme cppm local
#
radius nas-ip x.x.x.x
#
radius dynamic-author server
 client ip x.x.x.x key simple x.x.x.x
 client ip x.x.x.x key simple x.x.x.x
#
port-security enable
port-security mac-move permit
dot1x authentication-method eap
mac-authentication domain cppm
*********************
Interface level
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 100 untagged
 port hybrid pvid vlan 100
 mac-vlan enable
 stp root-protection
 stp edged-port
 lldp compliance admin-status cdp txrx
 qos trust dscp
 poe enable
 dot1x mandatory-domain cppm
 undo dot1x handshake
 undo dot1x multicast-trigger
 mac-authentication domain cppm
 mac-authentication timer auth-delay 10
 port-security port-mode userlogin-secure-or-mac-ext
 loopback-detection action shutdown
 dot1x critical vlan 100
 dot1x critical eapol