local access doesn't work on 5130

SOLVED
tetzPeha
Advisor

Hello,

I can log in to my switch through RADIUS authentication, but when I try to log in with a local user, it doesn't work; I get this message:

Sorry, you are not allowed to have dialup access
Access denied

I use the same configuration as my older switch (3600), but on this 5130 it is not working. When I try to log in with a local user, the switch sends a request to the RADIUS server instead of checking its own local database:

radius scheme 802.1x
 primary authentication 192.168.6.242
 primary accounting 192.168.6.242
 secondary authentication 10.75.4.46
 secondary accounting 10.75.4.46
 key authentication cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 key accounting cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 user-name-format without-domain

domain XXXX
 authentication login radius-scheme 802.1x local
 authorization login radius-scheme 802.1x local
 accounting login radius-scheme 802.1x local

domain system
#
 domain default enable XXXXX
#

local-user adminrz class manage
 password hash XXXXXXX
 service-type ssh
 authorization-attribute user-role level-15
 authorization-attribute user-role network-admin

line vty 0 15
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh

ssh server enable
 sftp server enable
 ssh user adminrz service-type all authentication-type password

thx for your help

8 REPLIES
johnk3r
Respected Contributor

Re: local access doesn't work on 5130

Are you trying to authenticate to the web console?

**************************************
ATP FLEXNETWORK V3 | ACSA
tetzPeha
Advisor

Re: local access doesn't work on 5130

I opened a thread about the web console on this forum also, and I found this issue, and now I think both are related. I can't log in with a local user, so it doesn't work with web access.

sdide
Respected Contributor

Re: local access doesn't work on 5130

Hi,

Your local user is regarded as a fallback only, in case your RADIUS server is unreachable. If the RADIUS server is reachable, you cannot log in with the configured local user in the same domain.

However, you can log in using another domain, where your authentication is set to local.

So, on a switch called "test-switch":

line vty 0 63
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
 idle-timeout 120 0

local-user testuser class manage
 password hash <hashedpassword>
 service-type ssh
 authorization-attribute user-role network-admin

domain normal
 authentication default hwtacacs-scheme normal-tac-scheme local
 authorization default hwtacacs-scheme normal-tac-scheme local

domain test
 authentication login local
 authorization command local

domain default enable normal

Above I've configured a local-user called testuser and a domain called test. Also, as you can see, the default domain is "normal" and it uses TACACS as the primary method and local as the fallback.

So if I do (for example, from a Linux bash shell):

ssh testuser@test-switch

it will try logging into the switch via the default domain, which in the above configuration is "normal", and the login will fail (unless the user "test" also exists on the TACACS server with the same password). If the TACACS server is not responding, the switch will fall back to the local-user test.

If you want to use the local-user "test" while the TACACS server is online, you can do it via the above-configured domain "test", which specifies only "local" as its primary method. You need to do:

ssh testuser@test@test-switch

It will use the test domain, and you can log in.

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland
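To make the login flow described in this reply concrete, here is an added Python model (example code written for this page, not anything from the thread, from Søren's switches or from Comware): the login name picks the ISP domain, the domain's method list is walked in order, and the switch moves on to "local" only when the remote server is unreachable, never when it answers with a rejection. The user names, passwords and scheme names are constructed sample data mirroring the configuration in the reply, and make_server is a constructed stand-in for the TACACS/RADIUS server.

```python
"""Model of Comware ISP-domain selection and AAA method-list fallback.

Constructed illustration (added example, not Comware or HPE code) of the
behaviour described in the reply above: the login name chooses the ISP
domain, the domain's login method list is walked in order, and the next
method ("local") is consulted only when the remote server is unreachable,
never when it answers with a rejection.
"""
from dataclasses import dataclass


@dataclass
class Domain:
    name: str
    # Ordered login method list in Comware syntax, e.g.
    # ["hwtacacs-scheme normal-tac-scheme", "local"]
    login_methods: list


@dataclass
class Switch:
    default_domain: str   # "domain default enable <name>"
    domains: dict         # domain name -> Domain
    local_users: dict     # "local-user <name> class manage": name -> password


def select_domain(switch, login_name):
    """Split 'user@domain' into (user, Domain).

    Assumption (taken from the thread's examples): '@' is the domain
    delimiter and occurs at most once in the name the switch sees; a name
    without '@' is authenticated in the default domain.
    """
    user, sep, dom = login_name.partition("@")
    if not sep:
        dom = switch.default_domain
    if dom not in switch.domains:
        raise KeyError(f"ISP domain '{dom}' is not configured")
    return user, switch.domains[dom]


def authenticate(switch, login_name, password, servers):
    """Return (result, method_used).

    `servers` maps a scheme name to a callable(user, password) that returns
    "accept", "reject" or "unreachable" (a constructed stand-in for the
    RADIUS/TACACS server). Only "unreachable" moves on to the next method;
    a "reject" ends the attempt, which is the "Access denied" in the question.
    """
    user, domain = select_domain(switch, login_name)
    for method in domain.login_methods:
        if method == "local":
            ok = switch.local_users.get(user) == password
            return ("accept" if ok else "reject"), "local"
        scheme = method.split(" ", 1)[1]   # "<kind>-scheme <name>" -> name
        result = servers[scheme](user, password)
        if result == "unreachable":
            continue                       # fall back to the next method
        return result, method
    return "reject", "no-method"


def make_server(known_users, reachable):
    """Constructed remote AAA server: when reachable it accepts only the
    accounts it knows and rejects everything else."""
    def query(user, password):
        if not reachable:
            return "unreachable"
        return "accept" if known_users.get(user) == password else "reject"
    return query


def build_switch():
    """Switch mirroring the reply's configuration (values are constructed)."""
    return Switch(
        default_domain="normal",
        domains={
            "normal": Domain("normal",
                             ["hwtacacs-scheme normal-tac-scheme", "local"]),
            "test": Domain("test", ["local"]),
        },
        local_users={"testuser": "local-secret"},
    )


if __name__ == "__main__":
    sw = build_switch()
    up = {"normal-tac-scheme": make_server({"alice": "pw"}, reachable=True)}
    down = {"normal-tac-scheme": make_server({"alice": "pw"}, reachable=False)}
    # 'ssh testuser@test-switch' with the server up: default domain "normal",
    # TACACS rejects the unknown user and local is never consulted.
    print(authenticate(sw, "testuser", "local-secret", up))
    # Same login with the server down: falls back to the local user.
    print(authenticate(sw, "testuser", "local-secret", down))
    # 'ssh testuser@test@test-switch': domain "test" is local-only.
    print(authenticate(sw, "testuser@test", "local-secret", up))
```

Run as a script, the three calls return ('reject', 'hwtacacs-scheme normal-tac-scheme'), ('accept', 'local') and ('accept', 'local'), which is exactly the sequence the reply walks through: a rejection from a reachable server is final, an unreachable server falls through to local, and the local-only domain never asks the server at all. The practical consequence is that the local-only domain is a deliberate bypass of central AAA, so its local users are break-glass credentials: keep them few and give them only the user-role they need.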
tetzPeha
Advisor

Re: local access doesn't work on 5130

It's pretty weird to set up 2 domains to log in with RADIUS and a local user.

I opened a case yesterday with HP support. It was a bug on the older switch version, because with these params on my 3600, local login and RADIUS both work.

In the 5130, some params don't exist anymore:

domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

cf : https://support.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0129258

Why is the same thing not working on the 5130? :D

sdide
Respected Contributor
Solution

Re: local access doesn't work on 5130

Hi,

1: I don't think it's weird to use several domains to have several different login methods. If you use RADIUS and need a new user login, just create that user on the RADIUS? I think it's working as intended.

2: The 3600 is a Comware 5 switch, the 5130 is a Comware 7 switch. You cannot expect the syntax and features to be exactly the same.

3: "idle-cut" is replaced with "authorization-attribute idle-cut"

4: "state active" is the default, and therefore you do not see it.

5: "access-limit" can be set per user, or else you need to look into authorization-attribute for the domain. The same might be true for the URL; I have not checked.

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland
tetzPeha
Advisor

Re: local access doesn't work on 5130

Yeah, I know the difference between com5 and 7 :(

Sadly, support took my case and is looking for a solution; maybe it's a bug, or they didn't think of that, but I'll keep your advice to create another domain for the local user. I'm waiting for HP's reply, and I'll try your solution.

tetzPeha
Advisor

Re: local access doesn't work on 5130

Hi!

Thanks for your help, it is the only way (so the only solution).

PSabharwal
New Member

Re: local access doesn't work on 5130

Hello, the command set you gave is for TACACS.

I am having a similar issue with DOT1X authentication. When the RADIUS server is reachable, the machine gets an IP and gets DOT1X authentication via the RADIUS (ClearPass). But when RADIUS is not reachable, the machine does not get an IP.

Configuration done as under:

user VLAN is VLAN 100

*************************

Global

domain default enable cppm

radius scheme cppm
 primary authentication x.x.x.x key simple x.x.x.x
 secondary authentication x.x.x.x key simple x.x.x.x
 primary accounting x.x.x.x key simple x.x.x.x
 secondary accounting x.x.x.x key simple x.x.x.x
 accounting-on enable
 user-name-format without-domain
 nas-ip x.x.x.x

domain cppm
 authentication lan-access radius-scheme cppm local
 authorization lan-access radius-scheme cppm local
 accounting lan-access radius-scheme cppm local

radius nas-ip x.x.x.x

radius dynamic-author server
 client ip x.x.x.x key simple x.x.x.x
 client ip x.x.x.x key simple x.x.x.x

port-security enable
port-security mac-move permit

dot1x authentication-method eap
mac-authentication domain cppm

*********************

Interface level

port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 untagged
port hybrid pvid vlan 100
mac-vlan enable
stp root-protection
stp edged-port
lldp compliance admin-status cdp txrx
qos trust dscp
poe enable
dot1x mandatory-domain cppm
undo dot1x handshake
undo dot1x multicast-trigger
mac-authentication domain cppm
mac-authentication timer auth-delay 10
port-security port-mode userlogin-secure-or-mac-ext
loopback-detection action shutdown
dot1x critical vlan 100
dot1x critical eapol