Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

problems with RADIUS authentication

 
NextHop
Occasional Collector

problems with RADIUS authentication

Hi all,

I'm experiencing authentication problems with this configuration on HPE5510 R1309:

radius scheme system
 primary authentication 10.40.0.208
 key authentication cipher $c$3$miP5XfL7OV3vTSlz8OsyWF+O0jl2QvIj4FemMw==
 user-name-format without-domain
 nas-ip 10.99.80.6
#
domain system
 authentication login radius-scheme system local
 authorization login radius-scheme system local

The radius server is a Freeradius 3.0.16

I've enabled "debug radius all", below the output:

<TWR-F>             *Oct 31 14:23:56:738 2018 TWR-F RADIUS/7/EVENT:
Got request data successfully, primitive: authentication.
*Oct 31 14:23:56:738 2018 TWR-F RADIUS/7/EVENT:
Getting RADIUS server info.
*Oct 31 14:23:56:738 2018 TWR-F RADIUS/7/EVENT:
Got RADIUS server info successfully.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Created request context successfully.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Created request packet successfully, dstIP: 10.40.0.208, dstPort: 1812, VPN instance: --(public), socketFd: 34, pktID: 56.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Added packet socketfd to epoll successfully, socketFd: 34.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Mapped PAM item to RADIUS attribute successfully.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Got RADIUS username format successfully, format: 2.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Added attribute user-name successfully, user-name: test.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Filled RADIUS attributes in packet successfully.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Composed request packet successfully.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Created response timeout timer successfully.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/PACKET:
    User-Name="test"
    NAS-Identifier="TWR-F"
    Framed-IP-Address=10.40.10.83
    NAS-Port-Type=Virtual
    Acct-Session-Id="00000001201810311423560000000108100627"
    User-Password=******
    Service-Type=Login-User
    NAS-IP-Address=10.99.80.6
    H3c-Product-Id="HPE 5510 48G 4SFP+ HI 1-slot Switch JH146A"
    H3c-Nas-Startup-Timestamp=1540985598
*Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/EVENT:
Sent request packet successfully.
*Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/PACKET:
 01 38 00 b1 1f 73 10 14 69 b3 0a 4e 13 6f b9 17
 71 8f c8 7d 01 06 74 65 73 74 20 07 54 57 52 2d
 46 08 06 0a 28 0a 53 3d 06 00 00 00 05 2c 28 30
 30 30 30 30 30 30 31 32 30 31 38 31 30 33 31 31
 34 32 33 35 36 30 30 30 30 30 30 30 31 30 38 31
 30 30 36 32 37 02 12 7b b9 99 47 fe 2b 32 62 9b
 21 7a cf 68 e8 58 d4 06 06 00 00 00 01 04 06 0a
 63 50 06 1a 32 00 00 63 a2 ff 2c 48 50 45 20 35
 35 31 30 20 34 38 47 20 34 53 46 50 2b 20 48 49
 20 31 2d 73 6c 6f 74 20 53 77 69 74 63 68 20 4a
 48 31 34 36 41 1a 0c 00 00 63 a2 3b 06 5b d9 92
 fe
*Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/EVENT:
Sent request packet and create request context successfully.
*Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/EVENT:
Added request context to global table successfully.
*Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/EVENT:
Processing AAA request data.
*Oct 31 14:23:56:741 2018 TWR-F RADIUS/7/EVENT:
PAM_RADIUS: Sent authentication request successfully.
*Oct 31 14:23:56:759 2018 TWR-F RADIUS/7/EVENT:
Reply SocketFd recieved EPOLLIN event.
*Oct 31 14:23:56:759 2018 TWR-F RADIUS/7/EVENT:
Received reply packet succuessfully.
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
Found request context, dstIP: 10.40.0.208, dstPort: 1812, VPN instance: --(public), socketFd: 34, pktID: 56.
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
The reply packet is valid.
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
Decoded reply packet successfully.
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/PACKET:
 02 38 00 14 06 87 b7 fe 69 24 46 2d 01 bb f6 db
 a4 15 d3 d8
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
Sent reply message successfully.
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
PAM_RADIUS: Received authentication reply message, resultCode: 0
*Oct 31 14:23:56:762 2018 TWR-F RADIUS/7/EVENT:
PAM_RADIUS: Processing RADIUS authorization.
*Oct 31 14:23:56:762 2018 TWR-F RADIUS/7/EVENT:
PAM_RADIUS: RADIUS Authorization successfully.
%Oct 31 14:23:56:763 2018 TWR-F SSHS/6/SSHS_LOG: Accepted password for test from 10.40.10.83 port 53869.

%Oct 31 14:23:57:786 2018 TWR-F SSHS/6/SSHS_CONNECT: SSH user test (IP: 10.40.10.83) connected to the server successfully.
%Oct 31 14:23:58:136 2018 TWR-F LOGIN/5/LOGIN_FAILED: test failed to log in from 10.40.10.83.
%Oct 31 14:24:01:148 2018 TWR-F SSHS/6/SSHS_LOG: User test logged out from 10.40.10.83 port 53869.
%Oct 31 14:24:01:148 2018 TWR-F SSHS/6/SSHS_DISCONNECT: SSH user test (IP: 10.40.10.83) disconnected from the server.

The authentication and authorization phases seem to be successful, but in the end I get only:

LOGIN/5/LOGIN_FAILED and  SSHS/6/SSHS_DISCONNECT:

Has anyone experienced something like this?

Thx in advance

5 REPLIES
rajkumar787
HPE Pro

Re: problems with RADIUS authentication

Hi,

Can you share the radius server configuration. Check if the Login-Service is set to 50 (SSH) in the User configuration file under the user.

Eg:
       Login-Service = 50

Thank You!
I am an HPE Employee

-----------------------------------------------------------------------------------
Was the post useful? Click on the white KUDOS! Thumb below. Kudos is a way of saying thank you to the post.
NextHop
Occasional Collector

Re: problems with RADIUS authentication

Thanks for the hint,

but I don't know how to set "Login-Service=50" with web interface of my DaloRadius.

Daloradius.JPG

I will have to ask the  server administrator if it is possible to modify the file in case it exists.

Thx again

NextHop

Highlighted
NextHop
Occasional Collector

Re: problems with RADIUS authentication

Hi rajkumar787,

I've tried to set Login-service=50 but the result is the same:

%Nov  7 12:13:56:763 2018 TWR-F SSHS/6/SSHS_LOG: Accepted password for test from 10.40.10.83 port 53869.

%Nov  7 12:13:57:786 2018 TWR-F SSHS/6/SSHS_CONNECT: SSH user test (IP: 10.40.10.83) connected to the server successfully.
%Nov  7 12:13:58:136 2018 TWR-F LOGIN/5/LOGIN_FAILED: test failed to log in from 10.40.10.83.
%Nov  7 12:14:01:148 2018 TWR-F SSHS/6/SSHS_LOG: User test logged out from 10.40.10.83 port 53869.
%Nov  7 12:14:01:148 2018 TWR-F SSHS/6/SSHS_DISCONNECT: SSH user test (IP: 10.40.10.83) disconnected from the server

IMHO, it seems not be an issue with SSH because I've an "Accepted, user connect, and user disconnect" messages from SSH.

I don't know why I've a LOGIN_FAILED on user test.

So, thx again.

NextHop

rajkumar787
HPE Pro

Re: problems with RADIUS authentication

Hi,

Try  adding 'primary accounting 10.40.0.208 &  key authentication <radius key>' under 'radius scheme system', and 'accounting  login radius-scheme system local' under the  'domain system',.

Also make sure the 'domain default enable system' is there by default.

If still you have issues to login, may be a wireshark trace on the radius server will help.
  

Thank You!
I am an HPE Employee

-----------------------------------------------------------------------------------
Was the post useful? Click on the white KUDOS! Thumb below. Kudos is a way of saying thank you to the post.
NextHop
Occasional Collector

Re: problems with RADIUS authentication

Hi rajkumar787,

first of all thx for your answer. I don't need a srv account, I don't think the problem be that.

Anyway I've tried, but unfortunately, the result is the same.

Best regards

NextHop