
iMC UAM Device management users, YES login on device but NO enter in sys mode

battagfe
Advisor


Hi all,

I’m writing this message because I have a problem with authentication of network devices with the UAM module (device management feature).

I configured everything as described in the UAM (Chapter 14 Device management users) and at present I can access the device and log in, but then I can’t enter sys mode.

It’s as if I don’t have the necessary authorization!

The device in question is an HP-5120, and on IMC I have set “H3C” in the Access Device Type field of the Access Device configuration. In addition, for the username/account with which I can’t enter sys mode, I used EXEC Priority set to 1, 3 and 15, but in the end the result doesn’t change.

Does anyone have any suggestions for me?

The process I followed was as follows:

1. Adding users to device management and configuring the UAM users.

2. Configuring the related devices as access devices in UAM.

3. Configuring AAA authentication on the devices.

Could it be that defining the device as H3C and not HP causes problems?

2 REPLIES
Peter_Debruyne
Honored Contributor

Re: iMC UAM Device management users, YES login on device but NO enter in sys mode

Hi,

I had some confusing results as well with the UAM device management users and stopped using it (that was on 5.1, still need to check on 5.2).

The main issue was that the radius vendor attribute for the device auth was the h3c/huawei code, and the device was expecting the other code.

Since you are running the HP branded comware, it may be a similar issue, but I am not sure.

The reason why I stopped using it is that the UAM only allows a single service-type (either telnet or ssh) for the user, so you cannot grant both at the same time, or allow terminal service-type as well (for UAM based console auth).

This probably is better handled by the TAM (tacacs module of IMC) software module, but I do not have experience with that module so far.

Best regards, Peter.

battagfe
Advisor
Solution

Re: iMC UAM Device management users, YES login on device but NO enter in sys mode

Hi Peter!

In the end, together with a colleague, I realized the reason for this strange behavior.
IMC was well configured, but the lines for the management of the authorization and server-type had not been included on the device.
Once we configured the device as below, everything started to work properly:

radius scheme auth_radius
server-type extended
primary authentication <IP_server_IMC>
key authentication <password>
user-name-format keep-original

domain radius_domain_imc
authentication default radius-scheme auth_radius local
authorization default radius-scheme auth_radius local
authentication login radius-scheme auth_radius local
authorization login radius-scheme auth_radius local


user-interface vty 0 15
authentication-mode scheme

domain default enable radius_domain_imc

Greetings, and thank you for your answer.

FB
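
An added example, not part of the thread or of any HP/IMC tooling: a Python check that scans a Comware-style configuration for the two omissions the solution post describes, a domain that authenticates logins against a RADIUS scheme without a matching authorization line, and a RADIUS scheme without `server-type extended`. The sample configuration, its IP address, and the function names are constructed for illustration, and the check assumes the authorization line should name the same scheme as the authentication line, as in the working configuration above.

```python
import re

# Constructed sample: the solution's config with the lines the post says
# were missing (server-type and authorization) left out. IP is a placeholder.
BROKEN = """\
radius scheme auth_radius
 primary authentication 192.0.2.10
 user-name-format keep-original
domain radius_domain_imc
 authentication default radius-scheme auth_radius local
 authentication login radius-scheme auth_radius local
user-interface vty 0 15
 authentication-mode scheme
domain default enable radius_domain_imc
"""

HEADER = re.compile(r"(radius scheme|domain) (\S+)$")
AAA = re.compile(r"(authentication|authorization) (default|login) radius-scheme (\S+)")

def parse_blocks(text):
    """Group lines under their 'radius scheme X' or 'domain X' header."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = blocks.setdefault((m.group(1), m.group(2)), [])
        elif not line or line.startswith(("user-interface", "domain default")):
            current = None  # blank line or a top-level command ends the block
        elif current is not None:
            current.append(line)
    return blocks

def audit(text):
    """List RADIUS login setups lacking authorization or server-type lines."""
    blocks, findings, schemes = parse_blocks(text), [], set()
    for (kind, name), lines in blocks.items():
        if kind != "domain":
            continue
        used = {"authentication": {}, "authorization": {}}
        for m in filter(None, map(AAA.match, lines)):
            used[m.group(1)][m.group(2)] = m.group(3)
        for svc, scheme in used["authentication"].items():
            schemes.add(scheme)
            if used["authorization"].get(svc) != scheme:
                findings.append(f"domain {name}: missing 'authorization {svc} radius-scheme {scheme}'")
    for scheme in sorted(schemes):
        if "server-type extended" not in blocks.get(("radius scheme", scheme), []):
            findings.append(f"radius scheme {scheme}: missing 'server-type extended'")
    return findings
```

Calling `audit(BROKEN)` returns three findings (two missing authorization lines and the missing server-type); the configuration from the solution post returns an empty list.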