ProCurve / ProVision-Based

HP Procurve 2524, ssh authenticated with radius, couldn't login privilege mode automatically

vovochka83
Occasional Visitor

As mentioned in the hardening white paper, on the RADIUS server:

Service-Type = 6 allows manager-level access
Service-Type = 7 allows operator-level access
A user with Service-Type not equal to 6 or 7 is denied access
A user with no Service-Type attribute supplied is denied access when privilege mode is enabled

Then configure the switch with the commands below:

aaa authentication login privilege-mode
aaa authentication ssh login radius local
aaa authentication ssh enable radius local

The above configuration is working fine for most of the switches, except the HP J4813A ProCurve Switch 2524, on which the command "aaa authentication login privilege-mode" is not available. So I have to log in twice before I get into the enable mode. What can I do to make it enter privilege mode automatically, as on the other switches?

P.S. This thread has been moved from LAN Routing to ProCurve / ProVision-Based. - HP Forum Moderator

4 REPLIES
lissacoffey
Advisor

Hi all

I've configured a couple of switches for RADIUS use, and set up NPS on Windows Server 2008 R2.

The first switch, a 3500-24, works flawlessly. The second one (5412zl) is slightly different.

If I enable local authentication as the secondary authentication method, via:

aaa authentication ssh login peap-mschapv2 local

Then I don't appear to be being authenticated properly via RADIUS. Here's what happens:

1) Switch prompts for username, I enter my domain username, which works for the other switch

2) I am then taken straight to operator mode (> at each prompt), without being prompted for a password

3) I'll type enable, and the local password is required

If I then alter the config to this

aaa authentication ssh login peap-mschapv2 none

Then I am able to log into the switch with my AD credentials, just as it should do. However, I now no longer have a secondary means of authentication if the RADIUS server breaks.

Has anyone heard of this before? I am trying to avoid a firmware upgrade as this is a production switch. I just wonder if anyone can think of a reason for this happening, or if I'm doing something wrong.

Thanks,

Lisa
(Sky Support Manager)
EricAtHP
Esteemed Contributor

I am able to get directly to the enable prompt (HP-5406-zl#) on a 5406 running K.15.16.0004 with these config parameters:

aaa authentication login privilege-mode
aaa authentication console login peap-mschapv2 local
aaa authentication console enable peap-mschapv2 local
aaa authentication ssh login peap-mschapv2 local
aaa authentication ssh enable peap-mschapv2 local

password manager
password operator

I configured the console with the same parameters as ssh so that I could test the secondary local login. When I disconnected the switch from the network, including the RADIUS server, this is what happened. Notice that the prompt is different depending on which authentication method the switch is using. Please Enter Login Name: = RADIUS and Username: = local.

Please Enter Login Name: eric
Please Enter Password:
Attempting to authenticate.
Attempting to authenticate.
Attempting to authenticate.
Attempting to authenticate.
Unable to authenticate user.
Username: admin
Password:
Your previous successful login (as manager) was on 2015-05-22 14:36:15  from the console

My guess is that you both are on older software. It is possible that the 2524s may not work even with a software update as it is an older switch. But it might, too; there was a software update a year ago. I checked the release notes for F.05.79 and didn't see anything related to RADIUS or authentication, but those release notes don't cover the whole life of the product. You might get your switch version and look at the release notes for every newer switch release.

If you need more, please let us know what software version you are running and if possible share the switch config.

vovochka83
Occasional Visitor

I did upgrade to the latest version:

Image stamp: /sw/code/build/info
May 15 2014 18:20:03
F.05.79
1373

but still can't get privilege mode automatically... and the command "aaa authentication login privilege mode" is not available as well...

Pete W
Valued Contributor

Did you find a solution to this issue?

I thought I'd seen the last of this problem, but am now working for a client who still uses 2524s.

MASE
CCNP
Meru MCSE