GbE2c Radius

Richard Crimp
Occasional Visitor

GbE2c Radius

I'm trying to configure RADIUS. I have configured the switches as follows.

radius-server primary-host xxx.xxx.xxx.xxx ekey "Some Secret"
radius-server timeout 10
radius-server enable
no radius-server backdoor
radius-server secure-backdoor


Using Wireshark, the switch sends an Access-Request packet to the RADIUS server and the RADIUS server responds with an Access-Accept. But the switch logs me out.

What RADIUS server attribute do I need to set to allow access?

Thanks
12 REPLIES
Jeff Carrell
Honored Contributor

Re: GbE2c Radius

what radius access are you wanting to achieve?

802.1X or switch authentication for access?

this will help to know which way to answer...

cheers...jeff
Richard Crimp
Occasional Visitor

Re: GbE2c Radius

We are trying to achieve RADIUS authentication for switch access.
Jeff Carrell
Honored Contributor

Re: GbE2c Radius

ahh, for switch mgmt access, you need a few more commands:

'aaa authentication radius '

access-method = console, telnet, ssh, web

user-level = login (oper) or enable (mgr)

sec-auth-method = for console, no choice but local, for all other local -or- none

generally you will have 2 of these commands for each access-method/user-level...

refer to this link for more details:
http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-6-RADIUS.pdf

hth...jeff
Richard Crimp
Occasional Visitor

Re: GbE2c Radius

Hi Jeff,

I tried the commands you suggested, but the GbE2c uses a different command set to the ProCurve range.
Jeff Carrell
Honored Contributor

Re: GbE2c Radius

what is the GbE2c?

i thought some of the radius commands you showed looked a bit different...

sorry can't be of more assistance...

cheers...jeff
Richard Crimp
Occasional Visitor

Re: GbE2c Radius

The GbE2c is the blade switch used in a c-class blade enclosure.
jhodges125
Occasional Visitor

Re: GbE2c Radius

I am having the same issue here and was wondering if a fix was ever found?

Thanks,
John

I am using Freeradius
Richard Crimp
Occasional Visitor

Re: GbE2c Radius

The solution is as below. If you have any problems please let me know.

To get RADIUS working on IAS 2003

1. Open IAS Admin Tool
2. Select the correct Remote Policy
3. Set it with the following

Service-Type Administrative

If you wish to allow people access to the switch without the ability to make changes, you will need to manually edit the following file
C:\windows\system32\ias\dnary.mdb
In the Enumerators table, at the bottom, add the following

HP User Service-Type 255
David MF
Occasional Visitor

Re: GbE2c Radius

Hi!

We're having problems trying to authenticate with Freeradius on GbE2c and GbE2p blade Ethernet switch modules.

We have configured different reply attributes on Freeradius for Cisco and HP ProCurve switches, but it doesn't work with blade modules.

Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
Service-Type = Administrative-User

When we try to authenticate by telnet we get access accepted on Freeradius, but I think the Reply attribute we're using is not correct. Any idea?

Sending Access-Accept of id 160 to 1.2.3.4 port 3010

Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
Service-Type = Administrative-User

Finished request 1.

Is there any way to debug RADIUS events on the GbE2c/GbE2p modules?

Thanks!
David MF
Occasional Visitor

Re: GbE2c Radius

I'm replying to myself after some additional testing ...

If you put Service-Type=Administrative-User first in the Reply-Attr list, it works OK on blade switches.

On ProCurve/Catalyst the order doesn't matter.

:)



sebwise
Occasional Visitor

Re: GbE2c Radius

I'm also looking into setting up RADIUS switch authentication via Windows IAS. Before I go any further on this, I would like to know what encryption the GbE2c supports. I only found one tutorial with PAP authentication, but I don't want any cleartext password going through the network. As this is not configurable on the switch, does this automatically mean that it doesn't support encryption?
David MF
Occasional Visitor

Re: GbE2c Radius

I'm replying to myself again :)

On a recent installation of Radiator I've realized that the real problem was in Radiator's config file; we had to remove the following line:

AddToReply Service-Type = NAS-Prompt-User

The order of the reply attributes doesn't really matter.
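
Added example, not part of any post in this thread: the Access-Accept logged above carries two different Service-Type values, so the privilege level the switch ends up with depends on how it handles the duplicate. This Python sketch parses an Access-Accept in the RFC 2865 wire format and flags that condition; the function names are hypothetical and the sample packets are constructed (zeroed authenticator, id 160 taken from the log above).

```python
import struct

ACCESS_ACCEPT, SERVICE_TYPE, VENDOR_SPECIFIC = 2, 6, 26   # RFC 2865 code and attribute types
NAMES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}

def parse_attributes(packet):
    """Return (code, [(attr_type, value_bytes), ...]) in wire order."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("truncated or malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def service_types(packet):
    """Service-Type values of an Access-Accept, in the order they were sent."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    return [struct.unpack("!I", v)[0] for t, v in attrs
            if t == SERVICE_TYPE and len(v) == 4]

def check_reply(packet):
    """Flag replies whose Service-Type attributes disagree with each other."""
    values = service_types(packet)
    names = [NAMES.get(v, str(v)) for v in values]
    if len(set(values)) > 1:
        return "AMBIGUOUS: " + ", ".join(names)
    return "OK: " + (names[0] if names else "no Service-Type")

def attr(a_type, value):
    return bytes([a_type, len(value) + 2]) + value

def build_accept(ident, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: the reply from the log above, and the same reply
# without the extra NAS-Prompt-User line. Cisco-AVPair is vendor 9, sub-type 1.
AVPAIR = attr(VENDOR_SPECIFIC, struct.pack("!I", 9) + attr(1, b"shell:priv-lvl=15"))
SAMPLE_BAD = build_accept(160, [attr(6, struct.pack("!I", 7)), AVPAIR, attr(6, struct.pack("!I", 6))])
SAMPLE_GOOD = build_accept(160, [AVPAIR, attr(6, struct.pack("!I", 6))])
if __name__ == "__main__":
    print(check_reply(SAMPLE_BAD), check_reply(SAMPLE_GOOD), sep="\n")
```

To check a real reply, pass the UDP payload of the Access-Accept exported from a capture to `check_reply`; the response authenticator is not verified here.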