
Re: PC 5300 and MS IAS. Can't get rid of the web double login

 
MsE
Advisor

PC 5300 and MS IAS. Can't get rid of the web double login

Hi,
I have configured a ProCurve 5308xl switch to authenticate users that want to use its web interface over RADIUS using the Microsoft Internet Authentication Service. Upon login into the web interface it asks for my user and password. When I supply my login credentials, a second password prompt (a java one) pops up and asks for my credentials a second time. I have read about that issue in the manual. The manual says that I have to toggle the "aaa authentication login privilege-mode" option on the switch to get rid of the second login but it won't work with me.

My aaa-related lines in the config are the following:

aaa authentication web login radius none
aaa authentication login privilege-mode
radius-server host aaa.bbb.ccc.ddd key mysecretkey

I tried to use both, the "web login" and "web enable" options alone and together but with no success.

In the IAS's ras policies profile options, I defined the "Service-Type" attribute to be "Administrative" as mentioned in the manual.

Right now I'm only running a config with the "... web enable radius ..." option set which will use radius authentication for actions which require the manager access level.
I'd really like to have one single password prompt which will get you into the web interface with manager rights.

What am I doing wrong?

Thanks in advance.
4 REPLIES
Matt Hobbs
Honored Contributor

Re: PC 5300 and MS IAS. Can't get rid of the web double login

What you've done looks to be right. If you were to enable the same thing on the telnet interface you should be logged straight into the manager mode #.

The issue in this case I think is more simple - it's just a java / browser problem.

Even with just a basic operator/manager password only on the switch, I believe you'd get the same problem (I see it myself but I just accept that I have to put up with it). From memory when using the Microsoft VM I never saw this issue.

Les also mentioned it at the bottom of this thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1030556

Werner Weiss
Occasional Advisor

Re: PC 5300 and MS IAS. Can't get rid of the web double login

Hi Sebastian,
I have tried this with one of my 5300 switches. I used the following config:
aaa authentication web login radius
aaa authentication web enable radius
aaa authentication login privilege-mode
And my config at the IAS:
Policy conditions:
Windows-Groups matches "switch-admins" AND
Service-Type matches "Administrative OR NAS Prompt"
In the profile, under Advanced:
Login-LAT-Service -> Telnet
Service-Type -> Administrative
With this it works for telnet and web login.
Les Ligetfalvy
Esteemed Contributor

Re: PC 5300 and MS IAS. Can't get rid of the web double login

You may also get improved mileage if you manage the proxy settings in the JRE. Depending on how your proxy is set up, you may want to set the JRE to go *direct* for certain exceptions.
MsE
Advisor

Re: PC 5300 and MS IAS. Can't get rid of the web double login

@Matt: You're right. It works well when using the telnet login. You convinced me that I have a java problem.

@Werner: Yeah, my config is similar and seems to be working fine except for the web interface. Which JRE version are you running?
BTW: "Login-LAT-Service"? Doesn't it have to be "Login-Service"?

@Les: I'm not using any proxies in my testing environment. I have upgraded the JRE from 1.4.2_06 to 1.5.0_02 but it still doesn't work the way it should.