
Tobias Bartholdi
New Member

commands authorization, RADIUS Server

Hi all,

I am trying to configure command authorization on a RADIUS server for my HP switches.
As RADIUS server I use Microsoft IAS. In this guide (http://cdn.procurve.com/training/Manuals/2900-ASG-Jan08-5-RADIUS.pdf), HP explains it for a Cisco tool and FreeRADIUS.
Does anyone know if RADIUS command authorization also works with an IAS server? I have no idea how to configure it... could you point me in the right direction?

Thanks a lot.
Tobias
Jeff Carrell
Honored Contributor
Solution

Re: commands authorization, RADIUS Server

Quick note: this feature is available on the ProVision ASIC family of switches: 3500/6200/6600/5400/8200, and at least the 2900 series, but not the "older" switches like the 2524, 2626/2650, 2824/2828, 3400, 5300, 4000.


Here are the steps to configure command authorization for IAS and the switch:

IAS config for command authorization:

1) In the IAS Remote Access Policies list window, right-click the entry and click Properties in the pop-up menu.

2) Click Edit Profile and then click the Advanced tab and click Add.

3) In the Add Attribute window, scroll down to select the Vendor-Specific name and then click Add.

4) In the Multivalued Attribute Information window, click Add.

5) In the Vendor-Specific Attribute Information window, specify the following:
   Enter Vendor Code: select this radio button
   Vendor Code: 11
   Yes, it conforms: select this radio button

6) Click Configure Attribute.

7) In the Configure VSA window, specify the following:
   Vendor-assigned attribute number: 2
   Attribute format: String
   Attribute value: the command list (see the **note** below on command string format)
   Do not include spaces before or after the semicolons.

8) Click OK.

9) In the Multivalued Attribute Information window, click Add.

10) In the Vendor-Specific Attribute Information window, specify the following:
   Enter Vendor Code: select this radio button
   Vendor Code: 11
   Yes, it conforms: select this radio button

11) Click Configure Attribute.

12) In the Configure VSA window, specify the following:
   Vendor-assigned attribute number: 3
   Attribute format: Decimal
   Attribute value: 0 or 1

An attribute value of 0 allows the commands in the list to be used.
An attribute value of 1 denies use of the commands in the list.

13) Click OK.

14) Click OK.

15) Click OK to close the Edit Dial-in Profile window.

16) Click OK to close the policy Properties window.


**note**
Command string format
Each command can be up to 249 characters in length and each command is delimited by a semicolon (;).

You can enter the commands you wish to allow or deny with the special characters used in standard regular expressions. These include individual characters like the asterisk (*), circumflex (^), dollar sign ($), period (.), and backslash (\).

You can also use more complex regular expressions that involve a bracketed list of characters or its inverse, a bracketed list of characters that are not to be matched.

A regular expression is a string that describes or matches a set of strings, according to certain syntax rules. Regular expressions are used by many text editors and utilities to search and manipulate bodies of text based on certain patterns. A regular expression is often called a pattern. It is an expression that describes a set of strings. They are usually used to give a concise description of a set of strings, without having to list all of the elements.

For example:
.op matches any three-character string like hop, mop, or top.
[hm]op matches hop and mop.
[^t]op matches all the matched strings from the regex .op except top.
^[hm]op matches hop and mop, but only at the beginning of a line.
[hm]op$ matches hop and mop, but only at the end of a line.

Command list examples:
show;ping;tra*;
show;enable;conf;wr;vlan;i[pn];


Switch config for command authorization:

1) <3500>(config)# aaa authorization commands radius

-------------------

hth...jeff
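The command-list semantics described in the steps above (a semicolon-delimited list of regexes in HP VSA attribute 2, with attribute 3 selecting whether it is a permit list or a deny list), as an added Python model; this is not code from the original post or from HP's firmware. It assumes, as the post's own regex examples imply (".op matches hop, mop, or top"; "^[hm]op ... only at the beginning of a line"), that a pattern is searched anywhere in the command line unless anchored with ^ or $. That assumption and the sample command lines are constructed here and must be checked against the target switch. It also shows why the unanchored patterns in the post's examples ("tra*", "i[pn]") match more than a reader might expect.

```python
import re

# HP-Command-Exception (HP VSA attribute 3) values as given in the IAS steps above
PERMIT_LIST = 0   # value 0: commands matching the list are allowed, everything else denied
DENY_LIST = 1     # value 1: commands matching the list are denied, everything else allowed


def parse_command_list(command_string):
    """Split an HP-Command-String (HP VSA attribute 2) into its regex patterns.

    The list is semicolon-delimited with no spaces around the semicolons; the
    trailing semicolon in the post's examples ("show;ping;tra*;") produces an
    empty element, which is dropped.
    """
    return [p for p in command_string.split(";") if p]


def command_allowed(command, command_string, exception_value):
    """Decide whether one CLI command line is allowed.

    Assumption (constructed model, not the switch's code): a pattern is searched
    anywhere in the command line unless it is anchored with ^ or $, which is what
    the post's regex examples imply. Verify this on the target firmware.
    """
    patterns = parse_command_list(command_string)
    matched = any(re.search(p, command) for p in patterns)
    if exception_value == PERMIT_LIST:
        return matched
    if exception_value == DENY_LIST:
        return not matched
    raise ValueError("HP-Command-Exception must be 0 or 1, got %r" % (exception_value,))


def evaluate(command_string, exception_value, commands):
    """Map each command line to True (allowed) or False (denied)."""
    return {c: command_allowed(c, command_string, exception_value) for c in commands}


if __name__ == "__main__":
    # Constructed sample command lines an operator might type on a ProCurve switch
    sample = ["show vlan", "ping 10.1.1.1", "traceroute 10.1.1.1",
              "trunk 1-2 trk1 lacp", "configure", "write memory"]

    # Permit list from the post: "show;ping;tra*;"
    # "tra*" is "tr" followed by zero or more "a", so it also matches "trunk ...".
    for cmd, ok in evaluate("show;ping;tra*;", PERMIT_LIST, sample).items():
        print("permit list  %-22s %s" % (cmd, "allow" if ok else "deny"))

    # Anchoring and spelling the command out removes that over-match.
    for cmd, ok in evaluate("^show;^ping;^traceroute;", PERMIT_LIST, sample).items():
        print("anchored     %-22s %s" % (cmd, "allow" if ok else "deny"))

    # Deny list from the post: "show;enable;conf;wr;vlan;i[pn];"
    # Unanchored "i[pn]" matches the "in" inside "ping", so ping is denied too.
    for cmd, ok in evaluate("show;enable;conf;wr;vlan;i[pn];", DENY_LIST, sample).items():
        print("deny list    %-22s %s" % (cmd, "allow" if ok else "deny"))
```

Run it with `python3` to see the three tables side by side; the practical takeaway is to anchor every pattern with ^ and spell out the command keyword, because a short unanchored fragment such as "wr" or "i[pn]" is matched against the whole line, arguments included.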

Re: commands authorization, RADIUS Server

No, the command authorization feature is enabled on the earlier models 2600, 2800, 2610; you just have to be running the latest firmware.

Software revision: I.10.77

ProCurve Switch 2848(config)# aaa authorization commands radius

There's a defect which exists in most branches that prevents command authorization from being used with the 'no' version of commands. This should be fixed as new stable versions are released.

Be aware that as soon as this feature is enabled, the requisite VSAs must be present in Access-Accept responses, else the switch will reject authentication attempts.

Also be aware that this feature blocks access to the menu.
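The requirement in the reply above (both HP VSAs must be present in every Access-Accept once `aaa authorization commands radius` is on), as an added Python example that is not code from the original post, from IAS or from the switch. It encodes the two HP VSAs the IAS steps above produce (vendor 11, attribute 2 as a string, attribute 3 as a 4-byte integer, which is what the IAS "Decimal" format becomes on the wire, an assumption noted in the code) in RFC 2865 Vendor-Specific format, builds a constructed Access-Accept around them, and scans a packet for them. The packet carries an all-zero Response Authenticator for illustration only; it is not a capture.

```python
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific attribute type
HP_VENDOR_ID = 11            # "Vendor Code 11" in the IAS steps above
HP_COMMAND_STRING = 2        # vendor-assigned attribute 2: semicolon-delimited regex list
HP_COMMAND_EXCEPTION = 3     # vendor-assigned attribute 3: 0 = permit list, 1 = deny list


def vendor_specific(vendor_id, vendor_type, value):
    """Encode one VSA: Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)   # assumption: IAS "Decimal" = 4-byte big-endian integer
    elif isinstance(value, str):
        value = value.encode("ascii")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("VSA exceeds the 255-byte RADIUS attribute limit")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def hp_vsa(vendor_type, value):
    return vendor_specific(HP_VENDOR_ID, vendor_type, value)


def access_accept(identifier, attributes):
    """Constructed Access-Accept: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.

    The Response Authenticator is zeroed here; a real one is the MD5 over the
    packet fields, the Request Authenticator and the shared secret (RFC 2865 s.3).
    """
    attrs = b"".join(attributes)
    return struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(attrs)) + b"\0" * 16 + attrs


def iter_attributes(packet):
    """Yield (type, value) for every top-level attribute, rejecting bad lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def hp_command_vsas(packet):
    """Return {vendor_type: value} for HP (vendor 11) VSAs in an Access-Accept.

    Attribute 2 is decoded as a string and attribute 3 as an integer; VSAs from
    other vendors are ignored. A non-Accept packet yields an empty dict.
    """
    found = {}
    if packet[0] != RADIUS_ACCESS_ACCEPT:
        return found
    for atype, value in iter_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != HP_VENDOR_ID:
            continue
        sub, pos = value[4:], 0
        while pos + 2 <= len(sub):
            vtype, vlen = sub[pos], sub[pos + 1]
            if vlen < 2 or pos + vlen > len(sub):
                raise ValueError("malformed VSA sub-attribute")
            data = sub[pos + 2:pos + vlen]
            if vtype == HP_COMMAND_STRING:
                found[vtype] = data.decode("ascii")
            elif vtype == HP_COMMAND_EXCEPTION and len(data) == 4:
                found[vtype] = struct.unpack("!I", data)[0]
            pos += vlen
    return found


def has_command_authorization(packet):
    """True only if both HP-Command-String (2) and HP-Command-Exception (3) are present."""
    found = hp_command_vsas(packet)
    return HP_COMMAND_STRING in found and HP_COMMAND_EXCEPTION in found


if __name__ == "__main__":
    good = access_accept(7, [hp_vsa(HP_COMMAND_STRING, "^show;^ping;^traceroute;"),
                             hp_vsa(HP_COMMAND_EXCEPTION, 0)])
    print(good.hex())
    print("complete:", has_command_authorization(good), hp_command_vsas(good))
    # A policy that only sets attribute 2 is the case the reply warns about.
    partial = access_accept(8, [hp_vsa(HP_COMMAND_STRING, "^show;")])
    print("partial :", has_command_authorization(partial), hp_command_vsas(partial))
```

Pointing `hp_command_vsas` at an Access-Accept captured from the IAS server (for example, the attributes portion of a packet from a test client) is a quick way to confirm that the profile from the steps above actually emits both attributes before enabling the feature on the switch.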