commands authorization, RADIUS Server
01-30-2010 01:11 PM
Hi all,
I am trying to configure commands authorization on a RADIUS server for my HP switches.
As RADIUS server I use Microsoft IAS. In this guide (http://cdn.procurve.com/training/Manuals/2900-ASG-Jan08-5-RADIUS.pdf), HP explains it for a Cisco tool and FreeRADIUS.
Does anyone know if RADIUS command authorization also works with an IAS server? I have no idea how to configure it... Could you point me in the right direction?
thanks a lot.
tobias
01-31-2010 04:24 AM
Solution
quick note: this feature is available on the ProVision ASIC family of switches: 3500/6200/6600/5400/8200...and at least the 2900 series...but not the "older" switches like 2524, 2626/2650, 2824/2828, 3400, 5300, 4000...
here are the steps to configure commands authorization for IAS and the switch:
IAS config for commands authorization:
1) In the IAS Remote Access Policies list window, right-click the entry and click Properties in the pop-up menu.
2) Click Edit Profile and then click the Advanced tab and click Add.
3) In the Add Attribute window, scroll down to select the Vendor-Specific name and then click Add.
4) In the Multivalued Attribute Information window, click Add.
5) In the Vendor-Specific Attribute Information window, specify the following information:
   Parameter             Action or Value
   Enter Vendor Code:    Enable radio button
   Vendor Code           11
   Yes, it conforms.     Enable radio button
6) Click Configure Attribute.
7) In the Configure VSA window, specify the following information.
   Parameter             Value
   String                2
   Attribute format      String
   Attribute value       **see note below**
Do not include spaces before or after the semicolons.
8) Click OK.
9) In the Multivalued Attribute Information window, click Add.
10) In the Vendor-Specific Attribute Information window, specify the following information:
   Parameter             Action or Value
   Enter Vendor Code:    Enable radio button
   Vendor Code           11
   Yes, it conforms.     Enable radio button
11) Click Configure Attribute.
12) In the Configure VSA window, specify the following information.
   Parameter             Action or Value
   String                3
   Attribute format      Decimal
   Attribute value       "x"
The attribute value of 0 allows the command list to be used.
The attribute value of 1 denies the command list to be used.
13) Click OK.
14) Click OK.
15) Click OK to close the Edit Dial-in Profile window.
16) Click OK to close the policy Properties window.
**note**
Command string format
Each command can be up to 249 characters in length and each command is delimited by a semicolon (;).
You can enter the commands you wish to allow or deny with the special characters used in standard regular expressions. These include the use of individual characters like the asterisk (*), circumflex (^), dollar sign ($), period (.), and backslash (\).
You can also use the more complex regular expressions that involve specifying a bracketed list of characters or the inverse, a bracketed list of characters that are not to be used.
A regular expression is a string that describes or matches a set of strings, according to certain syntax rules. Regular expressions are used by many text editors and utilities to search and manipulate bodies of text based on certain patterns. A regular expression is often called a pattern. It is an expression that describes a set of strings. They are usually used to give a concise description of a set of strings, without having to list all of the elements.
For example:
.op matches any three-character string like hop, mop, or top.
[hm]op matches hop and mop.
[^t]op matches all the matched strings from the regex .op except top.
^[hm]op matches hop and mop, but only at the beginning of a line.
[hm]op$ matches hop and mop, but only at the end of a line.
Command list examples :
show;ping;tra*;
show;enable;conf;wr;vlan;i[pn];
*****
switch config for commands authorization:
1) <3500>(config)# aaa authorization commands radius
-------------------
hth...jeff
02-06-2010 01:43 PM
Re: commands authorization, RADIUS Server
No, the command authorization feature is enabled on the earlier models 2600, 2800, 2610; you just have to be running the latest firmware.
Software revision : I.10.77
ProCurve Switch 2848(config)# aaa authorization commands radius
There's a defect which exists in most branches that prevents command authorization being used with the 'no' version of commands. This should be fixed as new stable versions are released.
Be aware that as soon as this feature is enabled the requisite VSAs must be present in Access-Accept responses else the switch will reject authentication attempts.
Also be aware that this feature blocks access to the menu.
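An added example, not part of either reply or of HP's documentation: a Python check of a command list string against the rules in the note above (semicolon delimiters, no surrounding spaces, 249-character limit), plus a check that a RADIUS attribute block carries both vendor-11 VSAs, which the last reply says must be present in Access-Accept responses. It assumes the standard RFC 2865 Vendor-Specific layout, that the Decimal value travels as a 32-bit integer, and that Python's `re` can stand in for the switch's regex dialect for a syntax check; all function and constant names are illustrative.

```python
import re
import struct

HP_VENDOR_ID = 11      # "Vendor Code 11" in steps 5 and 10
VSA_COMMAND_LIST = 2   # string: semicolon-delimited command list
VSA_LIST_MODE = 3      # decimal: 0 = allow the list, 1 = deny the list

def lint_command_list(value):
    """Return problems found in a command list string before it goes into IAS."""
    problems = []
    if re.search(r"\s;|;\s", value):
        problems.append("space before or after a semicolon")
    for cmd in filter(None, value.split(";")):
        if len(cmd) > 249:
            problems.append(f"command over 249 characters: {cmd[:20]}...")
        try:
            re.compile(cmd)  # assumption: Python's dialect stands in for the switch's
        except re.error as exc:
            problems.append(f"invalid regular expression {cmd!r}: {exc}")
    return problems

def encode_vsa(vendor_type, payload):
    """Build one RFC 2865 Vendor-Specific attribute (type 26) for vendor 11."""
    if len(payload) > 247:  # one-octet length field: 255 minus 8 header bytes
        raise ValueError("payload does not fit in a single VSA")
    sub = struct.pack("!BB", vendor_type, len(payload) + 2) + payload
    return struct.pack("!BBI", 26, len(sub) + 6, HP_VENDOR_ID) + sub

def hp_vsas(attributes):
    """Map vendor type -> payload per vendor-11 VSA (assumes one sub-attribute each)."""
    found, i = {}, 0
    while i < len(attributes):
        if i + 2 > len(attributes) or not 2 <= attributes[i + 1] <= len(attributes) - i:
            raise ValueError("malformed attribute length")
        atype, alen = attributes[i], attributes[i + 1]
        body = attributes[i + 2:i + alen]
        if atype == 26 and len(body) >= 6 and body[:4] == struct.pack("!I", HP_VENDOR_ID):
            found[body[4]] = body[6:4 + body[5]]
        i += alen
    return found

def missing_vsas(attributes):
    """Command-authorization vendor types (2 and 3) absent from the attribute block."""
    present = hp_vsas(attributes)
    return [t for t in (VSA_COMMAND_LIST, VSA_LIST_MODE) if t not in present]

# Constructed sample: attributes of an Access-Accept using the first example list.
SAMPLE = (encode_vsa(VSA_COMMAND_LIST, b"show;ping;tra*;")
          + encode_vsa(VSA_LIST_MODE, struct.pack("!I", 0)))
```

Running `missing_vsas` over the attribute bytes of a captured Access-Accept before enabling `aaa authorization commands radius` shows whether the policy would lock out logins on the switch.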