08-18-2016 08:48 AM
RADIUS authentication HP1920-16G
I currently have quite a few HP1910 (8G and 16G) and HP 5120 which use RADIUS for SSH logins. The NPS server is 2012R2. The RADIUS authentication works and assigns the correct privilege level.
Recently I got some HP1920 (8G and 16G). However those fail RADIUS authentication with the same settings that work on the 1910. On the 2012R2 server side I can see the user is granted full access successfully however the switch just logs:
SHELL/5/SHELL_LOGINFAIL: SSH user martin failed to log in from 192.168.205.55 on VTY0..
SC/5/SC_AAA_FAILURE: -AAAType=AUTHEN-AAAScheme= radius-scheme system-Service=login-UserName=martin@example; AAA is failed. Common.
SC/6/SC_AAA_LAUNCH: -AAAType=AUTHEN-AAAScheme= radius-scheme system-Service=login-UserName=martin@example; AAA launched.
The relevant switch config from HP1920 (which is the exact same on 1910 switches) is:
radius scheme system
server-type extended
primary authentication 1.1.1.1
key authentication XXXXXXXXXXXXXXXXXXXXXXX
user-name-format without-domain
#
domain example
authentication default radius-scheme system
authorization default radius-scheme system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
domain default enable example
The only notable difference is that 1910 switches run Comware Software, Version 5.20, Release 1513P99
And the 1920 ones are on Comware Software, Version 5.20.99, Release 1112
However I doubt that is the issue.
Thanks,
Martin
08-23-2016 04:17 AM
Re: RADIUS authentication HP1920-16G
Hello,
One thing to check on the 1920 series switches - are these still using the (older H3C / Huawei) 4 levels of privilege (0-3, 3 being admin or manager) or have they shifted over to using the 0-15 (very Cisco-like) scheme?
Have a look at this FreeRadius example to see what I mean - it shows both the 4 level and 16 level privilege model. Should be easy enough to copy the Cisco style one for a new rule for the new switch and test it.
I know some people had to revisit their VSA model (vendor specific attributes) when introducing CW7.
It might be a red herring but worth checking out.
Ta
Ian
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
08-23-2016 06:39 AM
Re: RADIUS authentication HP1920-16G
Did you succeed? I have the exact same problem with a new 1920-8G. The old attributes configured in Freeradius don't seem to work on this one.
08-23-2016 09:22 AM
Re: RADIUS authentication HP1920-16G
Hi Ian,
I figured it might be in the VSAs but what I don't get is that FW between 1910 and 1920 seems to be identical CW5. We are finishing deployment of 1920s this week and I have requested 1 to be sent up to our test lab. I will be able to work on that next week and will drop you an update when I have one.
Regards,
Martin
08-23-2016 09:23 AM
Re: RADIUS authentication HP1920-16G
Not yet. I will be able to work more on this problem next week. If I do I will post how we did it.
M
08-23-2016 11:35 AM - edited 08-23-2016 11:36 AM
Re: RADIUS authentication HP1920-16G
We usually use the following with 1920:
Hw_Exec_Privilege = H3C-Administrator, 3Com-User-Access-Level = 3Com-Manager, Service-Type = NAS-Prompt-User, HP-Privilege-Level = "3"
Does this work for you?
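
Added example (not from any poster in this thread): a small Python decoder that lists the Vendor-Specific attributes in a captured RADIUS Access-Accept, so the reply NPS or FreeRADIUS sends to a 1910 can be compared with the one sent to a 1920. The sample packet, its zeroed authenticator and the sub-attribute numbers are constructed; take the real sub-attribute numbers from your server's vendor dictionary.

```python
import struct

# IANA Private Enterprise Numbers for the vendors named in the thread.
VENDORS = {11: "HP", 43: "3Com", 2011: "Huawei", 25506: "H3C"}

def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute (type 26, RFC 2865 section 5.26)."""
    sub = bytes([vendor_type, 2 + len(value)]) + value
    return bytes([26, 6 + len(sub)]) + struct.pack("!I", vendor_id) + sub

def parse_vsas(packet):
    """Return (code, [(vendor, vendor_type, value_bytes), ...]) for one packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated attribute")
        body = packet[pos + 2:pos + alen]
        if atype == 26 and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            sub = body[4:]
            # A VSA may carry several vendor sub-attributes back to back.
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                name = VENDORS.get(vendor_id, str(vendor_id))
                found.append((name, sub[0], sub[2:sub[1]]))
                sub = sub[sub[1]:]
        pos += alen
    return code, found

# Constructed Access-Accept (code 2): Service-Type = NAS-Prompt-User (7)
# plus one HP and one 3Com VSA, each with placeholder sub-type 1, value 3.
_attrs = (bytes([6, 6]) + struct.pack("!I", 7)
          + build_vsa(11, 1, struct.pack("!I", 3))
          + build_vsa(43, 1, struct.pack("!I", 3)))
SAMPLE = struct.pack("!BBH", 2, 1, 20 + len(_attrs)) + bytes(16) + _attrs

if __name__ == "__main__":
    code, vsas = parse_vsas(SAMPLE)
    print("code", code)
    for vendor, vtype, value in vsas:
        print(vendor, vtype, value.hex())
```

Feed it the UDP payload of the Access-Accept taken from a packet capture on the RADIUS server; a vendor or sub-attribute the 1920 expects but that is missing from the list is the first thing to check.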