Web and Unmanaged
Showing results for 
Search instead for 
Did you mean: 

RADIUS authentication HP1920-16G


RADIUS authentication HP1920-16G

I currently have quite a few HP1910 (8G and 16G) and HP 5120 which use RADIUS for SSH logins. The NPS server is 2012R2. The RADIUS authentication works and assigns the correct privilege level.

Recently I got some HP1920 (8G and 16G). However those fail RADIUS authentication with the same settings that work on the 1910. On the 2012R2 server side I can see the user is granted full access successfully however the switch just logs:

SHELL/5/SHELL_LOGINFAIL: SSH user martin failed to log in from on VTY0..
SC/5/SC_AAA_FAILURE: -AAAType=AUTHEN-AAAScheme= radius-scheme system-Service=login-UserName=martin@example; AAA is failed. Common.
SC/6/SC_AAA_LAUNCH: -AAAType=AUTHEN-AAAScheme= radius-scheme system-Service=login-UserName=martin@example; AAA launched.

The relevant switch config from HP1920 (which is the exat same on 1910 switches) is:

radius scheme system
server-type extended
primary authentication
user-name-format without-domain
domain example
authentication default radius-scheme system
authorization default radius-scheme system
access-limit disable
state active
idle-cut disable
self-service-url disable
domain default enable example


The only notable difference is that 1910 switches run Comware Software, Version 5.20, Release 1513P99

And the 1920 ones are on Comware Software, Version 5.20.99, Release 1112

However I doubt that is the issue.



Ian Vaughan
Honored Contributor

Re: RADIUS authentication HP1920-16G


One thing to check on the 1920 series switches - are these still using the (older H3C / Huawei) 4 levels of privilege (0-3, 3 being admin or manager) or have they shifted over to using the 0-15 (very Cisco like) scheme.

Have a look at this FreeRadius example to see what I mean - it shows both the 4 level and 16 level privilege model. Should be easy enough to copy teh Cisco style one for a new rule for the new switch and test it.

I know some people had to revist their VSA model (vendor specific attributes) when intrioducing CW7.

It might be a red herring but worth checking out.




Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Tweets: @2techie4me

Re: RADIUS authentication HP1920-16G

Did you succeed? I have the exact same problem with a new 1920-8G. The old attributes configured in Freeradius don't seem to work on this one.


Re: RADIUS authentication HP1920-16G

Hi Ian,


I figured it might be in the VSA's but what I don't get is that FW between 1910 and 1920 seems to be identical CW5.. We are finishing deployment of 1920's this week and I have requested 1 to be sent up to our test lab. I will be able to work on that next week and will drop you an update when I have one.




Re: RADIUS authentication HP1920-16G

Not yet. I will be able to work more on this problem next week. If I do I will post how we did it.




Re: RADIUS authentication HP1920-16G

We usally use the following with 1920:

Hw_Exec_Privilege = H3C-Administrator,
3Com-User-Access-Level = 3Com-Manager,
Service-Type = NAS-Prompt-User,
HP-Privilege-Level = "3"

Does this work for you?