RADIUS authentication HP1920-16G

 
martini5468
Visitor

I currently have quite a few HP1910 (8G and 16G) and HP 5120 which use RADIUS for SSH logins. The NPS server is 2012R2. The RADIUS authentication works and assigns the correct privilege level.

Recently I got some HP1920 (8G and 16G). However those fail RADIUS authentication with the same settings that work on the 1910. On the 2012R2 server side I can see the user is granted full access successfully however the switch just logs:

SHELL/5/SHELL_LOGINFAIL: SSH user martin failed to log in from 192.168.205.55 on VTY0..
SC/5/SC_AAA_FAILURE: -AAAType=AUTHEN-AAAScheme= radius-scheme system-Service=login-UserName=martin@example; AAA is failed. Common.
SC/6/SC_AAA_LAUNCH: -AAAType=AUTHEN-AAAScheme= radius-scheme system-Service=login-UserName=martin@example; AAA launched.

The relevant switch config from HP1920 (which is the exact same on 1910 switches) is:

radius scheme system
server-type extended
primary authentication 1.1.1.1
key authentication XXXXXXXXXXXXXXXXXXXXXXX
user-name-format without-domain
#
domain example
authentication default radius-scheme system
authorization default radius-scheme system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
domain default enable example

 

The only notable difference is that 1910 switches run Comware Software, Version 5.20, Release 1513P99

And the 1920 ones are on Comware Software, Version 5.20.99, Release 1112

However I doubt that is the issue.

Thanks,

Martin

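As an added example (not part of the original post), a small Python parser for the Comware 5 log lines quoted above. It splits the `SC_AAA_*` records into scheme, service, user and realm, and pairs each `SHELL_LOGINFAIL` with the `SC_AAA_FAILURE` for the same user, so the switch-side failures can be lined up against the NPS event log. The sample log text is constructed from the lines in the post.

```python
import re
from typing import Optional

# Constructed sample: the three Comware 5 log lines quoted in the post above.
SAMPLE_LOG = """\
SHELL/5/SHELL_LOGINFAIL: SSH user martin failed to log in from 192.168.205.55 on VTY0..
SC/5/SC_AAA_FAILURE: -AAAType=AUTHEN-AAAScheme= radius-scheme system-Service=login-UserName=martin@example; AAA is failed. Common.
SC/6/SC_AAA_LAUNCH: -AAAType=AUTHEN-AAAScheme= radius-scheme system-Service=login-UserName=martin@example; AAA launched.
"""

# SC/<sev>/SC_AAA_<what>: -AAAType=..-AAAScheme= <scheme>-Service=<svc>-UserName=<user>; <result>
AAA_RE = re.compile(
    r"^SC/(?P<sev>\d)/(?P<event>SC_AAA_\w+): -AAAType=(?P<aaa_type>\w+)"
    r"-AAAScheme=\s*(?P<scheme>.+?)-Service=(?P<service>\w+)"
    r"-UserName=(?P<user>[^;]+); (?P<result>.+)$"
)
# SHELL/<sev>/SHELL_LOGINFAIL: <proto> user <user> failed to log in from <ip> on <line>
LOGINFAIL_RE = re.compile(
    r"^SHELL/(?P<sev>\d)/(?P<event>SHELL_LOGINFAIL): (?P<proto>\w+) user (?P<user>\S+) "
    r"failed to log in from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) on (?P<line>VTY\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Turn one Comware log line into a dict, or None if it is not an AAA/login record."""
    m = AAA_RE.match(line) or LOGINFAIL_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The switch logs the name as user@domain; split so it can be matched
    # against the NPS account name, which sees the name after user-name-format.
    rec["user"], _, realm = rec["user"].partition("@")
    rec["realm"] = realm or None
    rec["scheme"] = rec.get("scheme", "").strip() or None
    rec["failed"] = rec["event"] == "SHELL_LOGINFAIL" or "failed" in rec.get("result", "")
    return rec


def parse_log(text: str) -> list:
    return [r for r in (parse_line(l.strip()) for l in text.splitlines()) if r]


def correlate_failures(text: str) -> list:
    """Pair each SHELL_LOGINFAIL with the SC_AAA_FAILURE for the same user name."""
    recs = parse_log(text)
    aaa_fail = {r["user"]: r for r in recs if r["event"] == "SC_AAA_FAILURE"}
    return [(r, aaa_fail.get(r["user"])) for r in recs if r["event"] == "SHELL_LOGINFAIL"]
```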
5 REPLIES
Ian Vaughan
Honored Contributor

Re: RADIUS authentication HP1920-16G

Hello,

One thing to check on the 1920 series switches - are these still using the (older H3C / Huawei) 4 levels of privilege (0-3, 3 being admin or manager) or have they shifted over to using the 0-15 (very Cisco like) scheme.

Have a look at this FreeRadius example to see what I mean - it shows both the 4 level and 16 level privilege model. Should be easy enough to copy the Cisco style one for a new rule for the new switch and test it.

I know some people had to revisit their VSA model (vendor specific attributes) when introducing CW7.

It might be a red herring but worth checking out.

Ta

Ian

 

t2d2
Visitor

Re: RADIUS authentication HP1920-16G

Did you succeed? I have the exact same problem with a new 1920-8G. The old attributes configured in Freeradius don't seem to work on this one.

martini5468
Visitor

Re: RADIUS authentication HP1920-16G

Hi Ian,

 

I figured it might be in the VSAs but what I don't get is that FW between 1910 and 1920 seems to be identical CW5. We are finishing deployment of 1920s this week and I have requested 1 to be sent up to our test lab. I will be able to work on that next week and will drop you an update when I have one.

Regards,

Martin

martini5468
Visitor

Re: RADIUS authentication HP1920-16G

Not yet. I will be able to work more on this problem next week. If I do I will post how we did it.

 

M

t2d2
Visitor

Re: RADIUS authentication HP1920-16G

We usually use the following with 1920:

Hw_Exec_Privilege = H3C-Administrator,
3Com-User-Access-Level = 3Com-Manager,
Service-Type = NAS-Prompt-User,
HP-Privilege-Level = "3"

Does this work for you?