
V1910 radius server Level privilege

 
Cornflag
Occasional Visitor

V1910 radius server Level privilege

Authorization while using CS ACS as a RADIUS server does not seem to work with the V1910 switches we are using.

The VSA for determining privilege levels (representing privilege levels 0 through 3) is set on my RADIUS server... I see in the logs that it's passing this attribute back to the switch. However, no matter what I set this value to, I am always at privilege level 0 when I authenticate against the RADIUS server.

 

Does anybody know how to fix it?

6 REPLIES
thedesp
Occasional Visitor

Re: V1910 radius server Level privilege

Hi

 

I have exactly the same problem.

My switch is V1910-24G

 

Here is my simple user file from freeradius

testing         Cleartext-Password := "password"
                3Com-User-Access-Level = 3

 

The user is authenticated successfully. RADIUS sent the "3Com-User-Access-Level = 3" but I am stuck in view-only mode after login.

 

switchman
Member

Re: V1910 radius server Level privilege

Cornflag, thedesp, have you made any progress with this?

 

I seem to be having the same issue.

Using Server 2008 Network Policy Services (AKA IAS)

HP V1910 switch

 

I have it all set up and I can telnet to the switch and log into the web page.

However, with telnet, the only command available is "quit".

When I log into the web page, I get "User level is lower!110"

 

Have tried:
Service-Type=Administrative

Vendor-Specific=010600000003

Vendor-Specific=shell:priv-lvl=15

 

in various combinations.

 

Thanks!

thedesp
Occasional Visitor

Re: V1910 radius server Level privilege

Still no progress on this.

nborisenkov
Occasional Contributor

Re: V1910 radius server Level privilege

Good afternoon.
I have the same problem. What should be sent to the 3Com Baseline Switch 2920-SFP Plus (HP V1910) in the Access-Accept packet to make it grant the necessary privilege level? At the moment it returns:

<ROOT>
  <ErrorMsg>
    User level is lower!
  </ErrorMsg>
  <ErrorId>
    11
  </ErrorId>
  <BackHome>
    0
  </BackHome>
</ROOT>
nborisenkov
Occasional Contributor

Re: V1910 radius server Level privilege

I did it :) I just changed the radius server type from "Standard" to "Extended" and then added "Login-Service = Telnet" to the radius attributes...

 

My current working config:

...

domain default enable system

...

radius scheme system
 server-type extended
 primary authentication 172.30.192.232
 key authentication testing123
 user-name-format without-domain

...

domain testdomain
 authentication default radius-scheme system
 authorization default radius-scheme system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

...
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

And my current lines from freeradius users file to 3Com Baseline Switch 2920-SFP Plus:

steve Cleartext-Password := "testing123"
   3Com-User-Access-Level = 3,
   Service-Type = NAS-Prompt-User,
   Login-Service = Telnet

 

freeradius users lines for HP-v1910

steve Cleartext-Password := "testing123"
   Hw_Exec_Privilege = H3C-Administrator,
   Service-Type = NAS-Prompt-User,
   Login-Service = Telnet

and dictionary.h3c:

VENDOR          H3C     25506

BEGIN-VENDOR    H3C

ATTRIBUTE   H3C-Connect_Id              26   integer
ATTRIBUTE   H3C-NAS-Startup-Timestamp   59   integer
ATTRIBUTE   H3C-Ip-Host-Addr            60   string
ATTRIBUTE   H3C-Product-ID              255  string

ATTRIBUTE   Hw_Exec_Privilege           29   integer

VALUE       Hw_Exec_Privilege           H3C-Visitor         0
VALUE       Hw_Exec_Privilege           H3C-Monitor         1
VALUE       Hw_Exec_Privilege           H3C-Manager         2
VALUE       Hw_Exec_Privilege           H3C-Administrator   3

END-VENDOR      H3C

 

Now log in with username steve@testdomain and you have administrator rights.
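
As an added example (not code from any poster in this thread), the Python below encodes and decodes the Vendor-Specific attribute that the working configuration above sends, so the attribute bytes of an Access-Accept can be checked for the privilege level they actually grant. Vendor ID 25506, attribute 29 and the level names come from the posted dictionary.h3c; the function names and the sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for VSAs (RFC 2865)
H3C_VENDOR_ID = 25506     # VENDOR line of the dictionary.h3c posted above
HW_EXEC_PRIVILEGE = 29    # ATTRIBUTE Hw_Exec_Privilege in that dictionary
LEVELS = {0: "H3C-Visitor", 1: "H3C-Monitor", 2: "H3C-Manager", 3: "H3C-Administrator"}


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a 32-bit integer sub-attribute."""
    sub = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 2 + 4 + len(sub), vendor_id) + sub


def tlvs(data):
    """Split type/length/value records; the length byte covers its 2-byte header."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated header")
        length = data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("length out of range")
        out.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return out


def granted_levels(attributes):
    """Names of the privilege levels granted by H3C Hw_Exec_Privilege VSAs."""
    found = []
    for atype, body in tlvs(attributes):
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != H3C_VENDOR_ID:
            continue  # another vendor's VSA, not the one this dictionary defines
        for vtype, raw in tlvs(body[4:]):
            if vtype == HW_EXEC_PRIVILEGE and len(raw) == 4:
                level = struct.unpack("!I", raw)[0]
                found.append(LEVELS.get(level, f"unknown({level})"))
    return found

# Constructed attribute bytes (not a capture): Service-Type = NAS-Prompt-User (7),
# Login-Service = Telnet (0), then Hw_Exec_Privilege = 3 under vendor 25506.
SAMPLE = bytes.fromhex("0606000000070f0600000000") + encode_vsa(
    H3C_VENDOR_ID, HW_EXEC_PRIVILEGE, 3)

if __name__ == "__main__":
    print(granted_levels(SAMPLE))
```

Passing the earlier `Vendor-Specific=010600000003` value to `tlvs` decodes it as vendor type 1 carrying the integer 3, whereas the H3C entry above sends vendor type 29.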

 

Cornflag
Occasional Visitor

Re: V1910 radius server Level privilege

This config is truly working

 

Thanks for all