5920: RADIUS attributes for SSH login on HP 5920AF

tveng · ‎11-04-2012

We are using a HP 5920AF Comware 7.10 r2108p03
We would like to have administrators log into the switch using ssh2 and radius authentication
We are using a Microsift IAS radius (2003)

We are able to login to the switch but apparently the exec_priviliged are wrong as we only have a limited commands set available allthough we have configured the user-role as network admin

user-interface vty 0 15
authentication-mode scheme
user-role network-admin
protocol inbound ssh

When using a locally configured user (non-radius) the user get the correct privilige (network admin)
So i guess that the HW-Exec privilege are wrong - possible the vendor ID which a havent been able to find

Any ideas ??

Decoded reply packet successfully.
*Nov 5 00:39:21:244 2012 HP RADIUS/7/PACKET:
    Hw-Exec-Privilege=3
    Framed-Protocol=PPP
    Login-Service=50
    Service-Type=Administrative-User
    class="0x2f26051f0000013700010a0c011001cd83175317db320000000001849dbd"
*Nov 5 00:39:21:245 2012 HP RADIUS/7/PACKET:
02 ec 00 52 67 14 18 6c 57 f9 46 79 c7 02 65 d7
80 67 95 e0 1a 0c 00 00 07 db 1d 06 00 00 00 03
07 06 00 00 00 01 0f 06 00 00 00 32 06 06 00 00
00 06 19 20 2f 26 05 1f 00 00 01 37 00 01 0a 0c
01 10 01 cd 83 17 53 17 db 32 00 00 00 00 01 84
9d bd

Jeff Carrell · ‎11-04-2012

Yes, this is a not-very-well documented configuration.

The info I have worked for Comware version 5.20, I do not have Comware 7, but at least you could try this.

You need to configure a VSA in IAS and you must modify the IAS dnary.mdb file for ssh support.

See the attachment for the info, specifically pages 22-25. That config worked for me for Comware 5.

hth...Jeff

tveng · ‎11-04-2012

Thank's for the document - it's best best i ever seen...

Unfortunately it dosnt solve our problem :(

We managed to have administrative radius authenentication for 5500 switches both 3Com and H3C, but apparently it's not quite the same for 5920 (comware 7)

br

Torben

Jeff Carrell · ‎11-04-2012

Well, I did have to make a change when I used W2K8-R2_NPS and latest Comware 5.20 on an H3C S5500EI.

Attached is a scrn shot of what I did to make it work, instead of the older VSA config as in the doc.

hth...Jeff

Paul.Kraus · ‎02-08-2013

Hi Torben,

Have you been able to resolve this problem? I am also trying to implement Radius authentication for both Comware 5 and Comware 7 switches. The Comware 7 switches now use "roles" instead of "levels". The "Fundimentals Guide" for the 5900 just tells you to look in the documentation of the Radius server. But for HWTACACS it does say that the roles are specified as a list ....

"For remote AAA authentication users, user roles are configured on the remote authentication server. For

information about configuring user roles for RADIUS users, see the RADIUS server documentation. For

HWTACACS users, the role configuration must use the roles="role-1 role-2 … role-n" format, where user roles are space separated. For example, configure roles="level-0 level-1 level-2" to assign level-0, level-1, and level-2 to an HWTACACS user "

I assume there must be a similar RADIUS attribute that can be used to specify the Comware 7 roles assigned to a user.

Thanks to anyone who can provide some insight on how to configure user roles on RADIUS.

Paul

tveng · ‎02-18-2013

Hi Paul
No, i havent been able to solve the problem yet.
HP has just released firmaware version 2207 - with a lot of radius commands
But sofar i havent had any success

Torben

3comold · ‎02-18-2013

it's a little different and btw well documented by HP: http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c03189486/c03189486.pdf

Paul.Kraus · ‎02-19-2013

I have been looking at the Fundamentals Configuration guide, but if you can tell me on which page it specifies the Radius attribute and format to be returned to specify the RBAC "user role", I would be grateful!

I got an answer from HP L3 support stating that I should just use the same HP vendor specifc attribute for Exec-Privilege (29), but give it the values 0-15 corresponding to the user roles level-0 through level-15. And, looking through the Fundamentals Configuration guide again, I found these notes on page 44:

"NOTE:

•

To be compatible with privilege-based access control, the device automatically converts privilege-based

user levels (0 to 15) assigned by an AAA server to RBAC user roles (level-0 to level-15).

•

If the AAA server assigns a privilege-based user level and a user role to a user, the user can use the

collection of commands and resources accessible to both the user level and the user role. "

The first note would confirm the answer that I received from HP L3 support. However, in a mixed Comware5/Comware7 environment, I now have to figure out how to send the old 0-3 Exec-Privilege values to the Comware5 devices and the new 0-15 Exec-Privilege values to the Comware7 devices. May just have to do this based on NAS IP address.

However, the second note confirms that there is some other Radius attribute that can be returned to specify a "user role". The HP Radius attribute 29 is the "privilege-based user role", so what attribute is used to specify a "user role"?

Paul

Paul.Kraus · ‎02-20-2013

Sorry, it was actually there in the Configuration guide under the example for RBAC with Radius on page 51.

The user roles are specified by using the Cisco-AVPair attribute. We tested this with a MS NPS server, setting the Cisco-AVPair attribute equal to "shell:roles=network-admin". The Comware7 switch accepts this and gives the user access to the commands defined for the network-admin role.

Paul

Paul.Kraus · ‎02-20-2013

An update on this solution....

We tested the following combinations using an MS NPS as the Radius server.

Radius returns the Huawei attribute 29 for Exec-Privilege set to "1": The Comware7 switch gives access to the commands preconfigured for user role level-1. This also works for a Comware5 switch as Userlevel 1 on Comware5 and user role "level-1" on Comware7 have pretty much the same command set.

Radius returns the Huawei attribute 29 for Exec-Privilege set to "15": The Comware7 switch gives access to the commands preconfigured for user role level-15. This does not work with a Comware5 switch, which denies access.

Radius returns the Huawei attribute 29 for Exec-Privilege set to "1" and also returns the Cisco-AVPair attribute set to "shell:roles=network-operator": The Comware7 switch gives the command set assigned to the role "newtork-operator". The Comware5 swtich sets the Userlevel to "1".

Radius returns the Huawei attribute 29 for Exec-Privilege set to "3" and also returns the Cisco-AVPair attribute set to "shell:roles=network-admin": The Comware7 switch gives the command set assigned to the role "newtork-admin". The Comware5 switch sets the Userlevel to "3".

Unfortunately, we could not find any way to display the actual "user role" of an authenticated user on the Comware7 swtich. Neither the "display users" nor the "display user-interface" commands give any information about the assigned user role. So we had to base the results on the command set available to the user after authenticated. (On Comware5, the "display users" command does show the Userlevel that is assigned to a connected user.)

Hope this is of help to others :-)

Paul

3comold · ‎03-25-2013

Thanks Paul!
It will also be possible to add a condition to the network policy that can match the comWare 5 devices using their IP addresses ( if you have for example all comWare 5 device in 1 to 100 of their subnet, then it will be simple); or even creating connection requestes that will match each NAS IPv4 Address of the comWare 5 and another the comWare 7 devices. However, you can also (simpler) duplicate the current policy and changes accordingly the condition: when the NAS IPv4 Address is xx.xx.xx.01 to xx.xx.xx.50 in one policy and in the other policy if NAS IPv4 Address is xx.xx.xx.51 to xx.xx.xx.100.
For each policy you NPS returns the attribute that corresponds to the version of comWare.

IF you have time and you are interested going into this way you can test. Anyway having both privilege levels returned does not harm, but it is not clean.

Thank you again, and
Kind regards

Peter_Debruyne · ‎03-26-2013

Hi,

Great replies, this will help a lot of people !

I do not have a 5900 to test, but if anyone can post a radius packet trace of the login request, I could see if there are any differences in the radius access-request packet compared to the comware 5 devices.

This would allow an additional condition to be configured on the radius server...

thanks,Peter

3comold · ‎03-27-2013

Thanks Peter!

The condition contraints using the NAS IP address is a character string attribute and when setting this condition in NPS (or IAS) we can use pattern matching syntax to specify IP networks.
The syntax is defined from here http://technet.microsoft.com/en-us/library/cc737419(v=ws.10).aspx

As to the user role that can be returned:

First you have to approach the “FEATURE GROUP”. The feature group will allow binding access to permission commands to an enabled feature set of the command. However, if you do not use this “FEATURE GROUP” it will also work, since there are predefined “FEATURE GROUPS”. Look at the document from HP from here http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c03189486/c03189486.pdf. In addition to these predefined “FEATURE GROUPS” you can also create your own.
Then you have to approach the “USER ROLE”. The user role is a kind of “policy/ACL” that will define what the user can do from the command prompt (CLI). There is also a predefined user role; however it is per default disable. It can be enabled to allow access for any user authenticated from AAA WHO is not bound to any user role.
See also in the HP document: http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c03189486/c03189486.pdf

So, after you have configured the user role (you do not have to, if you want to use a predefined user role that will be set using the returned attribute), then you configure in radius the cisco av pair with this user role to be returned to the NAS.

For example, let’s suppose that you create a user role called “rolex” - that is not the famous watch  -and that you created a feature group to which you wish binding this user; you want then the commands this user executes, after he/she has passed the RADIUS authentication to be limited to his/her feature group and user role AND you want also that his/her user role is correctly returned as an attribute:

So, then first you create the feature group; let’s named “feature-groupx”.
role feature-group name feature-groupx
.
.
.

Then you configure the set of feature for this group. When you have finished, then you configure the user role (“rolex” in our example):

role name rolex
rule x permit read write feature-group feature-groupx
.
.
.

When you have finished configuring the policy for this user role “rolex”, you then configure the following cisco av pair to be returned by RADIUS to the NAS after successful authentication of a RADIUS user:

shell:roles=rolex

Thanks again, and,

Kind regards

HPRamin · ‎12-15-2016

Hello Jeff, great finding Jeff about the VSA. I added this attribute into my NPS and it resolved my authenticated user privilege.

Thanks again

Marcusz97 · ‎06-08-2018

Hi,

I've configured correctly the policy for Comware 7 , and either Comware 5, and I can autenticate to the appliance.

Now I'm trying to authenticate with different protocol (SSH, telnet, cli ) with Comware 7 there aren't problem, basically if the attribute "Login-service" is missed I can autenticate with every protocol. But with Comware 5 I need to specify the "Login-service" in order to login, so if I specify telnet, I can't autenticate with SSH. I use Microsoft NPS (Win 2012) , and I can't have more policy with different login service neither all login service in the same policy.

So I ask if it's possible to autenticate without specify the "login-service" attribute on Comware 5, maybe specify to the appliance to ignore it.

Thank you,

Marco

paag · ‎02-08-2019

So, did you end up getting an answer? I am stuck with the same situation with my Comware 5 switches.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

5920: RADIUS attributes for SSH login on HP 5920AF

5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF - Packet trace ?

Re: 5920: RADIUS attributes for SSH login on HP 5920AF - Packet trace ?

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF

Re: 5920: RADIUS attributes for SSH login on HP 5920AF