06-11-2020 10:03 PM
HP 5940 RBAC based RADIUS login via Windows NPS
Hi people,
I've been trying to connect our new HP switches (FF 5940 48SFP+ 6QSFP28 and 5940 48XGT 6QSFP28), running the latest OS 7.10.R2702, with Windows Server 2016 Standard NPS RADIUS for an AAA scheme with RBAC-based admin login.
I've read a lot (Security Configuration Guide, Security Command Reference, Fundamentals Configuration Guide, Fundamentals Command Reference, https://www.iana.org/assignments/radius-types/radius-types.xhtml, many different articles in this forum and on the Internet) with no success.
I saw in the Windows NPS logs that access is granted, but the switches don't want to authorise, presumably because no role is provided.
I followed https://community.hpe.com/t5/comware-based/5700-flexfabric-radius-configuration/m-p/6885223#M8044, https://abouthpnetworking.com/2014/03/16/comware7-radius-based-rbac-user-role-assignment/, http://www.h3c.com/en/Product_Technology/Operating_System/ComwareV7/System_Management/White_Papers/201808/1102727_294549_0.htm and https://wiki.freeradius.org/vendor/HP-Comware,
but still can't log in.
My config:
line vty 0 63
authentication-mode scheme
user-role network-admin
protocol inbound ssh
#
ssh server enable
#
super authentication-mode scheme local
#
radius scheme nps
primary authentication fg-sso
primary accounting fg-sso
key authentication cipher ....
key accounting cipher ....
user-name-format without-domain
nas-ip interface Vlan-interface30
attribute 15 check-mode loose
#
domain radius
authentication login radius-scheme nps none
authorization login radius-scheme nps local
accounting login radius-scheme nps none
#
domain default enable radius
#
role default-role enable network-operator
I can easily connect using local users of the manager class in the system domain, so SSH works fine.
Windows NPS also works, because all the other switches (HP 1950 48G 2SFP+ 2XGT PoE+) have RADIUS AAA for admin logins.
That policy for the 1950 series doesn't work for the 5940 series. It has only one statement in the Network Policy: Vendor ID 25506, attribute 29, decimal value 15 (exec_level 15 for authenticated users).
I tried to use, according to the Fundamentals Configuration Guide (pages 33-35):
Cisco_AVpair shell:roles="network-admin" and shell:roles=network-admin, also shell:role="network-admin" and shell:role=network-admin
and according to the Security Configuration Guide, Appendix C, RADIUS subattributes (vendor ID 25506):
Vendor ID 25506, attribute 210, string value "network-admin" and network-admin
Vendor ID 25506, attribute 155, string value "network-admin" and network-admin
Vendor ID 25506, attribute 29, decimal value 15
Set Service-Type to Framed (Login, NAS Prompt, Administrative), Framed-Protocol PPP, Login-Service SSH, Terminal (yep, I've modified the NPS dnary.xml to add new values for attribute 15: SSH 50, Console 52).
In different combinations, all fail.
Following the Fundamentals Configuration Guide (page 43, "Login attempts by RADIUS users always fail"):
Symptom
Attempts by a RADIUS user to log in to the network access device always fail, even though the
following conditions exist:
• The network access device and the RADIUS server can communicate with one another.
• All AAA settings are correct.
Analysis
RBAC requires that a login user have a minimum of one user role. If the RADIUS server does not
authorize the login user to use any user role, the user cannot log in to the device.
Solution
To resolve the issue:
1. Use one of the following methods:
Configure the role default-role enable command. A RADIUS user can log in with
the default user role when no user role is assigned by the RADIUS server.
Add the user role authorization attributes on the RADIUS server.
2. If the issue persists, contact Hewlett Packard Enterprise Support.
I cannot chat with HPE support for several days, all operators are always busy; in my country there is no official support representative, and I cannot call long distance.
Please, world, help.
06-11-2020 10:43 PM
Always chat is offline
06-12-2020 08:15 AM
Re: Always chat is offline
Hello Hikmat Zainitdin!
Regarding the support - have you tried to submit a support case? https://support.hpe.com/help/en/Content/productSupport/supportCaseManager.html
To the issue: could you run Wireshark on the NPS server, try to log in to the switch once again while the capture is running, and then check whether NPS really sends an Access-Accept message and whether that message contains the proper attributes? It will help if you post a screenshot of those attributes here, to double-check that NPS is really doing what you have instructed it to do.
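The check proposed in this reply, written out as an added example that is not part of the thread or of any HPE/Comware tool: a small Python decoder for the raw RADIUS Access-Accept bytes captured on the NPS server. It parses the RFC 2865 header and attribute list, pulls out Service-Type (6), Login-Service (15) and the Vendor-Specific (26) sub-attributes for vendor 25506 and for Cisco-AVPair (vendor 9, sub-attribute 1), reports the roles named in a shell:roles= pair, and verifies the Response Authenticator against the shared secret so you know the Accept really came from NPS. The two packets, the shared secret and the Request Authenticator below are constructed for the example; only the attribute numbers, the vendor IDs and the shell:roles syntax come from the standard and from the thread above.

```python
"""Decode a RADIUS Access-Accept and show what a Comware switch gets for RBAC.

Added example, not code from the thread. The packets, secret and request
authenticator are constructed; real bytes come from a capture (see note).
"""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE, ATTR_LOGIN_SERVICE, ATTR_VSA = 6, 15, 26
VENDOR_H3C = 25506            # vendor id used for the Comware sub-attributes in the thread
VENDOR_CISCO = 9              # Cisco-AVPair (sub-attribute 1) carries shell:roles=
H3C_INTEGER_SUBATTRS = {29}   # sub-attribute 29 is the decimal exec level from the thread


def parse_tlvs(data):
    """Yield (type, value) from a RADIUS type-length-value list (RFC 2865 section 5)."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def decode_accept(packet):
    """Parse one RADIUS packet and return the fields that decide a Comware RBAC login."""
    if len(packet) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field %d != packet size %d" % (length, len(packet)))
    out = {"code": code, "identifier": ident, "service_type": None,
           "login_service": None, "h3c": {}, "cisco_avpairs": []}
    for atype, value in parse_tlvs(packet[20:]):
        if atype in (ATTR_SERVICE_TYPE, ATTR_LOGIN_SERVICE):
            if len(value) != 4:
                raise ValueError("integer attribute %d must be 4 bytes" % atype)
            key = "service_type" if atype == ATTR_SERVICE_TYPE else "login_service"
            out[key] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VSA:
            if len(value) < 4:
                raise ValueError("Vendor-Specific shorter than the 4-byte vendor id")
            vendor = struct.unpack("!I", value[:4])[0]
            for sub, sval in parse_tlvs(value[4:]):
                if vendor == VENDOR_H3C:
                    if sub in H3C_INTEGER_SUBATTRS and len(sval) == 4:
                        out["h3c"][sub] = struct.unpack("!I", sval)[0]
                    else:
                        out["h3c"][sub] = sval.decode("ascii", "replace")
                elif vendor == VENDOR_CISCO and sub == 1:
                    out["cisco_avpairs"].append(sval.decode("ascii", "replace"))
    return out


def roles_from_avpairs(decoded):
    """Roles named by Cisco-AVPair shell:roles=..., quotes stripped, space separated."""
    roles = []
    for pair in decoded["cisco_avpairs"]:
        key, _, val = pair.partition("=")
        if key.strip() == "shell:roles":
            roles.extend(val.strip().strip('"').split())
    return roles


def verify_response_authenticator(packet, request_authenticator, secret):
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return expected == packet[4:20]


# Builders used only to construct the sample packets for this example.
def vsa(vendor, sub, value):
    return struct.pack("!I", vendor) + bytes([sub, len(value) + 2]) + value


def build_accept(ident, request_authenticator, secret, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body


REQ_AUTH = bytes(range(16))             # constructed; taken from the Access-Request in a real capture
SECRET = b"constructed-shared-secret"   # constructed

# Accept carrying a role: Service-Type Administrative (6), shell:roles, sub-attribute 29 = 15.
ACCEPT_WITH_ROLE = build_accept(7, REQ_AUTH, SECRET, [
    (ATTR_SERVICE_TYPE, struct.pack("!I", 6)),
    (ATTR_VSA, vsa(VENDOR_CISCO, 1, b'shell:roles="network-admin"')),
    (ATTR_VSA, vsa(VENDOR_H3C, 29, struct.pack("!I", 15))),
])
# Accept with no role attribute at all: the case the quoted guide says always fails.
ACCEPT_NO_ROLE = build_accept(8, REQ_AUTH, SECRET, [
    (ATTR_SERVICE_TYPE, struct.pack("!I", 6)),
])

if __name__ == "__main__":
    for pkt in (ACCEPT_WITH_ROLE, ACCEPT_NO_ROLE):
        d = decode_accept(pkt)
        print("id=%d authentic=%s service_type=%s h3c=%s roles=%s" % (
            d["identifier"], verify_response_authenticator(pkt, REQ_AUTH, SECRET),
            d["service_type"], d["h3c"], roles_from_avpairs(d)))
```

To use it on a real capture, select the RADIUS layer of the Access-Accept in Wireshark, copy it as a hex stream, and pass `bytes.fromhex(...)` to `decode_accept()`; the Request Authenticator for `verify_response_authenticator()` is the 16-byte authenticator of the matching Access-Request (same Identifier). An Accept that decodes with an empty `h3c` map and no roles is exactly the "access granted in NPS, no role on the switch" situation described in the original post.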