
HP Comware 5 RADIUS Authentication will not allow level 3

 
gunnermike
New Member


I am attempting to configure RADIUS authentication for some HP 5500 switches running 5.20. I am able to get the switch to allow login, but when I type "sys" I get "unrecognized command". Super asks for a password, when I enter that password it tells me the privilege level for the user is 3 and goes back to the > prompt.

Switch settings

domain system
authentication login radius-scheme RadiusServer local
authorization login radius-scheme RadiusServer local
accounting login none


radius scheme nps
primary authentication 10.1.4.10
primary accounting 10.1.4.10
key authentication sanadmin
key accounting sanadmin
user-name-format without-domain

domain system
authentication login radius-scheme nps local
authorization login radius-scheme nps local
accounting login radius-scheme nps local

Server settings I have tried are Vendor specific for Cisco AV pair with a value of shell:roles=network-admin

I have also tried setting a custom attribute of:

Window Vendor-Specific Attribute Information
Enter Vendor code: 2011

Window Configure VSA (RFC Compliant)
Vendor-assigned attribute number: 29
Attribute format: Decimal
Attribute value: 3

What can I do to get logged in as level 3?

Ivan_B
HPE Pro


Hello!

 

Here is a FreeRADIUS 'users' file config part that should help you to get a better understanding which attributes should be used:

netadmin Cleartext-Password := "netadmin"
    Service-Type = Administrative-User,
    # RADIUS Attribute for original H3C/Comware
    Huawei-Exec-Privilege = "3",
    # Login-Service 50 is for SSH
    Login-Service = 50,
 
Also, I attached a screenshot from Wireshark with an example of these attributes, so you can see all details around these AVPs:
 
Radius-CW5.png
 
Hope it helps!
 
I am an HPE employee

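A way to run the same check the Wireshark capture is used for, as an added example that is not part of the original posts: it parses a raw RADIUS Access-Accept and reports Service-Type, Login-Service and the privilege VSA. It assumes that vendor code 2011 with attribute number 29 (from the question) is the encoding of Huawei-Exec-Privilege as a 4-byte integer; the sample packets are constructed and the function names are this example's own.

```python
import struct

VENDOR_ID, EXEC_PRIVILEGE = 2011, 29                      # numbers from the thread
SERVICE_TYPE, LOGIN_SERVICE, VENDOR_SPECIFIC = 6, 15, 26  # RFC 2865 attribute types
ACCESS_ACCEPT, ADMINISTRATIVE = 2, 6                      # RFC 2865 code and value

def tlvs(data):
    """Split a run of type/length/value attributes; length includes the 2-byte header."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]

def as_int(value):
    """RADIUS integers are exactly 4 bytes, big-endian; anything else yields None."""
    return struct.unpack("!I", value)[0] if len(value) == 4 else None

def summarise(packet):
    """Report the authorization attributes of a raw RADIUS reply."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("truncated packet or bad length field")
    out = {"accept": packet[0] == ACCESS_ACCEPT, "service_type": None,
           "login_service": None, "privilege": None}
    for a_type, value in tlvs(packet[20:length]):
        if a_type == SERVICE_TYPE:
            out["service_type"] = as_int(value)
        elif a_type == LOGIN_SERVICE:
            out["login_service"] = as_int(value)
        elif a_type == VENDOR_SPECIFIC and as_int(value[:4]) == VENDOR_ID:
            for v_type, v_value in tlvs(value[4:]):   # sub-attributes after the vendor id
                if v_type == EXEC_PRIVILEGE:
                    out["privilege"] = as_int(v_value)
    return out

def attr(a_type, value):
    return bytes([a_type, len(value) + 2]) + value

def sample_accept(vsa_value):
    """Constructed Access-Accept (zeroed authenticator) carrying one VSA."""
    body = (attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE))
            + attr(LOGIN_SERVICE, struct.pack("!I", 50)) + attr(VENDOR_SPECIFIC, vsa_value))
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: the 2011/29 integer VSA, and a Cisco AV pair (vendor 9, type 1).
GOOD = sample_accept(struct.pack("!I", VENDOR_ID) + attr(EXEC_PRIVILEGE, struct.pack("!I", 3)))
CISCO = sample_accept(struct.pack("!I", 9) + attr(1, b"shell:roles=network-admin"))
```

`summarise(GOOD)` reports privilege 3, while `summarise(CISCO)` reports no privilege because the reply carries no 2011/29 attribute; a 2011/29 value sent as a string rather than a 4-byte integer is also reported as missing.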

Ivan_B
HPE Pro


Regarding your question "Super asks for a password, when I enter that password it tells me the privilege level for the user is 3 and goes back to the > prompt.": unlike other vendors, where the '>' prompt is a sign of limited access and '#' is the so-called 'privilege exec mode', Comware has a totally different ideology where you have two modes: user-view and system-view. User-view is for certain commands like 'display', 'reset...' etc. and in general is for observation only. System-view is for configuration. Logging in with the user name whose privilege level is '3' does not bring you to the 'system-view' directly.

 

I am an HPE employee
