Hi!
Is 10.60.82.6 the correct NTP server the switch uses for clock synchronization?
Ok, so then 'GPSs' means that 10.60.82.6 server syncs its clock with a server who uses clock signal originated by GPS. Normally GPS clocks has stratum 0, 10.60.82.6 has stratum 2, so it means there is another intermediary server with stratum 1 between original GPS receiver and 10.60.82.6. So far NTP clock looks perfectly fine and at this time nothing points to it as a root cause for those disconnections.
Several clarification questions:
- Regarding those disconnections and 5510 working with ISE - did it work before with the same ISE using the same configuration on 5510? Or the disconnection issue is something that was there since the very beginning of deployment phase?
- If it was working fine before, did you change anything in the ISE or 5510?
- When you say it kicks you out a couple of seconds after loggin into the switch, what type of connection is it? SSH, Telnet? Do you see any error message in the terminal program on disconnection? Could you provide a copy of terminal output from such unsuccessful session in order to see at what step 5510 disconnects you?
- Could you post a sanitized "current-configuration" from the switch? You can remove any sensitive information as global IP addresses, usernames, passwords, SNMP community strings etc. If we troubleshoot management login like SSH or Telnet, you can delete physical ports details from the "current-configuration" to make it shorter as I am not sure how long messages HPE Community supports. Here is what I would like to check in your config - domain, radius or tacacs scheme, VTY configuration.
- Since ISE must be using either RADIUS or TACACS+ for AAA, what attributes does it send on successful authentication in its Access-Accept messages, for example (if it uses RADIUS)? Incorrect authorization attributes pushed to Comware device may lead to issues similar to what you are experiencing - login accepted by the RADIUS server, it sends Access-Accept to the switch with incorrect attributes, but since the switch does not know how to interpret authorization level using incorrect attributes, it just disconnects the user no matter that access was actually granted by the server. Please, check that attributes and let me know what are they.
Thank you!
The configuration seems fine except these lines:
#
line vty 0 4
authentication-mode scheme
user-role level-3
user-role network-admin
user-role network-operator
set authentication password hash $h$6$qObIGj8/oB8hKqRy$0AinxLJuEMc1jMS8ajdPOo6Sd29ZJcA2FttReQikCRDEL0JBjF8/WUOjgTQx7i+xoVolnN6OxljwtwZYItZldA==
idle-timeout 120 0
#
You don't need those lines in red if you will use TACACS. Please, delete them.
Another point from my previous message that is still not clarified - what attributes ISE sends to the 5510 on successful user authentication?
It needs to send the following one:
roles="network-admin"
Please, check that.
Another point - when you try to log in, do you see the switch's prompt at least for a second before disconnection?
Unfortunately, I do not know if ISE is blocking this version of the switch. In your first message you mentioned that ISE logs show no problem and access was allowed. I guess if ISE decides to block something, it will mention it in its logs...
If ISE shows no errors, I am still thinking that the issue might be in the authorization. Let's try one command before proceeding further:
system-view
role default-role enable
Try to set that command and log in to the switch again.
You say that the you send the net-admin role, but could you double-check the attributes ISE sends, they should be 1:1 , no creativity here is allowed : - )
priv-lvl=15
roles="network-admin"
If you know the TACACS encryption key that server and switch share to encrypt messages, you can capture the traffic between ISE and switch, then using Wireshark and set that key for the TACACS protocol in order decrypt those messages. Thus you will see what actually ISE is sending to the switch, all attributes and their format.
That key is the one you have entered in this line:
primary authentication 10.60.82.211 key cipher $c$3$zkNcskv+RWaPZ70WmTpNAJKPogsZf3BHEODyBFQE3Og=
Let me repeat my question on the way switch disconnects you after the login - do you see switch' prompt at least for a while after entering the password or it breaks the connection right after the password and there is no any output after it?