10-08-2015 12:04 AM
Problem with Radius authentication with 5900 switch
Hi
I have 5900 switch running 7.1.045, Release 2311P05
I have implemented the below config for radius authentication:
radius scheme infra.mms
primary authentication 1.1.1.1 key simple xxxxxxxx
user-name-format keep-original
quit
domain infra.mms
authentication login radius-scheme infra.mms local
authorization login radius-scheme infra.mms local
accounting login radius-scheme infra.mms local
authentication default radius-scheme infra.mms local
quit
domain default enable infra.mms
user-interface vty 0 15
authentication-mode scheme
user-role network-admin
user-role network-operator
quit
Although the user is authenticated successfully, the switch is disconnecting the SSH connection.
I have the same configuration on another switch with an older version, Version 7.1.023, Release 2108P02, which works without a problem.
Can someone help figure out the problem?
Below is the debug output from the switch:
*Sep 7 06:13:40:438 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Get authentication methods: password
*Sep 7 06:13:40:438 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[51].
*Sep 7 06:13:40:695 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 93.
*Sep 7 06:13:52:194 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 50.
*Sep 7 06:13:52:194 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Received SSH2_MSG_USERAUTH_REQUEST.
*Sep 7 06:13:52:194 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Username: user@infra.mms, service: ssh-connection, method: password
*Sep 7 06:13:52:194 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Try authentication method password.
*Sep 7 06:13:52:194 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Password authentication and authorization.
*Sep 7 06:13:52:196 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Processing RADIUS authentication.
*Sep 7 06:13:52:197 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Sent authentication request successfully.
*Sep 7 06:13:52:197 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Processing AAA request data.
*Sep 7 06:13:52:197 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Got request data successfully, primitive: authentication.
*Sep 7 06:13:52:197 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Getting RADIUS server info.
*Sep 7 06:13:52:197 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Got RADIUS server info successfully.
*Sep 7 06:13:52:198 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Created request context successfully.
*Sep 7 06:13:52:198 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Created request packet successfully, dstIP: 15.224.192.139, dstPort: 1812, VPN instance: --(public), socketFd: 22, pktID: 249.
*Sep 7 06:13:52:198 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Added packet socketfd to epoll successfully, socketFd: 22.
*Sep 7 06:13:52:291 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Mapped PAM item to RADIUS attribute successfully.
*Sep 7 06:13:52:291 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Got RADIUS username format successfully, format: 0.
*Sep 7 06:13:52:291 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Added attribute user-name successfully, user-name: user@infra.mms.
*Sep 7 06:13:52:291 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Filled RADIUS attributes in packet successfully.
*Sep 7 06:13:52:291 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Composed request packet successfully.
*Sep 7 06:13:52:291 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Created response timeout timer successfully.
*Sep 7 06:13:52:292 2015 CA-KAM-DC-R1.4-01 RADIUS/7/PACKET:
User-Name=user@infra.mms
User-Password=******
Service-Type=Login-User
Framed-IP-Address=5.5.5.5
NAS-IP-Address=3.3.3.3
*Sep 7 06:13:52:292 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Sent request packet successfully.
*Sep 7 06:13:52:293 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Sent request packet and create request context successfully.
*Sep 7 06:13:52:294 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Added request context to global table successfully.
*Sep 7 06:13:52:747 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 93.
*Sep 7 06:13:54:396 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Reply SocketFd received EPOLLIN event.
*Sep 7 06:13:54:396 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Received reply packet succuessfully.
*Sep 7 06:13:54:396 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Found request context, dstIP: 15.224.192.139, dstPort: 1812, VPN instance: --(public), socketFd: 22, pktID: 249.
*Sep 7 06:13:54:397 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
The reply packet is valid.
*Sep 7 06:13:54:397 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Decoded reply packet successfully.
*Sep 7 06:13:54:397 2015 CA-KAM-DC-R1.4-01 RADIUS/7/PACKET:
Class=0x53425232434c93c4f89daab1bd84ef8011803a0180038198ce8002801d81b6daacb6c385caec979c8df6e395ecefbcd08d96f399e4e1979badd79812800e8193c4f89daab1bd84ef808087c0bc
Cisco-AVPair=shell:roles=network-admin
Service-Type=NAS-Prompt-User
*Sep 7 06:13:54:398 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Sent reply message successfully.
*Sep 7 06:13:54:398 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Sep 7 06:13:54:399 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Received authentication reply message, resultCode: 0
*Sep 7 06:13:54:405 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Processing RADIUS authorization.
*Sep 7 06:13:54:406 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: RADIUS Authorization successfully.
*Sep 7 06:13:54:406 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: Get work directory flash:.
*Sep 7 06:13:54:406 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: Get role list network-admin.
*Sep 7 06:13:54:406 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: password authentication accepted for user@infra.mms.
*Sep 7 06:13:54:406 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: accounting.
*Sep 7 06:13:54:412 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: account management : 0 (success)
%Sep 7 06:13:54:412 2015 CA-KAM-DC-R1.4-01 SSHS/6/SSHS_LOG: Accepted password for user@infra.mms from 5.5.5.5 port 41606 ssh2.
*Sep 7 06:13:54:412 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[52].
*Sep 7 06:13:54:413 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Entering interactive session for SSH2.
*Sep 7 06:13:54:414 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Initiate server message dispatch, compatibility:1/0
*Sep 7 06:13:54:631 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 90.
*Sep 7 06:13:54:632 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Received SSH2_MSG_CHANNEL_OPEN: ctype session, rchan 0, win 16384, max 8192
*Sep 7 06:13:54:632 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Received session request.
*Sep 7 06:13:54:632 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: new [server-session]
*Sep 7 06:13:54:632 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Session id 0 unused.
*Sep 7 06:13:54:632 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Session opened: session 0, link with channel 0
*Sep 7 06:13:54:632 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[91].
*Sep 7 06:13:54:846 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 98.
*Sep 7 06:13:54:847 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Received SSH2_MSG_CHANNEL_REQUEST: channel 0, request pty-req, reply 1
*Sep 7 06:13:54:847 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel request: user user@infra.mms, service type 1
*Sep 7 06:13:54:859 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Open pty: pseudo-terminal-master(25), pseudo-terminal-sub(24)
*Sep 7 06:13:54:860 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[99].
*Sep 7 06:13:55:074 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 98.
*Sep 7 06:13:55:074 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Received SSH2_MSG_CHANNEL_REQUEST: channel 0, request shell, reply 1
*Sep 7 06:13:55:074 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel request: user user@infra.mms, service type 1
*Sep 7 06:13:55:077 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: read_fd 27 is a TTY.
*Sep 7 06:13:55:077 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[93].
*Sep 7 06:13:55:078 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[99].
*Sep 7 06:13:55:079 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: opening session.
*Sep 7 06:13:55:086 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Setup environment: user=user@infra.mms, work directory=flash:, level=0
*Sep 7 06:13:55:087 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Get default work dir: flash:, return:0
%Sep 7 06:13:55:088 2015 CA-KAM-DC-R1.4-01 SSHS/6/SSHS_CONNECT: SSH user user@infra.mms (IP: 5.5.5.5) connected to the server successfully.
*Sep 7 06:13:55:109 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 93.
*Sep 7 06:13:55:230 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: RADIUS accounting started.
*Sep 7 06:13:55:231 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Sent accounting-start request successfully.
*Sep 7 06:13:55:231 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Processing AAA request data.
*Sep 7 06:13:55:231 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Got request data successfully, primitive: accounting-start.
*Sep 7 06:13:55:232 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Getting RADIUS server info.
*Sep 7 06:13:55:232 2015 CA-KAM-DC-R1.4-01 RADIUS/7/ERROR:
Failed to get server info.
*Sep 7 06:13:55:232 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
Sent reply message successfully.
*Sep 7 06:13:55:232 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Fetched accounting-start reply-data successfully, resultCode: 3
*Sep 7 06:13:55:233 2015 CA-KAM-DC-R1.4-01 RADIUS/7/EVENT:
PAM_RADIUS: Received accounting-start reply message, resultCode: 3
%Sep 7 06:13:55:248 2015 CA-KAM-DC-R1.4-01 LOGIN/6/LOGIN_FAILED: user@infra.mms failed to log in from 5.5.5.5.
*Sep 7 06:13:58:251 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: read failed
*Sep 7 06:13:58:252 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: input state changed (open - drain)
*Sep 7 06:13:58:252 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: send EOF
*Sep 7 06:13:58:252 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[96].
*Sep 7 06:13:58:253 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: input state changed (drain - closed)
*Sep 7 06:13:58:253 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Received SIGCHLD.
*Sep 7 06:13:58:253 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: request exit-status confirm 0
*Sep 7 06:13:58:253 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[98].
*Sep 7 06:13:58:254 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Release channel 0
*Sep 7 06:13:58:254 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: write failed
*Sep 7 06:13:58:254 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: send EOW
*Sep 7 06:13:58:254 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: output state changed (open - closed)
*Sep 7 06:13:58:254 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Close pty: pseudo-terminal-master(-1), pseudo-terminal-sub(24)
*Sep 7 06:13:58:256 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: send SSH2_MSG_CHANNEL_CLOSE
*Sep 7 06:13:58:256 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Prepare packet[97].
*Sep 7 06:13:58:470 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 96.
*Sep 7 06:13:58:470 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: received EOF
*Sep 7 06:13:58:470 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 97.
*Sep 7 06:13:58:470 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: received SSH2_MSG_CHANNEL_CLOSE
*Sep 7 06:13:58:470 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Close session: session 0, pid 0
*Sep 7 06:13:58:471 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Close pty: pseudo-terminal-master(-1), pseudo-terminal-sub(-1)
*Sep 7 06:13:58:471 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Session id 0 unused.
*Sep 7 06:13:58:471 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: Channel 0: garbage collecting
*Sep 7 06:13:58:472 2015 CA-KAM-DC-R1.4-01 SSHS/7/ERROR: Read error from remote host 5.5.5.5: Connection reset by peer
%Sep 7 06:13:58:472 2015 CA-KAM-DC-R1.4-01 SSHS/6/SSHS_DISCONNECT: SSH user user@infra.mms (IP: 5.5.5.5) disconnected from the server.
*Sep 7 06:13:58:472 2015 CA-KAM-DC-R1.4-01 SSHS/7/EVENT: PAM: cleanup
*Sep 7 06:13:58:696 2015 CA-KAM-DC-R1.4-01 SSHS/7/MESSAGE: Received packet type 93.;
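One way to read a debug capture like the one above phase by phase, as an added example that is not part of the original post: it joins each RADIUS record header with its continuation line, then reports every AAA primitive that ended with a non-zero resultCode together with the ERROR text logged during that phase. The sample lines are a constructed excerpt in the same format with the hostname shortened to SW1, and treating a non-zero resultCode as failure is an assumption drawn from this log.

```python
import re

# Constructed excerpt in the two-line format of the debug output above (hostname shortened).
SAMPLE = """\
*Sep 7 06:13:52:197 2015 SW1 RADIUS/7/EVENT:
Got request data successfully, primitive: authentication.
*Sep 7 06:13:52:197 2015 SW1 RADIUS/7/EVENT:
Got RADIUS server info successfully.
*Sep 7 06:13:54:398 2015 SW1 RADIUS/7/EVENT:
PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Sep 7 06:13:55:231 2015 SW1 RADIUS/7/EVENT:
Got request data successfully, primitive: accounting-start.
*Sep 7 06:13:55:232 2015 SW1 RADIUS/7/ERROR:
Failed to get server info.
*Sep 7 06:13:55:232 2015 SW1 RADIUS/7/EVENT:
PAM_RADIUS: Fetched accounting-start reply-data successfully, resultCode: 3
%Sep 7 06:13:55:248 2015 SW1 LOGIN/6/LOGIN_FAILED: user@infra.mms failed to log in from 5.5.5.5.
"""

# "*Mon D hh:mm:ss:ms YYYY host MODULE/severity/MNEMONIC: text"
HEADER = re.compile(r"^[*%]\w{3} +\d+ [\d:]+ \d{4} \S+ (\w+)/\d/(\w+):\s*(.*)$")
FETCHED = re.compile(r"Fetched ([\w-]+) reply-data successfully, resultCode: (\d+)")

def records(log):
    """Yield [module, mnemonic, text], folding continuation lines into the record."""
    out = []
    for line in log.splitlines():
        h = HEADER.match(line)
        if h:
            out.append(list(h.groups()))
        elif out and line.strip():
            out[-1][2] = (out[-1][2] + " " + line.strip()).strip()
    return out

def aaa_phases(log):
    """Map each AAA primitive seen in the log to its resultCode and ERROR texts."""
    phases, current = {}, None
    for module, mnemonic, text in records(log):
        if module != "RADIUS":
            continue
        if m := re.search(r"primitive: ([\w-]+)", text):
            current = phases.setdefault(m.group(1), {"code": None, "errors": []})
        elif mnemonic == "ERROR" and current is not None:
            current["errors"].append(text)
        elif m := FETCHED.search(text):
            phase = phases.setdefault(m.group(1), {"code": None, "errors": []})
            phase["code"] = int(m.group(2))
    return phases

def failed_phases(log):
    """Return (primitive, resultCode, errors) for phases with a non-zero resultCode."""
    return [(p, d["code"], d["errors"]) for p, d in aaa_phases(log).items() if d["code"]]
```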
10-08-2015 03:11 AM
Re: Problem with Radius authentication with 5900 switch
We are running software 7.1.045 2311P06 on our 5900 switches, and this config works for us:
radius scheme scheme-ahfk
primary authentication <Radius server>
key authentication cipher xxxxxxxxxx
user-name-format without-domain
nas-ip <switch ip address>
#
domain ahfk
authentication login radius-scheme scheme-ahfk
authorization login radius-scheme scheme-ahfk
#
line vty 0 15
terminal type vt100
authentication-mode scheme
user-role network-admin
user-role privilege
protocol inbound ssh
idle-timeout 0 0
#
We use Aruba ClearPass for Radius.
10-23-2015 03:51 AM
Re: Problem with Radius authentication with 5900 switch
Hi polevoym,
You have
radius scheme infra.mms
primary authentication 1.1.1.1 key simple xxxxxxxx
...
I think you need to add a line for the primary accounting server as well, since you are doing accounting in your domain infra.mms.
Regards
Region Midtjylland
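The check suggested in the last reply, as an added example (not code from the thread or from HPE): a small linter that flags a domain whose AAA lines point at a RADIUS scheme with no server configured for that function. The sample input is constructed from the two configurations quoted above, with 192.0.2.10 as a placeholder server address; it assumes authorization is served by the scheme's authentication server, since RADIUS returns authorization attributes in the Access-Accept.

```python
import re

# Constructed input: the two configurations quoted in this thread (placeholder address/key).
SAMPLE = """\
radius scheme infra.mms
 primary authentication 1.1.1.1 key simple xxxxxxxx
 user-name-format keep-original
quit
domain infra.mms
 authentication login radius-scheme infra.mms local
 authorization login radius-scheme infra.mms local
 accounting login radius-scheme infra.mms local
 authentication default radius-scheme infra.mms local
quit
domain default enable infra.mms
radius scheme scheme-ahfk
 primary authentication 192.0.2.10
#
domain ahfk
 authentication login radius-scheme scheme-ahfk
 authorization login radius-scheme scheme-ahfk
#
"""

SERVER = re.compile(r"(?:primary|secondary) (authentication|accounting)\b")
AAA = re.compile(r"(authentication|authorization|accounting) (\S+) radius-scheme (\S+)")

def lint_aaa(config):
    """Return (domain, aaa line, scheme, problem) for each domain AAA line that
    references a RADIUS scheme lacking a server for that function."""
    schemes, domains, block = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#", "quit"):            # end of a configuration view
            block = None
        elif m := re.fullmatch(r"radius scheme (\S+)", line):
            block = schemes.setdefault(m.group(1), set())
        elif m := re.fullmatch(r"domain (\S+)", line):  # not "domain default enable X"
            block = domains.setdefault(m.group(1), [])
        elif isinstance(block, set) and (m := SERVER.match(line)):
            block.add(m.group(1))
        elif isinstance(block, list) and (m := AAA.match(line)):
            block.append(m.groups())
    findings = []
    for dom, refs in domains.items():
        for func, service, scheme in refs:
            need = "accounting" if func == "accounting" else "authentication"
            if scheme not in schemes:
                findings.append((dom, f"{func} {service}", scheme, "scheme not defined"))
            elif need not in schemes[scheme]:
                findings.append((dom, f"{func} {service}", scheme, f"no {need} server"))
    return findings
```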