
problems with RADIUS authentication

 
NextHop
Occasional Collector


Hi all,

I'm experiencing authentication problems with this configuration on HPE5510 R1309:

radius scheme system
 primary authentication 10.40.0.208
 key authentication cipher $c$3$miP5XfL7OV3vTSlz8OsyWF+O0jl2QvIj4FemMw==
 user-name-format without-domain
 nas-ip 10.99.80.6
#
domain system
 authentication login radius-scheme system local
 authorization login radius-scheme system local

The RADIUS server is FreeRADIUS 3.0.16.

I've enabled "debug radius all"; the output is below:

<TWR-F>             *Oct 31 14:23:56:738 2018 TWR-F RADIUS/7/EVENT:
Got request data successfully, primitive: authentication.
*Oct 31 14:23:56:738 2018 TWR-F RADIUS/7/EVENT:
Getting RADIUS server info.
*Oct 31 14:23:56:738 2018 TWR-F RADIUS/7/EVENT:
Got RADIUS server info successfully.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Created request context successfully.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Created request packet successfully, dstIP: 10.40.0.208, dstPort: 1812, VPN instance: --(public), socketFd: 34, pktID: 56.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Added packet socketfd to epoll successfully, socketFd: 34.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Mapped PAM item to RADIUS attribute successfully.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Got RADIUS username format successfully, format: 2.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Added attribute user-name successfully, user-name: test.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Filled RADIUS attributes in packet successfully.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Composed request packet successfully.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
Created response timeout timer successfully.
*Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/PACKET:
    User-Name="test"
    NAS-Identifier="TWR-F"
    Framed-IP-Address=10.40.10.83
    NAS-Port-Type=Virtual
    Acct-Session-Id="00000001201810311423560000000108100627"
    User-Password=******
    Service-Type=Login-User
    NAS-IP-Address=10.99.80.6
    H3c-Product-Id="HPE 5510 48G 4SFP+ HI 1-slot Switch JH146A"
    H3c-Nas-Startup-Timestamp=1540985598
*Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/EVENT:
Sent request packet successfully.
*Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/PACKET:
*Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/EVENT:
Sent request packet and create request context successfully.
*Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/EVENT:
Added request context to global table successfully.
*Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/EVENT:
Processing AAA request data.
*Oct 31 14:23:56:741 2018 TWR-F RADIUS/7/EVENT:
PAM_RADIUS: Sent authentication request successfully.
*Oct 31 14:23:56:759 2018 TWR-F RADIUS/7/EVENT:
Reply SocketFd recieved EPOLLIN event.
*Oct 31 14:23:56:759 2018 TWR-F RADIUS/7/EVENT:
Received reply packet succuessfully.
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
Found request context, dstIP: 10.40.0.208, dstPort: 1812, VPN instance: --(public), socketFd: 34, pktID: 56.
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
The reply packet is valid.
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
Decoded reply packet successfully.
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/PACKET:
 02 38 00 14 06 87 b7 fe 69 24 46 2d 01 bb f6 db
 a4 15 d3 d8
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
Sent reply message successfully.
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
PAM_RADIUS: Received authentication reply message, resultCode: 0
*Oct 31 14:23:56:762 2018 TWR-F RADIUS/7/EVENT:
PAM_RADIUS: Processing RADIUS authorization.
*Oct 31 14:23:56:762 2018 TWR-F RADIUS/7/EVENT:
PAM_RADIUS: RADIUS Authorization successfully.
%Oct 31 14:23:56:763 2018 TWR-F SSHS/6/SSHS_LOG: Accepted password for test from 10.40.10.83 port 53869.

%Oct 31 14:23:57:786 2018 TWR-F SSHS/6/SSHS_CONNECT: SSH user test (IP: 10.40.10.83) connected to the server successfully.
%Oct 31 14:23:58:136 2018 TWR-F LOGIN/5/LOGIN_FAILED: test failed to log in from 10.40.10.83.
%Oct 31 14:24:01:148 2018 TWR-F SSHS/6/SSHS_LOG: User test logged out from 10.40.10.83 port 53869.
%Oct 31 14:24:01:148 2018 TWR-F SSHS/6/SSHS_DISCONNECT: SSH user test (IP: 10.40.10.83) disconnected from the server.

The authentication and authorization phases seem to be successful, but in the end I get only:

LOGIN/5/LOGIN_FAILED and SSHS/6/SSHS_DISCONNECT.

Has anyone experienced something like this?

Thx in advance

drk787
HPE Pro

Re: problems with RADIUS authentication

Hi,

Can you share the RADIUS server configuration? Check whether Login-Service is set to 50 (SSH) in the user configuration file, under the user.

E.g.:
       Login-Service = 50

Thank You!
I am an HPE Employee
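
Added example, not part of the original posts: a small decoder for the hex printed under RADIUS/7/PACKET, applied to the 20-byte reply from the debug output in the first post, to check whether the server's Access-Accept carries a Login-Service attribute. The function names and the constructed comparison packet are assumptions; attribute numbers are from RFC 2865, and the value 50 for SSH is the one given in the reply above.

```python
import struct

# Reply bytes copied from the RADIUS/7/PACKET dump in the first post.
REPLY_HEX = "02 38 00 14 06 87 b7 fe 69 24 46 2d 01 bb f6 db a4 15 d3 d8"

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTRS = {6: "Service-Type", 15: "Login-Service", 26: "Vendor-Specific"}  # RFC 2865


def parse_radius(hex_dump):
    """Decode the RFC 2865 header and walk the attribute TLVs."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 20 <= length <= len(raw):
        raise ValueError("length field does not match the captured bytes")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        a_type, a_len = raw[pos], raw[pos + 1]
        attrs.append((ATTRS.get(a_type, str(a_type)), raw[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": CODES.get(code, str(code)), "id": ident,
            "length": length, "attrs": attrs}


def login_service(pkt):
    """Return the Login-Service value as an int, or None if it is absent."""
    for name, value in pkt["attrs"]:
        if name == "Login-Service" and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


def constructed_accept(ident, service):
    """Constructed sample (not from the thread): Access-Accept carrying
    Login-Service, with a zeroed authenticator."""
    attr = struct.pack("!BBI", 15, 6, service)
    return (struct.pack("!BBH", 2, ident, 20 + len(attr)) + bytes(16) + attr).hex()


if __name__ == "__main__":
    pkt = parse_radius(REPLY_HEX)
    print(pkt["code"], "id", pkt["id"], "attrs", pkt["attrs"],
          "Login-Service", login_service(pkt))
    sample = parse_radius(constructed_accept(56, 50))
    print(sample["code"], "Login-Service", login_service(sample))
```

For the reply in the first post this reports an Access-Accept with id 56 (matching pktID: 56 in the log), length 20 and an empty attribute list, so that reply carried no Login-Service attribute.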


NextHop
Occasional Collector

Re: problems with RADIUS authentication

Thanks for the hint, but I don't know how to set "Login-Service=50" with the web interface of my daloRADIUS.

[Attached image: Daloradius.JPG]

I will have to ask the server administrator if it is possible to modify the file, in case it exists.

Thx again

NextHop

NextHop
Occasional Collector

Re: problems with RADIUS authentication

Hi rajkumar787,

I've tried to set Login-service=50 but the result is the same:

%Nov  7 12:13:56:763 2018 TWR-F SSHS/6/SSHS_LOG: Accepted password for test from 10.40.10.83 port 53869.

%Nov  7 12:13:57:786 2018 TWR-F SSHS/6/SSHS_CONNECT: SSH user test (IP: 10.40.10.83) connected to the server successfully.
%Nov  7 12:13:58:136 2018 TWR-F LOGIN/5/LOGIN_FAILED: test failed to log in from 10.40.10.83.
%Nov  7 12:14:01:148 2018 TWR-F SSHS/6/SSHS_LOG: User test logged out from 10.40.10.83 port 53869.
%Nov  7 12:14:01:148 2018 TWR-F SSHS/6/SSHS_DISCONNECT: SSH user test (IP: 10.40.10.83) disconnected from the server

IMHO, it does not seem to be an issue with SSH, because I get "Accepted", user connect and user disconnect messages from SSH.

I don't know why I get a LOGIN_FAILED for user test.

So, thx again.

NextHop

drk787
HPE Pro

Re: problems with RADIUS authentication

Hi,

Try adding 'primary accounting 10.40.0.208' and 'key authentication <radius key>' under 'radius scheme system', and 'accounting login radius-scheme system local' under 'domain system'.

Also make sure 'domain default enable system' is there by default.

If you still have issues logging in, maybe a Wireshark trace on the RADIUS server will help.
  

Thank You!
I am an HPE Employee


NextHop
Occasional Collector

Re: problems with RADIUS authentication

Hi rajkumar787,

First of all, thx for your answer. I don't need a srv account; I don't think that is the problem.

Anyway I've tried, but unfortunately, the result is the same.

Best regards

NextHop