HPE Community
Comware Based
1753641 Members
4880 Online
108798 Solutions
New Discussion

Re: SSH users don't have full permission to configure H3c Switches through ssh using free radius

 
johnnynguyen
Occasional Visitor

‎09-25-2017 07:02 PM

‎09-25-2017 07:02 PM

SSH users don't have full permission to configure H3c Switches through ssh using free radius

dear all

i'm new member here and really need help from you all. my company bought many H3c Switches and use them with Cisco switches we also use a freeradius server to authenticate ssh user for both types of switch. cisco switches work well but H3c switches don't work well. it's successful to login but have no permission to configure it.

more details.

switches models : H3C Comware Platform Software
Comware Software, Version 5.20.99, Release 1108
Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C S5024PV2-EI-PWR uptime is 7 weeks, 0 day, 1 hour, 28 minutes

H3C S5024PV2-EI-PWR
128M    bytes DRAM
32M     bytes Flash Memory
Config Register points to Flash

Hardware Version is REV.A
Bootrom Version is 110
[SubSlot 0] 24GE+4SFP Hardware Version is REV.A

i already configure radius scheme for it with the followin content :

radius scheme 2000
 primary authentication 172.19.16.12
 primary accounting 172.19.16.12
 key authentication cipher $c$3$FLwitDuepyryEo99M8/mX4QfJLaJ
 key accounting cipher $c$3$Ihu/Owx+stq0yxjWPxj6Pyxbu7wn
 user-name-format without-domain
 nas-ip 172.19.3.182
#
domain 2000
 authentication default radius-scheme 2000
 authorization default radius-scheme 2000
 accounting default radius-scheme 2000
 authentication login radius-scheme 2000 local
 authorization login radius-scheme 2000 local
 accounting login radius-scheme 2000 local
 authorization command local

here is the user's information i declare on freeradius ( centos 6.6 final)

boss Cleartext-Password := "boss"
       Service-Type = NAS-Prompt-User,
       H3C-Exec-Privilege = "3",
       Login-Service = 50,
       Cisco-AVPair = "shell:roles=network-operator"

and here is the result when i ssh to h3c switches. in fact i'm successful to access the switch but have no permission to configure just have permission to use display command.

<FacB_H3C_Parking_187>?
User view commands:
  cluster  Run cluster command
  display  Display current system information
  ping     Ping function
  quit     Exit from current command view
  ssh2     Establish a secure shell client connection
  super    Set the current user priority level
  telnet   Establish one TELNET connection
  tracert  Trace route function
<FacB_H3C_Parking_187>

can annyone have the same problem ? please help me

 

0 Kudos
1 REPLY 1
TerjeAFK
Respected Contributor

‎09-26-2017 03:22 AM

‎09-26-2017 03:22 AM

Re: SSH users don't have full permission to configure H3c Switches through ssh using free radius

Change the Cisco-AVPair attribute in FreeRadius from "shell:roles=network-operator" to "shell:roles=network-admin"

The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.