Re: Hp Comware 5120 and 5130 Radius Authentication with Windows
HasanReza
Occasional Contributor

Hp Comware 5120 and 5130 Radius Authentication with Windows

Dear All,

We have approx. 10 HP switches; all are HP Aruba except for 2, which are HP 5130 and HP 5120.

We have successfully configured RADIUS authentication for the HP Aruba switches.

For the HP 5120 we have also configured login to the switch via the domain account, and we can log in via the domain account; however, we cannot run the system-view command.

For the HP 5130 we are not able to configure login via the RADIUS server.

We have followed the below article from the web:

Comware7 Radius based RBAC user-role assignment | About Aruba Networks (abouthpnetworking.com)

Awaiting kind response,

regards - Hasan Reza

(Attached is also the configuration file for the HP 5120 switch)

[HP5120_CoreSW]display current-configuration
version 5.20.99, Release 2222P11
sysname HP5120_CoreSW
clock timezone GMT add 04:00:00
super password level 3 cipher
dhcp relay server-group 1 ip 172.22.19.20
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
domain default enable msa.local
dns server 213.42.20.20
telnet server enable
password-recovery enable
vlan 1
name Corporate Vlan
#
vlan 2 to 50
#
vlan 51
name DMZ Internal
#
vlan 52
name DMZ External
#
vlan 53 to 99
#
vlan 100
name Voice Vlan
#
vlan 101 to 4094
#
radius scheme system
server-type extended
primary authentication 172.22.18.78
key authentication cipher $c$3$/UxtxY5oCX4KvDWGJF5pgDmL5DQ5MKPjtB2djw==
security-policy-server 172.22.18.78
user-name-format without-domain
radius scheme nps
primary authentication 172.22.19.78
primary accounting 172.22.19.78
key authentication cipher $c$3$eHW83VWCqdmi6wRoJFAYOLgF9BPTfML2p8Q6Cg==
key accounting cipher $c$3$y3yQ9Mf4zm184BugWXr+f7G0CrfQqIS6Y/a4rw==
user-name-format without-domain
#
domain msa.local
authentication login radius-scheme system local
authorization login radius-scheme system local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$GdSQ6lVT9yjUeYWJGPnCJP9545QDUgfR47bzxA==
authorization-attribute level 3
service-type ssh telnet terminal
service-type web
local-user mana
local-user manager
password cipher $c$3$6dZPZXequIPLDTqEkEE4kiWEKny/Aj4PsA8=
service-type telnet
service-type web
local-user root
password cipher $c$3$HXsjuz6HxLZBdmqclYBYSdlcdSH8TGk=
authorization-attribute level 2
service-type lan-access
service-type ssh telnet
service-type ftp
service-type portal
service-type web
#
stp region-configuration
region-name myregion
revision-level 1
active region-configuration
stp enable
#
user-profile privilege
#
interface NULL0
#
interface Vlan-interface1
ip address 172.22.19.254 255.255.254.0
dns server 8.8.8.8
#
interface Vlan-interface51
ip address 172.16.16.2 255.255.255.0
#
interface Vlan-interface100
ip address 192.168.100.254 255.255.255.0
dhcp select relay
dhcp relay server-select 1
#
interface GigabitEthernet1/0/1
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/2
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk permit vlan all
poe enable
#
interface GigabitEthernet1/0/4
port link-type hybrid
port hybrid vlan 1 100 untagged
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid vlan 1 100 untagged
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/6
port link-type hybrid
port hybrid vlan 1 100 untagged
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/7
port access vlan 51
#
interface GigabitEthernet1/0/8
port access vlan 51
poe enable
#
interface GigabitEthernet1/0/9
port access vlan 51
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/10
port access vlan 51
#
interface GigabitEthernet1/0/11
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/12
port access vlan 51
#
interface GigabitEthernet1/0/13
port access vlan 52
#
interface GigabitEthernet1/0/14
port access vlan 52
#
interface GigabitEthernet1/0/15
port link-type hybrid
port hybrid vlan 1 52 100 untagged
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/16
port access vlan 52
#
interface GigabitEthernet1/0/17
port link-type hybrid
port hybrid vlan 1 100 untagged
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/18
port link-type hybrid
port hybrid vlan 1 100 untagged
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/19
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 99 tagged
port hybrid vlan 50 untagged
port hybrid pvid vlan 50
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/20
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 99 tagged
port hybrid vlan 50 untagged
port hybrid pvid vlan 50
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/21
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/22
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/23
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/24
#
interface GigabitEthernet1/0/25
shutdown
#
interface GigabitEthernet1/0/26
shutdown
interface GigabitEthernet1/0/27
shutdown
#
interface GigabitEthernet1/0/28
shutdown
#
interface Ten-GigabitEthernet1/1/1
port link-type trunk
port trunk permit vlan all
#
interface Ten-GigabitEthernet1/1/2
port link-type trunk
port trunk permit vlan all
ip route-static 0.0.0.0 0.0.0.0 Vlan-interface1 172.22.19.1
info-center syslog channel 1
dhcp enable
ntp-service unicast-server 172.22.19.2
ntp-service unicast-server 172.22.19.6
ssh server enable
load xml-configuration
#
user-interface aux 0
user-interface vty 0
set authentication password cipher $c$3$Gp5XXhIb8Cct12bHCpgeiunQjKqXr7NTpR
user-interface vty 1 15
authentication-mode scheme
set authentication password cipher $c$3$EGH7dZS63hOvwtHTb9sFgflppEr878BrHRJsBvYug==
#
return
[HP5120_CoreSW]
[HP5120_CoreSW]
HasanReza
Occasional Contributor

Re: Hp Comware 5120 and 5130 Radius Authentication with Windows

Desperately awaiting response!

Nitish_N
HPE Pro

Re: Hp Comware 5120 and 5130 Radius Authentication with Windows

Hello Hasan,

Regarding your query, I checked the configuration shared, and it requires a few configuration changes for RBAC to work.

> First, I could see the below command is set for the default domain to be used, and it's pointing to msa.local.

domain default enable msa.local

> The msa.local domain is pointing to RADIUS scheme system.

domain msa.local
authentication login radius-scheme system local
authorization login radius-scheme system local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable

> The below RADIUS scheme system should have an authorization server set as well; otherwise it may be able to log in, but with level 1 or network-operator privilege. For RBAC to work properly I will request you to add an authorization server to the scheme, and on the authorization server the privilege assigned to the user should be "level 3" for the HP 5120 switch and "network-admin" for the HP 5130 switch. Please try and let me know if that works.


radius scheme system
server-type extended
primary authentication 172.22.18.78
key authentication cipher $c$3$/UxtxY5oCX4KvDWGJF5pgDmL5DQ5MKPjtB2djw==
security-policy-server 172.22.18.78
user-name-format without-domain


radius scheme nps
primary authentication 172.22.19.78
primary accounting 172.22.19.78
key authentication cipher $c$3$eHW83VWCqdmi6wRoJFAYOLgF9BPTfML2p8Q6Cg==
key accounting cipher $c$3$y3yQ9Mf4zm184BugWXr+f7G0CrfQqIS6Y/a4rw==
user-name-format without-domain
#

-N
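An added check, not from the thread or from HPE, that walks the same chain Nitish traces above: the default domain, the RADIUS scheme that domain uses for login, the servers and keys configured in that scheme, and which vty lines actually use scheme authentication rather than a line password. The sample is a constructed, trimmed and key-redacted copy of the 5120 dump posted above.

```python
import re
# Constructed sample trimmed from the dump in the thread; keys redacted.
SAMPLE = """\
domain default enable msa.local
radius scheme system
primary authentication 172.22.18.78
key authentication cipher $c$3$REDACTED
#
domain msa.local
authentication login radius-scheme system local
authorization login radius-scheme system local
#
user-interface vty 0
set authentication password cipher $c$3$REDACTED
user-interface vty 1 15
authentication-mode scheme
#
"""

def parse_stanzas(text):
    """Group lines under their 'radius scheme', 'domain' or 'user-interface' header."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^(radius scheme|domain|user-interface) (.+)$", line)
        if m and not line.startswith("domain default"):
            current = (m.group(1), m.group(2))
            stanzas[current] = []
        elif line in ("", "#"):  # '#' closes a stanza in Comware dumps
            current = None
        elif current:
            stanzas[current].append(line)
    return stanzas
def audit(text):
    """Trace default domain -> login RADIUS scheme -> servers/keys, then check vty lines."""
    findings, st = [], parse_stanzas(text)
    m = re.search(r"^domain default enable (\S+)", text, re.M)
    domain = st.get(("domain", m.group(1)), []) if m else []
    scheme = next((l.split()[3] for l in domain if l.startswith("authentication login radius-scheme ")), None)
    if scheme is None:
        return ["default domain does not authenticate logins via a RADIUS scheme"]
    rs = st.get(("radius scheme", scheme), [])
    for kind in ("authentication", "accounting"):
        if not any(l.startswith(f"primary {kind} ") for l in rs):
            findings.append(f"radius scheme {scheme}: no primary {kind} server")
        if not any(l.startswith(f"key {kind} ") for l in rs):
            findings.append(f"radius scheme {scheme}: no {kind} key")
    for (kind, name), lines in st.items():
        if kind == "user-interface" and "authentication-mode scheme" not in lines:
            findings.append(f"user-interface {name}: no 'authentication-mode scheme', domain AAA not applied")
    return findings
```

Run `audit(open("config.txt").read())` against a full `display current-configuration` capture; a vty line without `authentication-mode scheme` falls back to its line password, so RADIUS is never consulted there regardless of the domain settings.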

