
HP Comware 5120 and 5130 RADIUS Authentication with Windows

 
HasanReza
Occasional Contributor


Dear All,

We have approx. 10 HP switches; all are HP Aruba except for 2, which are an HP 5130 and an HP 5120.

We have successfully configured RADIUS authentication for the HP Aruba switches.

For the HP 5120 we have also configured login to the switch via the domain account, and we can log in via the domain account; however, we cannot run the system-view command.

For the HP 5130 we are not able to configure login via the RADIUS server.

We have followed the below article from the web:

Comware7 Radius based RBAC user-role assignment | About Aruba Networks (abouthpnetworking.com)

Awaiting kind response,

regards - Hasan Reza

(Attached is also the configuration file for the HP 5120 switch)

[HP5120_CoreSW]display current-configuration
version 5.20.99, Release 2222P11
sysname HP5120_CoreSW
clock timezone GMT add 04:00:00
super password level 3 cipher
dhcp relay server-group 1 ip 172.22.19.20
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
domain default enable msa.local
dns server 213.42.20.20
telnet server enable
password-recovery enable
vlan 1
name Corporate Vlan
#
vlan 2 to 50
#
vlan 51
name DMZ Internal
#
vlan 52
name DMZ External
#
vlan 53 to 99
#
vlan 100
name Voice Vlan
#
vlan 101 to 4094
#
radius scheme system
server-type extended
primary authentication 172.22.18.78
key authentication cipher $c$3$/UxtxY5oCX4KvDWGJF5pgDmL5DQ5MKPjtB2djw==
security-policy-server 172.22.18.78
user-name-format without-domain
radius scheme nps
primary authentication 172.22.19.78
primary accounting 172.22.19.78
key authentication cipher $c$3$eHW83VWCqdmi6wRoJFAYOLgF9BPTfML2p8Q6Cg==
key accounting cipher $c$3$y3yQ9Mf4zm184BugWXr+f7G0CrfQqIS6Y/a4rw==
user-name-format without-domain
#
domain msa.local
authentication login radius-scheme system local
authorization login radius-scheme system local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$GdSQ6lVT9yjUeYWJGPnCJP9545QDUgfR47bzxA==
authorization-attribute level 3
service-type ssh telnet terminal
service-type web
local-user mana
local-user manager
password cipher $c$3$6dZPZXequIPLDTqEkEE4kiWEKny/Aj4PsA8=
service-type telnet
service-type web
local-user root
password cipher $c$3$HXsjuz6HxLZBdmqclYBYSdlcdSH8TGk=
authorization-attribute level 2
service-type lan-access
service-type ssh telnet
service-type ftp
service-type portal
service-type web
#
stp region-configuration
region-name myregion
revision-level 1
active region-configuration
stp enable
#
user-profile privilege
#
interface NULL0
#
interface Vlan-interface1
ip address 172.22.19.254 255.255.254.0
dns server 8.8.8.8
#
interface Vlan-interface51
ip address 172.16.16.2 255.255.255.0
#
interface Vlan-interface100
ip address 192.168.100.254 255.255.255.0
dhcp select relay
dhcp relay server-select 1
#
interface GigabitEthernet1/0/1
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/2
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk permit vlan all
poe enable
#
interface GigabitEthernet1/0/4
port link-type hybrid
port hybrid vlan 1 100 untagged
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid vlan 1 100 untagged
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/6
port link-type hybrid
port hybrid vlan 1 100 untagged
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/7
port access vlan 51
#
interface GigabitEthernet1/0/8
port access vlan 51
poe enable
#
interface GigabitEthernet1/0/9
port access vlan 51
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/10
port access vlan 51
#
interface GigabitEthernet1/0/11
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/12
port access vlan 51
#
interface GigabitEthernet1/0/13
port access vlan 52
#
interface GigabitEthernet1/0/14
port access vlan 52
#
interface GigabitEthernet1/0/15
port link-type hybrid
port hybrid vlan 1 52 100 untagged
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/16
port access vlan 52
#
interface GigabitEthernet1/0/17
port link-type hybrid
port hybrid vlan 1 100 untagged
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/18
port link-type hybrid
port hybrid vlan 1 100 untagged
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/19
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 99 tagged
port hybrid vlan 50 untagged
port hybrid pvid vlan 50
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/20
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 99 tagged
port hybrid vlan 50 untagged
port hybrid pvid vlan 50
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/21
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/22
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/23
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/24
#
interface GigabitEthernet1/0/25
shutdown
#
interface GigabitEthernet1/0/26
shutdown
interface GigabitEthernet1/0/27
shutdown
#
interface GigabitEthernet1/0/28
shutdown
#
interface Ten-GigabitEthernet1/1/1
port link-type trunk
port trunk permit vlan all
#
interface Ten-GigabitEthernet1/1/2
port link-type trunk
port trunk permit vlan all
ip route-static 0.0.0.0 0.0.0.0 Vlan-interface1 172.22.19.1
info-center syslog channel 1
dhcp enable
ntp-service unicast-server 172.22.19.2
ntp-service unicast-server 172.22.19.6
ssh server enable
load xml-configuration
#
user-interface aux 0
user-interface vty 0
set authentication password cipher $c$3$Gp5XXhIb8Cct12bHCpgeiunQjKqXr7NTpR
user-interface vty 1 15
authentication-mode scheme
set authentication password cipher $c$3$EGH7dZS63hOvwtHTb9sFgflppEr878BrHRJsBvYug==
#
return
HasanReza
Occasional Contributor

Re: HP Comware 5120 and 5130 RADIUS Authentication with Windows

Desperately awaiting response!

Nitish_N
HPE Pro

Re: HP Comware 5120 and 5130 RADIUS Authentication with Windows

Hello Hasan,

Regarding your query, I checked the configuration shared, and it requires a few configuration changes for RBAC to work.

> First, I can see the below command is set for the default domain to be used, and it is pointing to msa.local.

domain default enable msa.local

> The msa.local domain is pointing to RADIUS scheme system:

domain msa.local
authentication login radius-scheme system local
authorization login radius-scheme system local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable

> The RADIUS scheme system below should have an authorization server set as well; otherwise it may be able to log in, but with level 1 or network-operator privilege. For RBAC to work properly I will request you to add an authorization server to the scheme, and on the authorization server the privilege assigned to the user must be "level 3" for the HP 5120 switch and "network-admin" for the HP 5130 switch. Please try and let me know if that works.


radius scheme system
server-type extended
primary authentication 172.22.18.78
key authentication cipher $c$3$/UxtxY5oCX4KvDWGJF5pgDmL5DQ5MKPjtB2djw==
security-policy-server 172.22.18.78
user-name-format without-domain


radius scheme nps
primary authentication 172.22.19.78
primary accounting 172.22.19.78
key authentication cipher $c$3$eHW83VWCqdmi6wRoJFAYOLgF9BPTfML2p8Q6Cg==
key accounting cipher $c$3$y3yQ9Mf4zm184BugWXr+f7G0CrfQqIS6Y/a4rw==
user-name-format without-domain
#

-N


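Both symptoms in this thread (5120: the domain login works but system-view is refused; 5130: no usable RBAC role) come down to what the Access-Accept from the RADIUS server carries. A Comware 5 switch such as the 5120 takes its CLI level from the HPE/H3C vendor-specific attribute Exec-Privilege, and a Comware 7 switch such as the 5130 takes its user role from the vendor attribute User-Roles in the form shell:roles="network-admin"; when neither is present the switch falls back to its default, which is exactly the "can log in but cannot run system-view" behaviour. The Python below is an added example, not code from the thread or from HPE: it encodes those attributes the way NPS must return them and decodes a reply to show what the switch would derive, so the NPS answer from a packet capture can be checked in seconds. Assumptions, labelled in the code: vendor ID 25506 with sub-attributes 29 (Exec-Privilege) and 210 (User-Roles), as listed in the FreeRADIUS dictionary.h3c; confirm the numbers against the HPE attribute list for your release. All sample attribute bytes are constructed, not captured.

```python
"""Encode and decode the HPE/H3C RADIUS vendor-specific attributes that decide
what a Comware switch lets a RADIUS-authenticated admin do.

Added example for this thread, not HPE or forum code.  Assumptions:
  * Vendor ID 25506 (H3C/HPE Comware); sub-attribute 29 = Exec-Privilege
    (integer 0-3, Comware 5 / 5120) and 210 = User-Roles (string,
    shell:roles="role ...", Comware 7 / 5130), as in FreeRADIUS dictionary.h3c.
  * All sample attribute bytes below are constructed, not captured.
"""
import struct

VENDOR_HP_COMWARE = 25506
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SUB_EXEC_PRIVILEGE = 29      # Comware 5: CLI level 0..3 (3 = manage)
SUB_USER_ROLES = 210         # Comware 7: shell:roles="network-admin"


def encode_vsa(vendor_id, sub_type, value):
    """One RFC 2865 Vendor-Specific (type 26) attribute holding one vendor sub-attribute."""
    sub = struct.pack("!BB", sub_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def comware5_privilege_attrs(level):
    """What NPS must return for a 5120 admin: Exec-Privilege = level (3 for full access)."""
    if not 0 <= level <= 3:
        raise ValueError("Comware 5 privilege level is 0..3")
    return encode_vsa(VENDOR_HP_COMWARE, SUB_EXEC_PRIVILEGE, struct.pack("!I", level))


def comware7_role_attrs(*roles):
    """What NPS must return for a 5130 admin: User-Roles = shell:roles="network-admin"."""
    value = 'shell:roles="%s"' % " ".join(roles)
    return encode_vsa(VENDOR_HP_COMWARE, SUB_USER_ROLES, value.encode("ascii"))


def parse_attributes(data):
    """Yield (type, value) over a RADIUS attribute list (bytes after the 20-byte header)."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        yield atype, data[i + 2:i + alen]
        i += alen


def parse_vsas(data):
    """Yield (vendor_id, sub_type, value) for every sub-attribute inside type-26 attributes."""
    for atype, value in parse_attributes(data):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        j = 4
        while j + 2 <= len(value):
            sub_type, sub_len = value[j], value[j + 1]
            if sub_len < 2 or j + sub_len > len(value):
                break  # malformed vendor data: stop rather than loop or over-read
            yield vendor, sub_type, value[j + 2:j + sub_len]
            j += sub_len


def effective_authorization(data):
    """What a Comware switch derives from an Access-Accept attribute list.

    Returns {"level": int or None, "roles": [str]}.  None / [] means the server sent
    nothing the switch understands, so the switch falls back to its default
    (the thread's symptom: the domain login succeeds but system-view is refused).
    """
    result = {"level": None, "roles": []}
    for vendor, sub_type, value in parse_vsas(data):
        if vendor != VENDOR_HP_COMWARE:
            continue
        if sub_type == SUB_EXEC_PRIVILEGE and len(value) == 4:
            result["level"] = struct.unpack("!I", value)[0]
        elif sub_type == SUB_USER_ROLES:
            text = value.decode("ascii", errors="replace")
            if text.startswith("shell:roles="):
                result["roles"] = text[len("shell:roles="):].strip('"').split()
    return result


# Constructed sample: an Access-Accept carrying only Service-Type = Login (1)
# and no vendor attribute, i.e. a policy that authenticates but authorizes nothing.
SAMPLE_ACCEPT_NO_VSA = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, 1)

# Constructed samples of what each switch needs, alongside the bare Service-Type.
SAMPLE_ACCEPT_5120 = SAMPLE_ACCEPT_NO_VSA + comware5_privilege_attrs(3)
SAMPLE_ACCEPT_5130 = SAMPLE_ACCEPT_NO_VSA + comware7_role_attrs("network-admin")

if __name__ == "__main__":
    for name, pkt in (("no VSA", SAMPLE_ACCEPT_NO_VSA),
                      ("5120", SAMPLE_ACCEPT_5120), ("5130", SAMPLE_ACCEPT_5130)):
        print("%-6s %s -> %s" % (name, pkt.hex(), effective_authorization(pkt)))
```

Two things visible in the posted 5120 configuration are worth checking alongside the server attributes: domain msa.local uses radius scheme system (172.22.18.78), while the scheme named nps (172.22.19.78, the one with accounting) is defined but referenced by no domain, so whichever host actually runs NPS must be the one the domain points at; and user-interface vty 0 has no authentication-mode scheme, so it still authenticates with its own line password rather than RADIUS, and with telnet server enable that path is also available in cleartext.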