01-22-2006 03:55 AM
IAS authentication levels
How can I configure which user level is authenticated when I have enabled RADIUS switch authentication using IAS in W2K3? Basically I would like to know how the switch knows whether the domain user name I use to log in is an operator or manager level user ID. This is with ProCurve 2500/2600/5300 switches.
-Miika
3 REPLIES
01-22-2006 08:06 PM
Re: IAS authentication levels
In the RADIUS access-request packet there is a "service-type" attribute that the switch includes. Depending on whether operator (login) or manager (enable) access level is being requested, the service-type attribute will be nas-prompt (7) or administrative-user (6), respectively. The RADIUS server needs a policy defined to take the field into account in determining the ultimate permit/deny decision.
02-06-2006 01:38 AM
Re: IAS authentication levels
Is it a feature that the RADIUS user first logs in as operator and then, if I give the "enable" command, I am prompted for a username again, which accepts the same username/password as the operator login?
As for the service-type configuration, should I change this in IAS/policy/advanced service-type? Both Administrative and NAS-Prompt are found, but I can't have attribute number 6. So is this the value that should be either 6 or 7? If so, how can I change it?
-Miika
06-27-2006 09:35 PM
Re: IAS authentication levels
It might be a little late to answer your question, given the date on which you posted it, but I'm going to answer anyway. Maybe other people have similar problems.
> Is it a feature that the radius user first
> logins as operator and then if I give
> "enable" command I am prompted for username
> again, which accepts the same
> username/password as the operator login.
RTFM! :)
The 5300 Series Switches' Access Security Guide Manual on Page 6-10 states that you have to use the "aaa authentication login privilege-mode" option to get rid of the double login.
> As for the service-type configuration,
> should I change this in IAS/policy/advanced
> service-type? Both administrative and
> Nas-prompt is found, but I can't have
> attribute number 6. So is this the value
> that should be either 6 or 7. If so, how
> can I change it?
Defining the "Administrative" service-type in a POLICY means to only accept requests that contain the "Administrative" attribute. This leads to your first question:
> Basically I would like to know, how does
> the switch know that the domain user name I
> will use to login is and operator or
> manager level userid?
When I set up my first IAS I had the same question, and it took me quite a long time to figure it out. I had read almost every MS document about IAS but couldn't find an answer to my question.
What you have to do is to
1.) make a new Windows group like "switch access" or something and add the users which are going to be allowed to access the switches.
2.) define a remote access policy. In the wizard choose the "Windows group matches..." condition and supply the group which you want to grant access to.
3.) edit the corresponding dial-in profile. On the "Advanced" tab, choose the "Service-Type" to be "Administrative".
(This is what I did on W2K3, might be slightly different on W2K)
This way the switch "knows" which users may be granted access to because the IAS answers with the right Service-Type when being asked by the switch.
You can test your config with the Event Viewer (eventvwr) or by using the "iasparse" tool from Microsoft's resource kit. Both supply detailed information and reasons why an access request has been rejected.
I hope this helps.
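A small model of the exchange the replies above describe: the switch puts Service-Type 6 (Administrative-User, manager/enable) or 7 (NAS-Prompt, operator/login) into the Access-Request, and the RADIUS policy accepts only members of the "switch access" group whose request carries the Service-Type the policy was configured for. This is an added example, not code from the thread, IAS or HP; the packet bytes, usernames and group membership are constructed stand-ins.

```python
import struct

# RADIUS Service-Type values (RFC 2865) that the switch sends, as described in the thread
ADMINISTRATIVE_USER = 6   # manager access requested ("enable")
NAS_PROMPT = 7            # operator access requested ("login")
ATTR_USER_NAME, ATTR_SERVICE_TYPE = 1, 6   # RADIUS attribute type numbers

# Constructed stand-in for the Windows "switch access" group used as the policy condition
SWITCH_ACCESS_GROUP = {"miika", "netadmin"}


def build_access_request(username: str, service_type: int, ident: int = 1) -> bytes:
    """Minimal Access-Request (code 1) with User-Name and Service-Type attributes.
    The 16-byte Request Authenticator is zeroed here; a real NAS uses random bytes."""
    name = username.encode()
    avps = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    avps += struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    return struct.pack("!BBH", 1, ident, 20 + len(avps)) + bytes(16) + avps


def parse_attributes(packet: bytes) -> dict:
    """Walk the type/length/value list that follows the 20-byte RADIUS header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        t, ln = packet[i], packet[i + 1]
        if ln < 2 or i + ln > len(packet):
            raise ValueError("malformed attribute length")
        attrs[t] = packet[i + 2:i + ln]
        i += ln
    return attrs


def evaluate_policy(packet: bytes, required_service_type: int = ADMINISTRATIVE_USER) -> str:
    """Model of the remote access policy from the thread: a group-membership condition
    plus a Service-Type condition. Anything else (including a missing or malformed
    Service-Type) is rejected, which is the safe default for a management-plane login."""
    if packet[0] != 1:                      # only Access-Request is evaluated
        return "Access-Reject"
    attrs = parse_attributes(packet)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    st_raw = attrs.get(ATTR_SERVICE_TYPE)
    if st_raw is None or len(st_raw) != 4:
        return "Access-Reject"
    (service_type,) = struct.unpack("!I", st_raw)
    if user.lower() not in SWITCH_ACCESS_GROUP or service_type != required_service_type:
        return "Access-Reject"
    return "Access-Accept"


if __name__ == "__main__":
    for name, st in (("miika", ADMINISTRATIVE_USER), ("miika", NAS_PROMPT), ("guest", ADMINISTRATIVE_USER)):
        print(name, st, evaluate_policy(build_access_request(name, st)))
```

With the policy set to "Administrative" only, an operator-level login (Service-Type 7) from the same user is rejected; a second policy conditioned on NAS-Prompt would be needed to permit it.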