HPE Community
Switches, Hubs, and Modems
1820478 Members
2977 Online
109624 Solutions
New Discussion юеВ

IAS authentication levels

 
Miika T
Valued Contributor

тАО01-22-2006 03:55 AM

тАО01-22-2006 03:55 AM

IAS authentication levels

How can I configure, which user level is autenticated, when I have enabled radius switch authentication using IAS in w2k3? Basically I would like to know, how does the switch know that the domain user name I will use to login is and operator or manager level userid? This is with procurve 2500/2600/5300 switches?

-Miika
0 Kudos
3 REPLIES 3
Holger Hasenaug
Trusted Contributor

тАО01-22-2006 08:06 PM

тАО01-22-2006 08:06 PM

Re: IAS authentication levels

In the RADIUS access-request packet there is a "service-type" attribute that the switch includes. Depending on whether operator (login) or manager (enable) access level is being requested, the service-type attribute will be nas-prompt (7) or administrative-user (6), respectively. The RADIUS server needs a policy defined to take the field into account in determining the ultimate permit/deny decision.
0 Kudos
Miika T
Valued Contributor

тАО02-06-2006 01:38 AM

тАО02-06-2006 01:38 AM

Re: IAS authentication levels

Is it a feature that the radius user first logins as operator and then if I give "enable" command I am prompted for username again, which accepts the same username/password as the operator login.

As for the service-type configuration, should I change this in IAS/policy/advanced service-type? Both administrative and Nas-prompt is found, but I can't have attribute number 6. So is this the value that should be either 6 or 7. If so, how can I change it?

-Miika
0 Kudos
MsE
Advisor

тАО06-27-2006 09:35 PM

тАО06-27-2006 09:35 PM

Re: IAS authentication levels

It might be a little late to answer your question regarding the date on which you have posted it but I'm going to answer anyway. Maybe other people have similar problems.

> Is it a feature that the radius user first
> logins as operator and then if I give
> "enable" command I am prompted for username
> again, which accepts the same
> username/password as the operator login.

RTFM! :)
The 5300 Series Switches' Access Security Guide Manual on Page 6-10 states that you have to use the "aaa authentication login privilege-mode" option to get rid of the double login.

> As for the service-type configuration,
> should I change this in IAS/policy/advanced
> service-type? Both administrative and
> Nas-prompt is found, but I can't have
> attribute number 6. So is this the value
> that should be either 6 or 7. If so, how
> can I change it?

Defining the "Administrative" service-type in a POLICY means to only accept requests that contain the "Administrative" attribute. This leads to your first question:

> Basically I would like to know, how does
> the switch know that the domain user name I
> will use to login is and operator or
> manager level userid?

As I set up my first IAS I had the same question and it took me quite a long time to figure it out. I had read almost every MS document about IAS but couldn't find an answer to my question.
What you have to do is to
1.) make a new windows group like "switch access" or something and add the users which are going to be allowed to access the switches.
2.) define a remote access policy. In the wizard choose the "Windows group matches..." condition and supply the group which you want to grant access to.
3.) edit the corresponding dial-in profile. On the "Advanced" tab, choose the "Service-Type" to be "Administrative".
(This is what I did on W2K3, might be slightly different on W2K)

This way the switch "knows" which users may be granted access to because the IAS answers with the right Service-Type when being asked by the switch.

You can test your config with the eventvwr or by using the "iasparse" tool from microsofts resource kit. Both supply detailed information and reasons why an access request has been rejected.
I hope this helps.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.