Authentication SSH Switch HPE 5130, 5900 and 11900 with RADIUS and MFA Microsoft

 
ClaytonEduardo
Occasional Advisor

Good morning everybody,

I was able to successfully implement the Microsoft MFA and Microsoft RADIUS implementation for user authentication on the HPE 5130 and 5900 switches, however, I am not able to implement it on my HPE1900 CORE switch.

Below is the configuration for the HPE 5130 and HPE5900 switches:

radius scheme system
primary authentication MY_SERVER_RADIUS
primary accounting MY_SERVER_RADIUS
security-policy-server MY_SERVER_RADIUS
key authentication cipher XXXXXXXXXXXXXXXX
key accounting cipher XXXXXXXXXXXXXXXXXXX
user-name-format without-domain

and

role default-role enable network-admin

I have the same configuration as above on my HPE 11900 switch; however, on the HPE11900 switch there is no "security-policy-server" command. This was the only difference in the configuration I found between them...
When I try to use MFA on the HPE 11900 Switch I get the message below:

Pre-authentication banner message from server:
Invalid code.
> Contact your administrator to make sure that the time on your mobile device is
> in sync with ADSelfService Plus server and try again.
End of banner message from server
Further authentication required
myuser.admin@IP_SWITCH_CORE's password:

All switches in my network synchronize date and time and they are all the same.
Does anyone know if there is any alternative command, or how I could solve this question?

akg7
HPE Pro

Hello,

Can you please share the product number 'JXXXXX' of HPE 11900 switch and current software version?

Thanks!
Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company
ClaytonEduardo
Occasional Advisor

Yes, software version HPE Comware Software, Version 7.1.070, Release 7576, Release Version: HP FF 11908-V-7576

 

ClaytonEduardo
Occasional Advisor

Sorry, this is the model DEVICE_NAME : HPE 11908 V Switch Chassis JG608A

akg7
HPE Pro

Hello,

I believe you need to enable radius session control

Below are the steps:

[Switch] radius session-control enable

[Switch] radius session-control client ip <security-policy server ip> key simple <key>

Thanks!
ClaytonEduardo
Occasional Advisor

Hi....

I put this command, but I received the same response.

ClaytonEduardo
Occasional Advisor

Good morning,

Today I had support with the MFA team and they told me that the MFA code sent by the switch is incorrect, however, this only happens on the HPE 11900 switch, when I put the CODE using Microsoft Authenticator. But on the HPE 5130 and 5900 switches it is working correctly, does anyone have any ideas?
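
One way to check what the switch actually placed in the RADIUS Access-Request, added here as an example that is not part of the original thread or any HPE or Microsoft code: per RFC 2865 the reply to an Access-Challenge travels in the User-Password attribute, hidden with the shared key, so decoding it from a capture shows byte for byte what the NAS sent. It assumes you hold the shared key and a captured packet; the function names, the sample packet, the secret and the code value are all constructed for illustration.

```python
import hashlib

def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    # RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous
    # ciphertext block); the first block uses the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = data[i:i + 16] if decrypt else block
    return out

def hide_password(plain: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS (the switch) does to the typed password or code."""
    size = max(16, -(-len(plain) // 16) * 16)   # NUL-pad to a multiple of 16
    return _xor_blocks(plain.ljust(size, b"\x00"), secret, authenticator, False)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not 16 <= len(hidden) <= 128 or len(hidden) % 16:
        raise ValueError("User-Password must be 16..128 bytes in 16-byte blocks")
    return _xor_blocks(hidden, secret, authenticator, True).rstrip(b"\x00")

def user_password_from_request(packet: bytes, secret: bytes) -> bytes:
    """Return the decoded User-Password (attribute type 2) of an Access-Request."""
    if len(packet) < 20 or packet[0] != 1:
        raise ValueError("not a RADIUS Access-Request")
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    authenticator, pos = packet[4:20], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == 2:
            return reveal_password(packet[pos + 2:pos + alen], secret, authenticator)
        pos += alen
    raise ValueError("no User-Password attribute in packet")

def build_sample_request(user: bytes, typed: bytes, secret: bytes) -> bytes:
    auth = bytes(range(16))   # constructed Request Authenticator, not from a capture
    hidden = hide_password(typed, secret, auth)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return bytes([1, 7]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs

if __name__ == "__main__":
    pkt = build_sample_request(b"myuser.admin", b"123456", b"constructed-secret")
    print(repr(user_password_from_request(pkt, b"constructed-secret")))
```

Printing the result with `repr()` makes any extra or altered bytes around the code visible, which can then be compared against the same decode from a switch where MFA works.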

akg7
HPE Pro

Hello,

The radius config looks fine which you have configured into HPE 11900 switch. This might be a bug in current software but I am unable to trace it. This issue needs remote/LAB intervention.

So request you to please log a case with HPE Support Center portal for further resolution using the link: https://support.hpe.com/hpesc/public/home/

Thanks!

 

ClaytonEduardo
Occasional Advisor

Thank you for your feedback. I already opened a call on the link you indicated,