
V1910 radius server Level privilege

 
Cornflag
Occasional Visitor


Authorization while using CS ACS as a RADIUS server does not seem to work with the V1910 switches we are using.

The VSA for determining privilege levels (representing privilege levels 0 through 3) is set on my RADIUS server... I see in the logs that it's passing this attribute back to the switch. However, no matter what I set this value to, I am always at privilege level 0 when I authenticate against the RADIUS server.

 

Does anybody know how to fix it?

thedesp
Occasional Visitor

Re: V1910 radius server Level privilege

Hi

 

I have exactly the same problem.

My switch is V1910-24G

 

Here is my simple user file from freeradius

 

 

testing         Cleartext-Password := "password"
                3Com-User-Access-Level = 3

 

The user is authenticated successfully. RADIUS sent "3Com-User-Access-Level = 3", but I am stuck in view-only mode after login.

 

switchman
Member

Re: V1910 radius server Level privilege

Cornflag, thedesp, have you made any progress with this?

 

I seem to be having the same issue.

Using Server 2008 Network policy services (AKA IAS)

HP V1910 switch

 

I have it all set up and I can telnet to the switch and log into the web page.

However, with telnet, the only command available is "quit".

When I log into the web page, I get "User level is lower!110"

 

Have tried:
Service-Type=Administrative

Vendor-Specific=010600000003

Vendor-Specific=shell:priv-lvl=15

 

in various combinations.

 

Thanks!

thedesp
Occasional Visitor

Re: V1910 radius server Level privilege

Still no progress on this.

nborisenkov
Occasional Contributor

Re: V1910 radius server Level privilege

Good afternoon.
I have the same problem. What should be sent to the 3Com Baseline Switch 2920-SFP Plus (HP V1910) in the Access-Accept packet to make it grant the necessary privilege level? At the moment it returns:

<ROOT>
  <ErrorMsg>
    User level is lower!
  </ErrorMsg>
  <ErrorId>
    11
  </ErrorId>
  <BackHome>
    0
  </BackHome>
</ROOT>
nborisenkov
Occasional Contributor

Re: V1910 radius server Level privilege

I did it :) I just changed the radius server type from "Standard" to "Extended" and then added "Login-Service = Telnet" to the radius attributes...

 

My current working config:

...

domain default enable system

...

radius scheme system
 server-type extended
 primary authentication 172.30.192.232
 key authentication testing123
 user-name-format without-domain

...

domain testdomain
 authentication default radius-scheme system
 authorization default radius-scheme system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

...
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

And my current lines from the freeradius users file for the 3Com Baseline Switch 2920-SFP Plus:

steve Cleartext-Password := "testing123"
   3Com-User-Access-Level = 3,
   Service-Type = NAS-Prompt-User,
   Login-Service = Telnet

 

freeradius users lines for HP-v1910

steve Cleartext-Password := "testing123"
   Hw_Exec_Privilege = H3C-Administrator,
   Service-Type = NAS-Prompt-User,
   Login-Service = Telnet

 and dictionary.h3c:

VENDOR          H3C                             25506

BEGIN-VENDOR    H3C

ATTRIBUTE       H3C-Connect_Id                  26      integer
ATTRIBUTE       H3C-NAS-Startup-Timestamp       59      integer
ATTRIBUTE       H3C-Ip-Host-Addr                60      string
ATTRIBUTE       H3C-Product-ID                  255     string

ATTRIBUTE       Hw_Exec_Privilege               29      integer

VALUE           Hw_Exec_Privilege               H3C-Visitor             0
VALUE           Hw_Exec_Privilege               H3C-Monitor             1
VALUE           Hw_Exec_Privilege               H3C-Manager             2
VALUE           Hw_Exec_Privilege               H3C-Administrator       3

END-VENDOR      H3C

 

Now log in with username steve@testdomain and you have administrator rights.
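Added example (not part of the thread and not any poster's code): a Python sketch that encodes and decodes the Vendor-Specific attribute (RADIUS type 26, RFC 2865) using the H3C vendor ID 25506 and Hw_Exec_Privilege sub-attribute 29 from the dictionary above, so the privilege level in a captured Access-Accept can be checked. The function names and the sample bytes are constructed for illustration; the numeric codes for Service-Type and Login-Service are the RFC 2865 values.

```python
import struct

# From the dictionary.h3c posted above: vendor H3C = 25506, Hw_Exec_Privilege = 29.
H3C_VENDOR_ID = 25506
HW_EXEC_PRIVILEGE = 29
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for VSAs
LEVEL_NAMES = {0: "Visitor", 1: "Monitor", 2: "Manager", 3: "Administrator"}

def encode_vsa(vendor_id, vendor_type, level):
    """Build one Vendor-Specific attribute carrying a 32-bit integer sub-attribute."""
    sub = struct.pack("!BBI", vendor_type, 6, level)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub

def parse_tlvs(data):
    """Split type/length/value records; the length byte counts its own 2-byte header."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out

def privilege_vsas(attrs):
    """Return (vendor_id, vendor_type, level) for every integer VSA in an attribute block."""
    found = []
    for atype, value in parse_tlvs(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        for vtype, v in parse_tlvs(value[4:]):
            if len(v) == 4:
                found.append((vendor_id, vtype, struct.unpack("!I", v)[0]))
    return found

# Constructed sample: attribute section of an Access-Accept matching the HP V1910
# users entry above (Service-Type = NAS-Prompt-User (7), Login-Service = Telnet (0)).
SAMPLE_ATTRS = (struct.pack("!BBI", 6, 6, 7) + struct.pack("!BBI", 15, 6, 0)
                + encode_vsa(H3C_VENDOR_ID, HW_EXEC_PRIVILEGE, 3))

if __name__ == "__main__":
    for vendor, vtype, level in privilege_vsas(SAMPLE_ATTRS):
        print(f"vendor={vendor} type={vtype} level={level} ({LEVEL_NAMES.get(level, '?')})")
    # The hex string tried earlier in the thread is a bare sub-attribute (no vendor ID):
    print(parse_tlvs(bytes.fromhex("010600000003")))
```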

 

Cornflag
Occasional Visitor

Re: V1910 radius server Level privilege

This config is truly working

 

Thanks for all