Comware

  • 1.  HP 5900 hwtacacs comware 7.

    Posted Sep 20, 2013 09:44 AM

    Hey,

    I'm trying to make the HP5900 run AAA against a tacacs server.

     

    Problem is, I can't seem to figure out how to make it work.

    I have a problem somewhere, either in configuring the tac_plus server or in configuring the switch.

     

    The symptoms are that I log on and immediately get logged off.

    If I enable the default user role ("role default-role enable"), I can log on, but I'm being assigned the default role network-operator, and I need network-admin.

     

    Using "debugging hwtacacs all" and "debugging role all", this is (shortened to the last entries) what I see when I try logging on (undo role default-role enable):

     

    <beginquote>

    *Jan  9 05:41:53:109 2011 <switch> TACACS/7/EVENT:
    PAM_TACACS: Sending request packet.
    *Jan  9 05:41:53:109 2011 <switch> TACACS/7/send_packet:
    version: 0xc0  type: AUTHOR_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
    session-id: 0x1a1d8820
    length of payload: 44
    authen_method: TACACSPLUS  priv_lvl: 0  authen_type: ASCII  authen_service: LOGIN
    user_len: 5   port_len: 0   rem_len: 12   arg_cnt: 2
    arg0_len: 13    arg1_len: 4
    user: <user>
    port:
    rem_addr: <tac-plus_server>
    arg0: service=shell  arg1: cmd*
    *Jan  9 05:41:53:110 2011 <switch> TACACS/7/EVENT:
    PAM_TACACS: Receiving reply packet.
    *Jan  9 05:41:53:117 2011 <switch> TACACS/7/recv_packet:
    version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
    session-id: 0x1a1d8820
    length of payload: 69
    Status: STATUS_PASS_ADD  arg_cnt: 3  server_msg len: 0  data len: 0
    arg0_len: 12    arg1_len: 21    arg2_len: 27
    server_msg:
    data:
    arg0: idletime=120  arg1: roles="network-admin"
    arg2: shell:roles="network-admin"
    *Jan  9 05:41:53:117 2011 <switch> TACACS/7/EVENT:
    PAM_TACACS: Processing authorization reply packet.
    *Jan  9 05:41:53:117 2011 <switch> TACACS/7/EVENT:
    PAM_TACACS: Processing authorization reply data, Reply Type: SUCCESS.
    *Jan  9 05:41:53:118 2011 <switch> TACACS/7/EVENT:
    PAM_TACACS: Succeeding in processing TACACS authorization.
    %Jan  9 05:41:53:118 2011 <switch> SSHS/6/SSHLOG: Accepted password for <user> from <tac-plus_server> port 51298 ssh2.

    *Jan  9 05:41:53:185 2011 <switch> RBAC/7/ERROR: Failed to set the user role.
    %Jan  9 05:41:53:195 2011 <switch> SSHS/6/SSHLOG: User <user> logged out from <tac-plus_server> port 51298.
    <endquote>

     

    In this instance I send roles="network-admin" and shell:roles="network-admin", and trust me, I have tried many permutations of AV pairs.

    The 5900 runs "System image version: 7.1.023, Release 2108P03"

     

    The 5900 is configured (tacacs-wise) as:

    "

    user-interface vty 0 15
     authentication-mode scheme
     user-role network-admin
     idle-timeout 30 0

     

    ssh server enable

    undo ssh server compatible-ssh1x

     

    hwtacacs scheme <tac-scheme>
     primary authentication <tac-plus_server>
     primary authorization <tac-plus_server>
     key authentication cipher <keycipher1>
     key authorization cipher <keycipher1>
     user-name-format keep-original

    domain <domain-name>
     authentication default hwtacacs-scheme <tac-scheme>
     authorization default hwtacacs-scheme <tac-scheme>

    domain default enable <domain-name>
    "

     

    What AV pairs do I need to send to the switch to give me network-admin privilege?

     

    Regards, Søren

     

     



  • 2.  RE: HP 5900 hwtacacs comware 7.

    Posted Sep 22, 2013 04:29 AM

    Hi.

    Just another comment. (I haven't solved the issue.)

    But if someone using TACACS and Comware 7 has a working setup, could they enable hwtacacs debugging ("debugging hwtacacs all") on the switch and send me what they receive on the switch?

    Especially the TACACS/7/recv_packet: part.

    Mine was (my clock is off, I need to check my NTP settings as well, I think :)

     

    "

    *Jan  9 05:41:53:117 2011 <switch> TACACS/7/recv_packet:
    version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
    session-id: 0x1a1d8820
    length of payload: 69
    Status: STATUS_PASS_ADD  arg_cnt: 3  server_msg len: 0  data len: 0
    arg0_len: 12    arg1_len: 21    arg2_len: 27
    server_msg:
    data:
    arg0: idletime=120  arg1: roles="network-admin"
    arg2: shell:roles="network-admin"


    "

    As you'll note from the log in my previous post, the error I get (later in the log) is not a TACACS one but an RBAC one, namely:

    "

    *Jan  9 05:41:53:185 2011 <switch> RBAC/7/ERROR: Failed to set the user role.

    "

    And immediately after that I get logged off.

    I'm thinking this is because I send the wrong AV pairs. But I traversed what documentation I could find, which is sparse, and I can't seem to find it.

     

    On a side note: in the aforementioned sparse documentation (e.g. http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c03189486/c03189486.pdf), I read, and I quote, the note on page 44:

     

    To be compatible with privilege-based access control, the device automatically converts privilege-based
    user levels (0 to 15) assigned by an AAA server to RBAC user roles (level-0 to level-15).
    If the AAA server assigns a privilege-based user level and a user role to a user, the user can use the
    collection of commands and resources accessible to both the user level and the user role.

     

    Of course I tried to set a bunch of different Exec Privilege AV pairs also, to no avail.

     

    Regards

    Søren Dideriksen



  • 3.  RE: HP 5900 hwtacacs comware 7.

    Posted Sep 22, 2013 05:04 PM

    Hi,

     

    Did you check these posts:

    http://h30499.www3.hp.com/t5/Comware-Based/5900-v7-2-and-Radius/m-p/6049491/highlight/true#M4165

    http://h30499.www3.hp.com/t5/Comware-Based/5920-RADIUS-attributes-for-SSH-login-on-HP-5920AF/m-p/5855277/highlight/true#M3656

     

    For RADIUS, the AV pair to be used is the Cisco-AV pair and the service-type telnet/ssh; not sure on the TACACS one however, I still need to test that one.

     

    Best regards, Peter



  • 4.  RE: HP 5900 hwtacacs comware 7.

    Posted Sep 23, 2013 05:04 AM

    Hi Peter,

     

    I already read

    http://h30499.www3.hp.com/t5/Comware-Based/5920-RADIUS-attributes-for-SSH-login-on-HP-5920AF/m-p/5855277/highlight/true#M3656

     

    which is where I got a lot of ideas to try out, but it did not help me.

     

    The other thread

    http://h30499.www3.hp.com/t5/Comware-Based/5900-v7-2-and-Radius/m-p/6049491/highlight/true#M4165

     

    is interesting because it seems to be the exact same problem just with a radius server. The original poster hasn't replied, so I'm not sure if the proposed solution worked.

     

    Regards

     

     



  • 5.  RE: HP 5900 hwtacacs comware 7.

    Posted Sep 23, 2013 05:31 PM

    Hi Søren,

     

    I verified the config with the free tacacs.net server. It was a bit of trial and error (I got confused with the cisco-avpair which is used in the Radius config, which does not seem to be used on the tacacs config).

    So on the tacacs.net server there were 2 methods to get it working:

    1/ CMW7 compatibility behavior: configure the old priv level 15 and Comware 7 will interpret it as the level-15 role.

    Sample tacacs.net authorization (needs inserting in the authorization.xml file):

     


    <Authorization>
      <UserGroups>
        <UserGroup>Local System Administrators</UserGroup>
      </UserGroups>
      <ClientGroups>
        <ClientGroup>HP-Switches</ClientGroup>
      </ClientGroups>
      <AutoExec>
        <Set>priv-lvl=15</Set>
      </AutoExec>
      <Shell>
        <Permit>.*</Permit>
      </Shell>
      <Services>
      </Services>
    </Authorization>

     

     

    2/ CMW7 role assignment: configure the role name.

     

    <Authorizations>
      <Authorization>
        <UserGroups>
          <UserGroup>Local System Administrators</UserGroup>
        </UserGroups>
        <ClientGroups>
          <ClientGroup>HP-Switches</ClientGroup>
        </ClientGroups>
        <AutoExec>
          <Set>roles="network-admin"</Set>
        </AutoExec>
        <Shell>
          <Permit>.*</Permit>
        </Shell>
        <Services>
        </Services>
      </Authorization>
    </Authorizations>

     

     

    Hope this works for you,

     

    Best regards, Peter

     



  • 6.  RE: HP 5900 hwtacacs comware 7.

    Posted May 07, 2014 06:28 AM
    I tried to change the same two attributes on the IMC shell profile, but it did not work and the logged-in user still has network-operator privileges.

    The two attributes assigned on OMC TACACS are:
    priv-lvl=15
    roles="network-admin"


  • 7.  RE: HP 5900 hwtacacs comware 7.

    Posted Jun 24, 2014 07:22 AM

    Hi Sam,

     

    I have solved the issue.

     

    I think the problem was in the software version.

     

    I currently run 7.1.035, Release 2210, and 7.1.045, Release 2307 on various 5900s.

     

    Here is what I configured.

    ] display current-configuration configuration hwtacacs

    hwtacacs scheme <tacacs-scheme-name>
     primary authentication <ip-of-primary-tac+-server>
     primary authorization <ip-of-primary-tac+-server>
     primary accounting <ip-of-primary-tac+-server>
     secondary authentication <ip-of-secondary-tac+-server>
     secondary authorization <ip-of-secondary-tac+-server>
     secondary accounting <ip-of-secondary-tac+-server>
     key authentication cipher <authen-cipher>
     key authorization cipher <autho-cipher>
     key accounting cipher <accounting-cipher>
     user-name-format keep-original

    ] display current-configuration configuration isp

    domain <domain-name>
     authentication login hwtacacs-scheme <tacacs-scheme-name>
     authorization login hwtacacs-scheme <tacacs-scheme-name>
     accounting login hwtacacs-scheme <tacacs-scheme-name>

    ] display current-configuration configuration system

    ...

    domain default enable <domain-name>

     

    The only thing the tacplus server sends is

    priv-lvl = 15

     

    So that works for me now.

     

    Regards

    Søren Dideriksen
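    As an added example (not code from anyone in this thread), a small Python helper for the troubleshooting step the thread keeps coming back to: it parses the TACACS/7/recv_packet AUTHOR_REPLY dump quoted in posts 1 and 2, checks each logged argument against its advertised argN_len, and maps the AV pairs to the two role-granting forms the thread ended up with (roles="..." and priv-lvl=15, the latter converted to the level-15 role as the quoted documentation note describes). The first sample dump is constructed from the posted values; the second, carrying priv-lvl, is hypothetical.

```python
import re

# Constructed sample: the AUTHOR_REPLY block from the "debugging hwtacacs all"
# output quoted in this thread, trimmed to the lines the parser uses.
SAMPLE_REPLY = """\
*Jan  9 05:41:53:117 2011 <switch> TACACS/7/recv_packet:
version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
Status: STATUS_PASS_ADD  arg_cnt: 3  server_msg len: 0  data len: 0
arg0_len: 12    arg1_len: 21    arg2_len: 27
arg0: idletime=120  arg1: roles="network-admin"
arg2: shell:roles="network-admin"
"""

# Hypothetical reply, constructed here, carrying the priv-lvl form instead.
SAMPLE_PRIV_REPLY = """\
Status: STATUS_PASS_ADD  arg_cnt: 1  server_msg len: 0  data len: 0
arg0_len: 11
arg0: priv-lvl=15
"""

def parse_author_reply(text):
    """Return (status, [args]) from a TACACS/7/recv_packet AUTHOR_REPLY dump.
    Each argN value must match its advertised argN_len, so a truncated or
    mangled capture raises instead of producing a misleading result."""
    status = re.search(r'Status:\s+(\S+)', text).group(1)
    arg_cnt = int(re.search(r'arg_cnt:\s+(\d+)', text).group(1))
    lengths = {int(i): int(n) for i, n in re.findall(r'arg(\d+)_len:\s+(\d+)', text)}
    args = {int(i): v for i, v in re.findall(r'arg(\d+):\s+(\S+)', text)}
    if len(args) != arg_cnt or any(len(v) != lengths.get(i) for i, v in args.items()):
        raise ValueError("arg_cnt/argN_len disagree with the logged arguments")
    return status, [args[i] for i in sorted(args)]

AVPAIR_RE = re.compile(r'^([^=*]+)([=*])(.*)$')  # '=' mandatory, '*' optional

def interpret_args(args):
    """Map AV pairs to the Comware 7 outcome discussed in the thread:
    roles="..." names roles directly; priv-lvl=N (0..15) becomes the level-N
    role per the quoted documentation note. Anything else goes to 'other'."""
    out = {"roles": [], "priv_level": None, "optional": [], "other": []}
    for arg in args:
        m = AVPAIR_RE.match(arg)
        attr, sep, value = m.groups() if m else (None, None, None)
        if sep == "*":
            out["optional"].append(attr)
        if attr == "roles":
            out["roles"].extend(value.strip('"').split())
        elif attr == "priv-lvl" and value.isdigit() and 0 <= int(value) <= 15:
            out["priv_level"] = int(value)
            out["roles"].append(f"level-{value}")
        else:
            out["other"].append(arg)   # idletime, the shell:roles form, etc.
    return out
```

Anything that lands under "other" is an attribute the switch is not documented (on this page) to turn into a role, which is where a reply that passes authorization but still ends in "RBAC/7/ERROR: Failed to set the user role" should be inspected first.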

     

     



  • 8.  RE: HP 5900 hwtacacs comware 7.

    Posted Jul 26, 2018 06:11 AM

    Hi,

    Thanks a lot for your post, it saved a lot of my time.

    Thanks and regards,

    Ashok Kumar Sunkara.

     



  • 9.  RE: HP 5900 hwtacacs comware 7.

    Posted May 07, 2014 06:24 AM
    Hi Soren,
    Any update on this issue?
    did you manage to find a solution?
    Thanks in advance