Wired Intelligent Edge

Hi All,

 

I would like to login to our procurve switches using AD credentials and bypass the operator level and jump to the enable/manager (SSO, single sign on)

 

I've configured a procurve J4899A switch (H.10.74) for RADIUS authentication to a NPS server

Added the Procurve switch IP / shared secret to the NPS as a RADIUS client

Access-Request messagess must contain the Message-Authenticator attribute (ticked)

 

Ive ran the NPS wizard and it created a connection request / network policies:

 

Connection request policy (NAS Port Type=Ethernet)

Network Policy (NAS Port type = ethernet, windows group = <group>)

Contraints: Authentication Methods Microsoft: secured password, EAP-MSCHAP v2, MS-CHAP (ticked), PAP, SPAP (ticked)

 

The switch is configured with aaa authentication as below:

aaa authentication login privilege-mode

aaa authentication telnet enable radius local

radius-server host w.x.y.z key xyz

 

When I telnet to the switch and enter my username/password, the switch returns:

User authentication failure

 

The "Hardening Procurve switch" whitepaper mentions:

 

To supply a privilege level via RADIUS, specify the “Service-Type” attribute in the user’s credentials.
Service-Type = 6 allows manager-level access
Service-Type = 7 allows operator-level access
A user with Service-Type not equal to 6 or 7 is denied access
A user with no Service-Type attribute supplied is denied access when privilege mode is enabled

 

In the NPS Policy settings, there is a "Service Type" condition but which one specifies the above?

 

I've chosen "Administrative" but it still didn't work.

 

Thanks.

You are very close I would say....

 

I am attaching 3 screen shots, 1 for the connection policy and 2 for the network policy. These configs are on W2K8 (not R2, but may be the same if you are using R2).

 

These configurations work for 3500yl and probably all other ProVision switches, and possibly other ProCurve (non-ProVision code) switches as well.

 

This config supports the "login priviledge-mode" function.

 

 

hth...Jeff

 

 

All working! Thanks Jeff.

 

Your screenshot helped me too. We were missing "Framed-protocol=PPP" HP Procurve 2910 with firmware W_14_70 was working but after W_15_08_0012 it was not. And we need add that one line to Radius to fix it. That line was not any document that I did read. (I did read many)

I have this working without using a Connection Request Policy.

 

I am curious what the need is for the Connection Request Policy.  I only have a single policy (screenshot attached), and it seems to be working fine.  Basically, I am able to log in to the HP devices using specific domain credentials.

 

I use the Network Policy to grant/deny access based on conditions (AD group membership).  This is working great.  In the Network Policy I have Service-Type set to Administrative.  This supports aaa authentication login privilege-mode.  This is also very important for webui access, btw.

 

It seems the Connection Request Policy is used to redirect certain authentication requests to other AAA systems?  And if you are doing that, then you have to configure it properly.....

 

I will search around a bit for explanations, but figured I'd post here in case someone can explain it to me :)

This was working perfectly for a year or so.  I am not sure what happened, but our 2910al switches can't authenticate anymore.  Our 5400zl switches are fine.   I'm getting an error code "16" in the logs- user credential mismatch. 

---

@Jeff Carrell wrote:

You are very close I would say....

 

I am attaching 3 screen shots, 1 for the connection policy and 2 for the network policy. These configs are on W2K8 (not R2, but may be the same if you are using R2).

 

These configurations work for 3500yl and probably all other ProVision switches, and possibly other ProCurve (non-ProVision code) switches as well.

 

This config supports the "login priviledge-mode" function.

 

 

hth...Jeff

 

 

---

 

hi all,

i'm in the same situation....try all the commands possible...

with "aaa authentication login privilege-mode" i can't login, but if i remove this command i'm able to login with operator privileges.

 

how can i fix on NPS?

 

thanks,

fabio

I am having the same issue with a 5412R and latest 16.01.0006 firmware.  I don't mind logging in twice on a ssh session to get to manager mode however for some of our helpdesk guys they need the web ui.  It appears there is no way to get manager access without using this command on the gui.

no aaa authentication login privilege-mode     -  and radius works fine

with    aaa authentication login privilege-mode    enable it will not login.

The radius server is Windows Server 2012R2.

Ive tried various Authentication methods.  Framed-Protocol is set to PPP and Service-Type is set to Administrative

Hi Mike,

I don't have a 5400R but I tested on a 3800 with KA.16.01.0006 and it is working for me. I have attached a screenshot of my NPS Network Policy. You might also check the RADIUS logs to verify it is using the policy you think it is. Go to Event Viewer - Custom Views - Server Roles - Network Policy and Access Services.

My switch config is very simple. The interesting parts are:

radius-server host <IPADDR> key "RADIUSKEY"
aaa authentication login privilege-mode
aaa authentication ssh login radius
aaa authentication ssh enable radius

If this doesn't help, can you share your switch config and your NPS config.

As one last test. I have seen an issue twice now where an upgrade to 16.01 caused some wierd corruption in the config and when we copied the config off to a TFTP server and then back again, everything started working.

Using #K.16.02.0014 and 'aaa authentication login privilege-mode

When checking the radius auth calls, I was seeing calls go out and succeed, however the switch would deny the password

HP-3500yl-24G# show radius host <radius server IP>

See the linked reference document and specifically: "Enable manager access priv (optional)" and note the return values for the call (6/7)

When I checked the Win2k12 NPS setup, it was set to return "FRAMED" for service-type.

I changed that to "Administrator" and tested logging into the ProCurve with 'aaa authentication login privilege-mode':  tests all logged into the manager level.

I verified that this did not affect the Cisco logins in our environment.

Note: it appears that if you 'no aaa authentication login privilege-mode', then you will enter in Operator and then can enable, auth again with the same credentials, then be put in Manager.

 

 

Hi sphar1970/Jeff,

 

I need your help to setup radius server for switches and wireless controller access. if you have any document or screen short of all the configuration which may help to impelment on HP switch 8406 and radius server 2008.

 

Thanks

Mohammed