Comware

  • 1.  HPE 5900 radius configuration and fallback

    Posted May 12, 2023 06:30 AM

    Hi all,
    I'm going to configure RADIUS login on a 5900 with Comware 7 and I'm facing some trouble. Looking at some guides and forum posts, I see all different configurations.
    On Aruba I have this:

    aaa authentication console login radius local
    aaa authentication console enable radius local
    aaa authentication telnet login radius local
    aaa authentication telnet enable radius local
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local
    radius-server host <server-ip> key <server-key> acct-port 1646
    radius-server key <server-key>

    but I cannot translate it correctly on the 5945. When I tried, the system cut me out and I had to proceed with password recovery.

    My task is to configure RADIUS server access via Telnet and SSH, with a local password for the CLI and as a fallback after 5 RADIUS failures.

    My first configuration is this one:

    #
    radius scheme <scheme name>
        primary authentication <RADIUS server IP> key cipher <key>
        primary accounting <RADIUS server IP> key cipher <key>
        accounting-on enable
        accounting-on extended
        user-name-format without-domain
        nas-ip <the switch's own IP>
    #
    domain radius
        authentication login radius-scheme <scheme name> local
        authorization login radius-scheme <scheme name> local
        accounting login radius-scheme <scheme name> local
    #
    line vty 0 3
        authentication-mode scheme
        user-role network-admin
        user-role network-operator
        idle timeout 0 0
    #
    line vty 4
        authentication-mode scheme
        user-role network-operator
        idle timeout 0 0
    #
    ssh server enable
    public-key local create rsa
    y
    #

    Thanks,

    Stefano



  • 2.  RE: HPE 5900 radius configuration and fallback

    Posted May 15, 2023 09:21 AM
    Edited by spgsitsupport May 15, 2023 09:26 AM
    #
    radius scheme nps
     primary authentication IP.of.the.NPS key cipher xxxxxxxxxxxxxxxxxx
     primary accounting IP.of.the.NPS
     key authentication cipher xxxxxxxxxxxxxxxxxxxxxxxxxx
     key accounting cipher xxxxxxxxxxxxxxxxxxxxxxx
     user-name-format without-domain
    #
    radius scheme system
     user-name-format without-domain
    #
    domain domain-name
     authentication login radius-scheme nps local
     authorization login radius-scheme nps local
     accounting login radius-scheme nps local
    #
    domain system
    #
     domain default enable domain-name
    #
    
    #
    line class aux
     user-role network-admin
    #
    line class vty
     user-role network-operator
    #
    line aux 0 3
     user-role network-admin
    #
    line vty 0 63
     authentication-mode scheme
     user-role network-operator
     protocol inbound ssh
    






    ------------------------------
    spgsitsupport



  • 3.  RE: HPE 5900 radius configuration and fallback

    Posted May 16, 2023 01:55 AM

    If you want to have the auth fall back to local after failed passwords, I don't think this will work. Which is good.
    If you want to fall back because the RADIUS server is not available, you will need to look at health checks of some kind. If Comware has a route to the IP of the RADIUS server (and no health checks), you can't log in (e.g. if the WAN link is down).


     radius-server test-profile <profile_name> username radiushcheck password cipher <blahblahblah> interval 5 eap-profile <eap_profile>_PEAP
     primary authentication 1.2.3.4 key cipher blahblahblah test-profile <profile_name> weight 100


    You can, however, create a local username/password that is always available. This could be made extremely long and rotated for more security. Example config below:

    #
    radius scheme system
     user-name-format without-domain
    #
    domain localauth
     authentication login local
     authorization command local
    #
    domain system
     authentication login radius-scheme ssh_scheme local none
     authorization login radius-scheme ssh_scheme local none
     accounting login radius-scheme ssh_scheme local none

    You then log in with localuser@localauth
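
    Pulling the question and the replies together, here is an added example configuration for Comware 7 on the 5900 series. It is not taken from any of the posts above; the IP addresses, the scheme and domain names, the `radiusprobe` and `breakglass` account names and all secrets are made-up placeholders. It leaves out the one thing the original post asked for that Comware does not do: the switch only moves on to the next method in the list (`local`) when the RADIUS server does not answer at all, never when the server answers with an Access-Reject, so there is no "fall back to local after 5 wrong passwords". What it does show is the three pieces the replies point at: a test-profile so an unreachable server is noticed without waiting for a login to time out, a RADIUS domain that falls back to local without `none`, and a separate local-only domain for a break-glass account.

```text
#
 radius-server test-profile nps-probe username radiusprobe password simple ProbePassw0rd interval 5
#
radius scheme nps
 primary authentication 192.0.2.10 key simple SharedSecretChangeMe test-profile nps-probe
 primary accounting 192.0.2.10 key simple SharedSecretChangeMe
 timer response-timeout 3
 retry 2
 timer quiet 5
 user-name-format without-domain
 nas-ip 192.0.2.1
#
domain radius
 authentication login radius-scheme nps local
 authorization login radius-scheme nps local
 accounting login radius-scheme nps local
#
domain localauth
 authentication login local
 authorization login local
 accounting login local
#
 domain default enable radius
#
local-user breakglass class manage
 password simple LongRandomPasswordRotatedRegularly
 service-type ssh
 authorization-attribute user-role network-admin
#
line aux 0
 authentication-mode password
 set authentication password simple ConsolePasswordChangeMe
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 protocol inbound ssh
#
 ssh server enable
#
```

    A few notes on the choices. `simple` is used for every secret because it takes the plaintext you are typing; `cipher` expects the already-encrypted string as shown by `display current-configuration`, which is what you would paste back in when restoring a saved config. The probe in the test-profile only needs any RADIUS response, accept or reject, to mark the server reachable, so `radiusprobe` does not have to be a privileged account; without a test-profile the switch discovers an unreachable server only when a login attempt has exhausted `retry` x `timer response-timeout` (here a few seconds), after which the server is kept quiet for `timer quiet` minutes and local authentication is used directly. `none` is deliberately absent from the `domain radius` method lists: with `radius-scheme nps local none`, a user whose RADIUS server is unreachable and who also fails local authentication (for example because no matching local-user exists) is let in with no authentication at all, which is not what you want on the management plane. The break-glass login is `ssh breakglass@localauth`, where `@localauth` selects the local-only domain regardless of the default domain. Finally, under `authentication-mode scheme` the role comes from AAA authorization, i.e. the RADIUS server's returned role attributes or the local-user's `authorization-attribute user-role`; a `user-role` line under `line vty` only applies to `password` and `none` authentication modes, which is why it sits under `line aux 0` here and not under the vty lines.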




  • 4.  RE: HPE 5900 radius configuration and fallback

    Posted May 16, 2023 04:45 AM

    https://techhub.hpe.com/eginfolib/networking/docs/switches/12500/5998-4868_security_cg/content/378583728.htm



    ------------------------------
    spgsitsupport
    ------------------------------