Network Management


iMC UAM Device management users, YES login on device but NO enter in sys mode

  • 1.  iMC UAM Device management users, YES login on device but NO enter in sys mode

    Posted Mar 19, 2013 06:57 AM

    Hi all,

    I’m writing this message because I have a problem with authentication of network devices with the UAM module (device management feature).

    I configured everything as described in the UAM (Chapter 14 Device management users) and at present I can access the device and log in, but then I can’t enter sys mode.

    It’s as if I don’t have the necessary authorization!

    The device in question is an HP-5120, and on IMC I have set “H3C” in the Access Device Type field of the Access Device configuration. In addition, for the username/account with which I can’t enter sys mode, I used EXEC Priority set to 1, 3 and 15, but in the end the result doesn’t change.

    Does anyone have any suggestions for me?

     

    The process I followed was as follows:

    1. Adding users to device management and configuring the UAM users.

    2. Configuring the related devices as access devices in UAM.

    3. Configuring AAA authentication on the devices.

     

    Could it be that defining the device as H3C and not HP causes problems?



  • 2.  RE: iMC UAM Device management users, YES login on device but NO enter in sys mode

    Posted Mar 28, 2013 05:26 PM

    Hi,

     

    I had some confusing results as well with the UAM device management users and stopped using it (that was on 5.1, still need to check on 5.2).

    The main issue was that the radius vendor attribute for the device auth was the h3c/huawei code, and the device was expecting the other code.

    Since you are running the HP branded comware, it may be a similar issue, but I am not sure.

     

    The reason why I stopped using it is that the UAM only allows a single service-type (either telnet or ssh) for the user, so you cannot grant both at the same time, or allow terminal service-type as well (for UAM based console auth).

     

    This probably is better handled by the TAM (tacacs module of IMC) software module, but I do not have experience with that module so far.

     

    Best regards, Peter.



  • 3.  RE: iMC UAM Device management users, YES login on device but NO enter in sys mode

    Posted Mar 31, 2013 06:37 AM

    Hi Peter!

    In the end, together with a colleague, I realized the reason for this strange behavior.
    IMC was well configured, but the device configuration did not include the lines for the management of authorization and the server-type.
    Once we configured the device as below, everything started to work properly:

     

    radius scheme auth_radius
     server-type extended
     primary authentication <IP_server_IMC>
     key authentication <password>
     user-name-format keep-original

    domain radius_domain_imc
     authentication default radius-scheme auth_radius local
     authorization default radius-scheme auth_radius local
     authentication login radius-scheme auth_radius local
     authorization login radius-scheme auth_radius local

    user-interface vty 0 15
     authentication-mode scheme

    domain default enable radius_domain_imc

     

    Greetings, and thank you for your answer.

     

    FB


    #DeviceManagementonIMC
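
Added example, not part of the original posts and not HP/H3C code: a small Python check that reads saved device configuration text and reports the two gaps post 3 identifies (a domain that authenticates through a RADIUS scheme without an authorization line, and a scheme without server-type extended). The function names, the sample configuration and the 192.0.2.10 address are constructed for illustration, and it assumes the configuration uses the same command spelling as the post.

```python
import re

# Constructed sample (not from the thread): logins authenticate via RADIUS, but
# the scheme has no server-type line and the domain has no authorization lines.
BROKEN = """\
radius scheme auth_radius
 primary authentication 192.0.2.10
 user-name-format keep-original
domain radius_domain_imc
 authentication login radius-scheme auth_radius local
user-interface vty 0 15
 authentication-mode scheme
domain default enable radius_domain_imc
"""

HEADER = re.compile(r"^(radius scheme|domain|user-interface)\s+\S")
AAA = re.compile(r"^(authentication|authorization) (?:default|login) radius-scheme (\S+)")

def parse_sections(config):
    """Map each view header to its sub-commands (works on indented or flat text)."""
    sections, current = {}, None
    for line in filter(None, (l.strip() for l in config.splitlines())):
        if HEADER.match(line):
            current = sections.setdefault(line, [])
        elif current is not None:
            current.append(line)
    return sections

def audit_aaa(config):
    """Report the gaps post 3 describes: no authorization line, no server-type."""
    sections, findings = parse_sections(config), []
    for header, lines in sections.items():
        if not header.startswith("domain ") or header.startswith("domain default enable"):
            continue
        used = {"authentication": set(), "authorization": set()}
        for m in filter(None, map(AAA.match, lines)):
            used[m.group(1)].add(m.group(2))
        for scheme in sorted(used["authentication"]):
            if scheme not in used["authorization"]:
                findings.append(f"{header}: no authorization line for scheme {scheme}")
            scheme_lines = sections.get(f"radius scheme {scheme}")
            if scheme_lines is None:
                findings.append(f"{header}: radius scheme {scheme} is not defined")
            elif "server-type extended" not in scheme_lines:
                findings.append(f"radius scheme {scheme}: server-type extended not set")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_aaa(BROKEN)) or "no findings")
```

Run over the configuration posted above (with the placeholders filled in), audit_aaa returns an empty list.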