Comware

  • 1.  RADIUS authentication HP1920-16G

    Posted Aug 18, 2016 11:49 AM

    I currently have quite a few HP1910 (8G and 16G) and HP 5120 which use RADIUS for SSH logins. The NPS server is 2012R2. The RADIUS authentication works and assigns the correct privilege level.

    Recently I got some HP1920 (8G and 16G). However those fail RADIUS authentication with the same settings that work on the 1910. On the 2012R2 server side I can see the user is granted full access successfully however the switch just logs:

    SHELL/5/SHELL_LOGINFAIL: SSH user martin failed to log in from 192.168.205.55 on VTY0..
    SC/5/SC_AAA_FAILURE: -AAAType=AUTHEN-AAAScheme= radius-scheme system-Service=login-UserName=martin@example; AAA is failed. Common.
    SC/6/SC_AAA_LAUNCH: -AAAType=AUTHEN-AAAScheme= radius-scheme system-Service=login-UserName=martin@example; AAA launched.

    The relevant switch config from HP1920 (which is the exact same on 1910 switches) is:

    radius scheme system
    server-type extended
    primary authentication 1.1.1.1
    key authentication XXXXXXXXXXXXXXXXXXXXXXX
    user-name-format without-domain
    #
    domain example
    authentication default radius-scheme system
    authorization default radius-scheme system
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    #
    domain default enable example


    The only notable difference is that 1910 switches run Comware Software, Version 5.20, Release 1513P99

    And the 1920 ones are on Comware Software, Version 5.20.99, Release 1112

    However I doubt that is the issue.

    Thanks,

    Martin



  • 2.  RE: RADIUS authentication HP1920-16G

    Posted Aug 23, 2016 07:17 AM

    Hello,

    One thing to check on the 1920 series switches - are these still using the (older H3C / Huawei) 4 levels of privilege (0-3, 3 being admin or manager) or have they shifted over to using the 0-15 (very Cisco like) scheme?

    Have a look at this FreeRadius example to see what I mean - it shows both the 4 level and 16 level privilege model. Should be easy enough to copy the Cisco style one for a new rule for the new switch and test it.

    I know some people had to revisit their VSA model (vendor specific attributes) when introducing CW7.

    It might be a red herring but worth checking out.

    Ta

    Ian




  • 3.  RE: RADIUS authentication HP1920-16G

    Posted Aug 23, 2016 09:39 AM

    Did you succeed? I have the exact same problem with a new 1920-8G. The old attributes configured in Freeradius don't seem to work on this one.



  • 4.  RE: RADIUS authentication HP1920-16G

    Posted Aug 23, 2016 12:23 PM

    Not yet. I will be able to work more on this problem next week. If I do I will post how we did it.


    M



  • 5.  RE: RADIUS authentication HP1920-16G

    Posted Aug 23, 2016 02:36 PM

    We usually use the following with 1920:

    Hw_Exec_Privilege = H3C-Administrator,
    3Com-User-Access-Level = 3Com-Manager,
    Service-Type = NAS-Prompt-User,
    HP-Privilege-Level = "3"

    Does this work for you?
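    To see what the attributes suggested above look like on the wire, here is an added example (not from this thread, HPE or FreeRADIUS) that encodes them as RFC 2865 Vendor-Specific attributes in an Access-Accept and decodes them back into privilege claims. The vendor IDs and vendor-type numbers are assumptions recalled from the common FreeRADIUS dictionary files, and Hw_Exec_Privilege is assumed to be the H3C Exec-Privilege attribute; verify both against your own dictionaries.

```python
import struct

# Constructed mini-dictionary covering the attributes quoted in the post.
# Vendor IDs and vendor-types are ASSUMPTIONS recalled from the usual
# FreeRADIUS dictionary.* files; check them against your own copies.
VSA_NAMES = {
    (11, 1): "HP-Privilege-Level",       # HP, vendor-type 1, integer 0-15
    (43, 1): "3Com-User-Access-Level",   # 3Com, vendor-type 1, 3Com-Manager = 2
    (25506, 29): "H3C-Exec-Privilege",   # H3C, vendor-type 29, H3C-Administrator = 3
}
SERVICE_TYPE, VENDOR_SPECIFIC, NAS_PROMPT_USER = 6, 26, 7

def encode_vsa(vendor_id, vendor_type, value):
    """Build one RFC 2865 Vendor-Specific (type 26) attribute with one sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub

def decode_attrs(data):
    """Walk a RADIUS attribute list; yield (type, vendor_id, vendor_type, value)."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        body = data[i + 2:i + alen]
        if atype != VENDOR_SPECIFIC:
            yield atype, None, None, body
        elif len(body) < 4:
            raise ValueError("Vendor-Specific attribute shorter than its Vendor-Id")
        else:
            vendor_id, j = struct.unpack("!I", body[:4])[0], 4
            while j < len(body):
                if j + 2 > len(body) or body[j + 1] < 2 or j + body[j + 1] > len(body):
                    raise ValueError("malformed VSA for vendor %d" % vendor_id)
                vtype, vlen = body[j], body[j + 1]
                yield atype, vendor_id, vtype, body[j + 2:j + vlen]
                j += vlen
        i += alen

def privilege_claims(data):
    """Map the privilege-bearing attributes of an Access-Accept to name -> int."""
    claims = {}
    for atype, vid, vtype, value in decode_attrs(data):
        if atype == SERVICE_TYPE:
            claims["Service-Type"] = struct.unpack("!I", value)[0]
        elif (vid, vtype) in VSA_NAMES:
            claims[VSA_NAMES[(vid, vtype)]] = struct.unpack("!I", value)[0]
    return claims

# Constructed attribute list carrying the values suggested in the post above.
SAMPLE_ACCEPT = (
    struct.pack("!BBI", SERVICE_TYPE, 6, NAS_PROMPT_USER)
    + encode_vsa(11, 1, struct.pack("!I", 3))
    + encode_vsa(43, 1, struct.pack("!I", 2))
    + encode_vsa(25506, 29, struct.pack("!I", 3))
)
```

    Running `privilege_claims` over the attribute bytes of a captured Access-Accept from the NPS server shows exactly which vendor and privilege attributes it sends, which is the quickest way to tell whether the 1920 is rejecting the privilege attribute or the whole accept.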



  • 6.  RE: RADIUS authentication HP1920-16G

    Posted Aug 23, 2016 12:22 PM

    Hi Ian,


    I figured it might be in the VSAs but what I don't get is that FW between 1910 and 1920 seems to be identical CW5. We are finishing deployment of 1920s this week and I have requested 1 to be sent up to our test lab. I will be able to work on that next week and will drop you an update when I have one.

    Regards,

    Martin