Comware

  • 1.  RADIUS/SSH OR LOCAL ACCESS REJECT

    Posted Feb 16, 2015 07:33 AM

    Hello!

    I have a problem accessing my 5700 with local or RADIUS access.

    I replaced a ProVision switch with a Comware 5700 and since this change I cannot access my switch.

    On ProVision I had this configuration for RADIUS/SSH access and it worked fine:


    aaa authentication web login radius local
    aaa authentication web enable radius local
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local
    aaa accounting network start-stop radius
    aaa accounting exec start-stop radius
    aaa accounting system start-stop radius
    radius-server host x;x;x;x;x

    ip ssh
    ip ssh key-size 1024

    Now on my Comware device I did this (there is no ACL for the moment):

    for local access:

    line vty 0 4
     authentication-mode scheme
     user-role network-admin
     user-role network-operator
     protocol inbound ssh
     idle-timeout 30 5

    ssh server enable

    for RADIUS access:

    radius scheme xxxx
     primary authentication x.x.x.x key cipher
     primary accounting x.x.x.x key cipher
     key authentication cipher
     key accounting cipher
     user-name-format without-domain

    #
    domain system
     authentication login radius-scheme xxxxx
     authorization login radius-scheme xxxx
     accounting login radius-scheme xxxxx xxxx
     authentication default radius-scheme xxxx local
     authorization default radius-scheme xxxx local
     accounting default radius-scheme xxxx local
    #
     domain default enable system

    When a user tries to connect using RADIUS over SSH he gets this error message (the user is instantly disconnected from the session):

    %Feb  9 19:24:50:167 2015 FR-CORE-01 SSHS/6/SSHS_LOG: Accepted password for kanchana from xx.x.x.x port 54603 ssh2.
    %Feb  9 19:24:50:198 2015 FR-CORE-01 SSHS/6/SSHS_CONNECT: SSH user  (IP: ) connected to the server successfully.
    %Feb  9 19:24:51:845 2015 FR-CORE-01 SSHS/6/SSHS_DISCONNECT: SSH user  (IP:) disconnected from the server.

    And in local access using SSH:

    Access permission denied

    On the user's SSH interface we just see this and we are always disconnected:

    ******************************************************************************
    * Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P.          *
    * Without the owner's prior written consent,                                 *
    * no decompiling or reverse-engineering shall be allowed.                    *
    ******************************************************************************

    Shared connection to x;x;x;x closed.

    Please, can you help me?

    Thanks in advance for your help.


  • 2.  RE: RADIUS/SSH OR LOCAL ACCESS REJECT

    Posted Feb 18, 2015 03:28 AM

    Hi Slimbens,

    A few things you need to remember.

    1: Have you created the RSA and/or DSA keys needed for SSH?

    ] public-key local create rsa

    ] public-key local create dsa

    You use only "line vty 0 4", but there are in fact 64 VTY lines (so you might want to use "line vty 0 63").

    If you want to fall back to local login, you need to look through your "domain system" commands:
    there are a few "local" missing at the end of the AAA login statements. (You don't need the default statements if you just need SSH login.)

    And you need to make a local user if you want to log in locally.

    ]local-user mylocaluser

    ]password simple <cleartext-password>

    ]authorization-attribute user-role <the-user-role-you-want>

    So if somehow the RADIUS service cannot be reached, you can do a fallback*) login using mylocaluser in the system domain.

    *) The fallback login is enabled in the "domain" (in your case "system") using the
    "authentication login radius-scheme parrot local" command (and the same for authorization and accounting);
    the last "local" in these lines makes the fallback. You can only use this fallback in case the RADIUS service cannot be reached.

    If you want to make a local user that can be enabled at the same time as a functioning RADIUS service, you can make a new domain and log onto that with the local user.

    Regards.


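    Putting the points of the reply above together, here is an added example of the Comware 7 side of the configuration. It is not from the original thread or from HPE documentation: the scheme name rad1, the local user fallback-admin, the server address 192.0.2.10 and the shared secret are placeholders, and the "local-user ... class manage" / "service-type ssh" lines are the Comware 7 syntax as I know it, so check them against your release. Reply 3 below asks for at least 2048-bit host keys.

```text
# Added example: Comware 7 login AAA with RADIUS first and local fallback.
# Placeholders: rad1, fallback-admin, 192.0.2.10, <secret>, <cleartext-password>.
#
# 1. Host keys. Each command prompts for the modulus length; answer 2048
#    (the default on older releases is 1024, which is too short).
 public-key local create rsa
 public-key local create dsa
#
 ssh server enable
#
# 2. A management local user that exists only for the fallback. It is
#    consulted only when every server in the RADIUS scheme is unreachable,
#    never when a server answers Access-Reject.
local-user fallback-admin class manage
 password simple <cleartext-password>
 service-type ssh
 authorization-attribute user-role network-admin
#
radius scheme rad1
 primary authentication 192.0.2.10 key cipher <secret>
 primary accounting 192.0.2.10 key cipher <secret>
 user-name-format without-domain
#
# 3. The trailing "local" on each login method is the fallback the reply
#    describes; the "default" lines of the original post are not needed
#    for SSH login and are omitted.
domain system
 authentication login radius-scheme rad1 local
 authorization login radius-scheme rad1 local
 accounting login radius-scheme rad1 local
#
 domain default enable system
#
# 4. All 64 VTY lines, SSH only. With authentication-mode scheme the user
#    role is authorized by AAA (local-user or RADIUS reply); a "user-role"
#    line under the VTY applies to the none/password modes, so it is left out.
line vty 0 63
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 30 0
#
```

    Test the fallback by making the RADIUS server unreachable (block it or take it offline), not by typing a wrong RADIUS password: a reject from a reachable server is final and the local user is not tried.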

  • 3.  RE: RADIUS/SSH OR LOCAL ACCESS REJECT

    Posted Feb 18, 2015 01:50 PM

    When creating the local private keys, don't forget to define their size.

    I think the default is 1024, which is NOT recommended nowadays. They should be at least 2048.

    So press the ? key after the last command of each line to see which sizes are available and pick the largest possible.



  • 4.  RE: RADIUS/SSH OR LOCAL ACCESS REJECT

    Posted Feb 19, 2015 08:31 AM

    Thank you very much for your quick reply. I already created the RSA/DSA key files, but after reading your advice I can see some mistakes in my configuration, so I am trying to fix it and I will come back to you with some news.

    Best regards!

    Slim



  • 5.  RE: RADIUS/SSH OR LOCAL ACCESS REJECT

    Posted Feb 20, 2015 09:47 AM

    Hello everyone,

    After testing your tips, the fallback for local access for the SSH service type and local users works fine.
    However, to make it work, I changed the RSA and DSA public-key modulus from 2048 to 1024; it did not work with a 2048 modulus, but now local SSH access is OK.

    But I still have a problem with RADIUS sessions. The SSH users have a peer public key and these commands:

    ssh users ....service type all authentication any ( password/public key ) assign 'key...."

    The peer key was imported into the flash directory with the command:

    public key peer .....

    The RADIUS (802.1x) users connect correctly to the 5700 via RADIUS but they are automatically/instantly disconnected....

    RADIUS and SSH debugging was displayed and recovered; if you want, I can share the debug output.

    Do you have any idea of the problem? Is there a problem with the key? I think it is useless because we never specified a peer key or anything else on the ProVision switches.

    Thanks in advance for your precious help.

    Best regards.

    Slim



  • 6.  RE: RADIUS/SSH OR LOCAL ACCESS REJECT

    Posted Feb 20, 2015 10:06 AM

    For information, below you can find what is displayed on the client screen when I try a RADIUS connection:

    9d [Slimbens@grenache:/home/Slimbens] $ ssh r1
    Slimbens@192.168.99.1's password:
    Permission denied, please try again.
    Slimbens@192.168.99.1's password:

    ******************************************************************************
    * Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P.          *
    * Without the owner's prior written consent,                                 *
    * no decompiling or reverse-engineering shall be allowed.                    *
    ******************************************************************************

    ##### PERSONAL AUTHORIZED ONLY // ACCES IS FORBIDDEN #####

    Shared connection to 192.168.99.1 closed.

    And on the switch I have this:

    *Feb 20 11:07:09:461 2015 SWITCH1 SSHS/7/EVENT: Received SSH2_MSG_DISCONNECT from 192.168.99.99: reason '11', message "disconnected by user".
    %Feb 20 11:07:09:461 2015 SWITCH1 SSHS/6/SSHS_DISCONNECT: SSH user Slimbens (IP: 192.168.99.99) disconnected from the server.
    *Feb 20 11:07:09:461 2015 SWITCH1 SSHS/7/EVENT: PAM: cleanup



  • 7.  RE: RADIUS/SSH OR LOCAL ACCESS REJECT

    Posted Mar 10, 2015 07:14 AM

    Did you configure the RADIUS server profile to send service-type login and either the CMW5-based privilege level (0/1/2/3) or the CMW7-based user role (using cisco-av-pair)?



  • 8.  RE: RADIUS/SSH OR LOCAL ACCESS REJECT

    Posted Mar 11, 2015 07:49 AM

    Thanks for your reply!

    For information:

    Using the Cisco AV-pair attributes 'level-x' or 'network-admin', or creating specific role attributes on the device, it's OK: we can connect to the device with a RADIUS account,
    but now we must fix the rules and privileges because we only have read access.

    Regards

     

    Slim
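    As an added example (not from the thread or from HPE), here is what the RADIUS side described in the two replies above looks like as FreeRADIUS "users" file entries for a Comware 7 switch. Attribute names are those of the stock FreeRADIUS dictionaries; the user names, passwords and the role assignments are placeholders. Service-Type = Login-User is the "service-type login" of reply 7; the Cisco-AVPair carries the user role, which must already exist on the switch (a built-in role such as network-admin, network-operator or level-0 to level-15, or a custom one defined with "role", which is the "specific role attributes on the device" of reply 8).

```text
# Added example (not from the thread): FreeRADIUS "users" entries for
# Comware 7 SSH login. User names and passwords are placeholders.

# Full administrative access. Service-Type marks this as a login session
# rather than network access; the Cisco-AVPair names the switch user role.
# The inner quotes are escaped because the role name itself is quoted.
netadmin  Cleartext-Password := "change-me"
          Service-Type = Login-User,
          Cisco-AVPair = "shell:roles=\"network-admin\""

# Read-only operator: same shape, different role. This is the access the
# original poster describes in reply 8 as "only read access"; change the
# role here, not the switch, to grant more than that.
netops    Cleartext-Password := "change-me"
          Service-Type = Login-User,
          Cisco-AVPair = "shell:roles=\"network-operator\""

# A custom role: the name must match a "role <name>" defined on the
# switch (with its own rule statements), otherwise there is nothing to
# authorize and the session is closed right after the password is
# accepted, as in the log of the first post.
auditor   Cleartext-Password := "change-me"
          Service-Type = Login-User,
          Cisco-AVPair = "shell:roles=\"ro-audit\""
```

    Keep the reply to the attributes the switch needs: a role assigned by the RADIUS server is the switch's authorization, so the server's user-to-group mapping deserves the same change control as the switch configuration itself.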