Saturday, May 14, 2011

HP A-Series / H3C / Comware RADIUS Administrative Login HOWTO

Most of the larger networks I work on use central authentication so that credential management does not become a nightmare.

Comware-based devices require some specific attributes to be returned by the RADIUS server in order to allow for administrative login.

The vendor-specific attribute with vendor ID 2011 and attribute ID 29 lets you specify the user level to apply, using the following values:

0 H3C-Visitor
1 H3C-Monitor
2 H3C-Manager
3 H3C-Administrator

Additionally, you will want to return the standard Login-Service attribute (type 15) with the value Telnet (0) to grant telnet access, 50 for SSH and 52 for console access. Comware gear is picky about the RADIUS server returning exactly the Login-Service matching the access method, along with the right exec privilege.

For those of you with Microsoft RADIUS servers, you must edit the following file and add the Login-Service values above to the right section:
c:\windows\system32\ias\dnary.xml

The section looks like this when properly filled in. Reboot the server after editing the file (no, a service restart is not sufficient).
 

<StandardValues>
   <StandardValue>
    <Name>Telnet</Name>
    <Value>0</Value>
   </StandardValue>
   <StandardValue>
    <Name>Rlogin</Name>
    <Value>1</Value>
   </StandardValue>
   <StandardValue>
    <Name>TCP Clear</Name>
    <Value>2</Value>
   </StandardValue>
   <StandardValue>
    <Name>Portmaster (proprietary)</Name>
    <Value>3</Value>
   </StandardValue>
   <StandardValue>
    <Name>LAT</Name>
    <Value>4</Value>
   </StandardValue>
   <StandardValue>
    <Name>X25-PAD</Name>
    <Value>5</Value>
   </StandardValue>
   <StandardValue>
    <Name>X25-T3POS</Name>
    <Value>6</Value>
   </StandardValue>
   <StandardValue>
    <Name>ssh</Name>
    <Value>50</Value>
   </StandardValue>
   <StandardValue>
    <Name>console</Name>
    <Value>52</Value>
   </StandardValue>
   <StandardValue>
    <Name>TCP Clear Quiet (suppresses any NAS-generated connect string)</Name>
    <Value>8</Value>
   </StandardValue>
  </StandardValues>

The message "Admin user's login type mismatches the radius server assigned", seen when debugging RADIUS, means that you are logging in through telnet, SSH or the console and the RADIUS server has either not returned the Login-Service attribute or has returned one that does not match the access method in use.

In practice this means you need a RADIUS policy that matches the NAS-Port-Type at login; you will usually pick either telnet or SSH for remote shell access. For console access the switch passes a different NAS-Port-Type than for vty access, which allows differentiation at the RADIUS policy level.
Looking at a Wireshark trace, the returned attributes look like this:


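The following Python script is an added example, not code from the original post. It builds the Access-Accept attribute list described above (the vendor 2011 / attribute 29 user level and Login-Service 0/50/52), goes one step beyond the text by framing it as a full RFC 2865 Access-Accept with the Response Authenticator computed over the shared key (so the NAS can verify the reply came from the server holding "RADKEY"), parses the attributes back, and reproduces the switch-side check that yields the "login type mismatches" message when Login-Service is absent or does not match the access method. The attribute numbers are those documented in this post; the packet identifier, request authenticator and secret are constructed values.

```python
"""Build, authenticate and check the RADIUS attributes a Comware switch expects
for administrative login, and reproduce the switch-side check that produces
"Admin user's login type mismatches the radius server assigned". Added example,
not code from the original post: attribute numbers (Login-Service = 15, vendor
2011 attribute 29, values 0/50/52) come from the post, packet framing follows
RFC 2865, and the identifier, authenticator and secret used are constructed."""
import hashlib
import hmac
import struct

ATTR_LOGIN_SERVICE = 15      # RFC 2865 Login-Service
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific
H3C_VENDOR_ID = 2011
H3C_EXEC_PRIVILEGE = 29      # vendor attribute carrying the user level
LOGIN_SERVICE = {"telnet": 0, "ssh": 50, "console": 52}
EXEC_LEVEL = {0: "H3C-Visitor", 1: "H3C-Monitor", 2: "H3C-Manager", 3: "H3C-Administrator"}
MISMATCH = "Admin user's login type mismatches the radius server assigned"

def encode_attrs(attrs):
    """Serialize [(type, value_bytes)] as RFC 2865 TLVs: type, length, value."""
    out = bytearray()
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)

def encode_vsa(vendor_id, vendor_type, value):
    """Payload of a Vendor-Specific attribute: vendor id, vendor type, vendor length, value."""
    return struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value

def build_accept_attrs(access_method, level):
    """Attribute list for an Access-Accept granting `level` over `access_method`."""
    return encode_attrs([
        (ATTR_VENDOR_SPECIFIC,
         encode_vsa(H3C_VENDOR_ID, H3C_EXEC_PRIVILEGE, struct.pack("!I", level))),
        (ATTR_LOGIN_SERVICE, struct.pack("!I", LOGIN_SERVICE[access_method])),
    ])

def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Frame attrs as an Access-Accept (code 2) with the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) of RFC 2865 s3."""
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    head = struct.pack("!BBH", 2, identifier, 20 + len(attrs))
    auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + auth + attrs

def verify_access_accept(packet, request_authenticator, secret):
    """Return the attribute bytes of a well-formed Access-Accept whose Response
    Authenticator matches the shared secret; None otherwise (the NAS drops it)."""
    if len(packet) < 20:
        return None
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return packet[20:]

def decode_attrs(data):
    """Parse TLVs into a dict; VSAs are keyed as ("vsa", vendor_id, vendor_type)."""
    attrs, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("truncated Vendor-Specific attribute")
            vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
            if vendor_len != len(value) - 4:
                raise ValueError("bad vendor length")
            attrs[("vsa", vendor_id, vendor_type)] = value[6:]
        else:
            attrs[attr_type] = value
    return attrs

def check_admin_login(access_method, attr_bytes):
    """Mimic the switch: require the exec-privilege VSA and a Login-Service equal
    to the access method actually in use; a missing Login-Service is a mismatch."""
    attrs = decode_attrs(attr_bytes)
    raw_level = attrs.get(("vsa", H3C_VENDOR_ID, H3C_EXEC_PRIVILEGE))
    if raw_level is None or len(raw_level) != 4:
        return False, "no usable exec privilege (vendor 2011, attribute 29) returned"
    level = struct.unpack("!I", raw_level)[0]
    if level not in EXEC_LEVEL:
        return False, f"unknown exec privilege {level}"
    raw_ls = attrs.get(ATTR_LOGIN_SERVICE)
    if raw_ls is None or len(raw_ls) != 4 or \
            struct.unpack("!I", raw_ls)[0] != LOGIN_SERVICE[access_method]:
        return False, MISMATCH
    return True, f"login via {access_method} at level {level} ({EXEC_LEVEL[level]})"
```

For an SSH login at level 3 the attribute list is 18 bytes (a 12-byte VSA plus a 6-byte Login-Service) and the framed Access-Accept is 38 bytes. Feeding the same accept to a console or telnet login, or an accept that carries Login-Service 0 to an SSH login (what a server falling back to the Telnet default would send), returns the mismatch message, which is exactly the condition the debug output reports.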
The following config accomplishes RADIUS authentication (tested on an A5800 running 5.20 R1206):


#
 domain default enable RADLAB
#
radius scheme SCHEME-LAB
 server-type extended
 primary authentication 10.1.1.1
 primary accounting 10.1.1.1
 key authentication RADKEY
 key accounting RADKEY
 user-name-format without-domain
#
domain RADLAB
 authentication login radius-scheme SCHEME-LAB
 authorization login radius-scheme SCHEME-LAB
 accounting login radius-scheme SCHEME-LAB
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-interface vty 0 15
 authentication-mode scheme
#

If you want to differentiate the admin login requests coming from Comware switches, you may do so using a number of attributes that are attached to the Access-Request sent by Comware:

23 comments:

  1. Hello,

    Thanks for this information. I have a similar goal but can't get it to work.

    H3C S5800-56C, Version 5.20, Release 1211.

    Tried with these attributes on FreeRadius :
    H3C-Exec-Privilege = 3
    Login-Service = Telnet

    H3C S5800 config:
    -----------------
    [rang-1cn-18-22-41]display radius scheme radius-ups
    SchemeName : radius-ups
    Index : 1 Type : extended
    Primary Auth Server:
    IP: W.X.Y.Z Port: 1812 State: active
    Encryption Key : XXX
    VPN instance : N/A
    Primary Acct Server:
    IP: W.X.Y.Z Port: 1813 State: active
    Encryption Key : XXX
    VPN instance : N/A
    Second Auth Server:
    IP: V.X.Y.Z Port: 1812 State: active
    Encryption Key : T01P-UPS
    VPN instance : N/A
    Second Acct Server:
    IP: V.X.Y.Z Port: 1813 State: active
    Encryption Key : XXX
    VPN instance : N/A
    Auth Server Encryption Key : N/A
    Acct Server Encryption Key : N/A
    VPN instance : N/A
    Accounting-On packet disable, send times : 50 , interval : 3s
    Interval for timeout(second) : 3
    Retransmission times for timeout : 3
    Interval for realtime accounting(minute) : 12
    Retransmission times of realtime-accounting packet : 5
    Retransmission times of stop-accounting packet : 500
    Quiet-interval(min) : 5
    Username format : keep-original
    Data flow unit : Byte
    Packet unit : one

    [rang-1cn-18-22-41]display domain dsrt
    Domain: dsrt
    State: Active
    Access-limit: Disabled
    Accounting method: Required
    Default authentication scheme : local
    Default authorization scheme : local
    Default accounting scheme : local
    Login authentication scheme : radius:radius-ups
    Login authorization scheme : radius:radius-ups
    Domain User Template:
    Idle-cut : Disabled
    Self-service : Disabled
    Authorization attributes:


    H3C debug output says:
    ----------------------
    *Dec 16 14:10:37:480 2011 rang-1cn-18-22-41 RDS/7/DEBUG:
    [H3C-29 Exec_Privilege ] [6 ] [3]
    [15 Login-Service ] [6 ] [0]
    *Dec 16 14:10:37:480 2011 rang-1cn-18-22-41 RDS/7/DEBUG: Reject, Message=[Admin user's login type mismatches the radius server assigned !]

    I have searched for a while but with no success so far...

    Regards,

  2. Can you post your configuration? I will be pleased to look at it. I will however amend this post right now because it is missing some data. Feel free to reread...

  3. "Admin user's login type mismatches the radius server assigned" means you are not returning the expected Login-Service for the access method you are trying to use. I amended the post to clarify this.

    You were right Mat, I needed the Login-Service RADIUS attribute...
    Without it, H3C debug output shows that the FreeRADIUS default behavior is to send Login-Service = 0 (Telnet) to the H3C.
    But telnet is not enabled on my H3C, just SSH (Login-Service = 50, as you mentioned).
    So the NAS (H3C) rejected authentication because it didn't receive (from FreeRADIUS) the Login-Service suited to the access method used (SSH), as you explained.

    Now, it rolls out!
    Thanks for your appreciated help!

    Here is my config:

    H3C:
    ----
    [H3C]display version
    H3C Comware Platform Software
    Comware Software, Version 5.20, Release 1211
    Copyright (c) 2004-2011 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
    H3C S5800-56C uptime is 0 week, 0 day, 3 hours, 58 minutes

    [H3C]display current-configuration
    ...
    domain default enable dtsi
    ...
    radius scheme radius-ups
    server-type extended
    primary authentication 5.6.7.8
    primary accounting 5.6.7.8
    key authentication XXXX
    key accounting XXXX
    user-name-format without-domain
    ...
    domain dtsi
    authentication login radius-scheme radius-ups
    authorization login radius-scheme radius-ups
    accounting login radius-scheme radius-ups
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    ...
    user-interface vty 0 4
    authentication-mode scheme

    Free Radius (FreeRADIUS Version 2.1.1)
    --------------------------------------
    /usr/local/share/freeradius/dictionary.rfc2865 :
    Add 'VALUE Login-Service SSH 50'

    /etc/raddb/users :
    denis Auth-Type := Crypt-Local, Password := "DYTDYDGDRGDGD"
    Huawei-Exec-Privilege = 3,
    Login-Service = 50

    H3C Debug output:
    -----------------
    ...
    *Apr 26 15:47:22:662 2000 H3C RDS/7/DEBUG: Send attribute list:
    *Apr 26 15:47:22:743 2000 H3C RDS/7/DEBUG:
    [1 User-name ] [7 ] [denis]
    [2 Password ] [18] [JHDFHDGD]
    [4 NAS-IP-Address ] [6 ] [172.30.2.21]
    [32 NAS-Identifier ] [5 ] [H3C]
    [5 NAS-Port ] [6 ] [0]
    [87 NAS_Port_Id ] [34] [slot=0;subslot=0;port=0;vlanid=0]
    *Apr 26 15:47:23:223 2000 H3C RDS/7/DEBUG:
    [61 NAS-Port-Type ] [6 ] [5]
    [H3C-26 Connect_ID ] [6 ] [1048577]
    [6 Service-Type ] [6 ] [1]
    [14 Login-Host ] [6 ] [172.30.2.21]
    [31 Caller-ID ] [19] [30302D30302D30302D30302D30302D3030]
    [8 Framed-Address ] [6 ] [1.2.3.4]
    ...
    *Apr 26 15:47:25:756 2000 H3C RDS/7/DEBUG: Receive:IP=[5.6.7.8],Code=[2],Length=[38]
    *Apr 26 15:47:25:867 2000 H3C RDS/7/DEBUG:
    [H3C-29 Exec_Privilege ] [6 ] [3]
    [15 Login-Service ] [6 ] [50]
    ...
    %Apr 26 15:47:27:593 2000 H3C RDS/6/RDS_SUCC: -IfName=N/A-VlanId=0-MACAddr=00:00:00:00:00:00-IPAddr=1.2.3.4-IPv6Addr=N/A-UserName=denis@dtsi; User got online successfully.
    %Apr 26 15:47:27:814 2000 H3C SHELL/5/SHELL_LOGIN: denis logged in from 1.2.3.4.
    ...

    Replies
    1. Hi All,

      I am using the MS IAS server for AD authentication and it is failing. With regard to the XML file, in my server's config it is a dnary.mdb file. Does anybody have the attributes that are required for it to work with MS IAS?

      The H3C device config is as under:

      sysname H3C
      #
      radius trap authentication-server-down
      radius trap authentication-error-threshold
      radius nas-ip 192.0.123.231
      #
      domain default enable xxx.com
      #
      telnet server enable
      #
      dot1x
      #
      vlan 1
      #
      vlan 192
      #
      radius scheme system
      server-type extended
      primary authentication 127.0.0.1 1645
      primary accounting 127.0.0.1 1646
      user-name-format without-domain
      radius scheme 2000
      primary authentication 10.109.0.63
      key authentication cisco
      user-name-format without-domain
      #
      domain xxx.com
      authentication default radius-scheme 2000 local
      access-limit disable
      state active
      idle-cut disable
      self-service-url disable
      domain system
      access-limit disable
      state active
      idle-cut disable
      self-service-url disable
      #
      user-group system
      #
      local-user admin
      password simple admin
      authorization-attribute level 3
      service-type telnet
      #
      interface NULL0
      #
      interface Vlan-interface192
      ip address 192.0.123.231 255.255.0.0
      #
      interface GigabitEthernet1/0/1
      port access vlan 192
      #
      ip route-static 0.0.0.0 0.0.0.0 192.0.0.254
      #
      load xml-configuration
      #
      user-interface aux 0
      user-interface vty 0 4
      authentication-mode scheme
      user-interface vty 5 15
      #
      return


      The debug output from the switch is as under:

      [H3C]
      *Apr 26 20:04:04:061 2000 H3C RDS/7/DEBUG: Recv MSG,[MsgType=Auth request Index = 27, ulParam3=2218482496]
      *Apr 26 20:04:04:193 2000 H3C RDS/7/DEBUG:
      Info: Unknow IP address type in making login-ip-host attribute.
      *Apr 26 20:04:04:323 2000 H3C RDS/7/DEBUG: Send attribute list:
      *Apr 26 20:04:04:404 2000 H3C RDS/7/DEBUG:
      [1 User-name ] [10] [srinivas]
      [2 Password ] [18] [DAE89E618CD207AF5A524DC40D37EE48]
      [4 NAS-IP-Address ] [6 ] [192.0.123.231]
      [32 NAS-Identifier ] [5 ] [H3C]
      [5 NAS-Port ] [6 ] [16781504]
      [87 NAS_Port_Id ] [36] [slot=1;subslot=0;port=1;vlanid=192]
      [61 NAS-Port-Type ] [6 ] [5]
      [6 Service-Type ] [6 ] [1]
      [31 Caller-ID ] [19] [30302D30302D30302D30302D30302D3030]
      [8 Framed-Address ] [6 ] [192.0.2.149]
      *Apr 26 20:04:05:236 2000 H3C RDS/7/DEBUG:
      Event: Begin to switch RADIUS server when sending 0 packet.
      *Apr 26 20:04:05:367 2000 H3C RDS/7/DEBUG: Send: IP=[192.0.3.151], UserIndex=[27], ID=[0], RetryTimes=[0], Code=[1], Length=[138]
      *Apr 26 20:04:05:528 2000 H3C RDS/7/DEBUG:
      Event: Set socket VPN attribute, VPN index=0, Result=0!
      *Apr 26 20:04:05:651 2000 H3C RDS/7/DEBUG: Send Raw Packet is:
      *Apr 26 20:04:05:732 2000 H3C RDS/7/DEBUG:
      01 00 00 8a 92 68 00 00 37 29 00 00 9e 28 00 00
      af 16 00 00 01 0a 73 72 69 6e 69 76 61 73 02 12
      da e8 9e 61 8c d2 07 af 5a 52 4d c4 0d 37 ee 48
      04 06 c0 00 7b e7 20 05 48 33 43 05 06 01 00 10
      c0 57 24 73 6c 6f 74 3d 31 3b 73 75 62 73 6c 6f
      74 3d 30 3b 70 6f 72 74 3d 31 3b 76 6c 61 6e 69
      64 3d 31 39 32 3d 06 00 00 00 05 06 06 00 00 00
      01 1f 13 30 30 2d 30 30 2d 30 30 2d 30 30 2d 30
      30 2d 30 30 08 06 c0 00 02 95

      *Apr 26 20:04:06:344 2000 H3C RDS/7/DEBUG: Recv MSG,[MsgType=PKT response Index = 20, ulParam3=2218786176]
      *Apr 26 20:04:06:485 2000 H3C RDS/7/DEBUG: Receive Raw Packet is:
      *Apr 26 20:04:06:566 2000 H3C RDS/7/DEBUG:
      03 00 00 14 cc 53 89 87 0e 15 6e 6c 5b 9e 4c 9c
      8f 72 49 81

      *Apr 26 20:04:06:707 2000 H3C RDS/7/DEBUG: Receive:IP=[192.0.3.151],Code=[3],Length=[20]
      *Apr 26 20:04:06:817 2000 H3C RDS/7/DEBUG: NULL
      *Apr 26 20:04:06:878 2000 H3C RDS/7/DEBUG: RejectMsg=[Rejected by RADIUS server without any message ]
      #Apr 26 20:04:06:999 2000 H3C RDS/4/AuthErrorThreshold:
      Trap:1.3.6.1.4.1.25506.2.13.3.0.3
      RADIUS authentication error percent exceeded the threshold!
      Index: 2 IPAddr:192.0.3.151 Port:1812

    2. Have been able to solve the problem. You would need to upgrade the switch to 2215 rel 5.2 and ensure to include the "server-type extended" command under the radius scheme.

  5. Just wanted to add a few step-by-steps for anyone wanting to use Windows RADIUS (NPS).

    Step 1: Follow the guide above for configuring your HP switch with the RADIUS settings.
    Step 2: Go into your NPS server and add a new network policy. Under overview you will want to enable the policy (default) and grant access. Under conditions you will want to add "service type = login" and you can add a group for security restriction. Under constraints you will want to edit the security authentication methods. Only select "Unencrypted authentication (PAP, SPAP)". Move on to the settings tab. Under the standard menu you will want to add an attribute of "Login-Service = ssh" (Name = Value). You can remove the defaults. Under the vendor specific tab you will create a new attribute for "Vendor-Specific". The vendor code will be 2011. Select "Yes. It conforms" and select "Configure Attribute...". For the "Vendor-assigned attribute number:" type 29. The "Attribute format:" will be decimal and your "Attribute value:" will be 3. I verified these settings with an HP 5500 running Comware 5.

  6. Thank you so much! It works!! :) (HP A5120)

  7. I am trying to set up RADIUS for an HP 5120 and have done it as per the above steps and could use RADIUS authentication.

  8. And what if the Radius server is not accessible? Are you still able to login with the local user account?

    Replies
    1. This comment has been removed by the author.

    2. This comment has been removed by the author.

    3. Yes, when your SSH or telnet session requests your credentials, just put the local user followed by @system.
      Ex:
      username: admin@system
      password: xxxxx

    4. Thanks for this command. I was able to login to the local admin.

  9. This comment has been removed by the author.

  10. Allan Follmann,

    If the local-user "admin" doesn't have a password set under it, will someone be able to access the switch with the admin@system login?

    These are our configs right now:

    local-user admin
    service-type ssh terminal

  11. Hi,
    Is it possible to ignore the "Login-Service" attribute? Because I can only do one policy with one authentication method if I want to log in.

  12. Probably something simple, noticed on the particular switch I use for testing that I'm not allowed to change Radius configuration under domain system - error is "There are user(s) online , can not be configured". I thought I might get away with using a console connection, but error persists. What is the process to overcome this gotcha?!

  13. I worked around my little issue by changing the auth mode to none for Aux, changed the configuration and re-added auth mode scheme with the updated configuration in place :)

  14. Hi all,

    Very useful information. I want to share the following information.

    There are two ways to have total access to the equipment; which one to use depends on the model of the device. These policies can be integrated into one.

    1. shell:roles="network-admin"
    Check the following link https://abouthpnetworking.com/2014/03/16/comware7-radius-based-rbac-user-role-assignment; all the steps are correct, but use the following characters "" (check the figure in the link) or copy this command: shell:roles="network-admin"

    2. Vendor-assigned attribute number: 29 level 3

    The other configuration is to access with profile level 3. Please check page 22 of this link https://community.hpe.com/hpeb/attachments/hpeb/switching-e-series-forum/3882/1/HP%20Networking%20-%202008%20R2%20NPS%20Radius%20for%20Management%20Login.doc Make the following changes suggested by TechGuy14.

    Window Vendor-Specific Attribute Information
    Enter Vendor code: 2011

    Window Configure VSA (RFC Compliant)
    Vendor-assigned attribute number: 29
    Attribute format: Decimal
    Attribute value: 3


    I share the scripts for the devices 3Com 4210, HP 1910, HP 1920, HP 1950 and A5500.


    Script
    *****************
    HP1910

    radius scheme nps
    server-type extended
    primary authentication 10.27.9.55
    primary accounting 10.27.9.55
    secondary authentication 10.27.9.56
    secondary accounting 10.27.9.56
    key authentication simple XXXX
    key accounting simple XXXX
    user-name-format without-domain
    attribute 25 car

    domain radiussimple
    authentication login radius-scheme nps local
    authorization login radius-scheme nps local
    accounting login radius-scheme nps local
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    domain default enable radiussimple
    *****************
    HP1920

    radius scheme nps
    server-type extended vendor 2011
    primary authentication 10.27.9.55
    primary accounting 10.27.9.55
    secondary authentication 10.27.9.56
    secondary accounting 10.27.9.56
    key authentication simple XXXX
    key accounting simple XXXX
    user-name-format without-domain
    attribute 25 car

    domain radiussimple
    authentication login radius-scheme nps local
    authorization login radius-scheme nps local
    accounting login radius-scheme nps local
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    domain default enable radiussimple

    *****************
    HP1950
    radius scheme nps
    primary authentication 10.27.9.55
    primary accounting 10.27.9.55
    secondary authentication 10.27.9.56
    secondary accounting 10.27.9.56
    accounting-on enable
    key authentication simple XXXX
    key accounting simple XXXX
    user-name-format without-domain
    attribute 15 check-mode loose

    domain radiussimple
    authentication login radius-scheme nps none
    authorization login radius-scheme nps none
    accounting login radius-scheme nps none

    domain default enable radiussimple

    *****************
    3COM-4210

    radius scheme nps
    server-type standard
    primary authentication 10.27.9.55
    primary accounting 10.27.9.55
    secondary authentication 10.27.9.56
    secondary accounting 10.27.9.56
    key authentication simple XXXX
    key accounting simple XXXX
    user-name-format without-domain

    domain radiussimple
    scheme radius-scheme nps
    authentication login radius-scheme nps local
    accounting login radius-scheme nps local

    domain default enable radiussimple

    ssh authentication-type default all
    super password level 3 cipher xxx
    *****************
    HP A5500

    radius scheme nps
    server-type extended vendor 2011
    primary authentication 10.27.9.55
    primary accounting 10.27.9.55
    secondary authentication 10.27.9.56
    secondary accounting 10.27.9.56
    key authentication simple XXXX
    key accounting simple XXXX
    timer quiet 3
    user-name-format without-domain
    nas-ip 10.17.9.1
    accounting-on enable
    attribute 25 car

    domain radiussimple
    authentication login radius-scheme nps local
    authorization login radius-scheme nps local
    accounting login radius-scheme nps local
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    *****************
