Comware-based devices require some specific attributes to be returned by the RADIUS server in order to allow for administrative login.
Vendor ID 2011, attribute ID 29 will let you specify the user level to apply, using the following values:
0 H3C-Visitor
1 H3C-Monitor
2 H3C-Manager
3 H3C-Administrator
Additionally, you will want to return the standard attribute Login-Service (AVP type 15) with a value of "telnet" (0) if you want to grant telnet access, 50 for SSH and 52 for console access. Comware gear is picky about having the RADIUS server return the exact Login-Service value along with the right exec privilege.
For those of you with Microsoft RADIUS servers (IAS), you must alter the following file and add the Login-Service values above to the right section:
c:\windows\system32\ias\dnary.xml
The section looks like this when properly filled in. Reboot the server after editing the file (no, a service restart is not sufficient).
<StandardValues>
  <StandardValue>
    <Name>Telnet</Name>
    <Value>0</Value>
  </StandardValue>
  <StandardValue>
    <Name>Rlogin</Name>
    <Value>1</Value>
  </StandardValue>
  <StandardValue>
    <Name>TCP Clear</Name>
    <Value>2</Value>
  </StandardValue>
  <StandardValue>
    <Name>Portmaster (proprietary)</Name>
    <Value>3</Value>
  </StandardValue>
  <StandardValue>
    <Name>LAT</Name>
    <Value>4</Value>
  </StandardValue>
  <StandardValue>
    <Name>X25-PAD</Name>
    <Value>5</Value>
  </StandardValue>
  <StandardValue>
    <Name>X25-T3POS</Name>
    <Value>6</Value>
  </StandardValue>
  <StandardValue>
    <Name>ssh</Name>
    <Value>50</Value>
  </StandardValue>
  <StandardValue>
    <Name>console</Name>
    <Value>52</Value>
  </StandardValue>
  <StandardValue>
    <Name>TCP Clear Quiet (suppresses any NAS-generated connect string)</Name>
    <Value>8</Value>
  </StandardValue>
</StandardValues>
The message "Admin user's login type mismatches the radius server assigned" seen when debugging RADIUS means that you are trying to log in through telnet, SSH or the console and the RADIUS server has either not returned the Login-Service attribute or has returned a different value.
In practice this means you will need a RADIUS policy that matches on the NAS-Port-Type presented at login, and for remote shell access you will usually pick either telnet or SSH. Console access will see the switch passing a different NAS-Port-Type than vty access, which allows for differentiation at the RADIUS policy level.
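To make the attribute requirements above concrete, here is an added example (not from the original post) that builds the attribute payload of an Access-Accept the way the page describes it, parses it back, and applies the same check the switch does: Login-Service (type 15) must match the login type, and a Vendor-Specific attribute (type 26) for vendor 2011 must carry sub-attribute 29 with a level of 0 to 3. The vendor-type/vendor-length sub-attribute layout inside the VSA is the RFC 2865 recommended format; that it applies here, and the sample payload, are assumptions made for the example. The error strings are constructed, not the switch's own debug output.

```python
import struct

# RADIUS attribute types from RFC 2865
ATTR_LOGIN_SERVICE = 15
ATTR_VENDOR_SPECIFIC = 26

# Values from the post: Login-Service codes Comware expects per login type,
# and the vendor/attribute pair that carries the exec privilege level.
LOGIN_SERVICE = {"telnet": 0, "ssh": 50, "console": 52}
VENDOR_ID = 2011
VSA_EXEC_PRIVILEGE = 29
PRIVILEGE_NAMES = {0: "H3C-Visitor", 1: "H3C-Monitor",
                   2: "H3C-Manager", 3: "H3C-Administrator"}


def encode_attr(attr_type, data):
    """Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def encode_login_service(login_type):
    return encode_attr(ATTR_LOGIN_SERVICE, struct.pack("!I", LOGIN_SERVICE[login_type]))


def encode_exec_privilege(level):
    # Assumed VSA layout: Vendor-Id, then vendor-type / vendor-length / value
    sub = struct.pack("!BB", VSA_EXEC_PRIVILEGE, 6) + struct.pack("!I", level)
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID) + sub)


def parse_attrs(payload):
    """Walk a RADIUS attribute list, returning (type, value-bytes) pairs.
    Rejects truncated or zero-length attributes instead of looping on them."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        out.append((t, payload[i + 2:i + length]))
        i += length
    return out


def extract_comware_attrs(payload):
    """Pull Login-Service and the vendor-2011 exec privilege out of an Access-Accept body."""
    result = {"login_service": None, "exec_privilege": None}
    for t, v in parse_attrs(payload):
        if t == ATTR_LOGIN_SERVICE and len(v) == 4:
            result["login_service"] = struct.unpack("!I", v)[0]
        elif t == ATTR_VENDOR_SPECIFIC and len(v) >= 4:
            if struct.unpack("!I", v[:4])[0] != VENDOR_ID:
                continue  # some other vendor's VSA, ignore it
            for st, sv in parse_attrs(v[4:]):  # sub-attributes share the T/L/V shape
                if st == VSA_EXEC_PRIVILEGE and len(sv) == 4:
                    result["exec_privilege"] = struct.unpack("!I", sv)[0]
    return result


def check_login(payload, login_type):
    """Apply the switch's rule: exact Login-Service for this login type plus a
    valid privilege level. Returns (accepted, reason)."""
    attrs = extract_comware_attrs(payload)
    expected = LOGIN_SERVICE[login_type]
    if attrs["login_service"] is None:
        return False, "Login-Service attribute missing from Access-Accept"
    if attrs["login_service"] != expected:
        return False, "Login-Service %d returned, %s needs %d" % (
            attrs["login_service"], login_type, expected)
    if attrs["exec_privilege"] not in PRIVILEGE_NAMES:
        return False, "no valid vendor-2011 attribute 29 privilege level returned"
    return True, "%s login as %s" % (login_type, PRIVILEGE_NAMES[attrs["exec_privilege"]])


# Constructed sample: an Access-Accept body granting SSH at administrator level
SAMPLE_SSH_ADMIN = encode_login_service("ssh") + encode_exec_privilege(3)

if __name__ == "__main__":
    print(extract_comware_attrs(SAMPLE_SSH_ADMIN))
    print(check_login(SAMPLE_SSH_ADMIN, "ssh"))
    print(check_login(SAMPLE_SSH_ADMIN, "telnet"))   # the mismatch case from the post
```

Running `check_login` with the same payload against "ssh" and "telnet" shows why one policy per login type is needed: the server's reply is only valid for the login type whose Login-Service code it carries.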
Looking at a Wireshark trace, the returned attributes will look like this:
The following config accomplishes RADIUS authentication (tested on an A5800 running 5.20 R1206):
#
domain default enable RADLAB
#
radius scheme SCHEME-LAB
server-type extended
primary authentication 10.1.1.1
primary accounting 10.1.1.1
key authentication RADKEY
key accounting RADKEY
user-name-format without-domain
#
domain RADLAB
authentication login radius-scheme SCHEME-LAB
authorization login radius-scheme SCHEME-LAB
accounting login radius-scheme SCHEME-LAB
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-interface vty 0 15
authentication-mode scheme
#
If you want to differentiate the admin login requests coming from Comware switches, you may do so using a number of attributes that are attached to the Access-Request sent by Comware: