Comware-based devices require some specific attributes to be returned by the RADIUS server in order to allow for administrative login.
Vendor ID 2011, attribute ID 29 will let you specify the user level to apply, using the following values:
0 H3C-Visitor
1 H3C-Monitor
2 H3C-Manager
3 H3C-Administrator
Additionally, you will want to return the standard attribute Login-Service (AVP type 15) with a value of "telnet" (0) if you want to grant telnet access, 50 for SSH and 52 for console access. Comware gear is picky about the RADIUS server returning the exact Login-Service for the access method in use, along with the right exec privilege.
For those of you with Microsoft RADIUS (IAS) servers, you must edit the following file and add the above Login-Service values to the right section:
c:\windows\system32\ias\dnary.xml
The section looks like this when properly filled in. Reboot the server after editing the file (no, a service restart is not sufficient).
<StandardValues>
  <StandardValue>
    <Name>Telnet</Name>
    <Value>0</Value>
  </StandardValue>
  <StandardValue>
    <Name>Rlogin</Name>
    <Value>1</Value>
  </StandardValue>
  <StandardValue>
    <Name>TCP Clear</Name>
    <Value>2</Value>
  </StandardValue>
  <StandardValue>
    <Name>Portmaster (proprietary)</Name>
    <Value>3</Value>
  </StandardValue>
  <StandardValue>
    <Name>LAT</Name>
    <Value>4</Value>
  </StandardValue>
  <StandardValue>
    <Name>X25-PAD</Name>
    <Value>5</Value>
  </StandardValue>
  <StandardValue>
    <Name>X25-T3POS</Name>
    <Value>6</Value>
  </StandardValue>
  <StandardValue>
    <Name>ssh</Name>
    <Value>50</Value>
  </StandardValue>
  <StandardValue>
    <Name>console</Name>
    <Value>52</Value>
  </StandardValue>
  <StandardValue>
    <Name>TCP Clear Quiet (suppresses any NAS-generated connect string)</Name>
    <Value>8</Value>
  </StandardValue>
</StandardValues>
The message "Admin user's login type mismatches the radius server assigned" seen when debugging RADIUS means that you are trying to log in through telnet, SSH or the console and the RADIUS server has either not returned the Login-Service attribute or has returned a different one.
In practice this means you will need a RADIUS policy that matches the NAS port type at login; you will usually pick either telnet or SSH for your remote shell access. For console access the switch sends a different NAS port type than for vty access, which allows for differentiation at the RADIUS policy level.
Looking at a Wireshark trace, the returned attributes will look like this:
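To make the switch-side check concrete, here is an added example (not code from the post or from Comware) that decodes the attribute list of an Access-Accept as RFC 2865 TLVs, pulls out Login-Service (type 15) and the vendor 2011 / attribute 29 exec privilege from the Vendor-Specific attribute (type 26), and reproduces the mismatch decision the post describes. The Access-Accept bytes are constructed inline; the mapping from access method to Login-Service value is the one given above.

```python
"""Decode a Comware Access-Accept attribute list and apply the Login-Service /
Exec-Privilege check described in the post. Added example, not switch code."""
import struct

VENDOR_H3C = 2011            # Vendor ID from the post
VSA_EXEC_PRIVILEGE = 29      # vendor attribute 29: user level 0..3
ATTR_LOGIN_SERVICE = 15      # standard Login-Service
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific

LEVELS = {0: "H3C-Visitor", 1: "H3C-Monitor", 2: "H3C-Manager", 3: "H3C-Administrator"}
LOGIN_SERVICE = {"telnet": 0, "ssh": 50, "console": 52}
MISMATCH = "Admin user's login type mismatches the radius server assigned"


def parse_attributes(payload: bytes) -> dict:
    """Walk RFC 2865 TLVs; return the Login-Service and H3C Exec-Privilege found (or None)."""
    found = {"login_service": None, "exec_privilege": None}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        value = payload[i + 2:i + alen]
        if atype == ATTR_LOGIN_SERVICE and len(value) == 4:
            found["login_service"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]          # vendor sub-attribute header
            if vendor == VENDOR_H3C and vtype == VSA_EXEC_PRIVILEGE and vlen == 6:
                found["exec_privilege"] = struct.unpack("!I", value[6:10])[0]
        i += alen
    return found


def evaluate_login(payload: bytes, access_method: str) -> tuple:
    """Mirror the switch's decision: Login-Service must match the method actually
    used (telnet/ssh/console); Exec-Privilege then selects the user level."""
    attrs = parse_attributes(payload)
    if attrs["login_service"] != LOGIN_SERVICE[access_method]:
        return False, MISMATCH          # missing or wrong Login-Service
    level = attrs["exec_privilege"]
    if level not in LEVELS:
        return False, "no usable Exec-Privilege returned"
    return True, LEVELS[level]


def build_accept(login_service: int, exec_privilege: int) -> bytes:
    """Constructed Access-Accept attribute list: Login-Service plus the 2011/29 VSA."""
    ls = struct.pack("!BBI", ATTR_LOGIN_SERVICE, 6, login_service)
    vsa_body = struct.pack("!IBBI", VENDOR_H3C, VSA_EXEC_PRIVILEGE, 6, exec_privilege)
    vsa = struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vsa_body)) + vsa_body
    return ls + vsa


if __name__ == "__main__":
    accept = build_accept(LOGIN_SERVICE["ssh"], 3)
    print(evaluate_login(accept, "ssh"))      # accepted as H3C-Administrator
    print(evaluate_login(accept, "console"))  # rejected: Login-Service mismatch
```

A server that omits Login-Service entirely fails the same way, which is the FreeRADIUS case discussed in the comments.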
The following config accomplishes RADIUS authentication (tested on an A5800 running 5.20 R1206):
#
domain default enable RADLAB
#
radius scheme SCHEME-LAB
server-type extended
primary authentication 10.1.1.1
primary accounting 10.1.1.1
key authentication RADKEY
key accounting RADKEY
user-name-format without-domain
#
domain RADLAB
authentication login radius-scheme SCHEME-LAB
authorization login radius-scheme SCHEME-LAB
accounting login radius-scheme SCHEME-LAB
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-interface vty 0 15
authentication-mode scheme
#
If you want to differentiate the admin login requests coming from Comware switches, you may do so using a number of attributes that are attached to the Access-Request sent by Comware:
Hello,
Thanks for this information. I have a similar goal but can't get it to work.
H3C S5800-56C, Version 5.20, Release 1211.
Tried with these attributes on FreeRadius :
H3C-Exec-Privilege = 3
Login-Service = Telnet
H3C S5800 config:
-----------------
[rang-1cn-18-22-41]display radius scheme radius-ups
SchemeName : radius-ups
Index : 1 Type : extended
Primary Auth Server:
IP: W.X.Y.Z Port: 1812 State: active
Encryption Key : XXX
VPN instance : N/A
Primary Acct Server:
IP: W.X.Y.Z Port: 1813 State: active
Encryption Key : XXX
VPN instance : N/A
Second Auth Server:
IP: V.X.Y.Z Port: 1812 State: active
Encryption Key : T01P-UPS
VPN instance : N/A
Second Acct Server:
IP: V.X.Y.Z Port: 1813 State: active
Encryption Key : XXX
VPN instance : N/A
Auth Server Encryption Key : N/A
Acct Server Encryption Key : N/A
VPN instance : N/A
Accounting-On packet disable, send times : 50 , interval : 3s
Interval for timeout(second) : 3
Retransmission times for timeout : 3
Interval for realtime accounting(minute) : 12
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet : 500
Quiet-interval(min) : 5
Username format : keep-original
Data flow unit : Byte
Packet unit : one
[rang-1cn-18-22-41]display domain dsrt
Domain: dsrt
State: Active
Access-limit: Disabled
Accounting method: Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Login authentication scheme : radius:radius-ups
Login authorization scheme : radius:radius-ups
Domain User Template:
Idle-cut : Disabled
Self-service : Disabled
Authorization attributes:
H3C debug output says:
----------------------
*Dec 16 14:10:37:480 2011 rang-1cn-18-22-41 RDS/7/DEBUG:
[H3C-29 Exec_Privilege ] [6 ] [3]
[15 Login-Service ] [6 ] [0]
*Dec 16 14:10:37:480 2011 rang-1cn-18-22-41 RDS/7/DEBUG: Reject, Message=[Admin user's login type mismatches the radius server assigned !]
I searched for a while but with no success so far...
Regards,
Can you post your configuration? I will be pleased to look at it. I will however amend this post right now because it is missing some data. Feel free to reread...
"Admin user's login type mismatches the radius server assigned" means you are not returning the expected Login-Service for the access method you are trying to use. I amended the post to clarify this.
You were right Mat, I needed the Login-Service RADIUS attribute...
Without it, H3C debug output shows that the FreeRADIUS default behavior is to send Login-Service = 0 (Telnet) to the H3C.
But telnet is not enabled on my H3C, just SSH (Login-Service = 50 as you mentioned).
So the NAS (H3C) rejected authentication because it didn't receive (from FreeRADIUS) the Login-Service suited for the access method used (SSH), as you explained.
Now, it rolls out!
Thanks for your appreciated help!
Here is my config:
H3C:
----
[H3C]display version
H3C Comware Platform Software
Comware Software, Version 5.20, Release 1211
Copyright (c) 2004-2011 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C S5800-56C uptime is 0 week, 0 day, 3 hours, 58 minutes
[H3C]display current-configuration
...
domain default enable dtsi
...
radius scheme radius-ups
server-type extended
primary authentication 5.6.7.8
primary accounting 5.6.7.8
key authentication XXXX
key accounting XXXX
user-name-format without-domain
...
domain dtsi
authentication login radius-scheme radius-ups
authorization login radius-scheme radius-ups
accounting login radius-scheme radius-ups
access-limit disable
state active
idle-cut disable
self-service-url disable
...
user-interface vty 0 4
authentication-mode scheme
Free Radius (FreeRADIUS Version 2.1.1)
--------------------------------------
/usr/local/share/freeradius/dictionary.rfc2865 :
Add 'VALUE Login-Service SSH 50'
/etc/raddb/users :
denis Auth-Type := Crypt-Local, Password := "DYTDYDGDRGDGD"
Huawei-Exec-Privilege = 3,
Login-Service = 50
H3C Debug output:
-----------------
...
*Apr 26 15:47:22:662 2000 H3C RDS/7/DEBUG: Send attribute list:
*Apr 26 15:47:22:743 2000 H3C RDS/7/DEBUG:
[1 User-name ] [7 ] [denis]
[2 Password ] [18] [JHDFHDGD]
[4 NAS-IP-Address ] [6 ] [172.30.2.21]
[32 NAS-Identifier ] [5 ] [H3C]
[5 NAS-Port ] [6 ] [0]
[87 NAS_Port_Id ] [34] [slot=0;subslot=0;port=0;vlanid=0]
*Apr 26 15:47:23:223 2000 H3C RDS/7/DEBUG:
[61 NAS-Port-Type ] [6 ] [5]
[H3C-26 Connect_ID ] [6 ] [1048577]
[6 Service-Type ] [6 ] [1]
[14 Login-Host ] [6 ] [172.30.2.21]
[31 Caller-ID ] [19] [30302D30302D30302D30302D30302D3030]
[8 Framed-Address ] [6 ] [1.2.3.4]
...
*Apr 26 15:47:25:756 2000 H3C RDS/7/DEBUG: Receive:IP=[5.6.7.8],Code=[2],Length=[38]
*Apr 26 15:47:25:867 2000 H3C RDS/7/DEBUG:
[H3C-29 Exec_Privilege ] [6 ] [3]
[15 Login-Service ] [6 ] [50]
...
%Apr 26 15:47:27:593 2000 H3C RDS/6/RDS_SUCC: -IfName=N/A-VlanId=0-MACAddr=00:00:00:00:00:00-IPAddr=1.2.3.4-IPv6Addr=N/A-UserName=denis@dtsi; User got online successfully.
%Apr 26 15:47:27:814 2000 H3C SHELL/5/SHELL_LOGIN: denis logged in from 1.2.3.4.
...
Hi All,
I am using the MS IAS server for AD authentication and the same is failing. With regards to the XML file, in my server's config it's a dnary.mdb file. Does anybody have the attributes that are required for it to work with MS IAS?
The H3C device config is as under :
sysname H3C
#
radius trap authentication-server-down
radius trap authentication-error-threshold
radius nas-ip 192.0.123.231
#
domain default enable xxx.com
#
telnet server enable
#
dot1x
#
vlan 1
#
vlan 192
#
radius scheme system
server-type extended
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
radius scheme 2000
primary authentication 10.109.0.63
key authentication cisco
user-name-format without-domain
#
domain xxx.com
authentication default radius-scheme 2000 local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password simple admin
authorization-attribute level 3
service-type telnet
#
interface NULL0
#
interface Vlan-interface192
ip address 192.0.123.231 255.255.0.0
#
interface GigabitEthernet1/0/1
port access vlan 192
#
ip route-static 0.0.0.0 0.0.0.0 192.0.0.254
#
load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
user-interface vty 5 15
#
return
The debug output from the switch is as under :
[H3C]
*Apr 26 20:04:04:061 2000 H3C RDS/7/DEBUG: Recv MSG,[MsgType=Auth request Index = 27, ulParam3=2218482496]
*Apr 26 20:04:04:193 2000 H3C RDS/7/DEBUG:
Info: Unknow IP address type in making login-ip-host attribute.
*Apr 26 20:04:04:323 2000 H3C RDS/7/DEBUG: Send attribute list:
*Apr 26 20:04:04:404 2000 H3C RDS/7/DEBUG:
[1 User-name ] [10] [srinivas]
[2 Password ] [18] [DAE89E618CD207AF5A524DC40D37EE48]
[4 NAS-IP-Address ] [6 ] [192.0.123.231]
[32 NAS-Identifier ] [5 ] [H3C]
[5 NAS-Port ] [6 ] [16781504]
[87 NAS_Port_Id ] [36] [slot=1;subslot=0;port=1;vlanid=192]
[61 NAS-Port-Type ] [6 ] [5]
[6 Service-Type ] [6 ] [1]
[31 Caller-ID ] [19] [30302D30302D30302D30302D30302D3030]
[8 Framed-Address ] [6 ] [192.0.2.149]
*Apr 26 20:04:05:236 2000 H3C RDS/7/DEBUG:
Event: Begin to switch RADIUS server when sending 0 packet.
*Apr 26 20:04:05:367 2000 H3C RDS/7/DEBUG: Send: IP=[192.0.3.151], UserIndex=[27], ID=[0], RetryTimes=[0], Code=[1], Length=[138]
*Apr 26 20:04:05:528 2000 H3C RDS/7/DEBUG:
Event: Set socket VPN attribute, VPN index=0, Result=0!
*Apr 26 20:04:05:651 2000 H3C RDS/7/DEBUG: Send Raw Packet is:
*Apr 26 20:04:05:732 2000 H3C RDS/7/DEBUG:
*Apr 26 20:04:06:344 2000 H3C RDS/7/DEBUG: Recv MSG,[MsgType=PKT response Index = 20, ulParam3=2218786176]
*Apr 26 20:04:06:485 2000 H3C RDS/7/DEBUG: Receive Raw Packet is:
*Apr 26 20:04:06:566 2000 H3C RDS/7/DEBUG:
03 00 00 14 cc 53 89 87 0e 15 6e 6c 5b 9e 4c 9c
8f 72 49 81
*Apr 26 20:04:06:707 2000 H3C RDS/7/DEBUG: Receive:IP=[192.0.3.151],Code=[3],Length=[20]
*Apr 26 20:04:06:817 2000 H3C RDS/7/DEBUG: NULL
*Apr 26 20:04:06:878 2000 H3C RDS/7/DEBUG: RejectMsg=[Rejected by RADIUS server without any message ]
#Apr 26 20:04:06:999 2000 H3C RDS/4/AuthErrorThreshold:
Trap:1.3.6.1.4.1.25506.2.13.3.0.3
RADIUS authentication error percent exceeded the threshold!
Index: 2 IPAddr:192.0.3.151 Port:1812
I have been able to solve the problem. You would need to upgrade the switch to 2215 rel 5.2 and ensure you include the "server-type extended" command under the radius scheme.
Thanks man, it helped me a lot.
It's working on HP v1910.
Just wanted to add a few step-by-steps for anyone wanting to use Windows RADIUS (NPS).
Step 1: Follow the guide above for configuring your HP switch with the RADIUS settings.
Step 2: Go into your NPS server and add a new network policy. Under Overview you will want to enable the policy (default) and grant access. Under Conditions you will want to add "Service Type = Login" and you can add a group for security restriction. Under Constraints you will want to edit the authentication methods: only select "Unencrypted authentication (PAP, SPAP)". Move on to the Settings tab. Under the Standard menu you will want to add an attribute of "Login-Service = ssh" (Name = Value). You can remove the defaults. Under the Vendor Specific tab you will create a new attribute for "Vendor-Specific". The vendor code will be 2011. Select "Yes. It conforms" and select "Configure Attribute...". For the "Vendor-assigned attribute number:" type 29. The "Attribute format:" will be Decimal and your "Attribute value:" will be 3. I verified these settings with an HP 5500 running Comware 5.
Thank you so much! It works!! :) (HP A5120)
I am trying to set up RADIUS for an HP 5120 and did as per the above steps and could use RADIUS authentication.
And what if the RADIUS server is not accessible? Are you still able to log in with the local user account?
Yes, when your SSH or telnet session requests your credentials, just put the local user followed by @system.
Ex:
username: admin@system
password: xxxxx
Will this work for an HPE 5700?
Allan Follmann,
If the local-user "admin" doesn't have a password set under it, will someone be able to access the switch with the admin@system login?
These are our configs right now:
local-user admin
service-type ssh terminal
Hi,
Is it possible to ignore the "Login-Service" attribute? Because I can do only one policy with one authentication method if I want to log in.
Probably something simple, noticed on the particular switch I use for testing that I'm not allowed to change Radius configuration under domain system - error is "There are user(s) online , can not be configured". I thought I might get away with using a console connection, but error persists. What is the process to overcome this gotcha?!
I worked around my little issue by changing the auth mode to none for Aux, changed the configuration and re-added auth mode scheme with the updated configuration in place :)
Hi all,
Very useful information; I want to share the following.
There are two ways to have total access to the equipment; which one to use depends on the model of the device. These policies can be integrated into one.
1. shell:roles="network-admin"
Check the following link https://abouthpnetworking.com/2014/03/16/comware7-radius-based-rbac-user-role-assignment; all the steps are correct but use the following characters "" (double quotes); check the figure in the link or copy this command: shell:roles="network-admin"
2. Vendor-assigned attribute number: 29 level 3
The other configuration is to access with profile level 3. Please check page 22 of this link https://community.hpe.com/hpeb/attachments/hpeb/switching-e-series-forum/3882/1/HP%20Networking%20-%202008%20R2%20NPS%20Radius%20for%20Management%20Login.doc and make the following changes suggested by TechGuy14.
Window Vendor-Specific Attribute Information
Enter Vendor code: 2011
Window Configure VSA (RFC Compliant)
Vendor-assigned attribute number: 29
Attribute format: Decimal
Attribute value: 3
I share the scripts for the devices 3Com 4210, HP 1910, HP 1920, HP 1950 and A5500.
Script
*****************
HP1910
radius scheme nps
server-type extended
primary authentication 10.27.9.55
primary accounting 10.27.9.55
secondary authentication 10.27.9.56
secondary accounting 10.27.9.56
key authentication simple XXXX
key accounting simple XXXX
user-name-format without-domain
attribute 25 car
domain radiussimple
authentication login radius-scheme nps local
authorization login radius-scheme nps local
accounting login radius-scheme nps local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain default enable radiussimple
*****************
HP1920
radius scheme nps
server-type extended vendor 2011
primary authentication 10.27.9.55
primary accounting 10.27.9.55
secondary authentication 10.27.9.56
secondary accounting 10.27.9.56
key authentication simple XXXX
key accounting simple XXXX
user-name-format without-domain
attribute 25 car
domain radiussimple
authentication login radius-scheme nps local
authorization login radius-scheme nps local
accounting login radius-scheme nps local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain default enable radiussimple
*****************
HP1950
radius scheme nps
primary authentication 10.27.9.55
primary accounting 10.27.9.55
secondary authentication 10.27.9.56
secondary accounting 10.27.9.56
accounting-on enable
key authentication simple XXXX
key accounting simple XXXX
user-name-format without-domain
attribute 15 check-mode loose
domain radiussimple
authentication login radius-scheme nps none
authorization login radius-scheme nps none
accounting login radius-scheme nps none
domain default enable radiussimple
*****************
3COM-4210
radius scheme nps
server-type standard
primary authentication 10.27.9.55
primary accounting 10.27.9.55
secondary authentication 10.27.9.56
secondary accounting 10.27.9.56
key authentication simple XXXX
key accounting simple XXXX
user-name-format without-domain
domain radiussimple
scheme radius-scheme nps
authentication login radius-scheme nps local
accounting login radius-scheme nps local
domain default enable radiussimple
ssh authentication-type default all
super password level 3 cipher xxx
*****************
HP A5500
radius scheme nps
server-type extended vendor 2011
primary authentication 10.27.9.55
primary accounting 10.27.9.55
secondary authentication 10.27.9.56
secondary accounting 10.27.9.56
key authentication simple XXXX
key accounting simple XXXX
timer quiet 3
user-name-format without-domain
nas-ip 10.17.9.1
accounting-on enable
attribute 25 car
domain radiussimple
authentication login radius-scheme nps local
authorization login radius-scheme nps local
accounting login radius-scheme nps local
access-limit disable
state active
idle-cut disable
self-service-url disable
*****************
Thank you for sharing this post.