
Clearpass How can i add a IETF Attribute

  • 1.  Clearpass How can i add a IETF Attribute

    Posted Mar 10, 2015 05:59 AM

    Hi

     

    We got some new HP/3Com blade switches and I am trying to get RADIUS authentication via SSH working with CPPM.

    During some research I found the attributes which must be sent from the RADIUS server to the switch.

    One of them is the standard RADIUS Login-Service (15) attribute with the value of 50 (SSH).

    In the dictionary this attribute with the value of 50 does not exist.

    I know that it is not a standard IETF attribute, but on lots of RADIUS servers you can add it manually:

    http://hpnetworkers.blogspot.co.uk/2011/05/hp-series-h3c-comware-radius.html

     

    Is it possible on CPPM too?

    Thanks for help.



  • 2.  RE: Clearpass How can i add a IETF Attribute
    Best Answer

    EMPLOYEE
    Posted Mar 10, 2015 07:02 AM
    You would need to export the radius dictionary, modify the XML to add the new entry and then reimport it.


    Thanks,
    Tim


  • 3.  RE: Clearpass How can i add a IETF Attribute

    Posted Mar 10, 2015 08:09 AM

    <post removed>



  • 4.  RE: Clearpass How can i add a IETF Attribute

    Posted Mar 10, 2015 08:43 AM

    Thanks, exporting and editing was the solution. Sometimes it is easier than expected.



  • 5.  RE: Clearpass How can i add a IETF Attribute

    Posted Dec 04, 2015 10:22 AM

    Administration -> Dictionaries -> RADIUS
    Find "IETF" in the list for Vendor Name. Click on "IETF".
    Click on "Export" and save the XML file.

    Open the XML file and search for "Login-Service"
    Add this line under existing enumOrdinal(s):

    <ValidValue enumOrdinal="50" value="SSH"/>

    Save the updated XML file.

     

    Now import the updated RADIUS dictionary file for IETF.

    Administration -> Dictionaries -> RADIUS, click on Import in upper right corner.
    Find the updated XML file, and click on Import.

    Now you are able to add Radius:IETF Login-Service = SSH (50) for the Enforcement profile.

    If you choose to use Telnet (0) for Login-Service, then both Telnet and SSH access are accepted (if the switch has both Telnet and SSH service enabled).
    If you, however, use SSH (50) for Login-service only, then Telnet access is rejected.

    Finally add the Radius:Huawei Huawei-Exec-Privilege = 3 to the Enforcement profile, if you want access level as administrator (highest), when login is accepted.

    Management login for Radius on the HP Comware switch is enabled by:

    domain <name>
    authentication login radius-scheme <name of radius scheme>
    authorization login radius-scheme <name of radius scheme>
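
The export, edit and re-import steps in post 5 can be scripted so the dictionary edit is repeatable. This is an added example, not part of the thread and not Aruba code. It assumes the attribute element carries name="Login-Service", and the sample XML is constructed (only ValidValue, enumOrdinal and value come from the thread).

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Only ValidValue/enumOrdinal/value come from the
# thread; the surrounding element and attribute names are assumptions.
SAMPLE = """<Dictionary>
  <Vendor name="IETF">
    <Attribute name="Login-Service" id="15">
      <ValidValue enumOrdinal="0" value="Telnet"/>
      <ValidValue enumOrdinal="1" value="Rlogin"/>
    </Attribute>
    <Attribute name="Framed-Protocol" id="7">
      <ValidValue enumOrdinal="1" value="PPP"/>
    </Attribute>
  </Vendor>
</Dictionary>"""


def add_valid_value(xml_text, attr_name, ordinal, label):
    """Return (xml, changed); add the enum entry only if it is not there yet."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep a default namespace unprefixed on output
        ET.register_namespace("", root.tag[1:].split("}")[0])
    targets = [e for e in root.iter() if e.get("name") == attr_name]
    if len(targets) != 1:
        raise ValueError(f"expected one {attr_name!r} element, found {len(targets)}")
    attr = targets[0]
    # Match on the local tag name so a namespaced export works too.
    values = [c for c in attr if c.tag.rsplit("}", 1)[-1] == "ValidValue"]
    if not values:
        raise ValueError(f"{attr_name!r} has no ValidValue entries to extend")
    for v in values:
        if v.get("enumOrdinal") == str(ordinal):
            if v.get("value") != label:
                raise ValueError(f"ordinal {ordinal} already means {v.get('value')!r}")
            return xml_text, False  # already patched, leave the file untouched
    last = values[-1]
    new = ET.Element(last.tag, {"enumOrdinal": str(ordinal), "value": label})
    new.tail, last.tail = last.tail, attr.text  # keep the indentation tidy
    attr.insert(list(attr).index(last) + 1, new)
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    patched, changed = add_valid_value(SAMPLE, "Login-Service", 50, "SSH")
    print(patched if changed else "already present")
```

Diff the output against the original export before importing it, so the only change going into the dictionary is the one new line.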