Frequent Contributor I

Clearpass How can I add an IETF Attribute

Hi


We got some new HP/3Com blade switches and I am trying to get RADIUS authentication via SSH working with CPPM.

During some research I found the attributes which must be sent from the RADIUS server to the switch.

One of them is the standard RADIUS Login-Service (15) attribute with the value of 50 (ssh).

In the dictionary this attribute with a value of 50 does not exist.

I know that it is not a standard IETF attribute, but on lots of RADIUS servers you can add it manually:

http://hpnetworkers.blogspot.co.uk/2011/05/hp-series-h3c-comware-radius.html


Is it possible on CPPM too?

Thanks for the help.

Guru Elite

Re: Clearpass How can I add an IETF Attribute

You would need to export the radius dictionary, modify the XML to add the new entry and then reimport it.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba

Re: Clearpass How can I add an IETF Attribute

<post removed>

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor I

Re: Clearpass How can I add an IETF Attribute

Thanks, exporting and editing was the solution. Sometimes it is easier than expected.

Occasional Contributor I

Re: Clearpass How can I add an IETF Attribute

Administration -> Dictionaries -> RADIUS
Find "IETF" in the list for Vendor Name. Click on "IETF".
Click on "Export" and save the XML file.

Open the XML file and search for "Login-Service"
Add this line under existing enumOrdinal(s):

<ValidValue enumOrdinal="50" value="SSH"/>

Save the updated XML file.

 

Now import the updated RADIUS dictionary file for IETF.

Administration -> Dictionaries -> RADIUS, click on Import in the upper right corner.
Find the updated XML file, and click on Import.

Now you are able to add Radius:IETF Login-Service = SSH (50) to the Enforcement profile.

If you choose to use Telnet (0) for Login-Service, then both Telnet and SSH access are accepted (if the switch has both the Telnet and SSH service enabled).
If you, however, use SSH (50) for Login-Service only, then Telnet access is rejected.

Finally add Radius:Huawei Huawei-Exec-Privilege = 3 to the Enforcement profile if you want the access level to be administrator (highest) when login is accepted.

Management login via RADIUS on the HP Comware switch is enabled by:

domain <name>
authentication login radius-scheme <name of radius scheme>
authorization login radius-scheme <name of radius scheme>

 

Bo Nielsen
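The steps above edit the exported dictionary by hand. As an added example (not from this thread, and not Aruba's or ClearPass's own code), the Python script below makes the same edit programmatically and idempotently: it locates the Login-Service attribute in the exported XML, adds <ValidValue enumOrdinal="50" value="SSH"/> only if no entry with that ordinal or name already exists, and refuses to touch the file if the attribute is missing. The ValidValue, enumOrdinal and value names come from the thread; the surrounding element names in the constructed sample (RadiusDictionary, RadiusAttribute, name=) are assumptions, so compare them against a real export and adjust the lookup before running it on your dictionary.

```python
# Added example: idempotently add a ValidValue entry to an attribute in an
# exported RADIUS dictionary XML. Not from the thread or from ClearPass.
import xml.etree.ElementTree as ET

# Constructed sample resembling an exported IETF dictionary. Only ValidValue /
# enumOrdinal / value are taken from the thread; the other element and
# attribute names are assumed.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<RadiusDictionary vendorName="IETF" vendorId="0">
  <RadiusAttribute name="Login-Service" id="15" type="Integer">
    <ValidValue enumOrdinal="0" value="Telnet"/>
    <ValidValue enumOrdinal="1" value="Rlogin"/>
    <ValidValue enumOrdinal="2" value="TCP-Clear"/>
  </RadiusAttribute>
  <RadiusAttribute name="Service-Type" id="6" type="Integer">
    <ValidValue enumOrdinal="1" value="Login-User"/>
  </RadiusAttribute>
</RadiusDictionary>
"""

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'


def _find_attribute(root, attr_name):
    """Return the first element whose name= attribute equals attr_name, or None.
    Searching by name= rather than a fixed tag keeps the lookup tolerant of
    a different wrapper element name in a real export (assumed layout)."""
    for elem in root.iter():
        if elem.get("name") == attr_name:
            return elem
    return None


def valid_values(xml_text, attr_name):
    """List the (enumOrdinal, value) pairs defined under attr_name."""
    root = ET.fromstring(xml_text)
    target = _find_attribute(root, attr_name)
    if target is None:
        raise ValueError(f"attribute {attr_name!r} not found in dictionary")
    return [(vv.get("enumOrdinal"), vv.get("value"))
            for vv in target.findall("ValidValue")]


def add_valid_value(xml_text, attr_name, ordinal, value):
    """Return (new_xml_text, changed).

    Adds <ValidValue enumOrdinal="ordinal" value="value"/> under the attribute
    named attr_name. If an entry with the same ordinal or the same value name
    is already present the input is returned unchanged, so re-running the
    script on an already-patched export does not create duplicates.
    """
    root = ET.fromstring(xml_text)
    target = _find_attribute(root, attr_name)
    if target is None:
        raise ValueError(f"attribute {attr_name!r} not found in dictionary")

    existing = target.findall("ValidValue")
    for vv in existing:
        if vv.get("enumOrdinal") == str(ordinal) or vv.get("value") == value:
            return xml_text, False

    new = ET.SubElement(target, "ValidValue")
    new.set("enumOrdinal", str(ordinal))
    new.set("value", value)
    # Keep the indentation of the existing entries: the new element takes the
    # previous last entry's tail (newline before the closing tag), and the
    # previous entry gets an intra-block newline.
    if existing:
        new.tail = existing[-1].tail
        existing[-1].tail = "\n    "
    return XML_DECL + ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    patched, changed = add_valid_value(SAMPLE_XML, "Login-Service", 50, "SSH")
    print("changed:", changed)
    print(patched)
```

Run it against a saved export by reading the file into add_valid_value and writing the returned text back before importing the dictionary in ClearPass; the `changed` flag tells you whether anything was actually written.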