Comware

 View Only
last person joined: 2 days ago 

Back to discussions
Expand all | Collapse all

5700 FlexFabric Radius Configuration

This thread has been viewed 0 times

  • 1.  5700 FlexFabric Radius Configuration

    Posted Jul 26, 2016 10:00 PM

    Hi All,

    I am new to HP devices but have been thrown in the deepend with a new role that has mainly HP equipment installed.
    I am looking to setup Radius authentication for the 5700 FlexFabric running Software Version 7.1.045. My radius server is Windows NPS.
    I have attached some snapshots of my radius configuration. Note for the Network Policy Vendor Attribut I have tried the following:

    • shell:allowed-roles="level-15"
    • shell:allowed-roles="network-admin"
    • shell:roles="level-15"
    • shell:roles="network-admin"
    • alowed-roles="level-15"
    • allowed-roles="network-admin"
    • roles="level-15"
    • roles="network-admin"

    Configuration Snapshot:

    #
    line class aux
    user-role network-admin
    #
    line class vty
    user-role network-operator
    #
    line aux 0 1
    user-role network-admin
    #
    line vty 0 63
    authentication-mode scheme
    user-role network-operator
    #
    radius scheme radius

    primary authentication <withheld) key cipher <withheld>
    primary accounting <withheld> key cipher <withheld>
    user-name-format without-domain
    #
    domain radius
    authentication login radius-scheme radius local
    accounting login radius-scheme radius local
    #
    domain system
    #
    domain default enable radius
    #
    role default-role enable
    #
    user-group system
    #
    local-user administrator class manage
    password hash <withheld>
    service-type ssh telnet http https
    authorization-attribute user-role level-15
    authorization-attribute user-role network-operator
    #

    This configuration when captured with wireshark I can see the an access-accept is sent back to the switch, but connection is immediately dropped by the switch, I am assuming that is because no privilege level has been provided, but I am unsure.
    Under the domain radius, I have tried adding authorization default none, this allows me to connect but with practically no privilege level except for a few display commands.

    Any assistance with this would be greately appreciate, I have looked over the configuration guide again and again, but seem to be getting no where.

    Thanks,
    Steven


    #aaa
    #Radius


  • 2.  RE: 5700 FlexFabric Radius Configuration

    Posted Jul 27, 2016 09:51 PM

    I have seen in the documentation that the instructions for Free Radius require the creation of a user account, instead of making it authenticate against the AD, is this a possible limitation of this Switch. Being DC I would assume not.



  • 3.  RE: 5700 FlexFabric Radius Configuration

    Posted Jul 29, 2016 07:10 AM

    200 views and no response, surely someone has come across this before? I come from a mostly Cisco background and the radius commands are thoroughly documented, this is an enterprise level switch surely there is a way to use radius with this using AD credentials. Any suggestion would be appreciated, I've tried everything I can think of at this point apart from installing FreeRadius, which I don't want to do for one device.



  • 4.  RE: 5700 FlexFabric Radius Configuration

    Posted Aug 03, 2016 12:23 AM

    I setup some 5800s to do RADIUS authentication against a Windows server (to check AD accounts) and I've looked everywhere and can't seem to find my backup configs. I'll keep looking.



  • 5.  RE: 5700 FlexFabric Radius Configuration

    Posted Aug 03, 2016 10:22 PM

    Thanks Vince,

    I have been in contact with HP Support and they have been able to provide me a solution.

    Switch configuration I provided was correct.

    NPS Changes as follows:

    • Changed the Service-Type in "Connection Request Policies" to "Framed"
    • Changed the Service-Type in "Network Policies" to "Framed"
    • Moved the the HP "Network Policies" to #1, below this it wouldn't work as it was hitting other policies first
    • Changed the Cisco-AV-Pair to shell:roles=network-admin - quotations have been removed in Comware7

    Full guide for anyone interested is on my blog:

    https://stevenandrewsblog.wordpress.com/2016/07/25/windows-nps-with-hp-and-cisco/#more-206



  • 6.  RE: 5700 FlexFabric Radius Configuration

    Posted Feb 13, 2017 04:24 AM

    Hello, thank you for the information, I have a pb to configure the switch HP procurve 2610 and 2600 and switch H3C 5130 and A3600 and S3600 on the radius, I can not get different rights on the switch. Either I have admin rights or the login window closes as soon as I have the connection to the switch. Would you have the Radius attributes for these models and the setting of the radius SVP?

    My Configuration HP Procurve:

    hostname "ProCurve Switch 2610-24"
    ip default-gateway x.x.x.x
    snmp-server community "public" Unrestricted
    vlan 1
       name "DEFAULT_VLAN"
       untagged 1-28
       ip address x.x.x.x x.x.x.x
       exit
    radius-server host x.x.x.x acct-port 1646 auth-port 1645 key "xxxxxx"
    radius-server key "xxxxxx"
    aaa authentication num-attempts 10
    aaa authentication console enable radius local
    aaa authentication telnet login radius local
    aaa authentication telnet enable radius local
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local
    aaa authentication port-access eap-radius authorized
    aaa authentication login privilege-mode
    aaa port-access authenticator active
    ip ssh
    no dhcp config-file-update
    password manager
    password operator

     

    Thanks for your help

    Best regards

    Mathieu