Currently we access the management console of our switches via RADIUS authentication, using Microsoft NPS as the RADIUS server. We have implemented this model on all 3Com Switch 4500 and 5500 units running Comware V3.
We did not make the same implementation in HP A3600 Comware V5.20.
Below are the settings that were applied on the HP A3600:
#
radius scheme lab
server-type extended
primary authentication <ip server>
primary accounting <ip server>
key authentication <password>
key accounting <password>
timer realtime-accounting 15
timer response-timeout 5
nas-ip <switch ip>
retry 5
#
domain lab.com
authentication login radius-scheme lab local
authorization login radius-scheme lab local
accounting login radius-scheme lab local
access-limit enable 60
state active
idle-cut enable 20 2000
self-service-url disable
#
user-interface vty 0 4
authentication-mode scheme
Viewing the logs of the HP A3600 switch, I got the following error messages:
*Oct 24 20:35:09:344 2016 SW_CORE_LAB RDS/7/DEBUG: Recv MSG,[MsgType=Auth request Index = 113, ulParam3=1195743184]
*Oct 24 20:35:09:344 2016 SW_CORE_LAB RDS/7/DEBUG: Send attribute list:
*Oct 24 20:35:09:345 2016 SW_CORE_LAB RDS/7/DEBUG:
[1 User-name ] [18] [userlogin@lab.com]
[2 Password ] [34] [9431D6F1B31F17848979PAOUID0BF918446CC2952D9464ED3F6EB8588D3893PPOEE3]
[4 NAS-IP-Address ] [6 ] [<ip switch>]
[32 NAS-Identifier ] [13] [SW_CORE_LAB]
[5 NAS-Port ] [6 ] [0]
[87 NAS_Port_Id ] [34] [slot=0;subslot=0;port=0;vlanid=0]
*Oct 24 20:35:09:346 2016 SW_CORE_LAB RDS/7/DEBUG:
[61 NAS-Port-Type ] [6 ] [5]
[HP-26 Connect_ID ] [6 ] [462849]
[6 Service-Type ] [6 ] [1]
[14 Login-Host ] [6 ] [<switch ip>]
[31 Caller-ID ] [19] [30302D30302D30302D30302D30302D3030]
[44 Acct-Session-Id ] [17] [11609242035f010]
*Oct 24 20:35:09:346 2016 SW_CORE_LAB RDS/7/DEBUG:
[8 Framed-Address ] [6 ] [<client ip>]
[HP-255Product-ID ] [25] [HP 3600-48 v2 EI Switch]
[HP-60 Ip-Host-Addr ] [32] [<client ip> 00:00:00:00:00:00]
[HP-59 NAS-Startup-Timestamp ] [6 ] [1262304031]
*Oct 24 20:35:09:347 2016 SW_CORE_LAB RDS/7/DEBUG:
Event: Send Packet,oem(10), send count(0), primary state(0).
*Oct 24 20:35:09:347 2016 SW_CORE_LAB RDS/7/DEBUG:
Event: Restart select server.
*Oct 24 20:35:09:348 2016 SW_CORE_LAB RDS/7/DEBUG:
Event: Begin to switch RADIUS server when sending 0 packet.
*Oct 24 20:35:09:348 2016 SW_CORE_LAB RDS/7/DEBUG:
Event: Modify NAS-IP to <switch ip>.
*Oct 24 20:35:09:349 2016 SW_CORE_LAB RDS/7/DEBUG: Send: IP=[<server ip>], UserIndex=[113], ID=[14], RetryTimes=[0], Code=[1], Length=[266]
*Oct 24 20:35:09:349 2016 SW_CORE_LAB RDS/7/DEBUG:
Event: Set socket VPN attribute, VPN index=0, Result=0!
*Oct 24 20:35:09:350 2016 SW_CORE_LAB RDS/7/DEBUG: Send Raw Packet is:
*Oct 24 20:35:09:350 2016 SW_CORE_LAB RDS/7/DEBUG:
*Oct 24 20:35:09:378 2016 SW_CORE_LAB RDS/7/DEBUG: Recv MSG,[MsgType=PKT response Index = 20, ulParam3=1195080128]
*Oct 24 20:35:09:379 2016 SW_CORE_LAB RDS/7/DEBUG: Receive Raw Packet is:
*Oct 24 20:35:09:379 2016 SW_CORE_LAB RDS/7/DEBUG:
03 0e 00 14 73 47 3d 7a cb 79 ad b3 a7 01 df 0b
33 ec 4e bd
*Oct 24 20:35:09:380 2016 SW_CORE_LAB RDS/7/DEBUG: Receive:IP=[<server ip>],Code=[3],Length=[20]
*Oct 24 20:35:09:380 2016 SW_CORE_LAB RDS/7/DEBUG: NULL
*Oct 24 20:35:09:381 2016 SW_CORE_LAB RDS/7/DEBUG: RejectMsg=[Rejected by RADIUS server without any message ]
#Oct 24 20:35:10:377 2016 SW_CORE_LAB SSH/4/TrapAuthFailed:
1.3.6.1.4.1.25506.2.22.1.3.0.1 SSH authentication fail trap information
#Oct 24 20:35:10:378 2016 SW_CORE_LAB SSH/4/TrapAuthFailed:
1.3.6.1.4.1.25506.2.22.1.3.0.1 SSH authentication fail trap information
The error message says that the RADIUS server is not responding, but the same RADIUS server is used to authenticate all the other 3Com Switch 5500 units, in addition to receiving the same request from the HP A3600 switch.
I believe Comware V5 must need some different parameter, either on the Microsoft NPS RADIUS server or in the AAA settings of the switch.
Can anyone help me?