Comware


HP 5900 RADIUS and SSH disconnection

  • 1.  HP 5900 RADIUS and SSH disconnection

    Posted Dec 02, 2014 08:55 AM

    Hello,

     

    I have an IRF stack composed of 2x 5900 and 2x5920 switches.

    I have a Windows NPS and configured the stack to use RADIUS.

     

    I can successfully connect to my switches with an AD login, but when I connect using SSH, I don't get a prompt and I am instantaneously disconnected.

     

    For example :

     

    ssh 10.xxx.xxx.xxx -l lscharf
    lscharf@xxx@10.xxx.xxx.xxx's password:

    ******************************************************************************
    * Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P.          *
    * Without the owner's prior written consent,                                 *
    * no decompiling or reverse-engineering shall be allowed.                    *
    ******************************************************************************

    Connection to 10.xxx.xxx.xxx closed.

     

    The configuration looks like this:

     

    line vty 0 63
     authentication-mode scheme
     user-role network-operator
     protocol inbound ssh
     idle-timeout 30 5

     


    radius scheme xxx
     primary authentication 10.xxx.xxx.1
     primary accounting 10.xxx.xxx.1
     secondary authentication 10.xxx.xxx.2
     secondary accounting 10.xxx.xxx.2
     key authentication cipher xxx
     key accounting cipher xxx
     user-name-format without-domain
    #
    radius scheme system
     user-name-format without-domain
    #
    domain xxx
     authentication login radius-scheme xxx local
     authorization login radius-scheme xxx local
     accounting login radius-scheme xxx local

     

    In the Windows Event Viewer, nothing abnormal, the connection is granted.

    In the logbuffer I have SSHS/6/SSHS_LOG: Accepted password for lscharf@xxx from 10.xxx.xxx.xxx port 33420 ssh2.

     

    So everything looks OK but that SSH connection is actually not working.

    Has anyone experienced that already and might have a solution for me?

     

    Thanks !




  • 2.  RE: HP 5900 RADIUS and SSH disconnection

    Posted Dec 03, 2014 06:57 AM

    Hi lscharf

     

    1: Have you enabled the SSH server?

     

    ] ssh server enable

     

    2: Have you generated the key infrastructure?

     

    ]  public-key local create dsa

    ]  public-key local create rsa

     

    3: It looks like you might need to configure a RADIUS authorization server in your RADIUS scheme.

    In your domain xxx you ask to use "authorization login radius-scheme xxx local", but you have no RADIUS authorization in the RADIUS scheme xxx.

     

    4: Also remember to set the default domain to xxx if you use "ssh -l lscharf <management_ipaddress_of_switch>" and do not specify the domain explicitly:

    ] domain default enable xxx

     

    NB: What software version are you running?

     

    Regards

     

     



  • 3.  RE: HP 5900 RADIUS and SSH disconnection

    Posted Dec 03, 2014 07:49 AM

    Hello sdide,

     

    I have SSH enabled and keys generated, as I am able to connect using the local admin account.

     

    How do I configure that authorization in the RADIUS scheme? As far as I'm aware, authorization uses the authentication setup.

     

    [HP-radius-xxx]primary ?
      accounting      Specify the primary RADIUS accounting server
      authentication  Specify the primary RADIUS authentication server

     

    If I remove the authorization attribute in the domain setup, I am unable to SSH to the device with my AD login; I don't even get the banner anymore.

     

    Regarding the version, I'm running the following :

     

    HP Comware Software, Version 7.1.045, Release 2311P01
    Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P.
    HP 5900AF-48XG-4QSFP+ Switch uptime is 10 weeks, 5 days, 23 hours, 12 minutes
    Last reboot reason : Power on

    Boot image: flash:/5900_5920-cmw710-boot-r2311p01.bin
    Boot image version: 7.1.045P15, Release 2311P01
      Compiled Jul 16 2014 12:17:18
    System image: flash:/5900_5920-cmw710-system-r2311p01.bin
    System image version: 7.1.045, Release 2311P01
      Compiled Jul 16 2014 12:17:28

     

    Thanks for your help.



  • 4.  RE: HP 5900 RADIUS and SSH disconnection

    Posted Dec 03, 2014 08:10 AM

    Hi lscharf

     

    I had a lot of trouble getting HWTACACS working on my 5900s.

    I was using some old software and did a lot of debugging, but when I upgraded the software the "problem" vanished (or rather the switch started behaving as intended), so that's why I asked about the software version.

     

    Apart from that, try playing with:

    <user-view> terminal monitor

    <user-view> terminal logging level 7

    <user-view> debugging radius [all, error, event]

    <user-view> debugging ssh server [all, error, event, message]

    <user-view> debugging role [all, error, event]

     

    (What log messages do you see?)

    Then see what happens when you try logging on via RADIUS, if you can make such a setup.

     

    Regards
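Replies 2 and 4 both come down to the same question: the NPS event log says "granted" and the switch logs "Accepted password", so what does the Access-Accept actually carry back to the switch for the login authorization step? The switch-side debugging above shows that from the NAS's perspective; the script below shows it from the wire. It is an added example, not code from the thread or from HP/Comware: a minimal RFC 2865 client that builds the Access-Request a NAS would send (User-Name, hidden User-Password, NAS-IP-Address, Service-Type=Login), verifies the Response Authenticator before trusting the reply, and decodes every returned attribute, including vendor-specific ones. The shared secret, addresses, user name and password are constructed placeholders, and the sample VSA (vendor ID 25506 with type 29 carrying `shell:roles="..."`) is an assumption about what a Comware switch looks for that you should check against the platform's RADIUS attribute documentation before relying on it.

```python
"""Minimal RFC 2865 RADIUS client and reply decoder for login troubleshooting.
Added example; not from the thread or from HP/Comware."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              6: "Service-Type", 18: "Reply-Message", 26: "Vendor-Specific"}
SERVICE_TYPE_LOGIN = 1  # RFC 2865 s5.6 "Login", what a CLI login request carries


def _password_blocks(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator. One loop serves both directions."""
    if not decrypt:
        data += b"\x00" * (-len(data) % 16)  # pad plaintext to a 16-byte multiple
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block if decrypt else out[-16:]  # always chain on the ciphertext block
    return out.rstrip(b"\x00") if decrypt else out


def hide_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    return _password_blocks(password.encode(), secret, authenticator, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Inverse of hide_password; handy for reading a captured Access-Request."""
    return _password_blocks(hidden, secret, authenticator, decrypt=True).decode()


def attribute(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 s5.26 Vendor-Specific attribute wrapping one vendor sub-attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attribute(26, struct.pack("!I", vendor_id) + inner)


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # fresh per request
    attrs = (attribute(1, username.encode())
             + attribute(2, hide_password(password, secret, authenticator))
             + attribute(4, socket.inet_aton(nas_ip))
             + attribute(6, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, request, secret, attrs):
    """Server side of the exchange (used here to construct an offline sample).
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def parse_attributes(data):
    """Return (name, vendor_id, vendor_type, value) tuples; vendor fields are None for plain attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        if t == 26 and len(value) >= 6:
            vendor, j = struct.unpack("!I", value[:4])[0], 4
            while j + 2 <= len(value):
                vt, vl = value[j], value[j + 1]
                if vl < 2 or j + vl > len(value):
                    raise ValueError("bad VSA length")
                attrs.append(("Vendor-Specific", vendor, vt, value[j + 2:j + vl]))
                j += vl
        else:
            attrs.append((ATTR_NAMES.get(t, f"Attr-{t}"), None, None, value))
        i += length
    return attrs


def decode_response(response, request_authenticator, secret):
    """Verify the Response Authenticator before trusting anything in the reply."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or tampered reply")
    return {"code": CODE_NAMES.get(code, str(code)), "id": ident, "attributes": parse_attributes(response[20:])}


def query(server, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request over UDP to a real server and decode its reply."""
    request, auth = build_access_request(os.urandom(1)[0], username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (server, port))
        data, _ = s.recvfrom(4096)
    return decode_response(data, auth, secret)


def offline_demo():
    """Constructed exchange: NAS asks for 'lscharf', server accepts with a VSA.
    Vendor 25506 (H3C) type 29 with shell:roles=... is an ASSUMPTION about what
    a Comware switch expects; check the platform's RADIUS attribute docs."""
    secret = b"constructed-shared-secret"
    request, auth = build_access_request(7, "lscharf", "not-a-real-password", secret, "10.0.0.10")
    if reveal_password(parse_attributes(request[20:])[1][3], secret, auth) != "not-a-real-password":
        raise RuntimeError("password hiding round-trip failed")
    accept = build_response(ACCESS_ACCEPT, request, secret,
                            attribute(6, struct.pack("!I", SERVICE_TYPE_LOGIN))
                            + vsa(25506, 29, b'shell:roles="network-operator"'))
    return decode_response(accept, auth, secret)


if __name__ == "__main__":
    for name, vendor, vtype, value in offline_demo()["attributes"]:
        print(name, vendor, vtype, value)
```

Run it as-is and it decodes the constructed sample; point `query()` at the NPS with the switch's shared secret and a source address the server trusts as a RADIUS client to see the real reply. Two things are worth noting from a security standpoint: `decode_response` refuses a reply whose Response Authenticator does not verify, so a wrong secret on the switch and a spoofed reply look the same from here, and the User-Password hiding is MD5-based obfuscation, not encryption, which is why the RADIUS exchange to the switch belongs on a management network rather than on the user-facing side.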