Comware


problems with RADIUS authentication

  • 1.  problems with RADIUS authentication

    Posted Oct 31, 2018 10:32 AM

    Hi all,

    I'm experiencing authentication problems with this configuration on HPE5510 R1309:

    radius scheme system
     primary authentication 10.40.0.208
     key authentication cipher $c$3$miP5XfL7OV3vTSlz8OsyWF+O0jl2QvIj4FemMw==
     user-name-format without-domain
     nas-ip 10.99.80.6
    #
    domain system
     authentication login radius-scheme system local
     authorization login radius-scheme system local

    The radius server is a Freeradius 3.0.16

    I've enabled "debug radius all", below the output:

    <TWR-F>             *Oct 31 14:23:56:738 2018 TWR-F RADIUS/7/EVENT:
    Got request data successfully, primitive: authentication.
    *Oct 31 14:23:56:738 2018 TWR-F RADIUS/7/EVENT:
    Getting RADIUS server info.
    *Oct 31 14:23:56:738 2018 TWR-F RADIUS/7/EVENT:
    Got RADIUS server info successfully.
    *Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
    Created request context successfully.
    *Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
    Created request packet successfully, dstIP: 10.40.0.208, dstPort: 1812, VPN instance: --(public), socketFd: 34, pktID: 56.
    *Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
    Added packet socketfd to epoll successfully, socketFd: 34.
    *Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
    Mapped PAM item to RADIUS attribute successfully.
    *Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
    Got RADIUS username format successfully, format: 2.
    *Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
    Added attribute user-name successfully, user-name: test.
    *Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
    Filled RADIUS attributes in packet successfully.
    *Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
    Composed request packet successfully.
    *Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/EVENT:
    Created response timeout timer successfully.
    *Oct 31 14:23:56:739 2018 TWR-F RADIUS/7/PACKET:
        User-Name="test"
        NAS-Identifier="TWR-F"
        Framed-IP-Address=10.40.10.83
        NAS-Port-Type=Virtual
        Acct-Session-Id="00000001201810311423560000000108100627"
        User-Password=******
        Service-Type=Login-User
        NAS-IP-Address=10.99.80.6
        H3c-Product-Id="HPE 5510 48G 4SFP+ HI 1-slot Switch JH146A"
        H3c-Nas-Startup-Timestamp=1540985598
    *Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/EVENT:
    Sent request packet successfully.
    *Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/PACKET:
     01 38 00 b1 1f 73 10 14 69 b3 0a 4e 13 6f b9 17
     71 8f c8 7d 01 06 74 65 73 74 20 07 54 57 52 2d
     46 08 06 0a 28 0a 53 3d 06 00 00 00 05 2c 28 30
     30 30 30 30 30 30 31 32 30 31 38 31 30 33 31 31
     34 32 33 35 36 30 30 30 30 30 30 30 31 30 38 31
     30 30 36 32 37 02 12 7b b9 99 47 fe 2b 32 62 9b
     21 7a cf 68 e8 58 d4 06 06 00 00 00 01 04 06 0a
     63 50 06 1a 32 00 00 63 a2 ff 2c 48 50 45 20 35
     35 31 30 20 34 38 47 20 34 53 46 50 2b 20 48 49
     20 31 2d 73 6c 6f 74 20 53 77 69 74 63 68 20 4a
     48 31 34 36 41 1a 0c 00 00 63 a2 3b 06 5b d9 92
     fe
    *Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/EVENT:
    Sent request packet and create request context successfully.
    *Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/EVENT:
    Added request context to global table successfully.
    *Oct 31 14:23:56:740 2018 TWR-F RADIUS/7/EVENT:
    Processing AAA request data.
    *Oct 31 14:23:56:741 2018 TWR-F RADIUS/7/EVENT:
    PAM_RADIUS: Sent authentication request successfully.
    *Oct 31 14:23:56:759 2018 TWR-F RADIUS/7/EVENT:
    Reply SocketFd recieved EPOLLIN event.
    *Oct 31 14:23:56:759 2018 TWR-F RADIUS/7/EVENT:
    Received reply packet succuessfully.
    *Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
    Found request context, dstIP: 10.40.0.208, dstPort: 1812, VPN instance: --(public), socketFd: 34, pktID: 56.
    *Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
    The reply packet is valid.
    *Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
    Decoded reply packet successfully.
    *Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/PACKET:
     02 38 00 14 06 87 b7 fe 69 24 46 2d 01 bb f6 db
     a4 15 d3 d8
    *Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
    Sent reply message successfully.
    *Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
    PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
    *Oct 31 14:23:56:760 2018 TWR-F RADIUS/7/EVENT:
    PAM_RADIUS: Received authentication reply message, resultCode: 0
    *Oct 31 14:23:56:762 2018 TWR-F RADIUS/7/EVENT:
    PAM_RADIUS: Processing RADIUS authorization.
    *Oct 31 14:23:56:762 2018 TWR-F RADIUS/7/EVENT:
    PAM_RADIUS: RADIUS Authorization successfully.
    %Oct 31 14:23:56:763 2018 TWR-F SSHS/6/SSHS_LOG: Accepted password for test from 10.40.10.83 port 53869.

    %Oct 31 14:23:57:786 2018 TWR-F SSHS/6/SSHS_CONNECT: SSH user test (IP: 10.40.10.83) connected to the server successfully.
    %Oct 31 14:23:58:136 2018 TWR-F LOGIN/5/LOGIN_FAILED: test failed to log in from 10.40.10.83.
    %Oct 31 14:24:01:148 2018 TWR-F SSHS/6/SSHS_LOG: User test logged out from 10.40.10.83 port 53869.
    %Oct 31 14:24:01:148 2018 TWR-F SSHS/6/SSHS_DISCONNECT: SSH user test (IP: 10.40.10.83) disconnected from the server.

    The authentication and authorization phases seem to be successful, but in the end I get only:

    LOGIN/5/LOGIN_FAILED and SSHS/6/SSHS_DISCONNECT:

    Has anyone experienced something like this?

    Thx in advance


    #Radius
    #aaa
    #ssh
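
Added example (not part of the original posts): a short Python decoder for the RADIUS packet dumps in the debug output above, following the RFC 2865 layout. Run on the reply bytes from the first post, it shows an Access-Accept whose length field is 20, that is, the header alone with no attributes. The function names, the attribute-name table and the second, constructed packet are assumptions made for the illustration.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
# Attribute numbers from RFC 2865; only the ones used below are named.
ATTRS = {1: "User-Name", 6: "Service-Type", 15: "Login-Service"}

# Reply bytes exactly as printed in the switch debug output in post 1.
REPLY_FROM_THREAD = "02 38 00 14 06 87 b7 fe 69 24 46 2d 01 bb f6 db a4 15 d3 d8"


def parse_radius(hexdump):
    """Decode code, identifier, length and attribute TLVs from a hex dump."""
    pkt = bytes.fromhex(hexdump)
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field does not match the captured bytes")
    attrs, pos = [], 20
    while pos < length:
        # Each attribute is type (1 byte), length (1 byte, includes both
        # header bytes), then the value.
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        a_type, a_len = pkt[pos], pkt[pos + 1]
        attrs.append((ATTRS.get(a_type, str(a_type)), pkt[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": CODES.get(code, str(code)), "id": ident,
            "length": length, "attrs": attrs}


def build_accept(ident, attrs):
    """Constructed sample only: Access-Accept with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    return (header + bytes(16) + body).hex()


if __name__ == "__main__":
    reply = parse_radius(REPLY_FROM_THREAD)
    print(reply["code"], "id", reply["id"], "attributes:", reply["attrs"])
    # Constructed contrast: Service-Type=1 (Login) and the Login-Service=50
    # value suggested later in the thread.
    sample = build_accept(56, [(6, struct.pack("!I", 1)),
                               (15, struct.pack("!I", 50))])
    for name, value in parse_radius(sample)["attrs"]:
        print(name, "=", int.from_bytes(value, "big"))
```

Decoding the Access-Accept this way, from the switch debug or from a capture on the server, shows which attributes the server actually returned for the login.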


  • 2.  RE: problems with RADIUS authentication

    Posted Nov 07, 2018 03:30 AM

    Hi,

    Can you share the radius server configuration? Check if the Login-Service is set to 50 (SSH) in the User configuration file under the user.

    Eg:
           Login-Service = 50



  • 3.  RE: problems with RADIUS authentication

    Posted Nov 07, 2018 05:08 AM

    Thanks for the hint,

    but I don't know how to set "Login-Service=50" with the web interface of my DaloRadius.

    Daloradius.JPG

    I will have to ask the server administrator if it is possible to modify the file in case it exists.

    Thx again

    NextHop



  • 4.  RE: problems with RADIUS authentication

    Posted Nov 07, 2018 06:40 AM

    Hi rajkumar787,

    I've tried to set Login-service=50 but the result is the same:

    %Nov  7 12:13:56:763 2018 TWR-F SSHS/6/SSHS_LOG: Accepted password for test from 10.40.10.83 port 53869.

    %Nov  7 12:13:57:786 2018 TWR-F SSHS/6/SSHS_CONNECT: SSH user test (IP: 10.40.10.83) connected to the server successfully.
    %Nov  7 12:13:58:136 2018 TWR-F LOGIN/5/LOGIN_FAILED: test failed to log in from 10.40.10.83.
    %Nov  7 12:14:01:148 2018 TWR-F SSHS/6/SSHS_LOG: User test logged out from 10.40.10.83 port 53869.
    %Nov  7 12:14:01:148 2018 TWR-F SSHS/6/SSHS_DISCONNECT: SSH user test (IP: 10.40.10.83) disconnected from the server

    IMHO, it seems not to be an issue with SSH because I have "Accepted", "user connect" and "user disconnect" messages from SSH.

    I don't know why I have a LOGIN_FAILED on user test.

    So, thx again.

    NextHop



  • 5.  RE: problems with RADIUS authentication

    Posted Nov 12, 2018 06:08 AM

    Hi,

    Try adding 'primary accounting 10.40.0.208 & key authentication <radius key>' under 'radius scheme system', and 'accounting login radius-scheme system local' under the 'domain system'.

    Also make sure the 'domain default enable system' is there by default.

    If you still have issues logging in, maybe a Wireshark trace on the radius server will help.
      



  • 6.  RE: problems with RADIUS authentication

    Posted Nov 14, 2018 03:37 AM

    Hi rajkumar787,

    First of all, thx for your answer. I don't need a srv account; I don't think that is the problem.

    Anyway I've tried, but unfortunately, the result is the same.

    Best regards

    NextHop