radius peap-mschapv2 - User 'unknown'

  • 1.  radius peap-mschapv2 - User 'unknown'

    Posted Feb 02, 2023 09:24 AM
    Hello All,

    I've configured Radius authentication on Aruba 2930M with ms-chapv2 encryption:

    aaa server-group radius "NPS" host 192.168.100.101
    aaa server-group radius "NPS" host 192.168.100.102
    aaa authentication login privilege-mode
    aaa authentication web login peap-mschapv2 server-group "NPS" local
    aaa authentication web enable peap-mschapv2 server-group "NPS" local
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local

    On the NPS Server I see that authentication was successful:


    but on the switch I see an error and can't log in to the web console:

    W 02/02/23 13:32:09 00419 auth: Invalid user name/password on WEB-UI session
                User 'unknown' is trying to login from 192.168.200.125
    ----  Bottom of Log : Events Listed = 497  ----

    What is wrong? With PAP encryption everything works.

    When I enable ms-chapv2 for ssh, then I see the username, but the switch says invalid credentials:

    W 02/02/23 13:53:26 00419 auth: Invalid user name/password on SSH session User
    'my-user' is trying to login from 192.168.200.125
    ---- Bottom of Log : Events Listed = 502 ----

    Thank you in advance!


  • 2.  RE: radius peap-mschapv2 - User 'unknown'

    Posted Feb 02, 2023 12:05 PM
    This may be due to a certificate issue:

    How can I upload AD Root CA? The switch always tries to replace Default CA:


    I found I can do it via CLI, but the command is not available:

    sw-014(config)# crypto pki ta-profile domain-root
    sw-014(config)# ta-certificate import terminal
    Invalid input: ta-certificate
    sw-014(config)#



  • 3.  RE: radius peap-mschapv2 - User 'unknown'
    Best Answer

    EMPLOYEE
    Posted Feb 03, 2023 02:32 AM

    Hello, 
    Is the NPS configured to return the RADIUS attribute service-type with a value of 6?

    This should be configured when you are using the option "aaa authentication login privilege-mode".

    https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch06s04.html

    If you don't have access to the NPS config, maybe you can check by removing "aaa authentication login privilege-mode".




  • 4.  RE: radius peap-mschapv2 - User 'unknown'

    Posted Feb 03, 2023 05:39 AM

    Thanks a lot! I have access to the NPS, now I need to find out how to adjust it 😊

    Without "aaa authentication login privilege-mode" it works 👍




  • 5.  RE: radius peap-mschapv2 - User 'unknown'

    Posted Feb 03, 2023 11:02 AM
    I've found this. I hope it can be useful for others: