Comware

 View Only
  • 1.  TACACS not working on HP Comware 7

    Posted Jun 24, 2019 11:14 AM

    Hi!

    First let me say that we've got working Cisco IOS, NX-OS, IOS-XR, Juniper OS, Brocade Fabric OS, HP ProCurve and Comware 5; however NOT Comware 7.

    For TACACS we're using tac_plus probono! (read carefully as there are several versions out there)

    Configuration on the HP Comware 7:

    hwtacacs scheme tacacs
     primary authentication 1.1.1.1 49
     key authentication simple myPassword
     primary authorization 1.1.1.1 49
     key authorization simple myPassword
     user-name-format without-domain
    !
    domain tacacs
     authentication login hwtacacs-scheme tacacs local
     authorization login hwtacacs-scheme tacacs local
     state active
    !
    domain default enable tacacs
    !
    line vty 0 63
     authentication-mode scheme
     user-role network-admin
    !

    TACACS Server Config (only showing necessary, keep in mind this is working with most vendors!)

    group = admin {
        enable = permit                                      # Allow access to Privileged EXEC
        service = shell {                                    # Vendor: Cisco, HP, Brocade
            optional brcd-role = admin                       # Fabric OS (must be optional!)
            set priv-lvl = 15                                # IOS/XE, NX-OS, PriVision, Comware
            set role = network-admin
        }
        service = junos-exec {                               # Vendor: Juniper
          set local-user-name = remote-su                    # Junos OS
        }
    }

    Logging from tacacs-server

    /var/log/tac_plus/access/20190624.log
    2019-06-24 16:40:58 +0200	10.10.10.10	myUser	Vlan-interface2001	10.10.10.20	ascii login succeeded
    2019-06-24 16:43:30 +0200	10.10.10.10	myUser	Vlan-interface2001	10.10.10.20	ascii login succeeded

    Debug from Comware 7 switch

    *Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
    *Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authentication.
    *Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
    *Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
    *Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
    *Jun 24 16:43:30:158 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
    *Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
    *Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
    *Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication request packet.
    *Jun 24 16:43:30:362 2019 mySwitch TACACS/7/send_packet:
    version: 0xc0  type: AUTHEN_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
    session-id: 0xafc472d8
    length of payload: 61
    action: LOGIN  priv_lvl: 0  authen_type: ASCII  service: LOGIN
    user_len: 9   port_len: 18   rem_len: 14   data_len: 12
    user: myUser
    port: Vlan-interface2001
    rem_addr: 10.10.10.20
    data: ******
    *Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
    *Jun 24 16:43:30:400 2019 mySwitch TACACS/7/recv_packet:
    version: 0xc0  type: AUTHEN_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
    session-id: 0xafc472d8
    length of payload: 6
    status: STATUS_PASS  flags: ECHO
    server_msg len: 0  data len: 0
    server_msg:
    data:
    *Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
    *Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
    *Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authentication reply message, resultCode: 0.
    *Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded.
    *Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authorization.
    *Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authorization.
    *Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
    *Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
    *Jun 24 16:43:30:403 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
    *Jun 24 16:43:30:594 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
    *Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
    *Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
    *Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authorization request packet.
    *Jun 24 16:43:30:763 2019 mySwitch TACACS/7/send_packet:
    version: 0xc0  type: AUTHOR_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
    session-id: 0xee0175cb
    length of payload: 68
    authen_method: TACACSPLUS  priv_lvl: 0  authen_type: ASCII  authen_service: LOGIN
    user_len: 9   port_len: 18   rem_len: 14   arg_cnt: 2
    arg0_len: 13    arg1_len: 4
    user: myUser
    port: Vlan-interface2001
    rem_addr: 10.10.10.20
    arg0: service=shell  arg1: cmd*
    *Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
    *Jun 24 16:43:30:767 2019 mySwitch TACACS/7/recv_packet:
    version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
    session-id: 0xee0175cb
    length of payload: 37
    Status: STATUS_PASS_ADD  arg_cnt: 2  server_msg len: 0  data len: 0
    arg0_len: 11    arg1_len: 18
    server_msg:
    data:
    arg0: priv-lvl=15  arg1: role=network-admin
    *Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authorization reply packet.
    *Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
    *Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authorization reply message, resultCode: 0.
    *Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authorization succeeded.
    %Jun 24 16:43:30:772 2019 mySwitch SSHS/6/SSHS_LOG: Accepted password for myUser from 10.10.10.20 port 54064 ssh2.
    
    %Jun 24 16:43:30:808 2019 mySwitch SSHS/6/SSHS_CONNECT: SSH user myUser (IP: 10.10.10.20) connected to the server successfully.
    %Jun 24 16:43:30:936 2019 mySwitch LOGIN/6/LOGIN_FAILED: myUser failed to log in from 10.10.10.20.
    %Jun 24 16:43:34:009 2019 mySwitch SSHS/6/SSHS_DISCONNECT: SSH user myUser (IP: 10.10.10.20) disconnected from the server.

    Output from HP Comware Login Attempt

    ******************************************************************************
    * Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
    * Without the owner's prior written consent,                                 *
    * no decompiling or reverse-engineering shall be allowed.                    *
    ******************************************************************************
    
    Login failed.
    Connection to myswitch.my.domain closed.

    What might I be missing? Right now I'm thinking vendor attributes or if I need to create a role on the switch like with Juniper.

    // David


    #comware7
    #HP


  • 2.  RE: TACACS not working on HP Comware 7

    Posted Jul 03, 2019 07:22 PM

    Hi David,

    What is the Firware version that is running on the switch?
    Also share the complete SSH configuration and vty configuration.

    From the debugg logs shared, i can see the Telnet user has already logged in has been disconnected. This is hitting a bug LSV7D000489.
    There are several bugs related to TACACS if you are using a older version it is recommended to upgarde the FW to version 7.10. R2432P05 or later.

    Also TACACS configuration looks good except for a one of optional commands. (but recommended)

    1) In the ISP domain, Specify the accounting method for login users.
    accounting login { hwtacacs-scheme hwtacacs-scheme-name | [ local ] | [ none ] } -
    By default, the default accounting method is used for login users. if you dont want to use the accounting then specifiy it as none.


    Hope this helps.