Radius authentication through management interface fails

Created Apr 24, 2017 08:50:33, latest reply Apr 24, 2017 09:21:04

On a CloudEngine 6800, the customer was using RADIUS authentication for SSH via the management interface, and the authentication failed.

Software version CE6850HI-V100R005C10SPC200.cc.

Configuration:

#

radius server group rtve
radius server shared-key-cipher xxxxxxxxxxxxxxxxxx
radius server authentication x.x.128.28 1812
radius server accounting x.x.128.28 1813
radius server retransmit 2
radius server source interface MEth0/0/0
radius server user-name domain-excluded

#
authentication-scheme default
  authentication-mode radius local
#
authentication-scheme auth
  authentication-mode local radius
#
authorization-scheme default
#
accounting-scheme default
#
accounting-scheme abc
  accounting-mode radius
#
domain default
#
domain default_admin
  authentication-scheme auth
  accounting-scheme abc
  adminuser-priority 15
  radius server group rtve

#
stelnet server enable
ssh user admin
ssh user admin authentication-type all
ssh user admin service-type all
ssh authorization-type default aaa
#
ssh server cipher aes256_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc blowfish_cbc
ssh server hmac sha2_256_96 sha2_256 sha1 sha1_96
#
interface MEth0/0/0
ip address 10.50.226.89 255.255.255.240


ms.america     Created Apr 24, 2017 09:21:04

1. First, check whether the RADIUS server is reachable from the CE switch. Ping from the RADIUS server to the MEth0/0/0 interface IP and the reverse is successful.

2. The next step is to enable debugging for the AAA system while the user is trying to connect to the system by SSH.


Open debugging:
<R7_U18_CE6850> debugging radius all
<R7_U18_CE6850> t d
Info: Current terminal debugging is on.
<R7_U18_CE6850> t m
Info: Current terminal monitor is on.

Try to connect by SSH/STelnet and collect the debugging output.


At this step, the system did not return any output unless the customer tried to access the system with a local user. Remote users defined in RADIUS did not trigger any output.


Root Cause

Since AAA did not trigger any logging for remote RADIUS-defined users, I reviewed the SSH configuration again. It looks like the customer defined only one user locally in the system.

ssh user admin
ssh user admin authentication-type all
ssh user admin service-type all
ssh authorization-type default aaa

For this user, the authentication succeeded.


Solution

Of course, defining all users locally on the CE switch is not scalable, but with "ssh authentication-type default password" the system will allow RADIUS authentication for all users that use an SSH connection.

Solution:

# Configure the password authentication mode for an SSH user.
<HUAWEI> system-view
[~HUAWEI] ssh authentication-type default password
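A configuration check for the failure mode described in this thread, added here as an example; it is not part of the post or of any Huawei tooling. The sample configuration is constructed from the lines above with a placeholder RADIUS address, and it flags a device that has no default SSH authentication type, so only explicitly defined "ssh user" accounts are ever passed to AAA.

```python
# Constructed sample, not a live device: the SSH/AAA-relevant lines of the
# CE6850 configuration from the thread, with a placeholder RADIUS address.
SAMPLE_CONFIG = """\
radius server group rtve
radius server authentication 192.0.2.28 1812
radius server source interface MEth0/0/0
authentication-scheme auth
  authentication-mode local radius
domain default_admin
  authentication-scheme auth
  radius server group rtve
ssh user admin
ssh user admin authentication-type all
ssh authorization-type default aaa
"""

def parse_blocks(config):
    """Split a VRP-style config into (command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_ssh_aaa(config):
    """Flag the thread's misconfiguration: without 'ssh authentication-type
    default', RADIUS-only users never reach AAA and fail without any debug output."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    ssh_users = sorted({h.split()[2] for h in headers if h.startswith("ssh user ") and len(h.split()) > 2})
    default_auth = next((h.split()[-1] for h in headers
                         if h.startswith("ssh authentication-type default ")), None)
    groups = {h.split()[-1] for h in headers if h.startswith("radius server group ")}
    bound = next((c.split()[-1] for h, subs in blocks if h == "domain default_admin"
                  for c in subs if c.startswith("radius server group ")), None)
    findings = []
    if default_auth is None:
        findings.append("no 'ssh authentication-type default': only %s can log in via SSH"
                        % (", ".join(ssh_users) or "nobody"))
    if bound is None:
        findings.append("domain default_admin binds no radius server group")
    elif bound not in groups:
        findings.append("domain default_admin binds undefined group %s" % bound)
    return {"ssh_users": ssh_users, "default_auth": default_auth,
            "bound_group": bound, "findings": findings}
```

Appending the "ssh authentication-type default password" line from the solution to the sample clears the finding.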
