I have encountered issues with RADIUS authentication with an updated version of Comware 7. In my case, I was in over my head when we upgraded our HP 5130 switch from Comware version 7.1.045 Release 3109P09 to Comware version 7.1.045 Release 3112. With the same configuration, RADIUS authentication suddenly stopped working, so I was forced to use local authentication.
The resulting RADIUS debug logs from the switch showed my problem.
*Jan 1 20:49:49:596 2013 HPE RADIUS/7/PACKET:
Service-Type=Administrative-User
Hw-Exec-Privilege=3
Login-Service=50
Cisco-AVPair="shell:priv-lvl=15"
Cisco-AVPair="shell:roles="network-admin""
*Jan 1 20:49:49:596 2013 HPE RADIUS/7/PACKET:
02 de 00 68 16 ee 82 b6 be 07 13 8b 5e 9b 48 57
4e 47 4a f7 06 06 00 00 00 06 1a 0c 00 00 07 db
1d 06 00 00 00 03 0f 06 00 00 00 32 1a 19 00 00
00 09 01 13 73 68 65 6c 6c 3a 70 72 69 76 2d 6c
76 6c 3d 31 35 1a 23 00 00 00 09 01 1d 73 68 65
6c 6c 3a 72 6f 6c 65 73 3d 22 6e 65 74 77 6f 72
6b 2d 61 64 6d 69 6e 22
*Jan 1 20:49:49:597 2013 HPE RADIUS/7/ERROR:
Failed to map attribute to PAM item.
*Jan 1 20:49:49:597 2013 HPE RADIUS/7/ERROR:
Failed to fill reply data.
*Jan 1 20:49:49:597 2013 HPE RADIUS/7/EVENT:
Sent reply message successfully.
*Jan 1 20:49:49:598 2013 HPE RADIUS/7/EVENT:
PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 3
*Jan 1 20:49:49:598 2013 HPE RADIUS/7/EVENT:
PAM_RADIUS: Received authentication reply message, resultCode: 3
%Jan 1 20:49:49:602 2013 HPE SSHS/6/SSHS_LOG: Authentication failed for netadmin from 10.2.15.203 port 54908 because of invalid username or wrong password ssh2.
After some debugging, I found out that the multiple Cisco-AVPair strings were causing the problem. Selecting only one "shell:roles="network-admin"" in the RADIUS server fixed the issue.
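To see exactly what the RADIUS server put in that reply, the hex dump from the debug log can be decoded offline. The following is an added example, not part of the original post: the function names are my own, and it walks the packet per RFC 2865 and reports any vendor sub-attribute that appears more than once (vendor ID 9 is Cisco, 2011 is Huawei).

```python
import struct
from collections import Counter

# Bytes copied from the RADIUS/7/PACKET hex dump in the post.
PACKET = bytes.fromhex(
    "02 de 00 68 16 ee 82 b6 be 07 13 8b 5e 9b 48 57"
    "4e 47 4a f7 06 06 00 00 00 06 1a 0c 00 00 07 db"
    "1d 06 00 00 00 03 0f 06 00 00 00 32 1a 19 00 00"
    "00 09 01 13 73 68 65 6c 6c 3a 70 72 69 76 2d 6c"
    "76 6c 3d 31 35 1a 23 00 00 00 09 01 1d 73 68 65"
    "6c 6c 3a 72 6f 6c 65 73 3d 22 6e 65 74 77 6f 72"
    "6b 2d 61 64 6d 69 6e 22"
)

def tlvs(buf):
    """Yield (type, value) for each type/length/value record in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("bad attribute length at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def parse_radius(raw):
    """Return (code, identifier, attrs); attrs holds (vendor_id, type, value)."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("length field does not match packet size")
    attrs = []
    for atype, value in tlvs(raw[20:]):        # skip header + authenticator
        if atype == 26 and len(value) > 4:     # Vendor-Specific attribute
            vendor = struct.unpack("!I", value[:4])[0]
            attrs += [(vendor, st, sv) for st, sv in tlvs(value[4:])]
        else:
            attrs.append((None, atype, value))  # standard attribute, no vendor
    return code, ident, attrs

def repeated_vsas(attrs):
    """Return {(vendor_id, sub_type): count} for pairs seen more than once."""
    counts = Counter((v, t) for v, t, _ in attrs if v is not None)
    return {key: n for key, n in counts.items() if n > 1}

if __name__ == "__main__":
    code, ident, attrs = parse_radius(PACKET)
    print("code", code, "id", ident)
    for vendor, atype, value in attrs:
        print(vendor, atype, value)
    print("repeated:", repeated_vsas(attrs))
```

Run against the dump above, it reports code 2 (Access-Accept) and two Cisco sub-attributes of type 1, which matches the two Cisco-AVPair lines in the decoded log.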
As of this writing, the latest version, Comware version 7.1.045 Release 3113P05, seems to be fixed, as it can now receive multiple Cisco-AVPair strings.
Hopefully this helps others with the same problem.