ecajigas asked:
3Com switches: user authenticated by RADIUS not getting admin privileges, and no access available with RADIUS service down

Hi,

I got some basic level of functionality authenticating users that log in to 3Com switches against a RADIUS server. The problem is that I cannot get the user to obtain admin privileges. I'm using Microsoft's IAS service. According to the 3Com documentation, when configuring the access policy on IAS the value 010600000003 has to be used to specify the admin access level. That value has to be entered in the Dial-in profile section:

010600000003 - indicates admin privileges
010600000002 - manager
010600000001 - monitor
010600000000 - visitor

Here is the configuration on the switch:

radius scheme system
 server-type standard
 primary authentication XXX.XXX.XXX.XXX
 accounting optional
 key authentication XXXXXX
 key accounting XXXXXX
#
domain system
 scheme radius-scheme system
#
local-user admin
 service-type ssh telnet terminal
 level 3
local-user manager
 service-type ssh telnet terminal
 level 2
local-user monitor
 service-type ssh telnet terminal
 level 1

The configuration is working with the IAS server because I can see the user login events with the Event Viewer tool.

Here is the output of the DISPLAY RADIUS command at the switch:

 [4500]disp radius
 
------------------------------------------------------------------

SchemeName  =system                           Index=0    Type=standard
Primary Auth IP  =XXX.XXX.XXX.XXX  Port=1645   State=active
Primary Acct IP  =127.0.0.1        Port=1646   State=active
Second  Auth IP  =0.0.0.0          Port=1812   State=block
Second  Acct IP  =0.0.0.0          Port=1813   State=block
Auth Server Encryption Key= XXXXXX
Acct Server Encryption Key= XXXXXX
Accounting method = optional
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts       =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min)                             =5
Username format                                 =without-domain
Data flow unit                                  =Byte
Packet unit                                     =1


------------------------------------------------------------------

Total 1 RADIUS scheme(s). 1 listed

Here is the output of the DISPLAY DOMAIN and DISPLAY CONNECTION commands after users log into the switch:

[4500]display domain
0  Domain = system
   State = Active
   RADIUS Scheme = system
   Access-limit = Disable
   Domain User Template:
   Idle-cut = Disable
   Self-service = Disable
   Messenger Time = Disable

Default Domain Name: system
Total 1 domain(s).1 listed.


[4500]display connection
Index=0   ,Username=admin@system
 IP=0.0.0.0

Index=2   ,Username=ecajigas@system
 IP=xxx.xxx.xxx.xxx

 On Unit 1:Total 2 connections matched, 2 listed.
 Total 2 connections matched, 2 listed.
[4500]

Here is the DISP RADIUS STATISTICS:

[4500]
%Apr  2 00:23:39:957 2000 4500 SHELL/5/LOGIN:- 1 - ecajigas(xxx.xxx.xxx.xxx) in unit1 login
disp radius stat
state statistic(total=1048):
     DEAD=1046     AuthProc=0        AuthSucc=0
AcctStart=0         RLTSend=0         RLTWait=2
 AcctStop=0          OnLine=2            Stop=0
 StateErr=0

Received and Sent packets statistic:
Unit 1........................................
Sent PKT total  :4        Received PKT total:1
Resend Times     Resend total
1                1
2                1
Total            2
RADIUS received packets statistic:
Code= 2,Num=1       ,Err=0
Code= 3,Num=0       ,Err=0
Code= 5,Num=0       ,Err=0
Code=11,Num=0       ,Err=0

Running statistic:
RADIUS received messages statistic:
Normal auth request             , Num=1       , Err=0       , Succ=1
EAP auth request                , Num=0       , Err=0       , Succ=0
Account request                 , Num=1       , Err=0       , Succ=1
Account off request             , Num=0       , Err=0       , Succ=0
PKT auth timeout                , Num=0       , Err=0       , Succ=0
PKT acct_timeout                , Num=3       , Err=1       , Succ=2
Realtime Account timer          , Num=0       , Err=0       , Succ=0
PKT response                    , Num=1       , Err=0       , Succ=1
EAP reauth_request              , Num=0       , Err=0       , Succ=0
PORTAL access                   , Num=0       , Err=0       , Succ=0
Update ack                      , Num=0       , Err=0       , Succ=0
PORTAL access ack               , Num=0       , Err=0       , Succ=0
Session ctrl pkt                , Num=0       , Err=0       , Succ=0
RADIUS sent messages statistic:
Auth accept                     , Num=0
Auth reject                     , Num=0
EAP auth replying               , Num=0
Account success                 , Num=0
Account failure                 , Num=0
Cut req                         , Num=0
RecError_MSG_sum:0        SndMSG_Fail_sum :0
Timer_Err       :0        Alloc_Mem_Err   :0
State Mismatch  :0        Other_Error     :0

No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0

The other problem is that when the RADIUS server is not available I cannot log in to the switch. The switch has 3 local accounts but none of them works. How can I configure the switch to use the local accounts in case the RADIUS service is not available?

mikebernhardt replied:

I can't help you with the local login piece, but many devices allow you to configure multiple methods in order of desired use. Read your documentation.

I think what you need to do on the IAS side is to go into your IAS policy and click on the Edit Profile button and then the Advanced tab. Then click on the Add button. Select Vendor-Specific, then the Add button. In the drop-down menu select 3Com. Click the "Yes it conforms" or "No it doesn't" button (3Com will have to answer that question for sure, but I suspect it's "Yes") and then Configure Attribute.

From there add the Attribute Value they gave you, exit out and hopefully it will work!
ecajigas (asker) replied:

Mike,

From the documentation I got the values that I mentioned in the original post. The IAS side is working fine since, as I said, I can see the user events with Event Viewer; the "yes/no it conforms" option was already tried.

Thanks.

I would get a sniffer like Wireshark and capture the packets coming back from IAS to the switch. Detailed viewing of the packets will tell you whether IAS is sending back the expected information in the right way.

Also, you might try putting quotation marks around "010600000003" since it's a string. Or is it a hex value? In that case it needs to be preceded by 0x, as in 0x010600000003.

Been very busy recently.

I will follow your suggestion about using quotation marks to see what happens. The user's guide has the string without quotes and I just followed that, but for the Cisco I'm using the quotes, so let's see what happens.

With or without the double quotes I got the same result. The user gets authenticated but without administrative access. I checked the Event Viewer and the system logs the time of the login, but no additional error messages are listed.
I forgot to mention that syslog is also registering the username with the IP of the RADIUS server at each login/logout of the user.
All I can think then is that
1. the format of the string is incorrect and the switch doesn't recognize it, or
2. the switch has a bug and doesn't recognize it.
I will try to get another switch. What about using the admin local account when the RADIUS server is not available?

The link directs me to the 3Com knowledge base but returns a blank document. I double-checked the type to be Hex; not only that, but the documentation that I have also says that it has to be a VSA (non-RFC-compliant) value. I also put the 3Com policy on top of the Cisco one.

Still the same problem: the user gets authenticated but I cannot use the system command to switch to administrator mode. Then I noticed the following when connecting using the AUX port:


*********************************************************
*          All rights reserved (1997-2007)              *
*      Without the owner's prior written consent,       *
*no decompiling or reverse-engineering shall be allowed.*
*********************************************************

User interface aux0 is available.



Please press ENTER.


Login authentication


Username:ecajigas
Password:
<4500>
%Apr 21 01:15:01:342 2000 4500 SHELL/5/LOGIN:- 1 - ecajigas(aux0) in unit1 login
<4500>
<4500>
<4500>system
      ^
 % Unrecognized command found at '^' position.
<4500>?
User view commands:
  language-mode  Specify the language environment
  ping           Ping function
  quit           Exit from current command view
  super          Set the current user priority level
  telnet         Establish one TELNET connection
  tracert        Trace route function

<4500>super
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

<4500>system

System View: return to User View with Ctrl+Z.
[4500]

As you can see there, I was not able to use the system command, but then after typing the super command the system displays that I'm already at level 3 (manage) and after that the system command works. The problem is that I tried that using telnet and it didn't work because it returns "password is not set" after using the super command:


*********************************************************
*          All rights reserved (1997-2007)              *
*      Without the owner's prior written consent,       *
*no decompiling or reverse-engineering shall be allowed.*
*********************************************************


Login authentication


Username:ecajigas
Password:
<4500>
%Apr 21 01:21:08:641 2000 4500 SHELL/5/LOGIN:- 1 - ecajigas(xxx.xxx.xxx.xxx) in unit1 login
<4500>
<4500>system
      ^
 % Unrecognized command found at '^' position.
<4500>
<4500>?
User view commands:
  language-mode  Specify the language environment
  ping           Ping function
  quit           Exit from current command view
  super          Set the current user priority level
  telnet         Establish one TELNET connection
  tracert        Trace route function
<4500>
<4500>super
 % Password is not set
<4500>
<4500>system
      ^
 % Unrecognized command found at '^' position.
<4500>

I'm already using the same server to authenticate users for Cisco devices; the only difference is that you use "shell:priv-lvl=15" as a string value and a VSA (RFC compliant). With that the user logs in as administrator without needing to provide an enable password, since the priv-lvl is already 15 (like using the username command in IOS).

This is so frustrating. I guess when I checked that link yesterday, I had the page I wanted cached. I am trying to find it again, as it had step by step instructions for IAS configuration to return the proper codes!
I think they are hosed up, as the search page says I have viewed a page with the correct title. But the page has <> on it instead of text.

What I can tell you, partly from memory and partly from looking at their config for a different RADIUS server:

Edit Profile button and then the Advanced tab. Then click on the Add button. Select Vendor-Specific, then the Add button. In the drop-down menu select 3Com. Click "Yes it conforms" and click "Configure Attribute".
Vendor ID code = 43
Attribute number =26   < DID YOU HAVE THIS BEFORE?
Attribute type = Hex
Enter the attribute as you listed it in your original question, not with 0x as I suggested.
I will work with this, but I have a lot of work at other sites so I'm gonna be in and out of the office. I will let you know the results.

Ok, I'm back; sorry for the long delay.

Ok, I tried everything you told me but still the same result: the user gets authenticated, I can see it logged with the Event Viewer, but no admin access from telnet. From the console I can get admin level only after using the super command.


(attachment: Clipboard01.jpg)
I think you need to put 26 in the top field and 010600000003 as an attribute value. 43 is the vendor code which you can use instead of "3Com" in the previous screen. It is possible that 3Com has more than one vendor code.
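To make the attribute layout discussed in this thread concrete, here is an added Python example (not code from the thread, from 3Com or from Microsoft) that builds and decodes the RADIUS Vendor-Specific attribute (type 26) for vendor 43. It assumes the hex string entered in IAS, 010600000003, is itself the 3Com sub-attribute: type 1, length 6, then a 4-byte big-endian level, which is my reading of the values quoted above.

```python
import struct

VENDOR_3COM = 43            # vendor ID the thread gives for 3Com
VSA_TYPE = 26               # RADIUS Vendor-Specific attribute (RFC 2865)
SUB_ACCESS_LEVEL = 1        # assumed 3Com sub-attribute type carrying the level
LEVEL_NAMES = {0: "visitor", 1: "monitor", 2: "manager", 3: "admin"}


def parse_ias_value(text):
    """Decode the hex string typed into IAS (e.g. "010600000003") as a
    3Com sub-attribute: type(1) length(1) value(4, big-endian).
    Quotes and a leading 0x, both tried in the thread, are tolerated."""
    cleaned = text.strip().strip('"')
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    raw = bytes.fromhex(cleaned)          # ValueError on odd/non-hex input
    if len(raw) != 6:
        raise ValueError("3Com access-level sub-attribute must be 6 bytes")
    sub_type, sub_len, level = struct.unpack("!BBI", raw)
    if sub_type != SUB_ACCESS_LEVEL or sub_len != 6:
        raise ValueError("not a 3Com access-level sub-attribute")
    return {"level": level, "name": LEVEL_NAMES.get(level, "unknown")}


def build_vsa(level):
    """Return attribute 26 as it would appear on the wire in an Access-Accept:
    type, length, 4-byte vendor ID, then the vendor sub-attribute."""
    if level not in LEVEL_NAMES:
        raise ValueError(f"unknown 3Com access level {level}")
    sub = struct.pack("!BBI", SUB_ACCESS_LEVEL, 6, level)
    body = struct.pack("!I", VENDOR_3COM) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_vsa(attr):
    """Parse a captured attribute 26; raise ValueError when it is not the
    3Com access-level VSA, so a wrong vendor or layout in IAS is visible."""
    if len(attr) < 8 or attr[0] != VSA_TYPE or attr[1] != len(attr):
        raise ValueError("malformed Vendor-Specific attribute")
    vendor = struct.unpack("!I", attr[2:6])[0]
    if vendor != VENDOR_3COM:
        raise ValueError(f"vendor {vendor} is not 3Com (43)")
    return parse_ias_value(attr[6:].hex())


if __name__ == "__main__":
    wire = build_vsa(3)
    print(wire.hex())            # 1a0c0000002b010600000003
    print(decode_vsa(wire))      # {'level': 3, 'name': 'admin'}
```

Running `decode_vsa` over the attribute 26 bytes from a Wireshark capture of the Access-Accept shows whether IAS is returning vendor 43 with the level the profile was meant to send.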
ASKER CERTIFIED SOLUTION (by ecajigas)