Comware7 Radius based RBAC user-role assignment

In this post a quick overview of a sample Radius server configuration for admin authentication on Comware7 devices.

Comware7 is using a complete new authorization system compared to Comware5. In Comware5, there were the 4 levels (0-1-2-3) and that was basically it.

In Comware7, there are 15 different levels and admins can define their own roles, this is known as RBAC. The big difference with command authorization is the fact that RBAC simply allows the assignment of interfaces, features and Read/Write options, so you can easily grant full access to interface x , while preventing admin access to interface y.

Once you have defined new roles, you just need to assign them at login time to the correct user through the TACACS+ or RADIUS server.

In this article, the RADIUS server is configured and the default role “network-admin” is assigned to the network administrator.

Configuration steps:

  • Define a Windows group and test user
  • RADIUS Server: RADIUS Client Configuration (not part of this article)
  • RADIUS Server: Network Policy configuration to grant network-admin role
  • Comware7 Device: RADIUS Server configuration
  • Comware7 Device: Domain and line configuration
  • Verify
  • Network trace

The article has been tested with an HP 5900 R2307, Simware7 7.1.45 and the VSR1000 E0102.

Define a Windows group and test user

In this step a sample Windows group is created, a test user “net-admin” is defined and the user is made a member of the group.

20140315-cmw7-radius-rbac-001

RADIUS Server: Network Policy configuration

In this example, the Microsoft NPS Server is used. Install the NPS Server role on a Windows system and define a RADIUS client for the switch (steps not included in article).

Open the Network Policy Server management console.

  • Next, define a new Access Policy:

20140315-cmw7-radius-rbac-002

  • Enter a descriptive name for the policy.

20140315-cmw7-radius-rbac-003

  • Next you need to set the matching conditions for this policy. This example will check on:
    • Windows group “net-admins”
    • Service-type “login”

20140315-cmw7-radius-rbac-004

  • First add the Windows group condition:

20140315-cmw7-radius-rbac-005

 

20140315-cmw7-radius-rbac-006

  • The test group “net-admins” is selected.

20140315-cmw7-radius-rbac-007

20140315-cmw7-radius-rbac-008

  • Next add the service-type condition:

20140315-cmw7-radius-rbac-009

20140315-cmw7-radius-rbac-010

  • For the Service-Type, select “Login”

20140315-cmw7-radius-rbac-011

  • Verify the 2 conditions:

20140315-cmw7-radius-rbac-012

  • Leave the access permission to “access granted

20140315-cmw7-radius-rbac-013

  • Admin logins are basic RADIUS login requests, so make sure to enable the clear text PAP/SPAP methods:

20140315-cmw7-radius-rbac-014

  • No other constraints need to be configured:

20140315-cmw7-radius-rbac-015

  • In the settings which will be applied, select the “Vendor Specific” category.

20140315-cmw7-radius-rbac-016

  • Select the vendor “Cisco” and the “Cisco-AV-Pair” Attribute:

20140315-cmw7-radius-rbac-017

 

20140315-cmw7-radius-rbac-018

  • UPDATE 19/01/2015: I received input through the comments that currently the quotes are no longer required, so the command would now be shell:roles=network-admin (no more quotes). I have not checked this myself, but consider yourself updated now :). The screenshots in this post have not been updated to reflect this update !
  • Original post text:
    For the attribute value, set shell:roles=”network-admin”

20140315-cmw7-radius-rbac-019

 

  • Review the Vendor Specific settings and finish the wizard.

20140315-cmw7-radius-rbac-020

  • In the Network policy list, make sure the new policy is placed in front of the block all default policies:

20140315-cmw7-radius-rbac-021

 

Comware7 Device: RADIUS Server configuration

On the comware7 device, define a radius scheme. The simple password will be automatically saved with a ciphered version. Make sure the key matches the RADIUS Client definitions on the NPS server.

radius scheme nps
 primary authentication 10.0.1.100
 primary accounting 10.0.1.100
 key authentication simple hp
 key accounting simple hp
 user-name-format without-domain
#

Comware7 Device: Domain and line configuration

Next, configure an isp domain (in this example, the default domain system is updated) to use the radius server for administrative logins. Backup authentication is set to none in this example.

domain system
 authentication login radius-scheme nps none
 authorization login radius-scheme nps none
 accounting login radius-scheme nps none
#

Configure the line vty range to use the domain authentication scheme

line vty 0 63
 authentication-mode scheme

Verify the authentication

Now a telnet client connection is opened, and the test user “net-admin” can login to the device:

20140315-cmw7-radius-rbac-022

 

RADIUS network trace

  • In the network trace, the access request shows the service-type login 20140315-cmw7-radius-rbac-023
  • And the access accept shows the assigned network role

20140315-cmw7-radius-rbac-024

 

Comware roles

Admin roles can be listed on the comware device with the “display role” command.

This is the filtered example:

<device2>dis role | i Role
Role: network-admin
Role: network-operator
Role: level-0
Role: level-1
Role: level-2
Role: level-3
Role: level-4
Role: level-5
Role: level-6
Role: level-7
Role: level-8
Role: level-9
Role: level-10
Role: level-11
Role: level-12
Role: level-13
Role: level-14
Role: level-15
Role: security-audit

And this would be the detail of the role network-admin:

<device2>dis role name network-admin
Role: network-admin
  Description: Predefined network admin role has access to all commands on the device
  VLAN policy: permit (default)
  Interface policy: permit (default)
  VPN instance policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm   Type  Scope         Entity
  -------------------------------------------------------------------
  sys-1   permit       command       *
  sys-2   permit RWX   web-menu      -
  sys-3   permit RWX   xml-element   -
  sys-4   deny         command       display security-logfile summary
  sys-5   deny         command       system-view ; info-center securi
                                     ty-logfile directory *
  sys-6   deny         command       security-logfile save
  R:Read W:Write X:Execute

<device2>

 

This entry was posted in Comware7 and tagged , , , , , , , . Bookmark the permalink.

36 Responses to Comware7 Radius based RBAC user-role assignment

  1. Johan says:

    Very informative article, thank you. However, I get access denied. 😦

    • I would recommend to run through the configuration again and check each step:
      * radius server : client IP and secret
      * radius server : check logs (accept/reject)
      * radius server : verify the vendor-specific Cisco-AVPair does not contain any typo’s
      * comware device : make sure authentication/accounting and authorization are configured under the domain (I had a recent case where only authentication and authorization were configured, which also caused an access denied)
      * comware device : configure radius authentication and accounting and the key (secret) for both
      * comware device : perform radius debugging and verify access-accept packets are received from the radius server

      • Jonatan says:

        Thank you very much Peter.
        After hours with RADIUS authentication issue i look your article and this answer, nice.
        Everything works fine now.
        saved my friday hahaha

  2. Johan says:

    The logfile stated that I was denied because there was no corresponding Connection Request Policy. Created that and it works. It seems that when I get AAA to work, local password authentication is no longer possible. Do you know a way to combine RADIUS and local passwords?
    I enabled uthentication-mode scheme only on first 16 vty lines as seen in the display command:
    switch]dis line vty 5
    Idx Type Tx/Rx Modem Auth Int
    15 VTY 5 – A –
    30 VTY 20 – P –
    So, in theory, should I not be able to authenticate with the local password if I connected on vty 20?However, I have no idea if it is possible to specify a vty line at login.

    • Hi Johan,

      this is fairly simple through the domain concept. The post example configured the domain system with radius authentication, the domain system is also the default domain.
      This means that any login without the @ sign will be processed by the default domain (system). So a login “admin” will be processed like this, but a login “admin@system” would also be processed like this.
      So if you want to have local and remote, you must use 2 domains:
      1/ Keep e.g. domain system as default (default domain and default local user auth), define e.g. a local user “admin”
      2/ Define a new domain e.g. “central”, and configure the login radius auth on this domain. I assume a central radius user “net-admin” exists with proper configuration.

      Now at the vty login, you can login with:
      1/ admin > there is no @ sign, so default domain is used (system), which is still using the local auth
      2/ net-admin@central > @ sign, so the switch will process the “net-admin” username based on the “central” domain settings. These point to radius > radius login will be done. The radius server setting has “username-format without domain”, so the login request to the radius server will be username “net-admin”. Otherwise (username-format with domain), the login request to the radius server would be “net-admin@central”.

      So within a domain, only 1 method is possible (you can use local as backup if radius failed, but not “concurrent” login and radius).

      I hope this clarifies the setup !

      • And I forgot you can also reverse the default domain to the central (radius),so at the vty login:
        1/ admin@system > will use the domain system with local auth
        2/ net-admin > no @ sign, so use the default domain (configured to central) with radius

      • Dominic says:

        Hi Peter,

        Very helpful page, thanks for the info. You say that within a domain you can use local authentication as backup if radius fails – could you just clarify how that is done please? Is that what “authentication login radius-scheme xxx local” means, because “local” is listed after the radius scheme?

        Thanks!

      • Hi Dominic,

        Yes, the local keyword means the local user database will be used as backup in case the primary authentication method would be down

      • Dominic says:

        Also – apologies for the double post! – how does the Comware device decide when radius is unavailable in that scenario? Is it a ping to the specified IP address(es)?

        Thanks again.

      • That is controlled by several configuration options:
        1/ check of single radius server
        Each radius scheme can be configured with a primary and secondary radius server IP, so effectively 2 radius servers can be configured.
        The device will by default send the radius request to the primary server, at which point a timer is started (timer response-timeout).
        When the device does not receive a response (for whatever reason) within this timer period, it will resend the request (retry) and wait again.
        It will repeat this based on the configured “retry” value.
        Once all retries have failed, the single (by default primary) server status will be set to a BLOCKED state, which means it will not be used by the device anymore.
        If a secondary server has been configured on the radius scheme, the secondary (backup radius server) will be used at this point.

        The original radius server will remain in the BLOCKED state (not used) for the period configured by the quiet configuration parameter.
        Once the timer expired, the status changes to ACTIVE again and the device will attempt to use it again (based on first rules), if it fails again, it changes to BLOCKED again.

        radius scheme uam
        # wait timer for respone (default 3s)
        timer response-timeout 3
        # number of attempts (default 3) > default total 9 seconds
        retry 3
        # how long a failed server is in blocked state (default 5 min)
        timer quiet 5

        Above system will ensure:
        * detection of failed radius
        * avoids loosing time on every request to reach the original radius (thanks to the 5 min blocked state)
        * auto-recovery of using the primary radius if it comes back online (after 5 min timer expires)

        2/ failover of the primary authentication method to the secondary authentication method
        While rules above provide failover for primary/secondary radius, it could happen that the network is down or both radius servers are down.
        In this case, both primary and secondary servers will be in BLOCKED state, and the radius scheme object will be marked as failed.
        At this point, the secondary authentication method which can be configured on the domain scheme will be used (for example the local user database).

  3. Johan says:

    Worked just like you said. Thanks a lot for your help!

  4. Osama.R says:

    Very Informative article as always.. and even useful info in comment section!

    I am trying to configure domain system by a user logged in via telnet and i am getting the following error message:

    [HP]authorization default hwtacacs-scheme tacacs+ local
    There are user(s) online ,can not be configured.

    Under line vty 0 63 i do have authentication-mode scheme, which is using AAA for authentication but if i dont have console access, is their a way i can login via vty locally rather than scheme?

    • The easiest method will be to have a multi-step approach:
      1/ reconfigure lint vty 0 1
      configure password and set it to auth mode password
      2/ connect again with telnet, this should be with the password auth (this will ensure not scheme logins are active)
      3/ reconfigure the domain system
      4/ use additional telnet connections (the 3th telnet connection will be vty 3, which is still set to use the scheme auth) to test the new system
      5/ if validated ok, change the vty 0 1 to auth scheme again

  5. Osama.R says:

    Thanks a lot for the valuable input, i was able to resolve the issue, but just to add a point, for one of ours routers in the DVPN network having the role as VAM server, we were not able to execute the command authorization default hw-tacas ABC local under domain system,

    I tried it on another VAM Server router which was disconnected from uplinks and it took the command, so i concluded the user created with service-type dvpn with Spokes/Hubs registered might also interfere with the process of configuring tacacs server.

    • true, if you follow the default setup/config of the dvpn, a local user is defined e.g. dvpn-user, and on the remote end side, the username you enter would be “dvpn-user”. Since no @ sign is used, it will be authenticated using the default domain (which is system by default).

      So you would either have to change the default domain, or create a new domain for the dvpn users , e.g. dvpn-domain (default settings should be ok, since it uses local users for the auth), and configure the remote end to login with dvpn-user@dvpn-domain. That would ensure the logins are not processed by the default system domain.

  6. Dominic says:

    Thanks for your replies to both my questions – very helpful!

  7. Léo says:

    Hello

    First thank you for this clear howto.

    I’m having an issue on 5900 devices. I followed your howto, I can connect using SSH but then I get immediately disconnected.

    lscharf@10.xx.xx.xx‘s password:

    ******************************************************************************
    * Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P. *
    * Without the owner’s prior written consent, *
    * no decompiling or reverse-engineering shall be allowed. *
    ******************************************************************************

    Connection to 10.xx.xx.xx closed.

    I have 2 VTY lines and I can’t delete the second one, I don’t know if that could impact anything.

    line vty 0 15
    authentication-mode scheme
    user-role network-operator
    protocol inbound ssh
    idle-timeout 30 5
    #
    line vty 16 63
    authentication-mode scheme
    user-role network-operator

    Do you have any idea where this could be coming from ?

    Many thanks beforehand.
    Léo

    • Hi Leo,

      This is because there is a range of 64 (0 to 63) telnet sessions which can be configured (so you could have 64 concurrent telnet connections, the first connecting user would be on vty 0, the second telnet session on vty 1 etc).

      In your case, the first 16 sessions have a different configuration from the remaining telnet sessions. When you would ensure that they have the same config, the switch will show them on 1 line again.

      E.g.:
      line vty 16 63
      protocol inbound ssh
      idle-timeout 30 5

      That will ensure all telnet sessions have the same settings, so the config can show them as 1 range (line vty 0 63) again.

      As far as the ssh disconnect is concerned, you would need check the log files on the radius server and/or the log messages on the device (display log reverse).

      Best regards,Peter

  8. Dennis Ladefoged says:

    Hey, just wanted to add that shell:roles=”network-admin” should be without hyphens. Like this shell:roles=network-admin. Otherwise the switch won´t eat it 😀

    • Léo says:

      Yep, that was actually my issue in my previous comments.
      That should be corrected in your tutorial 😉

      Thanks.

    • Hi Dennis,

      Which switch/firmware release did you use for this ?
      I remember having to try various formats and at the time, this version with quotes did work for me (many other formats did not 🙂 ).
      So I am curious if this has changed at some point…
      thanks !

  9. ciobis says:

    Hi,

    I am trying to setup the backup authentication as local, for when Radius is not available, but, I cannot get it to work:
    here is my configuration and I am testing by disabling the Radius policy for this device:

    user-interface vty 0 15
    authentication-mode scheme
    user-role network-admin
    user-role network-operator
    protocol inbound ssh

    radius scheme switch-radius
    primary authentication x.x.x.x
    primary accounting x.x.x.x
    secondary authentication x.x.x.x
    secondary accounting x.x.x.x
    key authentication cipher key
    key accounting cipher key
    user-name-format without-domain
    #
    radius scheme system
    user-name-format without-domain
    #
    domain OURDOMAIN
    authentication login radius-scheme switch-radius
    authorization login radius-scheme switch-radius
    accounting login radius-scheme switch-radius
    #
    domain system
    authentication login radius-scheme system local
    authorization login radius-scheme system local
    accounting login radius-scheme system local

    local-user adminclass manage
    password hash password
    service-type ssh telnet
    authorization-attribute user-role network-operator
    authorization-attribute user-role network-admin

    domain default enable OURDOMAIN
    role default-role enable

    Thanks for help

    • Hi, you should update the domain configuration and add the local auth option as fallback:
      domain OURDOMAIN
      authentication login radius-scheme switch-radius local
      authorization login radius-scheme switch-radius local
      accounting login radius-scheme switch-radius local

  10. Dominic says:

    We were running 7.1.035 release 2210 on our 5920s, with RADIUS-authenticated SSH access as described above. Since upgrading to version 7.1.045 release 2311P05, this access no longer works – the SSH user is rejected with a “login failed” message, and the following log messages appear on the console port:

    SSHS/6/SSHS_LOG: Accepted password for user123 from 1.2.3.4 port 1346 ssh2.
    SSHS/6/SSHS_CONNECT: SSH user user123 (IP: 1.2.3.4) connected to the server successfully.
    LOGIN/6/LOGIN_FAILED: user123 failed to log in from 1.2.3.4.
    SSHS/6/SSHS_LOG: User user123 logged out from 1.2.3.4 port 1346.
    SSHS/6/SSHS_DISCONNECT: SSH user user123 (IP: 1.2.3.4) disconnected from the server.

    I saw the blog update about the use of quotes in the Cisco-AV-Pair attribute, so changed our config from shell:roles=”network-admin” to shell:roles=network-admin (no more quotes). Unfortunately this hasn’t solved the problem. I was just wondering if we are aware of anything else which has changed?

    • Dominic says:

      Apologies, should have looked more closely before posting last comment.. it was just our domain command “accounting primary x.x.x.x” which was missing!

  11. Chris says:

    Hey Peter, just wanted you to know this article is still helping people out there, coming from a Cisco shop this was extremely helpful. After hours of troubleshooting I remembered that my radius client key was set to a test value for the Comware 7 switch I was testing. Great article, much easier to read that HP’s stuff

  12. Mmoi says:

    Hi, I got a problem with my setup…
    I followed the tutorial and I’m able to connect to the switch. Unfortunately, the user role don’t seems to be applied. I get an “Permission denied.” on every command…
    I already tried to set the Cisco AV Pair value with and without quotes, with no change at all.

  13. sebus says:

    I never get to the prompt after this setup while trying SSH login to the switch
    Server 2012 R2 NPS

    NOT even with local user!!

    login as: me
    me@10.0.1.190‘s password:

    ******************************************************************************
    * Copyright (c) 2010-2015 Hewlett Packard Enterprise Development LP *
    * Without the owner’s prior written consent, *
    * no decompiling or reverse-engineering shall be allowed. *
    ******************************************************************************

  14. Eskimo says:

    Great article. Did the job for me. Thanks

  15. Juha says:

    Hi, Im trying this with a HPE 5120 SI with version 5.20, Release 1518
    I cannot get it to login with highest privileges. I’ve tried the vendor spesific method and user-interface vty 0 15 -> user privilede level 3 but nothing seems to do the job.

    It just says:
    >sys
    ^
    % Unrecognized command found at ‘^’ position.

  16. Merwin says:

    Hi, I’m trying to configure a HP A5120-24G-PoE+ EI. I was able to login but can’t switch to system-view. I’m stuck at user-view. Here is the config:
    domain default enable seldp
    #
    radius scheme system
    user-name-format without-domain
    radius scheme switch-radius
    primary authentication 10.0.3.254 10812
    primary accounting 10.0.3.254
    key authentication ANYKEY
    key accounting ANYKEY
    user-name-format without-domain
    #
    domain seldp
    authentication login radius-scheme switch-radius local
    authorization login radius-scheme switch-radius local
    accounting login radius-scheme switch-radius local
    authentication super radius-scheme switch-radius
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    domain system
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    #
    user-group system
    #
    local-user admin
    password cipher ***********
    authorization-attribute level 3
    service-type telnet terminal
    local-user sshadmin
    password cipher ************
    authorization-attribute level 3
    service-type ssh
    #
    user-interface vty 0 4
    authentication-mode scheme
    user-interface vty 5 15
    #

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s