drneopren

Domain login via RADIUS on 3Com 4500G

Hello,

I have the following problem.

I have configured a 3Com 4500G switch for RADIUS domain login as follows.

domain default enable domainlogin
#
radius scheme domainlogin
 server-type standard
 primary authentication <ip>
 primary accounting <ip>
 key authentication <key>
 key accounting <key>
 user-name-format without-domain
#
domain domainlogin
 authentication default radius-scheme domainlogin
 authorization default radius-scheme domainlogin
 accounting default radius-scheme domainlogin
 authentication login radius-scheme domainlogin
 authorization login radius-scheme domainlogin
 accounting login radius-scheme domainlogin
 access-limit enable 10 
 state active 
 idle-cut disable 
 self-service-url disable 
#
 ssh server enable
#
user-interface aux 0
 authentication-mode scheme 
user-interface vty 0 4
 authentication-mode scheme 
 user privilege level 3

I can also log in to the switch via console or via SSH with my domain login.

However, via SSH I only get into privilege mode 0 ... and when I try to go one level higher with "super", I get an error message.
Via console I can go up to privilege mode 3.

Does anyone have an idea what I need to change in the configuration so that users who connect to the switch via SSH also get into "manager" mode?

Best,
Neopren

Content-Key: 100981

Url: https://administrator.de/contentid/100981


Member: floaty
floaty Apr 03, 2010 at 17:35:59 (UTC)
this reply is probably two years too late again ... whatever, maybe it's useful for refurbished equipment : )

... just had the same problem at a customer (greetings at this point to the Middle Kingdom [ Chinese RADIUS servers have to be sold too ]), but the available documentation is like mud on an eel's belly.

I debugged the stuff with the local-server function of H3C (3Com) (unfortunately only my second idea) and dug out the undocumented RADIUS attributes:

tasks:

the following steps are based on a Debian/FreeRADIUS installation, but can be adapted to any other RADIUS server ...
adjust the dictionary of the RADIUS server:

add the special vendor attributes:

in my vendor file 29 was missing, and you need it!


 
vi /usr/share/freeradius/dictionary.h3c  

##############################################################################
#
#       Dictionary for Huawei-3Com.  See also dictionary.huawei
#
#       http://www.h3c.com
#
#       $Id: dictionary.h3c,v 1.2 2007/09/20 17:07:08 aland Exp $
#
##############################################################################

VENDOR          H3C                             25506

BEGIN-VENDOR    H3C

ATTRIBUTE       H3C-Connect_Id                          26      integer
ATTRIBUTE       H3C-Exec_Privilege                      29      integer
ATTRIBUTE       H3C-NAS-Startup-Timestamp               59      integer
ATTRIBUTE       H3C-Ip-Host-Addr                        60      string
ATTRIBUTE       H3C-Product-ID                          255     string

END-VENDOR      H3C



the local RADIUS of the 3Com 4210 switch delivers both the H3C and the 3Com attribute; feel free to experiment whether one of the two is enough ..!?

#
#       3com SuperStack Firewall dictionary
#       Bought from Sonicwall, apparently, from Enterprise number 8741.
#
#               $Id: dictionary.3com,v 1.8 2007/11/18 06:53:20 aland Exp $
#

VENDOR          3com                            43

#
#       These attributes contain the access-level value.
#
BEGIN-VENDOR    3com

ATTRIBUTE       3Com-User-Access-Level                  1       integer

#       Read-only access to basic network tools (ping, etc)
VALUE   3Com-User-Access-Level          3Com-Visitor            0

#       Read-only access to manageable (not security) parameters
VALUE   3Com-User-Access-Level          3Com-Monitor            1

#       Read-write access to manageable (not security) parameters
VALUE   3Com-User-Access-Level          3Com-Manager            2

#       Read-write access to all manageable parameters
VALUE   3Com-User-Access-Level          3Com-Administrator      3

ATTRIBUTE       3Com-VLAN-Name                          2       string
ATTRIBUTE       3Com-Mobility-Profile                   3       string
ATTRIBUTE       3Com-Encryption-Type                    4       string
ATTRIBUTE       3Com-Time-Of-Day                        5       string
ATTRIBUTE       3Com-SSID                               6       string

#       String formatted as: YY/MM/DD-HH:MM
#       NOT as a "date" attribute!  
ATTRIBUTE       3Com-End-Date                           7       string

#       Commented out, because the 3Com documentation
#       gives it the same number as End-Date, above.
#ATTRIBUTE      3Com-Start-Date                         7       string

#       URL where the user is redirected after WebAAA
ATTRIBUTE       3Com-URL                                8       string

ATTRIBUTE       3Com-Connect_Id                         26      integer
ATTRIBUTE       3Com-NAS-Startup-Timestamp              59      integer
ATTRIBUTE       3Com-Ip-Host-Addr                       60      string
ATTRIBUTE       3Com-Product-ID                         255     string

END-VENDOR      3com


that's the POINT !!! (3com-50 [ - named that by me - is SSH ] ... 3com-52 possibly FTP ... not tried and not sure !)

vi dictionary.rfc2865


#snipped .............
VALUE   Framed-Compression              IPX-Header-Compression  2
VALUE   Framed-Compression              Stac-LZS                3

#       Login Services

VALUE   Login-Service                   Telnet                  0
VALUE   Login-Service                   Rlogin                  1
VALUE   Login-Service                   TCP-Clear               2
VALUE   Login-Service                   PortMaster              3
VALUE   Login-Service                   LAT                     4
VALUE   Login-Service                   X25-PAD                 5
VALUE   Login-Service                   X25-T3POS               6
VALUE   Login-Service                   TCP-Clear-Quiet         8
VALUE   Login-Service                   3com-50                 50
VALUE   Login-Service                   3com-52                 52


#       Login-TCP-Port          (see /etc/services for more examples)

VALUE   Login-TCP-Port                  Telnet                  23
                 
#snipped .............


3Com / H3C switch config

domain default enable freerad

#                                                              
radius scheme freerad                         
 server-type extended                     
 primary authentication "freerad-ip"        
 primary accounting "freerad-ip"            
 accounting optional                      
 key authentication "freerad-key"                
 key accounting "freerad-key"                    
 user-name-format without-domain          
#                                         
domain freerad                               
 scheme radius-scheme freerad 
#
user-interface vty 0 4
 authentication-mode scheme
 accounting commands scheme
 user privilege level 3
 idle-timeout 60 0


FreeRADIUS users file


otto    Cleartext-Password := "XXXXXXXX"  
        Service-Type += Login-User,
        Login-Service += Telnet,
        Login-Service += 3com-50,
        H3C-Exec_Privilege = 3,
        3Com-User-Access-Level = 3Com-Administrator



 
login as: otto
otto@172.25.50.175's password:  

********************************************************************************
*  Copyright(c) 2004-2009 3Com Corp. and its licensors. All rights reserved.   *
*  Without the owner's prior written consent,                                  *  
*  no decompiling or reverse-engineering shall be allowed.                     *
********************************************************************************

<4210-FN09-175>
%Apr  3 17:22:40:784 2010 4210-FN09-175 SHELL/5/LOGIN:- 1 - otto(10.242.2.70) in unit1 login
<4210-FN09-175>
<4210-FN09-175>
<4210-FN09-175>?
User view commands:
  boot         Set boot option
  cd           Change current directory
  clock        Specify the system clock
  cluster      Run cluster command
  copy         Copy from one file to another
  debugging    Enable system debugging functions
  delete       Delete a file
  dir          List files on a file system
  display      Display current system information
  fixdisk      Recover lost chains in storage device
  format       Format the device
  free         Clear user terminal interface
  ftp          Open FTP connection
  lock         Lock current user terminal interface
  mkdir        Create a new directory
  more         Display the contents of a file
  move         Move a file
  nslookup     Query Internet name servers
  ntdp         Run NTDP commands
  ping         Ping function
  pwd          Display current working directory
  quit         Exit from current command view
  reboot       Reset switch
  rename       Rename a file or directory
  ---- More ----  
  : )



FreeRADIUS debug ...:

rad_recv: Access-Request packet from host 172.25.50.175 port 5001, id=161, length=200
        User-Name = "otto"  
        User-Password = "xxxxxxx"  
        NAS-IP-Address = 172.25.50.175
        NAS-Identifier = "00225728c426"  
        NAS-Port = 212993
        NAS-Port-Id = "unit=0;subslot=0;port=52;vlanid=1"  
        NAS-Port-Type = Ethernet
        Service-Type = Login-User
        Login-IP-Host = 0.0.0.0
        Calling-Station-Id = "0000-0000-0000"  
        Framed-IP-Address = 10.242.2.70
        H3C-Connect_Id = 195
        H3C-Product-ID = "4210"  
        H3C-Ip-Host-Addr = "10.242.2.70 00:00:00:00:00:00"  
        H3C-NAS-Startup-Timestamp = 954633312
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "otto", looking up realm NULL  
    rlm_realm: No such realm "NULL"  
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
    users: Matched entry otto at line 73
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type 
auth: type "PAP"  
+- entering group PAP
rlm_pap: login attempt with password "xxxxxxx"  
rlm_pap: Using clear text password "xxxxxxx"  
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [otto/xxxxxxx] (from client network-mgmt port 212993 cli 0000-0000-0000)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 161 to 172.25.50.175 port 5001
        Service-Type += Login-User
        Login-Service += Telnet
        Login-Service += 3com-50
        H3C-Exec_Privilege = 3
        3Com-User-Access-Level = 3Com-Administrator
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 172.25.50.175 port 5001, id=229, length=212
        User-Name = "otto"  
        NAS-Identifier = "00225728c426"  
        NAS-Port = 212993
        NAS-Port-Id = "unit=0;subslot=0;port=52;vlanid=1"  
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "0000-0000-0000"  
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Session-Id = "11100303173239"  
        Framed-IP-Address = 10.242.2.70
        NAS-IP-Address = 172.25.50.175
        Event-Timestamp = "Apr  3 2010 19:32:12 CEST"  
        Service-Type = Login-User
        Vendor-Specific = 0x2b000000010600000003
        H3C-Exec_Privilege = 3
        H3C-Ip-Host-Addr = "10.242.2.70 00:00:00:00:00:00"  
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 212993,Client-IP-Address = 172.25.50.175,NAS-IP-Address = 172.25.50.175,Acct-Session-Id = "11100303173239",User-Name = "otto"'  
rlm_acct_unique: Acct-Unique-Session-ID = "a8b5f5304c232977".  
++[acct_unique] returns ok
    rlm_realm: No '@' in User-Name = "otto", looking up realm NULL  
    rlm_realm: No such realm "NULL"  
++[suffix] returns noop
++[files] returns noop
+- entering group accounting
        expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/172.25.50.175/detail-20100403
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/172.25.50.175/detail-20100403
        expand: %t -> Sat Apr  3 19:17:47 2010
++[detail] returns ok
++[unix] returns ok
        expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
        expand: %{User-Name} -> otto
++[radutmp] returns ok
        expand: %{User-Name} -> otto
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 229 to 172.25.50.175 port 5001
Finished request 10.
Cleaning up request 10 ID 229 with timestamp +203
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 9 ID 161 with timestamp +202
Ready to process requests.


switch debug

<4210-FN09-175>
*1.1261557685 4210-FN09-175 SSH/8/debugging_msg_send:- 1 -SSH_VERSION_SEND message sent on VTY 2
*1.1261557799 4210-FN09-175 SSH/8/msg_rcv_vty:- 1 -SSH_VERSION_RECEIVE message received on VTY 2
*1.1261568575 4210-FN09-175 SSH/8/debug:- 1 -AAA auth: Successful to submit Login request (user name: otto).
*1.1261568582 4210-FN09-175 RDS/8/DEBUG:- 1 -Recv MSG,[MsgType=Normal auth request Index = 195, ulParam3=2183828452]
*1.1261568583 4210-FN09-175 RDS/8/DEBUG:- 1 -NAS name is too long, can not send Connect_port attribute
*1.1261568583 4210-FN09-175 RDS/8/DEBUG:- 1 -Send attribute list:
*1.1261568584 4210-FN09-175 RDS/8/DEBUG:- 1 -
[1  User-name                   ] [6 ] [otto]
[2  Password                    ] [18] [F2988323025E3865917930F89B48DB2D]
[4  NAS-IP-Address              ] [6 ] [172.25.50.175]
[32 NAS-Identifier              ] [14] [00225728c426]
[5  NAS-Port                    ] [6 ] [212993]
[87 NAS_Port_Id                 ] [35] [unit=0;subslot=0;port=52;vlanid=1]
*1.1261568585 4210-FN09-175 RDS/8/DEBUG:- 1 -
[61 NAS-Port-Type               ] [6 ] [15]
[3com-26 Connect_ID               ] [6 ] [195]
[6  Service-Type                ] [6 ] [1]
[14 Login-Host                  ] [6 ] [0.0.0.0]
[31 Caller-ID                   ] [16] [303030302D303030302D30303030]
[8  Framed-Address              ] [6 ] [10.242.2.70]
*1.1261568586 4210-FN09-175 RDS/8/DEBUG:- 1 -
[3com-255Product-ID               ] [6 ] [4210]
[3com-60 Ip-Host-Addr             ] [31] [10.242.2.70 00:00:00:00:00:00]
[3com-59 NAS-Startup-Timestamp    ] [6 ] [954633312]
*1.1261568587 4210-FN09-175 RDS/8/DEBUG:- 1 -Send: IP=[172.25.50.14], UserIndex=[195], ID=[161], RetryTimes=, Code=[1], Length=[200]
*1.1261568587 4210-FN09-175 RDS/8/DEBUG:- 1 -Send Raw Packet is:
*1.1261568588 4210-FN09-175 RDS/8/DEBUG:- 1 -
 01 a1 00 c8 d8 19 00 00 24 27 00 00 96 49 00 00 
 6b 75 00 00 01 06 6f 74 74 6f 02 12 f2 98 83 23 
 02 5e 38 65 91 79 30 f8 9b 48 db 2d 04 06 ac 19 
 32 af 20 0e 30 30 32 32 35 37 32 38 63 34 32 36 
 05 06 00 03 40 01 57 23 75 6e 69 74 3d 30 3b 73 
 75 62 73 6c 6f 74 3d 30 3b 70 6f 72 74 3d 35 32 
 3b 76 6c 61 6e 69 64 3d 31 3d 06 00 00 00 0f 06 
 06 00 00 00 01 0e 06 00 00 00 00 1f 10 30 30 30 
 30 2d 30 30 30 30 2d 30 30 30 30 08 06 0a f2 02 
 46 1a 37 00 00 63 a2 1a 06 00 00 00 c3 ff 06 34 
 32 31 30 3c 1f 31 30 2e 32 34 32 2e 32 2e 37 30 
 20 30 30 3a 30 30 3a 30 30 3a 30 30 3a 30 30 3a 
 30 30 3b 06 38 e6 8c 60 
 
*1.1261568596 4210-FN09-175 RDS/8/DEBUG:- 1 -Recv MSG,[MsgType=PKT response Index = 62, ulParam3=2183111092]
*1.1261568596 4210-FN09-175 RDS/8/DEBUG:- 1 -Receive Raw Packet is:
*1.1261568597 4210-FN09-175 RDS/8/DEBUG:- 1 -
 02 a1 00 3e 41 93 b1 ba e9 58 35 4e a4 7a 99 41 
 80 33 64 55 06 06 00 00 00 01 0f 06 00 00 00 00 
 0f 06 00 00 00 32 1a 0c 00 00 63 a2 1d 06 00 00 
 00 03 1a 0c 00 00 00 2b 01 06 00 00 00 03 
 
*1.1261568598 4210-FN09-175 RDS/8/DEBUG:- 1 -Receive:IP=[172.25.50.14],Code=[2],Length=[62]
*1.1261568598 4210-FN09-175 RDS/8/DEBUG:- 1 -
[6  Service-Type                ] [6 ] [1]
[15 Login-Service               ] [6 ] 
[15 Login-Service               ] [6 ] [50]
[3com-29 Exec_Privilege           ] [6 ] [3]
[3com-1  User_Access_Level        ] [6 ] [3]
*1.1261568604 4210-FN09-175 RDS/8/DEBUG:- 1 -Recv MSG,[MsgType=Account request Index = 195, ulParam3=0]
*1.1261568605 4210-FN09-175 RDS/8/DEBUG:- 1 -Send attribute list:
*1.1261568605 4210-FN09-175 RDS/8/DEBUG:- 1 -
[1  User-name                   ] [6 ] [otto]
[32 NAS-Identifier              ] [14] [00225728c426]
[5  NAS-Port                    ] [6 ] [212993]
[87 NAS_Port_Id                 ] [35] [unit=0;subslot=0;port=52;vlanid=1]
[61 NAS-Port-Type               ] [6 ] [15]
[31 Caller-ID                   ] [16] [303030302D303030302D30303030]
*1.1261568606 4210-FN09-175 RDS/8/DEBUG:- 1 -
[40 Acct-Status-Type            ] [6 ] [1]
[45 Acct-Authentic              ] [6 ] [1]
[44 Acct-Session-Id             ] [16] [11100303173239]
[8  Framed-Address              ] [6 ] [10.242.2.70]
[4  NAS-IP-Address              ] [6 ] [172.25.50.175]
[55 Event-Timestamp             ] [6 ] [1270315932]
*1.1261568607 4210-FN09-175 RDS/8/DEBUG:- 1 -
[3com-28 Ftp_Directory            ] [2 ] 
[6  Service-Type                ] [6 ] [1]
[3com-29 Exec_Privilege           ] [6 ] [3]
[3com-1  User_Access_Level        ] [6 ] [3]
[3com-60 Ip-Host-Addr             ] [31] [10.242.2.70 00:00:00:00:00:00]
*1.1261568607 4210-FN09-175 RDS/8/DEBUG:- 1 -Send: IP=[172.25.50.14], UserIndex=[195], ID=[229], RetryTimes=, Code=[4], Length=[212]
*1.1261568608 4210-FN09-175 RDS/8/DEBUG:- 1 -Send Raw Packet is:
*1.1261568608 4210-FN09-175 RDS/8/DEBUG:- 1 -
 04 e5 00 d4 a5 58 e0 76 37 5a 34 5c 15 17 ef 65 
 45 98 59 82 01 06 6f 74 74 6f 20 0e 30 30 32 32 
 35 37 32 38 63 34 32 36 05 06 00 03 40 01 57 23 
 75 6e 69 74 3d 30 3b 73 75 62 73 6c 6f 74 3d 30 
 3b 70 6f 72 74 3d 35 32 3b 76 6c 61 6e 69 64 3d 
 31 3d 06 00 00 00 0f 1f 10 30 30 30 30 2d 30 30 
 30 30 2d 30 30 30 30 28 06 00 00 00 01 2d 06 00 
 00 00 01 2c 10 31 31 31 30 30 33 30 33 31 37 33 
 32 33 39 08 06 0a f2 02 46 04 06 ac 19 32 af 37 
 06 4b b7 7b 9c 06 06 00 00 00 01 1a 0c 2b 00 00 
 00 01 06 00 00 00 03 1a 2d 00 00 63 a2 1c 02 1d 
 06 00 00 00 03 3c 1f 31 30 2e 32 34 32 2e 32 2e 
 37 30 20 30 30 3a 30 30 3a 30 30 3a 30 30 3a 30 
 30 3a 30 30 
 
*1.1261568617 4210-FN09-175 RDS/8/DEBUG:- 1 -Recv MSG,[MsgType=PKT response Index = 20, ulParam3=2183111092]
*1.1261568617 4210-FN09-175 RDS/8/DEBUG:- 1 -Receive Raw Packet is:
*1.1261568618 4210-FN09-175 RDS/8/DEBUG:- 1 -
 05 e5 00 14 72 74 cf d1 e2 74 d8 93 da d5 4b bf 
 7b 71 63 fe 
 
*1.1261568618 4210-FN09-175 RDS/8/DEBUG:- 1 -Receive:IP=[172.25.50.14],Code=[5],Length=[20]
*1.1261568619 4210-FN09-175 RDS/8/DEBUG:- 1 -NULL
*1.1261568621 4210-FN09-175 SSH/8/debug:- 1 -AAA auth: Write queue (result: 260, ID: 195, privilege: 3).
*1.1261568627 4210-FN09-175 SSH/8/debug:- 1 -AAA auth: Read queue (result: 260, ID: 195, privilege: 3).
*1.1261568921 4210-FN09-175 SSH/8/msg_rcv_vty:- 1 -SSH_MSG_REQUEST_PTY message received on VTY 2
*1.1261569099 4210-FN09-175 SSH/8/msg_rcv_vty:- 1 -SSH_MSG_START_SHELL message received on VTY 2
%Apr  3 17:32:13:505 2010 4210-FN09-175 SHELL/5/LOGIN:- 1 - otto(10.242.2.70) in unit1 login



of course you can also set up your own RADIUS server as a proxy and use the local RADIUS on a 3Com/H3C switch (it can digest a maximum of 7 RADIUS clients ... so from seven onwards you have to proxy), which saves the fiddling with the dictionary files ... ... actually someone could simply have handed Alan DeKok the relevant dictionaries ... and done ... whatever ...
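As an added example (not code from either post, from 3Com/H3C or from FreeRADIUS), the following Python decoder parses the two raw packets the 4210 printed in its RDS/8/DEBUG output above, the 62-byte Access-Accept and the 212-byte Accounting-Request, and names the attributes with the vendor ids from the dictionaries quoted earlier (H3C = 25506, 3Com = 43, RFC 2865/2866 attribute numbers). Only the packet bytes and those dictionary numbers come from the thread; the function and table names are this example's own. Decoding the Access-Accept shows where the privilege for the SSH session actually arrives: in the two vendor-specific attributes H3C-Exec_Privilege = 3 (25506/29) and 3Com-User-Access-Level = 3 (43/1), next to the two Login-Service values 0 (Telnet) and 50.

```python
"""Decode the raw RADIUS packets from the 4210's RDS/8/DEBUG output above.
Added example, not code from the thread, 3Com/H3C or FreeRADIUS; vendor ids and
attribute numbers are the public dictionary values, the names here are my own."""
import struct

RADIUS_CODE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 5: "Accounting-Response"}
ATTR_NAME = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
             6: "Service-Type", 8: "Framed-IP-Address", 15: "Login-Service",
             31: "Calling-Station-Id", 32: "NAS-Identifier", 40: "Acct-Status-Type",
             44: "Acct-Session-Id", 45: "Acct-Authentic", 55: "Event-Timestamp",
             61: "NAS-Port-Type", 87: "NAS-Port-Id"}
INTEGER_ATTRS = {5, 6, 15, 40, 45, 55, 61}
IPADDR_ATTRS = {4, 8}
VENDOR_H3C, VENDOR_3COM = 25506, 43          # dictionary.h3c / dictionary.3com
VSA_NAME = {(VENDOR_H3C, 28): "H3C-Ftp_Directory", (VENDOR_H3C, 29): "H3C-Exec_Privilege",
            (VENDOR_H3C, 60): "H3C-Ip-Host-Addr", (VENDOR_3COM, 1): "3Com-User-Access-Level"}
VSA_STRING = {(VENDOR_H3C, 28), (VENDOR_H3C, 60)}

# Access-Accept the switch received (the 62-byte "Receive Raw Packet" above).
ACCESS_ACCEPT = bytes.fromhex(
    "02 a1 00 3e 41 93 b1 ba e9 58 35 4e a4 7a 99 41 80 33 64 55 06 06 00 00 00 01 0f 06 00 00 00 00"
    " 0f 06 00 00 00 32 1a 0c 00 00 63 a2 1d 06 00 00 00 03 1a 0c 00 00 00 2b 01 06 00 00 00 03")
# Accounting-Request the switch sent after the login (the 212-byte "Send Raw Packet").
ACCT_REQUEST = bytes.fromhex(
    "04 e5 00 d4 a5 58 e0 76 37 5a 34 5c 15 17 ef 65 45 98 59 82 01 06 6f 74 74 6f 20 0e 30 30 32 32"
    " 35 37 32 38 63 34 32 36 05 06 00 03 40 01 57 23 75 6e 69 74 3d 30 3b 73 75 62 73 6c 6f 74 3d 30"
    " 3b 70 6f 72 74 3d 35 32 3b 76 6c 61 6e 69 64 3d 31 3d 06 00 00 00 0f 1f 10 30 30 30 30 2d 30 30"
    " 30 30 2d 30 30 30 30 28 06 00 00 00 01 2d 06 00 00 00 01 2c 10 31 31 31 30 30 33 30 33 31 37 33"
    " 32 33 39 08 06 0a f2 02 46 04 06 ac 19 32 af 37 06 4b b7 7b 9c 06 06 00 00 00 01 1a 0c 2b 00 00"
    " 00 01 06 00 00 00 03 1a 2d 00 00 63 a2 1c 02 1d 06 00 00 00 03 3c 1f 31 30 2e 32 34 32 2e 32 2e"
    " 37 30 20 30 30 3a 30 30 3a 30 30 3a 30 30 3a 30 30 3a 30 30")

def _tlvs(buf, pos):
    """Walk type/length/value triples from pos to the end of buf, checking each length."""
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError(f"bad attribute length at offset {pos}")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def _decode(atype, value):
    """Decode a standard attribute by the data type its dictionary entry gives it."""
    if atype in INTEGER_ATTRS and len(value) == 4:
        return struct.unpack("!I", value)[0]
    if atype in IPADDR_ATTRS and len(value) == 4:
        return ".".join(str(b) for b in value)
    return value.hex() if atype == 2 else value.decode("ascii", "replace")

def _parse_vsa(value):
    """Split one Vendor-Specific (26) attribute into named vendor sub-attributes."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific attribute too short")
    vendor = struct.unpack("!I", value[:4])[0]
    if vendor not in (VENDOR_H3C, VENDOR_3COM):
        # No dictionary for this vendor id: hand back the raw bytes, exactly as
        # FreeRADIUS did for "Vendor-Specific = 0x2b000000010600000003" above.
        return [("Vendor-Specific", "0x" + value.hex())]
    out = []
    for vtype, data in _tlvs(value, 4):
        name = VSA_NAME.get((vendor, vtype), f"Vendor-{vendor}-Attr-{vtype}")
        if (vendor, vtype) in VSA_STRING:
            out.append((name, data.decode("ascii", "replace")))
        else:
            out.append((name, struct.unpack("!I", data)[0] if len(data) == 4 else data.hex()))
    return out

def parse_radius(raw):
    """Parse one RADIUS packet into header fields plus an ordered (name, value) list."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes")
    attrs = []
    for atype, value in _tlvs(raw, 20):
        if atype == 26:
            attrs.extend(_parse_vsa(value))
        else:
            attrs.append((ATTR_NAME.get(atype, f"Attr-{atype}"), _decode(atype, value)))
    return {"code": RADIUS_CODE.get(code, code), "id": ident, "length": length,
            "authenticator": raw[4:20].hex(), "attrs": attrs}

def get(pkt, name):
    """All values of one attribute in wire order (RADIUS allows repeats, e.g. Login-Service)."""
    return [v for n, v in pkt["attrs"] if n == name]

def granted_privilege(pkt):
    """What an Access-Accept actually authorises for the CLI session on the switch."""
    return {"login_services": get(pkt, "Login-Service"),
            "exec_privilege": get(pkt, "H3C-Exec_Privilege"),
            "access_level": get(pkt, "3Com-User-Access-Level")}

if __name__ == "__main__":
    print(granted_privilege(parse_radius(ACCESS_ACCEPT)))
```

Run it over the Accounting-Request and the decoder returns the same raw Vendor-Specific = 0x2b000000010600000003 that FreeRADIUS logged: in that packet the switch wrote the 3Com vendor id as the bytes 2b 00 00 00 instead of the network-order 00 00 00 2b that RFC 2865 specifies (and that FreeRADIUS used in its own Access-Accept, where the 4210 decoded it fine), so no dictionary entry matches it. If you ever try to match on the 3Com access-level VSA in accounting records, use the H3C copy (25506/29), which the switch encodes correctly in both directions.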