Hi,
First post here. I did a search but didn't find a solution for my problem.
I got some basic level of functionality authenticating users that log on to 3Com switches against a RADIUS server. The problem is that I cannot get the user to obtain admin privileges. I'm using Microsoft's IAS service. According to the 3Com documentation, when configuring the access policy on IAS the value 010600000003 has to be used to specify the admin access level. That value has to be entered in the Dial-in profile section:
010600000003 - indicates admin privileges
010600000002 - manager
010600000001 - monitor
010600000000 - visitor
Here is the configuration on the switch:
radius scheme system
server-type standard
primary authentication XXX.XXX.XXX.XXX
accounting optional
key authentication XXXXXX
key accounting XXXXXX
#
domain system
scheme radius-scheme system
#
local-user admin
service-type ssh telnet terminal
level 3
local-user manager
service-type ssh telnet terminal
level 2
local-user monitor
service-type ssh telnet terminal
level 1
The configuration is working with the IAS server, because I can check the user login events with the Event Viewer tool.
Here is the output of the DISPLAY RADIUS command at the switch:
[4500]disp radius
------------------------------------------------------------------
SchemeName =system Index=0 Type=standard
Primary Auth IP =XXX.XXX.XXX.XXX Port=1645 State=active
Primary Acct IP =127.0.0.1 Port=1646 State=active
Second Auth IP =0.0.0.0 Port=1812 State=block
Second Acct IP =0.0.0.0 Port=1813 State=block
Auth Server Encryption Key= XXXXXX
Acct Server Encryption Key= XXXXXX
Accounting method = optional
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =1
------------------------------------------------------------------
Total 1 RADIUS scheme(s). 1 listed
Here is the output of the DISPLAY DOMAIN and DISPLAY CONNECTION commands after users log into the switch:
[4500]display domain
0 Domain = system
State = Active
RADIUS Scheme = system
Access-limit = Disable
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Messenger Time = Disable
Default Domain Name: system
Total 1 domain(s).1 listed.
[4500]display connection
Index=0 ,Username=admin@system
IP=0.0.0.0
Index=2 ,Username=3d1l@system
IP=xxx.xxx.xxx.xxx
On Unit 1:Total 2 connections matched, 2 listed.
Total 2 connections matched, 2 listed.
[4500]
Here is the DISP RADIUS STATISTICS:
[4500]
%Apr 2 00:23:39:957 2000 4500 SHELL/5/LOGIN:- 1 - 3d1l(xxx.xxx.xxx.xxx) in un it1 logindisp radius stat
state statistic(total=1048):
DEAD=1046 AuthProc=0 AuthSucc=0
AcctStart=0 RLTSend=0 RLTWait=2
AcctStop=0 OnLine=2 Stop=0
StateErr=0
Received and Sent packets statistic:
Unit 1........................................
Sent PKT total :4 Received PKT total:1
Resend Times Resend total
1 1
2 1
Total 2
RADIUS received packets statistic:
Code= 2,Num=1 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=0 ,Err=0
Code=11,Num=0 ,Err=0
Running statistic:
RADIUS received messages statistic:
Normal auth request , Num=1 , Err=0 , Succ=1
EAP auth request , Num=0 , Err=0 , Succ=0
Account request , Num=1 , Err=0 , Succ=1
Account off request , Num=0 , Err=0 , Succ=0
PKT auth timeout , Num=0 , Err=0 , Succ=0
PKT acct_timeout , Num=3 , Err=1 , Succ=2
Realtime Account timer , Num=0 , Err=0 , Succ=0
PKT response , Num=1 , Err=0 , Succ=1
EAP reauth_request , Num=0 , Err=0 , Succ=0
PORTAL access , Num=0 , Err=0 , Succ=0
Update ack , Num=0 , Err=0 , Succ=0
PORTAL access ack , Num=0 , Err=0 , Succ=0
Session ctrl pkt , Num=0 , Err=0 , Succ=0
RADIUS sent messages statistic:
Auth accept , Num=0
Auth reject , Num=0
EAP auth replying , Num=0
Account success , Num=0
Account failure , Num=0
Cut req , Num=0
RecError_MSG_sum:0 SndMSG_Fail_sum :0
Timer_Err :0 Alloc_Mem_Err :0
State Mismatch :0 Other_Error :0
No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0
Using the console port instead of telnet I noticed the following:
*********************************************************
User interface aux0 is available.
Please press ENTER.
Login authentication
Username:3d1l
Password:
<4500>
%Apr 21 01:15:01:342 2000 4500 SHELL/5/LOGIN:- 1 - 3d1l(aux0) in unit1 login
<4500>
<4500>
<4500>system
^
% Unrecognized command found at '^' position.
<4500>?
User view commands:
language-mode Specify the language environment
ping Ping function
quit Exit from current command view
super Set the current user priority level
telnet Establish one TELNET connection
tracert Trace route function
<4500>super
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<4500>system
System View: return to User View with Ctrl+Z.
[4500]
As you can see there, I was not able to use the system command, but after typing the super command the switch displays that I'm already at level 3 (manage), and after that the system command works. The problem is that I tried the same thing using telnet and it didn't work, because it returns "Password is not set" after the super command:
*********************************************************
Login authentication
Username:3d1l
Password:
<4500>
%Apr 21 01:21:08:641 2000 4500 SHELL/5/LOGIN:- 1 - 3d1l(xxx.xxx.xxx.xxx) in un
it1 login
<4500>
<4500>system
^
% Unrecognized command found at '^' position.
<4500>
<4500>?
User view commands:
language-mode Specify the language environment
ping Ping function
quit Exit from current command view
super Set the current user priority level
telnet Establish one TELNET connection
tracert Trace route function
<4500>
<4500>super
% Password is not set
<4500>
<4500>system
^
% Unrecognized command found at '^' position.
<4500>
I'm already using the same server to authenticate users for Cisco devices; the only difference is that you use "shell:priv-lvl=15" as a string value in a VSA (RFC compliant). With that the user logs in as administrator without needing to provide an enable password, since the priv-lvl is already 15 (like using the username command in IOS).
The other problem is that when the RADIUS server is not available I cannot log in to the switch. The switch has 3 local accounts but none of them works. How can I tell the switch to use the local accounts in case the RADIUS service is not available?
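Added worked example (not code from the post, from 3Com or from Microsoft): the hex strings listed above (010600000003 and friends) have the shape of a RADIUS vendor-specific sub-attribute TLV, i.e. one byte sub-attribute type (01), one byte length counting the two header bytes (06), and a four-byte big-endian value (00000003). The script below decodes such a string back to the level name the post lists, encodes a level into the string, validates a hand-typed value, and wraps it in a complete RFC 2865 Vendor-Specific attribute (type 26) so you can see what the IAS server would actually put on the wire. The vendor id 43 and the name 3Com-User-Access-Level come from the FreeRADIUS dictionary.3com as I remember it and are my assumption, not something the post states.

```python
# Added example: decode, validate and build the 3Com access-level value that
# the post enters in the IAS dial-in profile. Not 3Com's or Microsoft's code.
import struct

# Level names exactly as the post lists them (numeric value -> name).
ACCESS_LEVELS = {0: "visitor", 1: "monitor", 2: "manager", 3: "admin"}

# Assumption: FreeRADIUS's dictionary.3com names this sub-attribute
# 3Com-User-Access-Level, vendor id 43, sub-attribute type 1.
VENDOR_3COM = 43
SUBATTR_USER_ACCESS_LEVEL = 1
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type


def decode_sub_attribute(hex_value: str) -> tuple:
    """Split a hex-encoded sub-attribute into (sub-type, value bytes).

    Raises ValueError when the string is not valid hex or the declared
    length does not cover exactly the bytes given, which is the usual
    mistake when the value is typed by hand into a profile.
    """
    raw = bytes.fromhex(hex_value.strip())
    if len(raw) < 2:
        raise ValueError("sub-attribute needs at least a type and a length byte")
    sub_type, sub_len = raw[0], raw[1]
    if sub_len != len(raw):
        raise ValueError(f"declared length {sub_len} but {len(raw)} bytes given")
    return sub_type, raw[2:]


def decode_access_level(hex_value: str) -> tuple:
    """Return (numeric level, level name) for a 3Com access-level value."""
    sub_type, value = decode_sub_attribute(hex_value)
    if sub_type != SUBATTR_USER_ACCESS_LEVEL:
        raise ValueError(f"sub-attribute type {sub_type}, expected {SUBATTR_USER_ACCESS_LEVEL}")
    if len(value) != 4:
        raise ValueError("access level must be a 4-byte integer")
    level = struct.unpack("!I", value)[0]
    return level, ACCESS_LEVELS.get(level, "unknown")


def encode_access_level(level: int) -> str:
    """Build the hex string for a given level, e.g. 3 -> '010600000003'."""
    if level not in ACCESS_LEVELS:
        raise ValueError(f"no such level: {level}")
    value = struct.pack("!I", level)
    header = bytes([SUBATTR_USER_ACCESS_LEVEL, 2 + len(value)])
    return (header + value).hex()


def is_valid_access_level_value(hex_value: str) -> bool:
    """True if the string decodes cleanly to one of the four known levels."""
    try:
        _, name = decode_access_level(hex_value)
    except ValueError:
        return False
    return name != "unknown"


def build_vendor_specific(vendor_id: int, sub_attribute_hex: str) -> bytes:
    """Wrap a sub-attribute in a complete Vendor-Specific attribute:
    type 26, total length, 4-byte vendor id, then the sub-attribute bytes."""
    sub = bytes.fromhex(sub_attribute_hex)
    body = struct.pack("!I", vendor_id) + sub
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(body)]) + body


if __name__ == "__main__":
    # The four values from the post, decoded back to their level names.
    for value in ("010600000003", "010600000002", "010600000001", "010600000000"):
        print(value, "->", decode_access_level(value))
    # What the admin value looks like inside a full Vendor-Specific attribute.
    print(build_vendor_specific(VENDOR_3COM, encode_access_level(3)).hex())
```

Running is_valid_access_level_value over a value copied from a profile is a quick sanity check before suspecting the switch: a typo in the length byte or a dropped hex digit produces a string that does not decode as a well-formed sub-attribute, and checking that first saves a round of packet captures.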