topic Re: Radius login-service=50 for SSH access in Network Access Control

Radius login-service=50 for SSH access

csarrazi — Wed, 16 Mar 2016 14:34:01 GMT

Hi team,

Some HP switches (S3600) require the radius server to return login-service=50 for SSH access, even if it is not in the IETF standard, some Radius servers (FreeRadius, NPS) permit to customize IETF attribute.

How could we solve this issue with ISE, do we have any way to add login-service=50 in the IETF library ?

thanks in advance for your answer

Best regards

Christophe

Re: Radius login-service=50 for SSH access

hslai — Wed, 16 Mar 2016 16:21:45 GMT

This does not seem supported at the moment. [ Dict > RADIUS > IETF > Login-Service (15)] is system pre-defined and not allowed for customization. I will forward your request to those more familiar with 3rd-party support.

Re: Radius login-service=50 for SSH access

csarrazi — Thu, 17 Mar 2016 08:01:29 GMT

Do we have any workaround, because my customer would like to replace ISE by NPS just due to this issue ?

regards

Christophe

Re: Radius login-service=50 for SSH access

danmassa — Mon, 26 Sep 2016 14:30:33 GMT

My customer and I hit this issue as well with Cisco Secure ACS 5.6. Started TAC ticket 680982850 to get more info. They also indicated the IETF RADIUS attributes cannot be extended to include "50."

I have just finished reading IETF RFC 2865, which covers how these radius attributes work. My judgement: it would be *nice* if Cisco allowed us to extend Login-Service to include "50", but RFC 2865 is a standard. It can be extended with Vendor Specified Attributes, but type code 15 (Login-Service) only has nine values defined, and 50 for SSH is not one of them.

HP seems to be the ridiculous one here. I blame them for this snafu.

My customer and I will look at using TACACS+ to authenticate SSH users. I will post back here when the test is complete.

Has anyone else found a better solution? I seems odd that I need a Cisco-specific technology like TACACS on my HP switches!

Thanks.

Re: Radius login-service=50 for SSH access

danmassa — Mon, 26 Sep 2016 15:11:48 GMT

I just put in the TACACS config on the HP Comware-based switch to authenticate SSH users. That seems to do the trick. It authenticates me and allows me to enter system-view mode (Comware's version of CONFIG TERMINAL.)

This was a crazy ride. HP should not have used Login-Service=50.

I am using Comware 5. I think Comware 7 introduced a new scheme for Role Based Access Control (RBAC.) I wonder if the new RBAC requires Login-Service=50 for SSH. I can't check it out; it would blow even more time on something that should have been simple.

If anyone else tries the new RBAC, please post here. Thanks.