Cisco ACS and HP 2848/2810 Web-Auth via RADIUS

Paul Freiberg
Level 1

Hi everyone,

I've configured SSH via TACACS+ successfully, but Web(SSL) via RADIUS seems to be impossible. The ACS reports that my authentication was successful, but the switch mercilessly asks again and again for the credentials.

Do I have to send any specific RADIUS-Attributes with the Authorization Profiles?

Perhaps someone resolved this problem.

Thanks in advance,

Paul

4 Replies

Paul Freiberg
Level 1

Here are the steps that I can see in the RADIUS Authentication Detail:

Steps

11001  Received RADIUS  Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15004  Matched rule

15012  Selected Access Service - Switch Web  Admin

Evaluating Identity Policy

15004  Matched rule

15013  Selected Identity Store - Internal  Users
24210  Looking up User in Internal Users IDStore -  freiberg
24212  Found User in Internal Users  IDStore

22037  Authentication Passed

Evaluating Group Mapping Policy

Evaluating Exception Authorization  Policy

15042  No rule was matched

Evaluating Authorization Policy

15004  Matched rule

15016  Selected Authorization Profile - Permit  Access

11002  Returned RADIUS Access-Accept

But the HP Switches are not very impressed by this "RADIUS Access-Accept"...

Hello Paul,

It sounds like the HP Router is expecting additional information or attributes to be sent by the RADIUS server to complete the connection for WebVPN.

I have checked and I was not able to find any attributes on Cisco side for HP router VPN access to work. Can you check with HP support and verify if a RADIUS dictionary has to be installed on the ACS server for it to send additional information?

Usually the 3rd-party vendor's support should provide you with the appropriate dictionary file if applicable.

If this was helpful please rate.

Regards.

Thx for your reply,

the problem is a bit more trivial. HP 2848/2810 are layer 2 switches and I only want to auth the web-admin-interface via RADIUS.

I found this page:

http://wiki.freeradius.org/HP

There are some Session-Identification attributes like user-name and Acct-Session-ID which sound interesting. I found these attributes within RADIUS-IETF, but they are not listed if I want to put them into an authorization profile.

Perhaps you could find a dictionary file for those HP switches.

Thanks in advance,

Paul

Hi, I made it!

I had to transmit the "service-type" RADIUS attribute: "administrative" for enable (manager) access and "nas-prompt" for operator access.

This Page was very helpful:

http://wiki.freeradius.org/HP

Bye
