03-16-2016 07:34 AM
Hi team,
Some HP switches (S3600) require the RADIUS server to return login-service=50 for SSH access, even if it is not in the IETF standard; some RADIUS servers (FreeRADIUS, NPS) permit customizing IETF attributes.
How could we solve this issue with ISE? Do we have any way to add login-service=50 in the IETF library?
Thanks in advance for your answer.
Best regards,
Christophe
03-16-2016 09:21 AM
This does not seem supported at the moment. [ Dict > RADIUS > IETF > Login-Service (15)] is system pre-defined and not allowed for customization. I will forward your request to those more familiar with 3rd-party support.
03-17-2016 01:01 AM
Do we have any workaround? My customer would like to replace ISE with NPS just due to this issue.
Regards,
Christophe
09-26-2016 07:30 AM
My customer and I hit this issue as well with Cisco Secure ACS 5.6. Started TAC ticket 680982850 to get more info. They also indicated the IETF RADIUS attributes cannot be extended to include "50."
I have just finished reading IETF RFC 2865, which covers how these RADIUS attributes work. My judgement: it would be *nice* if Cisco allowed us to extend Login-Service to include "50", but RFC 2865 is a standard. It can be extended with Vendor Specified Attributes, but type code 15 (Login-Service) only has nine values defined, and 50 for SSH is not one of them.
HP seems to be the ridiculous one here. I blame them for this snafu.
My customer and I will look at using TACACS+ to authenticate SSH users. I will post back here when the test is complete.
Has anyone else found a better solution? It seems odd that I need a Cisco-specific technology like TACACS on my HP switches!
Thanks.
09-26-2016 08:11 AM
I just put in the TACACS config on the HP Comware-based switch to authenticate SSH users. That seems to do the trick. It authenticates me and allows me to enter system-view mode (Comware's version of CONFIG TERMINAL).
This was a crazy ride. HP should not have used Login-Service=50.
I am using Comware 5. I think Comware 7 introduced a new scheme for Role Based Access Control (RBAC). I wonder if the new RBAC requires Login-Service=50 for SSH. I can't check it out; it would blow even more time on something that should have been simple.
If anyone else tries the new RBAC, please post here. Thanks.
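Added example, not code from any of the posts above: a small Python encoder/decoder for RADIUS attribute TLVs that builds the Access-Accept attribute set a FreeRADIUS or NPS server would return to the HP switch (Login-Service=50) and audits every Login-Service value against the values RFC 2865 actually defines, so a defender can spot the non-standard value in captured replies. The user name and the sample reply are constructed; the standard value table is taken from RFC 2865 section 5.15.

```python
import struct

# RFC 2865 section 5.15: the Login-Service (type 15) values the standard defines.
RFC2865_LOGIN_SERVICE = {0: "Telnet", 1: "Rlogin", 2: "TCP Clear", 3: "PortMaster",
                         4: "LAT", 5: "X25-PAD", 6: "X25-T3POS", 8: "TCP Clear Quiet"}
LOGIN_SERVICE_TYPE = 15
HP_SSH_LOGIN_SERVICE = 50  # non-standard value the HP Comware switches in the thread expect

def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: one-byte type, one-byte total length (2..255), value."""
    if not 0 < len(value) + 2 <= 255:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_integer_attribute(attr_type: int, value: int) -> bytes:
    return encode_attribute(attr_type, struct.pack("!I", value))  # 32-bit unsigned, big-endian

def decode_attributes(payload: bytes) -> list:
    """Walk the attribute area of a RADIUS packet (everything after the 20-byte header)."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs

def audit_login_service(payload: bytes) -> list:
    """Report every Login-Service value and whether RFC 2865 defines it."""
    findings = []
    for attr_type, value in decode_attributes(payload):
        if attr_type != LOGIN_SERVICE_TYPE:
            continue
        if len(value) != 4:  # integer attributes are exactly four octets
            findings.append("Login-Service: malformed length")
            continue
        code = struct.unpack("!I", value)[0]
        name = RFC2865_LOGIN_SERVICE.get(code, "not defined in RFC 2865")
        findings.append(f"Login-Service={code} ({name})")
    return findings

# Constructed sample: the attribute set a FreeRADIUS/NPS Access-Accept for the HP switch would carry.
SAMPLE_ACCEPT_ATTRS = (encode_attribute(1, b"christophe")                      # User-Name (constructed)
                       + encode_integer_attribute(6, 6)                        # Service-Type = Administrative-User
                       + encode_integer_attribute(LOGIN_SERVICE_TYPE, HP_SSH_LOGIN_SERVICE))
```

Running `audit_login_service` over the attribute area of a captured Access-Accept flags the HP value as outside RFC 2865, while a standard Telnet or Rlogin value is reported by name.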