2333 Views | 1 Helpful | 4 Replies

Radius login-service=50 for SSH access

csarrazi
Cisco Employee

Hi team,

Some HP switches (S3600) require the RADIUS server to return login-service=50 for SSH access, even though it is not in the IETF standard; some RADIUS servers (FreeRADIUS, NPS) permit customizing IETF attributes.

How could we solve this issue with ISE? Do we have any way to add login-service=50 to the IETF library?

Thanks in advance for your answer.

Best regards

Christophe

Accepted Solution

hslai
Cisco Employee

This does not seem supported at the moment. [ Dict > RADIUS > IETF > Login-Service (15)] is system pre-defined and not allowed for customization. I will forward your request to those more familiar with 3rd-party support.


4 Replies


Do we have any workaround? My customer would like to replace ISE by NPS just due to this issue.

Regards

Christophe

danmassa
Level 1

My customer and I hit this issue as well with Cisco Secure ACS 5.6.  Started TAC ticket 680982850 to get more info.  They also indicated the IETF RADIUS attributes cannot be extended to include "50."

I have just finished reading IETF RFC 2865, which covers how these radius attributes work.  My judgement: it would be *nice* if Cisco allowed us to extend Login-Service to include "50", but RFC 2865 is a standard.  It can be extended with Vendor Specified Attributes, but type code 15 (Login-Service) only has nine values defined, and 50 for SSH is not one of them.

HP seems to be the ridiculous one here.  I blame them for this snafu.

My customer and I will look at using TACACS+ to authenticate SSH users.  I will post back here when the test is complete.

Has anyone else found a better solution?  It seems odd that I need a Cisco-specific technology like TACACS on my HP switches!

Thanks.
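To make the RFC 2865 point above concrete, here is an added example (not code from the thread, from Cisco, or from HP) that encodes and parses RADIUS attribute-value pairs, verifies the Response Authenticator of an Access-Accept, and reports whether each Login-Service (type 15) value is one RFC 2865 defines. The packet, shared secret and Request Authenticator are constructed for the demonstration; nothing here talks to a real RADIUS server. Capturing what ISE, NPS or FreeRADIUS actually sends and running the attribute area through `audit_login_service` shows at a glance whether the server is emitting the non-standard value 50 the HP switch expects, or a standard value the switch will reject.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types from RFC 2865
ACCESS_ACCEPT = 2
LOGIN_SERVICE = 15       # attribute type 15, RFC 2865 section 5.15
REPLY_MESSAGE = 18

# The only Login-Service values RFC 2865 defines (7 is unassigned).
# 50 does not appear here: it is HP's private convention for SSH.
RFC2865_LOGIN_SERVICE = {
    0: "Telnet", 1: "Rlogin", 2: "TCP Clear", 3: "PortMaster",
    4: "LAT", 5: "X25-PAD", 6: "X25-T3POS", 8: "TCP Clear Quiet",
}


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte) + Length (1 byte, includes header) + Value, RFC 2865 section 5."""
    if not 0 <= len(value) <= 253:
        raise ValueError("AVP value must be 0..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def encode_login_service(value: int) -> bytes:
    """Login-Service carries a 4-byte big-endian integer."""
    return encode_avp(LOGIN_SERVICE, struct.pack("!I", value))


def parse_avps(data: bytes) -> list:
    """Walk the attribute area, rejecting truncated or oversized AVPs."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("AVP length runs past the end of the packet")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def audit_login_service(avps: list) -> list:
    """Report every Login-Service AVP and whether RFC 2865 defines its value."""
    findings = []
    for attr_type, value in avps:
        if attr_type != LOGIN_SERVICE:
            continue
        if len(value) != 4:
            findings.append(f"Login-Service has a {len(value)}-byte value, expected 4")
            continue
        code = struct.unpack("!I", value)[0]
        name = RFC2865_LOGIN_SERVICE.get(code)
        if name is None:
            findings.append(f"Login-Service={code}: not defined in RFC 2865 (vendor-private use)")
        else:
            findings.append(f"Login-Service={code} ({name}): RFC 2865 value")
    return findings


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Assemble a RADIUS response; Response Authenticator per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator before trusting any attribute."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    # Constructed sample: an Access-Accept carrying HP's Login-Service=50.
    request_auth = bytes(range(16))            # constructed Request Authenticator
    secret = b"constructed-shared-secret"      # constructed shared secret
    attrs = encode_login_service(50) + encode_avp(REPLY_MESSAGE, b"ssh ok")
    packet = build_response(ACCESS_ACCEPT, 1, request_auth, attrs, secret)
    print("authenticator valid:", verify_response(packet, request_auth, secret))
    for line in audit_login_service(parse_avps(packet[20:])):
        print(line)
```

The authenticator check matters in practice: a switch that trusts attributes from an Access-Accept whose Response Authenticator does not verify would accept a spoofed service assignment, so any tool that inspects these packets should verify first and parse second.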

I just put in the TACACS config on the HP Comware-based switch to authenticate SSH users.  That seems to do the trick.  It authenticates me and allows me to enter system-view mode (Comware's version of CONFIG TERMINAL.)

This was a crazy ride.  HP should not have used Login-Service=50. 

I am using Comware 5.  I think Comware 7 introduced a new scheme for Role Based Access Control (RBAC.)  I wonder if the new RBAC requires Login-Service=50 for SSH.  I can't check it out; it would blow even more time on something that should have been simple.

If anyone else tries the new RBAC, please post here.  Thanks.