On my to-do list for a year or so has been setting up RADIUS authentication on all of our switches. I don’t want to have to give everyone the local password on the switches, but I still want to be able to grant access to people who [think they] have to have access to the switches.

By doing RADIUS authentication I can create rules on the RADIUS server as to who can access the switches and what level of access they receive. We already use Microsoft Active Directory, so Microsoft’s IAS (Internet Authentication Service, the RADIUS server that ships with Windows Server) was the easy choice. I’m working on finding a way to script the creation of the client objects, but for now I created a small number of clients for a small number of switches for testing.

In the IAS console, choose Radius Client. Either Action -> New Radius Client, or right click in the right half of the screen and choose New Radius Client.

Friendly name: DataCenter-1
Enter the IP or the DNS Name of the switch.
Shared Secret: the “password” that the switch and the RADIUS server use to authenticate each other’s packets. The secret itself never crosses the wire, but it is the only key protecting what does: the user’s PAP password is hidden with an MD5 hash of the secret and the request authenticator, and the server’s replies are authenticated with an MD5 over the packet and the secret, so anyone who captures the traffic can test guesses at the secret offline. Use a long, random secret that is unique to this switch, and never reuse another password from your network.

Next you need to create a Remote Access Policy. Right click in the right half of the screen and choose new Remote Access Policy.

Name: DataCenterSwitchAccess
Access Method: VPN
Choose Group and then click Add. Type the name of the Active Directory group whose members should be granted access to the switches. I created a group that I’m going to use just for granting access to the switches.
Click Next a couple of times and then Finish.

Now we have to make one change, and that is the authentication method. Right click on the remote access policy you just created and choose Properties. Click Edit Profile and then choose the Authentication tab. Unselect anything that is selected on the screen and then check Unencrypted authentication (PAP, SPAP). Click OK twice. PAP is required because the switch sends the user’s password in the User-Password attribute rather than doing a challenge-response, and that attribute is protected only by an MD5 hash keyed with the shared secret, so keep the path between the switches and the IAS server on a management VLAN or otherwise off user-reachable networks.

Lastly, we need to set up a Connection Request Policy. I set up a connection request policy for each user that I wanted to access the switch. One of the reasons I did this was to be able to include the Service-Type attribute, which gives certain people manager rights on the switches and everyone else operator rights.

Right click on the right side of the Connection Request Policies screen and choose New Connection Request Policy.

I chose to do a Custom Policy

Profile Name: SysAdmin
I added User-Name and entered my username.
On the next screen Choose Edit Profile and Choose the Advanced Tab
Click Add and find Service-Type. The default is Administrative; leave this if you want the user to have manager access to the switch. Set it to NAS Prompt if you want the user to be an operator. An operator will be asked to authenticate again if they try to enter manager mode, and will get Access Denied when they enter their credentials, since they don’t have manager access.

You will need to create a Connection Policy for each user that you want to access the switches.

You will notice that I have not entered a client IP address in either of the two policies we created, so they apply to every RADIUS client. The reason is that I don’t want to have to create a policy for each of the switches, or for each switch/user combination in the connection request policies.

On the switch you will need to enter four commands:

radius-server host <ipaddress> key <PassPhrase>
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication login privilege-mode

The first sets up which RADIUS server the switch uses and the shared secret it should use. The next two make SSH logins (and the enable step into manager mode) authenticate against RADIUS, with “local” as the fallback; on ProCurve the fallback method is only tried when the RADIUS server does not respond, not when it rejects the credentials, so a failed RADIUS login does not fall through to the local password, but you also can’t lock yourself out by taking the RADIUS server down. The last command makes the switch honour the Service-Type attribute we added to the connection request policy, so a user lands directly in manager or operator mode.

You can also use RADIUS for console, web and telnet authentication; just replace “ssh” in the commands above with “console”, “web” or “telnet”. Keep in mind that telnet and the plain HTTP web interface send the user’s AD password across the network in the clear, so if you enable those, do it on a management VLAN, or leave them disabled in favour of SSH and HTTPS.
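To make the security points above concrete, here is the RADIUS exchange behind those four commands, coded from RFC 2865 in Python. This is an added example and not code from the original post, from HP or from Microsoft: the shared secret, user names, passwords and the “DataCenter-1” NAS name are constructed, the “directory” dictionary stands in for Active Directory and IAS, and the privilege mapping is the one the switch applies from Service-Type (Administrative = manager, NAS-Prompt = operator). It shows why the shared secret is all that protects a PAP password on the wire: crack_secret recovers the password from a captured Access-Request by guessing the secret offline.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, NAS_IDENTIFIER = 1, 2, 6, 32
SERVICE_ADMINISTRATIVE, SERVICE_NAS_PROMPT = 6, 7  # Service-Type values IAS can return


def attr(atype, value):
    """One attribute: Type, Length (counting these two bytes), Value."""
    return bytes([atype, 2 + len(value)]) + value


def parse_attrs(data):
    """Split an attribute list into {type: [value, ...]}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(data[i + 2:i + alen])
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: PAP password XORed with MD5(secret + authenticator) in chained 16-byte
    blocks. The shared secret is the only secret input, so a guessable secret exposes passwords."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as run by the server (or by anyone who knows the secret)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out


def access_request(username, password, secret, ident=1, request_auth=None):
    """The packet the switch sends for an SSH login under 'aaa authentication ssh login radius'."""
    request_auth = request_auth or os.urandom(16)  # fresh 16 random bytes per request
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
            + attr(NAS_IDENTIFIER, b"DataCenter-1"))  # hypothetical switch name
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_respond(request, secret, directory):
    """Stand-in for IAS: recover the password, check it, reply Accept + Service-Type or Reject.
    directory maps username -> (password bytes, Service-Type value) and plays the role of AD."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs[USER_NAME][0].decode()
    password = reveal_password(attrs[USER_PASSWORD][0], secret, request_auth).rstrip(b"\x00")
    entry = directory.get(user)
    if entry is None or not hmac.compare_digest(entry[0], password):
        code, body = ACCESS_REJECT, b""
    else:
        code, body = ACCESS_ACCEPT, attr(SERVICE_TYPE, struct.pack("!I", entry[1]))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def switch_verify(request, response, secret):
    """What the switch does with the reply: check it against the shared secret, then pick the
    privilege level the way 'aaa authentication login privilege-mode' does from Service-Type."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        raise ValueError("reply does not match our request identifier")
    body = response[20:length]
    expected = hashlib.md5(response[:4] + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return "denied"
    service = parse_attrs(body).get(SERVICE_TYPE)
    value = struct.unpack("!I", service[0])[0] if service else None
    return {SERVICE_ADMINISTRATIVE: "manager", SERVICE_NAS_PROMPT: "operator"}.get(value, "operator")


def crack_secret(captured_request, candidates):
    """Offline attack on a sniffed Access-Request: a candidate is the real secret when the
    recovered password comes out as printable text (plus zero padding)."""
    length = struct.unpack("!BBH", captured_request[:4])[2]
    hidden = parse_attrs(captured_request[20:length])[USER_PASSWORD][0]
    for candidate in candidates:
        text = reveal_password(hidden, candidate, captured_request[4:20]).rstrip(b"\x00")
        if text and all(32 <= b < 127 for b in text):
            return candidate, text.decode()
    return None


if __name__ == "__main__":
    SECRET = b"Xk9#mQ2vL8pR4wZt"  # hypothetical per-switch shared secret
    USERS = {"alice": (b"Wint3r!Sun", SERVICE_ADMINISTRATIVE), "bob": (b"hunter2", SERVICE_NAS_PROMPT)}
    req = access_request("bob", "hunter2", SECRET)
    print("bob logs in as:", switch_verify(req, server_respond(req, SECRET, USERS), SECRET))
    sniffed = access_request("alice", "Wint3r!Sun", b"radius")  # a switch set up with a weak secret
    print("weak secret recovered:", crack_secret(sniffed, [b"password", b"radius", b"changeme"]))
```

Two things are worth noticing when you run it. The switch only accepts a reply whose Response Authenticator was computed with its own secret, which is what stops a spoofed Access-Accept from a rogue host, and the same secret is the whole keystream for the password, which is why a dictionary word as the shared secret turns every captured login into a recoverable AD password.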

You can now use selected AD credentials to log in to the switch. This is part of another project I’m working on, which is getting RANCID up and running. I’m hoping to have a post about that up sometime next week.

Quick post here,

The “show tech all” command has a wealth of information in it that can be useful for many reasons, but what if you want to download it so that you can look at it later, or maybe you need to send it to support for assistance in troubleshooting an issue? It’s actually very easy: start up your TFTP server and then enter the following on the switch that you want to download the tech all from (the TFTP server address and destination filename are placeholders):

copy command-output 'show tech all' tftp <tftp-server-ip> <filename>

You may have to pre-create the file on your TFTP server, since many TFTP daemons refuse to create new files. Remember that the dump includes the running configuration, so it may carry the RADIUS key, SNMP community strings and similar secrets, and TFTP moves it unauthenticated and in the clear: run the transfer on a management network, and scrub those lines before sending the file to anyone outside.
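Before that file leaves your network, it is worth scrubbing the credentials out of it. The following is an added example, not code from the original post: a small Python scrubber that blanks the token after “key”, “secret” or “community” in a config-style dump and reports which lines it touched. The keyword list and the sample lines are assumptions constructed for this example, not real switch output, and it does not claim to know every sensitive line a given firmware prints, so still read the result before you send it.

```python
import re

# Redact the token that follows these keywords. The keyword list is an assumption for this
# example (RADIUS/TACACS keys and SNMP communities); extend it for your firmware's output.
CREDENTIAL = re.compile(r'(\b(?:key|secret|community)\s+)("?)([^\s"]+)("?)', re.IGNORECASE)


def scrub_line(line):
    """Return (scrubbed line, number of tokens redacted)."""
    return CREDENTIAL.subn(r'\1\2<REDACTED>\4', line)


def scrub(dump):
    """Scrub a whole dump. Returns (scrubbed text, 1-based numbers of the lines that changed)
    so the operator can eyeball exactly what was touched before handing the file over."""
    lines, changed = [], []
    for number, line in enumerate(dump.splitlines(), 1):
        new, count = scrub_line(line)
        lines.append(new)
        if count:
            changed.append(number)
    return "\n".join(lines) + "\n", changed


# Constructed sample in the style of the running-config part of 'show tech all'; not real output.
SAMPLE = """hostname "DataCenter-1"
radius-server host 10.1.1.5 key Xk9#mQ2vL8pR4wZt
snmp-server community "public" unrestricted
vlan 10
   name "Servers"
   ip address 10.1.10.2 255.255.255.0
"""

if __name__ == "__main__":
    text, touched = scrub(SAMPLE)
    print(text)
    print("redacted lines:", touched)
```

The scrubber errs on the side of over-redaction: any token after one of the keywords goes, which is the right failure mode for a file that is about to leave the building.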

I had a problem a while back with a switch’s flash becoming corrupt. I believe it was due to some construction being done at one of our sites, but I’m not sure.

One of my 5400s’ flash became corrupt, so the switch wouldn’t boot. The suggestions that the switch itself gives you to resolve this are somewhat useless, so I contacted support.

If your console session to a switch shows a “=>” prompt, the switch is in Boot Monitor. Support suggested trying the following steps to see if the switch can be recovered:

a) Try booting from the other image using the “jp x” command, where “x” is:

if the “primary” image failed, then type “jp 2” to use the secondary

if the “secondary” image failed, then type “jp 1” to use the primary image.

b) If that doesn’t work, delete the boot.ini file and boot normally, then try one of the “jp x” options above:

=> rm /cfa0/boot.ini         this “removes” (rm) the boot.ini file

=>jp 1   or  =>jp 2

Since the boot.ini file was deleted, any configuration file information is also lost. When the system boots successfully, it will create a new copy of the “boot.ini” file. Upon bootup, if you find the switch is now running an “empty” configuration (at factory default), there is a chance the old config is still there.

Before a reboot, type “show config files” and see what ‘filename’ the boot.ini file wants to run. (“config” or “config1”)

Boot again, and interrupt and get to the Boot Monitor (option “0” from the Boot Profiles)

=> cd /cfa0   Change directories to the “cfa0” device (that’s a zero, not “oh”)

=> cd cfg      The Config files are stored in the cfg directory

=> ls               List out the files;

Here’s a sample output:

=>ls
.
..
WorkingCfg
config

Likely, one of these files is the actual config file. So, COPY your “real” config file to the one the Boot.ini thinks it’s supposed to load (in this case “config”) and then boot.

=>cp WorkingCfg config

copying file WorkingCfg -> config

=>jp 1

When the switch boots up, “show config files” will still show the config filename being “config” (in this case.) So now, the file can be renamed to anything you like by using the following command:

WkgCfg# rename config config WorkingCfg

Mine still wasn’t working after deleting the boot.ini, so at this point they offered to replace it, or I could try to reformat the flash and copy over the files from another switch. The “hard drive” for the 5400 is just a Compact Flash card, like in some digital cameras, so you can hook it up like a hard drive and do formats, file copies, etc.

The latter solved my problem and only took about 2 minutes (once I found something that read Compact Flash cards; we had a printer in our office for printing photos).
