Users Cannot Log In to S5700 After Passing RADIUS Authentication

Publication Date: 2015-06-09
Issue Description
A user attempts to log in to an S5700 through SSH. The RADIUS authentication server reports that the user has passed authentication, but the user still fails to log in to the S5700. The reason is that the packets sent by the RADIUS server contain an invalid Login-Service field.
Alarm Information
<GFR-H5700-MGSE14A>
Jul 12 2000 01:26:46.330.1-05:13 GFR-H5700-MGSE14A SSH/7/AUTH_EVENT:SSH authentication event occurs. Finish processing Au once, result: 1

<GFR-H5700-MGSE14A>
Jul 12 2000 01:26:46.330.2-05:13 GFR-H5700-MGSE14A SSH/7/AUTH_EVENT:SSH authentication event occurs. Failure, method: , partial: 0

<GFR-H5700-MGSE14A>
Jul 12 2000 01:26:46.340.1-05:13 GFR-H5700-MGSE14A SSH/7/AUTH_EVENT:SSH authentication event occurs. Finish processing Au once, sub2 fsm: 1, sub3 fsm: 1, result: 1

<GFR-H5700-MGSE14A>
Jul 12 2000 01:26:46.340.2-05:13 GFR-H5700-MGSE14A SSH/7/AUTH_EVENT:SSH authentication event occurs. Finish Au once, change the fsm, sub2 fsm: 1, sub3 fsm: 1, result: 1

<GFR-H5700-MGSE14A>
Jul 12 2000 01:26:46.340.3-05:13 GFR-H5700-MGSE14A SSH/7/DISCONNECT:The connection is closed by SSH server, current FSM is SSH_Main_SSHProcess.

<GFR-H5700-MGSE14A>
Jul 12 2000 01:26:46.340.4-05:13 GFR-H5700-MGSE14A SSH/7/FSM_MOVE:FSM moved from SSH_Main_SSHProcess to SSH_Main_Disconnect.
Handling Process
The debugging information shows that the user logs in to the switch through SSH, but the Login-Service field in the packets sent by the RADIUS server is telnet(0). As a result, the user fails to log in.

Configuration example:

#
radius-server template travelsky
radius-server shared-key cipher %@%@\XXoN.b3654./!M|Gp4D*e0A%@%@
radius-server authentication 10.6.177.230 1812 source ip-address 10.6.112.214 weight 80
radius-server accounting 10.6.177.231 1813 source ip-address 10.6.112.214 weight 80
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme default
authentication-mode radius local
authorization-scheme default
accounting-scheme default
accounting-mode radius
domain default
radius-server travelsky
authentication-scheme default
accounting-scheme default  //The default templates are used, so the configuration is not displayed.
domain default_admin
radius-server travelsky
#
stelnet server enable
ssh authentication-type default password //The default SSH login mode is password.
ssh user koup
ssh user koup authentication-type password //Set the default authentication type. If you need to configure the authentication user on the switch, this command is required.
ssh user koup service-type stelnet
ssh client first-time enable
#
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound all
Root Cause
The user's access type is SSH, but the Login-Service field in the packets sent by the authentication server is telnet(0).
Solution
1. Configure the authentication server either not to deliver the Login-Service field or to deliver a correct Login-Service value.

2. Enable RADIUS attribute translation on the switch.

Run the following commands in the RADIUS template view:

radius-server attribute translate
radius-attribute disable Login-Service receive
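The Root Cause and Solution above, as an added Python example that is not part of the original article or of Huawei's code: it parses a constructed RADIUS Access-Accept (RFC 2865 attribute encoding), applies the same Login-Service check the switch makes for an SSH user, and shows the effect of ignoring the received attribute, which is what the translation commands do. Attribute numbers are RFC 2865 values; the decision function, the `access_type` parameter and the sample packet are assumptions for illustration only.

```python
import struct

# RFC 2865 code and attribute numbers (facts, not assumptions).
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
ATTR_LOGIN_SERVICE = 15
LOGIN_SERVICE_TELNET = 0  # the value the server on this page delivered: telnet(0)

def parse_radius(packet: bytes):
    """Return (code, [(attr_type, value_bytes), ...]) for one RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20  # the 16-byte Authenticator occupies offsets 4..19
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def login_decision(packet: bytes, access_type: str, ignore_login_service=False):
    """Assumed model of the switch's check: a delivered Login-Service that
    conflicts with the access type actually used rejects the login, unless the
    attribute is ignored ('radius-attribute disable Login-Service receive')."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return "reject: server did not accept the credentials"
    login_service = next((v for t, v in attrs if t == ATTR_LOGIN_SERVICE), None)
    if login_service is None or ignore_login_service:
        return "accept: Login-Service not evaluated"
    value = int.from_bytes(login_service, "big")
    # Only the conflict documented on the page is encoded; the value Huawei
    # expects for SSH is vendor-specific and deliberately not assumed here.
    if access_type == "ssh" and value == LOGIN_SERVICE_TELNET:
        return "reject: Login-Service is telnet(0) but access type is ssh"
    return "accept: Login-Service %d does not conflict with %s" % (value, access_type)

def build_accept(attrs):
    """Constructed sample Access-Accept; the Authenticator is left as zero bytes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

SAMPLE_ACCEPT = build_accept([            # constructed, mirrors the case above
    (ATTR_USER_NAME, b"koup"),
    (ATTR_SERVICE_TYPE, struct.pack("!I", 6)),  # 6 = Administrative-User
    (ATTR_LOGIN_SERVICE, struct.pack("!I", LOGIN_SERVICE_TELNET)),
])

if __name__ == "__main__":
    print(login_decision(SAMPLE_ACCEPT, "ssh"))
    print(login_decision(SAMPLE_ACCEPT, "ssh", ignore_login_service=True))
```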
