RADIUS authentication through the management interface fails

Publication Date: 2016-07-31
Issue Description

On a CloudEngine 6800 switch the customer was using RADIUS authentication for SSH via the management interface, and the authentication failed.

Software version: CE6850HI-V100R005C10SPC200.cc

Configuration:

#

radius server group rtve
radius server shared-key-cipher xxxxxxxxxxxxxxxxxx
radius server authentication x.x.128.28 1812
radius server accounting x.x.128.28 1813
radius server retransmit 2
radius server source interface MEth0/0/0
radius server user-name domain-excluded

#
authentication-scheme default
  authentication-mode radius local
#
authentication-scheme auth
  authentication-mode local radius
#
authorization-scheme default
#
accounting-scheme default
#
accounting-scheme abc
  accounting-mode radius
#
domain default
#
domain default_admin
  authentication-scheme auth
  accounting-scheme abc
  adminuser-priority 15
  radius server group rtve

#
stelnet server enable
ssh user admin
ssh user admin authentication-type all
ssh user admin service-type all
ssh authorization-type default aaa
#
ssh server cipher aes256_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc blowfish_cbc
ssh server hmac sha2_256_96 sha2_256 sha1 sha1_96
#
interface MEth0/0/0
ip address 10.50.226.89 255.255.255.240
#

Alarm Information
None; the user cannot log in to the system by SSH.
Handling Process

1. First, check whether the RADIUS server is reachable from the CE switch. A ping from the RADIUS server to the MEth0/0/0 interface IP address, and in the reverse direction, was successful.

2. Next, enable AAA/RADIUS debugging while the user attempts to connect to the system by SSH.


Enable debugging:
<R7_U18_CE6850> debugging radius all
<R7_U18_CE6850>t d
Info: Current terminal debugging is on.
<R7_U18_CE6850>t m
Info: Current terminal monitor is on.

Try to connect by SSH/STelnet and collect the debugging output.


At this step, the system returned no debugging output at all unless the customer tried to access it with a local user. Login attempts by remote users defined only on the RADIUS server produced no output.


Root Cause

Since AAA produced no logging at all for users defined only on the RADIUS server, I reviewed the SSH configuration again. The customer had defined only one SSH user locally on the system:

ssh user admin
ssh user admin authentication-type all
ssh user admin service-type all
ssh authorization-type default aaa

For this user, authentication succeeded.


Solution

Of course, defining every user locally on the CE switch is not scalable. Configuring “ssh authentication-type default password” instead allows RADIUS authentication for all users connecting over SSH, not only those with an explicit ssh user entry.

Solution:

# Configure the password authentication mode for an SSH user.
<HUAWEI> system-view
[~HUAWEI] ssh authentication-type default password
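As an added check (example code written for this article, not Huawei's or the customer's), the following Python script audits a saved CE configuration for the pattern in this case: an AAA domain references a RADIUS authentication scheme, but no default SSH authentication type is set, so only the explicitly defined ssh user accounts can log in and RADIUS-only users are turned away before AAA ever sees them. The configuration text embedded in it is a constructed copy of the configuration above, and the context parsing is a simplified assumption about the VRP config layout (unindented lines open a context, indented lines belong to it).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the customer's configuration from this case, trimmed to
# the sections the check needs. Not a live device dump.
CONFIG_BEFORE = """\
#
authentication-scheme default
  authentication-mode radius local
#
authentication-scheme auth
  authentication-mode local radius
#
domain default_admin
  authentication-scheme auth
  accounting-scheme abc
  adminuser-priority 15
  radius server group rtve
#
stelnet server enable
ssh user admin
ssh user admin authentication-type all
ssh user admin service-type all
ssh authorization-type default aaa
#
"""

# Constructed "after" configuration: the same config plus the fix from the case.
CONFIG_AFTER = CONFIG_BEFORE + "ssh authentication-type default password\n"


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group a VRP-style config into (context line, [indented child lines]).

    Assumption: an unindented line opens a context and indented lines below it
    belong to that context; '#' separators and blank lines are ignored.
    """
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ssh_radius(config: str) -> Dict[str, object]:
    """Report whether RADIUS-only SSH users would be rejected before AAA."""
    blocks = parse_blocks(config)
    explicit_users = set()
    default_auth: Optional[str] = None
    radius_schemes = set()

    for ctx, children in blocks:
        m = re.match(r"ssh user (\S+)", ctx)
        if m:
            explicit_users.add(m.group(1))
            continue
        m = re.match(r"ssh authentication-type default (\S+)", ctx)
        if m:
            default_auth = m.group(1)
            continue
        m = re.match(r"authentication-scheme (\S+)", ctx)
        if m:
            for child in children:
                if child.startswith("authentication-mode") and "radius" in child.split():
                    radius_schemes.add(m.group(1))

    # Second pass: domains that explicitly reference a RADIUS-capable scheme.
    radius_domains = []
    for ctx, children in blocks:
        m = re.match(r"domain (\S+)", ctx)
        if not m:
            continue
        for child in children:
            cm = re.match(r"authentication-scheme (\S+)", child)
            if cm and cm.group(1) in radius_schemes:
                radius_domains.append(m.group(1))

    findings = []
    if radius_domains and default_auth is None:
        findings.append(
            "domain(s) %s use RADIUS authentication but 'ssh authentication-type "
            "default' is not configured: SSH users without an explicit 'ssh user "
            "<name>' entry (explicit users: %s) are rejected before AAA runs, so "
            "RADIUS debugging shows nothing for them"
            % (", ".join(radius_domains), ", ".join(sorted(explicit_users)) or "none")
        )
    return {
        "explicit_ssh_users": sorted(explicit_users),
        "default_ssh_auth": default_auth,
        "radius_domains": radius_domains,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, cfg in (("before fix", CONFIG_BEFORE), ("after fix", CONFIG_AFTER)):
        result = audit_ssh_radius(cfg)
        print(label, "->", result["findings"] or "no findings")
```

Run against the saved configuration, the script flags the customer's original state and reports nothing once ssh authentication-type default password is present; it only looks at explicit scheme references, so a domain relying on an implicit default scheme is not evaluated.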

Suggestions
None.
