Failed to assign privilege to Telnet users through a Windows RADIUS server

Publication Date: 2015-11-28
Issue Description

The customer bought a Huawei S5700 switch and wants to assign different privilege levels to different Telnet users through a Windows RADIUS server.
After finishing the configuration, he found that it did not work on the Huawei S5700 switch. However, it worked fine on C device.

The configuration is as follows:
radius-server template radius
radius-server shared-key cipher XXXXX
radius-server authentication X.X.X.X 1812 weight 80
undo radius-server user-name domain-included

user-interface vty 0 4
authentication-mode aaa
protocol inbound telnet

Handling Process

1. Check the configuration on the S5700 and confirm it is correct.
2. Enable debugging on the S5700. The output shows that the RADIUS server assigns the user privilege through the "Cisco-AVpair" attribute.
debugging radius all
terminal monitor
terminal debugging

Nov 19 2015 13:46:08.612.5 XXX RDS/7/DEBUG:
  Server Template: 0
  Server IP   : X.X.X.X
  Server Port : 1645
  Protocol: Standard
  Code    : 2
  Len     : 96
  ID      : 72
  [Service-Type                       ] [6 ] [7]
  [Class                              ] [46] [C0 EF C 5D 0 0 1 37 0 1 2 0 AC 16 50 44 0 0 0 0 A0 31 5D E1 B7 AB 1E 9E 1 CF 4F EB 8C 97 DC 43 0 0 0 0 A F3 D0 85 ]
  [Cisco-avpair                       ] [18] [shell:priv-lvl=1]

3. Check the RADIUS attribute on the switch; the attribute is present. According to the product documentation, this attribute is used for voice VLAN.
<XXX>display radius-attribute name Cisco-AVpair
Radius Attribute Type        : 26-1CISCO            
Radius Attribute Name        : Cisco-avpair           
Radius Attribute Description : Indicates cisco private attribute           
Supported Packets            : Auth Accept, COA Request
<XXX>
This attribute cannot be used for user privilege. Huawei has its own privilege attribute:
Attribute No. 26-29
Attribute Name: HW-Exec-Privilege
Description: Management user (such as Telnet user) priority, ranging from 0 to 16. The value 16 indicates that the user does not have the administrator rights.

Based on the above analysis, the customer needs to modify the configuration on the RADIUS server.

4. Send a configuration example for the Windows RADIUS server to the customer. After the test, it works fine.
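
Added example (not from the original case or from Huawei documentation): a Python check that parses the attributes of an Access-Accept and reports whether it carries HW-Exec-Privilege (26-29) or only Cisco-AVpair (26-1), as in the debug output above. The vendor IDs 9 and 2011 are the IANA enterprise numbers for Cisco and Huawei, the 4-byte integer encoding of HW-Exec-Privilege is an assumption, and the sample replies and the level 3 are constructed.

```python
import struct

VENDOR_CISCO, VENDOR_HUAWEI = 9, 2011    # IANA enterprise numbers (not stated on the page)
CISCO_AVPAIR, HW_EXEC_PRIVILEGE = 1, 29  # sub-types 26-1 and 26-29 named in the case

def attr(t, value):
    """Encode one RADIUS attribute as type, length, value (RFC 2865)."""
    return bytes([t, len(value) + 2]) + value

def vsa(vendor, vtype, value):
    """Encode a Vendor-Specific attribute (type 26) holding one sub-attribute."""
    return attr(26, struct.pack("!I", vendor) + bytes([vtype, len(value) + 2]) + value)

def parse_vsas(attrs):
    """Yield (vendor_id, vendor_type, data) for each sub-attribute of every type-26 attribute."""
    i = 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        body = attrs[i + 2:i + length]
        if t == 26 and len(body) >= 6:
            vendor, j = struct.unpack("!I", body[:4])[0], 4
            while j + 2 <= len(body):
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("malformed sub-attribute")
                yield vendor, vtype, body[j + 2:j + vlen]
                j += vlen
        i += length

def huawei_privilege(attrs):
    """Return (level, note); level is None when no HW-Exec-Privilege is present."""
    level, cisco = None, None
    for vendor, vtype, data in parse_vsas(attrs):
        if (vendor, vtype) == (VENDOR_HUAWEI, HW_EXEC_PRIVILEGE) and len(data) == 4:
            level = struct.unpack("!I", data)[0]
        elif (vendor, vtype) == (VENDOR_CISCO, CISCO_AVPAIR) and data.startswith(b"shell:priv-lvl="):
            cisco = data.decode()
    if level is not None:
        return level, "HW-Exec-Privilege present"
    if cisco:
        return None, "only Cisco-AVpair %r returned; the S5700 does not use it for privilege" % cisco
    return None, "no privilege attribute returned"

# Constructed samples: the reply shape seen in the debug output (Class omitted),
# and a corrected reply. Level 3 is a constructed value.
BEFORE = attr(6, struct.pack("!I", 7)) + vsa(VENDOR_CISCO, CISCO_AVPAIR, b"shell:priv-lvl=1")
AFTER = attr(6, struct.pack("!I", 7)) + vsa(VENDOR_HUAWEI, HW_EXEC_PRIVILEGE, struct.pack("!I", 3))
```
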

Root Cause

The configuration on the RADIUS server is not correct: the customer used the wrong RADIUS attribute.

Solution

Send the correct RADIUS attribute.

For the RADIUS attribute descriptions, refer to the chapter "AAA Configuration - Principles - RADIUS Protocol - RADIUS Attributes" in the product documentation.
