Hi,
Following the setup that I have for my Cisco devices, I got some basic level of functionality authenticating users that loggin to 3Com switches authenticated against a RADIUS server. Problem is that I can not get the user to obtain admin privileges. I'm using Microsoft's IAS service. According to 3Com documentation when configuring the access policy on IAS the value of 010600000003 have to be used to specify admin access level. That value have to be input in the Dial-in profile section:
010600000003 - indicates admin privileges
010600000002 - manager
010600000001 - monitor
010600000000 - visitor
Here is the configuration on the switch:
radius scheme system
server-type standard
primary authentication XXX.XXX.XXX.XXX
accounting optional
key authentication XXXXXX
key accounting XXXXXX
domain system
scheme radius-scheme system
local-user admin
service-type ssh telnet terminal
level 3
local-user manager
service-type ssh telnet terminal
level 2
local-user monitor
service-type ssh telnet terminal
level 1
The configuration is working with the IAS server because I can check user login events with the Eventviewer tool.
Here is the output of the DISPLAY RADIUS command at the switch:
[4500]disp radius
SchemeName =system Index=0 Type=standard
Primary Auth IP =XXX.XXX.XXX.XXX Port=1645 State=active
Primary Acct IP =127.0.0.1 Port=1646 State=active
Second Auth IP =0.0.0.0 Port=1812 State=block
Second Acct IP =0.0.0.0 Port=1813 State=block
Auth Server Encryption Key= XXXXXX
Acct Server Encryption Key= XXXXXX
Accounting method = optional
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =1
Total 1 RADIUS scheme(s). 1 listed
Here is the output of the DISPLAY DOMAIN and DISPLAY CONNECTION commands after users log into the switch:
[4500]display domain
0 Domain = system
State = Active
RADIUS Scheme = system
Access-limit = Disable
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Messenger Time = Disable
Default Domain Name: system
Total 1 domain(s).1 listed.
[4500]display connection
Index=0 ,Username=admin@system
IP=0.0.0.0
Index=2 ,Username=user@system
IP=xxx.xxx.xxx.xxx
On Unit 1:Total 2 connections matched, 2 listed.
Total 2 connections matched, 2 listed.
[4500]
Here is the DISP RADIUS STATISTICS:
[4500]
%Apr 2 00:23:39:957 2000 4500 SHELL/5/LOGIN:- 1 - ecajigas(xxx.xxx.xxx.xxx) in un it1 logindisp radius stat
state statistic(total=1048):
DEAD=1046 AuthProc=0 AuthSucc=0
AcctStart=0 RLTSend=0 RLTWait=2
AcctStop=0 OnLine=2 Stop=0
StateErr=0
Received and Sent packets statistic:
Unit 1........................................
Sent PKT total :4 Received PKT total:1
Resend Times Resend total
1 1
2 1
Total 2
RADIUS received packets statistic:
Code= 2,Num=1 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=0 ,Err=0
Code=11,Num=0 ,Err=0
Running statistic:
RADIUS received messages statistic:
Normal auth request , Num=1 , Err=0 , Succ=1
EAP auth request , Num=0 , Err=0 , Succ=0
Account request , Num=1 , Err=0 , Succ=1
Account off request , Num=0 , Err=0 , Succ=0
PKT auth timeout , Num=0 , Err=0 , Succ=0
PKT acct_timeout , Num=3 , Err=1 , Succ=2
Realtime Account timer , Num=0 , Err=0 , Succ=0
PKT response , Num=1 , Err=0 , Succ=1
EAP reauth_request , Num=0 , Err=0 , Succ=0
PORTAL access , Num=0 , Err=0 , Succ=0
Update ack , Num=0 , Err=0 , Succ=0
PORTAL access ack , Num=0 , Err=0 , Succ=0
Session ctrl pkt , Num=0 , Err=0 , Succ=0
RADIUS sent messages statistic:
Auth accept , Num=0
Auth reject , Num=0
EAP auth replying , Num=0
Account success , Num=0
Account failure , Num=0
Cut req , Num=0
RecError_MSG_sum:0 SndMSG_Fail_sum :0
Timer_Err :0 Alloc_Mem_Err :0
State Mismatch :0 Other_Error :0
No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0
The other problem is that when the RADIUS server is not available I can not log in to the switch. The switch have 3 local accounts but none of them works. How can I specify the switch to use the local accounts in case that the RADIUS service is not available?
