Archive for February, 2009

Procurve RADIUS Authentication

February 7th, 2009

Continuing my series of Procurve articles, this one details how to use a RADIUS server to handle authentication on a switch. It covers using a RADIUS server to authenticate the following methods of access on a Procurve switch:

  • Web Interface
  • Console
  • Telnet
  • SSH

This configuration was tested on an HP Procurve 5412zl switch running K.13.25 software. Configuration on other switches with different software versions may vary. Consult the Access Security Guide for your switch for further details.

Configuring your RADIUS server is beyond the scope of this article, particularly since there are many RADIUS servers to choose from. FreeRADIUS is one popular option. I can personally confirm that this configuration works with Microsoft's IAS, which was set up to authenticate against Active Directory.

Once your RADIUS server has been properly configured, you need to configure your switch so that it knows how to communicate with the server. This is done using the command:

radius-server host <ip-address> key 'MyKey01'

This command accomplishes a few tasks. First, it tells the switch at what IP address to reach the RADIUS server; replace <ip-address> with the IP address of your server. The second part establishes the shared secret (key) that has been set for this switch. The RADIUS server uses this key to verify that requests really come from the switch, so on the server you can (and should) set a unique key for each switch, which servers usually call a RADIUS client.

With the connection to the RADIUS server established, you are now ready to configure authentication for each of the modes of access. This will be accomplished using the aaa authentication command. Below is an example of the format of the command.

aaa authentication <method> <login|enable> <auth1> [auth2]

The first option is the access method to which you would like to apply the authentication. Your options here are: console, telnet, ssh, and web. The login and enable options specify when authentication should be attempted. Login means authentication is attempted when a user first attempts to log in. Enable means authentication is attempted when a user enters the "enable" command. The enable option does not apply to web access.

The last two options specify the means of authentication. Auth1 is the primary means of authentication, which in this case you should set to radius. Auth2 is optional; it is the backup means of authentication. It is a good idea to set this to local, in case the switch cannot communicate with the RADIUS server. Local means the passwords configured on the switch itself will be used, so make sure those local manager and operator passwords are actually set: they are all that protects the switch whenever the RADIUS server is unreachable.

Here are the commands that enable RADIUS authentication, with local fallback, for each access method.

aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication web login radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local

One final command to note is something that many network administrators may find useful. That command is:

aaa authentication login privilege-mode

This command tells the switch to expect an additional attribute from the RADIUS server upon successful authentication. This attribute, Service-Type, tells the switch which mode the user may enter. You can configure the RADIUS server to return the Administrative-User service type for users that are granted access to manager (enable/configuration) mode. On the other hand, you can configure the server to return the NAS-Prompt-User service type for users that you only want to grant operator mode.

This is very useful if you have a group of users that should have only minimal access to your switches. If these limited-access users attempt to enter manager mode with the enable command, they will be prompted to log in again, but they will then be presented with an "Access Denied" error message.
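To make the two mechanisms above concrete, here is an added example (not from the original article) of a RADIUS Access-Accept exchange: the server signs the reply with the shared key from the radius-server command, and the switch side verifies that signature before mapping the Service-Type value (Administrative-User or NAS-Prompt-User) to a privilege level. The packet layout and the Response Authenticator calculation are the ones RFC 2865 defines; the key 'MyKey01' and the request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ADMINISTRATIVE_USER = 6   # server grants manager (enable) access
NAS_PROMPT_USER = 7       # server grants operator access only


def build_access_accept(ident, request_auth, secret, service_type):
    """Server side: an Access-Accept carrying Service-Type, signed with the
    shared key. Response Authenticator = MD5(header + RequestAuth + attrs + key)."""
    attrs = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data):
    """Split the TLV attribute list into {type: value}; rejects bad lengths."""
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs


def switch_check_accept(packet, request_auth, secret):
    """Switch side: verify the reply came from a server holding the key, then
    map Service-Type to a privilege level. Returns 'manager', 'operator', or
    None when the reply is rejected or carries no usable Service-Type."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None   # wrong key or tampered reply: treated as no answer
    try:
        value = parse_attrs(attrs).get(ATTR_SERVICE_TYPE)
    except ValueError:
        return None
    if value is None or len(value) != 4:
        return None
    return {ADMINISTRATIVE_USER: "manager", NAS_PROMPT_USER: "operator"}.get(
        struct.unpack("!I", value)[0])
```

A reply whose Service-Type has been altered in transit, or one signed with a different key, fails the authenticator check and is treated as if the server never answered, which is when the local fallback comes into play.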

After everything has been configured, you can confirm that the proper forms of primary and secondary authentication have been applied with the following command:

show authentication

Below is some output produced by this command:

J8698A-01# show authentication

 Status and Counters - Authentication Information

  Login Attempts : 3
  Respect Privilege : Enabled

              | Login      Login      Enable     Enable
  Access Task | Primary    Secondary  Primary    Secondary
  ----------- + ---------- ---------- ---------- ----------
  Console     | Local      None       Local      None
  Telnet      | Radius     Local      Radius     Local
  Port-Access | Local      None
  Webui       | Radius     None       Local      None
  SSH         | Local      None       Local      None
  Web-Auth    | ChapRadius None
  MAC-Auth    | ChapRadius None
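Reading that table by eye is error prone on a fleet of switches, so here is an added example (not part of the original article) that parses the show authentication output above and reports every interactive access task whose primary method is not Radius or whose secondary is not Local. The sample text is the table from this article; the expected methods are assumptions you can change, and the web enable columns are skipped because enable does not apply to web access.

```python
# Table portion of the article's 'show authentication' output, used as sample input.
SAMPLE = """\
              | Login      Login      Enable     Enable
  Access Task | Primary    Secondary  Primary    Secondary
  ----------- + ---------- ---------- ---------- ----------
  Console     | Local      None       Local      None
  Telnet      | Radius     Local      Radius     Local
  Port-Access | Local      None
  Webui       | Radius     None       Local      None
  SSH         | Local      None       Local      None
  Web-Auth    | ChapRadius None
  MAC-Auth    | ChapRadius None
"""

INTERACTIVE = ("Console", "Telnet", "Webui", "SSH")   # tasks the article configures


def parse_show_authentication(text):
    """Return {task: {'login': (primary, secondary), 'enable': (...) or None}}."""
    rows, in_table = {}, False
    for line in text.splitlines():
        if line.strip().startswith("-----"):   # separator: data rows follow
            in_table = True
            continue
        if not in_table or "|" not in line:
            continue
        task, cols = line.split("|", 1)
        vals = cols.split()
        rows[task.strip()] = {
            "login": tuple(vals[0:2]),
            "enable": tuple(vals[2:4]) if len(vals) >= 4 else None,
        }
    return rows


def audit(rows, want_primary="Radius", want_secondary="Local"):
    """List every interactive task/stage that deviates from the wanted methods."""
    findings = []
    for task in INTERACTIVE:
        row = rows.get(task)
        if row is None:
            findings.append(f"{task}: not present in output")
            continue
        stages = [("login", row["login"])]
        if task != "Webui" and row["enable"]:   # enable does not apply to web access
            stages.append(("enable", row["enable"]))
        for stage, (primary, secondary) in stages:
            if primary != want_primary:
                findings.append(f"{task} {stage}: primary is {primary}, expected {want_primary}")
            elif secondary != want_secondary:
                findings.append(f"{task} {stage}: secondary is {secondary}, expected {want_secondary}")
    return findings
```

Run against the sample table, only Telnet passes: Console and SSH still use Local as primary, and Webui has no local fallback configured.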
Categories: HP Procurve

Comments Bug

February 6th, 2009

I made a change to the comments feature tonight, and in the process discovered a “bug”.

First, readers will now be able to leave a comment without being a registered user. All you need to do is provide your name and an email address. There are still some conditions that will hold a comment until it is approved, such as if it contains a certain amount of links.

In the process, I discovered that after leaving a comment users were redirected to a 404 error page. After some quick investigation, I found the cause to be an extra space I had in the permalink configuration. The error has now been remediated, so everything is running normally.

Update: I should also mention that when you post a comment, your email address is not displayed. Your name will be a hyperlink to your web site.

Categories: Site Updates

HP Procurve Premium License

February 5th, 2009

A topic not often covered in the Procurve community is the issue of licensing certain features on a switch. HP does an excellent job of providing a robust feature set on most of their equipment out of the box. However, some applications require additional features that are not included with the switch.

An issue arose at work where we wanted to use a 5406zl to route to an external entity. We thought we could peer with the entity using OSPF. After some quick digging around the command line, I found that our 5406zl only supported RIP with the current license. Upgrading to a premium license would be required to support OSPF. The premium license adds support for the following on 3500 and 5400 series switches.

  • OSPFv2
  • PIM Dense mode
  • PIM Sparse mode
  • VRRP
  • QinQ (IEEE 802.1ad)

How can you tell what license is currently installed on your switch? If you are running OSPF, that is a good indicator that your switch currently has a premium license installed. A better way to view the installed license is with the show licenses command:

J8698A-01# show licenses

 Feature Group         License Status
 --------------------  --------------
 premium               Not Installed
   OSPF
   PIM-SM/DM
   VRRP
   QinQ

Here you can clearly see that this switch does not have the premium license installed, as is indicated by the “Not Installed” license status.

Installing a premium license is a multi-step process that will require you to use the my.procurve.com web site. Obtaining a premium license is beyond the scope of this article; however, I will cover how to obtain the hardware ID for your switch. The hardware ID is required when obtaining a premium license.

Obtaining the Hardware ID

In order to obtain the hardware ID for the switch, you need to enter configuration mode using the configure terminal command. Once you have entered configuration mode, issue the command licenses hardware-id premium. The output of this command is shown below:

J8698A-01(config)# licenses hardware-id premium

The hardware Id for package “premium” is
  XXXXXXXXXX-X-XXXXXXX-XXXXXXX-XXXXX8X-XXXXXXX

There are a few points I would like to note. First, the hardware ID has been sanitized. However, the format above is the same format that you can expect on other switches. Second, the exact command to be used will depend on the switch model in use. Some HP documentation makes use of the licenses hardware-id premium-edge command to retrieve the hardware ID. Context-sensitive help will reveal which command should be used on your switch.

Installing a Premium License

Installing a premium license is straightforward. Again, you need to enter configuration mode using the configure terminal command. Once in configuration mode, issue the following command:

licenses install premium <license-key>

You will replace <license-key> with the key that was provided to you on the my.procurve.com web site. Keep in mind that after the switch installs the license, it will reboot.

Removing a Premium License

At some point, you may need to remove a license from a switch for various reasons. Like the previous commands, you must be in configuration mode to uninstall a license. From configuration mode issue the command:

licenses uninstall premium

This command will issue the following warning:

J8698A-01(config)# licenses uninstall premium
                              **** CAUTION ****

Completion of this operation will remove the functionality that is enabled
in the premium feature group, and will delete the configuration for
those features from the active configuration.

Device will be rebooted, do you want to continue [y/n]?

After you answer yes, the switch will delete the key and issue an uninstall verification number. It is very important that you copy this uninstall verification number, as you will need to enter it into the my.procurve.com website to “release” the license for use on another switch. After this the switch will reboot.

Viewing Uninstalled Licenses

Should you need to view a license that was uninstalled from a switch you can use the following command:

show licenses uninstalled

This will show the license that was uninstalled, as well as the uninstall verification key. This command comes in handy if you forgot to record the uninstall verification key after removing a license.

Categories: HP Procurve