Can't work out HP/Huawei reply attributes

Joel Bergmark joel.bergmark at t3.se
Mon Mar 7 22:38:29 CET 2016


Hello all,

I've got quite stuck regarding reply attributes to get privileged when logging on to an HP/Comware firmware switch (HP, Huawei, 3com etc). I run Daloradius as frontend.

Basically what I want is to have something similar to the "Cisco AVPair shell:priv-lvl=15".

So the RADIUS server is working and I can log in to the HP in question. I have googled this for hours and tried a lot, but to no resolution; examples are like: http://certifiedgeek.weebly.com/blog/ssh-radius-authentication-with-hp-comware-and-freeradius

I also tried a number of variants including Cisco AVPair; most of the time I tried variants of this:

NAS-Prompt-User
Huawei-Exec-Privilege = "3"
rlm_sql: Failed to create the pair: Unknown attribute "NAS-Prompt-User" requires a hex string, not "Huawei-Exec-Privilege = "3""

3Com-User-Access-Level
HP-Privelege-Level = 3
rlm_sql: Failed to create the pair: Unknown value HP-Privelege-Level = 3 for attribute 3Com-User-Access-Level

3Com-User-Access-Level
HP-Privelege-Level = 3
rlm_sql: Failed to create the pair: Unknown value 3Com-User-Access-Level = 3 for attribute 3Com-User-Access-Level

Basically debug gives me the same issue, "Failed to create the pair: Unknown value <reply attribute> for <attribute>", like this:

(...)
[sql]   expand: %{User-Name} -> hua
[sql] sql_set_user escaped user --> 'hua'
rlm_sql (sql): Reserving sql socket id: 0
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'hua'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'hua'           ORDER BY id
rlm_sql: Failed to create the pair: Unknown value Huawei-Exec-Privilege = "3" for attribute Huawei-Exec-Privilege
rlm_sql (sql): Error getting data from database
[sql] SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 0
++[sql] returns fail
Invalid user: [user/password] (from client dr1.xyz port 0 cli 00-00-00-00-00-00)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> hua
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 39 to X8.X3.3X.65 port 2888

This leads me to believe that there is something with the dictionary not working correctly. I have tried to figure out the dictionary stuff but am not sure how to troubleshoot it. I have also started a thread at the HP forums to see if anyone not running Windows has got it to work.

Thanks for any assistance, and if solved I will as before update the wiki :-)

Kind regards, Joel
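
Added example (not part of the original post, and not FreeRADIUS or daloRADIUS code): the debug log above shows rlm_sql reading `attribute`, `op` and `value` as separate radreply columns and failing on rows whose value column holds a whole `Name = value` string. This sketch lints a radreply table for that row shape; the sample rows, the `:=` operators and the `KNOWN_ATTRIBUTES` set are constructed from the error lines in the post.

```python
import re
import sqlite3

# Constructed set: the two names the log in the post resolved as attributes.
# In practice, load the names from the dictionary files the server reads.
KNOWN_ATTRIBUTES = {"Huawei-Exec-Privilege", "3Com-User-Access-Level"}

# Heuristic: a value that itself looks like `Name op value`, e.g. `Foo-Bar = "3"`.
EMBEDDED_PAIR = re.compile(r'^\s*[A-Za-z0-9][A-Za-z0-9-]*\s*(?::=|\+=|==|=)\s*\S')

def lint_radreply(conn, known=KNOWN_ATTRIBUTES):
    """Return (row id, problem) tuples for radreply rows with a suspect shape."""
    findings = []
    rows = conn.execute("SELECT id, attribute, op, value FROM radreply ORDER BY id")
    for row_id, attribute, _op, value in rows:
        if attribute not in known:
            # The attribute column holds a name no dictionary defines.
            findings.append((row_id, "unknown-attribute"))
        if EMBEDDED_PAIR.match(value):
            # The value column holds a whole pair instead of a bare value.
            findings.append((row_id, "value-embeds-pair"))
    return findings

def build_sample_db():
    """In-memory radreply table with constructed rows mirroring the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radreply (id INTEGER PRIMARY KEY, username TEXT, "
        "attribute TEXT, op TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO radreply (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [
            ("hua", "NAS-Prompt-User", ":=", 'Huawei-Exec-Privilege = "3"'),
            ("hua", "3Com-User-Access-Level", ":=", "HP-Privelege-Level = 3"),
            ("hua", "Huawei-Exec-Privilege", ":=", 'Huawei-Exec-Privilege = "3"'),
            ("hua", "Huawei-Exec-Privilege", ":=", "3"),  # bare value, passes
        ],
    )
    return conn

if __name__ == "__main__":
    for row_id, problem in lint_radreply(build_sample_db()):
        print(f"radreply id={row_id}: {problem}")
```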

