Monday, January 23, 2012

Setting Up SSH Access with Radius Authentication on 3Com Switches (5500 and 4500 Family) using Microsoft Network Policy Services (NPS)

I have been dealing with this for many days and I finally got it working! I believe there are a lot of people out there who are also willing to implement something like this, but there is not much 3Com documentation out there to help them. Follow this tutorial step by step in order to start authenticating SSH access to 3Com switches (5500 Family and 4500 Family) using your Active Directory and the Windows Server 2008 Network Policy Server. I also think this procedure can be improved and I will keep working on it (check for updates later). I would also like to use the same authentication mechanism for the 3Com web interface. A very similar configuration can also be used to set up 802.1x port authentication on these switches (post coming soon ;) ). All comments are welcome at the bottom of the post! Enjoy!

Windows Server Side Configuration

1- Install NPS Role on Windows Server 2008

2- Define the RADIUS clients

3- Modify Connection Request Policies using the Network Policy Server configuration Snap-in

5- Modify the Standard RADIUS Attributes Dictionary on Windows Server 2008 by editing C:\Windows\System32\ias\dnary.xml to add SSH, FTP and Terminal under the Login-Service attribute. The standard RADIUS dictionary only allows Telnet as a login service by default, so the dictionary must be modified in order to add SSH, FTP and Terminal as login options under the standard RADIUS implementation.

6- Restart the Windows Server. Sometimes restarting the service is not enough and a server restart might be required for the SSH option to show up among the standard RADIUS options.

7- Modify the Standard RADIUS Attribute inside the corresponding Network Policy to allow clients to log in using SSH.

8- Modify the Vendor Specific Attribute to provide the corresponding User Access Level. Once the client connecting to the switch through SSH has been authenticated, the RADIUS server needs to tell the switch which access level this user is allowed. 3Com switches support the following access levels:
  1. Level 0 (Attribute Number 1, Attribute Value 0) - 3Com-Visit
  2. Level 1 (Attribute Number 1, Attribute Value 1) - 3Com-Monitor
  3. Level 2 (Attribute Number 1, Attribute Value 2) - 3Com-Manager
  4. Level 3 (Attribute Number 1, Attribute Value 3) - 3Com-Administrator
In this case we are going to give the users of the WEM-Local-NetAdmin domain group User Access Level 3 (Administrator), so they will be able to run any command on the switches.

3Com Switch Side Configuration

1- Set up a Radius Scheme on 3Com

radius scheme domain_name
 server-type extended
 primary authentication IP_Address_Of_NPS_Server
 primary accounting IP_Address_Of_NPS_Server
 accounting optional
 key authentication systems2006
 key accounting systems2006
 timer realtime-accounting 15
 timer response-timeout 5
 retry 5
 user-name-format with-domain
 nas-ip IP_Address_Of_Switch
 calling-station-id mode mode2 uppercase

2- Set up a Domain and link it to the corresponding Radius Scheme

domain domain.local
 scheme radius-scheme domain_name local
 scheme lan-access radius-scheme domain_name
 scheme login local
 accounting lan-access radius-scheme domain_name
 authentication login radius-scheme domain_name local
 accounting login radius-scheme domain_name local
 access-limit enable 60
 idle-cut enable 20 2000

3- Set up the VTY interfaces to allow for ssh connections and to use the Radius Authentication Scheme

user-interface vty 0 4
 authentication-mode scheme

4- Set up the SSH Server parameters

 ssh-server source-ip ip_address
 ssh server authentication-retries 5

5- Set up the SSH users that are allowed to log in using SSH. Ideally, I would like to specify a group, instead of a domain user (userid@wem.local), so that all users in that group are valid users for the 3Com switch, but I have not found a way to do that yet.

 ssh user admin authentication-type password
 ssh user admin service-type all
 ssh user userid@domain.local authentication-type password
 ssh user userid@domain.local service-type all

Troubleshooting

1- Check the Security log under Windows Logs in the Windows Server Event Viewer. Verify the events are being logged as Audit Success.

2- Run Wireshark on the NPS server and try to connect to the switch using SSH. Verify the RADIUS parameters the NPS server passes back to the switch.

3- Use the NTRadPing freeware test utility to test connectivity to the RADIUS server and check your parameters.
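As an added example (not code from the original post), the following Python script decodes the Access-Accept that NPS sends back to the switch: it verifies the Response Authenticator against the shared secret and extracts the Login-Service attribute from step 5 and the 3Com-User-Access-Level VSA from step 8, which is exactly what one checks in a Wireshark capture during troubleshooting step 2. It assumes 3Com's vendor code is 43 and that the SSH entry added to dnary.xml carries value 50; the shared secret and the packet itself are constructed inline so it runs offline.

```python
import hashlib
import struct

THREECOM_VENDOR_ID, ACCESS_LEVEL_ATTR = 43, 1   # 3Com IANA enterprise number (assumed VSA vendor code); "Attribute Number 1"
LOGIN_SERVICE, VENDOR_SPECIFIC, ACCESS_ACCEPT = 15, 26, 2
LOGIN_SERVICE_SSH = 50        # assumed value for the SSH entry added to dnary.xml; use whatever yours assigns
ACCESS_LEVELS = {0: "3Com-Visit", 1: "3Com-Monitor", 2: "3Com-Manager", 3: "3Com-Administrator"}
SECRET = b"constructed-shared-secret"  # constructed; stands in for the switch's "key authentication" value
REQUEST_AUTH = bytes(range(16))        # constructed Request Authenticator (a real one is random)

def vsa(vendor_id, vendor_type, value):
    """Encode one vendor sub-attribute as the payload of a Vendor-Specific (26) attribute."""
    return struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value

def build_accept(ident, request_auth, secret, attrs):
    """Encode an Access-Accept as NPS would; used here only to build the constructed sample."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def parse_accept(packet, request_auth, secret):
    """Check the Response Authenticator, then return the Login-Service and 3Com access level."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not an Access-Accept or length mismatch")
    body = packet[20:]
    if hashlib.md5(packet[:4] + request_auth + body + secret).digest() != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or altered reply")
    result, pos = {"login_service": None, "access_level": None}, 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        value = body[pos + 2:pos + attr_len]
        if attr_type == LOGIN_SERVICE:
            result["login_service"] = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC:
            vendor, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
            if vendor == THREECOM_VENDOR_ID and vendor_type == ACCESS_LEVEL_ATTR:
                level = struct.unpack("!I", value[6:4 + vendor_len])[0]
                result["access_level"] = ACCESS_LEVELS.get(level, "unknown(%d)" % level)
        pos += attr_len
    return result

def sample_accept():
    """Constructed Access-Accept carrying Login-Service=SSH and 3Com-User-Access-Level=3."""
    return build_accept(7, REQUEST_AUTH, SECRET, [
        (LOGIN_SERVICE, struct.pack("!I", LOGIN_SERVICE_SSH)),
        (VENDOR_SPECIFIC, vsa(THREECOM_VENDOR_ID, ACCESS_LEVEL_ATTR, struct.pack("!I", 3)))])
```

A reply that fails the authenticator check is the first thing to look for when the switch and NPS disagree on the shared secret; a reply that passes but carries no 3Com VSA means the Network Policy is not sending the access level.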

Recommendations

This procedure should be improved so that there is no need to define each user using the ssh user statement. Ideally only the AD user group should be used.

Implement the same authentication mechanism for the switch management web interface.

Comments are welcome!

6 comments:

  1. Hi - not sure if you read the comments - but I was wondering whether your 802.1x post is coming!? This was really useful - I am now going to work on an 802.1x wired NPS setup..

    Thanks,
    Anthony

  4. Hi.
    Very nice post.
    I've tried this configuration in my switch and I cannot log in with admin rights.
    I set Vendor Specific Attribute to "3".

    Regards
