One of the issues I’ve been tackling over the past week was getting HP Virtual Connect Manager version 3.70 to authenticate against a Microsoft NPS (Network Policy Server) as a RADIUS client. I got as far as setting up the client and the policy so that I could log into HP Virtual Connect Manager with Active Directory credentials, but couldn’t quite figure out how to assign Administrator permissions to the Active Directory group I was logging in with. The setup I had is shown in the following screenshots:
The following are the settings for the RADIUS client representing the HP Virtual Connect Manager:
A policy was created:
I used Windows Groups and Client Friendly Name for the conditions of the policy:
Unencrypted authentication (PAP, SPAP) was used:
The following are the standard attributes:
Framed-protocol – PPP
Service-Type – NAS Prompt
What I was missing was the Vendor Specific attribute for Virtual Connect:
Without a Vendor Specific attribute granting privileges to the Active Directory group the user belongs to, the user would have only read-only access:
Notice how all of the options are grayed out:
Searching the internet didn’t turn up much information, so I opened a ticket with HP and was soon escalated to a senior engineer, who pointed me to page 75 of the user guide:
http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c03478464/c03478464.pdf
that mentions the vendor-specific attribute named:
HP-VC-Groups
… with the description:
This is the group name value configured as the vendor-specific attribute HP-VC-Groups on the RADIUS server. The name can consist of 1 to 255 standard text-string characters (alphanumeric characters, hyphen (-), underscore (_), period (.)) except backslash (\) and single quote ('). You cannot change the name on edit.
I must have overlooked this while reading the guide earlier in the week, so I took the HP-VC-Groups string and Googled it, which led me to the following webpage:
http://friendsnow.hatenablog.com/entry/2012/04/14/153532
… which appeared to be a Japanese forum, but what caught my eye was the following:
# cat /etc/raddb/users
(appended at the end of the file)
DEFAULT Auth-Type = ntlm_auth
        Service-Type = NAS-Prompt-User,
        HP-VC-Groups = "vcadmingroup",
… and:
# cat /usr/share/freeradius/dictionary.vc
VENDOR HP 11
BEGIN-VENDOR HP
ATTRIBUTE HP-VC-Groups 192 string
END-VENDOR HP
With that information, I created a group in HP Virtual Connect Manager:
Named the group HPVCMAdmins and checked off the following privilege levels:
- Domain
- Network
- Server
- Storage
I then went into the policy’s Vendor Specific section and configured the Vendor Specific custom attribute as follows:
Vendor: Custom
Attributes Name: Vendor-Specific
Vendor: RADIUS Standard
Enter Vendor Code: 11
Yes. It conforms
Vendor-assigned attribute number: 192
Attribute format: String
Attribute value: HPVCMAdmins
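To make the settings above concrete, here is an added example (not code from the original post, the HP user guide or the Japanese page) that encodes the HP-VC-Groups attribute exactly as NPS puts it on the wire in the RFC 2865 Vendor-Specific format (“Yes. It conforms” refers to that Vendor-Type/Vendor-Length sub-format), parses it back out of a constructed Access-Accept attribute list, and maps the returned group name onto the privilege levels of a matching Virtual Connect group. The vendor id 11, attribute number 192 and group name HPVCMAdmins come from this page; the Access-Accept bytes are constructed, and the privilege mapping illustrates the read-only-versus-admin behaviour described here rather than HP’s actual implementation.

```python
"""Encode/decode the HP-VC-Groups RADIUS VSA and derive Virtual Connect privileges.

Added example; the vendor id (11), attribute number (192) and group name
(HPVCMAdmins) are from the page.  The Access-Accept attribute bytes are constructed.
"""
import re
import struct

VENDOR_SPECIFIC = 26     # RFC 2865 attribute type for Vendor-Specific
HP_VENDOR_ID = 11        # "VENDOR HP 11" in dictionary.vc
HP_VC_GROUPS = 192       # "ATTRIBUTE HP-VC-Groups 192 string"

# Group-name rule from the VC user guide: 1-255 chars, alphanumeric, '-', '_', '.'
_GROUP_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def valid_vc_group_name(name: str) -> bool:
    """True when the name satisfies the guide's character and length rule."""
    return bool(_GROUP_NAME_RE.match(name))


def encode_hp_vc_groups(group_name: str) -> bytes:
    """Build one RFC 2865-conforming VSA carrying HP-VC-Groups = group_name.

    Layout: Type(26) Length Vendor-Id(4) | Vendor-Type(192) Vendor-Length String
    This is the conforming sub-format NPS asks about ("Yes. It conforms").
    """
    if not valid_vc_group_name(group_name):
        raise ValueError("group name violates the VC naming rule")
    value = group_name.encode("ascii")
    vendor_data = struct.pack("!BB", HP_VC_GROUPS, 2 + len(value)) + value
    length = 6 + len(vendor_data)
    if length > 255:
        # A RADIUS attribute length is one octet, so a single VSA carries at most
        # 247 bytes of string even though the guide allows 255 characters.
        raise ValueError("group name too long for a single VSA")
    return struct.pack("!BBI", VENDOR_SPECIFIC, length, HP_VENDOR_ID) + vendor_data


def iter_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS TLV list, rejecting bad lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def extract_hp_vc_groups(attrs: bytes) -> list:
    """Return every HP-VC-Groups string found in an Access-Accept attribute list."""
    groups = []
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != HP_VENDOR_ID:
            continue                      # another vendor's VSA; ignore it
        # Vendor data uses the same Type/Length/Value layout as top-level attributes
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == HP_VC_GROUPS:
                groups.append(vvalue.decode("ascii", errors="replace"))
    return groups


# Groups defined in VCM on this page: HPVCMAdmins with all four privilege levels.
VCM_GROUPS = {"HPVCMAdmins": frozenset({"Domain", "Network", "Server", "Storage"})}


def effective_privileges(attrs: bytes, vcm_groups=VCM_GROUPS) -> frozenset:
    """Union of privileges for the groups RADIUS returned; empty means read-only."""
    privs = set()
    for name in extract_hp_vc_groups(attrs):
        privs |= vcm_groups.get(name, frozenset())
    return frozenset(privs)


def sample_access_accept(group_name: str = "HPVCMAdmins") -> bytes:
    """Constructed attribute list: Framed-Protocol=PPP, Service-Type=NAS Prompt,
    an unrelated VSA from another vendor, then HP-VC-Groups."""
    framed_protocol = struct.pack("!BBI", 7, 6, 1)   # Framed-Protocol = PPP (1)
    service_type = struct.pack("!BBI", 6, 6, 7)      # Service-Type = NAS Prompt (7)
    # Constructed VSA for vendor id 311 with an arbitrary sub-attribute payload
    other_vsa = struct.pack("!BBI", 26, 10, 311) + b"\x01\x04\xaa\xbb"
    return framed_protocol + service_type + other_vsa + encode_hp_vc_groups(group_name)


if __name__ == "__main__":
    accept = sample_access_accept()
    print(encode_hp_vc_groups("HPVCMAdmins").hex())
    print(extract_hp_vc_groups(accept), sorted(effective_privileges(accept)))
    # A group name VCM does not know leaves the user read-only.
    print(sorted(effective_privileges(sample_access_accept("Unknown"))))
```

The decoder skips Vendor-Specific attributes from other vendors and only honours a group name that exactly matches a group defined in Virtual Connect Manager, which is why a typo between the NPS attribute value and the VCM group name silently produces the grayed-out, read-only session shown earlier.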
I went back to the HP Virtual Connect Manager and logged in with my Active Directory account:
… then confirmed that I was now able to edit settings:
Notice how the controls and fields are no longer grayed out:
One thing I noticed was that when logged in with a RADIUS-authenticated account, I was not able to edit any RADIUS settings:
A RADIUS-authenticated user is not permitted to change the RADIUS configuration.
This is most likely by design.