Thursday, February 28, 2013

Setting up HP Virtual Connect Manager 3.70 for RADIUS authentication with Microsoft NPS

One of the issues I’ve been tackling over the past week was getting HP Virtual Connect Manager version 3.70 to authenticate against a Microsoft NPS (Network Policy Server) RADIUS server, with Virtual Connect registered on NPS as a RADIUS client.  I got as far as setting up the client and the policy so that I could log into HP Virtual Connect Manager with Active Directory credentials, but couldn’t quite figure out how to assign Administrator permissions to the Active Directory group I was logging in with.  The setup I had is shown in the following screenshots:

[screenshot]

The following are the settings for the RADIUS client representing the HP Virtual Connect Manager:

[screenshot]

[screenshot]

A policy was created:

[screenshot]

[screenshot]

I used Windows Groups and Client Friendly Name for the conditions of the policy:

[screenshot]

Unencrypted authentication (PAP, SPAP) was used. Keep in mind that with PAP the password travels in the Access-Request protected only by the RADIUS shared secret (the User-Password attribute is XORed with an MD5 of the secret and the request authenticator, per RFC 2865), so use a long, random shared secret and keep the traffic between Virtual Connect and NPS on a segregated management network:

[screenshot]

The following are the standard attributes:

  • Framed-Protocol – PPP
  • Service-Type – NAS Prompt

[screenshot]

What I was missing was the Vendor-Specific attribute that Virtual Connect uses to map the authenticated user to one of its own groups:

[screenshot]

Without a Vendor-Specific attribute that tells Virtual Connect which of its groups the Active Directory user belongs to, the user only gets read-only access:

[screenshot]

Notice how all of the options are grayed out:

[screenshot]

Searching the internet didn’t turn up much, so I opened a ticket with HP. The case was escalated to a senior engineer before long, and he pointed me to page 75 of the user guide:

http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c03478464/c03478464.pdf

[screenshot]

… which documents the vendor-specific attribute named:

HP-VC-Groups

… with the description:

This is the group name value configured as the vendor-specific attribute HP-VC-Groups on the RADIUS server. The name can consist of 1 to 255 standard text-string characters (alphanumeric characters, hyphen (-), underscore (_), period (.)) except backslash (\) and single quote ('). You cannot change the name on edit.

I must have overlooked this while reading the guide earlier in the week, so I searched for the HP-VC-Groups string, which led me to the following page:

http://friendsnow.hatenablog.com/entry/2012/04/14/153532

… which is a Japanese blog post describing the same setup against FreeRADIUS. What caught my eye was the following:

# cat /etc/raddb/users

(appended at the end of the file)

DEFAULT Auth-Type = ntlm_auth
        Service-Type = NAS-Prompt-User,
        HP-VC-Groups = "vcadmingroup"
        # no comma after the last reply item: a trailing comma tells FreeRADIUS
        # to keep reading reply items on the next line

… and:

# cat /usr/share/freeradius/dictionary.vc

VENDOR          HP              11
BEGIN-VENDOR    HP
ATTRIBUTE       HP-VC-Groups    192     string
END-VENDOR      HP

(11 is the IANA enterprise number for Hewlett-Packard; the file has to be pulled in with a $INCLUDE line from the main dictionary, e.g. /etc/raddb/dictionary, or FreeRADIUS will not know the attribute name)

[screenshot]

With that information, I created a group in HP Virtual Connect Manager:

[screenshot]

[screenshot]

I named the group HPVCMAdmins and checked the following privilege levels:

  • Domain
  • Network
  • Server
  • Storage

[screenshot]

[screenshot]

I then went into the policy’s Vendor Specific section and added a custom vendor-specific attribute:

[screenshot]

Vendor: Custom

Attribute name: Vendor-Specific

Vendor: RADIUS Standard

[screenshot]

[screenshot]

Enter Vendor Code: 11

Yes. It conforms (the attribute uses the standard RFC 2865 vendor-specific layout: a 4-byte Vendor-Id followed by vendor type, vendor length and value)

[screenshot]

Vendor-assigned attribute number: 192

Attribute format: String

Attribute value: HPVCMAdmins

[screenshot]

[screenshot]
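To make the wire-level mapping concrete, here is an added Python example (not code from this post, from HP or from Microsoft) that builds the Access-Request Virtual Connect would send with a PAP User-Password, builds the Access-Accept NPS returns with the Service-Type and the HP-VC-Groups vendor-specific attribute configured above (vendor 11, attribute 192, string), and then, on the client side, verifies the Response Authenticator and extracts the group names. The shared secret, user name, password and identifier are constructed sample values; demo(None) models a policy without the HP-VC-Groups attribute, which is the read-only case from earlier.

```python
"""RADIUS PAP exchange carrying an HP-VC-Groups VSA (RFC 2865 wire format).

Added example; not HP's or Microsoft's code. All secrets and names are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
NAS_PROMPT = 7          # Service-Type value the NPS policy sends
HP_VENDOR_ID = 11       # IANA enterprise number for Hewlett-Packard
HP_VC_GROUPS = 192      # vendor-assigned attribute number from dictionary.vc / the NPS dialog


def pap_encode(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    Only the shared secret protects the password, hence the caveat about PAP above."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decode(enc: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(enc[i:i + 16], key))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type, Length (includes the 2 header bytes), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Type 26: Vendor-Id (4 bytes) then vendor type, vendor length, value."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vendor_type, value))


def parse_attrs(data: bytes) -> list:
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def build_access_request(user: str, password: str, secret: bytes, ident: int,
                         request_auth: bytes = None):
    """What Virtual Connect (the RADIUS client) sends to NPS."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encode(password.encode(), secret, request_auth))
             + attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_access_accept(request_auth: bytes, secret: bytes, ident: int,
                        vc_group: str = None) -> bytes:
    """What NPS sends back; vc_group=None models a policy with no HP-VC-Groups VSA."""
    attrs = attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT))
    if vc_group is not None:
        attrs += vsa(HP_VENDOR_ID, HP_VC_GROUPS, vc_group.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def vc_groups(response: bytes, request_auth: bytes, secret: bytes) -> list:
    """Client side: verify the Response Authenticator, then pull HP-VC-Groups values."""
    length = struct.unpack("!H", response[2:4])[0]
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret or forged reply)")
    if response[0] != ACCESS_ACCEPT:
        return []
    groups = []
    for atype, value in parse_attrs(attrs):
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == HP_VENDOR_ID:
            groups += [v.decode() for t, v in parse_attrs(value[4:]) if t == HP_VC_GROUPS]
    return groups


def demo(vc_group: str = "HPVCMAdmins") -> list:
    """Round trip with constructed credentials: VC Manager -> NPS -> VC Manager."""
    secret = b"constructed-shared-secret"   # constructed; not a real secret
    req, req_auth = build_access_request("vcadmin", "P@ssw0rd", secret, ident=7)
    # Server side recovers the PAP password before checking it against AD.
    recovered = pap_decode(dict(parse_attrs(req[20:]))[USER_PASSWORD], secret, req_auth)
    assert recovered == b"P@ssw0rd"
    accept = build_access_accept(req_auth, secret, ident=7, vc_group=vc_group)
    return vc_groups(accept, req_auth, secret)


if __name__ == "__main__":
    print(demo())       # ['HPVCMAdmins']: the name VC Manager maps to its group's privileges
    print(demo(None))   # []: no VSA, so the read-only behaviour described above
```

Run it directly to see both outcomes. A reply built with a different shared secret makes vc_groups raise on the Response Authenticator check, which is the same test a real RADIUS client applies before trusting an Access-Accept.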

I went back to the HP Virtual Connect Manager and logged in with my Active Directory account:

[screenshot]

… then confirmed that I was now able to edit settings:

[screenshot]

Notice how the controls and fields are no longer grayed out:

[screenshot]

One thing I noticed is that when logged in with a RADIUS-authenticated account I am not able to edit any of the RADIUS settings; Virtual Connect reports:

A RADIUS-authenticated user is not permitted to change the RADIUS configuration.

[screenshot]

This is almost certainly by design: an account that arrived through RADIUS cannot alter or disable the authentication path it came in on. Keep a local Administrator account available for changes to the RADIUS configuration and for recovery if NPS becomes unreachable.
