Discussion:
[Ipmitool-devel] RAKP 2 message indicates an error : unauthorized name
VJ
2017-02-10 06:39:25 UTC
Hi,
After I set authtype to MD5 I am unable to log in and get the error mentioned
in the subject.
Please help

some debug info below

(with -A M5 and without that same error)
ipmitool -vvv -I lanplus -U Administrator -f file.txt -A MD5 -H host
chassis status
Sending IPMI command payload
netfn : 0x06
command : 0x38
data : 0x8e 0x04
BUILDING A v1.5 COMMAND
IPMI Request Session Header
Authtype : NONE
Sequence : 0x00000000
Session ID : 0x00000000
IPMI Request Message Header
Rs Addr : 20
NetFn : 06
Rs LUN : 0
Rq Addr : 81
Rq Seq : 00
Rq Lun : 0
Command : 38
<< IPMI Response Session Header
<< Authtype : NONE
<< Payload type : IPMI (0)
<< Session ID : 0x00000000
<< Sequence : 0x00000000
<< IPMI Msg/Payload Length : 16
<< IPMI Response Message Header
<< Rq Addr : 81
<< NetFn : 07
<< Rq LUN : 0
<< Rs Addr : 20
<< Rq Seq : 00
<< Rs Lun : 0
<< Command : 38
<< Compl Code : 0x00
SENDING AN OPEN SESSION REQUEST
<<OPEN SESSION RESPONSE
<< Message tag : 0x00
<< RMCP+ status : no errors
<< Maximum privilege level : admin
<< Console Session ID : 0xa0a2a3a4
<< BMC Session ID : 0xffb52dfb
<< Negotiated authenticatin algorithm : hmac_sha1
<< Negotiated integrity algorithm : hmac_sha1_96
<< Negotiated encryption algorithm : aes_cbc_128
Console generated random number (16 bytes)
cc 18 fe 89 2d c0 e6 3c 28 66 80 ee 0a 82 0b 59
SENDING A RAKP 1 MESSAGE
<<RAKP 2 MESSAGE
<< Message tag : 0x00
<< RMCP+ status : unauthorized name
<< Console Session ID : 0xa0a2a3a4
<< BMC random number : 0x002db5ff000000080100000801000008
<< BMC GUID : 0x01000008020000080169737400000000
<< Key exchange auth code [sha1] :
0x0000000000000000000000000000000000000000

RAKP 2 message indicates an error : unauthorized name
Error: Unable to establish IPMI v2 / RMCP+ session


# ipmitool user list 1
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
1 false false true USER
2 Administrator false true true ADMINISTRATOR



# ipmitool lan print 1
Set in Progress : Set Complete
Auth Type Support : NONE MD2 MD5 PASSWORD
Auth Type Enable : Callback : MD5
: User : MD5
: Operator : MD5
: Admin : MD5
: OEM :
....
IP Header : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control : ARP Responses Enabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl : 0.0 seconds
Default Gateway IP : .........
Default Gateway MAC : 00:00:00:00:00:00
Backup Gateway IP : 0.0.0.0
Backup Gateway MAC : 00:00:00:00:00:00
802.1q VLAN ID : Disabled
802.1q VLAN Priority : 0
RMCP+ Cipher Suites : 1,2,3,6,7,8,11,12,15
Cipher Suite Priv Max : XXXaXXaaXXXXXXX
: X=Cipher Suite Unused
: c=CALLBACK
: u=USER
: o=OPERATOR
: a=ADMIN
: O=OEM
Mike Thornley
2017-02-10 07:05:14 UTC
The "-A MD5" is for IPMIv1.5 sessions ("-I lan"). You need to use "-C 3" for IPMIv2.0 sessions ("-I lanplus").
Regards
Mike

h***@ts.fujitsu.com
2017-02-10 08:44:08 UTC
MD5 is the (default and strongest) Authentication for RMCP (a.k.a. IPMI 1.5,
a.k.a. -I lan) and not for RMCP+ (a.k.a. IPMI 2.0 a.k.a. -I lanplus) so I
guess this command line option gets ignored as you are still trying to
establish a RMCP+ session (-I lanplus) with the default Cipher Suite 3 - which
seems to be disabled on your BMC.



Still not sure what you are trying to do and who has configured your BMC.
HMAC_MD5 is weaker from a crypto point of view (Cipher Suites 6,7,8) for
Authentication, and MD5_128 is weaker than HMAC_MD5 for Integrity (Cipher
Suites 11,12 versus 6,7,8).

HMAC_SHA256 is stronger than HMAC_SHA1 (1,2,3) but your BMC does *only*
support Authentication with HMAC_SHA256 (Cipher Suite 15, currently disabled)
but no Integrity Check (missing Cipher Suite 16/17, so anyone can mess with
your LAN packets after the session is open) and worse - no encryption when
using HMAC_SHA256 (missing Cipher Suite 17).



Currently enabled are:

Cipher Suite 6 (no Integrity, no encryption)
Cipher Suite 11 (MD5, no encryption)
Cipher Suite 12 (MD5, AES)

Instead of going from medium to low hash strength I would recommend using long,
strong passwords (you do have 20 bytes available) and change them
periodically.



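The last reply reads the "Cipher Suite Priv Max" string position by position against the "RMCP+ Cipher Suites" list to find which suites are enabled. The following is an added example, not part of the original thread or of ipmitool, that automates that reading and reports what each enabled suite lacks. The suite table follows the IPMI 2.0 cipher suite IDs 0-17; the names enabled_suites, SUITES, PRIV and SAMPLE are made up for the example.

```python
import re

# IPMI 2.0 cipher suite IDs 0-17 -> (authentication, integrity, confidentiality)
CONF = ["none", "aes_cbc_128", "xrc4_128", "xrc4_40"]
SUITES = {0: ("none", "none", "none"), 1: ("hmac_sha1", "none", "none"),
          6: ("hmac_md5", "none", "none"), 15: ("hmac_sha256", "none", "none")}
for base, auth, integ, count in [(2, "hmac_sha1", "hmac_sha1_96", 4),
                                 (7, "hmac_md5", "hmac_md5_128", 4),
                                 (11, "hmac_md5", "md5_128", 4),
                                 (16, "hmac_sha256", "hmac_sha256_128", 2)]:
    for i in range(count):
        SUITES[base + i] = (auth, integ, CONF[i])

PRIV = {"c": "CALLBACK", "u": "USER", "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

# Constructed sample: the two cipher-suite lines of the `lan print` output in the thread.
SAMPLE = """\
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,15
Cipher Suite Priv Max   : XXXaXXaaXXXXXXX
"""

def enabled_suites(lan_print):
    """Return [(suite_id, max_privilege, [findings])] for every suite not marked X."""
    ids = re.search(r"^RMCP\+ Cipher Suites\s*:\s*([\d,]+)", lan_print, re.M)
    flags = re.search(r"^Cipher Suite Priv Max\s*:\s*(\S+)", lan_print, re.M)
    if not ids or not flags:
        raise ValueError("cipher suite lines not found in lan print output")
    suite_ids = [int(x) for x in ids.group(1).split(",") if x]
    result = []
    # Assumption (the reading used in the reply): the i-th flag belongs to the
    # i-th listed suite; flags beyond the end of the list are padding.
    for sid, flag in zip(suite_ids, flags.group(1)):
        if flag == "X":
            continue
        auth, integ, conf = SUITES.get(sid, ("unknown",) * 3)
        checks = [(auth == "none", "no authentication"),
                  (integ == "none", "no integrity"),
                  (conf == "none", "no encryption"),
                  ("md5" in auth + integ, "MD5-based"),
                  ("rc4" in conf, "RC4 confidentiality"),
                  (auth == "unknown", "unknown suite ID")]
        result.append((sid, PRIV.get(flag, flag), [msg for hit, msg in checks if hit]))
    return result

if __name__ == "__main__":
    for sid, priv, findings in enabled_suites(SAMPLE):
        print(f"suite {sid:2d} max={priv:<8} {', '.join(findings) or 'ok'}")
```

On the thread's output this reports suites 6, 11 and 12 as enabled, and suite 3 (the one "-C 3" would request) as not enabled.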