[Freeipa-users] freeipa radius cisco

Dmitri Pal dpal at redhat.com
Wed Jan 16 18:59:01 UTC 2013


On 01/16/2013 11:44 AM, Han Boetes wrote:
> This might be somewhat off-topic but I'll ask anyway.
>
> First my questions:
>
> How do I get the cisco device -- a 3750 with the latest software image
> -- to use EAP-TTLS and what am I missing for the rest.

My memory about all this is a bit rusty. I was hoping that the latest Cisco
switches support EAP-TTLS but it does not seem to be the case.
It seems that it supports EAP-TLS, which might be as good.
You effectively need to find a tunneling protocol that both ends, i.e.
switch and radius server, support.
You would have to match docs on the two.
The protocols you are looking for are EAP-TTLS, PEAP.
As far as I remember EAP-TLS and LEAP might work too but I do not
remember the details so you need to do a bit of reading on those.

>
> I've set up radius to use kerberos: kerberos seems to like it when I
> log on with ssh on the cisco:
>
> Jan 16 17:33:34 auth-ipa.domain.at krb5kdc[9251](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.2.74: NEEDED_PREAUTH: hb at domain.AT for krbtgt/domain.AT at domain.AT, Additional pre-authentication required
> Jan 16 17:33:34 auth-ipa.domain.at krb5kdc[9251](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.2.74: ISSUE: authtime 1358354014, etypes {rep=18 tkt=18 ses=18}, hb at domain.AT for krbtgt/domain.AT at domain.AT
>
> Alas radius does not.
>
> rad_recv: Access-Request packet from host 192.168.2.99 port 1645,
> id=14, length=91
> User-Name = "hb at REALM.AT"
> User-Password = "hidden"
> NAS-Port = 1
> NAS-Port-Id = "tty1"
> NAS-Port-Type = Virtual
> Calling-Station-Id = "192.168.2.73"
> NAS-IP-Address = 192.168.2.99
> # Executing section authorize from file /etc/raddb//sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Looking up realm "REALM.AT" for User-Name = "hb at REALM.AT"
> [suffix] Found realm "REALM.AT"
> [suffix] Adding Stripped-User-Name = "hb"
> [suffix] Adding Realm = "REALM.AT"
> [suffix] Proxying request from user hb to realm REALM.AT
> [suffix] Preparing to proxy authentication request to realm "REALM.AT"
> ++[suffix] returns updated
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 206
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
>   WARNING: Empty pre-proxy section.  Using default return values.
> Sending Access-Request of id 149 to 127.0.0.1 port 1812
> User-Name = "hb"
> User-Password = "hidden"
> NAS-Port = 1
> NAS-Port-Id = "tty1"
> NAS-Port-Type = Virtual
> Calling-Station-Id = "192.168.2.73"
> NAS-IP-Address = 192.168.2.99
> Message-Authenticator := 0x00000000000000000000000000000000
> Proxy-State = 0x3134
> Proxying request 9 to home server 127.0.0.1 port 1812
> Sending Access-Request of id 149 to 127.0.0.1 port 1812
> User-Name = "hb"
> User-Password = "hidden"
> NAS-Port = 1
> NAS-Port-Id = "tty1"
> NAS-Port-Type = Virtual
> Calling-Station-Id = "192.168.2.73"
> NAS-IP-Address = 192.168.2.99
> Message-Authenticator := 0x00000000000000000000000000000000
> Proxy-State = 0x3134
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=149,
> length=102
> User-Name = "hb"
> User-Password = "hidden"
> NAS-Port = 1
> NAS-Port-Id = "tty1"
> NAS-Port-Type = Virtual
> Calling-Station-Id = "192.168.2.73"
> NAS-IP-Address = 192.168.2.99
> Message-Authenticator = 0xf42c5bcf8d1c09945833967ce22f9690
> Proxy-State = 0x3134
> # Executing section authorize from file /etc/raddb//sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "hb", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 206
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
>  Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = Kerberos
> # Executing group from file /etc/raddb//sites-enabled/default
> +- entering group Kerberos {...}
> rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname cannot be
> canonicalized
> ++[krb5] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb//sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> hb
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 10 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 10
> Sending Access-Reject of id 149 to 127.0.0.1 port 1814
> Proxy-State = 0x3134
> Waking up in 4.9 seconds.
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=149,
> length=24
> Proxy-State = 0x3134
> # Executing section post-proxy from file /etc/raddb//sites-enabled/default
> +- entering group post-proxy {...}
> [eap] No pre-existing handler found
> ++[eap] returns noop
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb//sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> hb at REALM.AT
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Sending Access-Reject of id 14 to 192.168.2.99 port 1645
> Finished request 9.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 10 ID 149 with timestamp +2998
> Cleaning up request 9 ID 14 with timestamp +2998
> Ready to process requests.
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
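As an added example (not code from the thread or from FreeRADIUS), here is a small Python parser for a FreeRADIUS 2.x `radiusd -X` trace like the one quoted above: it records each module's return code, the realm the suffix module proxied to, the Auth-Type selected, and the first module that returned reject together with the `rlm_` error logged just before it. The sample trace is a constructed excerpt of the quoted lines.

```python
"""Summarise a FreeRADIUS 2.x 'radiusd -X' debug trace.

Added example, not part of the mailing-list thread. SAMPLE_TRACE is a
constructed excerpt of the lines quoted in the post, shortened to the
entries that decide the outcome.
"""
import re

SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.168.2.99 port 1645, id=14, length=91
User-Name = "hb@REALM.AT"
[suffix] Proxying request from user hb to realm REALM.AT
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[pap] WARNING! No "known good" password found for the user.
++[pap] returns noop
Found Auth-Type = Kerberos
rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname cannot be canonicalized
++[krb5] returns reject
Failed to authenticate the user.
Sending Access-Reject of id 149 to 127.0.0.1 port 1814
Sending Access-Reject of id 14 to 192.168.2.99 port 1645
"""

# Line shapes seen in the trace: module return codes, rlm_* error lines,
# the suffix module's proxy decision, Auth-Type selection and Access-Rejects.
MODULE_RE = re.compile(r"^\+{2}\[(?P<mod>[\w.]+)\] returns (?P<rc>\w+)$")
ERROR_RE = re.compile(r"^rlm_(?P<mod>\w+): \[(?P<user>[^\]]+)\] (?P<msg>.+)$")
PROXY_RE = re.compile(r"^\[suffix\] Proxying request from user (?P<user>\S+) to realm (?P<realm>\S+)$")
AUTHTYPE_RE = re.compile(r"^Found Auth-Type = (?P<auth>\S+)$")
REJECT_RE = re.compile(r"^Sending Access-Reject of id (?P<id>\d+) to (?P<host>\S+) port (?P<port>\d+)$")


def summarise_trace(trace):
    """Return a dict describing how the request was routed and why it failed."""
    summary = {"proxied_to": None, "auth_type": None, "rejected_by": None,
               "reason": None, "rejects": [], "module_returns": []}
    last_error = {}  # module name -> most recent rlm_* error message
    for raw in trace.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            summary["proxied_to"] = m["realm"]
        elif m := AUTHTYPE_RE.match(line):
            summary["auth_type"] = m["auth"]
        elif m := ERROR_RE.match(line):
            last_error[m["mod"]] = m["msg"]
        elif m := MODULE_RE.match(line):
            summary["module_returns"].append((m["mod"], m["rc"]))
            if m["rc"] == "reject" and summary["rejected_by"] is None:
                summary["rejected_by"] = m["mod"]
                summary["reason"] = last_error.get(m["mod"])
        elif m := REJECT_RE.match(line):
            summary["rejects"].append((int(m["id"]), m["host"]))
    return summary
```

On the sample above it reports that the request was proxied to realm REALM.AT, handled by Auth-Type Kerberos, and rejected by the krb5 module because of the hostname canonicalization error, followed by two Access-Rejects (the inner one to the proxy and the outer one back to the switch).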


