On 01/16/2013 11:44 AM, Han Boetes wrote:
> This might be somewhat off-topic but I'll ask anyway.
>
> First my questions:
>
> How do I get the cisco device -- a 3750 with the latest software image
> -- to use EAP-TTLS and what am I missing for the rest.
My memory about all this is a bit rusty. I was hoping that the latest cisco switches support EAP-TTLS but it does not seem to be the case. It seems that it supports EAP-TLS, which might be as good. You effectively need to find a tunneling protocol that both ends, i.e. switch and radius server, support. You would have to match docs on the two. The protocols you are looking for are EAP-TTLS, PEAP. As far as I remember EAP-TLS and LEAP might work too but I do not remember the details so you need to do a bit of reading on those.

> I've set up radius to use kerberos: kerberos seems to like it when I
> log on with ssh on the cisco:
>
> Jan 16 17:33:34 auth-ipa.domain.at krb5kdc[9251](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.2.74: NEEDED_PREAUTH: h...@domain.at for krbtgt/domain...@domain.at, Additional pre-authentication required
> Jan 16 17:33:34 auth-ipa.domain.at krb5kdc[9251](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.2.74: ISSUE: authtime 1358354014, etypes {rep=18 tkt=18 ses=18}, h...@domain.at for krbtgt/domain...@domain.at
>
> Alas radius does not.
>
> rad_recv: Access-Request packet from host 192.168.2.99 port 1645, id=14, length=91
>         User-Name = "h...@realm.at"
>         User-Password = "hidden"
>         NAS-Port = 1
>         NAS-Port-Id = "tty1"
>         NAS-Port-Type = Virtual
>         Calling-Station-Id = "192.168.2.73"
>         NAS-IP-Address = 192.168.2.99
> # Executing section authorize from file /etc/raddb//sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Looking up realm "REALM.AT" for User-Name = "h...@realm.at"
> [suffix] Found realm "REALM.AT"
> [suffix] Adding Stripped-User-Name = "hb"
> [suffix] Adding Realm = "REALM.AT"
> [suffix] Proxying request from user hb to realm REALM.AT
> [suffix] Preparing to proxy authentication request to realm "REALM.AT"
> ++[suffix] returns updated
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 206
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> WARNING: Empty pre-proxy section. Using default return values.
> Sending Access-Request of id 149 to 127.0.0.1 port 1812
>         User-Name = "hb"
>         User-Password = "hidden"
>         NAS-Port = 1
>         NAS-Port-Id = "tty1"
>         NAS-Port-Type = Virtual
>         Calling-Station-Id = "192.168.2.73"
>         NAS-IP-Address = 192.168.2.99
>         Message-Authenticator := 0x00000000000000000000000000000000
>         Proxy-State = 0x3134
> Proxying request 9 to home server 127.0.0.1 port 1812
> Sending Access-Request of id 149 to 127.0.0.1 port 1812
>         User-Name = "hb"
>         User-Password = "hidden"
>         NAS-Port = 1
>         NAS-Port-Id = "tty1"
>         NAS-Port-Type = Virtual
>         Calling-Station-Id = "192.168.2.73"
>         NAS-IP-Address = 192.168.2.99
>         Message-Authenticator := 0x00000000000000000000000000000000
>         Proxy-State = 0x3134
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=149, length=102
>         User-Name = "hb"
>         User-Password = "hidden"
>         NAS-Port = 1
>         NAS-Port-Id = "tty1"
>         NAS-Port-Type = Virtual
>         Calling-Station-Id = "192.168.2.73"
>         NAS-IP-Address = 192.168.2.99
>         Message-Authenticator = 0xf42c5bcf8d1c09945833967ce22f9690
>         Proxy-State = 0x3134
> # Executing section authorize from file /etc/raddb//sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "hb", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 206
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = Kerberos
> # Executing group from file /etc/raddb//sites-enabled/default
> +- entering group Kerberos {...}
> rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname cannot be canonicalized
> ++[krb5] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb//sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> hb
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 10 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 10
> Sending Access-Reject of id 149 to 127.0.0.1 port 1814
>         Proxy-State = 0x3134
> Waking up in 4.9 seconds.
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=149, length=24
>         Proxy-State = 0x3134
> # Executing section post-proxy from file /etc/raddb//sites-enabled/default
> +- entering group post-proxy {...}
> [eap] No pre-existing handler found
> ++[eap] returns noop
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb//sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> h...@realm.at
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Sending Access-Reject of id 14 to 192.168.2.99 port 1645
> Finished request 9.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 10 ID 149 with timestamp +2998
> Cleaning up request 9 ID 14 with timestamp +2998
> Ready to process requests.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
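A small parser for the kind of debug trace quoted in the thread, added here as an example and not code from the thread or from FreeRADIUS: it walks `radiusd -X` style lines, keeps the proxied request (id 14) and the home-server request (id 149) apart by packet id even though their output interleaves, and reports which module returned reject and the rlm error logged for it. The sample log is constructed to mirror the thread's trace, and the regexes assume the 2.x debug format shown there.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Constructed sample in FreeRADIUS 2.x "radiusd -X" style, shaped like the thread's
# log: proxied request id 14 and home-server request id 149 interleave.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.2.99 port 1645, id=14, length=91
++[suffix] returns updated
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=149, length=102
Found Auth-Type = Kerberos
rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname cannot be canonicalized
++[krb5] returns reject
Sending Access-Reject of id 149 to 127.0.0.1 port 1814
Sending Access-Reject of id 14 to 192.168.2.99 port 1645
"""

RECV = re.compile(r"^rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
MODULE = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
RLM_FAIL = re.compile(r"^rlm_(\w+): .*?failed: (.*)$")   # "rlm_<module>: ... failed: <msg>"
SENT = re.compile(r"^Sending Access-(Accept|Reject|Challenge) of id (\d+)")

@dataclass
class RequestTrace:
    request_id: str
    auth_type: Optional[str] = None
    modules: List[Tuple[str, str]] = field(default_factory=list)  # (module, rcode) in order
    failures: Dict[str, str] = field(default_factory=dict)        # module -> logged error
    outcome: Optional[str] = None                                  # Accept / Reject / Challenge
    def reject_reason(self) -> Optional[str]:
        # First module that returned "reject", paired with its own rlm error if one was logged.
        for name, result in self.modules:
            if result == "reject":
                return f"{name}: {self.failures.get(name, 'no rlm error logged')}"
        return None
def parse_radius_debug(text: str) -> List[RequestTrace]:
    traces: Dict[str, RequestTrace] = {}  # keyed by packet id, so interleaved requests stay separate
    current = RequestTrace("preamble")   # swallows lines before the first rad_recv
    for line in text.splitlines():
        if m := RECV.match(line):
            current = traces[m.group(1)] = RequestTrace(m.group(1))
        elif (m := SENT.match(line)) and m.group(2) in traces:
            traces[m.group(2)].outcome = m.group(1)  # outcome lines name the id, not "current"
        elif m := MODULE.match(line):
            current.modules.append((m.group(1), m.group(2)))
        elif m := AUTH_TYPE.match(line):
            current.auth_type = m.group(1)
        elif m := RLM_FAIL.match(line):
            current.failures[m.group(1)] = m.group(2)
    return list(traces.values())
```

On the thread's trace this points at `krb5: Hostname cannot be canonicalized` for the home-server request and leaves the proxied request with a Reject and no rejecting module of its own, which is the shape a proxy-then-reject failure has.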