Re: [Freeipa-users] Kerberos and Cisco
On 12/23/2012 07:31 PM, Simo Sorce wrote:
> On Fri, 2012-12-21 at 18:23 -0500, Dmitri Pal wrote:
> > On 12/21/2012 05:40 PM, Mike Mercier wrote:
> > > Hi Bret,
> > >
> > > I tried this once in the past with no success. If I recall correctly (I can't find the reference anymore), Cisco (at least in IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype. This enctype is disabled by default in FreeIPA.
> >
> > allow_weak_crypto = true in krb5.conf to enable it.
> >
> > These instructions are relevant only for a Linux based client.
>
> Bret, on top of changing the above on the server and restarting it, you need to add DES as an allowed enctype in the IPA server LDAP attribute that controls it (*) as well as explicitly specify you want a DES key when you use ipa-getkeytab to get a keytab for your device.
>
> (*) This attribute is called krbSupportedEncSaltTypes and is stored in cn=REALM,cn=kerberos,cn=suffix in your LDAP server. You probably want to add the value:
>
> des-cbc-crc:normal

I would add: DES + CRC is considered insecure, weigh it in your use case carefully.

-- 
Petr^2 Spacek

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
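A defender-side check of the two settings the thread names, written as an added example (not code from the thread, from FreeIPA or from MIT krb5): it reads a krb5.conf and an LDIF dump of the realm entry, reports whether allow_weak_crypto is on and which single-DES enc:salt types krbSupportedEncSaltTypes advertises, and generates the ldapmodify LDIF that adds des-cbc-crc:normal or, once the DES-only device is retired, removes it again. The file contents, realm name and suffix are constructed samples.

```python
import re

# Constructed sample of a krb5.conf [libdefaults] section with the setting the
# thread describes (assumed content, not copied from any poster's system).
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  allow_weak_crypto = true
"""

# Constructed LDIF excerpt of the realm container entry the thread names
# (cn=REALM,cn=kerberos,<suffix>) after des-cbc-crc:normal was added.
SAMPLE_REALM_LDIF = """\
dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
"""


def krb5_allows_weak_crypto(krb5_conf_text):
    """True if allow_weak_crypto is set to a true-ish value in krb5.conf."""
    m = re.search(r"^\s*allow_weak_crypto\s*=\s*(\S+)", krb5_conf_text, re.M | re.I)
    return bool(m) and m.group(1).lower() in ("true", "yes", "1")


def realm_enc_salt_types(ldif_text):
    """All krbSupportedEncSaltTypes values in an LDIF dump of the realm entry."""
    return re.findall(r"^krbSupportedEncSaltTypes:\s*(\S+)", ldif_text, re.M)


def des_enc_salt_types(ldif_text):
    """Single-DES enc:salt types the realm advertises (the weak ones at issue here)."""
    return [t for t in realm_enc_salt_types(ldif_text) if t.lower().startswith("des-")]


def enc_salt_type_ldif(realm_dn, value, op="add"):
    """LDIF for `ldapmodify` that adds or deletes one krbSupportedEncSaltTypes
    value; op="delete" is the revert once the DES-only device is gone."""
    if op not in ("add", "delete"):
        raise ValueError("op must be 'add' or 'delete'")
    return (f"dn: {realm_dn}\nchangetype: modify\n{op}: krbSupportedEncSaltTypes\n"
            f"krbSupportedEncSaltTypes: {value}\n-\n")


if __name__ == "__main__":
    print("allow_weak_crypto:", krb5_allows_weak_crypto(SAMPLE_KRB5_CONF))
    print("DES enc:salt types:", des_enc_salt_types(SAMPLE_REALM_LDIF))
    print(enc_salt_type_ldif("cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com",
                             "des-cbc-crc:normal", "delete"))
```

Feed the generated LDIF to `ldapmodify` against the IPA directory server; the thread's remaining step, requesting a DES key with ipa-getkeytab, is not covered here.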
Re: [Freeipa-users] Kerberos and Cisco
On Fri, 2012-12-21 at 18:23 -0500, Dmitri Pal wrote:
> On 12/21/2012 05:40 PM, Mike Mercier wrote:
> > Hi Bret,
> >
> > I tried this once in the past with no success. If I recall correctly (I can't find the reference anymore), Cisco (at least in IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype. This enctype is disabled by default in FreeIPA.
>
> allow_weak_crypto = true in krb5.conf to enable it.
>
> These instructions are relevant only for a Linux based client.

Bret, on top of changing the above on the server and restarting it, you need to add DES as an allowed enctype in the IPA server LDAP attribute that controls it (*) as well as explicitly specify you want a DES key when you use ipa-getkeytab to get a keytab for your device.

(*) This attribute is called krbSupportedEncSaltTypes and is stored in cn=REALM,cn=kerberos,cn=suffix in your LDAP server. You probably want to add the value:

des-cbc-crc:normal

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Kerberos and Cisco
Hi Bret,

I tried this once in the past with no success. If I recall correctly (I can't find the reference anymore), Cisco (at least in IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype. This enctype is disabled by default in FreeIPA.

Thanks,
Mike

On Fri, Dec 21, 2012 at 10:35 AM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
> My network guy wants to use our FreeIPA server to authenticate users on Cisco devices, but when we tried to import the keytab, it balked on every one of the keys.
>
> Has anyone done this? Any pointers if so?
>
> Thanks, and happy holidays!
>
> -- 
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman
Re: [Freeipa-users] Kerberos and Cisco
On 12/21/2012 05:40 PM, Mike Mercier wrote:
> Hi Bret,
>
> I tried this once in the past with no success. If I recall correctly (I can't find the reference anymore), Cisco (at least in IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype. This enctype is disabled by default in FreeIPA.

allow_weak_crypto = true in krb5.conf to enable it.

> Thanks,
> Mike
>
> On Fri, Dec 21, 2012 at 10:35 AM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
> > My network guy wants to use our FreeIPA server to authenticate users on Cisco devices, but when we tried to import the keytab, it balked on every one of the keys.
> >
> > Has anyone done this? Any pointers if so?
> >
> > Thanks, and happy holidays!
> >
> > -- 
> > Bret Wortman
> > The Damascus Group
> > Fairfax, VA
> > http://bretwortman.com/
> > http://twitter.com/BretWortman

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Kerberos and Cisco
Thanks, all. I'll report back.

-- 
Bret Wortman
http://bretwortman.com/
http://twitter.com/bretwortman

On Friday, December 21, 2012 at 6:23 PM, Dmitri Pal wrote:
> On 12/21/2012 05:40 PM, Mike Mercier wrote:
> > Hi Bret,
> >
> > I tried this once in the past with no success. If I recall correctly (I can't find the reference anymore), Cisco (at least in IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype. This enctype is disabled by default in FreeIPA.
>
> allow_weak_crypto = true in krb5.conf to enable it.
>
> > Thanks,
> > Mike
> >
> > On Fri, Dec 21, 2012 at 10:35 AM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
> > > My network guy wants to use our FreeIPA server to authenticate users on Cisco devices, but when we tried to import the keytab, it balked on every one of the keys.
> > >
> > > Has anyone done this? Any pointers if so?
> > >
> > > Thanks, and happy holidays!
> > >
> > > -- 
> > > Bret Wortman
> > > The Damascus Group
> > > Fairfax, VA
> > > http://bretwortman.com/
> > > http://twitter.com/BretWortman
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/