<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 01/16/2013 11:44 AM, Han Boetes wrote:
    <blockquote
cite="mid:CAOzo9e7dyx_-R2N+-g+wynY8UrTeXQboRVjMBxxEQhL+S7SuqA@mail.gmail.com"
      type="cite">
      <div dir="ltr">This might be somewhat off-topic but I'll ask
        anyway.<br>
        <div><br>
        </div>
        <div style="">First my questions:</div>
        <div style=""><br>
        </div>
        <div style="">How do I get the cisco device -- a 3750 with the
          latest software image -- to use EAP-TTLS and what am I missing
          for the rest. <br>
        </div>
      </div>
    </blockquote>
    <br>
    My memory about all this is a bit rusty. I was hoping that the latest
    Cisco switches support EAP-TTLS, but it does not seem to be the case.<br>
    It seems that it supports EAP-TLS, which might be as good.<br>
    You effectively need to find a tunneling protocol that both ends, i.e.
    the switch and the RADIUS server, support.<br>
    You would have to match the docs on the two.<br>
    The protocols you are looking for are EAP-TTLS and PEAP.<br>
    As far as I remember EAP-TLS and LEAP might work too, but I do not
    remember the details, so you need to do a bit of reading on those.<br>
    <br>
    <blockquote
cite="mid:CAOzo9e7dyx_-R2N+-g+wynY8UrTeXQboRVjMBxxEQhL+S7SuqA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div style="">I've set up radius to use kerberos: kerberos seems
          to like it when I log on with ssh on the cisco:</div>
        <div style=""><br>
        </div>
        <div style="">
          <div>Jan 16 17:33:34 <a moz-do-not-send="true"
              href="http://auth-ipa.domain.at">auth-ipa.domain.at</a>
            krb5kdc[9251](info): AS_REQ (4 etypes {18 17 16 23}) <a
              moz-do-not-send="true" href="http://192.168.2.74">192.168.2.74</a>:
            NEEDED_PREAUTH: <a class="moz-txt-link-abbreviated" href="mailto:hb@domain.AT">hb@domain.AT</a> for <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/domain.AT@domain.AT">krbtgt/domain.AT@domain.AT</a>,
            Additional pre-authentication required</div>
          <div>Jan 16 17:33:34 <a moz-do-not-send="true"
              href="http://auth-ipa.domain.at">auth-ipa.domain.at</a>
            krb5kdc[9251](info): AS_REQ (4 etypes {18 17 16 23}) <a
              moz-do-not-send="true" href="http://192.168.2.74">192.168.2.74</a>:
            ISSUE: authtime 1358354014, etypes {rep=18 tkt=18 ses=18},
            <a class="moz-txt-link-abbreviated" href="mailto:hb@domain.AT">hb@domain.AT</a> for <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/domain.AT@domain.AT">krbtgt/domain.AT@domain.AT</a></div>
          <div><br>
          </div>
          <div style="">Allas radius does not.</div>
        </div>
        <div style=""><br>
        </div>
        <div style="">
          <div>rad_recv: Access-Request packet from host 192.168.2.99
            port 1645, id=14, length=91</div>
          <div><span class="" style="white-space:pre"> </span>User-Name
            = "<a moz-do-not-send="true" href="mailto:hb@REALM.AT">hb@REALM.AT</a>"</div>
          <div><span class="" style="white-space:pre"> </span>User-Password
            = "hidden"</div>
          <div><span class="" style="white-space:pre"> </span>NAS-Port
            = 1</div>
          <div><span class="" style="white-space:pre"> </span>NAS-Port-Id
            = "tty1"</div>
          <div><span class="" style="white-space:pre"> </span>NAS-Port-Type
            = Virtual</div>
          <div><span class="" style="white-space:pre"> </span>Calling-Station-Id
            = "192.168.2.73"</div>
          <div><span class="" style="white-space:pre"> </span>NAS-IP-Address
            = 192.168.2.99</div>
          <div># Executing section authorize from file
            /etc/raddb//sites-enabled/default</div>
          <div>+- entering group authorize {...}</div>
          <div>++[preprocess] returns ok</div>
          <div>++[chap] returns noop</div>
          <div>++[mschap] returns noop</div>
          <div>++[digest] returns noop</div>
          <div>[suffix] Looking up realm "<a moz-do-not-send="true"
              href="http://REALM.AT">REALM.AT</a>" for User-Name = "<a
              moz-do-not-send="true" href="mailto:hb@REALM.AT">hb@REALM.AT</a>"</div>
          <div>[suffix] Found realm "<a moz-do-not-send="true"
              href="http://REALM.AT">REALM.AT</a>"</div>
          <div>[suffix] Adding Stripped-User-Name = "hb"</div>
          <div>[suffix] Adding Realm = "<a moz-do-not-send="true"
              href="http://REALM.AT">REALM.AT</a>"</div>
          <div>[suffix] Proxying request from user hb to realm <a
              moz-do-not-send="true" href="http://REALM.AT">REALM.AT</a></div>
          <div>[suffix] Preparing to proxy authentication request to
            realm "<a moz-do-not-send="true" href="http://REALM.AT">REALM.AT</a>" </div>
          <div>++[suffix] returns updated</div>
          <div>[eap] No EAP-Message, not doing EAP</div>
          <div>++[eap] returns noop</div>
          <div>[files] users: Matched entry DEFAULT at line 206</div>
          <div>++[files] returns ok</div>
          <div>++[expiration] returns noop</div>
          <div>++[logintime] returns noop</div>
          <div>++[pap] returns noop</div>
          <div>  WARNING: Empty pre-proxy section.  Using default return
            values.</div>
          <div>Sending Access-Request of id 149 to 127.0.0.1 port 1812</div>
          <div><span class="" style="white-space:pre"> </span>User-Name
            = "hb"</div>
          <div><span class="" style="white-space:pre"> </span>User-Password
            = "hidden"</div>
          <div><span class="" style="white-space:pre"> </span>NAS-Port
            = 1</div>
          <div><span class="" style="white-space:pre"> </span>NAS-Port-Id
            = "tty1"</div>
          <div><span class="" style="white-space:pre"> </span>NAS-Port-Type
            = Virtual</div>
          <div><span class="" style="white-space:pre"> </span>Calling-Station-Id
            = "192.168.2.73"</div>
          <div><span class="" style="white-space:pre"> </span>NAS-IP-Address
            = 192.168.2.99</div>
          <div><span class="" style="white-space:pre"> </span>Message-Authenticator
            := 0x00000000000000000000000000000000</div>
          <div><span class="" style="white-space:pre"> </span>Proxy-State
            = 0x3134</div>
          <div>Proxying request 9 to home server 127.0.0.1 port 1812</div>
          <div>Sending Access-Request of id 149 to 127.0.0.1 port 1812</div>
          <div><span class="" style="white-space:pre"> </span>User-Name
            = "hb"</div>
          <div><span class="" style="white-space:pre"> </span>User-Password
            = "hidden"</div>
          <div><span class="" style="white-space:pre"> </span>NAS-Port
            = 1</div>
          <div><span class="" style="white-space:pre"> </span>NAS-Port-Id
            = "tty1"</div>
          <div><span class="" style="white-space:pre"> </span>NAS-Port-Type
            = Virtual</div>
          <div><span class="" style="white-space:pre"> </span>Calling-Station-Id
            = "192.168.2.73"</div>
          <div><span class="" style="white-space:pre"> </span>NAS-IP-Address
            = 192.168.2.99</div>
          <div><span class="" style="white-space:pre"> </span>Message-Authenticator
            := 0x00000000000000000000000000000000</div>
          <div><span class="" style="white-space:pre"> </span>Proxy-State
            = 0x3134</div>
          <div>Going to the next request</div>
          <div>Waking up in 0.9 seconds.</div>
          <div>rad_recv: Access-Request packet from host 127.0.0.1 port
            1814, id=149, length=102</div>
          <div><span class="" style="white-space:pre"> </span>User-Name
            = "hb"</div>
          <div><span class="" style="white-space:pre"> </span>User-Password
            = "hidden"</div>
          <div><span class="" style="white-space:pre"> </span>NAS-Port
            = 1</div>
          <div><span class="" style="white-space:pre"> </span>NAS-Port-Id
            = "tty1"</div>
          <div><span class="" style="white-space:pre"> </span>NAS-Port-Type
            = Virtual</div>
          <div><span class="" style="white-space:pre"> </span>Calling-Station-Id
            = "192.168.2.73"</div>
          <div><span class="" style="white-space:pre"> </span>NAS-IP-Address
            = 192.168.2.99</div>
          <div><span class="" style="white-space:pre"> </span>Message-Authenticator
            = 0xf42c5bcf8d1c09945833967ce22f9690</div>
          <div><span class="" style="white-space:pre"> </span>Proxy-State
            = 0x3134</div>
          <div># Executing section authorize from file
            /etc/raddb//sites-enabled/default</div>
          <div>+- entering group authorize {...}</div>
          <div>++[preprocess] returns ok</div>
          <div>++[chap] returns noop</div>
          <div>++[mschap] returns noop</div>
          <div>++[digest] returns noop</div>
          <div>[suffix] No '@' in User-Name = "hb", looking up realm
            NULL</div>
          <div>[suffix] No such realm "NULL"</div>
          <div>++[suffix] returns noop</div>
          <div>[eap] No EAP-Message, not doing EAP</div>
          <div>++[eap] returns noop</div>
          <div>[files] users: Matched entry DEFAULT at line 206</div>
          <div>++[files] returns ok</div>
          <div>++[expiration] returns noop</div>
          <div>++[logintime] returns noop</div>
          <div>[pap] WARNING! No "known good" password found for the
            user.  Authentication may fail because of this.</div>
          <div>++[pap] returns noop</div>
          <div>Found Auth-Type = Kerberos</div>
          <div># Executing group from file
            /etc/raddb//sites-enabled/default</div>
          <div>+- entering group Kerberos {...}</div>
          <div>rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname
            cannot be canonicalized</div>
          <div>++[krb5] returns reject</div>
          <div>Failed to authenticate the user.</div>
          <div>Using Post-Auth-Type Reject</div>
          <div># Executing group from file
            /etc/raddb//sites-enabled/default</div>
          <div>+- entering group REJECT {...}</div>
          <div>[attr_filter.access_reject] <span class=""
              style="white-space:pre"> </span>expand: %{User-Name}
            -> hb</div>
          <div>attr_filter: Matched entry DEFAULT at line 11</div>
          <div>++[attr_filter.access_reject] returns updated</div>
          <div>Delaying reject of request 10 for 1 seconds</div>
          <div>Going to the next request</div>
          <div>Waking up in 0.9 seconds.</div>
          <div>Sending delayed reject for request 10</div>
          <div>Sending Access-Reject of id 149 to 127.0.0.1 port 1814</div>
          <div><span class="" style="white-space:pre"> </span>Proxy-State
            = 0x3134</div>
          <div>Waking up in 4.9 seconds.</div>
          <div>rad_recv: Access-Reject packet from host 127.0.0.1 port
            1812, id=149, length=24</div>
          <div><span class="" style="white-space:pre"> </span>Proxy-State
            = 0x3134</div>
          <div># Executing section post-proxy from file
            /etc/raddb//sites-enabled/default</div>
          <div>+- entering group post-proxy {...}</div>
          <div>[eap] No pre-existing handler found</div>
          <div>++[eap] returns noop</div>
          <div>Using Post-Auth-Type Reject</div>
          <div># Executing group from file
            /etc/raddb//sites-enabled/default</div>
          <div>+- entering group REJECT {...}</div>
          <div>[attr_filter.access_reject] <span class=""
              style="white-space:pre"> </span>expand: %{User-Name}
            -> <a moz-do-not-send="true" href="mailto:hb@REALM.AT">hb@REALM.AT</a></div>
          <div>attr_filter: Matched entry DEFAULT at line 11</div>
          <div>++[attr_filter.access_reject] returns updated</div>
          <div>Sending Access-Reject of id 14 to 192.168.2.99 port 1645</div>
          <div>Finished request 9.</div>
          <div>Going to the next request</div>
          <div>Waking up in 4.9 seconds.</div>
          <div>Cleaning up request 10 ID 149 with timestamp +2998</div>
          <div>Cleaning up request 9 ID 14 with timestamp +2998</div>
          <div>Ready to process requests.</div>
          <div><br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>


</pre>
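    <p>The <tt>radiusd -X</tt> transcript quoted above shows one login
    taking two passes through the same server: the <tt>suffix</tt> module
    strips the realm and proxies the request to 127.0.0.1:1812, the server
    receives its own proxied copy, <tt>rlm_krb5</tt> rejects it, and the
    Access-Reject is relayed back to the switch. As an added example (not
    part of the original thread, and not FreeRADIUS's own code), the
    following Python script parses such a transcript, pairs the outer
    request with its proxied copy by home-server address and packet id, and
    reports the first module that returned <tt>reject</tt> together with
    the <tt>rlm_</tt> diagnostic it logged. The <tt>SAMPLE</tt> transcript
    inside it is a constructed, shortened copy of the log above; matching
    the proxied copy on (host, id) rather than on port is an assumption
    that holds for a server proxying to itself on the same box, where the
    copy arrives from the proxy socket's source port (1814 above), not from
    the home-server port it was sent to.</p>

```python
"""Trace requests through a FreeRADIUS 2.x `radiusd -X` debug transcript.

Added example, not code from the original mailing-list thread or from the
FreeRADIUS project. It links an outer Access-Request to the copy the server
proxied (here to itself) and names the module that rejected it.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed, shortened copy of the transcript quoted in the thread.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.2.99 port 1645, id=14, length=91
	User-Name = "hb@REALM.AT"
	NAS-IP-Address = 192.168.2.99
# Executing section authorize from file /etc/raddb//sites-enabled/default
++[preprocess] returns ok
[suffix] Found realm "REALM.AT"
[suffix] Proxying request from user hb to realm REALM.AT
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns ok
Sending Access-Request of id 149 to 127.0.0.1 port 1812
	User-Name = "hb"
Proxying request 9 to home server 127.0.0.1 port 1812
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=149, length=102
	User-Name = "hb"
++[preprocess] returns ok
++[suffix] returns noop
++[eap] returns noop
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = Kerberos
rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname cannot be canonicalized
++[krb5] returns reject
Failed to authenticate the user.
Sending Access-Reject of id 149 to 127.0.0.1 port 1814
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=149, length=24
++[eap] returns noop
Sending Access-Reject of id 14 to 192.168.2.99 port 1645
Finished request 9.
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
SEND = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port (\d+)")
MOD = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)")


@dataclass
class Request:
    code: str
    src: str
    port: int
    id: int
    modules: List[Tuple[str, str]] = field(default_factory=list)  # (module, rc) in order
    diagnostics: List[str] = field(default_factory=list)          # rlm_* / WARNING lines
    proxied_to: Optional[Tuple[str, int, int]] = None             # (host, port, id)
    proxy_reply: Optional[str] = None                             # code the home server answered
    reply: Optional[str] = None                                   # code we sent to the client
    inner: Optional["Request"] = None                             # our own copy of a proxied request


def parse(transcript: str) -> List[Request]:
    """Split a -X transcript into Request records; replies from a home server
    re-select the outer request so its post-proxy lines land on it."""
    requests: List[Request] = []
    current: Optional[Request] = None
    for line in transcript.splitlines():
        m = RECV.match(line)
        if m:
            code, host, port, rid = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
            if code == "Access-Request":
                current = Request(code, host, port, rid)
                requests.append(current)
                # Assumption: a request from the host we just proxied to, with the
                # same id, is our own proxied copy (source port is the proxy socket).
                for r in requests:
                    if r.proxied_to and r.inner is None and r.proxy_reply is None \
                            and r.proxied_to[0] == host and r.proxied_to[2] == rid:
                        r.inner = current
                        break
            else:
                owner = next((r for r in requests
                              if r.proxied_to == (host, port, rid) and r.proxy_reply is None), None)
                if owner is not None:
                    owner.proxy_reply = code
                    current = owner
            continue
        if current is None:
            continue
        m = SEND.match(line)
        if m:
            code, rid, host, port = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            if code == "Access-Request":
                current.proxied_to = (host, port, rid)
            else:
                current.reply = code
            continue
        m = MOD.match(line)
        if m:
            current.modules.append((m.group(1), m.group(2)))
            continue
        if line.startswith("rlm_") or "WARNING" in line:
            current.diagnostics.append(line.strip())
    return requests


def rejecting_module(req: Request) -> Optional[Tuple[str, str]]:
    """First module returning 'reject' anywhere in the proxy chain, with the
    matching rlm_<module> diagnostic line (empty string if none was logged)."""
    node: Optional[Request] = req
    while node is not None:
        for mod, rc in node.modules:
            if rc == "reject":
                diag = next((d for d in node.diagnostics if d.startswith("rlm_" + mod)), "")
                return mod, diag
        node = node.inner
    return None


def summarize(requests: List[Request]) -> List[dict]:
    """One summary per outer (client-originated) request."""
    inner_ids = {id(r.inner) for r in requests if r.inner is not None}
    return [{"client": f"{r.src}:{r.port}", "id": r.id, "proxied_to": r.proxied_to,
             "proxy_reply": r.proxy_reply, "reply": r.reply,
             "rejected_by": rejecting_module(r)}
            for r in requests if id(r) not in inner_ids]


if __name__ == "__main__":
    for summary in summarize(parse(SAMPLE)):
        print(summary)
```

    <p>Run against the constructed transcript it reports a single outer
    request from 192.168.2.99, proxied to 127.0.0.1:1812 as id 149 and
    rejected by <tt>krb5</tt> with the <tt>krb5_sname_to_principal</tt>
    diagnostic; feeding it a real <tt>radiusd -X</tt> capture works the
    same way, since only the <tt>rad_recv</tt>, <tt>Sending</tt> and
    <tt>++[module] returns</tt> lines are parsed.</p>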
  </body>
</html>