<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/16/2013 11:44 AM, Han Boetes wrote:
<blockquote
cite="mid:CAOzo9e7dyx_-R2N+-g+wynY8UrTeXQboRVjMBxxEQhL+S7SuqA@mail.gmail.com"
type="cite">
<div dir="ltr">This might be somewhat off-topic but I'll ask
anyway.<br>
<div><br>
</div>
<div style="">First my questions:</div>
<div style=""><br>
</div>
<div style="">How do I get the cisco device -- a 3750 with the
latest software image -- to use EAP-TTLS and what am I missing
for the rest. <br>
</div>
</div>
</blockquote>
<br>
My memory about all this is a bit rusty. I was hoping that the latest
Cisco switches support EAP-TTLS, but it does not seem to be the case.<br>
It seems that it supports EAP-TLS, which might be as good.<br>
You effectively need to find a tunneling protocol that both ends, i.e.
the switch and the RADIUS server, support.<br>
You would have to match the docs on the two.<br>
The protocols you are looking for are EAP-TTLS and PEAP.<br>
As far as I remember EAP-TLS and LEAP might work too, but I do not
remember the details, so you need to do a bit of reading on those.<br>
<br>
<blockquote
cite="mid:CAOzo9e7dyx_-R2N+-g+wynY8UrTeXQboRVjMBxxEQhL+S7SuqA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div style="">I've set up radius to use kerberos: kerberos seems
to like it when I log on with ssh on the cisco:</div>
<div style=""><br>
</div>
<div style="">
<div>Jan 16 17:33:34 auth-ipa.domain.at krb5kdc[9251](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.2.74: NEEDED_PREAUTH: hb@domain.AT for krbtgt/domain.AT@domain.AT, Additional pre-authentication required</div>
<div>Jan 16 17:33:34 auth-ipa.domain.at krb5kdc[9251](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.2.74: ISSUE: authtime 1358354014, etypes {rep=18 tkt=18 ses=18}, hb@domain.AT for krbtgt/domain.AT@domain.AT</div>
<div><br>
</div>
<div style="">Allas radius does not.</div>
</div>
<div style=""><br>
</div>
<div style="">
<div>rad_recv: Access-Request packet from host 192.168.2.99
port 1645, id=14, length=91</div>
<div><span class="" style="white-space:pre"> </span>User-Name
= "<a moz-do-not-send="true" href="mailto:hb@REALM.AT">hb@REALM.AT</a>"</div>
<div><span class="" style="white-space:pre"> </span>User-Password
= "hidden"</div>
<div><span class="" style="white-space:pre"> </span>NAS-Port
= 1</div>
<div><span class="" style="white-space:pre"> </span>NAS-Port-Id
= "tty1"</div>
<div><span class="" style="white-space:pre"> </span>NAS-Port-Type
= Virtual</div>
<div><span class="" style="white-space:pre"> </span>Calling-Station-Id
= "192.168.2.73"</div>
<div><span class="" style="white-space:pre"> </span>NAS-IP-Address
= 192.168.2.99</div>
<div># Executing section authorize from file
/etc/raddb//sites-enabled/default</div>
<div>+- entering group authorize {...}</div>
<div>++[preprocess] returns ok</div>
<div>++[chap] returns noop</div>
<div>++[mschap] returns noop</div>
<div>++[digest] returns noop</div>
<div>[suffix] Looking up realm "REALM.AT" for User-Name = "hb@REALM.AT"</div>
<div>[suffix] Found realm "REALM.AT"</div>
<div>[suffix] Adding Stripped-User-Name = "hb"</div>
<div>[suffix] Adding Realm = "REALM.AT"</div>
<div>[suffix] Proxying request from user hb to realm REALM.AT</div>
<div>[suffix] Preparing to proxy authentication request to realm "REALM.AT" </div>
<div>++[suffix] returns updated</div>
<div>[eap] No EAP-Message, not doing EAP</div>
<div>++[eap] returns noop</div>
<div>[files] users: Matched entry DEFAULT at line 206</div>
<div>++[files] returns ok</div>
<div>++[expiration] returns noop</div>
<div>++[logintime] returns noop</div>
<div>++[pap] returns noop</div>
<div> WARNING: Empty pre-proxy section. Using default return
values.</div>
<div>Sending Access-Request of id 149 to 127.0.0.1 port 1812</div>
<div><span class="" style="white-space:pre"> </span>User-Name
= "hb"</div>
<div><span class="" style="white-space:pre"> </span>User-Password
= "hidden"</div>
<div><span class="" style="white-space:pre"> </span>NAS-Port
= 1</div>
<div><span class="" style="white-space:pre"> </span>NAS-Port-Id
= "tty1"</div>
<div><span class="" style="white-space:pre"> </span>NAS-Port-Type
= Virtual</div>
<div><span class="" style="white-space:pre"> </span>Calling-Station-Id
= "192.168.2.73"</div>
<div><span class="" style="white-space:pre"> </span>NAS-IP-Address
= 192.168.2.99</div>
<div><span class="" style="white-space:pre"> </span>Message-Authenticator
:= 0x00000000000000000000000000000000</div>
<div><span class="" style="white-space:pre"> </span>Proxy-State
= 0x3134</div>
<div>Proxying request 9 to home server 127.0.0.1 port 1812</div>
<div>Sending Access-Request of id 149 to 127.0.0.1 port 1812</div>
<div><span class="" style="white-space:pre"> </span>User-Name
= "hb"</div>
<div><span class="" style="white-space:pre"> </span>User-Password
= "hidden"</div>
<div><span class="" style="white-space:pre"> </span>NAS-Port
= 1</div>
<div><span class="" style="white-space:pre"> </span>NAS-Port-Id
= "tty1"</div>
<div><span class="" style="white-space:pre"> </span>NAS-Port-Type
= Virtual</div>
<div><span class="" style="white-space:pre"> </span>Calling-Station-Id
= "192.168.2.73"</div>
<div><span class="" style="white-space:pre"> </span>NAS-IP-Address
= 192.168.2.99</div>
<div><span class="" style="white-space:pre"> </span>Message-Authenticator
:= 0x00000000000000000000000000000000</div>
<div><span class="" style="white-space:pre"> </span>Proxy-State
= 0x3134</div>
<div>Going to the next request</div>
<div>Waking up in 0.9 seconds.</div>
<div>rad_recv: Access-Request packet from host 127.0.0.1 port
1814, id=149, length=102</div>
<div><span class="" style="white-space:pre"> </span>User-Name
= "hb"</div>
<div><span class="" style="white-space:pre"> </span>User-Password
= "hidden"</div>
<div><span class="" style="white-space:pre"> </span>NAS-Port
= 1</div>
<div><span class="" style="white-space:pre"> </span>NAS-Port-Id
= "tty1"</div>
<div><span class="" style="white-space:pre"> </span>NAS-Port-Type
= Virtual</div>
<div><span class="" style="white-space:pre"> </span>Calling-Station-Id
= "192.168.2.73"</div>
<div><span class="" style="white-space:pre"> </span>NAS-IP-Address
= 192.168.2.99</div>
<div><span class="" style="white-space:pre"> </span>Message-Authenticator
= 0xf42c5bcf8d1c09945833967ce22f9690</div>
<div><span class="" style="white-space:pre"> </span>Proxy-State
= 0x3134</div>
<div># Executing section authorize from file
/etc/raddb//sites-enabled/default</div>
<div>+- entering group authorize {...}</div>
<div>++[preprocess] returns ok</div>
<div>++[chap] returns noop</div>
<div>++[mschap] returns noop</div>
<div>++[digest] returns noop</div>
<div>[suffix] No '@' in User-Name = "hb", looking up realm
NULL</div>
<div>[suffix] No such realm "NULL"</div>
<div>++[suffix] returns noop</div>
<div>[eap] No EAP-Message, not doing EAP</div>
<div>++[eap] returns noop</div>
<div>[files] users: Matched entry DEFAULT at line 206</div>
<div>++[files] returns ok</div>
<div>++[expiration] returns noop</div>
<div>++[logintime] returns noop</div>
<div>[pap] WARNING! No "known good" password found for the
user. Authentication may fail because of this.</div>
<div>++[pap] returns noop</div>
<div>Found Auth-Type = Kerberos</div>
<div># Executing group from file
/etc/raddb//sites-enabled/default</div>
<div>+- entering group Kerberos {...}</div>
<div>rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname
cannot be canonicalized</div>
<div>++[krb5] returns reject</div>
<div>Failed to authenticate the user.</div>
<div>Using Post-Auth-Type Reject</div>
<div># Executing group from file
/etc/raddb//sites-enabled/default</div>
<div>+- entering group REJECT {...}</div>
<div>[attr_filter.access_reject] <span class=""
style="white-space:pre"> </span>expand: %{User-Name}
-> hb</div>
<div>attr_filter: Matched entry DEFAULT at line 11</div>
<div>++[attr_filter.access_reject] returns updated</div>
<div>Delaying reject of request 10 for 1 seconds</div>
<div>Going to the next request</div>
<div>Waking up in 0.9 seconds.</div>
<div>Sending delayed reject for request 10</div>
<div>Sending Access-Reject of id 149 to 127.0.0.1 port 1814</div>
<div><span class="" style="white-space:pre"> </span>Proxy-State
= 0x3134</div>
<div>Waking up in 4.9 seconds.</div>
<div>rad_recv: Access-Reject packet from host 127.0.0.1 port
1812, id=149, length=24</div>
<div><span class="" style="white-space:pre"> </span>Proxy-State
= 0x3134</div>
<div># Executing section post-proxy from file
/etc/raddb//sites-enabled/default</div>
<div>+- entering group post-proxy {...}</div>
<div>[eap] No pre-existing handler found</div>
<div>++[eap] returns noop</div>
<div>Using Post-Auth-Type Reject</div>
<div># Executing group from file
/etc/raddb//sites-enabled/default</div>
<div>+- entering group REJECT {...}</div>
<div>[attr_filter.access_reject] <span class=""
style="white-space:pre"> </span>expand: %{User-Name}
-> hb@REALM.AT</div>
<div>attr_filter: Matched entry DEFAULT at line 11</div>
<div>++[attr_filter.access_reject] returns updated</div>
<div>Sending Access-Reject of id 14 to 192.168.2.99 port 1645</div>
<div>Finished request 9.</div>
<div>Going to the next request</div>
<div>Waking up in 4.9 seconds.</div>
<div>Cleaning up request 10 ID 149 with timestamp +2998</div>
<div>Cleaning up request 9 ID 14 with timestamp +2998</div>
<div>Ready to process requests.</div>
<div><br>
</div>
</div>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
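<br>
<div>The trace quoted above is easier to read mechanically than by eye: the request from the switch (id 14, NAS-Port-Type = Virtual, no EAP-Message, so this is the SSH login rather than an 802.1X exchange) is proxied by the suffix module to realm REALM.AT on 127.0.0.1:1812, and it is the home-server copy (id 149) that rlm_krb5 rejects with "krb5_sname_to_principal failed: Hostname cannot be canonicalized"; the Access-Reject is then relayed back to 192.168.2.99. The Python below is an added example, not code from this mail or from FreeRADIUS: it parses a FreeRADIUS 2.x radiusd -X transcript into one record per Access-Request (incoming attributes, module return codes, proxying, selected Auth-Type, rejecting module and its diagnostic) and follows the proxy chain to the innermost reject. SAMPLE is a constructed, trimmed copy of the quoted output; the line patterns assume the 2.x debug format, and the code needs Python 3.8 or later.</div>
<br>

```python
"""Summarise a FreeRADIUS 2.x 'radiusd -X' transcript such as the one quoted above.
Added example, not code from the mail or from FreeRADIUS: it rebuilds each Access-Request
(attributes, module return codes, proxying, Auth-Type, rejecting module and its diagnostic)
and follows the proxy chain inward.  SAMPLE is a constructed, trimmed copy of the quoted log."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RE_REQ = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
RE_REPLY = re.compile(r"^rad_recv: Access-(?:Accept|Reject) packet from host (\S+) port (\d+), id=(\d+)")
RE_MODULE = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)")           # ++[krb5] returns reject
RE_RLM_MSG = re.compile(r"^rlm_(\w+): \[[^\]]*\] (.*)$")              # rlm_krb5: [hb] <diagnostic>
RE_SEND_REQ = re.compile(r"^Sending Access-Request of id (\d+) to (\S+) port (\d+)")
RE_ATTR = re.compile(r'^\s+([\w-]+)\s*:?=\s*"?([^"]*)"?$')             # \tUser-Name = "hb@REALM.AT"

SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.2.99 port 1645, id=14, length=91
\tUser-Name = "hb@REALM.AT"
\tNAS-Port-Type = Virtual
[suffix] Proxying request from user hb to realm REALM.AT
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
Sending Access-Request of id 149 to 127.0.0.1 port 1812
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=149, length=102
\tUser-Name = "hb"
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = Kerberos
rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname cannot be canonicalized
++[krb5] returns reject
Sending Access-Reject of id 149 to 127.0.0.1 port 1814
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=149, length=24
Sending Access-Reject of id 14 to 192.168.2.99 port 1645
"""

@dataclass
class Request:
    packet_id: int
    client: str                         # host:port the Access-Request arrived from
    attrs: dict = field(default_factory=dict)                     # first copy of each attribute
    modules: List[Tuple[str, str]] = field(default_factory=list)  # (module, return code) in order
    eap: bool = True                    # cleared when the server logs "not doing EAP"
    realm: Optional[str] = None         # realm the suffix module proxied to
    home_server: Optional[str] = None   # host:port the proxied copy was sent to
    proxy_packet_id: Optional[int] = None
    auth_type: Optional[str] = None
    reject_module: Optional[str] = None
    reject_reason: Optional[str] = None
    result: Optional[str] = None        # Accept / Reject returned to the client

def parse_debug(text: str) -> List[Request]:
    requests: List[Request] = []
    cur: Optional[Request] = None
    last_msg = ("", "")  # (module, diagnostic) from the most recent rlm_* line
    for line in text.splitlines():
        if m := RE_REQ.match(line):
            cur = Request(int(m.group(3)), f"{m.group(1)}:{m.group(2)}")
            requests.append(cur)
        elif m := RE_REPLY.match(line):  # a home server answered: resume the request that proxied to it
            cur = next((r for r in requests if r.proxy_packet_id == int(m.group(3))
                        and r.home_server == f"{m.group(1)}:{m.group(2)}"), cur)
        elif cur is None:
            continue
        elif m := RE_ATTR.match(line):
            cur.attrs.setdefault(m.group(1), m.group(2))
        elif m := RE_MODULE.match(line):
            mod, rc = m.groups()
            cur.modules.append((mod, rc))
            if rc == "reject" and cur.reject_module is None:
                cur.reject_module = mod
                cur.reject_reason = last_msg[1] if last_msg[0] == mod else None
        elif m := RE_RLM_MSG.match(line):
            last_msg = (m.group(1), m.group(2))
        elif line.startswith("[eap] No EAP-Message"):
            cur.eap = False
        elif line.startswith("[suffix] Proxying request from user "):
            cur.realm = line.rsplit(" ", 1)[1]
        elif m := RE_SEND_REQ.match(line):
            cur.proxy_packet_id, cur.home_server = int(m.group(1)), f"{m.group(2)}:{m.group(3)}"
        elif line.startswith("Found Auth-Type = "):
            cur.auth_type = line.split("= ", 1)[1]
        elif line.startswith("Sending Access-"):
            cur.result = line.split()[1].partition("-")[2]  # Accept or Reject
    return requests

def root_cause(requests: List[Request]) -> Tuple[int, Optional[str], Optional[str]]:
    """Hop inward from the NAS-facing request through its proxied copies; report the innermost hop."""
    outer = req = requests[0]
    for _ in requests:  # bounded: at most one hop per request in the transcript
        inner = next((r for r in requests if r is not req and r.packet_id == req.proxy_packet_id
                      and req.home_server and r.client.split(":")[0] == req.home_server.split(":")[0]), None)
        if inner is None:
            break
        req = inner
    return outer.packet_id, req.reject_module, req.reject_reason
```

<div>To use it on a live trace, replace SAMPLE with the output of radiusd -X (or read it from a file) and call root_cause(parse_debug(text)). On the sample it returns (14, 'krb5', 'krb5_sname_to_principal failed: Hostname cannot be canonicalized'), i.e. the packet the switch sent was refused because of the Kerberos lookup on the home server, with nothing EAP-related in the path; the per-request records also show eap=False and NAS-Port-Type = Virtual for the outer request, which is how to tell a console/SSH login apart from a port-authentication attempt when triaging.</div>
<br>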
</body>
</html>