[Freeipa-users] freeipa radius cisco

Han Boetes hboetes at gmail.com
Wed Jan 16 16:44:56 UTC 2013


This might be somewhat off-topic but I'll ask anyway.

First my questions:

How do I get the cisco device -- a 3750 with the latest software image --
to use EAP-TTLS, and what am I missing for the rest?

I've set up radius to use kerberos: kerberos seems to like it when I log on
with ssh on the cisco:

Jan 16 17:33:34 auth-ipa.domain.at krb5kdc[9251](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.2.74: NEEDED_PREAUTH: hb at domain.AT for
krbtgt/domain.AT at domain.AT, Additional pre-authentication required
Jan 16 17:33:34 auth-ipa.domain.at krb5kdc[9251](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.2.74: ISSUE: authtime 1358354014, etypes {rep=18
tkt=18 ses=18}, hb at domain.AT for krbtgt/domain.AT at domain.AT

Alas, radius does not.

rad_recv: Access-Request packet from host 192.168.2.99 port 1645, id=14,
length=91
User-Name = "hb at REALM.AT"
User-Password = "hidden"
NAS-Port = 1
NAS-Port-Id = "tty1"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.2.73"
NAS-IP-Address = 192.168.2.99
# Executing section authorize from file /etc/raddb//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "REALM.AT" for User-Name = "hb at REALM.AT"
[suffix] Found realm "REALM.AT"
[suffix] Adding Stripped-User-Name = "hb"
[suffix] Adding Realm = "REALM.AT"
[suffix] Proxying request from user hb to realm REALM.AT
[suffix] Preparing to proxy authentication request to realm "REALM.AT"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 149 to 127.0.0.1 port 1812
User-Name = "hb"
User-Password = "hidden"
NAS-Port = 1
NAS-Port-Id = "tty1"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.2.73"
NAS-IP-Address = 192.168.2.99
Message-Authenticator := 0x00000000000000000000000000000000
Proxy-State = 0x3134
Proxying request 9 to home server 127.0.0.1 port 1812
Sending Access-Request of id 149 to 127.0.0.1 port 1812
User-Name = "hb"
User-Password = "hidden"
NAS-Port = 1
NAS-Port-Id = "tty1"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.2.73"
NAS-IP-Address = 192.168.2.99
Message-Authenticator := 0x00000000000000000000000000000000
Proxy-State = 0x3134
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=149,
length=102
User-Name = "hb"
User-Password = "hidden"
NAS-Port = 1
NAS-Port-Id = "tty1"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.2.73"
NAS-IP-Address = 192.168.2.99
Message-Authenticator = 0xf42c5bcf8d1c09945833967ce22f9690
Proxy-State = 0x3134
# Executing section authorize from file /etc/raddb//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "hb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = Kerberos
# Executing group from file /etc/raddb//sites-enabled/default
+- entering group Kerberos {...}
rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname cannot be
canonicalized
++[krb5] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb//sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> hb
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 149 to 127.0.0.1 port 1814
Proxy-State = 0x3134
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=149,
length=24
Proxy-State = 0x3134
# Executing section post-proxy from file /etc/raddb//sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb//sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> hb at REALM.AT
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 14 to 192.168.2.99 port 1645
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 149 with timestamp +2998
Cleaning up request 9 ID 14 with timestamp +2998
Ready to process requests.
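As an added diagnostic aid, not part of the original post and not FreeRADIUS code: a small parser over a constructed excerpt modelled on the debug output above. It pulls out the realm match, the proxy hop to the loopback home server, the module that returned reject and the rlm_krb5 message, so the failing leg of a proxied request is visible at a glance. The regexes assume the FreeRADIUS 2.x debug line formats shown in the post.

```python
import re

# Constructed excerpt modelled on the FreeRADIUS 2.x debug output in the post
# (the list archive rendered "@" as " at "; the real attribute reads hb@REALM.AT).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.2.99 port 1645, id=14, length=91
User-Name = "hb@REALM.AT"
[suffix] Found realm "REALM.AT"
[suffix] Adding Stripped-User-Name = "hb"
Sending Access-Request of id 149 to 127.0.0.1 port 1812
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=149, length=102
User-Name = "hb"
Found Auth-Type = Kerberos
rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname cannot be canonicalized
++[krb5] returns reject
Sending Access-Reject of id 149 to 127.0.0.1 port 1814
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=149, length=24
Sending Access-Reject of id 14 to 192.168.2.99 port 1645
"""

RE_SEND = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port (\d+)")
RE_MOD = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)")
RE_KRB = re.compile(r"^rlm_krb5: \[(\S+)\] (.*)$")
RE_REALM = re.compile(r'^\[suffix\] Found realm "([^"]+)"')

def triage(log: str) -> dict:
    """Walk the debug output and collect the facts that explain the final reply."""
    rep = {"sent": [], "realms": [], "rejects": [], "krb5_errors": [], "findings": []}
    for line in map(str.strip, log.splitlines()):
        if m := RE_SEND.match(line):
            rep["sent"].append((m[1], int(m[2]), m[3], int(m[4])))
            if m[1] == "Access-Request" and m[3].startswith("127."):
                # the realm's home server is this same host: the request loops back
                rep["findings"].append(f"id {m[2]} proxied to loopback {m[3]}:{m[4]}; "
                                       "the inner leg runs without the realm and decides")
        elif m := RE_MOD.match(line):
            if m[2] == "reject":
                rep["rejects"].append(m[1])
                rep["findings"].append(f"module {m[1]} returned reject")
        elif m := RE_KRB.match(line):
            rep["krb5_errors"].append((m[1], m[2]))
            rep["findings"].append(f"rlm_krb5 for {m[1]}: {m[2]}")
        elif m := RE_REALM.match(line):
            rep["realms"].append(m[1])
    # the last packet sent is the reply the NAS actually receives
    rep["final"] = rep["sent"][-1][0] if rep["sent"] else None
    return rep
```

Running `triage(SAMPLE_LOG)["findings"]` on the excerpt lists the loopback proxy hop, the rlm_krb5 canonicalization error and the krb5 reject, in that order.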