This might be somewhat off-topic but I'll ask anyway. First my questions:
How do I get the Cisco device -- a 3750 with the latest software image -- to use EAP-TTLS, and what am I missing for the rest?

I've set up RADIUS to use Kerberos. Kerberos seems to like it when I log on with SSH on the Cisco:

Jan 16 17:33:34 auth-ipa.domain.at krb5kdc[9251](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.2.74: NEEDED_PREAUTH: h...@domain.at for krbtgt/domain...@domain.at, Additional pre-authentication required
Jan 16 17:33:34 auth-ipa.domain.at krb5kdc[9251](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.2.74: ISSUE: authtime 1358354014, etypes {rep=18 tkt=18 ses=18}, h...@domain.at for krbtgt/domain...@domain.at

Alas, RADIUS does not:

rad_recv: Access-Request packet from host 192.168.2.99 port 1645, id=14, length=91
        User-Name = "h...@realm.at"
        User-Password = "hidden"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.2.73"
        NAS-IP-Address = 192.168.2.99
# Executing section authorize from file /etc/raddb//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "REALM.AT" for User-Name = "h...@realm.at"
[suffix] Found realm "REALM.AT"
[suffix] Adding Stripped-User-Name = "hb"
[suffix] Adding Realm = "REALM.AT"
[suffix] Proxying request from user hb to realm REALM.AT
[suffix] Preparing to proxy authentication request to realm "REALM.AT"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 149 to 127.0.0.1 port 1812
        User-Name = "hb"
        User-Password = "hidden"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.2.73"
        NAS-IP-Address = 192.168.2.99
        Message-Authenticator := 0x00000000000000000000000000000000
        Proxy-State = 0x3134
Proxying request 9 to home server 127.0.0.1 port 1812
Sending Access-Request of id 149 to 127.0.0.1 port 1812
        User-Name = "hb"
        User-Password = "hidden"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.2.73"
        NAS-IP-Address = 192.168.2.99
        Message-Authenticator := 0x00000000000000000000000000000000
        Proxy-State = 0x3134
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=149, length=102
        User-Name = "hb"
        User-Password = "hidden"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.2.73"
        NAS-IP-Address = 192.168.2.99
        Message-Authenticator = 0xf42c5bcf8d1c09945833967ce22f9690
        Proxy-State = 0x3134
# Executing section authorize from file /etc/raddb//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "hb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = Kerberos
# Executing group from file /etc/raddb//sites-enabled/default
+- entering group Kerberos {...}
rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname cannot be canonicalized
++[krb5] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb//sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> hb
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 149 to 127.0.0.1 port 1814
        Proxy-State = 0x3134
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=149, length=24
        Proxy-State = 0x3134
# Executing section post-proxy from file /etc/raddb//sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb//sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> h...@realm.at
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 14 to 192.168.2.99 port 1645
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 149 with timestamp +2998
Cleaning up request 9 ID 14 with timestamp +2998
Ready to process requests.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
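Added example, not part of the post above and not FreeRADIUS code: a small Python triage script that groups the decision points of a FreeRADIUS debug (-X) trace under the packet they belong to, so the NAS request and its proxied copy are kept apart, and then reports which module rejected and why. The sample trace is a constructed excerpt of the one in the post; the elided User-Name is written as hb@realm.at, which is what the Stripped-User-Name and Realm lines imply.

```python
import re

# Constructed sample: a trimmed excerpt of the FreeRADIUS debug output quoted in the post.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.2.99 port 1645, id=14, length=91
        User-Name = "hb@realm.at"
[suffix] Found realm "REALM.AT"
[suffix] Proxying request from user hb to realm REALM.AT
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=149, length=102
        User-Name = "hb"
Found Auth-Type = Kerberos
rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname cannot be canonicalized
++[krb5] returns reject
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=149, length=24
"""

RECV = re.compile(r"^rad_recv: (Access-\S+) packet from host (\S+) port (\d+), id=(\d+)")
REJECT = re.compile(r"^\+\+\[(\S+)\] returns reject")
MODERR = re.compile(r"^rlm_\w+: .* failed: (.+)$")

def parse_trace(text):
    """Key each received packet as "<peer>:<port>/id=<n>" and attach its decision points."""
    requests, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECV.match(line)
        if m:
            cur = f"{m.group(2)}:{m.group(3)}/id={m.group(4)}"
            requests[cur] = {"packet": m.group(1)}
        elif cur is None:
            continue  # lines before the first packet belong to no request
        elif line.startswith("User-Name ="):
            requests[cur]["user"] = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("[suffix] Found realm"):
            requests[cur]["realm"] = line.split('"')[1]
        elif line.startswith("Found Auth-Type ="):
            requests[cur]["auth_type"] = line.split("=", 1)[1].strip()
        elif MODERR.match(line):
            requests[cur]["reject_reason"] = MODERR.match(line).group(1)
        elif REJECT.match(line):
            requests[cur]["reject_module"] = REJECT.match(line).group(1)
    return requests

def root_cause(requests):
    """Return (module, reason) for the first module-level reject in the trace, or None."""
    for req in requests.values():
        if "reject_module" in req:
            return req["reject_module"], req.get("reject_reason")
    return None
```

Run against the sample, root_cause() points at the krb5 module and the canonicalization failure on the proxied request (id=149), which is the message to chase before touching the EAP side.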