I had a look into this and as far as I could tell, the conversation between the switch and the radius server was not encrypted unless you use TACACS. Does anyone know if this conversation can be encrypted while using Freeradius, as otherwise the domain login details are presumably being sent over the network in clear text?

Oli


On 09/02/11 16:30, Schaatsbergen, Chris wrote:
Greetings Gary,

Well, this does sound like what I would like to achieve, we only have 3
users to administer the Cisco switches, though all domain admins (7)
could do it.

We currently have one admin user account and all domain admins know the
password.

To go to priv level (enable) we will continue to use one password, we
only would like the SSH login to be authenticated against AD.

I am in no hurry (going home now anyway) but would love to hear your
solution a little more detailed.

Chris

*From:*freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org
[mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org]
*On Behalf Of *Gary Gatten
*Sent:* Wednesday, 9 February 2011 17:11
*To:* 'FreeRadius users mailing list'
*Subject:* RE: Authenticating SSH login on a Cisco IOS switch to AD

Authentication with ntlm-auth and “require-membership-of” works well for
us. Right now we simply authenticate the login/vty session with AD, and
the secret is “authorized” locally by the switch. So, each person gets
the vty session with their own unique credentials validated via
ntlm-auth and AD. Everyone knows the secret password. Works well. On our
“dev” FR instance I have an FR users file to return various Cisco
attribute-value pairs. This works well too. Somewhere down the road I’ll
go for a full authorization process with AD on the back side, or since a
relatively small number of users access our gear, might just stick to
users file. Guess it depends how skilled I get with
LDAP/AD/unlang/whatever else…

G

------------------------------------------------------------------------

*From:*freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org]
*On Behalf Of *Brett Littrell
*Sent:* Wednesday, February 09, 2011 9:57 AM
*To:* FreeRadius users mailing list
*Subject:* Re: Authenticating SSH login on a Cisco IOS switch to AD

Hi Chris,

We use TACACS+ to administer our switches here and I can tell you that I
had to add extra stuff to the TACACS replies to allow authorization to
manage the switches. So you may be able to login via radius but
somewhere you are going to have to send information to the switch on
what authorization is given per user. This means that you're going to have
to have AD respond with this information or have some other method that
will inject those values when you login.

I think it is possible but I do not think it will be too easy if you are
only using AD as the back-end, you may need to use local files to define
groups with attributes or some scripts to inject the values Cisco wants.

Hope that helps.

Brett Littrell

Network Manager

MUSD

CISSP, CCSP, CCVP, MCNE



>> On Wednesday, February 09, 2011 at 7:24 AM, in message
<604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>, "Schaatsbergen,
Chris" <chris.schaatsber...@aleo-solar.de> wrote:

Greetings all,

We have a couple of Cisco switches that we administer using SSH
sessions. Now I have been asked if we can authenticate the SSH login on
our Windows 2008 Active Directory using our Freeradius (2.1.10)
installation.

I have been looking and found:
http://wiki.freeradius.org/Cisco
for authenticating inbound shell users and
http://deployingradius.com/documents/configuration/active_directory.html
for authenticating users on AD.

Now I am trying to combine those two.

On the Freeradius server Samba and Kerberos are configured, the
ntlm_auth returns an NT_STATUS_OK.

First question: Would this at all be possible?

And if so my second question: Unfortunately, when I add ntlm_auth to the
authenticate section of sites-enabled/default and run freeradius -X I
get an error that the ntlm_auth module could not be loaded though I have
created the ntlm_auth file in the modules folder as described in the
link. How should I get that to work?

Help would be highly appreciated.

Chris Schaatsbergen
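As an added illustration of the setup Gary describes (ntlm_auth with require-membership-of, plus a users file returning Cisco attribute-value pairs) and of the module/authenticate wiring Chris is asking about, here are FreeRADIUS 2.x configuration fragments; they are not from the thread or the FreeRADIUS project itself. MYDOMAIN, NetAdmins and the ntlm_auth path are placeholders to adapt to your environment.

```conf
# --- raddb/modules/ntlm_auth (FreeRADIUS 2.x) ---
# The 'exec' module runs Samba's ntlm_auth once per PAP request.
# MYDOMAIN and NetAdmins are placeholders for your AD domain and the
# AD group allowed to log in; --require-membership-of makes ntlm_auth
# fail for valid users who are not in that group.
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --require-membership-of=MYDOMAIN\\NetAdmins --username=%{mschap:User-Name} --password=%{User-Password}"
}

# --- raddb/sites-enabled/default ---
# The switch sends an SSH login as PAP (User-Password is present), so
# route those requests to ntlm_auth by setting Auth-Type; the module
# then runs from the 'authenticate' section below. The other modules
# of the stock default virtual server are omitted here for brevity.
authorize {
    preprocess
    if (User-Password) {
        update control {
            Auth-Type := ntlm_auth
        }
    }
    files
}

authenticate {
    ntlm_auth
}

# --- raddb/users ---
# Authorization for the switch: after ntlm_auth succeeds, return a shell
# service and the Cisco-AVPair that grants exec privilege level 15.
# Everyone who passes the AD group check gets this profile; a named
# entry placed above DEFAULT would override it for a single user.
DEFAULT
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
```

Because the switch sends the login as PAP, the password reaches FreeRADIUS protected only by the RFC 2865 User-Password hiding, which is keyed on the RADIUS shared secret; a long random secret and a management VLAN or ACL between the switch and the server limit the exposure Oli raises. Run `freeradius -X` after the change and check the debug output for the ntlm_auth module being loaded and for the reply attributes being sent.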

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


--
Oliver Elliott
Network Specialist
Information Services
University of Bristol
e: oliver.elli...@bristol.ac.uk
t: 0117 92 (87861)