<HTML><HEAD>
<META content="text/html; charset=iso-8859-15" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7600.16671"></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Segoe UI">
<DIV>Hey Oli,</DIV>
<DIV> </DIV>
<DIV> I think it is always a good idea to keep the switch management on a separate management vlan, regardless of whether you encrypt the info or not. Between Cisco and Radius servers it does encrypt the password but I don't think it does much else. Gary may be right that it just hashes the password to be compared. Granted, someone may be able to see what level you login as from a Radius request, the question is whether it matters? If they do not have the password they will have to run some sort of crack on the switch that should throw up warning flags in your Radius logs and hopefully lock your AD account with an intruder lockout. </DIV>
<DIV> </DIV>
<DIV> Having a separate vlan for switch management is a lot like a hidden SSID, it is by no means the most secure way to protect a network but it keeps the riff-raff from trying to hack your network. People who know how to flood the arp tables can bypass vlans if need be, just as someone can get the SSID from a hidden wireless network, that does not mean you have to make it easier for them :)</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>
<DIV>Brett Littrell</DIV>
<DIV>Network Manager</DIV>
<DIV>MUSD</DIV>
<DIV>CISSP, CCSP, CCVP, MCNE</DIV><BR><BR>>>> On Wednesday, February 09, 2011 at 9:20 AM, in message <9935_1297272057_4D52CCF9_9935_1355_2_D9B37353831173459FDAA836D3B43499AF0FA730@WADPMBXV0.waddell.com>, Gary Gatten <Ggatten@waddell.com> wrote:<BR></DIV>
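<DIV> </DIV>
<DIV>Added example (not part of this thread, nor FreeRADIUS or Cisco code): the RFC 2865 section 5.2 User-Password hiding that a Cisco NAS and FreeRADIUS apply to an Access-Request, written in Python with constructed user, shared-secret and Request Authenticator values. It shows why only the password is protected: User-Name and every other attribute travel readable, and the password is recovered by whoever holds the shared secret, which is what makes the separate management VLAN and the RADIUS log monitoring discussed above worthwhile.</DIV>

```python
"""RFC 2865 section 5.2 User-Password hiding: added example with constructed values only."""
import hashlib
import struct

USER_NAME, USER_PASSWORD = 1, 2          # RADIUS attribute types from RFC 2865

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: XOR each 16-byte chunk with MD5(shared secret + previous block)."""
    if len(authenticator) != 16 or not 0 < len(password) <= 128:
        raise ValueError("authenticator must be 16 bytes, password 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte boundary
    out, prev = b"", authenticator                          # first block keyed by Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream, so the shared secret plus the packet is enough."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # drop RFC padding (assumes the password has no trailing NUL)

def build_access_request(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request (code 1, identifier 0) carrying User-Name and User-Password."""
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([USER_NAME, 2 + len(username)]) + username        # User-Name goes in the clear
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + authenticator + attrs

def observer_view(packet: bytes) -> dict:
    """Everything a passive listener without the secret reads: each attribute exactly as sent."""
    seen, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        seen[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return seen

if __name__ == "__main__":
    auth = bytes(range(16))                 # constructed; a real NAS uses 16 random bytes
    pkt = build_access_request(b"brett", b"Sw1tchPassw0rd!", b"demo-secret", auth)
    print(observer_view(pkt))               # User-Name readable, User-Password 16 opaque bytes
```

The same hiding applies to every Access-Request the switch sends for an SSH login, so the readable User-Name is the field a RADIUS log or IDS rule can alert on.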
<TABLE style="MARGIN: 0px 0px 0px 15px; FONT-SIZE: 1em" border=0 bgColor=#f3f3f3>
<TBODY>
<TR>
<TD>
<DIV style="BORDER-LEFT: #050505 1px solid; PADDING-LEFT: 7px">I *think* you are correct. Between FR and AD it may just be a one-way hash of the pw, but not sure. FR can't support anything the NAS doesn't. Well, it could but what good would it do?<BR><BR>
I remember reading about a new / different flavor of RADIUS that includes encryption, but I forget what it's called. And again, no Cisco stuff I'm using supports it so I didn't really put much effort into it.<BR><BR>
We don't necessarily have ssh "everywhere" so obviously unencrypted passwords are a possibility.<BR><BR>
I can think of several....what's the opposite of elegant.... F'd up ways to encrypt this - but not pretty. Network isolation (VLANs) with strict ACLs would at least be a good start - i.e., an "authentication" vlan. If the data can't be accessed on the wire, then it doesn't really matter if it's encrypted - right? Yeah, I know - better encrypted and some compliance issues may pop up as a result on unencrypted stuff "flying" around.<BR><BR>
Interesting....<BR><BR><BR>
-----Original Message-----<BR>
From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Oliver Elliott<BR>
Sent: Wednesday, February 09, 2011 11:05 AM<BR>
To: freeradius-users@lists.freeradius.org<BR>
Subject: Re: AW: Authenticating SSH login on a Cisco IOS switch to AD<BR><BR>
I had a look into this and as far as I could tell, the conversation <BR>
between the switch and the radius server was not encrypted unless you <BR>
use TACACS. Does anyone know if this conversation can be encrypted while <BR>
using Freeradius, as otherwise the domain login details are presumably <BR>
being sent over the network in clear text?<BR><BR>
Oli<BR><BR><BR>
On 09/02/11 16:30, Schaatsbergen, Chris wrote:<BR>
> Greetings Gary,<BR>
><BR>
> Well, this does sound like what I would like to achieve, we only have 3<BR>
> users to administer the Cisco switches, though all domain admins (7)<BR>
> could do it.<BR>
><BR>
> We currently have one admin user account and all domain admins know the<BR>
> password.<BR>
><BR>
> To go to priv level (enable) we will continue to use one password, we<BR>
> only would like the SSH login to be authenticated against AD.<BR>
><BR>
> I am in no hurry (going home now anyway) but would love to hear your<BR>
> solution a little more detailed.<BR>
><BR>
> Chris<BR>
><BR>
> *From:*freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org<BR>
> [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org]<BR>
> *On Behalf Of *Gary Gatten<BR>
> *Sent:* Wednesday, 9 February 2011 17:11<BR>
> *To:* 'FreeRadius users mailing list'<BR>
> *Subject:* RE: Authenticating SSH login on a Cisco IOS switch to AD<BR>
><BR>
> Authentication with ntlm-auth and "require-membership-of" works well for<BR>
> us. Right now we simply authenticate the login/vty session with AD, and<BR>
> the secret is "authorized" locally by the switch. So, each person gets<BR>
> the vty session with their own unique credentials validated via<BR>
> ntlm-auth and AD. Everyone knows the secret password. Works well. On our<BR>
> "dev" FR instance I have an FR users file to return various Cisco<BR>
> attribute-value pairs. This works well too. Somewhere down the road I'll<BR>
> go for a full authorization process with AD on the back side, or since a<BR>
> relatively small number of users access our gear, might just stick to<BR>
> users file. Guess it depends how skilled I get with<BR>
> LDAP/AD/unlang/whatever else...<BR>
><BR>
> G<BR>
><BR>
> ------------------------------------------------------------------------<BR>
><BR>
> *From:*freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org<BR>
> [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org]<BR>
> *On Behalf Of *Brett Littrell<BR>
> *Sent:* Wednesday, February 09, 2011 9:57 AM<BR>
> *To:* FreeRadius users mailing list<BR>
> *Subject:* Re: Authenticating SSH login on a Cisco IOS switch to AD<BR>
><BR>
> Hi Chris,<BR>
><BR>
> We use TACACS+ to administer our switches here and I can tell you that I<BR>
> had to add extra stuff to the TACACS replies to allow authorization to<BR>
> manage the switches. So you may be able to login via radius but<BR>
> somewhere you are going to have to send information to the switch on<BR>
> what authorization is given per user. This means that you're going to have<BR>
> to have AD respond with this information or have some other method that<BR>
> will inject those values when you login.<BR>
><BR>
> I think it is possible but I do not think it will be too easy if you are<BR>
> only using AD as the back-end, you may need to use local files to define<BR>
> groups with attributes or some scripts to inject the values Cisco wants.<BR>
><BR>
> Hope that helps.<BR>
><BR>
> Brett Littrell<BR>
><BR>
> Network Manager<BR>
><BR>
> MUSD<BR>
><BR>
> CISSP, CCSP, CCVP, MCNE<BR>
><BR>
><BR>
><BR>
>> >> On Wednesday, February 09, 2011 at 7:24 AM, in message<BR>
> <604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>, "Schaatsbergen,<BR>
> Chris" <Chris.Schaatsbergen@aleo-solar.de> wrote:<BR>
><BR>
> Greetings all,<BR>
><BR>
> We have a couple of Cisco switches that we administer using SSH<BR>
> sessions. Now I have been asked if we can authenticate the SSH login on<BR>
> our Windows 2008 Active Directory using our Freeradius (2.1.10)<BR>
> installation.<BR>
><BR>
> I have been looking and found:<BR>
> <A href="http://wiki.freeradius.org/Cisco">http://wiki.freeradius.org/Cisco</A><BR>
> for authenticating inbound shell users and<BR>
> <A href="http://deployingradius.com/documents/configuration/active_directory.html">http://deployingradius.com/documents/configuration/active_directory.html</A><BR>
> for authenticating users on AD.<BR>
><BR>
> Now I am trying to combine those two.<BR>
><BR>
> On the Freeradius server Samba and Kerberos are configured, the<BR>
> ntlm_auth returns an NT_STATUS_OK.<BR>
><BR>
> First question: Would this at all be possible?<BR>
><BR>
> And if so my second question: Unfortunately, when I add ntlm_auth to the<BR>
> authenticate section of sites-enabled/default and run freeradius -X I<BR>
> get an error that the ntlm_auth module could not be loaded though I have<BR>
> created the ntlm_auth file in the modules folder as described in the<BR>
> link. How should I get that to work?<BR>
><BR>
> Help would be highly appreciated.<BR>
><BR>
> Chris Schaatsbergen<BR>
><BR>
> -<BR>
> List info/subscribe/unsubscribe? See<BR>
> <A href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</A><BR>
><BR>
> "This email is intended to be reviewed by only the intended recipient<BR>
> and may contain information that is privileged and/or confidential. If<BR>
> you are not the intended recipient, you are hereby notified that any<BR>
> review, use, dissemination, disclosure or copying of this email and its<BR>
> attachments, if any, is strictly prohibited. If you have received this<BR>
> email in error, please immediately notify the sender by return email and<BR>
> delete this email from your system."<BR>
><BR>
><BR>
><BR>
-- <BR>
Oliver Elliott<BR>
Network Specialist<BR>
Information Services<BR>
University of Bristol<BR>
e: Oliver.Elliott@bristol.ac.uk<BR>
t: 0117 92 (87861)<BR>
</DIV></TD></TR></TBODY></TABLE></BODY></HTML>