I have a server successfully authenticating users using eap-mschapv2 or eap-ttls for eduroam and wired 802.1x. I'm now trying to expand the system to include authorisation/authentication for console and telnet access to cisco switches.
For telnet access, I now have:
A new file modules/ntlm_auth which contains,
exec ntlm_auth { wait = yes program = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{User-Name} --password=%{User-Password}" }
At the end of the users file,
DEFAULT NAS-Port-Type = Virtual, NAS-IP-Address = x.x.x.x, Auth-Type := ntlm_auth
Put this after pap in authorize section of default virtual server instead: if(!control:Auth-Type) { update control { Auth-Type - "ntlm_auth" } }
And at the end of the sites-enabled/default and sites-enabled/inner-tunnel authenticate sections, immediately after eap
ntlm_auth
It works though interestingly (for me at least) if I comment out ntlm_auth from the inner-tunnel file, the server fails to start with an "Unknown value ntlm_auth for attribute Auth-Type" error. I don't understand that as I don't want to use this authentication method with peap!
That's because users file is common for both (all) virtual servers. If you use that unlang you don't need an entry in inner-tunnel server.
Obviously the users entry above only works for a single switch as the IP address is specified. Next step is to specify groups of switches.
Just adapt if statement so it fires when you want it to. You can add Huntgroup-Name oor something like that into it.