SSH Logins to Cisco Switch. RADIUS/Active Directory
Hi, I am trying to authenticate SSH logins to my Cisco 3750 switches using RADIUS/Active Directory. I think this means I will need the Cisco switches to send an MSCHAPv2 challenge to the RADIUS server? I am struggling to achieve this and wondered if anyone else had come across this and could offer some advice? Essentially, all I want is to remotely access the switches on my network using Active Directory credentials. Are there any other/better methods if the above is not possible? Any help is greatly appreciated :-)
On 27 Jan 2014, at 21:57, Luke Ramsden <lukermsdn@gmail.com> wrote:
Hi, I am trying to authenticate SSH logins to my Cisco 3750 switches using RADIUS/Active Directory. I think this means I will need the Cisco switches to send an MSCHAPv2 challenge to the RADIUS server? I am struggling to achieve this and wondered if anyone else had come across this and could offer some advice?
Essentially, all I want is to remotely access the switches on my network using Active Directory credentials. Are there any other/better methods if the above is not possible?
They'll support PAP, in which case you can just use LDAP auth (LDAP Bind) against the AD server. You don't need to use MSCHAPv2. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Thanks for the reply. If I use LDAP bind and PAP would that mean running 'radiusd -X' on the radius server would display users' AD password in plaintext when showing the contents of the Access-Request? Thanks -Luke On 27 Jan 2014, at 21:57, Luke Ramsden <lukermsdn@gmail.com> wrote:
Hi, I am trying to authenticate SSH logins to my Cisco 3750 switches using RADIUS/Active Directory. I think this means I will need the Cisco switches to send an MSCHAPv2 challenge to the RADIUS server? I am struggling to achieve this and wondered if anyone else had come across this and could offer some advice?
Essentially, all I want is to remotely access the switches on my network using Active Directory credentials. Are there any other/better methods if the above is not possible?
They'll support PAP, in which case you can just use LDAP auth (LDAP Bind) against the AD server. You don't need to use MSCHAPv2. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 28 Jan 2014, at 00:14, Luke Ramsden <lukermsdn@gmail.com> wrote:
Thanks for the reply.
If I use LDAP bind and PAP would that mean running 'radiusd -X' on the radius server would display users' AD password in plaintext when showing the contents of the Access-Request
Only if you get the shared secret right :) -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
I have my shared secrets set in clients.conf and then on the cisco switch using the 'radius-server' command: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrad... Is this hard-coded approach incorrect? When I view the radiusd -X output for a PAP request I dont have to get the shared secret right as its already there. Hope that makes sense. -Luke On 28 Jan 2014 01:00, "Arran Cudbard-Bell" <a.cudbardb@freeradius.org> wrote:
On 28 Jan 2014, at 00:14, Luke Ramsden <lukermsdn@gmail.com> wrote:
Thanks for the reply.
If I use LDAP bind and PAP would that mean running 'radiusd -X' on the radius server would display users' AD password in plaintext when showing the contents of the Access-Request
Only if you get the shared secret right :)
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 28 Jan 2014, at 09:50, Luke Ramsden <lukermsdn@gmail.com> wrote:
I have my shared secrets set in clients.conf and then on the cisco switch using the 'radius-server' command: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrad...
Is this hard-coded approach incorrect? When I view the radiusd -X output for a PAP request I dont have to get the shared secret right as its already there. Hope that makes sense.
Yes, it's fine to hardcode your shared secrets. Yes, you'll see the cleartext password if running in debugging mode. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
I have experimented with using LDAP bind before and encountered problems (see link below). One of the responses on the thread said I must use MSCHAPv2 if I do not have plaintext passwords in AD - which I do not: "Unless you are storing passwords in Active Directory in plain text or you want to use Kerberos authentication, you will have to use MSCHAPv2 (or its EAP equivalent, EAP-MSCHAPv2)." Previous thread relating to LDAP auth: http://freeradius.1045715.n5.nabble.com/LDAP-Active-Directory-Authentication... Is this correct? Must I use MSCHAPv2? If so, I guess that goes back to my original question. Many thanks -Luke On Tue, Jan 28, 2014 at 10:22 AM, arr2036 [via FreeRADIUS] < ml-node+s1045715n5724717h88@n5.nabble.com> wrote:
On 28 Jan 2014, at 09:50, Luke Ramsden <[hidden email]<http://user/SendEmail.jtp?type=node&node=5724717&i=0>> wrote:
I have my shared secrets set in clients.conf and then on the cisco switch using the 'radius-server' command:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrad...
Is this hard-coded approach incorrect? When I view the radiusd -X output for a PAP request I dont have to get the shared secret right as its
already
there. Hope that makes sense.
Yes, it's fine to hardcode your shared secrets. Yes, you'll see the cleartext password if running in debugging mode.
Arran Cudbard-Bell <[hidden email]<http://user/SendEmail.jtp?type=node&node=5724717&i=1>>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
*signature.asc* (899 bytes) Download Attachment<http://freeradius.1045715.n5.nabble.com/attachment/5724717/0/signature.asc>
------------------------------ If you reply to this email, your message will be added to the discussion below:
http://freeradius.1045715.n5.nabble.com/SSH-Logins-to-Cisco-Switch-RADIUS-Ac... To unsubscribe from Users, click here<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2740693&code=bHVrZXJtc2RuQGdtYWlsLmNvbXwyNzQwNjkzfDEzNTUwMTYxMDg=> . NAML<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
On 28 Jan 2014, at 11:35, Luke Ramsden <lukermsdn@gmail.com> wrote:
I have experimented with using LDAP bind before and encountered problems (see link below). One of the responses on the thread said I must use MSCHAPv2 if I do not have plaintext passwords in AD - which I do not:
"Unless you are storing passwords in Active Directory in plain text or you want to use Kerberos authentication, you will have to use MSCHAPv2 (or its EAP equivalent, EAP-MSCHAPv2)."
Previous thread relating to LDAP auth: http://freeradius.1045715.n5.nabble.com/LDAP-Active-Directory-Authentication...
Stefan's answer was slightly misleading. If you have the Cleartext-Password from the user you can attempt to bind as the user again the AD LDAP interface and use the bind result to determine whether to reject or allow the user. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
I've set up the LDAP bind how I think it should be done and it seems to be binding correctly. It, however, is not successfully authenticating a user. This is the radiusd -X output: Ready to process requests. rad_recv: Access-Request packet from host 10.10.20.40 port 1645, id=15, length=95 NAS-IP-Address = 10.10.20.40 NAS-Port = 2 NAS-Port-Type = Virtual User-Name = 'user' Calling-Station-Id = '10.10.1.35' User-Password = 'password' (1) # Executing section authorize from file /usr/local/etc/raddb/sites- enabled/default (1) authorize { (1) filter_username filter_username { (1) ? if (User-Name != "%{tolower:%{User-Name}}") (1) expand: "%{tolower:%{User-Name}}" -> 'user' (1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) ? if (User-Name =~ / /) (1) ? if (User-Name =~ / /) -> FALSE (1) ? if (User-Name =~ /@.*@/ ) (1) ? if (User-Name =~ /@.*@/ ) -> FALSE (1) ? if (User-Name =~ /\\.\\./ ) (1) ? if (User-Name =~ /\\.\\./ ) -> FALSE (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) ? if (User-Name =~ /\\.$/) (1) ? if (User-Name =~ /\\.$/) -> FALSE (1) ? if (User-Name =~ /@\\./) (1) ? if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok rlm_ldap (ldap): Reserved connection (4) (1) ldap : expand: "(uid:%{%{Stripped-User-Name} :- %{User-Name}})" -> '(uid=user)' (1) ldap : expand: "ou=DOMAIN Users,dc=DOMAIN,dc=com" -> 'ou=DOMAIN Users,DC=DOMAIN,DC=com' (1) ldap : Performing search in 'ou=DOMAIN Users,dc=DOMAIN,dc=com' with filter '(uid=user)' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "CN=Joe Bloggs,OU=GROUP,OU=DOMAIN Users,DC=DOMAIN,DC=com" rlm_ldap (ldap): Released connection (4) rlm_ldap (ldap): Opening additional connection (5) rlm_ldap (ldap): Connection to domaincontroller.DOMAIN.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "user", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : No EAP-Message, not doing EAP (1) [eap] = noop (1) [files] = noop rlm_ldap (ldap): Reserved connection (5) (1) ldap : expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(uid=user)' (1) ldap : expand: "ou=DOMAIN Users,dc=DOMAIN,dc=com" -> 'ou=DOMAIN Users,DC=DOMAIN,DC=com' (1) ldap : Performing search in 'ou=DOMAIN Users,dc=DOMAIN,dc=com' with filter '(uid=user)' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "CN=Joe Bloggs,OU=GROUP,OU=DOMAIN Users,DC=DOMAIN,DC=com" rlm_ldap (ldap): Released connection (5) (1) [ldap] = ok (1) [expiration] = noop (1) [logintime] = noop (1) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type. (1) WARNING: pap : Authentication will fail unless a "known good" password is available. (1) [pap] = noop (1) } # authorize = ok (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed the authenticate the user. (1) Using Post-Auth-Type Reject (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : expand: "%{User-Name}" -> 'user' (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (1) [eap] = noop (1) remove_reply_message_if_eap remove_reply_message_if_eap { (1) ? if (reply:EAP-Message && reply:Reply-Message) (1) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (1) else else { (1) [noop] = noop (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Finished request 1. Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed reject Sending Access-Reject of id 15 from 10.10.20.26 port 1812 to 10.10.20.40 port 1645 Waking up in 4.9 seconds. Thanks -Luke On Tue, Jan 28, 2014 at 11:57 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 28 Jan 2014, at 11:35, Luke Ramsden <lukermsdn@gmail.com> wrote:
I have experimented with using LDAP bind before and encountered problems (see link below). One of the responses on the thread said I must use MSCHAPv2 if I do not have plaintext passwords in AD - which I do not:
"Unless you are storing passwords in Active Directory in plain text or you want to use Kerberos authentication, you will have to use MSCHAPv2 (or its EAP equivalent, EAP-MSCHAPv2)."
Previous thread relating to LDAP auth: http://freeradius.1045715.n5.nabble.com/LDAP-Active-Directory-Authentication...
Stefan's answer was slightly misleading.
If you have the Cleartext-Password from the user you can attempt to bind as the user again the AD LDAP interface and use the bind result to determine whether to reject or allow the user.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Jan 28, 2014 at 11:57 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 28 Jan 2014, at 11:35, Luke Ramsden <lukermsdn@gmail.com> wrote:
I have experimented with using LDAP bind before and encountered problems (see link below). One of the responses on the thread said I must use MSCHAPv2 if I do not have plaintext passwords in AD - which I do not:
"Unless you are storing passwords in Active Directory in plain text or you want to use Kerberos authentication, you will have to use MSCHAPv2 (or its EAP equivalent, EAP-MSCHAPv2)."
Previous thread relating to LDAP auth: http://freeradius.1045715.n5.nabble.com/LDAP-Active-Directory-Authentication...
Stefan's answer was slightly misleading.
If you have the Cleartext-Password from the user you can attempt to bind as the user again the AD LDAP interface and use the bind result to determine whether to reject or allow the user.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 28 Jan 2014, at 14:44, Luke Ramsden <lukermsdn@gmail.com> wrote:
I've set up the LDAP bind how I think it should be done and it seems to be binding correctly.
Authorization is not Authentication. You want something like: authorize { if (User-Password) { update { control:Auth-Type := LDAP } } } authenticate { Auth-Type LDAP { ldap } } Where you list the module changes which operation it performs. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (2)
-
Arran Cudbard-Bell -
Luke Ramsden