Authenticating SSH login on a Cisco IOS switch to AD

Brett Littrell Blittrell at musd.org
Wed Feb 9 17:21:06 CET 2011


Yep, simple auth should be no problem; I was referring to pushing the
authorization out to the switch.  So for us, we log in and are
automatically at the enable level we defined in TACACS.  When I was
researching this, I believe it said you could get all the same stuff
with Radius; the only real difference is that TACACS encrypts more of
the authentication requests than Radius and does better accounting.  Of
course it only really works on Cisco, which is a major drawback.

Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


>>> On Wednesday, February 09, 2011 at 8:11 AM, in message
<9938_1297267879_4D52BCA7_9938_10000_2_D9B37353831173459FDAA836D3B43499AF0FA72D at WADPMBXV0.waddell.com>,
Gary Gatten <Ggatten at waddell.com> wrote:


Authentication with ntlm-auth and "require-membership-of" works well
for us.  Right now we simply authenticate the login/vty session with AD,
and the secret is "authorized" locally by the switch.  So, each person
gets the vty session with their own unique credentials validated via
ntlm-auth and AD.  Everyone knows the secret password.  Works well.  On
our "dev" FR instance I have an FR users file to return various Cisco
attribute-value pairs.  This works well too.  Somewhere down the road
I'll go for a full authorization process with AD on the back side, or,
since a relatively small number of users access our gear, might just
stick to the users file.  Guess it depends how skilled I get with
LDAP/AD/unlang/whatever else...
G


From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org]
On Behalf Of Brett Littrell
Sent: Wednesday, February 09, 2011 9:57 AM
To: FreeRadius users mailing list
Subject: Re: Authenticating SSH login on a Cisco IOS switch to AD

 

Hi Chris,

    We use TACACS+ to administer our switches here and I can tell you
that I had to add extra stuff to the TACACS replies to allow
authorization to manage the switches.  So you may be able to log in via
radius, but somewhere you are going to have to send information to the
switch on what authorization is given per user.  This means that you're
going to have to have AD respond with this information or have some
other method that will inject those values when you log in.

    I think it is possible, but I do not think it will be too easy if you
are only using AD as the back-end; you may need to use local files to
define groups with attributes or some scripts to inject the values Cisco
wants.

Hope that helps.

Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE



>>> On Wednesday, February 09, 2011 at 7:24 AM, in message
<604AAF035805AB46B4F293945AE8F9FC182FEB879C at pzex01-07>, "Schaatsbergen,
Chris" <Chris.Schaatsbergen at aleo-solar.de> wrote:


Greetings all,

We have a couple of Cisco switches that we administer using SSH
sessions. Now I have been asked if we can authenticate the SSH login on
our Windows 2008 Active Directory using our Freeradius (2.1.10)
installation.

I have been looking and found:
http://wiki.freeradius.org/Cisco
for authenticating inbound shell users and 
http://deployingradius.com/documents/configuration/active_directory.html
for authenticating users on AD.

Now I am trying to combine those two. 

On the Freeradius server Samba and Kerberos are configured, the
ntlm_auth returns an NT_STATUS_OK.

First question: Would this at all be possible?

And if so my second question: Unfortunately, when I add ntlm_auth to
the authenticate section of sites-enabled/default and run freeradius -X
I get an error that the ntlm_auth module could not be loaded though I
have created the ntlm_auth file in the modules folder as described in
the link. How should I get that to work?

Help would be highly appreciated.

Chris Schaatsbergen

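A concrete version of the split Gary describes above (AD, via ntlm_auth, decides whether the password is right; a local FreeRADIUS users file decides what the user may do on the switch), added here as an illustration and not taken from any poster's configuration. It follows the FreeRADIUS 2.1.x layout (raddb/modules, raddb/sites-enabled/default, raddb/users) used by the two documents Chris links to. The path /usr/bin/ntlm_auth, the domain name EXAMPLE and the user names alice and bob are placeholders to be replaced for a real site.

```conf
# ---- raddb/modules/ntlm_auth ----------------------------------------------
# Defines the "ntlm_auth" module instance that sites-enabled/default refers to.
# Assumptions (not from the thread): Samba's ntlm_auth binary is at
# /usr/bin/ntlm_auth and the AD domain's short (NetBIOS) name is EXAMPLE.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# ---- raddb/sites-enabled/default (only the part that changes) -------------
# An IOS vty login sends the password as PAP, so User-Password is available
# to hand to ntlm_auth.  Add this sub-section inside the existing
# "authenticate { ... }" block and leave the rest of that block as shipped.
authenticate {
        Auth-Type ntlm_auth {
                ntlm_auth
        }
}

# ---- raddb/users -----------------------------------------------------------
# Check items sit on the first line of an entry, reply items on the indented
# lines that follow.  Entries are tried top to bottom and, without
# Fall-Through, the first match wins.  Cisco-AVPair comes from the stock
# dictionary.cisco; "shell:priv-lvl=N" is the privilege level the switch
# applies to the exec session.
alice   Auth-Type := ntlm_auth
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

bob     Auth-Type := ntlm_auth
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=1"

# Any account not listed above gets an Access-Reject, so a valid domain
# password alone is not enough to reach a switch prompt.
DEFAULT Auth-Type := Reject
```

The privilege level is only honoured if the switch asks RADIUS for exec authorization (`aaa authorization exec default group radius local` next to `aaa authentication login default group radius local`); without that line the user lands at level 1 and needs the enable secret, which is the interim arrangement Gary describes. `radtest` against the server and `debug aaa authorization` on the switch show which attributes were actually sent and applied, which is the quickest way to tell a dictionary or users-file problem from a switch-side one.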