SSH Logins to Cisco Switch. RADIUS/Active Directory

Luke Ramsden lukermsdn at gmail.com
Tue Jan 28 12:35:13 CET 2014


I have experimented with using LDAP bind before and encountered problems
(see link below). One of the responses on the thread said I must use
MSCHAPv2 if I do not have plaintext passwords in AD - which I do not:

    "Unless you are storing passwords in Active Directory in plain
    text or you want to use Kerberos authentication, you will have to use
    MSCHAPv2 (or its EAP equivalent, EAP-MSCHAPv2)."

Previous thread relating to LDAP auth:
http://freeradius.1045715.n5.nabble.com/LDAP-Active-Directory-Authentication-Issue-td5724001.html#a5724014

Is this correct? Must I use MSCHAPv2? If so, I guess that goes back to my
original question.

Many thanks
-Luke


On Tue, Jan 28, 2014 at 10:22 AM, arr2036 [via FreeRADIUS] <
ml-node+s1045715n5724717h88 at n5.nabble.com> wrote:

>
> On 28 Jan 2014, at 09:50, Luke Ramsden <[hidden email]> wrote:
>
> > I have my shared secrets set in clients.conf and then on the cisco
> > switch using the 'radius-server' command:
> >
> > http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrad.html#wp1001000
> >
> > Is this hard-coded approach incorrect? When I view the radiusd -X output
> > for a PAP request I don't have to get the shared secret right as it's
> > already there. Hope that makes sense.
>
> Yes, it's fine to hardcode your shared secrets.
> Yes, you'll see the cleartext password if running in debugging mode.
>
> Arran Cudbard-Bell <[hidden email]>
>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
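An added example, written for this archive page and not taken from the thread or from FreeRADIUS itself, of why the two answers quoted above fit together. A PAP request carries the password in the User-Password attribute hidden with the RFC 2865 section 5.2 scheme: the NAS (here the switch) XORs it with MD5(shared secret + Request Authenticator), chained block by block, and the server reverses that with the secret it has in clients.conf. The result on the server side is the cleartext password, which is exactly what radiusd -X prints. MS-CHAPv2 instead exchanges a challenge/response computed from the NT hash, so the server never receives the cleartext; it needs the NT hash (or a plaintext copy) to verify the response, which an LDAP bind cannot supply, hence the quoted advice. The shared secret "testing123" and the 16-byte authenticator below are constructed sample values, not anything from the thread.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2, as done by the NAS (the switch).

    Pad the password with NULs to a multiple of 16 bytes, then for each
    16-byte block: b_i = MD5(secret + c_{i-1}) with c_0 = Request
    Authenticator, c_i = p_i XOR b_i.  This is obfuscation keyed on the
    shared secret, not encryption in the modern sense.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + 16], b)
        hidden += c
        prev = c
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server side: same chain, XOR the other way, strip the NUL padding.

    This is the step after which the password exists in the clear inside
    the RADIUS server process, which is why a debug run can print it.
    """
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += _xor(hidden[i:i + 16], b)
        prev = hidden[i:i + 16]   # chain on the ciphertext block, per the RFC
    return plain.rstrip(b"\x00")


# Constructed sample values (not from the thread): a clients.conf-style
# secret and a fixed Request Authenticator so the demo is deterministic.
SAMPLE_SECRET = b"testing123"
SAMPLE_AUTHENTICATOR = bytes(range(16))


def demo(password: bytes = b"Secret123!") -> dict:
    """Show recovery with the right secret and garbage with a wrong one."""
    hidden = hide_user_password(password, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    with_right_secret = reveal_user_password(hidden, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    with_wrong_secret = reveal_user_password(hidden, b"wrongsecret", SAMPLE_AUTHENTICATOR)
    return {
        "hidden_len": len(hidden),
        "right": with_right_secret,
        "wrong_matches": with_wrong_secret == password,
    }


if __name__ == "__main__":
    r = demo()
    print("hidden bytes:", r["hidden_len"])
    print("recovered with correct secret:", r["right"])
    print("recovered with wrong secret equals password:", r["wrong_matches"])
```

The "wrong secret" branch is the practical reason a mismatched secret between clients.conf and the switch's radius-server line breaks PAP: the server recovers a different byte string and the authentication fails, while the request itself is still parsed.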