نمایش نتایج: از شماره 1 تا 3 از مجموع 3

موضوع: AAA Protocol

  
  1. #1
    نام حقيقي: 1234

    مدیر بازنشسته
    تاریخ عضویت
    Jul 2009
    محل سکونت
    5678
    نوشته
    5,634
    سپاسگزاری شده
    2513
    سپاسگزاری کرده
    272

    AAA Protocol

    کد:
    http://www.forum.persianadmins.ir/showthread.php?t=11694

    which AAA protocol to use between ASA - PIX and Active Directory



    This is on an ASA5520 running “Cisco Adaptive Security Appliance Software Version 7.0(6)”
    aaa-server protocol nt , ldap, kerberos, radius or tacacs for active directory authentication? I thought googling for “aaa-server protocol nt” might bring up some decent results but instead I found one of my own posts in the first page of results. Fail.
    As noted in the above linked post, NT is easy to set up, but I wonder if it’s supported by newer software. Apparently NT uses NTLMv1, bad.
    It sounds like kerberos would work with active directory (I know AD has kerb likeness, but i never trust microsoft’s implementations of this crap to actually work in the same way as everything else, see the obfuscated SMB/CIFS protocol). There’s an interesting caveat with this implementation not supporting changing passwords during negotiation due to password expiration. I don’t think anything we use currently supports that anyways. I wonder if you can change expired domain passwords via OWA yet.
    There are a number of examples (1, 2) out there using RADIUS, but that’s so old skewl. Cisco has some code / walkthrough (adsm) for doing kerb/ldap for authentication and authorization respectively here.
    کد:
    aaa-server mykerb protocol kerberos
    aaa-server mykerb  host 10.0.0.xx
    kerberos-realm CORP.EXAMPLE.COM
    aaa-server mykerb  host 10.0.0.xy
    kerberos-realm CORP.EXAMPLE.COM
    aaa-server myldap  protocol ldap
    aaa-server myldap host 10.0.0.xx
    ldap-base-dn  ou=CORP_USERS
    ldap-scope onelevel
    ldap-naming-attribute uid
    aaa-server  myldap host 10.0.0.xy
    ldap-base-dn ou=CORP_USERS
    ldap-scope  onelevel
    ldap-naming-attribute uid
    Then testing halfworks:
    کد:
    test aaa-server authentication mykerb host 10.0.0.xx   username USER password PASS
    This produces “ERROR: Authentication Rejected: Unspecified” when username and password are correct, otherwise “ERROR: Authentication Rejected: Invalid password” or “ERROR: Authentication Rejected: User was not found”. So something’s working right, but I thought a computer account needed to exist for kerb.
    The one Cisco page notes two things to check in troubleshooting, 1) clock skew (normal for kerb, I setup ntp already) and 2) “pre-authentication”. They fail to explain the latter. I found the information I needed here. “0×19 - KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required”. I take it that windows sends this kerb error if you’re trying to do kerb but aren’t authenticated, say via a computer account. Meh. Checking the “Do not require kerberos preauthentication” box on the account tab of the active directory account brought back a success in the above cisco test command, but I’m not sure that the tradeoff is acceptable. Other cisco access server software has you configure an account for it, however complex the process looks.
    Since this is only DES from all I can tell, which makes everyone gawk, but I can’t find any evidence that Windows Kerberos support 3des, whilst I can find evidence of people having to switch from 3des to des to make other kerberos implementations work with Windows. ktpass, a windows utility for fscking around with kerberos has these options:
    کد:
    [- /]       crypto : DES-CBC-CRC : for compatibility
    [-  /]       crypto : DES-CBC-MD5 : for compatibliity
    [- /]       crypto  : RC4-HMAC-NT : default 128-bit encryption
    So I’m not feeling like kerberos is really a huge step up as far as password security goes. It’s certainly progress over NTLMv1 and it’s low-entropy retardedness, but RADIUS just might be the right choice here. WinKerb would use RC4-HMAC, but I’m sure it’s using DES to talk to the Crisco.
    Ken Caruso pointed out some commands in IOS for configuring preauth, but they don’t appear to exist in ASA v7.0.
    So, I guess it’s trusting RADIUS + MD5.
    It does appear that ASA v8.0 supports NTLMv2, perhaps other features? Worth upgrading? Hmm




    موضوعات مشابه:

  2. #2
    نام حقيقي: 1234

    مدیر بازنشسته
    تاریخ عضویت
    Jul 2009
    محل سکونت
    5678
    نوشته
    5,634
    سپاسگزاری شده
    2513
    سپاسگزاری کرده
    272

    Configuring FreeRADIUS to support Cisco AAA Clients

    کد:
    http://evilrouters.net/2008/11/19/configuring-freeradius-to-support-cisco-aaa-clients/

    In this demonstration, we’re going to install FreeRADIUS onto a CentOS 5.2 server and configure it to support AAA on Cisco devices.
    “FreeRADIUS is the most widely deployed RADIUS server in the world. It is the basis for multiple commercial offerings. It supplies the AAA needs of many Fortune-500 companies and Tier 1 ISPs. It is also widely used in the academic community, including eduroam. The server is fast, feature-rich, modular, and scalable.” –FreeRADIUS home page
    I’ve been using FreeRADIUS in production for a few years now, mostly to support wireless users. One of the benefits of FreeRADIUS — besides being open source, of course — is the numbers of backends one can use for authentication:
    “If a password is not available locally for some reason, the server can pass the authentication to another system such as LDAP, PAM, Unix (/etc/passwd), Kerberos, Active Directory, or RADIUS server via RADIUS proxying. Local programs (e.g. CGI scripts) can also be used to authenticate users via shell scripts or any other method. Perl or Python scripts can be pre-loaded into the server, which significantly lowers the cost of running such programs.”
    Powerful, huh? Indeed.
    For this demonstration, I’m installing a new CentOS 5.2 virtual machine on my MacBook under VMware Fusion. Installing the operating system, however, is beyond the scope of this document. Also, we’ll just be using the local system database for now — we’ll save SQL and LDAP (perhaps even Active Directory) authentication for later. After we get FreeRADIUS up and running, we’ll set up a user account and then configure a Cisco router to use RADIUS for authentication.
    Let’s begin with installing FreeRADIUS by running (as root) the following command:
    کد:
       [root@bertram ~]# yum -y install freeradius
    “yum” should have went out, grabbed the appropriates packages and dependencies, and installed them. If the end of your output looks like this, you’re all set:
    کد:
    Complete!
    [root@bertram ~]#
    Because FreeRADIUS will need to use the local system database for authentication, we need to set ‘user = root’ and ‘group = root’ in radiusd.conf. This is easy enough, just open up /etc/raddb/radiusd.conf, and change the lines that reads “user = radiusd” and “group = radiusd” to “user = root” and “group = root”, respectively. Note that this (running our daemons as root) is almost always something we want to avoid. Using other authentication backends, such as SQL or LDAP, would not require this change and would allow the FreeRADIUS service to run under the default “radiusd” unprivileged account.
    Next, we need to let FreeRADIUS know about our NAS — in this case, our Cisco router. For the sake of this demonstration, our router (R1) will have IP address 192.168.1.201. We’ll also need a shared secret that the router and RADIUS server use. Let’s use the ever popular “SECRET_KEY”. Add the following to the end of /etc/raddb/clients.conf:
    کد:
    client 192.168.1.201 {
            secret = SECRET_KEY
            shortname = R1
            nastype = cisco
    }
    Then, on the FreeRADIUS side, we need to create a user account in the local user database that we’ll use for actually authenticating to R1. Nothing special here, just creating a new user account and setting the password. I’ve passed the plain-text password into “passwd” via stdin so that you can see it. Normally, we wouldn’t do that — just run “passwd cisco” and enter the password when prompted:
    کد:
    [root@bertram ~]# /usr/sbin/useradd cisco
    [root@bertram ~]# echo secret | passwd --stdin cisco
    Changing password for user cisco.
    passwd: all authentication tokens updated successfully.
    [root@bertram ~]#
    We now have a local user named “cisco” with a password of “secret” that we’ll use when it comes time to authenticate to R1. Before we can do that, however, we must let FreeRADIUS know about the user. Append the following to /etc/raddb/users:
    کد:
    cisco   Auth-Type := System
            Service-Type = NAS-Prompt-User,
            cisco-avpair = "shell:priv-lvl=15"
    This notifies FreeRADIUS of a local user account named “cisco”. Using the “cisco-avpair” attribute in this manner allows us to automatically assign privilege level 15 to the user, removing the requirement for the user to issue “enable” (and the enable secret) in order to gain elevated access.
    Let’s get started configuring R1. I’m going to assume that you’re starting from a default configuration. The first thing we want to do is create a “fallback” user account (on the router itself) that we can use to authenticate if, for some reason, connectivity to the RADIUS server is lost. Let’s create a user named “admin” with a password of “letmein”:
    کد:
    R1(config)#username admin privilege 15 secret letmein
    Under normal circumstances, we’ll never use this local account — only when the RADIUS server is unavailable.
    The first thing I need to do is configure my interface on R1 and verify we can ping the RADIUS server. Assuming you already have your router up and running, you can likely skip this step:
    کد:
    R1(config)#interface fastethernet 3/0
    R1(config-if)#ip address 192.168.1.201 255.255.255.0
    R1(config-if)#no shutdown
    R1(config-if)#
    *Mar  1 00:10:14.635: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed  state to up
    *Mar  1 00:10:15.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface  FastEthernet3/0, changed state to up
    R1(config-if)#do ping 192.168.1.51
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.51, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 4/11/24 ms
    R1(config-if)#
    Excellent, all set! Let’s start configuring R1 for AAA:
    کد:
    R1(config)#aaa new-model
    R1(config)#radius-server host 192.168.1.51 auth-port 1812 acct-port 1813  key SECRET_KEY
    AAA should now be enabled on R1. Note that we provided the IP address of the RADIUS server as well as the shared secret we configured in FreeRADIUS earlier. In addition, we must specify the “auth-port” and “acct-port” used by FreeRADIUS, as these are different from Cisco’s defaults (1645 and 1646). Let’s configure authentication:
    کد:
    R1(config)#aaa authentication login default group radius local
    R1(config)#line vty 0 4
    R1(config-line)#login authentication default
    R1(config-line)#line con 0
    R1(config-line)#login authentication default
    Here, we’ve told R1 to use RADIUS for authentication and to fall back to the local user database if the RADIUS server is not available. We don’t want to DoS ourselves!
    The following command will allow the user to run an “exec” shell when logging into the router:
    کد:
    R1(config)#aaa authorization exec default group radius  if-authenticated
    Last, but not least, we want accounting (the final “A” in “AAA”):
    کد:
    R1(config)#aaa accounting exec default start-stop group radius
    R1(config)#aaa accounting system default start-stop group radius
    That should be enough to allow us to login with our local (Linux) system account “cisco” that we created earlier. Let’s give it a shot:
    کد:
    macbook:~ jlgaddis$ telnet 192.168.1.201
    Trying 192.168.1.201...
    Connected to 192.168.1.201.
    Escape character is '^]'.
    
    
    User Access Verification
    
    Username: cisco
    Password:
    
    R1#show ip interface brief
    Interface                  IP-Address      OK? Method Status                 Protocol
    Ethernet0/0                unassigned      YES unset  administratively  down down
    Ethernet0/1                unassigned      YES unset  administratively  down down
    Ethernet0/2                unassigned      YES unset  administratively  down down
    Ethernet0/3                unassigned      YES unset  administratively  down down
    Serial1/0                  unassigned      YES unset  administratively  down down
    Serial1/1                  unassigned      YES unset  administratively  down down
    Serial1/2                  unassigned      YES unset  administratively  down down
    Serial1/3                  unassigned      YES unset  administratively  down down
    FastEthernet3/0            192.168.1.201   YES manual up                     up
    R1#exit
    Connection closed by foreign host.
    macbook:~ jlgaddis$
    Success! We’ve installed FreeRADIUS, added a local user account, set up the NAS client (R1) and configured it to authenticate against the RADIUS server. Let’s take a look at what was logged by FreeRADIUS:
    کد:
    [root@bertram ~]# cat  /var/log/radius/radacct/192.168.1.201/detail-20081119
    Wed Nov 19 00:24:47 2008
            Acct-Session-Id = "00000005"
            User-Name = "cisco"
            Acct-Authentic = RADIUS
            Acct-Status-Type = Start
            NAS-Port = 130
            NAS-Port-Id = "tty130"
            NAS-Port-Type = Virtual
            Calling-Station-Id = "192.168.1.49"
            Service-Type = NAS-Prompt-User
            NAS-IP-Address = 192.168.1.201
            Acct-Delay-Time = 0
            Client-IP-Address = 192.168.1.201
            Acct-Unique-Session-Id = "31b757fca2145e79"
            Timestamp = 1227072287
    
    Wed Nov 19 00:25:14 2008
            Acct-Session-Id = "00000005"
            User-Name = "cisco"
            Acct-Authentic = RADIUS
            Acct-Terminate-Cause = User-Request
            Acct-Session-Time = 27
            Acct-Status-Type = Stop
            NAS-Port = 130
            NAS-Port-Id = "tty130"
            NAS-Port-Type = Virtual
            Calling-Station-Id = "192.168.1.49"
            Service-Type = NAS-Prompt-User
            NAS-IP-Address = 192.168.1.201
            Acct-Delay-Time = 0
            Client-IP-Address = 192.168.1.201
            Acct-Unique-Session-Id = "31b757fca2145e79"
            Timestamp = 1227072314
    
    [root@bertram ~]#
    If there’s interest, I may expand on this later to include huntgroups, multiple RADIUS servers, using MySQL for accounting, or even through some LDAP and/or Active Directory authentication into the mix. If you’re interested, please leave a comment below




  3. #3
    نام حقيقي: 1234

    مدیر بازنشسته
    تاریخ عضویت
    Jul 2009
    محل سکونت
    5678
    نوشته
    5,634
    سپاسگزاری شده
    2513
    سپاسگزاری کرده
    272

    AAA RADIUS authentication with Windows Server 2008

    کد:
    http://youritguy.wordpress.com/2009/10/02/aaa-radius-authentication-with-windows-server-2008/

    Note: Windows Server 2008 Enterprise with SP2 and Cisco 2650XM router with Cisco IOS Advanced Enterprise, version 12.4(15)T9 are used in the configuration below.
    1. Go to Server Manager, select ‘Add Roles‘ and check “Network Policies and Access Services“.
    Install ‘Network Policy Server‘, ‘Routing and Remote Access Services‘, ‘Remote Access Service‘, and ‘Routing‘.
    2. In Server Manager, go to Roles->Network Policy and Access Services->NPS (Local)->RADIUS Clients and Servers and right-click ‘RADIUS Clients‘ and select “New RADIUS Client“.

    3. Give it a name, IP address of the router, and select “Manual” for the shared secret (remember this) and type in a password which in for here is cisco123. Press OK when finished.
    4. Go to Policies and right-click ‘Network Policies‘ and select “New“.
    5. Give it a name and leave the “Type of network access server” to ‘Unspecified‘.
    6. Click ‘Next’ and add in Windows, Machines, or User Groups. In this case, I selected “User Groups” and added in the group Cisco_Users (make sure there is a user account with a password belonging to the group).

    7. In the next screen, make sure “Access granted” is selected before moving on.

    8. Uncheck everything except “Unencrypted authentication“.

    9. Configure any constraints. I left it alone.

    10. Clear out anything in the Radius Attributes Standard.
    11. Add in the attribute ‘Service-type‘ and select “Login” for ‘Others‘.

    12. Select “Vendor Specifics” and click ‘Add‘. Select “Cisco” for ‘Vendor‘. Select “Cisco-AV-Pair” and click ‘Add’.
    13. Copy and paste in: shellriv-lvl=15

    14. Telnet or SSH into the router to test it out.


    Commands entered:
    hostname Router2650XM
    ip domain-name homelab
    crypto key generate rsa modulus 1024
    ip ssh version 2
    username remote-user secret router2650xm
    enable secret password
    aaa new-model
    aaa group server radius SERVER2008
    server-private 172.16.1.1 key cisco123
    exit
    ! radius-server host 172.16.1.1 key cisco123
    ! can also work
    aaa authentication login default group SERVER2008 local
    ! if local is not added in at the end, then you may lock yourself
    ! out of the router if it cannot access the RADIUS server.
    ! Performing password recovery is pain in the ass.
    !
    ! aaa authentication login default group radius local
    ! use this if the radius-server command is used
    line vty 0 181
    transport input ssh telnet
    ! telnet traffic can be sniffed. SSH is more secure.
    login authentication default
    exit





کلمات کلیدی در جستجوها:

ERROR: Authentication Rejected: Unspecified

error authentication rejected unspecified asa

error: authentication rejected: aaa failure

aaa user authentication rejected : reason = unspecified

cisco asa kerberos error authentication rejected unspecified

cisco asa aaa user authentication rejected reason unspecified

authorization rejected: unspecified

cisco asa cannot change password with kerberos

asa authen freeradius

freeradius virtual machine prebuilt

authorization rejected unspecified

asa AAA user authentication Rejected : reason = Unspecified

TACACS nps

aaa user authentication rejected : reason = invalid password

cisco asa 5520 do not require kerberos preauthentication

kerberos authorization cisco microsoft 2008 active directory

aaa user authentication rejected reason = unspecified

3

aaa user authentication rejected : reason = unspecified :

asa kerberos error authentication rejected unspecified

authorization rejected aaa failure

error: authentication rejected: unspecified ASA to ldapcisco asa aaa kerberos error: authentication rejected: unspecifiedcisco asa reason = aaa failure cisco asa 5520 aaa attribute type radius

برچسب برای این موضوع

مجوز های ارسال و ویرایش

  • شما نمی توانید موضوع جدید ارسال کنید
  • شما نمی توانید به پست ها پاسخ دهید
  • شما نمی توانید فایل پیوست ضمیمه کنید
  • شما نمی توانید پست های خود را ویرایش کنید
  •