[31436] in Kerberos


Re: CISCO and kerberos

daemon@ATHENA.MIT.EDU (Nikos Nikoleris)
Tue Sep 1 09:33:09 2009

From: Nikos Nikoleris <nikos@ece.ntua.gr>
Date: Tue, 01 Sep 2009 12:55:01 +0200
Message-ID: <h7iui4$ltq$1@ulysses.noc.ntua.gr>
Mime-Version: 1.0
X-Complaints-To: usenet@ulysses.noc.ntua.gr
In-Reply-To: <h4s1u2$nsc$1@nemesis.news.neostrada.pl>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

jarek wrote:
> Hi all!
> 
> I'd like to configure CISCO Catalyst to use kerberos against AD server
> W2008. I'd like to login to cisco using ticket and telnet.krb5 from
> krb5-clients package. When I'm trying telnet.krb5 -a -f cisco_ip, I'm
> getting:
> 
> [ Kerberos V5 refuses authentication ]
> kerberos_server_auth:    Couldn't authenticate client from
> test-nms.test.local.
> 
> What can be wrong?
> 
> Does someone have a working example of a CISCO config for such a scenario?
> 
> J.

Hi Jarek,

A Cisco is working here with Kerberos authentication, but the KDC is Heimdal
Kerberos. Some suggestions are:
* Timing issues: you have to make sure both the KDC and the Cisco are
synced (that's very important).
* Try uploading the keytab using only the DES-CBC-CRC enctype of the Cisco
principal.
* Your Cisco should have a configuration like:

    aaa new-model
    aaa authentication login default krb5-telnet krb5 local enable
    aaa authorization exec default krb5-instance
    kerberos local-realm YOUR.REALM
    ! there should be some numbers here as well
    kerberos srvtab entry host/FQDN.OF.YOUR.SWITCH@YOUR.REALM
    kerberos clients mandatory
    kerberos server YOUR.REALM $(IP of your KDC)
    ! this will map kerberos users */admin to the superuser of the cisco
    kerberos instance map admin 15
    ! that's optional
    kerberos credentials forward
    !
    ! I strongly suggest this as well, adjusted to your case
    ntp server your.ntp.server
    clock timezone GMT -6
    clock summer-time CDT recurring

-- Nikos
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
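The second suggestion above (upload a keytab that carries only the DES-CBC-CRC key of the switch principal) is easy to get wrong, because a KDC that also issues AES or RC4 keys for the host principal will produce a keytab the switch cannot use, and `telnet.krb5` then fails exactly as in the question. The following is an added example, not code from the post or from Cisco or Heimdal: a small parser for the MIT/Heimdal keytab file format (version 0x0502) and a check that the keytab is in the shape the post recommends. The principal `host/switch.example.com@EXAMPLE.COM`, the realm and the keytab bytes are all constructed for the example; the timestamps and keys are made up.

```python
"""Inspect a Kerberos keytab before loading it onto a Cisco IOS device.

Added example for this thread, not code from the original post. The switch
principal, realm and keytab bytes below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Enctype numbers from the IANA Kerberos registry (RFC 3961).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
DES_CBC_CRC = 1


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes
    timestamp: int


def _counted(buf: bytes, off: int):
    """Read a counted_octet_string: uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse keytab format version 2 (magic 0x05 0x02).

    Record: int32 size (negative = deleted slot), uint16 component count,
    realm, components, uint32 name type, uint32 timestamp, uint8 kvno,
    keyblock (uint16 enctype, uint16 length, key), optional uint32 kvno.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        etype, klen = struct.unpack_from(">HH", data, off + 9)
        key = data[off + 13:off + 13 + klen]
        off += 13 + klen
        kvno = vno8
        if end - off >= 4:        # 32-bit kvno present; wins when non-zero
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, etype, key, ts))
    return entries


def _odd_parity(key: bytes) -> bool:
    """Kerberos stores single-DES keys with odd parity in every byte."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def check_switch_keytab(data: bytes, principal: str) -> list[str]:
    """Problems that would stop the switch from using this keytab: the post's
    advice is one des-cbc-crc key for the host principal, nothing else."""
    entries = [e for e in parse_keytab(data) if e.principal == principal]
    problems = []
    if not entries:
        problems.append(f"no key for {principal}")
    for e in entries:
        name = ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
        if e.enctype != DES_CBC_CRC:
            problems.append(f"{principal} kvno {e.kvno}: enctype {name}, "
                            "not des-cbc-crc; delete it before uploading")
        elif len(e.key) != 8 or not _odd_parity(e.key):
            problems.append(f"{principal} kvno {e.kvno}: malformed DES key")
    if len({e.kvno for e in entries}) > 1:
        problems.append(f"{principal}: several kvnos; keep the KDC's current one")
    return problems


def _entry(principal: str, kvno: int, etype: int, key: bytes,
           ts: int = 1251799200) -> bytes:
    """Serialise one record in the format parse_keytab reads (sample data)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name type 1 = NT-PRINCIPAL
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample keytab (not a real export): the switch principal has an
# AES key the switch cannot use plus the DES key it needs; a second host is
# there to show the filter only looks at the requested principal.
SWITCH_PRINCIPAL = "host/switch.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry(SWITCH_PRINCIPAL, 3, 18, bytes(range(32)))
    + _entry(SWITCH_PRINCIPAL, 3, DES_CBC_CRC, bytes.fromhex("0e0b0d0e0b0d0e0b"))
    + _entry("host/other.example.com@EXAMPLE.COM", 1, DES_CBC_CRC, b"\x01" * 8)
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    for p in check_switch_keytab(SAMPLE_KEYTAB, SWITCH_PRINCIPAL):
        print("PROBLEM:", p)
```

Run against a real export (`open("switch.keytab", "rb").read()`) it reports the AES entry as the thing to delete, which is what `ktutil list` shows in tabular form but without telling you which entries the switch will choke on. Two caveats a practitioner should keep in mind: single DES is broken and current MIT KDCs refuse to issue DES keys unless `allow_weak_crypto = true` is set in krb5.conf, so this is a legacy accommodation for the switch, not a recommendation; and a kvno in the keytab that differs from the KDC's current one fails in the same way as a wrong enctype, so re-export rather than edit when the principal's key has been rotated.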
