[31437] in Kerberos
Re: CISCO and kerberos
daemon@ATHENA.MIT.EDU (Nikolay Shopik)
Tue Sep 1 11:20:30 2009
To: kerberos@mit.edu
From: Nikolay Shopik <shopik@inblock.ru>
Date: Tue, 01 Sep 2009 17:41:03 +0400
Message-ID: <h7j8a9$6k3$1@ger.gmane.org>
In-Reply-To: <h7iui4$ltq$1@ulysses.noc.ntua.gr>
On 01.09.2009 14:55, Nikos Nikoleris wrote:
> jarek wrote:
>> Hi all!
>>
>> I'd like to configure a CISCO Catalyst to use kerberos against an AD server
>> (W2008). I'd like to log in to the cisco using a ticket and telnet.krb5 from
>> the krb5-clients package. When I try telnet.krb5 -a -f cisco_ip, I'm
>> getting:
>>
>> [ Kerberos V5 refuses authentication ]
>> kerberos_server_auth: Couldn't authenticate client from
>> test-nms.test.local.
>>
>> What can be wrong?
>>
>> Does someone have a working example of a CISCO config for such a scenario?
>>
>> J.
>
> Hi Jarek,
>
> A cisco is working here with kerberos authentication, but the KDC is Heimdal
> kerberos. Some suggestions are:
> * Timing issues, you have to make sure both the kdc and the cisco are
> sync'd... (That's very important)
> * Try uploading the keytab using only the DES-CBC-CRC enc of the cisco
> principal...
> * Your cisco should have a configuration like:
> aaa new-model
> aaa authentication login default krb5-telnet krb5 local enable
> aaa authorization exec default krb5-instance
> kerberos local-realm YOUR.REALM
> kerberos srvtab entry host/FQDN.OF.YOUR.SWITCH@YOUR.REALM (there should
> be some numbers here as well)
> kerberos clients mandatory
> kerberos server YOUR.REALM $(IP of your KDC)
> kerberos instance map admin 15 # this will map kerberos users */admin to
> the superuser of cisco
> kerberos credentials forward # that's optional
>
> # I strongly suggest this as well adjusted to your case
> ntp server your.ntp.server
> clock timezone GMT -6
> clock summer-time CDT recurring
>
> -- Nikos
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
Hi Nikos,
If I'm not mistaken, they don't yet support kerberos for SSH, do they?
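Nikos's second suggestion above is to load a keytab that carries only the DES-CBC-CRC key of the switch principal. A keytab exported from AD with ktpass or from MIT/Heimdal with ktutil usually carries several enctypes, so it is worth checking what is actually in the file before turning it into a srvtab. The script below is an added example written for this thread; it is not code from the posts, from Cisco IOS or from the MIT/Heimdal distributions. It parses the MIT keytab on-disk format (version 0x0502), lists principal, kvno and enctype per entry, and flags single-DES entries, which RFC 6649 deprecates and which a modern KDC will only issue if DES is deliberately enabled for that principal. The sample keytab is constructed inline by build_keytab(); the principal and realm names are placeholders.

```python
"""Audit the enctypes in an MIT-format keytab before loading it as a Cisco srvtab.

Added example for this thread (not code from the posts or from any Cisco/MIT
tool). The keytab bytes are constructed inline by build_keytab(); the
principal and realm names are placeholders.
"""
import struct

# Enctype numbers from RFC 3961 / the IANA Kerberos registry (subset).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3}          # single DES, deprecated by RFC 6649
KEYTAB_MAGIC = b"\x05\x02"      # keytab format version 2


def _counted(data: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a 0x0502 keytab.
    Only used to construct sample input; real keytabs come from ktutil/ktpass."""
    out = KEYTAB_MAGIC
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name_type=1 (NT-PRINCIPAL), timestamp=0, 8-bit vno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes):
    """Return one dict per live entry of a 0x0502 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version (expected 0x0502)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno extension overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
            "key_len": len(key),
            "weak": enctype in WEAK_ENCTYPES,
        })
    return entries


def only_enctype(entries, enctype: int) -> bool:
    """True if every entry uses the given enctype (what a DES-only device needs)."""
    return bool(entries) and all(e["enctype"] == enctype for e in entries)


def report(data: bytes):
    """One line per entry, flagging deprecated DES keys."""
    lines = []
    for e in parse_keytab(data):
        flag = "  [deprecated enctype]" if e["weak"] else ""
        lines.append(f'{e["principal"]} kvno={e["kvno"]} {e["enctype_name"]}{flag}')
    return lines


# Constructed sample: an export that carries both an AES and a DES key.
SAMPLE_KEYTAB = build_keytab([
    ("host/switch1.example.test@EXAMPLE.TEST", 300, 18, b"\x11" * 32),
    ("host/switch1.example.test@EXAMPLE.TEST", 300, 1, b"\x22" * 8),
])

if __name__ == "__main__":
    for line in report(SAMPLE_KEYTAB):
        print(line)
    print("DES-CBC-CRC only:", only_enctype(parse_keytab(SAMPLE_KEYTAB), 1))
```

On a real file, replace SAMPLE_KEYTAB with the bytes of the exported keytab; if only_enctype(..., 1) is False, the export still carries keys the switch cannot use, and the kvno column shows whether the switch entry and the KDC are on the same key version (a kvno mismatch is another common cause of the "Couldn't authenticate client" failure quoted above).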