topic Re: Authenticate Redhat Linux ssh login using radius on Cisco ISE in Network Access Control

Authenticate Redhat Linux ssh login using radius on Cisco ISE

adamscottmaster2013 — Mon, 11 Jul 2022 17:15:26 GMT

I would like to using my Cisco ISE 3.1 patch 3 to authenticate linux ssh login via Cisco ISE with radius authentication.

I have it working with my Redhat Linux and Cisco ISE 3.1 patch-3 using radius PAP authentication. However, PAP is not a secure method and I would like to implement PEAP/msCHAPv2. However, I have not been able to find any useful documentation on how to implement this.

Has anyone done this before? If so, can you share your knowledge? TIA.

Re: Authenticate Redhat Linux ssh login using radius on Cisco ISE

ahollifield — Mon, 11 Jul 2022 17:39:08 GMT

So PEAP is a form on EAP. EAP is not in play here since there isn't an endpoint or supplicant configuration. It is just the text-based username/password entered into the SSH attempt on the Linux machine. Is your Linux machine capable of encapsulating that plain text admin/password into a PEAP packet?

Re: Authenticate Redhat Linux ssh login using radius on Cisco ISE

adamscottmaster2013 — Mon, 11 Jul 2022 17:46:19 GMT

I have successfully configured my redhat Linux to use radius authentication via Cisco ISE but only with PAP. I would like to do it via msCHAPv2 or PEAP. I've successfully configured my PaloAlto firewalls to authtenticate via ssh and https via PEAP/msCHAPv2. I want to do the same thing on my redhat linux machine.

What make you think EAP is not in play here? yes, it is a text based but the authentication piece is much more complex than you think.

I know PEAP/msCHAPv2 is definitely doable, just just don't know how to go about configuring it.

Re: Authenticate Redhat Linux ssh login using radius on Cisco ISE

hslai — Wed, 13 Jul 2022 13:39:09 GMT

Please provide some screenshots of the configurations you did on the redhat Linux and PaltoAlto firewalls for the SSH access so we may understand better.

Re: Authenticate Redhat Linux ssh login using radius on Cisco ISE

adamscottmaster2013 — Thu, 14 Jul 2022 16:45:11 GMT

There is no screenshot on the linux. It is all CLI based. You can easily find it on the Internet for PAP. For PaloAlto firewalls, it is very simple, I just changed it from PAP to "PEAP mschapv2" with "anonymous" on the outer shell. There is nothing to it.

For linux: https://unix.stackexchange.com/questions/202233/simple-radius-authentication

i did that but there doesn't seem to be documentation to setup msCHAP-v2

Re: Authenticate Redhat Linux ssh login using radius on Cisco ISE

hslai — Sat, 16 Jul 2022 23:40:43 GMT

It's possible that Palo Alto firewall has a special client implementation for such communication option with a RADIUS AAA server.

For Linux, you would need either find one with more protocol support or write one yourself.

Re: Authenticate Redhat Linux ssh login using radius on Cisco ISE

netbfc — Mon, 06 Feb 2023 11:35:36 GMT

May please write how you configure ISE Radius for Linux?

Re: Authenticate Redhat Linux ssh login using radius on Cisco ISE

chris-doro — Mon, 17 Jul 2023 09:48:22 GMT

Hello, how did you do it? I am trying with Rocky 8.8 (which is more or less like RHEL 8), but ssh with ISE-radius is not working.
It's ok when I just do a radtest from Linux-server, but not with real ssh connection (wrong user name or password).

It seems that Linux needs to have the user (without password) also local to authenticate him against Radius?
Which is not very comfortable.

Re: Authenticate Redhat Linux ssh login using radius on Cisco ISE

adamscottmaster2013 — Mon, 17 Jul 2023 13:08:34 GMT

@chris-doro: Please send me a private message and I will send you the instruction on how to do this.

Re: Authenticate Redhat Linux ssh login using radius on Cisco ISE

franksilva — Wed, 02 Aug 2023 19:17:05 GMT

@adamscottmaster2013were you able to get the authentication working with msCHAP-v2?