07-11-2022 10:15 AM
I would like to use my Cisco ISE 3.1 patch 3 to authenticate Linux SSH logins via Cisco ISE with RADIUS authentication.
I have it working with my Redhat Linux and Cisco ISE 3.1 patch-3 using radius PAP authentication. However, PAP is not a secure method and I would like to implement PEAP/msCHAPv2. However, I have not been able to find any useful documentation on how to implement this.
Has anyone done this before? If so, can you share your knowledge? TIA.
07-11-2022 10:39 AM
So PEAP is a form of EAP. EAP is not in play here since there isn't an endpoint or supplicant configuration. It is just the text-based username/password entered into the SSH attempt on the Linux machine. Is your Linux machine capable of encapsulating that plain text admin/password into a PEAP packet?
07-11-2022 10:46 AM
I have successfully configured my Red Hat Linux to use RADIUS authentication via Cisco ISE, but only with PAP. I would like to do it via msCHAPv2 or PEAP. I've successfully configured my Palo Alto firewalls to authenticate via SSH and HTTPS via PEAP/msCHAPv2. I want to do the same thing on my Red Hat Linux machine.
What makes you think EAP is not in play here? Yes, it is text based, but the authentication piece is much more complex than you think.
I know PEAP/msCHAPv2 is definitely doable, I just don't know how to go about configuring it.
07-13-2022 06:39 AM
Please provide some screenshots of the configurations you did on the Red Hat Linux and Palo Alto firewalls for the SSH access so we may understand better.
07-14-2022 09:45 AM
There is no screenshot on the linux. It is all CLI based. You can easily find it on the Internet for PAP. For PaloAlto firewalls, it is very simple, I just changed it from PAP to "PEAP mschapv2" with "anonymous" on the outer shell. There is nothing to it.
For linux: https://unix.stackexchange.com/questions/202233/simple-radius-authentication
I did that, but there doesn't seem to be documentation to set up msCHAP-v2.
07-16-2022 04:40 PM
It's possible that Palo Alto firewall has a special client implementation for such communication option with a RADIUS AAA server.
For Linux, you would need to either find one with more protocol support or write one yourself.
02-06-2023 03:35 AM
Could you please write how you configure ISE RADIUS for Linux?
07-17-2023 02:07 AM - edited 07-17-2023 02:48 AM
Hello, how did you do it? I am trying with Rocky 8.8 (which is more or less like RHEL 8), but ssh with ISE-radius is not working.
It's ok when I just do a radtest from Linux-server, but not with real ssh connection (wrong user name or password).
It seems that Linux needs to have the user (without password) also local to authenticate him against Radius?
Which is not very comfortable.
07-17-2023 06:08 AM
@chris-doro: Please send me a private message and I will send you the instruction on how to do this.
08-02-2023 12:17 PM
@adamscottmaster2013 were you able to get the authentication working with msCHAP-v2?