Passwordless (Lookup type) authentication against AD

Hi Gents

I want something strange :0) I need user authentication against AD with the Lookup type instead of MS-RPC.

The idea behind it is to keep the current authentication identity source in the admin-authentication policy while allowing an admin to log in to the NAD with his SSH public key.

I am stuck on ISE using MS-RPC, with the expected result of an authentication failure:

24344 RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,IMADMIN@MyAD.local
24408 User authentication against Active Directory failed since user has entered the wrong password - MyAD

Is it possible to force a kind of Lookup authentication type instead of RPC, like we do when testing a user/computer against AD? Any ideas, please?

2 Replies

Arne Bier
VIP

Did you get a solution to this?

Isn't this determined by the SSH client and how it accesses the NAS? I am not 100% sure, but I was under the impression that when connecting to devices using a public key, there is no involvement from ISE needed; auth is done based on the saved keys in the SSH client and the IOS device.

Therefore, when regular username/password auth is needed on the same NAS, ISE is involved again.

I might also be totally wrong.

No, Arne. SSH login uses the Login service type when aaa authentication login is bound to RADIUS authC.

This is where (I'm not sure about the options) the username is mandatory, and ISE will query AD if it is configured, and will use MS-RPC anyway.

On the other side, an SSH-enabled host may have different authorized keys corresponding to different accounts on the host?

How will the SSHD host recognize which authorized keys store to use without an account name?

BR, Andy
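The question above, of how an SSH server picks the right set of authorized keys, comes down to the wire format of the authentication request. RFC 4252 section 7 defines the publickey form of SSH_MSG_USERAUTH_REQUEST, and the user name is its first field, so the server has the account name before it looks at any key. The following is an added example, not code from the thread, from ISE or from IOS: it builds and parses that message and performs the per-account key selection a server does before verifying any signature. The account names, the per-account key store and the key blobs are constructed sample data, not real keys.

```python
"""Added example: the publickey SSH_MSG_USERAUTH_REQUEST (RFC 4252 s7)
carries the user name first, which is how a server knows whose
authorized keys to consult.  All key material below is constructed."""
import struct
from typing import Optional

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252


def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode an RFC 4251 'string' at offset; return (value, new_offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + length], off + length


def build_publickey_request(user: str, algo: str, key_blob: bytes,
                            signature: Optional[bytes] = None) -> bytes:
    """Build SSH_MSG_USERAUTH_REQUEST for method 'publickey'.
    Without a signature this is the 'query' form: the client asks whether
    this key would be acceptable for this user before signing anything."""
    msg = bytes([SSH_MSG_USERAUTH_REQUEST])
    msg += ssh_string(user.encode("utf-8"))   # user name is the first field
    msg += ssh_string(b"ssh-connection")      # service name
    msg += ssh_string(b"publickey")           # method name
    msg += b"\x01" if signature is not None else b"\x00"
    msg += ssh_string(algo.encode("ascii"))
    msg += ssh_string(key_blob)
    if signature is not None:
        msg += ssh_string(signature)
    return msg


def parse_userauth_request(msg: bytes) -> dict:
    """Parse the publickey form of SSH_MSG_USERAUTH_REQUEST into a dict."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST")
    off = 1
    user, off = read_string(msg, off)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    if method != b"publickey":
        raise ValueError(f"unsupported method {method!r}")
    has_sig = msg[off] == 1
    off += 1
    algo, off = read_string(msg, off)
    blob, off = read_string(msg, off)
    sig = None
    if has_sig:
        sig, off = read_string(msg, off)
    return {"user": user.decode("utf-8"), "service": service.decode("ascii"),
            "algorithm": algo.decode("ascii"), "key_blob": blob,
            "has_signature": has_sig, "signature": sig}


# Constructed per-account key store, standing in for ~user/.ssh/authorized_keys
# on a Unix host or a per-username pubkey entry on a network device.
# The blobs are fake placeholders of the right shape, not real public keys.
AUTHORIZED_KEYS = {
    "imadmin": {("ssh-ed25519", b"\x00\x00\x00\x0bssh-ed25519" + b"K" * 36)},
    "netops":  {("ssh-ed25519", b"\x00\x00\x00\x0bssh-ed25519" + b"N" * 36)},
}


def key_acceptable(msg: bytes, store=AUTHORIZED_KEYS) -> bool:
    """Server-side step: select the key set by the user name carried in the
    request, then check whether the offered key is in it.  Signature
    verification follows this step and is out of scope here."""
    req = parse_userauth_request(msg)
    allowed = store.get(req["user"], set())
    return (req["algorithm"], req["key_blob"]) in allowed


if __name__ == "__main__":
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"K" * 36
    query = build_publickey_request("imadmin", "ssh-ed25519", blob)
    print(parse_userauth_request(query)["user"], key_acceptable(query))
    # The same key offered for a different account is rejected, because the
    # user name in the request is what selects the key set.
    print(key_acceptable(build_publickey_request("netops", "ssh-ed25519", blob)))
```

The point of the example is the order of fields: the account name is sent before the key, so there is no "without an account name" case on the SSH wire, and a key that is valid for one account is not accepted for another. Whether the device then also sends that user name on to a RADIUS server for authorization is a separate, device-specific matter that this example does not model.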