07-03-2007 10:32 AM - edited 03-10-2019 03:15 PM
Hi,
I'm trying to configure Kerberos authentication for local users on Cisco. The KDC is running under Windows 2003, but I got the following error from debugging:
AAA/BIND(000002D4): Bind i/f
AAA/AUTHEN/LOGIN (000002D4): Pick method list 'default'
Kerberos: All dialogue with KDC will now use default interface as source
Kerberos: Sent TGT request to KDC 192.168.11.14
Kerberos: Received TGT reply from KDC 192.168.11.14
Kerberos: KRB_ERROR (code=52) returned
Kerberos(000002D4): Received invalid credential.
Where I can find those cisco KRB_ERROR codes?
Best regards,
Vladimir
07-03-2007 11:19 AM
Hi Vladimir,
It's caused by AD needing to return a particularly large number of groups that a user belongs to, and trying to switch to TCP instead of UDP because of UDP packet size limits.
Older versions of Kerberos don't support TCP, and thus don't know what to do.
Hope that helps !
Regards,
~JG
07-04-2007 12:55 AM
Thanks a lot for a quick answer. However, I am still confused how to solve this problem between Cisco and Windows AD.
I would like to use Kerberos to authenticate local Cisco users instead of radius authentication.
Under Windows 2003, I have created the user cisco1 to be able to create a keytab:
C:\Documents and Settings\admin>ktpass /crypto des-cbc-crc /desonly /ptype KRB5_NT_PRINCIPAL /pass PaSsWoRd123 /out cisco.keytab /princ host/cisco1.company.domain@COMPANY.LOCAL /mapuser cisco1@COMPANY.LOCAL
Targeting domain controller: ad01.company.local
Successfully mapped host/cisco1.company.domain to cisco1.
Key created.
Output keytab to cisco.keytab:
Keytab version: 0x502
keysize 68 host/cisco1.company.domain@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL)
vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0x233d1f4c91341029)
Account cisco1 has been set for DES-only encryption.
Cisco configuration:
aaa authentication login default krb5 local
username ciscoadmin password 7 ********
username joe password 7 ********
Comment: the ciscoadmin and joe users under AD are members of 7 groups, and they have a different password than the local users ciscoadmin and joe on the Cisco router.
kerberos local-realm COMPANY.LOCAL
kerberos srvtab entry host/cisco1.company.domain@COMPANY.LOCAL
kerberos server COMPANY.LOCAL 192.168.11.14
kerberos preauth encrypted-kerberos-timestamp
kerberos credentials forward
Does the Cisco Kerberos client under IOS Version 12.4(12) use TCP, or does it use UDP only?
Regards,
Vladimir
07-05-2007 10:08 AM
Hi,
What kind of users are we trying to authenticate, like VPN or wireless, etc.?
Regards,
~JG
07-05-2007 11:15 AM
Hi,
Just a local Cisco user that should have access to the router and run some set of show commands.
The same username is active in AD.
With RADIUS it's working, but switching to Kerberos is causing the problem above.
Regards,
Vladimir
07-09-2007 06:17 AM
Keeping the thread live for inputs.