which aaa protocol to use between asa/pix and active directory?

This is on an ASA5520 running “Cisco Adaptive Security Appliance Software Version 7.0(6)”

aaa-server protocol nt, ldap, kerberos, radius or tacacs for active directory authentication? I thought googling for “aaa-server protocol nt” might bring up some decent results, but instead I found one of my own posts on the first page of results. Fail.

As noted in the post linked above, NT is easy to set up, but I wonder if it’s supported by newer software. Apparently NT uses NTLMv1, which is bad.

It sounds like kerberos would work with active directory (I know AD has kerb likeness, but I never trust microsoft’s implementations of this crap to actually work in the same way as everything else; see the obfuscated SMB/CIFS protocol). There’s an interesting caveat with this implementation not supporting changing passwords during negotiation due to password expiration. I don’t think anything we use currently supports that anyway. I wonder if you can change expired domain passwords via OWA yet.

There are a number of examples (1, 2) out there using RADIUS, but that’s so old skewl. Cisco has some code / walkthrough (ASDM) for doing kerb/ldap for authentication and authorization respectively here.

aaa-server mykerb protocol kerberos
aaa-server mykerb host 10.0.0.xx
 kerberos-realm CORP.EXAMPLE.COM
aaa-server mykerb host 10.0.0.xy
 kerberos-realm CORP.EXAMPLE.COM
aaa-server myldap protocol ldap
aaa-server myldap host 10.0.0.xx
 ldap-base-dn ou=CORP_USERS,dc=corp,dc=example,dc=com
 ldap-scope onelevel
 ldap-naming-attribute sAMAccountName
aaa-server myldap host 10.0.0.xy
 ldap-base-dn ou=CORP_USERS,dc=corp,dc=example,dc=com
 ldap-scope onelevel
 ldap-naming-attribute sAMAccountName

Then testing half works:

test aaa-server authentication mykerb host 10.0.0.xx username USER password PASS

This produces “ERROR: Authentication Rejected: Unspecified” when username and password are correct, otherwise “ERROR: Authentication Rejected: Invalid password” or “ERROR: Authentication Rejected: User was not found”. So something’s working right, but I thought a computer account needed to exist for kerb.

The one Cisco page notes two things to check in troubleshooting: 1) clock skew (normal for kerb; I set up ntp already) and 2) “pre-authentication”. They fail to explain the latter. I found the information I needed here. “0x19 – KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required”. I take it that windows sends this kerb error if you’re trying to do kerb but aren’t authenticated, say via a computer account. Meh. Checking the “Do not require kerberos preauthentication” box on the account tab of the active directory account brought back a success in the above cisco test command, but I’m not sure that the tradeoff is acceptable. Other cisco access server software has you configure an account for it, however complex the process looks.
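The tradeoff behind that checkbox is worth spelling out: with preauthentication off, anyone who can reach the KDC can request an AS-REP for that account without knowing the password, and the reply contains material encrypted under the account's key that can be brute-forced offline. If you flip it for an ASA test, you want to know which accounts in the domain carry the flag afterwards. The audit below is an added example, not from the original post or from Cisco; the userAccountControl bit values are Microsoft's documented UF_* constants, the bitwise-AND matching rule OID is the standard AD one, and the account entries are constructed rather than pulled from a real domain.

```python
"""Find enabled AD accounts with Kerberos preauthentication disabled or
DES-only keys, the two flags an ASA 7.0 Kerberos integration tempts you to set.
Added example; entries below are constructed, not from a real directory."""

# userAccountControl bits (Microsoft UF_* constants)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_USE_DES_KEY_ONLY = 0x200000        # "Use DES encryption types for this account"
UF_DONT_REQUIRE_PREAUTH = 0x400000    # "Do not require Kerberos preauthentication"

# AD extensible-match rule for bitwise AND, usable in an LDAP search filter
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def risky_flags(uac: int) -> list:
    """Names of the risky flags set in a userAccountControl value."""
    names = []
    if uac & UF_DONT_REQUIRE_PREAUTH:
        names.append("DONT_REQUIRE_PREAUTH")
    if uac & UF_USE_DES_KEY_ONLY:
        names.append("USE_DES_KEY_ONLY")
    return names


def audit(entries) -> dict:
    """entries: iterable of (sAMAccountName, userAccountControl).
    Returns {sAMAccountName: [flags]} for enabled accounts with a risky flag;
    disabled accounts are skipped since their keys cannot be requested."""
    findings = {}
    for name, uac in entries:
        if uac & UF_ACCOUNTDISABLE:
            continue
        flags = risky_flags(uac)
        if flags:
            findings[name] = flags
    return findings


def ad_filter(flag: int) -> str:
    """LDAP filter asking the DC itself for users carrying `flag`, for use with
    ldifde, dsquery or any LDAP client bound to the domain."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag}))"
    )


# Constructed sample export (sAMAccountName, userAccountControl)
SAMPLE_ENTRIES = [
    ("jdoe", UF_NORMAL_ACCOUNT),
    ("asa-svc", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    ("legacy", UF_NORMAL_ACCOUNT | UF_USE_DES_KEY_ONLY | UF_DONT_REQUIRE_PREAUTH),
    ("old-admin", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH),
]

if __name__ == "__main__":
    for name, flags in audit(SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(flags)}")
    print("Filter for preauth-disabled users:", ad_filter(UF_DONT_REQUIRE_PREAUTH))
```

The filter string is what you would feed to `ldifde -f out.ldf -r "<filter>" -l sAMAccountName,userAccountControl` against a DC to get the real list; the `audit()` function then runs over that export the same way it runs over the constructed entries here.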

This appears to be DES only, from all I can tell, which makes everyone gawk, but I can’t find any evidence that Windows Kerberos supports 3DES, whilst I can find evidence of people having to switch from 3DES to DES to make other Kerberos implementations work with Windows. ktpass, a Windows utility for fscking around with Kerberos, has these options:

[- /] crypto : DES-CBC-CRC : for compatibility
[- /] crypto : DES-CBC-MD5 : for compatibility
[- /] crypto : RC4-HMAC-NT : default 128-bit encryption

So I’m not feeling like kerberos is really a huge step up as far as password security goes. It’s certainly progress over NTLMv1 and its low-entropy design, but RADIUS just might be the right choice here. WinKerb would use RC4-HMAC, but I’m sure it’s using DES to talk to the Crisco.
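For comparison with the DES question above, here is what “RADIUS + MD5” means for the password on the wire between the ASA and the RADIUS server. This is an added example, not from the original post or from Cisco: it implements the RFC 2865 User-Password hiding (password XORed with chained MD5 of the shared secret and Request Authenticator) and the Response Authenticator, and goes one step beyond the text by showing the offline check an eavesdropper runs against a captured Access-Request/Access-Accept pair to recover a weak shared secret and, with it, every hidden password. The shared secret, password and packet values are constructed for illustration.

```python
"""RFC 2865 User-Password hiding and Response Authenticator, plus the offline
shared-secret check that makes a weak secret fatal. Added example; all
secrets, passwords and packets are constructed."""
import hashlib
import os

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; strips the null padding (so a password
    ending in NUL bytes would lose them, which RADIUS itself tolerates)."""
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Length is the 20-octet header plus the attributes."""
    length = 20 + len(attributes)
    return hashlib.md5(bytes([code, identifier]) + length.to_bytes(2, "big")
                       + request_auth + attributes + secret).digest()


def recover_secret(request_auth: bytes, reply_code: int, reply_id: int,
                   reply_attrs: bytes, reply_auth: bytes, wordlist):
    """Offline check of secret guesses against a captured reply. One MD5 per
    guess, no interaction with the server: a dictionary-word shared secret
    gives away every User-Password the sniffer has seen."""
    for guess in wordlist:
        if response_authenticator(reply_code, reply_id, request_auth,
                                  reply_attrs, guess) == reply_auth:
            return guess
    return None


def demo():
    """Constructed exchange: ASA sends Access-Request (hidden password),
    RADIUS answers Access-Accept (id 7, no attributes). Returns the secret
    the eavesdropper recovers and the password it then unhides."""
    secret = b"cisco123"          # constructed weak shared secret
    password = b"Winter2007!"     # constructed user password
    request_auth = os.urandom(16)
    hidden = hide_password(password, secret, request_auth)
    reply_auth = response_authenticator(ACCESS_ACCEPT, 7, request_auth, b"", secret)
    guess = recover_secret(request_auth, ACCESS_ACCEPT, 7, b"", reply_auth,
                           [b"password", b"radius", b"cisco123", b"secret"])
    recovered = reveal_password(hidden, guess, request_auth) if guess else None
    return guess, recovered


if __name__ == "__main__":
    print(demo())
```

The point for the ASA decision: the password confidentiality of RADIUS is exactly the strength of the shared secret and the unpredictability of the ASA's Request Authenticator, nothing more. A long random `key` on the `aaa-server host` line and a management network the user population cannot sniff are what make “RADIUS + MD5” acceptable; with a short secret it is no better than the DES Kerberos exchange being weighed against it.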

Ken Caruso pointed out some commands in IOS for configuring preauth, but they don’t appear to exist in ASA v7.0.

So, I guess it’s trusting RADIUS + MD5.
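For completeness, the RADIUS equivalent of the Kerberos/LDAP config above, as an added example (not from the original post or from Cisco's walkthrough), using the same placeholder server addresses; `<shared-secret>` stands for the per-server key you configure on both the ASA and the RADIUS server, and the explicit port lines are only needed if your server does not also listen on the ASA's 1645/1646 defaults:

```text
aaa-server myradius protocol radius
aaa-server myradius host 10.0.0.xx
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
aaa-server myradius host 10.0.0.xy
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
test aaa-server authentication myradius host 10.0.0.xx username USER password PASS
```

The `test aaa-server` command gives the same Accepted/Rejected answer it does for Kerberos, and with RADIUS there is no preauthentication flag to flip on the AD account: the RADIUS server (IAS, for a Windows domain) does the AD lookup with its own machine credentials.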

It does appear that ASA v8.0 supports NTLMv2, and perhaps other features. Worth upgrading? Hmm.
