Enable SSH Login on a Cisco Router

Quick example of setting up SSH access on a Cisco router. I have a few dozen routers in my lab I’m working on and actually made this scripted. This is here for me to remember in the future.

Router(config)# crypto key generate rsa usage-keys label rtr-key
The name for the keys will be: rtr-key
Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
Choose the size of the key modulus in the range of 360 to 2048 for your
Encryption Keys. Choosing a key modulus greater than 512 may take
a few minutes.
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Router(config)#exit

Check to make sure SSH is now enabled.

Router(config)# do sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

Now configure VTY access, setting SSH as the preferred (and only permitted) transport.

Router#conf t
!
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
login local
transport preferred ssh
transport input ssh
!
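As an added example (my own code, not from the original post), here is the kind of check a scripted rollout could run over a batch of saved running-configs to verify the VTY hardening above. The config text is a constructed sample; the second vty stanza is deliberately left at a typical telnet-permitting default.

```python
import re

# Constructed sample running-config: first vty stanza hardened as in the post, second still permits telnet.
SAMPLE_CONFIG = """\
!
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 privilege level 15
 login local
 transport preferred ssh
 transport input ssh
!
line vty 5 15
 login
 transport input telnet ssh
!
"""

def vty_blocks(config):
    """Map each 'line vty X Y' stanza name to its indented commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return blocks

def audit_vty(config):
    """Return one finding string per deviation from the post's vty template."""
    findings = []
    for name, cmds in vty_blocks(config).items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{name}: no 'transport input' (platform default may allow telnet)")
        elif transport.split()[2:] != ["ssh"]:
            findings.append(f"{name}: '{transport}' still permits cleartext telnet")
        if not any(re.match(r"access-class \S+ in$", c) for c in cmds):
            findings.append(f"{name}: no inbound access-class limiting source addresses")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{name}: no exec-timeout, idle sessions never expire")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"{name}: not using local or AAA authentication")
    return findings
```

Note that access-class 1 references a standard ACL that must exist on the router; this check only confirms the line references one.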

Go play.

Configure Cisco ASA to Capture Specific Port Traffic

On a Cisco ASA you can configure capturing of data to allow for deeper troubleshooting of issues. With the recent issue of the Heartbleed bug, I needed a way to capture HTTPS traffic and inspect remote hosts for the vulnerability. If the site was vulnerable, I would create a temporary block until that site patched.
On the Cisco ASA I set up an access-list:

access-list heartbleed line 1 extended permit tcp any any eq https

I create a capture:

capture heartbleed access-list heartbleed interface inside

Then I can view the capture:

show capture heartbleed

Example output of the above command:

1025: 09:52:27.882385 10.147.204.104.55665 > 74.125.228.5.443: . ack 3734113485 win 64860
1026: 09:52:27.882858 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798098736 win 64860
1027: 09:52:27.883239 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798101496 win 64860
1028: 09:52:27.883438 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798104256 win 64860

Alternatively, while the capture is enabled it is accessible via the web interface of the ASA.

https://192.168.1.1/admin/capture/heartbleed
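As an added example (my own code, not from the post), here is a parser for the show capture line format above that turns a capture into the list of remote HTTPS servers internal hosts are talking to, which is the inventory you would want before inspecting each one. The capture text is a constructed sample in the shape of the output shown, with one extra SYN line and the trailer line the ASA prints.

```python
import re
from collections import Counter, defaultdict

# One packet line of ASA 'show capture <name>' output has the shape
#   <seq>: <hh:mm:ss.usec> <src-ip>.<sport> > <dst-ip>.<dport>: <flags> <tcp details>
CAPTURE_LINE = re.compile(
    r"^\s*(?P<seq>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

# Constructed sample: the four lines above, one SYN to another server, and the trailer.
SAMPLE_CAPTURE = """\
1025: 09:52:27.882385 10.147.204.104.55665 > 74.125.228.5.443: . ack 3734113485 win 64860
1026: 09:52:27.882858 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798098736 win 64860
1027: 09:52:27.883239 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798101496 win 64860
1028: 09:52:27.883438 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798104256 win 64860
1029: 09:52:28.104511 192.168.1.120.50223 > 203.0.113.10.443: S 1741022011:1741022011(0) win 8192
5 packets shown
"""

def parse_capture(text):
    """Parse packet lines into dicts; the trailer and other non-packet lines are skipped."""
    records = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        rec["flags"] = rec["rest"].split()[0] if rec["rest"] else ""
        records.append(rec)
    return records

def servers_by_port(records, port=443):
    """Map each destination IP on `port` to the set of internal sources talking to it."""
    seen = defaultdict(set)
    for r in records:
        if r["dport"] == port:
            seen[r["dst"]].add(r["src"])
    return dict(seen)

def new_connections(records, port=443):
    """Count SYN packets (flags token 'S') per destination: one per new TLS session."""
    return Counter(r["dst"] for r in records if r["dport"] == port and r["flags"].startswith("S"))
```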

Test Cisco ASA VPN Authentication

Had an issue with a user who was failing to log into the VPN remotely. Couldn't initially figure it out while at home troubleshooting the authentication. So here's how to test authentication from the Cisco ASA CLI.

ciscoasa# test aaa-server authentication AUTH2K8 host 192.168.1.2 username rkreider password s3cr3t

The server group (AUTH2K8 here), host, username and password are the values you need to supply. If you are not sure of the AAA server group name, use the following command to list all the authentication servers.

ciscoasa# show aaa-server

This lists all the aaa-servers; to narrow it down, as in my case, I specified some additional arguments.

ciscoasa# show aaa-server authentication protocol nt

Here is a list of available protocols.

ciscoasa# show aaa-server protocol ?
  http-form  Protocol HTTP form-based
  kerberos   Protocol Kerberos
  ldap       Protocol LDAP
  nt         Protocol NT
  radius     Protocol RADIUS
  sdi        Protocol SDI
  tacacs+    Protocol TACACS+

So, for me, the output for the aaa-server of type NT is as follows.

Server Group:    AUTH2K8
Server Protocol: nt
Server Address:  192.168.1.2
Server port:     139
Server status:   ACTIVE, Last transaction at 13:16:58 EDT Wed Mar 26 2014
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       435
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       389
Number of rejects                       31
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      15
Number of unrecognized responses        0

I used the Server Group and Server Address values from that output in my test case. Here is my command again, with the results.

ciscoasa# test aaa-server authentication AUTH2K8 host 192.168.1.2 username rkreider password s3cr3t
INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure
ciscoasa# test aaa-server authentication AUTH2K8 host 192.168.1.2 username rkreider password sup3rs3cr3t
INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds)
INFO: Authentication Successful

My issue was actually related to a setting on the account profile in Active Directory restricting server logons which inherently prevented authentication from working.

Cisco IOS EEM: Send Email on VPN Connection

I set up a Cisco router to send an email whenever a VPN user connected.  I did this for accounting purposes before I moved to RADIUS.  I’ll put this up here because someone else may be interested in this for their own use.

Step 1: Environment Variable Setup

I like to configure variables to use throughout my EEM applets so I don't have to remember everything. These set up a few, such as the mail server, the from address and the to address.

router(config)#event manager environment _email_server 192.168.1.10
router(config)#event manager environment _email_from alerts@domain.local
router(config)#event manager environment _email_to admin@domain.local

Step 2: Create Event Manager Applet

Creating the applet is quite simple.

router(config)#event manager applet audit-vpn-login-ok

This creates the applet and puts you into its config mode to allow you to configure additional information.

Step 3: Identify what to look for

I simply look for a syslog pattern that corresponds to a Virtual-Access adapter being created (which indicates in my setup that a VPN has been established successfully).

router(config-applet)#event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access.*up"

After I tell it what to look for, I give it some actions.

Step 4: Configure Actions

For information purposes, I run "show crypto ipsec sa | include local crypto"; EEM stores the output of that command in the $_cli_result variable. This is helpful for telling me which IP address created the VPN. I could extend this by looking for a username segment, but in this simple example I'm sticking to just which IP established the VPN.

router(config-applet)#action 1.0 cli command "enable"
router(config-applet)#action 1.5 cli command "sh crypto ipsec sa | i local crypto"

Now I send the Email using the variables defined above and also include the $_cli_result (output of the command above stored as a variable) in the body.

router(config-applet)#action 2.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: VPN User Connected" body "Connection:\n$_cli_result"

Finally, I also log a syslog message noting that a VPN connection was established.

router(config-applet)#action 2.5 syslog priority notifications msg "VPN UP - Mail Sent"

Full Code

router(config)#event manager environment _email_server 192.168.1.10
router(config)#event manager environment _email_from alerts@domain.local
router(config)#event manager environment _email_to admin@domain.local
router(config)#event manager applet audit-vpn-login-ok
router(config-applet)#event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access.*up"
router(config-applet)#action 1.0 cli command "enable"
router(config-applet)#action 1.5 cli command "sh crypto ipsec sa | i local crypto"
router(config-applet)#action 2.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: VPN User Connected" body "Connection:\n$_cli_result"
router(config-applet)#action 2.5 syslog priority notifications msg "VPN UP - Mail Sent"
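As an added example (my own code, not part of the post or of Cisco EEM), here is an offline dry run of the applet's logic: it applies the same trigger pattern to constructed syslog lines to confirm it fires only when a Virtual-Access interface comes up, pulls the peer addresses out of constructed "show crypto ipsec sa | include local crypto" output standing in for $_cli_result, and renders the subject and body the mail action would send. The $_event_pub_time value is also a constructed placeholder.

```python
import re

# The applet's trigger, used here as a Python regex (EEM patterns are POSIX-style
# regexes; this simple pattern behaves the same in both).
TRIGGER = re.compile(r"LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access.*up")

# Constructed syslog lines: only the first should trigger the applet.
SAMPLE_SYSLOG = [
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "%LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up",
]

# Constructed stand-in for $_cli_result, i.e. the filtered 'show crypto ipsec sa' lines.
SAMPLE_CLI_RESULT = (
    "   local  crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.7\n"
    "   local  crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.22\n"
)

ENDPOINTS = re.compile(r"local\s+crypto endpt\.:\s*(\S+),\s*remote crypto endpt\.:\s*(\S+)")

def fires_on(line):
    """True when the applet's 'event syslog pattern' would match this syslog line."""
    return TRIGGER.search(line) is not None

def peers(cli_result):
    """Return (local, remote) endpoint pairs found in the captured CLI output."""
    return ENDPOINTS.findall(cli_result)

def build_mail(pub_time, cli_result):
    """Render subject and body the way the 'action 2.0 mail' template does."""
    return {
        "subject": f"{pub_time}: VPN User Connected",
        "body": f"Connection:\n{cli_result}",
    }

def dry_run(syslog_lines, cli_result, pub_time="Mar 26 13:16:58 (constructed)"):
    """Walk the sample log; return the mails the applet would have sent."""
    return [build_mail(pub_time, cli_result) for line in syslog_lines if fires_on(line)]
```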