Cisco IOS VPN Authentication via Windows Radius/IAS

Here are the important pieces of the puzzle…

Router:

aaa new-model
!
!
aaa authentication login default group radius
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
!
aaa session-id common
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key remote
 dns 10.0.0.10
 domain techish.net
 pool ippool
 acl 105
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map clientmap
!
ip radius source-interface FastEthernet0/1
!
! Split tunnel VPN traffic
access-list 105 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
radius-server host 10.147.204.12 auth-port 1645 acct-port 1646 key cisco

Windows Server 2003 IAS:
Screenshots soon…
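The router configuration above works, but several of its settings would be flagged in a review today (3DES and DH group 2 for IKE, esp-3des for IPsec, the short group pre-shared key and RADIUS secret, and a login list that has no local fallback if the RADIUS server is down). Here is an added example, not part of the original post, that greps a saved copy of the running config for exactly those points. The sample config is constructed from the lines above; the 16-character minimum for shared secrets and the WARN/INFO labels are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a saved IOS config for
# the weak VPN/RADIUS settings discussed on this page. The 16-character
# secret threshold is an assumption of this example.

# Constructed sample: the relevant lines of the router config from the post.
write_sample_config() {
  cat > "$1" <<'EOF'
aaa new-model
aaa authentication login default group radius
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group vpnclient
 key remote
 pool ippool
 acl 105
crypto ipsec transform-set myset esp-3des esp-sha-hmac
radius-server host 10.147.204.12 auth-port 1645 acct-port 1646 key cisco
EOF
}

MIN_SECRET_LEN=16   # assumption: shorter shared secrets are flagged

# Print one finding per line, prefixed WARN or INFO. Always returns 0 so it
# can be used inside command substitution under "set -e".
audit_ios_config() {
  cfg="$1"

  grep -Eq '^ *encr 3des$' "$cfg" \
    && echo "WARN isakmp policy uses 3DES; prefer AES (encr aes 256)"
  grep -Eq '^ *group [12]$' "$cfg" \
    && echo "WARN isakmp policy uses DH group 1/2; prefer group 14 or higher"
  grep -Eq '^crypto ipsec transform-set .* esp-3des' "$cfg" \
    && echo "WARN IPsec transform set uses esp-3des; prefer esp-aes"

  # Group pre-shared key: the indented " key <value>" under the client group.
  psk=$(sed -n 's/^ key \(.*\)$/\1/p' "$cfg" | head -n 1)
  if [ -n "$psk" ] && [ "${#psk}" -lt "$MIN_SECRET_LEN" ]; then
    echo "WARN VPN group pre-shared key is ${#psk} chars; use >= $MIN_SECRET_LEN random chars"
  fi

  # RADIUS shared secret: trailing "key <value>" on the radius-server line.
  rkey=$(sed -n 's/^radius-server host .* key \(.*\)$/\1/p' "$cfg" | head -n 1)
  if [ -n "$rkey" ] && [ "${#rkey}" -lt "$MIN_SECRET_LEN" ]; then
    echo "WARN RADIUS shared secret is ${#rkey} chars; use >= $MIN_SECRET_LEN random chars"
  fi

  # A login list that relies on RADIUS alone locks you out of the router
  # when the server is unreachable; "group radius local" keeps a fallback.
  grep -Eq '^aaa authentication login default group radius$' "$cfg" \
    && echo "WARN login default list has no local fallback; consider 'group radius local'"

  grep -Eq 'auth-port 1645 acct-port 1646' "$cfg" \
    && echo "INFO RADIUS uses legacy ports 1645/1646; IANA-assigned ports are 1812/1813"

  return 0
}

# usage: count_findings <cfg> <WARN|INFO>
count_findings() {
  audit_ios_config "$1" | grep -c "^$2 "
}

# Stand-alone usage: audit the constructed sample.
tmp_cfg=$(mktemp)
write_sample_config "$tmp_cfg"
audit_ios_config "$tmp_cfg"
rm -f "$tmp_cfg"
```

Point it at a real saved config with `audit_ios_config /path/to/running-config.txt`; the checks are plain grep/sed on the line formats IOS prints, so extend them by adding one more pattern per item you care about.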

Logoff a VPN Session from Cisco ASA 5505

First, review some of the available commands with vpn-sessiondb:

ciscoasa# vpn-sess logoff ?

  all           All sessions
  email-proxy   Email-Proxy sessions
  index         Index specific session
  ipaddress     IP Address specific sessions
  l2l           IPsec LAN-to-LAN sessions
  name          Username specific sessions
  protocol      Protocol specific sessions
  remote        IPsec Remote Access sessions
  svc           SSL VPN Client sessions
  tunnel-group  Tunnel-group sessions
  vpn-lb        VPN Load Balancing Mgmt sessions
  webvpn        WebVPN sessions

Here’s how I log off a VPN session from an ASA. You can also log off all sessions.

Log off a single session based on its index.

First, get the index.

# show vpn-sessiondb remote

Username     : remoteuser1               Index        : 10030
Assigned IP  : 172.16.0.182           Public IP    : 1.2.3.4
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : DES 3DES               Hashing      : MD5 SHA1
Bytes Tx     : 220                    Bytes Rx     : 844
Group Policy : MyGroupPolicy         Tunnel Group : tpm
Login Time   : 09:59:32 EDT Wed Sep 21 2011
Duration     : 0h:01m:15s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Look for the user and the associated index ID (the Index value on the Username line).

Log off that specific ID:

# vpn-sessiondb logoff index 10030
Do you want to logoff the VPN session(s)? [confirm]
INFO: Session with Index = 10030 has been logged off

Note: you can also log off a specific session by name (as well as by index) if you know the username.

You can log off all sessions by simply using

vpn-sessiondb logoff all
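Copying the index out of `show vpn-sessiondb remote` by hand is where mistakes happen (logging off the wrong user, or missing a second session the same user has open). The following is an added example, not part of the original post: it parses saved `show vpn-sessiondb remote` output with awk, relying on the fixed "Label : value" layout shown above, and turns a username into the `vpn-sessiondb logoff index N` command for each of that user's sessions. The sample output with two sessions is constructed, and the "expected public IP prefix" check is this example's own idea.

```shell
#!/bin/sh
# Added example (not from the original post): map usernames in saved
# "show vpn-sessiondb remote" output to their session indexes.

# Constructed sample: two sessions in the ASA's output format.
write_sample_sessions() {
  cat > "$1" <<'EOF'
Username     : remoteuser1               Index        : 10030
Assigned IP  : 172.16.0.182           Public IP    : 1.2.3.4
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : DES 3DES               Hashing      : MD5 SHA1
Bytes Tx     : 220                    Bytes Rx     : 844
Group Policy : MyGroupPolicy         Tunnel Group : tpm
Login Time   : 09:59:32 EDT Wed Sep 21 2011
Duration     : 0h:01m:15s

Username     : remoteuser2               Index        : 10031
Assigned IP  : 172.16.0.183           Public IP    : 5.6.7.8
Protocol     : IKE IPsecOverNatT
License      : IPsec
Login Time   : 10:15:02 EDT Wed Sep 21 2011
Duration     : 0h:03m:40s
EOF
}

# One line per session: "<user> <index> <assigned-ip> <public-ip>".
# Field positions follow the ASA's "Label : value" columns.
list_sessions() {
  awk '
    $1 == "Username" && $4 == "Index"  { user = $3; idx = $6 }
    $1 == "Assigned" && $5 == "Public" { print user, idx, $4, $8 }
  ' "$1"
}

# All indexes for a user (a user may have more than one session).
session_indexes_for_user() {
  list_sessions "$1" | awk -v u="$2" '$1 == u { print $2 }'
}

# Print one logoff command per matching session; fail if the user has none,
# so a typo in the username never turns into "logoff all".
logoff_commands_for_user() {
  idx=$(session_indexes_for_user "$1" "$2")
  if [ -z "$idx" ]; then
    echo "no active session for user $2" >&2
    return 1
  fi
  for i in $idx; do
    echo "vpn-sessiondb logoff index $i"
  done
}

# Sessions whose public IP does not start with the given string prefix
# (constructed example: "1.2.3."), as a quick review of where logins come from.
sessions_outside_prefix() {
  list_sessions "$1" | awk -v p="$2" 'index($4, p) != 1 { print $1, $4 }'
}

# Stand-alone usage against the constructed sample.
tmp=$(mktemp)
write_sample_sessions "$tmp"
list_sessions "$tmp"
logoff_commands_for_user "$tmp" remoteuser1
rm -f "$tmp"
```

Save the real output with your terminal's logging (or via an SSH command) and run `logoff_commands_for_user sessions.txt remoteuser1`; the printed command is then pasted into the ASA, which still asks for the `[confirm]` shown above.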

White Paper: Cisco IOS and NX-OS Software Reference Guide

From time to time I forget the release naming conventions for IOS/NX-OS software from Cisco.

I just happened to find this document today when I was trying to refresh my memory; explains what I needed QUITE well!

http://www.cisco.com/web/about/security/intelligence/ios-ref.html

This is always a great guide if you’re not too familiar with Cisco IOS (12) operations.

http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcfbook.pdf

Valkyrie’s Wireless Point-to-Point Bridge

Wireless Point-To-Point Bridge

Photos courtesy Rick Nash (image captions): NL-2511MP Plus 802.11b miniPCI; Soekris 4511-30; Cutting board (for mounting in NEMA); NEMA box (with cut holes for adapters); Connector; NEMA + Soekris 4511-30; Completed.

Background

Currently, I’m setting this up on a Soekris 4511-30 board, with a 128MB CF flash card. The system is using HostAP drivers for the prism2 NL-2511 MP Plus 802.11b miniPCI card.

Objective

There are two phases I’m going to go through: Manual creation, and Automatic creation.

  • Create a local bridge (br0) on each AP of wlan0 and eth0.
  • Successfully bridge each AP together using WDS (Wireless Distribution System):

    Network1: eth0 <-> wlan0 = br0 <-----> br0 = wlan0 <-> eth0 :Network2

    (eth0 on each AP is connected to a network; in turn, those networks get bridged together once both APs have been bridged)

    PHASE 1: MANUAL

    Step 1: Local Bridge Creation

    # brctl addbr br0
    # brctl addif br0 eth0
    # brctl addif br0 wlan0

    I have now created a bridge (br0) device and added eth0 interface to it along with (wlan0) interface. Now, I’m ready to move on.

    To create the AP-to-AP bridge, I’ll need the MAC addresses of both radio cards, and then I can issue a command that will tell wlan0 to only allow the other AP’s wlan0 interface access via its MAC address.

    # iwpriv wlan0 wds_add 00:02:6F:37:FB:DA
    # brctl addif br0 wlan0wds0

    I have now added the MAC address of the other AP’s radio card to its list of APs. Since this is a point-to-point AP bridge, I’ll only add one. I’ve also added the newly created wlan0wds0 interface to my bridge (br0). Now, I can tell it I only want one WDS point.

    # iwpriv wlan0 max_wds 1

    (NOTE: I have done this on both APs at this point)

    Now, I need to assign the interfaces IPs.

    # ifconfig eth0 0.0.0.0
    # ifconfig wlan0 0.0.0.0
    # ifconfig wlan0wds0 0.0.0.0
    # ifconfig br0 10.0.0.100 netmask 255.255.255.0 broadcast 0 up
    # route add default gw 10.0.0.1

    I have only assigned the bridge interface (br0) an IP of 10.0.0.100. On the second AP, I have assigned br0 an IP of 10.0.0.200. Also, the up portion of the last command there tells the interface to come “up”, i.e., start now.

    At this point, I am able to ping 10.0.0.200 from 10.0.0.100, i.e., AP1 to AP2!

    PHASE 2: AUTOMATIC

    Phew, that was fun. Now, I don’t want to have to do that every time the AP is turned off then back on! So, what I am going to do is add a start-up script. I have done it this way, via /etc/rcS.d/, instead of /etc/network/interfaces because I had some issues MYSELF. You DON’T have to do it this way if you know what you’re doing — but I don’t. =P

    I created a file called S99network.

    #!/bin/sh
    echo "MAC FILTERING:  00:02:6F:37:FB:DF"
    iwpriv wlan0 wds_add 00:02:6F:37:FB:DF
    
    echo "Creating bridge..."
    brctl addbr br0
    
    echo "Adding eth0 to bridge"
    brctl addif br0 eth0
    echo "Adding wlan0 to bridge"
    brctl addif br0 wlan0
    echo "Adding wlan0wds0 to bridge"
    brctl addif br0 wlan0wds0
    echo "Configuring eth0 IP: 0.0.0.0"
    ifconfig eth0 0.0.0.0
    echo "Configuring wlan0 IP: 0.0.0.0"
    ifconfig wlan0 0.0.0.0
    echo "Configuring wlan0wds0 IP: 0.0.0.0"
    ifconfig wlan0wds0 0.0.0.0
    echo "Bringing bridge UP"
    ifconfig br0 12.156.71.228 netmask 255.255.255.192 broadcast 12.156.71.255 up
    ifdown eth0
    ifdown wlan0
    ifup eth0
    ifup wlan0
    ifup br0
    sleep 20

    I now have a script that will automatically configure my interfaces for me so I don’t have to manually do it.

    The last step for me is to edit my /etc/resolv.conf to reflect my nameservers, and that’s it!
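The S99network script above runs every command unconditionally, so a typo in the peer MAC, a missing tool, or a second run after the bridge already exists will fail part-way through with the radio in an odd state. The following is an added example, not the author's script: a hardened bring-up that validates the MAC and addresses first, checks for root and the needed tools, skips `brctl addbr` when br0 already exists, and with DRY_RUN=1 only prints the plan. The interface names, peer MAC and bridge address are the post's own values reused as constructed defaults; the `/sys/class/net` existence check and the DRY_RUN switch are this example's additions.

```shell
#!/bin/sh
# Added example (not from the original post): a hardened version of the
# S99network idea. Validates inputs, checks prerequisites, is safe to rerun,
# and with DRY_RUN=1 only prints the commands it would execute.
# Defaults below are the post's values, reused here as constructed defaults.

PEER_MAC="${PEER_MAC:-00:02:6F:37:FB:DF}"   # the other AP's wlan0 MAC
BRIDGE="${BRIDGE:-br0}"
WIRED="${WIRED:-eth0}"
RADIO="${RADIO:-wlan0}"
WDS_IF="${WDS_IF:-wlan0wds0}"              # created by HostAP after wds_add
BR_ADDR="${BR_ADDR:-10.0.0.100}"
BR_MASK="${BR_MASK:-255.255.255.0}"
DRY_RUN="${DRY_RUN:-0}"

# Accept only a full 6-octet colon-separated MAC; anything else is rejected
# before it ever reaches iwpriv.
valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Dotted-quad check used for the bridge address and netmask.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF == 4 {
    for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
    exit 0
  } NF != 4 { exit 1 }'
}

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

iface_exists() {
  [ -d "/sys/class/net/$1" ]
}

# Emit (or execute) the full bring-up sequence. Non-zero on bad input.
bring_up_bridge() {
  valid_mac "$PEER_MAC"  || { echo "bad peer MAC: $PEER_MAC" >&2; return 2; }
  valid_ipv4 "$BR_ADDR"  || { echo "bad bridge address: $BR_ADDR" >&2; return 2; }
  valid_ipv4 "$BR_MASK"  || { echo "bad netmask: $BR_MASK" >&2; return 2; }

  if [ "$DRY_RUN" != "1" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 3; }
    for t in brctl iwpriv ifconfig; do
      command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 3; }
    done
  fi

  # Idempotent: only create the bridge if it is not already there.
  if [ "$DRY_RUN" = "1" ] || ! iface_exists "$BRIDGE"; then
    run brctl addbr "$BRIDGE"
  fi
  # Point-to-point: exactly one WDS peer, identified by its MAC.
  run iwpriv "$RADIO" wds_add "$PEER_MAC"
  run iwpriv "$RADIO" max_wds 1
  run brctl addif "$BRIDGE" "$WIRED"
  run brctl addif "$BRIDGE" "$RADIO"
  run brctl addif "$BRIDGE" "$WDS_IF"
  # Member interfaces carry no address; only the bridge does.
  run ifconfig "$WIRED" 0.0.0.0
  run ifconfig "$RADIO" 0.0.0.0
  run ifconfig "$WDS_IF" 0.0.0.0
  run ifconfig "$BRIDGE" "$BR_ADDR" netmask "$BR_MASK" up
}

# Stand-alone usage: print the plan without changing anything.
DRY_RUN=1
bring_up_bridge
```

Dropped into /etc/rcS.d/ in place of S99network, with `DRY_RUN=0` and the second AP's values exported (`BR_ADDR=10.0.0.200`, the other MAC), the same file serves both ends of the link.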
    rjk@techish.net

    http://www.techish.net/


Tue Apr 8 22:35:48 EDT 2008