April 22, 2012: 6:49 pm: Cisco Security, Windows Security

Reference:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/c.html#wp697557

Scenario:
Let’s say you have Cisco ACS up and running, already successfully talking to your Active Directory installation. You also have an existing VPN Client remote-access configuration whose group policy is named “GP_VPN_ITNET” and whose tunnel group is named “TG_VPN_ITNET”.

Now you have an Active Directory group called “RG_VPN_ITNET” and want to ensure that the only VPN remote-access profile that group can use is that existing configuration.


April 1, 2008: 7:07 pm: Cisco Security

Man. Today I was putting a core 4507R switch onto our TACACS AAA controls. The main IT admin for that site got all fussy about “what if my TACACS account is locked out and it’s an emergency?” He did not like the answer, “Well, call the Corporate helpdesk to have it unlocked.” So I had to figure out how to make only the console port ignore TACACS AAA and use the local login database instead. Here is what I had to add to the aaa commands.

  1. Create a local user account under global config mode.
    username local-MYNAMEHERE privilege 15 password MYPASSWORDHERE
  2. Next, still under global config mode, define a method list named “console” that uses only the local database, and enable authorization on the console.
    aaa authentication login console local
    aaa authorization exec console local
    aaa authorization commands 0 console local
    aaa authorization commands 1 console local
    aaa authorization commands 15 console local
    aaa authorization console
  3. Then under the console line (line con 0), bind those method lists to the console.
    authorization commands 0 console
    authorization commands 1 console
    authorization commands 15 console
    authorization exec console
    login authentication console
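An added audit helper (not code from the original post) that reads an IOS running-config and reports which login authentication method list each line actually uses, so you can confirm the console ended up on the local-only list while the vtys still go through TACACS+ via the default list. The sample config is constructed; the resolution rule it applies (a line's own `login authentication NAME`, otherwise the `default` list) is standard IOS behaviour.

```python
import re

# Constructed sample running-config (not from the post): TACACS+ by default,
# local fallback only on the console, mirroring the post's configuration.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authorization exec default group tacacs+ local
aaa authorization exec console local
aaa authorization console
line con 0
 login authentication console
 authorization exec console
line vty 0 4
 transport input ssh
"""

AUTH_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
LINE_HDR_RE = re.compile(r"^line (con|aux|vty) (.+)$")
LOGIN_AUTH_RE = re.compile(r"^\s+login authentication (\S+)\s*$")

def parse_login_lists(config):
    """Return {list_name: [methods]} from the `aaa authentication login` lines."""
    lists = {}
    for raw in config.splitlines():
        m = AUTH_LIST_RE.match(raw.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()  # e.g. ['group', 'tacacs+', 'local']
    return lists

def effective_login_methods(config):
    """Map each `line ...` block to the methods that authenticate logins on it.
    A line uses its own `login authentication NAME` when configured, otherwise the
    `default` list ([] means no default list exists); a NAME with no matching
    `aaa authentication login` entry is reported as UNDEFINED so an audit can flag it."""
    lists = parse_login_lists(config)
    result, current = {}, None
    for raw in config.splitlines():
        hdr = LINE_HDR_RE.match(raw)
        if hdr:
            current = f"line {hdr.group(1)} {hdr.group(2)}"
            result[current] = lists.get("default", [])
        elif current and raw.startswith(" "):
            m = LOGIN_AUTH_RE.match(raw)
            if m:
                result[current] = lists.get(m.group(1), [f"UNDEFINED:{m.group(1)}"])
        else:
            current = None  # any non-indented line ends the current line block
    return result
```

Run `effective_login_methods(SAMPLE_CONFIG)` against a real `show running-config` dump to check that only the console line resolves to `['local']`.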
December 27, 2007: 6:23 am: Network Tricks

I love Cisco Fast EtherChannel. Over the Christmas break we turned up a second fiber link between our two buildings here in town. When we built the second building I made sure that there were two six-strand fiber pulls, each in its own innerduct, and both of those inside one large innerduct under the ground between the buildings. So bond one pair from each pull and you have a pretty good chance of the link staying up even if they snag the main innerduct with a backhoe. Not to mention, with dual supervisor cards in the main 4506R we bonded the first gig port from each sup card to make this channel. So basically if a card goes, we stay up. If a GBIC burns out, we stay up. And if they partially break the fiber in the ground, the odds are we stay up. And in the meantime we get the benefit of both fiber links being active. By default it is load balancing by source IP. Sort of a round robin deal.

Early in 2008 we are going to mount up a wireless bridge and set it up with spanning-tree values to stay down unless the entire bonded fiber link is lost. Pretty cool.

[Image: Cacti graph]

July 16, 2007: 12:19 pm: Cisco Security

If you are looking for a simple down-and-dirty procedure for setting up an SSID with a WPA1 or WPA2 pre-shared key on a Cisco 1200 AP, here ya go.

  • This assumes you have a working Cisco 1200 AP with all other configuration done.
  • This assumes you have set up a trunk port and have multiple VLANs configured on your network.

An example switch interface supporting this access point would look like the one below. It is a trunk port using the dot1q trunking protocol to the access point, with VLAN 15 as the native VLAN and VLAN 18 as the VLAN carrying the new WPA SSID we are allowing:

interface FastEthernet0/1
description FrontOffice AP
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 15
switchport trunk allowed vlan 15,18
no ip address
duplex full
speed 100
spanning-tree portfast

  1. Log into the web interface of the 1200 AP.
  2. Click Security.
  3. Click SSID Manager.
  4. Click the Define Vlan link next to the VLAN pull-down box on the right.
  5. <NEW> should be highlighted in the Current VLAN List box.
  6. Enter the numeric VLAN ID in the VLAN ID: box to the right.
  7. Optionally, enter a name in the VLAN Name: box to the right.
  8. Click Apply.
  9. Click Security.
  10. Click SSID Manager.
  11. <NEW> should be highlighted in the Current SSID List box.
  12. Enter your new SSID in the SSID: box to the right.
  13. Pull down the VLAN: box and select the VLAN you defined.
  14. Check the box for Interface: Radio0-802.11G (or whichever radio you want, if you have more than one).
  15. Scroll down and click the first APPLY button.
  16. Click Security.
  17. Click Encryption Manager.
  18. Select the VLAN in the Set Encryption Mode and Keys for VLAN: pull-down box.
  19. Select the Cipher radio button.
  20. For WPA-PSK, select TKIP in the Cipher pull-down box.
  21. For WPA2-PSK, select AES CCMP in the Cipher pull-down box.
  22. If you want WPA mixed mode, select AES CCMP + TKIP in the Cipher pull-down box. This allows clients to use the same SSID with either WPA2 or WPA1.
  23. Leave the Encryption Keys section blank.
  24. Ensure Broadcast Key Rotation Interval is set to Disable Rotation under Global Properties.
  25. Click the APPLY button.
  26. Click Security.
  27. Click SSID Manager.
  28. Click the SSID we are setting up in the Current SSID List scroll box.
  29. Scroll down to the Authenticated Key Management section, leaving all other options at their defaults.
  30. Select Mandatory in the Key Management pull-down box.
  31. Check the WPA check box to the right.
  32. Enter your desired WPA pre-shared key in the WPA Pre-shared Key: text box.
  33. Assuming you are using regular text, leave ASCII selected.
  34. Scroll down and click the first APPLY button.
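As an added example (not code from the original post), this derives the 256-bit PSK that the AP and every client compute from the ASCII passphrase entered in step 32 together with the SSID from step 12. The derivation is the IEEE 802.11i one (PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output), it is identical whether the cipher chosen in steps 20-22 is TKIP, AES CCMP or both, and the hex form is what you would enter if the key entry in step 33 were switched away from ASCII (assumed here to be a hexadecimal key option).

```python
import hashlib

def passphrase_problem(passphrase: str):
    """Return None if this is a valid WPA passphrase, otherwise the reason.
    WPA-PSK passphrases are 8 to 63 printable ASCII characters (0x20-0x7E)."""
    if not 8 <= len(passphrase) <= 63:
        return "passphrase must be 8 to 63 characters"
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        return "passphrase must contain only printable ASCII"
    return None

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations).
    The SSID is the salt, so the same passphrase on a different SSID yields a
    different PSK; both sides of the link must therefore agree on both values."""
    problem = passphrase_problem(passphrase)
    if problem:
        raise ValueError(problem)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)

def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    """The PSK as 64 hex characters, the form entered when the AP's key entry
    is set to hexadecimal instead of ASCII (assumption about the GUI option)."""
    return wpa_psk(passphrase, ssid).hex()

if __name__ == "__main__":
    # IEEE 802.11i published test vector: passphrase "password" with SSID "IEEE"
    print(wpa_psk_hex("password", "IEEE"))
```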
May 2, 2007: 1:14 am: Cisco Security

It is always a good idea to configure your equipment to time out idle sessions in case you get distracted. Not that we ever get pulled away from things in IT work.

  • exec-timeout 5 – applies a five-minute idle timeout; enter it under each line (line con 0, line vty 0 4, etc.).