To restrict an Active Directory Group to a single VPN Tunnel Group


Let’s say you have Cisco ACS up and running. It is already successfully talking to your Active Directory installation. You also already have an existing VPN Client remote configuration where the group policy name is “GP_VPN_ITNET” and the tunnel group name is “TG_VPN_ITNET”.

Now you have an Active Directory group called “RG_VPN_ITNET” and want to ensure that the only VPN remote access profile that group can use is the existing remote configuration.


Cisco – AAA Exclude Console Port for Local Backup access

Man. Today I was putting a core 4507R switch onto our Tacacs AAA controls. The main IT admin for that site got all fussy about “what if my tacacs account is locked out and it’s an emergency?” Did not like the answer “well, call the Corporate helpdesk to have it unlocked.” So I had to figure out how to make only the console port ignore tacacs AAA and use the local login database instead. Here is what I had to add to the aaa commands.

  1. Create a local user account under global config mode.
    username local-MYNAMEHERE privilege 15 password MYPASSWORDHERE
  2. Next under global config mode (here “console” is simply the name given to the method lists, which the console line references in step 3)
    aaa authentication login console local
    aaa authorization exec console local
    aaa authorization commands 0 console local
    aaa authorization commands 1 console local
    aaa authorization commands 15 console local
    aaa authorization console
  3. Then under the console line interface
    authorization commands 0 console
    authorization commands 1 console
    authorization commands 15 console
    authorization exec console
    login authentication console

Cisco 1200 AP – WPA(1&2)-PSK

If you are looking for a simple down and dirty procedure for setting up an SSID with WPA 1 or 2 preshared key on a Cisco 1200AP here ya go.

  • This assumes you have a working Cisco 1200 AP with all other configuration done.
  • This assumes you have setup a trunk port and have multiple vlans setup for your network

An example switch interface supporting this access point would look like below. This is a trunk port using dot1q trunking to the Access Point, with vlan 15 as the native vlan; vlan 18 would be the new WPA SSID vlan we are allowing across the trunk.

interface FastEthernet0/1
description FrontOffice AP
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 15
switchport trunk allowed vlan 15,18
no ip address
duplex full
speed 100
spanning-tree portfast trunk

  1. Log into web interface of 1200 AP
  2. Click Security
  3. Click SSID Manager
  4. Click Define Vlan link next to the VLAN pull down box on the right
  5. <NEW> should be highlighted in the Current VLAN List box
  6. Enter the numerical vlan number in the VLAN ID: box to the right
  7. Enter a name in the VLAN Name: box to the right if you wish; it is optional
  8. Click Apply
  9. Click Security
  10. Click SSID Manager
  11. <NEW> should be highlighted in the Current SSID List box
  12. Enter your new SSID in the SSID: box to the right
  13. Pull down the VLAN: Box and select the vlan you defined
  14. Check the box for Interface: Radio0-802.11G (or the radio you want if you have more than one)
  15. Scroll down and Click the First APPLY button.
  16. Click Security
  17. Click Encryption Manager
  18. Select the VLAN in the Set Encryption Mode and Keys for VLAN: pulldown box
  19. Select the Cipher radio button
  20. For WPA-PSK select TKIP in the Cipher pull down box
  21. For WPA2-PSK select AES CCMP in the Cipher pull down box
  22. If you want WPA Mixed mode select AES CCMP + TKIP in the Cipher pull down box. This allows clients to use the same SSID for either WPA2 or WPA1
  23. Leave Encryption Keys section blank
  24. Ensure Broadcast Key Rotation Interval is Disable Rotation under Global Properties
  25. Click the APPLY button
  26. Click Security
  27. Click SSID Manager
  28. Click the desired SSID we are setting up under the Current SSID List scroll box
  29. Scroll down to the Authenticated Key Management section, leaving all other options default
  30. Select Mandatory in the Key Management pull down box
  31. Check the WPA check box to the right
  32. Enter your desired WPA preshared key in the WPA Pre-shared Key: text box
  33. Assuming you are using regular text leave ASCII selected.
  34. Scroll down and Click the First APPLY button.

Cisco Console Time Outs

It is always a good idea to fix your equipment to time out your sessions in case you get distracted. Not that we ever get pulled away from things in IT work.

  • exec-timeout 5 – apply a five minute timeout under all consoles, line vtys etc.

Cisco Devices and HTTP

As a rule running web interface control on a Cisco device is a bad idea. But there are times when you may want to run it. Some of Cisco’s management tools expect it.

  • no ip http server – Kill HTTP when possible
  • ip http secure-server – If you have to run web management use HTTPS for encryption
  • ip http access-class XX – Apply an ACL to restrict hosts that can reach the web management, where XX you replace with your ACL number

Cisco Router Global Commands

Here is some follow-up to my previous post on Interface level commands. Here are some to consider for global config mode.

  1. no ip source-route – Source routing allows a packet to specify how it should be routed through a network instead of following the routers designated by the internal network’s routing protocols.
  2. no service tcp-small-servers – These services include the echo, discard, daytime, and chargen services. These services rarely serve any purpose on a modern network and should be disabled on all routers.
  3. no service udp-small-servers – These services include the echo, discard, daytime, and chargen services. These are old school services rarely of any use on a modern network.
  4. no ip finger – The finger service can allow remote users to find out who is logged into the router. Usernames are not something you want to easily give away.
  5. service password-encryption – This ensures passwords are not saved in the configuration unencrypted.
  6. security passwords min-length 10 [Starting IOS 12.3(1)] – This requires local passwords to be minimum ten characters in length.
  7. no service password-recovery – This option should only be used for network equipment in sites where there is not a high level of physical security or on site IT staff. Secondary warehouses, sales offices or remote distribution sites are examples of such locations. It prevents any manual password bypass of network hardware without wiping the existing configuration.
  8. security authentication failure rate 5 log – This causes a 15 second authentication delay after 5 attempts and sends a syslog alert message.
  9. login delay 15 [Starting IOS 12.3(4)T] – This causes a 15 second delay between successive login attempts. This reduces effectiveness of dictionary login attacks.
  10. login block-for 120 attempts 10 [Starting IOS 12.3(4)T] – This will block the next login attempt for 120 seconds if 10 failed attempts occur consecutively. This reduces the effectiveness of dictionary login attacks.
  11. banner motd – A login warning banner should be in use on all network devices that support it. It may be customized to be acceptable for a given country.

Cisco Router Interface Commands

I wrote a guidelines document at work this week pulling together many different commands for Cisco routers, switches etc. that our IT group should be doing to better secure things. Granted we already do most of these, but I wanted one document to get everyone on the same page and help any newer staff. This is the first section, for commands to apply to all router Interfaces. I cover this in the upcoming In the Trenches show in the Cisco Corner. Next time we move into commands for the global config mode.

  1. no ip unreachable – ICMP unreachable replies are sent whenever a host attempts to send a packet to a destination that doesn’t exist or isn’t supported. Disabling unreachables making network mapping harder.
  2. no ip directed broadcast – This prevents Smurf attacks which is when a ping to the network address causes all hosts to send replies to the source of the ping.
  3. no ip proxy-arp – Proxy Address Resolution Protocol (ARP) assists hosts that have no default router or gateway configured get to remote destinations. The router answers ARP requests on behalf of the remote destination so clients send to the router and transparently are relayed to the far end.
  4. no ip redirects – ICMP redirects allow systems to change the way packets are routed through a network.
  5. no cdp enable – CDP is the Cisco Discovery Protocol that provides information on remote interfaces connected to each Cisco router. CDP should be disabled on all Internet facing Interfaces.
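Since the global commands above and the interface commands in this post are the kind of thing that drifts on a device, here is an added example (my own code, not from the original post) that audits a saved Cisco IOS configuration against both lists. It assumes the input is the text of `show running-config all`, which also prints settings that are at their default; plain `show running-config` omits defaulted lines (on newer IOS the small servers and finger are off by default and simply do not appear), so an absent line there would be a false alarm. The sample configuration, interface names and addresses are constructed for the example. Note that on a real device `login block-for` also requires a trailing `within <seconds>` window, which the regex below expects.

```python
"""Audit a Cisco IOS `show running-config all` text against the hardening
commands recommended in this post. Added example; sample config is constructed."""
import re

# Global-config checks: (label, regex over one top-level line, minimum value).
# Where the regex has a capture group, the captured number must be at least
# the minimum the post recommends (min-length 10, login delay 15, block 120 s).
GLOBAL_CHECKS = [
    ("no ip source-route", r"^no ip source-route$", None),
    ("no service tcp-small-servers", r"^no service tcp-small-servers$", None),
    ("no service udp-small-servers", r"^no service udp-small-servers$", None),
    ("no ip finger", r"^no ip finger$", None),
    ("service password-encryption", r"^service password-encryption$", None),
    ("security passwords min-length", r"^security passwords min-length (\d+)$", 10),
    ("security authentication failure rate",
     r"^security authentication failure rate \d+ log$", None),
    ("login delay", r"^login delay (\d+)$", 15),
    ("login block-for", r"^login block-for (\d+) attempts \d+ within \d+$", 120),
    ("banner motd", r"^banner motd\b", None),
    ("no ip http server", r"^no ip http server$", None),
]

# Per-interface commands the post recommends on every routed interface.
# `no cdp enable` is only required on the interfaces the caller marks Internet-facing.
INTERFACE_CHECKS = [
    "no ip unreachables",
    "no ip directed-broadcast",
    "no ip proxy-arp",
    "no ip redirects",
]


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS config text.
    A stanza starts at an unindented `interface ...` line and ends at the
    next unindented line (usually the `!` separator)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def audit_global(config):
    """Return findings for recommended global commands that are missing or
    set weaker than the recommended value, in GLOBAL_CHECKS order."""
    top_level = [ln.strip() for ln in config.splitlines()
                 if ln and not ln.startswith((" ", "!"))]
    findings = []
    for label, pattern, minimum in GLOBAL_CHECKS:
        hits = [m for m in (re.match(pattern, ln) for ln in top_level) if m]
        if not hits:
            findings.append(f"missing: {label}")
        elif minimum is not None and int(hits[0].group(1)) < minimum:
            findings.append(f"weak: {label} is {hits[0].group(1)}, recommended {minimum}")
    return findings


def audit_interfaces(config, internet_facing=()):
    """Return findings for routed, non-shutdown interfaces lacking the
    recommended commands; CDP is checked only on internet_facing names."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        # Skip shut interfaces and L2/unnumbered ones (no `ip address x y` line).
        if "shutdown" in cmds or not any(c.startswith("ip address ") for c in cmds):
            continue
        for wanted in INTERFACE_CHECKS:
            if wanted not in cmds:
                findings.append(f"{name}: missing {wanted}")
        if name in internet_facing and "no cdp enable" not in cmds:
            findings.append(f"{name}: missing no cdp enable (internet-facing)")
    return findings


# Constructed sample: finger left on, min-length too short, failure-rate
# command absent, CDP left on the uplink, unreachables left on the LAN port.
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip source-route
ip finger
security passwords min-length 6
login delay 15
login block-for 120 attempts 10 within 60
banner motd ^CAuthorized access only^C
no ip http server
!
interface FastEthernet0/0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 cdp enable
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
!
interface FastEthernet0/2
 no ip address
 shutdown
!
"""

if __name__ == "__main__":
    for finding in audit_global(SAMPLE_CONFIG):
        print("GLOBAL   ", finding)
    for finding in audit_interfaces(SAMPLE_CONFIG, internet_facing={"FastEthernet0/0"}):
        print("INTERFACE", finding)
```

Run it against a saved `show running-config all` from each device (paste the text in place of `SAMPLE_CONFIG`) and pass the uplink interface names in `internet_facing`; the sample above reports finger still enabled, the 6-character minimum password length, the missing failure-rate command, CDP still on the uplink and unreachables still on the LAN port.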