April 22, 2012: 6:49 pm: Cisco Security, Windows Security


Let’s say you have Cisco ACS up and running and already successfully talking to your Active Directory installation. You also already have an existing VPN client remote access configuration where the group policy name is “GP_VPN_ITNET” and the tunnel group name is “TG_VPN_ITNET”.

Now you have an Active Directory group called “RG_VPN_ITNET” and want to ensure that the only VPN remote access profile that group can use is that existing configuration.


October 21, 2010: 7:19 pm: Admin Tricks

This is sort of a follow-up to my SSH screencast series on remote access to your Mac. Maybe you are paranoid like me and want to know when a connection has been made to your Mac, when a wrong user name has been tried, or even when a login fails on a good username. You also want to know this no matter where you are.

I was inspired by the script written by Whitson Gordon over at Macworld on automatically turning off your wireless AirPort interface. Note that what I have below has only been tested on my Snow Leopard setup; I leave it up to you if you are on Leopard or even Tiger. BTW, update your system if you are as far back as Tiger. C’mon, join the modern world.

You will have to have Growl installed, then install growlnotify, and last you need a Growl-to-push notification service like Prowl. Then have the Prowl app on your iPhone or iPad.

Read on for the scripts and how to get it all working.


April 1, 2008: 7:07 pm: Cisco Security

Man. Today I was putting a core 4507R switch onto our TACACS AAA controls. The main IT admin for that site got all fussy: what if my TACACS account is locked out and it’s an emergency? The admin did not like the answer: well, call the corporate helpdesk to have it unlocked. So I had to figure out how to make only the console port ignore TACACS AAA and use the local login database instead. Here is what I had to add to the aaa commands.

  1. Create a local user account under global config mode.
    username local-MYNAMEHERE privilege 15 password MYPASSWORDHERE
  2. Next, still under global config mode, create method lists named “console” that use only the local database, and enable authorization on the console.
    aaa authentication login console local
    aaa authorization exec console local
    aaa authorization commands 0 console local
    aaa authorization commands 1 console local
    aaa authorization commands 15 console local
    aaa authorization console
  3. Then under the console line (line con 0), bind the console to those method lists.
    authorization commands 0 console
    authorization commands 1 console
    authorization commands 15 console
    authorization exec console
    login authentication console
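
To see how the “console” lists above sit alongside the TACACS+ lists the rest of the switch uses, here is a fuller config fragment added for illustration; it is not from the post. The TACACS+ server address and shared key are placeholders, the vty section is assumed, and `secret` is used in place of the post’s `password` so the local credential is stored as a hash rather than a reversible type 7 string. The point it shows is that the trailing `local` on a `default` method list is only reached when no TACACS+ server answers at all; a server that answers “deny” for a locked account never falls through to local, which is why the console needs its own list.

```cisco
! Added example config (not from the post). Server address and key are placeholders.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key TACACS_SHARED_SECRET_HERE
!
! Default lists: every line not told otherwise (vty etc.) asks TACACS+ first.
! "local" here is reached ONLY if every TACACS+ server is unreachable; a server
! that answers "deny" for a locked account never falls through to local.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Named "console" lists use the local database only, so a locked TACACS+
! account still gets you in at the serial console. "secret" stores an MD5 hash;
! "password" (as in the post) stores a reversible type 7 string.
username local-MYNAMEHERE privilege 15 secret MYPASSWORDHERE
aaa authentication login console local
aaa authorization exec console local
aaa authorization commands 0 console local
aaa authorization commands 1 console local
aaa authorization commands 15 console local
aaa authorization console
!
line con 0
 login authentication console
 authorization exec console
 authorization commands 0 console
 authorization commands 1 console
 authorization commands 15 console
!
! Remote sessions keep the default lists, so the bypass is limited to whoever
! has physical access to the console port.
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
```

Because the local account now works without any server-side lockout, its password should be treated like a break-glass credential: long, stored hashed (`secret`), changed when staff leave, and checked against the console login records in your accounting.
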

September 5, 2007: 10:01 pm: Password Security

Talk about the wrong way to make a piece of software. I was helping a friend get iGet working with his Mac. We did not want to leave SSH running on port 22; it was getting hit with all sorts of brute force user guessing attacks. Here are some examples:

Sep 4 09:29:27 sshd[13637]: Invalid user admin
Sep 4 09:29:37 sshd[13641]: Invalid user stud
Sep 4 09:29:45 sshd[13643]: Invalid user trash
Sep 4 09:29:51 sshd[13645]: Invalid user aaron
Sep 4 09:29:56 sshd[13647]: Invalid user gt05
Sep 4 09:30:00 sshd[13649]: Invalid user william
Sep 4 09:30:03 sshd[13651]: Invalid user stephanie
Sep 4 09:30:40 sshd[13664]: Invalid user gary from
Sep 3 16:51:06 sshd[10423]: Invalid user nagios
Sep 3 16:51:07 sshd[10425]: Invalid user backuppc
Sep 3 16:51:09 sshd[10427]: Invalid user wolfgang
Sep 3 16:51:10 sshd[10430]: Invalid user vmware
Sep 3 16:51:13 sshd[10432]: Invalid user stats
Sep 3 16:51:14 sshd[10434]: Invalid user kor
Sep 3 16:51:15 sshd[10436]: Invalid user wei
Sep 3 16:51:16 sshd[10438]: Invalid user cvsuser
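
The excerpt above is what a credential-guessing run looks like in sshd’s syslog output: a new, mostly made-up username every few seconds. As an added example (not code from the post), here is a small Python detector that parses lines of that format, classifies them, and raises one alert per burst of distinct rejected usernames. The “Failed password” and “Accepted publickey” sample lines, the RFC 5737 addresses, the year 2007 default, and the threshold of 5 names in 60 seconds are assumptions made for the example, not anything from the post.

```python
import re
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in the same format as the log excerpt above. The
# "Invalid user" lines are the ones quoted in the post (including the one
# cut off after "from"); the last two lines are made up to show a password
# failure and a successful public-key login being classified as well.
# Addresses are from RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Sep 4 09:29:27 sshd[13637]: Invalid user admin
Sep 4 09:29:37 sshd[13641]: Invalid user stud
Sep 4 09:29:45 sshd[13643]: Invalid user trash
Sep 4 09:29:51 sshd[13645]: Invalid user aaron
Sep 4 09:29:56 sshd[13647]: Invalid user gt05
Sep 4 09:30:00 sshd[13649]: Invalid user william
Sep 4 09:30:03 sshd[13651]: Invalid user stephanie
Sep 4 09:30:40 sshd[13664]: Invalid user gary from
Sep 3 16:51:06 sshd[10423]: Invalid user nagios
Sep 3 16:51:07 sshd[10425]: Invalid user backuppc
Sep 3 16:51:09 sshd[10427]: Invalid user wolfgang
Sep 3 16:51:10 sshd[10430]: Invalid user vmware
Sep 3 16:51:13 sshd[10432]: Invalid user stats
Sep 3 16:51:14 sshd[10434]: Invalid user kor
Sep 3 16:51:15 sshd[10436]: Invalid user wei
Sep 3 16:51:16 sshd[10438]: Invalid user cvsuser
Sep 4 09:30:42 sshd[13666]: Failed password for invalid user gary from 198.51.100.23 port 41234 ssh2
Sep 4 10:02:11 sshd[13702]: Accepted publickey for bob from 192.0.2.7 port 50112 ssh2
"""

# Syslog prefix: month, day (not zero-padded), time, then the sshd[pid]: tag.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message bodies we care about. The optional "from <src>" group tolerates a
# line truncated right after "from", as one line in the excerpt is.
MESSAGE_RES = [
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S+)(?: from(?: (?P<src>\S+))?)?$")),
    ("failed_password", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("accepted", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
]

HOSTILE_KINDS = {"invalid_user", "failed_password"}


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str
    user: str
    src: Optional[str]
    pid: int


def parse_log(text: str, year: int = 2007) -> list:
    """Turn sshd syslog lines into Events. Syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
        for kind, rx in MESSAGE_RES:
            mm = rx.match(m["msg"])
            if mm:
                events.append(Event(when, kind, mm["user"], mm["src"], int(m["pid"])))
                break
    return events


def summarize(events) -> Counter:
    """Count events by kind; a quick sanity check before alerting on anything."""
    return Counter(e.kind for e in events)


def detect_bursts(events, window: int = 60, threshold: int = 5) -> list:
    """Flag runs where at least `threshold` distinct usernames were rejected
    within `window` seconds. Events are sorted first because the excerpt (and a
    real syslog tail) is not guaranteed to be in order. Consecutive hits less
    than `window` apart are merged into one alert with start, end, users, srcs."""
    hostile = sorted((e for e in events if e.kind in HOSTILE_KINDS), key=lambda e: e.when)
    alerts, recent, current = [], deque(), None
    for ev in hostile:
        recent.append(ev)
        while (ev.when - recent[0].when).total_seconds() > window:
            recent.popleft()
        users = {e.user for e in recent}
        if len(users) < threshold:
            continue
        if current is None or (ev.when - current["end"]).total_seconds() > window:
            current = {"start": recent[0].when, "end": ev.when, "users": set(), "srcs": set()}
            alerts.append(current)
        current["end"] = ev.when
        current["users"] |= users
        current["srcs"] |= {e.src for e in recent if e.src}
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(dict(summarize(evs)))
    for a in detect_bursts(evs):
        print(f"{a['start']:%b %d %H:%M:%S} to {a['end']:%H:%M:%S}: "
              f"{len(a['users'])} distinct usernames rejected; sources {sorted(a['srcs']) or 'unknown'}")
```

Run against the sample it reports two bursts, one per day, with eight distinct names each; the successful public-key login is counted but never contributes to an alert. Moving the daemon off port 22, as the post goes on to do, cuts the noise from scanners, but a detector like this is still worth keeping on the new port, since anyone who finds it will produce exactly the same pattern.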

Also we wanted to set up public key authentication instead of passwords. So we used his Apple AirPort Extreme to map an external port, say 3622, to port 22 on his Mac in his home network. Then we whipped up a public-private key pair; “ssh-keygen -t rsa” was good enough to do that. We of course put a good strong passphrase on it.

Now things like iTerm and Cyberduck on the Mac worked great with his new setup, both the port and the private key. But he has this thing called iGet. It claims key support, but it would not work with key authentication if the private key had a passphrase. So we had to whip up a second key pair just for that program and append the new public key to the authorized_keys file in his .ssh folder. The worst part is the vendor tried to say that using keys is not inherently more secure than a password because iGet just uses SSH to start the connection, then takes over with its own protocol. How stupid, and such a bad attitude. Cyberduck is free and it works way better on key support. Sure, iGet has some neat features like access to the remote machine’s Spotlight, etc., but kiss that advantage goodbye once Leopard comes out. Personally I would not give iGet my money for their product with that attitude and poor support for private keys with passphrases. By default keys get dumped right into your .ssh folder on a Mac. If there is no passphrase and someone somehow runs code that lets them grab the entire folder contents, they would have your access into machines via SSH. At least if it has a passphrase they still have to brute force the key just to use it.

After all, it is not two factor authentication if it is just a key without a passphrase. It’s one factor: something you have. Adding something you know (the passphrase) greatly improves the security, so in the world of iGet 2=1.

September 2, 2007: 6:53 pm: Password Security

I came back from Birmingham today to find my PayPal security token arrived yesterday. It came with a nice instruction card on how to add it to your PayPal account. Only problem: it’s wrong. I tried going to the Token link and logging in. It did not take me straight to adding the key. I had to go into my account page and then click the link to the security key. From there it is straightforward to add it.

As an added bonus, if you use VeriSign PIP for OpenID you can add the same token to logon authorization there as well. Then all you do is go to your account details and click Add Credential. It wants two fields to be filled in. The top one is the code on the back of your PayPal security token: the long number over the barcode, the token’s serial number. The second field is a keycode from the token, so flip it back over and press the button. Enter the displayed six digit number into the second field and submit.

Now when you log into PayPal or VeriSign PIP you have to know your logon name, password AND the six digit number on your token at the time you sign in. There is a slight difference in how you enter it, though. On PayPal, append the six digits to your password when you type in your password. On VeriSign, log on as normal and it will prompt you for the six digit code after you submit your name and password.

That is it. Now you have two factor authentication: your password (something you know) and the code the security token provides (something you have). Without the token your accounts cannot be used.