Posts Tagged: Cisco

To restrict an Active Directory Group to a single VPN Tunnel Group

Reference: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/c.html#wp697557

Scenario: Let's say you have Cisco ACS up and running and it is already successfully talking to your Active Directory installation. You also have an existing VPN Client remote-access configuration where the group policy name is "GP_VPN_ITNET" and the tunnel group name is "TG_VPN_ITNET". Now you have an Active Directory group called "RG_VPN_ITNET" and want to ensure that the only VPN remote-access profile that group can use is that existing configuration.


Cisco – AAA Exclude Console Port for Local Backup access

Man. Today I was putting a core 4507R switch under our TACACS+ AAA controls. The main IT admin for that site got fussy: what if my TACACS+ account is locked out and it's an emergency? He did not like the answer "call the corporate helpdesk to have it unlocked." So I had to figure out how to make only the console port ignore TACACS+ AAA and use the local login database instead. Here is what I had to add to the AAA commands.

Create a local user account under global config mode (where the IOS supports it, use "secret" instead of "password" so a hash is stored rather than a reversible type 7 string):

username local-MYNAMEHERE privilege 15 password MYPASSWORDHERE

Next, under global config mode, define a named method list called "console" (the name is arbitrary) that uses only the local database. The last line matters: by default AAA authorization is not applied to the console at all, so without it the line-level authorization commands below do nothing.

aaa authentication login console local
aaa authorization exec console local
aaa authorization commands 0 console local
aaa authorization commands 1 console local
aaa authorization commands 15 console local
aaa authorization console

Then under the console line (line con 0), apply the named lists. The default lists, and therefore the VTY lines, keep using TACACS+:

authorization commands 0 console
authorization commands 1 console
authorization commands 15 console
authorization exec console
login authentication console

Note that a "group tacacs+ local" default list only falls back to local when every TACACS+ server is unreachable, not when a reachable server rejects a locked-out account. That is why the console gets its own local-only list rather than relying on fallback.
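Here is the complete AAA skeleton those additions sit in, shown as an added example rather than the post's own switch config. The TACACS+ server address and key, the local username and the "console" list name are placeholders.

```cisco
! Added example, not the original post's config. Server address (RFC 5737
! range), shared key, username and password are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key TacacsSharedKeyHere
!
! Default method lists: VTY/SSH sessions authenticate and authorize
! against TACACS+. "local" is only consulted if every server is
! unreachable; a reachable server rejecting a locked account does NOT
! fall back, so a lockout still blocks all VTY access.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Console-only lists. "secret" stores a hash (the post used "password",
! which stores a reversible type 7 string).
username local-admin privilege 15 secret ChangeMeToALongRandomPassword
aaa authentication login console local
aaa authorization exec console local
aaa authorization commands 0 console local
aaa authorization commands 1 console local
aaa authorization commands 15 console local
! Console is exempt from AAA authorization unless this is set.
aaa authorization console
!
line con 0
 login authentication console
 authorization exec console
 authorization commands 0 console
 authorization commands 1 console
 authorization commands 15 console
 exec-timeout 5 0
!
line vty 0 4
 ! No lists named here, so the "default" TACACS+ lists apply.
 exec-timeout 5 0
```

To check it, log in on the console with the local account while TACACS+ is reachable (it should be accepted without the server being consulted), then open a VTY session with the same local account: it should be refused, because the VTY default list still goes to TACACS+ first. Keep a console session open while testing so a mistake in the lists cannot lock you out.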


Cisco – Fast etherchannel for redundant fiber links

I love Cisco Fast EtherChannel. Over the Christmas break we turned up a second fiber link between our two buildings here in town. When we built the second building I made sure that there were two six-strand fiber pulls, each in its own innerduct, and both inside one large innerduct under the ground between the buildings. So bond one pair from each pull and you have a pretty good chance of the link staying up even if they snag the main innerduct with a backhoe. On top of that, with dual supervisor cards in the main 4506R we bonded the first gig port from each sup card to make this channel. So if a card goes, we stay up. If a GBIC burns out, we stay up. And if they partially break the fiber in the ground, the odds are we stay up. In the meantime we get the benefit of both fiber links being active. By default it load-balances by source IP: each flow is hashed onto one member link and stays there, so it is not round robin and a single flow never gets more than one link's bandwidth, but different hosts' traffic is spread across both. Early in 2008 we are going to mount a wireless bridge and set its spanning-tree values so it stays blocked unless the entire bonded fiber link is lost. Pretty cool.
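The bundle described above, written out as an added example rather than the site's own switch config. Slot and port numbers, the VLAN trunking, the bridge port and the spanning-tree cost are placeholders; the 4500's load-balance keywords and the channel-group modes are real IOS syntax.

```cisco
! Added example, not the original switch config. Slot/port numbers and
! the bridge port are placeholders.
!
! Hash on source+destination IP: each flow is pinned to one member link,
! there is no per-packet round robin. "src-ip" hashes on source only.
port-channel load-balance src-dst-ip
!
interface Port-channel1
 description Fiber bundle to Building B
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! One gig port from each supervisor (slot 1 and slot 2), each on a strand
! pair from a different fiber pull. Member ports must match the
! Port-channel's switchport settings or IOS suspends them.
! mode active = LACP; use "desirable" for PAgP (classic Fast EtherChannel)
! or "on" for a static bundle with no negotiation.
interface range GigabitEthernet1/1 , GigabitEthernet2/1
 description Building B fiber (one pair per pull)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
!
! Backup wireless bridge: a high path cost keeps spanning tree blocking
! this port until both fiber members of Po1 are down.
interface GigabitEthernet3/48
 description Wireless bridge to Building B (backup path)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree cost 10000
```

Check the bundle with "show etherchannel summary" (both members should show as bundled, flag P, and Po1 as in use, flag SU) and "show etherchannel load-balance"; then pull one member and confirm the channel stays up. "show spanning-tree" should list the bridge port as an alternate, blocking port while the fiber bundle is healthy.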


Cisco 1200 AP – WPA(1&2)-PSK

If you are looking for a simple down-and-dirty procedure for setting up an SSID with a WPA1 or WPA2 pre-shared key on a Cisco 1200 AP, here ya go. This assumes you have a working Cisco 1200 AP with all other configuration done, and that you have set up a trunk port with multiple VLANs on your network. An example switch interface supporting this access point would look like the one below: a dot1q trunk to the access point with native VLAN 15, where VLAN 18 is the VLAN for the new WPA SSID we are allowing. (The native VLAN is set with "switchport trunk native vlan"; and on a trunk port plain "spanning-tree portfast" is ignored, it has to be "spanning-tree portfast trunk".)

interface FastEthernet0/1
 description FrontOffice AP
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 15
 switchport trunk allowed vlan 15,18
 no ip address
 duplex full
 speed 100
 spanning-tree portfast trunk

Define the VLAN on the AP:

1. Log into the web interface of the 1200 AP.
2. Click Security, then SSID Manager.
3. Click the Define VLAN link next to the VLAN pull-down box on the right. <NEW> should be highlighted in the Current VLAN List box.
4. Enter the numerical VLAN number in the VLAN ID: box to the right. A name in the VLAN Name: box is optional.
5. Click Apply.

Create the SSID:

6. Click Security, then SSID Manager. <NEW> should be highlighted in the Current SSID List box.
7. Enter your new SSID in the SSID: box to the right.
8. Pull down the VLAN: box and select the VLAN you defined.
9. Check the box for Interface: Radio0-802.11G (or whichever radio you want, if you have more than one).
10. Scroll down and click the first Apply button.

Set the cipher:

11. Click Security, then Encryption Manager.
12. Select the VLAN in the "Set Encryption Mode and Keys for VLAN:" pull-down box.
13. Select the Cipher radio button. For WPA-PSK select TKIP in the Cipher pull-down box; for WPA2-PSK select AES CCMP; for WPA mixed mode select AES CCMP + TKIP, which lets clients use the same SSID with either WPA2 or WPA1. (TKIP has since been deprecated, so use AES CCMP alone unless you still have clients that cannot do it.)
14. Leave the Encryption Keys section blank.
15. Ensure Broadcast Key Rotation Interval is set to Disable Rotation under Global Properties.
16. Click Apply.

Set the key:

17. Click Security, then SSID Manager, and click the SSID we are setting up in the Current SSID List scroll box.
18. Scroll down to the Authenticated Key Management section, leaving all other options at their defaults. Select Mandatory in the Key Management pull-down box and check the WPA check box to the right.
19. Enter your desired WPA pre-shared key in the WPA Pre-shared Key: text box. Assuming you are using regular text, leave ASCII selected. Pick a long random passphrase: the WPA four-way handshake can be captured and brute-forced offline, so a PSK is only as strong as the passphrase behind it.
20. Scroll down and click the first Apply button.
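The same SSID built from the AP's CLI instead of the web pages, as an added example rather than the post's own configuration. The SSID name, VLAN 18, management VLAN 15, bridge-group numbers and passphrase are placeholders. This is the mixed-mode (AES CCMP + TKIP) case the steps above end with; drop "tkip" from the ciphers line for WPA2 only.

```cisco
! Added example for autonomous IOS on a 1200 AP, not the post's own config.
! SSID, VLANs, bridge groups and the passphrase are placeholders.
!
! WPA-PSK uses open authentication plus WPA key management; the PSK
! itself is what the Encryption Manager / SSID Manager pages set.
dot11 ssid FrontOffice-WPA
   vlan 18
   authentication open
   authentication key-management wpa
   wpa-psk ascii ExamplePassphrase-Change-Me-To-Something-Long
!
interface Dot11Radio0
 ! "aes-ccm tkip" = AES CCMP + TKIP mixed mode; "aes-ccm" alone = WPA2 only,
 ! "tkip" alone = WPA1 only. Later autonomous IOS releases also accept
 ! "authentication key-management wpa version 2" under the SSID.
 encryption vlan 18 mode ciphers aes-ccm tkip
 ssid FrontOffice-WPA
!
! VLAN 18 must be bridged between the radio and the wired side.
interface Dot11Radio0.18
 encapsulation dot1Q 18
 bridge-group 18
!
interface FastEthernet0.18
 encapsulation dot1Q 18
 bridge-group 18
!
! Management VLAN 15 is the switch port's native VLAN, so it is untagged.
interface Dot11Radio0.15
 encapsulation dot1Q 15 native
 bridge-group 1
!
interface FastEthernet0.15
 encapsulation dot1Q 15 native
 bridge-group 1
```

"show dot11 associations" should list a joined client with the WPA key-management and cipher you expect; if clients associate but get no traffic, the usual cause is a missing bridge-group on one side of the VLAN 18 pair, or VLAN 18 not being in the switch port's allowed list.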


Cisco Console Time Outs

It is always a good idea to configure your equipment to time out idle sessions in case you get distracted. Not that we ever get pulled away from things in IT work.

exec-timeout 5 – apply a five-minute idle timeout under line con 0, line aux 0, line vty 0 4 and any other lines. The full form is exec-timeout minutes [seconds]; note that exec-timeout 0 0 disables the timeout entirely, so watch for it when auditing configs.


Cisco Devices and HTTP

As a rule, running the web interface on a Cisco device is a bad idea, but there are times when you may have to, since some of Cisco's management tools expect it.

no ip http server – Turn HTTP off whenever possible.

ip http secure-server – If you have to run web management, use HTTPS so the session is encrypted. This needs a crypto-capable IOS image, and enabling it does not switch plain HTTP off, so keep the "no ip http server" line as well.

ip http access-class XX – Apply a standard ACL so only your management hosts can reach the web interface, where XX is the number of that ACL.


Cisco Router Global Commands

Here is some follow-up to my previous post on interface-level commands. Here are some to consider for global config mode.

no ip source-route – Source routing lets the sender of a packet dictate the path it takes through the network instead of following the routes chosen by the internal network's routing protocols, which can be used to bypass filtering.

no service tcp-small-servers – Disables the TCP echo, discard, daytime and chargen services. They rarely serve any purpose on a modern network and should be disabled on all routers.

no service udp-small-servers – Disables the UDP echo, discard, daytime and chargen services. These are old-school services rarely of any use on a modern network, and the UDP ones can be abused for traffic reflection.

no ip finger – The finger service can allow remote users to find out who is logged into the router. Usernames are not something you want to give away easily.

service password-encryption – This ensures passwords are not saved in the configuration in clear text. It only applies type 7 obfuscation, which is trivially reversible, so use "enable secret" and "username ... secret" for anything that matters.

security passwords min-length 10 [Starting IOS 12.3(1)] – This requires local passwords to be a minimum of ten characters in length.

no service password-recovery – This option should only be used on network equipment in sites where there is not a high level of physical security or on-site IT staff: secondary warehouses, sales offices or remote distribution sites, for example. It prevents any manual password bypass from the console without wiping the existing configuration, so make sure the passwords are escrowed somewhere before turning it on.

security authentication failure rate 5 log – This causes a 15-second authentication delay after 5 failed attempts and sends a syslog alert message.

login delay 15 [Starting IOS 12.3(4)T] – This causes a 15-second delay between successive login attempts, which reduces the effectiveness of dictionary attacks.

login block-for 120 attempts 10 within 60 [Starting IOS 12.3(4)T] – This puts the router into quiet mode, refusing all login attempts for 120 seconds, if 10 failed attempts occur within 60 seconds (the "within" window is required by the command syntax; 60 seconds is an example value). This also reduces the effectiveness of dictionary attacks. Pair it with "login quiet-mode access-class" so your own management hosts are not locked out while the router is in quiet mode.

banner motd – A login warning banner should be in use on all network devices that support it. It may be customized to be acceptable for a given country.


Cisco Router Interface Commands

I wrote a guidelines document at work this week pulling together many different commands for Cisco routers, switches, etc. that our IT group should be using to better secure things. Granted, we already do most of these, but I wanted one document to get everyone on the same page and help any newer staff. This is the first section: commands to apply to all router interfaces. I cover this in the upcoming In the Trenches show in the Cisco Corner. Next time we move into commands for global config mode.

no ip unreachables – ICMP unreachable replies are sent whenever a host attempts to send a packet to a destination that doesn't exist or isn't supported. Disabling unreachables makes network mapping harder.

no ip directed-broadcast – This prevents Smurf attacks, in which a ping to the network's broadcast address causes all hosts to send replies to the (spoofed) source of the ping. It has been the default since IOS 12.0, but setting it explicitly does no harm.

no ip proxy-arp – Proxy ARP lets the router answer ARP requests on behalf of remote destinations, so hosts with no default gateway configured can still reach them: clients send to the router, which transparently relays to the far end. It is rarely needed on a properly configured network and widens the router's exposure on the segment, so turn it off unless something depends on it.

no ip redirects – ICMP redirects let the router tell hosts to use a different gateway for a destination, and a forged redirect can be used to change how packets are routed through a network.

no cdp enable – CDP is the Cisco Discovery Protocol, which advertises the platform, IOS version and interface addresses of the router to whatever is plugged into each interface. CDP should be disabled on all Internet-facing interfaces.
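Pulling the interface commands above together with the global commands, the console time-out and the HTTP settings from the earlier posts, here is an added example of how they fit into one router config. It is not the guidelines document itself; the interface names, addresses, ACL 10 and the banner text are placeholders, and the "within 60" window on login block-for is an example value.

```cisco
! Added example, not the original guidelines document. Interface names,
! addresses (RFC 5737 / RFC 1918 ranges) and ACL 10 are placeholders.
!
! --- Global ---
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip source-route
security passwords min-length 10
security authentication failure rate 5 log
!
! Login throttling. Quiet mode would also shut out admins, so exempt the
! management hosts; log failures so the syslog server sees the attack.
login block-for 120 attempts 10 within 60
login delay 15
login quiet-mode access-class 10
login on-failure log
!
! Web management: HTTP off. If a management tool needs it, HTTPS only
! and only from ACL 10. secure-server does not disable plain HTTP, so
! the "no" line stays.
no ip http server
ip http secure-server
ip http access-class 10
!
access-list 10 remark management hosts: HTTPS, VTY, quiet-mode exemption
access-list 10 permit 10.10.0.0 0.0.0.255
!
! Only for sites with no physical security; a lost password then means a
! config wipe. Left commented out here on purpose.
! no service password-recovery
!
banner motd ^
Authorized use only. All activity is monitored and logged.
^
!
! --- Interfaces ---
interface GigabitEthernet0/0
 description Internet facing
 ip address 203.0.113.2 255.255.255.252
 no ip unreachables
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
 no cdp enable
!
interface GigabitEthernet0/1
 description Inside / management LAN (CDP left on for the inside switches)
 ip address 10.10.0.1 255.255.255.0
 no ip unreachables
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
!
! --- Lines: idle time-out everywhere, VTY reachable only from ACL 10 ---
line con 0
 exec-timeout 5 0
line aux 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 access-class 10 in
```

To audit a box against this, "show ip interface GigabitEthernet0/0" reports in plain words whether unreachables, redirects, proxy ARP and directed broadcasts are enabled on that interface; "show login" shows the block-for settings and whether the router is currently in quiet mode; and "show running-config | include http" confirms that only the secure server is on.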

Read More