Archive for the ‘Cisco’ Category

Too Many Passwords? NPS/RADIUS on Windows Server 2008

January 24, 2011

I had a requirement to add Network Policy Server so that Cisco devices could authenticate administrators against Active Directory:

Network Policy Server Setup for AD:

  • Create an AD global security group in the domain (cisco.admin).
  • Install the NPS components from the Roles console in Windows Server 2008.
  • Install Network Policy Server.
  • Install Routing and Remote Access Services.
    • Install the Remote Access Service component.
    • Install the Routing component.
  • Launch the NPS console.
  • Add the RADIUS client (RADIUS Clients and Servers > RADIUS Clients > New):
    • Friendly Name:  Router1
    • IP Address:  192.168.1.254
    • Shared Secret:  CiscoRocks
    • Advanced > Vendor:  Cisco
  • Add the remote access policy (Policies > Network Policies > New):
    • Name:  CiscoAuth
    • Access Permission:  Granted
    • Conditions: Add > Windows Groups > cisco.admin
    • Constraints: Authentication > Unencrypted authentication (PAP, SPAP)
    • Idle Timeout:  10 minutes
    • Settings:
      • Service-Type = Login
      • Framed-Protocol = PPP

RADIUS Setup for Cisco Device:

  • Configure a local user.
  • Configure SSH.
  • Configure a Loopback interface.
  • aaa new-model
  • radius-server host 192.168.1.10 auth-port 1645 acct-port 1646 key CiscoRocks
  • aaa authentication login AUTH group radius group ADRADIUS local
  • ip radius source-interface Loopback0
  • aaa group server radius ADRADIUS
    • server 192.168.1.10
  • line vty 0 4
    • login authentication AUTH
  • Allow 1723 & GRE in any ACLs between hosts.

Debug Commands:

debug aaa authentication
debug radius authentication
term mon
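As an added example (not part of the original post), this Python builds the PAP Access-Request that Router1 would send under the policy above (Service-Type = Login, Framed-Protocol = PPP, shared secret CiscoRocks) and verifies the Response Authenticator on the reply, both exactly as RFC 2865 specifies. It shows what the shared secret actually protects when PAP is allowed: the User-Password hiding and the integrity of the Access-Accept. The username, password and packet identifier are constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7
SERVICE_TYPE_LOGIN = FRAMED_PROTOCOL_PPP = 1  # the two values the NPS policy above sets


def attr(attr_type, value):
    """One attribute TLV; the length octet counts the type and length octets too."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def pap_xform(data, secret, request_auth, hide):
    """RFC 2865 5.2 User-Password hiding: b_i = MD5(secret + c_(i-1)), c_0 = Request Authenticator,
    c_i = p_i XOR b_i. hide=True turns the null-padded password into ciphertext; hide=False reverses it.
    Nothing but the shared secret protects the password, so a guessable secret exposes every login."""
    padded = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = padded[i:i + 16]
        block = bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else chunk)
    return out if hide else out.rstrip(b"\x00")


def build_access_request(user, password, secret, nas_ip, ident, request_auth=None):
    """Access-Request as the router would send it to NPS; returns (packet, request_authenticator)."""
    request_auth = request_auth or os.urandom(16)  # 16 random octets per RFC 2865 3
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_xform(password.encode(), secret, request_auth, hide=True))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
             + attr(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code | Identifier | Length | RequestAuth | Attributes | Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def verify_response(reply, request_auth, secret):
    """The NAS must check this before honouring an Access-Accept: a reply forged without the secret fails."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)
```

The same checks run when you read `debug radius authentication` output: the Request Authenticator in the debug trace is the `request_auth` above, and an Access-Accept whose authenticator does not verify is silently dropped by IOS.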

No inter-VLAN comms? A classic example of KISS

January 22, 2011

So, here’s the problem (exhibit below):

  • You have 2 VLANs terminated on a firewall, each with its own subnet (VLAN100 & VLAN200).
  • Both VLANs are configured identically.
  • VLAN100 has subnet 192.168.192.192/28.
  • VLAN200 has subnet 192.168.192.208/28.
  • The VLANs lead to two separate virtual servers on the same physical host (vServer1 & vServer2).
  • VLAN100 has full IP connectivity to other VLANs and to the Internet.
  • The virtual server on VLAN200 can PING its default gateway on the firewall.
  • The firewall can PING the virtual server on VLAN200.
  • The virtual server on VLAN200 can’t reach any other IP-connected host or interface, including the virtual server on the same physical host.

What’s the solution?

[Figure: VLAN Configuration]

Drum roll please…

The default gateway on vServer2 had been set to the network address, 192.168.192.208, instead of the actual next hop, 192.168.192.209.

Moral of the story: always verify the obvious, in spite of assurances from Windows Admins, and Keep It Simple, Stupid!

Can’t believe I wasted 30 minutes trawling through configs for this! Grumble, grumble…