Thursday, 20 October 2011 (B.E. 2554)

An ISR 819 Router in Extreme Conditions

The ultimate router: the Cisco ISR819 is tough, rugged and resilient, so you can deploy it right in areas at risk of flooding :)

Thursday, 15 September 2011 (B.E. 2554)

Cut Through Authentication on the ASA


Cut-Through Authentication proxy on the ASA is an excellent way to track and authorize users when they access resources on the network that you may not originally want them to access. I have used it to track user activities, to authorize users to network devices that they should not be accessing whenever they feel like it, and to give a user a way to override the firewall policies that have been defined for a given subnet. In other words, it is a very useful function, and I believe its function is vital for users as well as for the network administrator. Just so you know, this feature is much like the Auth-Proxy or Network Admission technologies on an IOS router.

Here is the topology we will be working with. I have set up a PC so we can simulate a typical user experience.



Guidelines

Any user on the 192.0.2.0/24 subnet (Inside) will have to authenticate through the ASA when accessing the IOS Firewall Router.
This user authentication through the ASA will be of the most secure form.
The ASA will use local authentication for the users for the time being.

Setup Cut-Through Proxy

So the first step would be to define IP addressing and initialize interfaces as well as routing. The HTTP services have been enabled on the IOS router as well as local authentication/authorization of users to this service. We will focus our efforts on the ASA for our cut through authentication.

So step one is to make sure we have connectivity to the devices first. Let us make sure we can ping 198.18.0.2 from our PC (the PC is 192.0.2.100 in my environment).

C:\ >ping 198.18.0.2
Pinging 198.18.0.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 198.18.0.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Ok, already not a good start. From the ASA I can ping the PC as well as the IOS router, and the default gateway of each of these devices points to the ASA. Hmmm. Don't forget about ICMP inspection, or allowing ICMP echo-replies back through the firewall on the outside interface. Here we will inspect ICMP.

ciscoasa(config)# fixup protocol icmp
INFO: converting 'fixup protocol icmp ' to MPF commands
Ok, now let's try our ping again:

C:\ >ping 198.18.0.2
Pinging 198.18.0.2 with 32 bytes of data:
Reply from 198.18.0.2: bytes=32 time<1ms TTL=63
Reply from 198.18.0.2: bytes=32 time<1ms TTL=63
Reply from 198.18.0.2: bytes=32 time<1ms TTL=63
Reply from 198.18.0.2: bytes=32 time<1ms TTL=63
Ping statistics for 198.18.0.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Ok, that looks better. The other test I like to do is to access the HTTP server on the IOS router and make sure we can get the router's default web page, so we know this worked before we start our configuration. That leaves one less thing to check if it doesn't work later. So let's define an access-list to classify the interesting traffic for cut-through proxy:

ciscoasa(config)# access-list ctap permit ip any host 198.18.0.2
And let’s configure our local username and password as our guidelines say to use the local database:

ciscoasa(config)# username cisco password cisco
Now we will enable cut-through proxy with our interesting traffic and local database authentication:

ciscoasa(config)# aaa authentication match ctap inside LOCAL
So what we should see at this point, when we browse to the IOS router again, is a web authentication box popping up and asking us for credentials. This is the cut-through authentication service requesting user credentials before allowing the connection on to the IOS router. We enter our credentials of cisco/cisco, click "OK" on the web authentication prompt, and we should now be allowed through to the IOS router.

Let's verify the user on the ASA:

ciscoasa(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        1          1
user 'cisco' at 192.0.2.100, authenticated
absolute   timeout: 0:05:00
inactivity timeout: 0:00:00
The ASA gives us another option for how the user authentication experience is presented. Instead of the popup, we can have a web page display the authentication prompt. It is a little more user friendly this way and is more like the auth-proxy HTTP web page from an IOS router, only better. To do this we enter the following command:

ciscoasa(config)# aaa authentication listener http inside redirect
With the above option we could also have the authentication page served on another port if needed, by adding the "port <number>" argument to the command shown above.

Our guidelines actually call for the most secure mode of communication, and using HTTP in this fashion is not secure at all: the credentials travel in cleartext. So we will change our configuration so that we request the user credentials over HTTPS.

To do this, we enter two commands:

ciscoasa(config)# aaa authentication listener https inside redirect
ciscoasa(config)# aaa authentication secure-http-client
Now, depending on how the ASA is configured for PKI support, you will either come to a page with a certificate warning or go right to the authentication page. This is now a secure login screen for the user.
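To turn the guidelines into a repeatable check, here is an added example (my own script, not from the post or from Cisco) that audits a pasted ASA configuration for the cut-through settings above: the match rule, its ACL, and whether the credential prompt is served over HTTPS. The two configuration fragments are constructed samples, and the policy it enforces is an assumption derived from the guidelines.

```python
import re

# Constructed sample configs (not from a real device): the post's "http" setup
# and the "https + secure-http-client" setup it ends with.
WEAK_CONFIG = """\
access-list ctap permit ip any host 198.18.0.2
username cisco password cisco
aaa authentication match ctap inside LOCAL
aaa authentication listener http inside redirect
"""
SECURE_CONFIG = WEAK_CONFIG.replace("listener http", "listener https") + \
    "aaa authentication secure-http-client\n"

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) ip (.+)$")
MATCH_RE = re.compile(r"^aaa authentication match (\S+) (\S+) (\S+)$")
LISTENER_RE = re.compile(
    r"^aaa authentication listener (https?) (\S+)(?: port \d+)? redirect$")

def audit_cut_through(config, protected_host):
    """Return findings (empty list = OK) for the cut-through proxy policy.

    Hypothetical policy taken from the post's guidelines: a match rule must
    exist, its ACL must cover the protected host, and the credential prompt
    must be served over HTTPS (https listener plus secure-http-client).
    """
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = {}
    for l in lines:
        m = ACL_RE.match(l)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    findings = []
    matches = [m for m in map(MATCH_RE.match, lines) if m]
    if not matches:
        findings.append("no 'aaa authentication match' rule: cut-through proxy is off")
    for m in matches:
        acl, iface, _server = m.groups()
        entries = acls.get(acl)
        if entries is None:
            findings.append(f"ACL {acl} referenced on {iface} is not defined")
        elif not any(a == "permit" and f"host {protected_host} " in rest + " "
                     for a, rest in entries):
            findings.append(f"ACL {acl} does not classify traffic to {protected_host}")
    schemes = {m.group(1) for m in map(LISTENER_RE.match, lines) if m}
    if "https" not in schemes:
        findings.append("no https listener: credential prompt is not served over HTTPS")
    if "aaa authentication secure-http-client" not in lines:
        findings.append("secure-http-client missing: credential prompt not forced to HTTPS")
    return findings
```

Paste the output of `show running-config` into `config` and the script reports the same gap the post walks through: the HTTP-only setup yields two findings, the HTTPS setup yields none.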

This concludes our quick introduction to Cut-Through Authentication on the ASA. There are several more features that can become involved, such as adding an ACS server for authentication/authorization, virtual telnet/http, and even downloadable access-lists that can override an interface access-list. Join me in future posts where we will discuss these enhancements. I hope this is useful to you, and thank you for visiting this post.

Wednesday, 14 September 2011 (B.E. 2554)

How to enable web-based authentication on Cisco Catalyst Series Switches

Use the web-based authentication feature, known as web authentication proxy, to authenticate end users on host systems that do not run the IEEE 802.1x supplicant. You can configure web-based authentication on Layer 2 and Layer 3 interfaces.

When you initiate an HTTP session, web-based authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the users. The users enter their credentials, which the web-based authentication feature sends to the authentication, authorization, and accounting (AAA) server for authentication.
If authentication succeeds, web-based authentication sends a Login-Successful HTML page to the host and applies the access policies returned by the AAA server.
If authentication fails, web-based authentication forwards a Login-Fail HTML page to the user, prompting the user to retry the login. If the user exceeds the maximum number of attempts, web-based authentication forwards a Login-Expired HTML page to the host, and the user is placed on a watch list for a waiting period.

This example shows how to enable web-based authentication:

Switch(config)# ip admission name webauth1 proxy http
Switch(config)# interface fastethernet 5/1
Switch(config-if)# ip admission webauth1
Switch(config-if)# exit
Switch(config)# ip device tracking

This example shows how to verify the configuration:

Switch# show ip admission configuration
Authentication Proxy Banner not configured
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
Auth-proxy name webauth1
http list not specified inactivity-time 60 minutes
Authentication Proxy Auditing is disabled
Max Login attempts per user is 5

Monday, 15 August 2011 (B.E. 2554)

What is Cisco Virtualization Experience Infrastructure (VXI)?

Cisco VXI is an end-to-end system that spans three architectures: Borderless Networks, Collaboration, and Data Center/Virtualization, to deliver a fully virtualized collaborative workspace. VXI enables IT organizations, business owners, and end-users to benefit from the convergence of virtual desktops and media-rich collaborative applications, hosted by Cisco's data center fabric and delivered across a pervasive, secure and efficient networking infrastructure to any device, anywhere. This provides users a converged virtual desktop that embraces the suite of communications tools that workers depend on today without sacrificing user experience.

VXI de-risks the move to the fully virtualized collaborative workspace, by providing an end-to-end system and roadmap that’s underpinned by Cisco Validated Designs, enabling organizations to move from small pilots to large scale production, with consistent performance, and predictable results.

What is Desktop Virtualization and VDI?

Desktop virtualization is a mainstream IT initiative designed to improve the flexibility and security of traditional desktops while reducing costs. VDI, the fastest-growing desktop virtualization model, is estimated by Gartner to grow by 56 million desktops between 2012 and 2014. VDI abstracts the operating system, applications, and user profile settings traditionally associated with a user's desktop, and delivers a virtualized instance of the desktop, hosted on a server-based virtual machine within a data center infrastructure.

Cisco has partnered with the desktop virtualization leaders Citrix and VMware to deliver optimized desktop virtualization infrastructure solutions based on Cisco UCS, as a pillar of the broader Cisco VXI cross-architecture initiative.

What are the Benefits of Cisco Data Center Fabric for VXI?

Cisco's Data Center Fabric and Cisco UCS are ideally suited to hosting desktop virtualization, and form a key pillar of the broader VXI solution by offering:

A highly scalable data center fabric that delivers consistent application performance and user experience from hundreds of users through thousands of users
A simplified IT operational model that enables the rapid deployment and scaling of virtual desktops with greater efficiency and reduced cost
A more secure, controlled environment that ensures desktop workloads are isolated from mission-critical enterprise applications, while enabling virtual-machine level policy

Thursday, 11 August 2011 (B.E. 2554)

New 200/300 Series Switching Maintenance Release V.1.1

Today I will update you on the new features on the switches in the SBTG (Small Business Technology Group) product line. Cisco has added two main new features, which I describe below.

1. Voice feature – The switch can now create a Voice VLAN on the same interface as the Data VLAN via CDP (Cisco Discovery Protocol). This can be done through Smartport in the CCA software (Cisco Configuration Assistant, a free download) or in the GUI embedded in the switch itself. This feature is available on both the Cisco 200 (SLM switch) and the Cisco 300 (SRW switch).
2. CLI (Cisco Textview) – Those of you who have configured classic Cisco switches in the Catalyst family from the command line have probably been waiting for this feature. Personally, I think the CLI (Command Line Interface) lets us capture the configuration details more thoroughly; with a GUI (Graphical User Interface) there are corners we can easily forget to check.

Building a configuration template for the CLI is also easier: it is just one small text file, and anyone with a bit of knowledge can glance at the template and pick up almost all the details immediately. That is the benefit of configuring switches from the command line. The Cisco 300 Series (SRW switch) now provides this in the new firmware release 1.1 (anyone still on release 1.0 can download release 1.1 and upgrade the switch firmware). The commands are very similar to those on classic Cisco, so we are not confused by them; for example, show run displays the full configuration.