Configuring link aggregation between a Cisco and ProCurve switch

This scenario configures link aggregation between a Cisco Catalyst 3560-8 switch (IOS version 12.2.53) and an HP ProCurve 2610-48 switch (firmware version R.11.22) using the LACP protocol.

Cisco refers to an aggregated link as a “channel-group” whereas HP refers to it as a “Trunk”. To confuse things even more Cisco refers to an 802.1q tag port as “Trunk” where as HP refers to it as “Tagged”.

Cisco switch configuration

Configure the trunk on interfaces fa 0/1 and 0/2, configure as Trunk and create a Channel Group.

Create VLAN 600/601 and define IP addresses

Continue reading Configuring link aggregation between a Cisco and ProCurve switch

Configuring Citrix Web Interface and Load Balancing with Windows NLB

To configure Windows server 2008 R2 to load balance Citrix Web Interface 5.x is very simple procedure. The following procedure describes the basic steps involved.

Configure Citrix Web Interface

Open the Citrix Web Interface Management console

Click “XenApp Web Sites” and click “Create Site”

Modify the IIS site settings if required

Click “Set as the default page for the IIS site”

Specify the point of the authentication as “At Web Interface”

Click “Next” to finish creation of the site

Once the site is successfully created click “Next” to configure the site

Specify the Citrix Farm name, Citrix Servers and the XML port

Continue reading Configuring Citrix Web Interface and Load Balancing with Windows NLB

Configuring Citrix Receiver/Online Plug-in via Group Policy

To automatically configure Citrix Receiver or Online Plug-in with the Web Server Address on client computers you can utilise Group Policy Preferences to create the necessary registry key.

  • Create a new or modify an existing GPO and browse to Computer Configuration > Preferences > Windows Settings > Registry

  • Create “New” > “Registry Item”

Action – Replace

Hive – “HKEY_LOCAL_MACHINE”

Key Path – SOFTWARE\Citrix\PNAgent (32-bit client computers) OR

Key Path – SOFTWARE\Wow6432Node\Citrix\PNAgent (64-bit client computers)

Value Name – ServerURL

Value Type – REG_SZ

Value Data – http://SERVERNAME/Citrix/PNagent/config.xml

  • Click OK to finish
  • Once the Group Policies have been refreshed on the client computers, the registry entries should have been enforced.

  • Running the Citrix Online Plug-in should reveal the setting changes have been applied.

Troubleshooting WSUS

Clients disappearing from WSUS Console

Client computers registered in the WSUS console appeared to disappear / overwrite each other. Research revealed this was related to the fact the OS was imaged and the servers had an identical “SusClientID” registry key entries.

To resolve this issue, perform the following steps

  • Delete the SusClientId registry key

reg delete “HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate” /v SusClientId /f

  • Restart the “Windows Update” service

net stop wuauserv
net start wuauserv

  • Reset the WSUS authorization. From a command line enter the following command

wuauclt /resetauthorization /detectnow

Automatic Update client unable communicate with WSUS Server – Error 80072ee2

Several computers (all running Server 2008) failed to communicate with the internal WSUS server. The servers were not experiencing any networking problems and there was no firewall blocking traffic. Checking the C:\Windows\WindowsUpdate.log revealed the following error message.

WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <192.168.1.254>

Researching the issue revealed that Window Update does NOT rely on Internet Explorer’s Proxy server settings (which in this instance were blank) but rather the WinHTTP service. This service is configured via netsh.

  • Run “netsh winhttp show proxy” to show the whether WinHTTP proxy is configured

  • Run “netsh winhttp reset proxy” to connect to Internet directly without using any kind of proxy server.
  • Force Update detection by running “wuauclt /detectnow” from a command prompt

Checking the WindowsUpdate.log file again, browse to the end of the log file should start logging entries

2012-02-22    14:17:54:295     780    d5c    AU    Triggering AU detection through DetectNow API

2012-02-22    14:17:54:295     780    d5c    AU    Triggering Online detection (non-interactive)

2012-02-22    14:17:54:295     780    1fd4    AU    #############

2012-02-22    14:17:54:295     780    1fd4    AU    ## START ## AU: Search for updates

2012-02-22    14:17:54:295     780    1fd4    AU    #########

Check the WSUS console after a period of time will hopefully reveal the client server is now able to communicate successfully.

Configuring Windows Server 2008 R2 Roles via Powershell

 

The following commands are useful when

  • Open Powershell
  • Type “Import-Module servermanager” to import the servermanager module into powershell. Failure to do so will mean the following commands will not work.
  • To list the Roles type “Get-WindowsFeature“.

  • To install a Windows Role type “Add-WindowsFeature NAME”. NAME refers to the name of the Role listed under the Name column when the Get-WindowsFeature command was run.
  • To install multiple Roles at the same time simple put a comma between role names

E.g. Add-WindowsFeature DHCP, Print-Server

  • To remove an installed Role simply type “Remove-WindowsFeature NAME”

Configuring 802.1x authentication on Cisco Catalyst switches

This post describes how to configure a Cisco Catalyst switch and a RADIUS server for 802.1x authentication. It is assumed that a Windows 2008 Active Directory domain, Certificate Authority and NPS RADIUS is already installed.

Configuring the Switch

Switch# configure terminal
Switch(config)# aaa new-model
Switch1(config)# radius-server host 192.168.20.20 key cisco123
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end 

Configuring the RADIUS Server

  • Open the “Network Policy Server” MMC console
  • Click “Policies” > “Network Policies”
  • Create a new “Network Policy” with a descriptive name e.g. “dot1x Authentication Policy”. Click Next
  • “Specify Condition”, click Add and select the “Machine Groups” option, add the “Domain Computers” group. Click Next
  • “Access Granted”, ensure “Access granted” is select. Click Next
  • “Constraints”, select “Authentication Methods”. For “EAP Types” click Add and select “Microsoft: Protected EAP (PEAP). Click Next


Continue reading Configuring 802.1x authentication on Cisco Catalyst switches

Configuring a Cisco Switch for AAA with Windows NPS RADIUS

This post provides step by step commands to configure a Cisco Catalyst switch to authenticate administrator users to a Windows 2008 R2 NPS RADIUS server.

Configuring the Switch

The first step is configuring the switch to use RADIUS authentication.
Switch1(config)# aaa new-model
Switch1(config)# aaa authentication login AAA_RADIUS group radius local
Switch1(config)# radius-server host 192.168.20.20 key cisco123
Switch1(config)# line vty 0 4
Switch1(config-line)# login authentication AAA_RADIUS

Configuring the Windows RADIUS Server

Assuming NPS is already installed and configured correctly we need to define a RADIUS client and create a Network Policy.

  • Open the NPS console and select “RADIUS Clients”
  • Create a new “RADIUS Client” specifying the IP address and the shared secret as used in the Cisco configuration (cisco123)
  • Once completed click OK
  • Select “Policies” > “Network Policies”
  • Create a new Network Policy called “Authenticating Helpdesk users for Switches”, leave “Type of network access server” to be UNSPECIFIED
  • Add a “Condition” of “Windows Groups” , choose a suitable domain group e.g. “NetAdmins”. Add more conditions if required.
  • “Specify Access Permission” as “Granted”
  • “Configure Authentication Methods”, untick all pre-select methods (MS-CHAPv2 and MS-CHAP) and tick “Unencrypted authentication (PAP,SPAP). Click Next
  • “Configure Contraints”, nothing to configure. Click Next
  • “Configure Settings”, select “Standard” and remove “Framed-Protocol” and “Service Type”
  • Add a new attribute of “Service Type” and a value of “Login”
  • “Configure Settings”, select “Vendor Specific”
  • Click “Add”, select “Cisco” from the drop down box
  • Click “Add” and click “Add” again

Continue reading Configuring a Cisco Switch for AAA with Windows NPS RADIUS

PacketU

What's on your wire[s]?

popravak

Just another WordPress.com site

mrn-cciew

My CCIE Wireless Journey & More.....

CCIE or Null!

My journey to CCIE!

Daniels networking blog

Networking articles by CCIE #37149

DreezSecurityBlog

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.

Danielhertzberg's Blog

My name is Daniel Hertzberg CCIE#37401 I blog about all things Network!

Packet6

Network & Wireless Engineering