
Configuring Cisco IOS SSL-VPN with RADIUS

This post describes how to configure a Cisco IOS router for WebVPN (SSL VPN). Cisco ISE (v2.1) is used as the RADIUS server for both authentication and authorization. For testing, group membership determines which RADIUS attributes are pushed to the connecting client.

RADIUS Server Configuration

For authorization, Admin users will be permitted to use split tunnelling. These settings are controlled centrally on ISE and pushed to the client only after it passes authorization, so the router itself holds no per-group VPN policy.

Step 1 – Define Network Device

Add the router as a Network Device, making sure to enter the RADIUS shared secret; it must match the shared secret configured on the router, otherwise ISE will silently drop the router's requests.



CCNP ROUTE 2.0: Telnet, VTY, AAA

Telnet to VTY Line

By default the VTY lines are configured with the command “login”:

line vty 0 4
 login

If you attempt to telnet to the device without a password set on the VTY line you get the error “Password required, but none set”. You must set a password under the VTY line with the command “password XXXXXX”:

line vty 0 4
 password XXXXXX
 login

Bear in mind that Telnet sends this password across the network in clear text; it is fine for lab work, but SSH (covered in the post on securing VTY lines) is the only acceptable option on a production network.


Securing VTY lines on Cisco Router/Switches

It is best practice not only to control who can reach the VTY lines of a Cisco switch or router, but also to encrypt the management traffic itself. This post describes how to enable SSH and configure a basic ACL that permits management sessions only from a trusted source IP subnet.

Configure the Cisco device with a hostname and a domain name; both are required before an RSA key pair can be generated (example.com is a placeholder, use your own domain):

Switch(config)# hostname 3560-1
3560-1(config)# ip domain-name example.com

Generate the RSA key pair with a modulus larger than the default of 512 bits (SSH version 2 requires at least 768 bits, and 2048 bits is the recommended size today), then restrict the device to SSH version 2 and set the authentication retry limit and the negotiation timeout:

3560-1(config)# crypto key generate rsa modulus 2048
3560-1(config)# ip ssh version 2
3560-1(config)# ip ssh authentication-retries 3
3560-1(config)# ip ssh time-out 90

Note that “ip ssh time-out” (maximum 120 seconds) limits how long the SSH negotiation may take, not how long an idle session stays open; idle sessions are controlled by “exec-timeout” under the line.
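Once the remaining steps (restricting the VTY lines to SSH and binding an access-class) are applied, it is worth verifying the result from the running-config rather than trusting that the commands took. The following is an added example and not code from this blog: a small Python audit that parses “show running-config” text and reports VTY lines that still accept Telnet, have no inbound access-class, reference an ACL that is never defined (an undefined or empty ACL filters nothing), or still rely on a line password with plain “login”. The two configurations embedded in it are constructed samples; MGMT_HOSTS, example.com and 10.10.10.0/24 are placeholders.

```python
"""Audit Cisco IOS running-config text for VTY hardening. Added example with constructed sample configs."""
import re
from typing import Dict, List

# Constructed sample: the Telnet-era state (line password, plain 'login', no SSH, no ACL).
WEAK_CONFIG = """\
hostname 3560-1
!
line vty 0 4
 password XXXXXX
 login
!
"""

# Constructed sample of the hardened state; MGMT_HOSTS and 10.10.10.0/24 are placeholders.
HARDENED_CONFIG = """\
hostname 3560-1
ip domain-name example.com
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 90
!
ip access-list standard MGMT_HOSTS
 permit 10.10.10.0 0.0.0.255
 deny any log
!
line vty 0 4
 access-class MGMT_HOSTS in
 login local
 transport input ssh
!
"""


def parse_ios_config(text: str) -> Dict[str, List[str]]:
    """Map each top-level command to its indented sub-commands (IOS indents them by one space;
    a blank line or '!' ends the block). Single-line commands map to an empty list."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def acl_is_defined(sections: Dict[str, List[str]], name: str) -> bool:
    """Named ACLs appear as 'ip access-list standard|extended NAME'; numbered ones as 'access-list N ...'."""
    return (f"ip access-list standard {name}" in sections
            or f"ip access-list extended {name}" in sections
            or any(key.startswith(f"access-list {name} ") for key in sections))


def audit_vty(config_text: str) -> List[str]:
    """Return one finding per weakness; an empty list means the VTY lines look hardened."""
    sections = parse_ios_config(config_text)
    findings: List[str] = []
    if "ip ssh version 2" not in sections:
        findings.append("global: 'ip ssh version 2' not set, SSHv1 may be negotiated")
    vty_blocks = {k: v for k, v in sections.items() if k.startswith("line vty")}
    if not vty_blocks:
        findings.append("global: no 'line vty' block found")
    for name, cmds in vty_blocks.items():
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: 'transport input ssh' missing, Telnet may be accepted")
        match = next((m for m in (re.match(r"access-class (\S+) in\b", c) for c in cmds) if m), None)
        if match is None:
            findings.append(f"{name}: no inbound 'access-class', any source may connect")
        elif not acl_is_defined(sections, match.group(1)):
            # An access-class naming an ACL that does not exist applies no filtering at all.
            findings.append(f"{name}: access-class '{match.group(1)}' refers to an undefined ACL, nothing is filtered")
        if "login" in cmds and any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: line password with plain 'login', prefer 'login local' or an AAA method list")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vty(cfg) or ["no findings"])
```

The RSA key pair is not part of the running-config, so the modulus cannot be audited this way; check it on the device with “show ip ssh” or “show crypto key mypubkey rsa”.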



Configuring 802.1x authentication on Cisco Catalyst switches

This post describes how to configure a Cisco Catalyst switch and a RADIUS server for 802.1x port authentication. It is assumed that a Windows Server 2008 Active Directory domain, a Certificate Authority and an NPS RADIUS server are already installed.

Configuring the Switch

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# radius-server host <radius-server-ip> key cisco123
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end

Replace <radius-server-ip> with the address of the NPS server; the key must match the shared secret entered for the switch as a RADIUS client in NPS. Once “dot1x port-control auto” is applied, the port passes no traffic other than EAPOL until the client authenticates.

Configuring the RADIUS Server

  • Open the “Network Policy Server” MMC console
  • Click “Policies” > “Network Policies”
  • Create a new “Network Policy” with a descriptive name, e.g. “dot1x Authentication Policy”. Click Next
  • “Specify Conditions”, click Add and select the “Machine Groups” option, then add the “Domain Computers” group. Click Next
  • “Specify Access Permission”, ensure “Access granted” is selected. Click Next
  • “Configure Constraints”, select “Authentication Methods”. For “EAP Types” click Add and select “Microsoft: Protected EAP (PEAP)”. Click Next



Configuring a Cisco Switch for AAA with Windows NPS RADIUS

This post provides step-by-step commands to configure a Cisco Catalyst switch to authenticate administrative users against a Windows Server 2008 R2 NPS RADIUS server.

Configuring the Switch

The first step is to configure the switch to use RADIUS authentication, with the local user database as a fallback. Note that “group radius local” only falls back to local accounts when no RADIUS server answers, not when RADIUS rejects the login, so define a local user before applying the method list to the VTY lines or a RADIUS outage can lock you out.

Switch1(config)# aaa new-model
Switch1(config)# aaa authentication login AAA_RADIUS group radius local
Switch1(config)# radius-server host <radius-server-ip> key cisco123
Switch1(config)# line vty 0 4
Switch1(config-line)# login authentication AAA_RADIUS

Replace <radius-server-ip> with the address of the NPS server.

Configuring the Windows RADIUS Server

Assuming NPS is already installed and configured correctly we need to define a RADIUS client and create a Network Policy.

  • Open the NPS console and select “RADIUS Clients”
  • Create a new “RADIUS Client” specifying the IP address and the shared secret as used in the Cisco configuration (cisco123)
  • Once completed click OK
  • Select “Policies” > “Network Policies”
  • Create a new Network Policy called “Authenticating Helpdesk users for Switches” and leave “Type of network access server” as Unspecified
  • Add a “Condition” of “Windows Groups” and choose a suitable domain group, e.g. “NetAdmins”. Add more conditions if required.
  • “Specify Access Permission” as “Granted”
  • “Configure Authentication Methods”, untick all pre-selected methods (MS-CHAP v2 and MS-CHAP) and tick “Unencrypted authentication (PAP, SPAP)”. Click Next. PAP is required because IOS sends login credentials to RADIUS as PAP; it is protected only by the shared secret, so keep the RADIUS path on a management network.
  • “Configure Constraints”, nothing to configure. Click Next
  • “Configure Settings”, select “Standard” and remove “Framed-Protocol” and “Service Type”
  • Add a new attribute of “Service Type” and a value of “Login”
  • “Configure Settings”, select “Vendor Specific”
  • Click “Add”, select “Cisco” from the drop down box
  • Click “Add” and click “Add” again
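Every post above hinges on the RADIUS shared secret agreeing on both sides: the ISE network-device entry, the 802.1x switch's “radius-server host ... key”, and the NPS RADIUS client all configure the same value. The following is an added example, not code from these posts, from Cisco or from Microsoft. It builds an Access-Request carrying a PAP password (the method the NPS policy above enables), decodes it on the server, and shows how the NAS checks the Response Authenticator of the Access-Accept, so a reply from anyone without the secret is rejected. The secret “cisco123” mirrors the posts' example; the user “alice”, the NAS address 10.10.10.2 and the “shell:priv-lvl=15” AV pair are constructed values, and the AV pair is only an assumed illustration of a Cisco Vendor-Specific reply attribute, not what the cut-off step on the page adds.

```python
"""RADIUS Access-Request / Access-Accept with PAP, per RFC 2865 (added example, constructed values)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1             # the Service-Type = Login value the NPS policy sets
VENDOR_CISCO, CISCO_AVPAIR = 9, 1  # Vendor-Specific: IANA enterprise 9, sub-type 1 "cisco-avpair"

def pap_encrypt(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks; each block is XORed with MD5(secret + previous cipher block),
    the first with MD5(secret + Request Authenticator). This is obfuscation keyed by the secret, not encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_decrypt(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_encrypt; a server holding a different secret derives a different mask and gets garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    """Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26): Vendor-Id 9, then sub-type 1, sub-length and the attribute string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos + 2 <= length:
        kind, alen = pkt[pos], pkt[pos + 1]
        attrs.append((kind, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs

def build_access_request(ident, user, password, secret, nas_ip, request_auth=None):
    """NAS side (the switch or router). The 16-byte Request Authenticator must be fresh random per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

def response_auth(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def server_decode(request, secret):
    """Server side: recover the PAP password with the server's own copy of the shared secret."""
    _, _, req_auth, attrs = parse(request)
    return pap_decrypt(dict(attrs)[USER_PASSWORD], secret, req_auth)

def build_access_accept(request, secret, reply_attrs=b""):
    _, ident, req_auth, _ = parse(request)
    return packet(ACCESS_ACCEPT, ident, response_auth(ACCESS_ACCEPT, ident, reply_attrs, req_auth, secret), reply_attrs)

def nas_verify(request, response, secret) -> bool:
    """NAS side: trust the reply only if it matches this request's authenticator under the same secret."""
    _, ident, req_auth, _ = parse(request)
    code, r_ident, r_auth, _ = parse(response)
    expected = response_auth(code, r_ident, response[20:], req_auth, secret)
    return r_ident == ident and hmac.compare_digest(expected, r_auth)

def demo():
    secret, wrong = b"cisco123", b"cisco124"  # constructed; cisco123 mirrors the posts' example secret
    req = build_access_request(7, "alice", "S3cret!pw", secret, "10.10.10.2")  # constructed user and NAS
    # Reply attributes: Service-Type = Login as in the NPS steps; the AV pair is an assumed illustration only.
    reply = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)) + cisco_avpair("shell:priv-lvl=15")
    accept = build_access_accept(req, secret, reply)
    forged = build_access_accept(req, wrong, reply)  # an answer from someone without the real secret
    return {
        "server_sees": server_decode(req, secret),
        "mismatched_secret_sees": server_decode(req, wrong),
        "genuine_accepted": nas_verify(req, accept, secret),
        "forged_rejected": not nas_verify(req, forged, secret),
        "reply_attr_types": [kind for kind, _ in parse(accept)[3]],
    }
```

Two things the code makes visible that the GUI steps do not: a mismatched secret does not produce an error, the server simply decodes a wrong password and returns Access-Reject (or, on ISE, drops the request), which is why a “wrong secret” looks like a bad login; and the PAP password is protected by nothing stronger than MD5 keyed with the secret, so anyone who can capture RADIUS traffic and guess the secret recovers every administrator password, which is the reason to keep RADIUS on a management network, use a long random secret per device and, where supported, move to RadSec.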
