This post provides step-by-step commands to configure a Cisco Catalyst switch to authenticate administrator users against a Windows 2008 R2 NPS RADIUS server.
Configuring the Switch
The first step is configuring the switch to use RADIUS authentication.
Switch1(config)# aaa new-model
Switch1(config)# aaa authentication login AAA_RADIUS group radius local
Switch1(config)# radius-server host 192.168.20.20 key cisco123
Switch1(config)# line vty 0 4
Switch1(config-line)# login authentication AAA_RADIUS
Configuring the Windows RADIUS Server
Assuming NPS is already installed and configured correctly, we need to define a RADIUS client and create a Network Policy.
- Open the NPS console and select “RADIUS Clients”
- Create a new “RADIUS Client” specifying the IP address and the shared secret as used in the Cisco configuration (cisco123)
- Once completed click OK
- Select “Policies” > “Network Policies”
- Create a new Network Policy called “Authenticating Helpdesk users for Switches”, leaving “Type of network access server” as Unspecified
- Add a “Condition” of “Windows Groups” and choose a suitable domain group, e.g. “NetAdmins”. Add more conditions if required.
- “Specify Access Permission” as “Granted”
- “Configure Authentication Methods”: untick all pre-selected methods (MS-CHAPv2 and MS-CHAP) and tick “Unencrypted authentication (PAP, SPAP)”. Click Next
- “Configure Constraints”: nothing to configure. Click Next
- “Configure Settings”, select “Standard” and remove “Framed-Protocol” and “Service Type”
- Add a new attribute of “Service Type” and a value of “Login”
- “Configure Settings”, select “Vendor Specific”
- Click “Add”, select “Cisco” from the drop-down box
- Click “Add” and click “Add” again
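To show what the switch configuration above actually puts on the wire, here is an added Python example (not code from the original post): it builds the RADIUS Access-Request the switch sends for a VTY login, applies the RFC 2865 PAP User-Password hiding with the shared secret cisco123 (the reason the NPS policy has to allow “Unencrypted authentication (PAP, SPAP)”), and checks an Access-Accept's Response Authenticator and its Service-Type = Login attribute. The username, password and NAS address are constructed sample values.

```python
import hashlib, hmac, os, struct

SECRET = b"cisco123"                      # shared secret used on the switch and in NPS
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_LOGIN = b"\x00\x00\x00\x01"  # Service-Type = Login, as set in the NPS policy

def pap_transform(data, secret, authenticator, hide=True):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block),
    seeded with the Request Authenticator. hide=True hides, hide=False recovers (server side)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hide else data[i:i + 16]   # always chain on the ciphertext block
        out += block
    return out if hide else out.rstrip(b"\x00")

def pack_attrs(avps):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)

def parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        t, n = data[i], data[i + 1]
        out[t], i = data[i + 2:i + n], i + n
    return out

def build_access_request(user, password, nas_ip, secret=SECRET, ident=1):
    """Access-Request as the switch sends it for a VTY login (sample values are constructed)."""
    auth = os.urandom(16)                 # Request Authenticator
    body = pack_attrs([(USER_NAME, user.encode()),
                       (USER_PASSWORD, pap_transform(password.encode(), secret, auth)),
                       (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def build_response(code, request, avps, secret=SECRET):
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = pack_attrs(avps)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def accepts_login(response, request, secret=SECRET):
    """Authentic under our secret, an Access-Accept, and carrying Service-Type = Login."""
    head, body = response[:4], response[20:]
    expected = hashlib.md5(head + request[4:20] + body + secret).digest()
    return (hmac.compare_digest(expected, response[4:20]) and response[0] == ACCESS_ACCEPT
            and parse_attrs(body).get(SERVICE_TYPE) == SERVICE_TYPE_LOGIN)
```

Anyone holding the shared secret and a capture of the request can recover the password with the hide=False path, which is why the secret and the management path to the RADIUS server need protecting.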