Check the images below:

He was doubting his alcohol level, because he thought he didn’t drink during the weekend….LOL

He is still developing this blog and working at the layout, but here are some interesting outtakes:

I think Aruba’s VBN is a great solution as addition to their portfolio, there are still some small bumps and glitches concerning the ‘zero-touch’ process but nothing serious. I think VBN is a great solution for companies that want to extend their wireless corporate network to branch offices and home users with the same security benefits. Source

A few weeks ago I’ve passed my JNCIA-EX exam, I’ve used a Juniper EX 4200 Switch  acquired as demonstration model from Juniper Networks which was very helpful for the exam preparation and eventually passing the exam. After unpacking the switch and booting up for the first time it was password protected because the switch wasn’t reset to it’s factory defaults. Source

The RSS feed is already working, so add it to your RSS reader.

I did some testing with multiple browsers and single sign-on with NTLM authentication is working perfectly. The system administrator was also testing, but he was complaining that he couldn’t authenticate. A pop-up box is received and when you enter the appropriate credentials, they aren’t accepted by eSafe. I found out that the customer is using Windows 7 and I was testing with Windows XP and Windows Server 2003.

Windows Vista, Windows 7 and Windows Server 2008 R2 and higher use NTLM v2.0-only by default. eSafe Proxy uses NTLM v1.0. The default setting within Windows can be changed to operate in a mode which is backwards compatible with eSafe Proxy. Take the following steps to change the NTLM settings:

1. 1. Open the Group Policy Editor with gpedit.msc;
2. 2. Go to Computer Configuration – Windows Settings – Security Settings – Local Policies – Security Options;
3. 3. Go to the setting: Network security: LAN Manager authentication level
4. 4. Change this setting to: Send LM & NTLM – use NTLMv2 session security if negotiated
5. 5. Apply the policy with gpupdate /force

The picture shows the policy setting within Windows. This should solve the problem with single sign-on on Windows Vista, Windows 7 and Windows Server 2008 R2 and higher.

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         74.124.155.67   YES NVRAM  up                    up
GigabitEthernet0/1         10.10.10.1      YES NVRAM  up                    up
GigabitEthernet0/0/0       unassigned      YES NVRAM  administratively down down
SSLVPN-VIF0                unassigned      NO  unset  up                    up
Tunnel0                    192.168.255.2   YES NVRAM  up                    up

I can explain all interfaces, except the SSLVPN-VIF0 interface. I tried to look at the internet, but that didn’t result in any useful information. I used Cisco’s Output Interpreter, but that didn’t help either.

INFO: The following interfaces show the interface configuration ‘method’ as ‘unset’. SSLVPN-VIFO This means that no configuration changes were made to the interface since the last reload.

I noticed the same interface on a Cisco 1811 router, but not on the Cisco 871 and Cisco 878 routers. The interface cannot be related to SSL VPN functionalities, because that feature isn’t configured on the routers. At least that was what I thought at first. I checked my home router, because it has SSL VPN configured and found that the SSLVPN-VIF0. As the abbreviation implies, SSLVPN-VIF0 stands for “SSLVPN Virtual Interface 0”.

An IP address is assigned to the interface, after establishing a SSLVPN connection. You can retrieve more information about the SSLVPN-VIF interface by using multiple show interface SSLVPN-VIF commands. An example is shown below:

router#show interface SSLVPN-VIF 0 switching
SSLVPN-VIF0 ***Internally created by SSLVPN context home***

Protocol  IP
Switching path    Pkts In   Chars In   Pkts Out  Chars Out
Process         26       2657          4        240
Cache misses          0          -          -          -
Fast          0          0          0          0
Auton/SSE          0          0          0          0

NOTE: all counts are cumulative and reset only after a reload.

So don’t panic when you see the SSLVPN-VIF0 interface on your router. You now know where it is coming from.

2/22/2010:1:14:46 PM:IAS:Information:None:1:N/A:BOOCHES01:User rene was granted access.
2/22/2010:1:09:15 PM:IAS:Information:None:1:N/A:BOOCHES01:User rene was granted access.
2/22/2010:12:19:58 PM:IAS:Information:None:1:N/A:BOOCHES01:User BOOCHES\test was granted access.
2/22/2010:12:03:24 PM:IAS:Information:None:1:N/A:BOOCHES01:User booches was granted access.
2/22/2010:11:58:54 AM:IAS:Information:None:1:N/A:BOOCHES01:User testuser was granted access.
2/22/2010:11:58:13 AM:IAS:Information:None:1:N/A:BOOCHES01:User booches was granted access.
2/22/2010:11:58:07 AM:IAS:Information:None:1:N/A:BOOCHES01:User BOOCHES\test was granted access.
2/22/2010:11:17:13 AM:IAS:Information:None:1:N/A:BOOCHES01:User testuser1 was granted access.

I needed to extract only the unique users. Playing a little with Linux gave me the following output.

User test was granted access.
User booches was granted access.
User rene was granted access.
User testuser was granted access.
User testuser1 was granted access.

It isn’t perfect, but it is good enough for me. The original log file is called log.txt and the output is written to a file called users.txt. I used the following command to accomplish the output above.

cat log.txt | cut –d: –f11 | sed ’s/BOOCHES\\//g’ | sort | uniq >> users.txt

Cat prints the file log.txt to the screen. The –d parameter with cut determines the delimiter and –f selects the column to print. With sed I search for the string “BOOCHES\” and replace the sting with nothing (//). Everything is sorted with sort and all duplicate entries are removed with uniq. The output is written to the file users.txt.

Simple and effective!!!

After importing all template you have the ability to monitor the MAC count on the switch and the memory usage. You also have the option to monitor the CPU usage, but you have to do some extra configuration. The zip file only contains a data template for the HP switches, but no graph template. I created my own graph template by duplicating the Cisco CPU graph template and changed the data source to the HP data template.

I changed the data source for the first 4 Items in the Graph Template to the HP procurve CPU data source. Next I created a device for the HP switches and added the appropriate “Associated Graph Templates” for HP procurve CPU, MAC count and memory usage. Now you only need to create a graph for the template and you are set to go.

The Cisco IOS SSL VPN feature supports multiple options, like:

• Clientless: usage of a web portal;
• Thin client: usage of a web portal with port forwarding feature;
• Full client: usage of the Cisco AnyConnect client;

This example shows you how to configure all options listed above. The fist step involves configuring the authentication method with an AAA method.

aaa new-model
aaa authentication login sslvpn local
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55

The authentication method is called sslvpn and uses the local database on the router for authenticating users. Next you have to configure the basic IP and port information for connecting to the SSL VPN feature of the router. I use the public IP address of the router and configured the WebVPN on port TCP/4400. I use the SSL trustpoint from my previous blog post.

webvpn gateway gateway_1
ip address 83.137.194.62 port 4400
ssl trustpoint trustpoint_www
inservice

To use the full client feature, you have to upload an AnyConnect client to the routers flash. You can upload multiple AnyConnect clients for different operating systems. I just upload a client for Windows.

webvpn install svc flash:/webvpn/svc.pkg sequence 1

Next you have to configure a “webvpn context”. Within the webvpn context you define multiple VPN parameters. The webvpn context contains configuration parameters to access an URL through the web portal, define the port forwarding features or apply a policy group to the webvpn context. Below you see an example configuration of a webvpn context.

webvpn context home
title “Booches Portal”
ssl authenticate verify all
!
url-list “WebServers”
heading “WebServers”
url-text “Inside webserver” url-value “http://192.168.1.10″
!
login-message “Booches”
!
port-forward “Port Forwarding”
local-port 444 remote-server “192.168.1.150″ remote-port 5001 description “NAS TCP/5001 (Management)”
local-port 443 remote-server “192.168.1.150″ remote-port 443 description “NAS TCP/443 (Photo,File System)”
local-port 222 remote-server “192.168.1.200″ remote-port 22 description “Ubuntu TCP/22 (Management)”
!
policy group policy1
url-list “WebServers”
port-forward “Port Forwarding”
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
hide-url-bar
svc address-pool “sslvpn”
svc keep-client-installed
svc split include 192.168.1.0 255.255.255.0

You can configure multiple webvpn contexts with different authentication methods, url-list or port forwarding parameters. Next you see some screenshots from the WebVPN. To access the WebVPN feature the user has to browse to https://83.137.194.62:4400/home, because I configured gateway gateway_1 domain home (full config at the end). The web portal login page is displayed below.

After logging in you will get to the web portal menu, where you can choose between the multiple client options.

The Bookmarks section list the URL list to access internal websites. The Tunnel Connection (SVC) option starts the Cisco AnyConnect client. If the AnyConnect client isn’t yet installed on the remote client, it will be pushed by the router. The Thin Client Application starts the port forwarding feature.

All the relevant configuration from the example above can be found below.

aaa new-model
aaa authentication login sslvpn local
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55
!
ip local pool sslvpn 10.10.1.1 10.10.1.254
!
webvpn gateway gateway_1
ip address 83.137.194.62 port 4400
ssl trustpoint trustpoint_www
inservice
!
webvpn install svc flash:/webvpn/svc.pkg sequence 1
!
webvpn context home
title “Booches Portal”
ssl authenticate verify all
!
url-list “WebServers”
heading “WebServers”
url-text “Inside webserver” url-value “http://192.168.1.10″
!
login-message “Booches”
!
port-forward “Port Forwarding”
local-port 444 remote-server “192.168.1.150″ remote-port 5001 description “NAS TCP/5001 (Management)”
local-port 443 remote-server “192.168.1.150″ remote-port 443 description “NAS TCP/443 (Photo,File System)”
local-port 222 remote-server “192.168.1.200″ remote-port 22 description “Ubuntu TCP/22 (Management)”
!
policy group policy1
url-list “WebServers”
port-forward “Port Forwarding”
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
hide-url-bar
svc address-pool “sslvpn”
svc keep-client-installed
svc split include 192.168.1.0 255.255.255.0
default-group-policy policy1
aaa authentication list sslvpn
gateway gateway_1 domain home
max-users 2
inservice

I like for SMB solutions the IOS SSL VPN feature, because it is powerful and works over SSL, but it is also flexible and can almost publish every service.

1. 1. I generate a CSR and private key on my own laptop with Cygwin and OpenSSL;
2. 2. I sent the CSR to a CA for signing, like VeriSign or GeoTrust;
3. 3. I create a PKCS12 certificate with the signed cert and the private key;
4. 4. Import the PKCS12 certificate on the router;

With this procedure I always have the “real” certificate, and all related files, on my own laptop for backup purposes. Mostly you can also generate a CSR on an appliance and import the signed certificate to the appliance and you are also done. But sometimes you don’t have the opportunity to export the certificate for backup purposes. So what if the appliance crashes or needs to be replaced?

Now I will show you how to import the PKCS12 to an IOS router. First we need to create a trustpoint on the router. The trustpoint contains the certificate authority that signed the certificate in use.

router(config)#crypto pki trustpoint trustpoint_www
router(ca-trustpoint)#fqdn www.booches.nl
router(ca-trustpoint)#subject-name cn=www.booches.nl
router(ca-trustpoint)#revocation-check crl
router(ca-trustpoint)#rsakeypair trustpoint_www

Next I will import the certificate. There are multiple ways for importing the certificate, but I just use TFTP to transfer the certificate from my laptop to the router.

router(config)#crypto ca import trustpoint_www pkcs12 tftp: passphrase
% Importing pkcs12…
Address or name of remote host []? 10.10.1.58
Source filename [trustpoint_home]? www-booches-nl.pfx
Reading file from tftp://10.10.1.58/www-booches-nl.pfx
Loading www-booches-nl.pfx from 10.10.1.58 (via BVI1): !
[OK - 2629 bytes]

CRYPTO_PKI: Imported PKCS12 file successfully.

The certificate is now successfully imported into the router and can be associated with the WebVPN configuration. Useful commands to verify your trustpoints and certificates are:

show crypto pki certificates
show crypto pki trustpoints

Still the Cisco VPN client is often used to remotely gain access to a network. The Cisco VPN client supports:

• Windows XP, Vista (x86/32-bit only) and Windows 7 (x86/32-bit only);
• Linux (Intel);
• Mac OS X 10.4 & 10.5;
• Solaris UltraSparc (32 and 64-bit);

The Cisco VPN client is available for download if you have a SMARTnet support contract and encryption entitlements. The client can be used in conjunction with VPN concentrators, PIX and ASA firewall and IOS routers. Below you can find a template configuration for enabling the Cisco VPN client on an IOS router (all used IP addresses and credentials are chosen randomly and don’t represent a real configuration). I used the setup from the picture below:

The configuration uses the local database to authenticate users and split-tunneling is configured to only encrypt traffic destined for the LAN network. With split-tunneling enabled you still can access all local resources and the internet.

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group booches-vpn-client
key pr3sh@r3dk3y
dns 192.168.1.10 192.168.1.11
domain booches.local
pool vpnpool
acl 110
netmask 255.255.255.0
!
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
!
crypto dynamic-map dynamicmap 10
set transform-set vpn-ts-set
reverse-route
!
crypto map client-vpn-map client authentication list userauthen
crypto map client-vpn-map isakmp authorization list groupauthor
crypto map client-vpn-map client configuration address initiate
crypto map client-vpn-map client configuration address respond
crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
!
interface FastEthernet0/0
ip address 83.137.194.62 255.255.255.240
ip nat outside
crypto map client-vpn-map
!
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
!
ip local pool vpnpool 10.10.1.1 10.10.1.254
!
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255

A very powerful command to revert to the startup-configuration is:

configure replace nvram:startup-config

This command saves you some time because a reboot is not required.