<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" version="2.0">

<channel>
	<title>xpresslearn.com</title>
	
	<link>http://www.xpresslearn.com</link>
	<description>Solutions to your Networking and Security questions</description>
	<lastBuildDate>Tue, 13 Dec 2011 18:16:15 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/Xpresslearn" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="xpresslearn" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
		<title>Two Factor Authentication for Linux Console and ssh Logins</title>
		<link>http://www.xpresslearn.com/security/two-factor-authentication-for-linux-console-and-ssh-logins</link>
		<comments>http://www.xpresslearn.com/security/two-factor-authentication-for-linux-console-and-ssh-logins#comments</comments>
		<pubDate>Mon, 12 Dec 2011 22:20:33 +0000</pubDate>
		<dc:creator>Scott Pilkinton</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Radius]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[token]]></category>
		<category><![CDATA[Two-Factor Auth]]></category>

		<guid isPermaLink="false">http://www.xpresslearn.com/?p=933</guid>
		<description><![CDATA[This article will explain how to authenticate users on a Linux machine using a RADIUS server for central authentication.  In this particular example, RADIUS is being used to authenticate users against RSA Authentication Manager for two-factor authentication, specifically for local console and ssh logins.]]></description>
			<content:encoded><![CDATA[<p>This article will describe how to set up two-factor authentication for a Debian based Linux machine.  This solution will work for console and remote (ssh) logins.  When changing a Linux host to use two-factor authentication, there are actually a couple of options.  I&#8217;ll briefly explain the two options and why one was chosen over the other in this particular example.  Before getting to that part, a brief mention of the type of two-factor authentication server that is being used.</p>
<p>RSA Authentication Manager provides an authentication mechanism consisting of a &#8220;token&#8221; &#8211; either hardware (e.g. a keyfob) or software (an application that provides the same functionality as a keyfob).  A hardware or software token is assigned to an individual; it generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the token&#8217;s factory-encoded random key (known as the &#8220;seed&#8221;). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased.</p>
<p>In this example, I am using RSA Authentication Manager 6.1, which is running on a purpose-built appliance that uses Windows 2003 Server with the RSA server software installed.  This particular solution includes Funk Software&#8217;s Steel Belted Radius, which provides a RADIUS authentication mechanism into RSA.  At the time of this writing, this particular appliance and software version is approaching end of life and has since been replaced with Authentication Manager 7.1.  In the appliance version of 7.1 (known as Authentication Manager 3.0), the operating system has moved to Linux with Authentication Manager 7.1 loaded on top of it.  Version 7.1/3.0 also includes a RADIUS server that can be used for RADIUS clients needing to utilize two-factor authentication.</p>
<p><span id="more-933"></span></p>
<p>Now, on to the client portion of the software used to interface with the RSA server.  As previously mentioned, there are two options, the first being to use the RSA-provided authentication agent for Unix/Linux.  The agent is actually a module that hooks into PAM, which is the central authentication standard used in most modern Unix/Linux systems today.  This option provides the maximum functionality and interfaces directly with the RSA protocol (which means the RADIUS server is not required).</p>
<p>The second option is to load a RADIUS module into PAM (pam_radius_auth), which then communicates with the RSA server via its built-in RADIUS server.  Why would you want to use this option over the first one?  The RSA-provided client is only supported on a couple of Linux platforms, namely Red Hat and SuSE, which are both RPM based.  So if you are using any other Linux distribution (Debian based, etc.), there is no RSA-provided option with this client software.</p>
<p>Most Linux software repositories contain a PAM RADIUS module, which avoids having to download source code and compile programs.  I&#8217;m specifically working on a Debian based system, which includes the module libpam-radius-auth in its repository.  The following contains instructions for configuring the system:</p>
<p>First, install the module from the distribution&#8217;s repository:</p>
<pre>root@localhost:~# apt-get install libpam-radius-auth
Running /usr/bin/apt-get install libpam-radius-auth
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  radius-server
The following NEW packages will be installed:
  libpam-radius-auth
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 24.7kB of archives.
After this operation, 127kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org lenny/main libpam-radius-auth 1.3.16-4.4 [24.7kB]
Fetched 24.7kB in 0s (58.4kB/s)
Selecting previously deselected package libpam-radius-auth.
(Reading database ... 36010 files and directories currently installed.)
Unpacking libpam-radius-auth (from .../libpam-radius-auth_1.3.16-4.4_amd64.deb) ...
Setting up libpam-radius-auth (1.3.16-4.4) ...</pre>
<p>Now that the module is installed, it&#8217;s time to edit configuration files:</p>
<pre>root@localhost:~# vi /etc/pam_radius_auth.conf</pre>
<p>My default configuration file had two invalid entries defined to show the format.  One of the two entries in my configuration file was for 127.0.0.1 with a comment below it that read &#8220;having localhost in your radius configuration is a Good Thing&#8221;.  I don&#8217;t know what that is supposed to mean, but don&#8217;t leave it in the configuration, as we have no RADIUS server running on the local machine.</p>
<p>Remove the existing (sample) entries and replace them with valid server entries, each containing server[:port], shared_secret, and timeout (separated by tabs); then save and close the file.  A particular detail to note is that I initially set the timeout value to the displayed default of 3 (seconds).  However, I experienced authentication failures until I changed that value to 5 (seconds), after noticing timeout messages in /var/log/auth.log.</p>
<p>Next, we need to modify a PAM configuration file in order to specify the use of the RADIUS module when authentication occurs.  Note: several services make use of the PAM system for authentication.  Therefore, doing what I am about to explain could have a negative impact on any application that uses PAM to authenticate users.  Further research should be performed to determine which configuration file the following entries should be placed in, based on what you want to secure.</p>
<p>In this example, there are no applications running that need auth services provided by PAM (such as an FTP server, HTTP server, Samba, etc.).  The goal is to define a global policy that uses the RADIUS module for central authentication.  If you wanted to secure only a particular service (like ssh logins for administrator shell access via sshd), a file other than the following can be modified so as not to disrupt any other PAM-using applications installed on the machine.</p>
<p>Edit the /etc/pam.d/common-auth configuration file:</p>
<pre>
root@localhost:/etc/pam.d# vi common-auth
</pre>
<p>First, find the following line in the configuration:</p>
<pre>
auth	required	pam_unix.so nullok_secure
</pre>
<p>Insert a new line BEFORE/ABOVE the previous line and paste the following line into the file.</p>
<pre>
auth	sufficient	pam_radius_auth.so
</pre>
<p>Save and exit the file.  The previous addition to the common-auth file tells PAM to use the RADIUS module for authentication first (since it is listed first in the configuration).  By specifying &#8216;sufficient&#8217; in our entry, PAM determines that a successful auth using this module is satisfactory, therefore no other modules defined in the configuration file need to be processed.  However, if there is a failure from this module (e.g. the user doesn&#8217;t exist on the RADIUS server), PAM continues processing the entries in this configuration file.  Note: by configuring it this way, any locally defined users on the system will still authenticate successfully.  Therefore, it is advised to only have local &#8216;emergency accounts&#8217; defined, in case the machine completely loses communication with all configured RADIUS servers &#8211; you would still be able to log in with a local user.  If you adopt this policy, obviously the number of people who know the credentials to the locally defined account(s) should be minimal, in order to force the use of individual (RADIUS defined) accounts.</p>
<p>Next, edit the /etc/pam.d/common-account file:</p>
<pre>
root@localhost:/etc/pam.d# vi common-account
</pre>
<p>Find the line:</p>
<pre>
account	required	pam_unix.so
</pre>
<p>Insert the following BEFORE/ABOVE the previous line:</p>
<pre>
account	required	pam_radius_auth.so
</pre>
<p>Save and exit the file.  The previous addition to the common-account file is to tell PAM to use the RADIUS module for any authorization requirement (like permitting access to a service based on time of day, etc.), prior to checking the local database. By specifying &#8216;required&#8217; in our entry, PAM determines that the success of the module is required for the module-type facility (in this case authorization is the module-type) to succeed. </p>
<p>Next edit the /etc/pam.d/common-session configuration file:</p>
<pre>
root@localhost:/etc/pam.d# vi common-session
</pre>
<p>Find the line:</p>
<pre>
session	required	pam_unix.so
</pre>
<p>Insert the following lines BEFORE/ABOVE the previous line:</p>
<pre>
session	required	pam_radius_auth.so
session	required	pam_mkhomedir.so	skel=/etc/skel/	umask=0022
</pre>
<p>Save and exit the file.  The previous addition to the common-session file is to define tasks to be performed at the start and end of a user&#8217;s control of a service. By specifying &#8216;required&#8217; in our entry, PAM determines that the success of the module is required for the module-type facility (in this case session is the module-type) to succeed.</p>
<p>As you can see, we added a second module (pam_mkhomedir.so) to the common-session configuration file.  This is required in order to have a home directory available for a RADIUS authenticated user.  The module runs after a successful authentication and creates the user&#8217;s home directory, populated from the /etc/skel template given by the skel= option, with the appropriate permissions (umask=0022).</p>
<p>That completes the configuration setup.  There is one final step left that has to be performed for every user that will log in to the system via RADIUS.  Because RADIUS doesn&#8217;t provide a directory service, we have to have UID and GID information pre-populated on our system.  This is accomplished by creating the username and group name on the local system, which assigns the necessary unique user ID and group ID values (numbers).</p>
<p>For example, a user that needs to authenticate via radius using a login id of johnh (that belongs to an associated group called johnh) needs to have the following performed on the local system:</p>
<pre>
useradd johnh
</pre>
<p>That will do it: the user will now have an entry in /etc/passwd and /etc/group with an automatically created (unique) ID number.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.xpresslearn.com/security/two-factor-authentication-for-linux-console-and-ssh-logins/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DIY Checkpoint Firewall Log Analysis</title>
		<link>http://www.xpresslearn.com/security/diy-checkpoint-firewall-log-analysis</link>
		<comments>http://www.xpresslearn.com/security/diy-checkpoint-firewall-log-analysis#comments</comments>
		<pubDate>Fri, 30 Sep 2011 21:29:47 +0000</pubDate>
		<dc:creator>Scott Pilkinton</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.xpresslearn.com/?p=861</guid>
		<description><![CDATA[An example of putting together a solution using simple tools for analyzing log data from a Checkpoint firewall.  In this example, we take a 5Gb logfile and import only data for a single host into a sqlite database.  From there, we run queries to determine what communication goes through the firewall either sourced or destined to this host.]]></description>
			<content:encoded><![CDATA[<p>In the world of firewall administration, one very common problem is a host behind a firewall having more access than was intended.  This occurs mainly due to &#8216;loosely defined&#8217; rules that happen to &#8216;catch&#8217; unintended traffic and inadvertently allow it to pass.  I was recently given the task of reducing access for a set of hosts behind a CheckPoint firewall which had a 1000-rule policy installed, with logging turned on for each rule (including the cleanup rule).  My point in describing the environment is that it can quickly become overwhelming to fire up Tracker and begin to piece access information together, especially across multiple days.  To get started, the first order of business was to find all the rules this group of hosts was using, which had to be known before implementing the required &#8216;bare bones&#8217; access.</p>
<p>Before I go any further, it must be stated that commercial packages exist that can do this type of analysis for you.  These software programs usually import CheckPoint logs into a larger data source and then run various reports against it.  While those packages are extremely valuable to the firewall administrator, oftentimes they are cost-prohibitive for the company they work for.  My attempt here is to share a do-it-yourself, bare bones, just-get-it-done alternative to buying these costly software packages.</p>
<p><span id="more-861"></span></p>
<p>As far as prerequisites, not much is needed: I&#8217;ll be using a Linux workstation for the utilities, such as cat, grep, and others.  The log data will be imported into a SQLite database for analysis.  Everything I have mentioned thus far is available on a Windows workstation, but will require a little bit of work to find/install it.  My point here is: if you have not taken the plunge to set up a Linux &#8216;utility&#8217; workstation yet, now would be a great time to knock that out.  Anyway, I will show all my examples and reference the procedure as if it is being performed from a Linux machine.  However, I think it will easily be adaptable by the Windows-only administrator.  If not, I will do my best to clarify points as questions are asked.</p>
<p>First, we must get the logs into a format we can work with.  This requires exporting the current CheckPoint log file to a delimited, plain text format.  The utility required for this is located in the Firewall1 program directory on the SmartCenter management station.</p>
<p>From a command line on the SmartCenter machine, we want to change to the firewall log directory:</p>
<pre>cd \fw1_install_dir\RXX\fw1\log</pre>
<p>where fw1_install_dir = SmartCenter installation directory and XX = the version of SmartCenter installed (i.e. R75).</p>
<p>Running the &#8216;dir&#8217; command in this directory will give you the names of the available log files for export.  The file names follow the format YYYY-MM-DD_HHMMSS_XX.log; select the file for export and run the following:</p>
<pre>fwm logexport -n -p -m raw -i [YYYY-MM-DD_HHMMSS_XX.log] -o [YYYY-MM-DD_HHMMSS_XX.txt]</pre>
<p>The switches are explained below:</p>
<pre>Usage:
fwm logexport [-d delimiter |-s] [-i filename] [-o filename] [-f|-t] [-x start_pos] [-y end_pos] [-z] [-n] [-p] [-a] [-u unification_scheme_file] [-m (initial|semi|raw)]
Where:
-d  - Set the output delimiter. Default is ';'.
-s  - Set the delimiter to be ASCII character #255.
-i  - Input log file name. Default is the active log file, fw.log.
-o  - Output file name. Default is printing to the screen.
-f  - Only in case of active log file - Upon reaching end of file, wait for new records and export them as well.
-t  - Same as -f flag, only start at end of file.
-x  - Start exporting at the specified position.
-y  - End exporting at the specified position.
-z  - Continue exporting the next records, in case of an error. Default is to stop exporting.
-n  - No IP resolving. Default is to resolve all IPs.
-p  - No port resolving. Default is to resolve all ports.
-a  - Export account records only. Default is export all records.
-u  - Unification scheme file name. Default is log_unification_scheme.C.
-m  - Unification mode: initial-order, semi-unified, or raw. Default is 'initial'.</pre>
<p>The switches used in the previous example should be self-explanatory after looking them up in the syntax help above.</p>
<p>Here is the command I ran in my environment:</p>
<pre>C:\Program Files\CheckPoint\R71\fw1\log&gt;fwm logexport -n -p -m raw -i "2011-09-28_235900_98.log" -o "d:\2011-09-28_235900_98.txt"
Starting... There are 20492936 log records in the file
File logexport.ini was opened successfully
Processed 20492936 out of 20492936 records (99%)</pre>
<p>Once I did this in my environment for one log file, which contained access information for a 24 hour period, the result was a 5.2G text file.  This would obviously be impossible to open with any editor, which is where our Unix utilities come into play.</p>
<p>At this point, I only want to load the necessary data into the db.  This keeps the database small and makes queries much more responsive.  In order to extract a subset of data from the log output, we will use awk and grep to put the desired results into a separate file.  In this example, I want traffic that was either sourced from or destined to 10.16.2.20.</p>
<pre># awk '{q=split($0,a,";"); if (NR==1) {for (v=1;v&lt;=q;v++) c[a[v]]=v}
  printf("%s;%s;%s;%s;%s;%s;%s;%s;%s;%s\n",
    a[c["date"]],a[c["time"]],a[c["action"]],a[c["rule_uid"]],a[c["rule_name"]],
    a[c["src"]],a[c["s_port"]],a[c["dst"]],a[c["service"]],a[c["xlatesrc"]])}' \
  2011-09-28_235900_98.txt | grep '\&lt;10.16.2.20\&gt;' &gt; windowsdc01.txt</pre>
<p>The previous command uses &#8216;awk&#8217; to process the file &#8217;2011-09-28_235900_98.txt&#8217; and only print the log fields we are interested in. Awk is being used because, for some reason, CheckPoint does not export log files the same way twice.  For example, an fwm export one day may contain 51 columns, and the next day it might contain only 40.  Obviously this would play havoc with importing the same fields each time into our database.  The first line of the export holds the column headers, so the script reads that line into a lookup table (column name to column number) and then prints the wanted columns by name for every record; this ensures the same output format each time.  The command looks very complex, but the only thing you really need to consider is whether additional fields are wanted in the output.  If this is the case, just make sure the additional fields are specified in order within the script.  For example, let&#8217;s say you want to add an additional field (i/f_name) to the output.  If you look at the first line of the original exported file, which contains the column headers, you will see the &#8220;i/f_name&#8221; column is between &#8220;action&#8221; and &#8220;rule_uid&#8221;.  So here is what you would add to the existing script <b>(in bold)</b>:</p>
<p>a[c["action"]],<b>a[c["i/f_name"]],</b>a[c["rule_uid"]],</p>
<p>You will also need to add an additional %s; to the printf format string for each additional field you add.</p>
<p>Moving on, note after the grep command the \&lt; and \&gt; characters with the IP address in between.  What this does is tell grep to only match this character string if it is the beginning and end of a word.  If the \&lt; characters were missing from above, then we would also match other hosts like 110.16.2.20 or 210.16.2.20.  Likewise, if the \&gt; were missing off the end, then we would match 10.16.2.201, 10.16.2.202, and so on.  (The dots in the pattern are unescaped, so each one matches any single character as well as a literal dot; write them as \. if you want them matched literally.)  Finally, the greater-than sign followed by a file name outputs the results to a file instead of to the default location, the screen.</p>
<p>Now, I have a separate file that contains only the data I care about at the moment, and it is 28Mb vs. the 5Gb source file we started with.  The next thing to do is load it into a sqlite database.  Before we can do that, we have to create the database with a table containing the proper columns to accept the text file import.  We start by invoking sqlite and passing it an argument that will be the name of a new database, which in this example is called data.db.  Once sqlite is invoked, run the SQL statement shown below, which creates the table.  Obviously this SQL statement would need to be modified if you added additional fields over what is shown in the previous example.</p>
<pre># sqlite3 data.db
SQLite version 3.7.5
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite&gt;CREATE TABLE tbl_fwlogs(
f_date varchar(10),
f_time varchar(10),
f_action varchar(10),
f_rule_uid varchar(100),
f_rule_name varchar(15),
f_src varchar(10),
f_srcport varchar(10),
f_dst varchar(15),
f_service varchar(10),
f_xlatesrc varchar(10));
sqlite&gt;</pre>
<p>Define the separator used in the import file:</p>
<pre>sqlite&gt; .separator ";"</pre>
<p>Finally, import the text file into the database (the file produced above was windowsdc01.txt; substitute your own file name):</p>
<pre>sqlite&gt; .import file.txt tbl_fwlogs</pre>
<p>Now that you have data to query, here is a sample that displays what rules are being used in the rulebase for this particular host.</p>
<pre>sqlite&gt; select DISTINCT(f_rule_uid),f_rule_name from tbl_fwlogs;</pre>
<pre>{3C9A2260-8E75-4488-82C3-A3F279BB72B6};Srv to Srv access
{13385ECB-2S6F-4657-CC20-4DA76F217141};Windows Domain Resources
{3A5A0D9E-1D32-41BD-9795-829ED5CFE366};Time Requests
{5D2726D6-738A-43BA-8B5B-63FA0A7EBF78};Monitoring Servers
{A696790B-2605-46B2-BDA3-8A64A5B98C1A};DNS
{DDDCF882-8121-4E27-8A28-EA17EC5BC47E};Internal ICMP
sqlite&gt;</pre>
<p>In this example we see there are 6 rules in use for this host.  From here, additional queries would determine the src/dest addresses and protocols used, so that we could take that info and build a stricter rule set for this host.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.xpresslearn.com/security/diy-checkpoint-firewall-log-analysis/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Un-brick a network appliance</title>
		<link>http://www.xpresslearn.com/networking/un-brick-a-network-appliance</link>
		<comments>http://www.xpresslearn.com/networking/un-brick-a-network-appliance#comments</comments>
		<pubDate>Tue, 23 Aug 2011 21:53:58 +0000</pubDate>
		<dc:creator>Scott Pilkinton</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[bricked]]></category>
		<category><![CDATA[network appliance]]></category>
		<category><![CDATA[tftp]]></category>
		<category><![CDATA[troubleshooting]]></category>

		<guid isPermaLink="false">http://www.xpresslearn.com/?p=832</guid>
		<description><![CDATA[It is not uncommon to be performing a software upgrade on a network appliance type of device and the operation fails.  Hopefully, the failure doesn't render the hardware useless and allows for a retry of the operation.  However, there are times where an upgrade will fail and the device will no longer function.  This article uses a specific example to carry you through steps that can be applied to any appliance like device.]]></description>
			<content:encoded><![CDATA[<p>It is not uncommon to be performing a software upgrade on a network appliance type of device and the operation fails. Hopefully, the failure doesn&#8217;t render the hardware useless and allows for a retry of the operation. However, there are times where an upgrade will fail and the device will no longer function. This article uses a specific example to carry you through steps that can be applied to any appliance like device.</p>
<p>First, a few details regarding the example scenario:</p>
<p>A previous upgrade to an IP enabled KVM switch was causing issues with its normal operation. There were issues with local use via a directly attached keyboard/monitor/mouse and also when using the viewer plugin remotely. After my co-workers had complained enough, I decided it was time to downgrade the software to the previously running code, which did not have all the issues that were currently happening. Using the management software for the KVM, I downgraded 7 of 8 devices successfully. One device failed during the procedure and subsequently stopped responding on the network.</p>
<p style="text-align: center;"><span id="more-832"></span><br />
</p>
<p>After giving sufficient time for possible self-recovery with no results, I decided it was time to investigate further. Upon inspecting the device visually, it was determined that the equipment was in recovery mode (the power light was blinking steadily with no other lights on the device). This determination was made by going to the hardware manufacturer&#8217;s website and downloading the manual for my particular model, then looking up the device states in the troubleshooting section of the documentation.</p>
<p>The first thing attempted was an obvious one: Try and power cycle the hardware. After turning off and back on, the same result happened &#8211; a steadily flashing power light.</p>
<p>The documentation stated that when the device was in recovery mode, it would automatically attempt to download the system image via TFTP from the management server. After inspecting the machine running the KVM management software, I was able to determine there was no traffic between it and the failed device. There are several ways to troubleshoot this; my particular method was to run a packet sniffer (Wireshark) on the management server to see if any requests were coming from the KVM&#8217;s IP address. If installing Wireshark (or a similar program) is not an option on the machine, a portable version is available from the website that can be run out of a directory that resides on either a hard or flash drive.</p>
<p>At this point, a support call would have been the next course of action. However, a current maintenance contract did not exist on this equipment, so tech support was not an option. Truthfully, even if it was an option, I most likely wouldn&#8217;t be using it. I would rather be hung upside down (by my toenails), 30 feet in the air, with a pack of flesh eating hyenas waiting underneath for me to plummet to my death so they could consume me. Not that there is anything wrong with calling tech support, never mind &#8211; I digress&#8230;</p>
<p>The device is now officially &#8216;bricked&#8217; (hence the title of this article). The urban dictionary defines the term as follows:</p>
<p>Bricked refers to ANY hardware that is unable to start up due to bad software; Usually because of a bad software flash, a modification done improperly, loss of necessary files, etc.</p>
<p>Thankfully, the majority of the time a device can be recovered after being in this state.</p>
<p>The next step in my process was to determine if a console was available. After looking at the documentation once again, I found that a serial port was available on this device for management purposes. After recording the applicable serial port settings and grabbing a null modem (serial) cable, it was off to the data center where the device was located.</p>
<p>My thought was to connect the serial cable between a laptop and the KVM device to see if I could get any output using a terminal program. PuTTY is my terminal program of choice, and it has support for serial connections. I configured PuTTY to connect to COM1 at 9600 baud with 8 bits, no parity, and 1 stop bit (better known as eight, &#8216;n&#8217;, and one). The hope here was that maybe the device used a bootloader, which is a small piece of software that loads initially (like a BIOS) and in turn loads the full software image for the device. Many times when a bootloader can&#8217;t load the main software image, there is a very basic command line available to perform recovery functions such as transferring an image, re-issuing boot commands, etc.</p>
<p>After starting PuTTY and pressing the Enter key several times (which usually prompts the connected device to respond), there was no response. I&#8217;m still not sure why the console wasn&#8217;t working, because I moved on from that very quickly. (My assumption here was that the command line via serial port was only available after the firmware was correctly loaded and running on the device.)</p>
<p>As I previously mentioned, by reading the documentation, I knew the device was supposed to request a boot image via TFTP. So, I took my laptop and connected it to an isolated switch along with the KVM device&#8217;s network interface. After starting Wireshark on the laptop and starting a capture, the KVM was powered on.</p>
<p>AH, progress!</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/avocent.png"><img class="size-medium wp-image-844 aligncenter" title="Wireshark displaying trace from bricked KVM device" src="http://www.xpresslearn.com/wp-content/uploads/avocent-300x187.png" alt="" width="300" height="187" /></a></p>
<p>The above image displays a Wireshark window running on my laptop.  When this screenshot was taken, a display filter was set so that only traffic from the KVM&#8217;s source MAC address was shown.  (A MAC filter was used, since that was the only known information; the MAC address is always shown, usually via a sticker on the device.)  Notice it has an IP of 10.0.0.2, which obviously is hard coded in the firmware, since I didn&#8217;t have a DHCP server running on the laptop. The next thing you see is the appliance making a request via TFTP to 10.0.0.3 (again, another hard coded entry in the firmware), requesting a file with the name DSRxx20.fl.</p>
<p>With this information, the laptop&#8217;s network interface can now be set statically to 10.0.0.3. The next thing I needed was a TFTP server loaded on my laptop. This is an easy task, with several available freely on the Internet, download your favorite (my recommendation is tftpd32) TFTP server and run it.</p>
<p>The final step is to put the firmware for the device into the TFTP server &#8216;home&#8217; directory and make sure the filename matches what is being requested (in this case it was DSRxx20.fl). After the file was in place with the TFTP server running, I power cycled the appliance once again:</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/avocent2.png"><img class="size-medium wp-image-845 aligncenter" title="Transferring firmware to appliance" src="http://www.xpresslearn.com/wp-content/uploads/avocent2-300x187.png" alt="" width="300" height="187" /></a></p>
<p>As you can see above, the transfer took place, after which the device proceeded to boot up perfectly! SUCCESS! Although this is not a universal step-by-step instruction on how to save any &#8216;bricked&#8217; device, it should help outline the steps required to discover what is needed to bring something you are working on back to life.</p>
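<p>As an added example (not the author&#8217;s code), here is a small decoder for the request the capture above shows, so the file name and transfer mode can be read from the raw UDP payload, plus the DATA/ACK framing of the transfer that follows. The request bytes are constructed to match the capture (opcode 1, DSRxx20.fl, octet mode); block numbering and the 512-byte default block follow RFC 1350, and option pairs follow RFC 2347.</p>

```python
"""Decode the TFTP read request a recovering appliance sends at power-on.

Added example for this post (not the author's code). SAMPLE_RRQ is a
constructed UDP payload matching what the Wireshark capture showed: a read
request for DSRxx20.fl. Decoding it tells you which file name the TFTP
server's home directory must contain. The DATA/ACK helpers frame the
transfer that follows (RFC 1350; option pairs per RFC 2347).
"""
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR, OP_OACK = 1, 2, 3, 4, 5, 6
BLOCK_SIZE = 512  # default block size; a block shorter than this ends the transfer


def parse_rrq(payload: bytes):
    """Return (filename, mode, options) from an RRQ/WRQ payload.

    Layout: 2-byte opcode | filename NUL | mode NUL | (option NUL value NUL)*
    Raises ValueError for anything that is not a well-formed request.
    """
    if len(payload) < 4:
        raise ValueError("payload too short for a TFTP request")
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError(f"opcode {opcode} is not a read/write request")
    fields = payload[2:].split(b"\x00")
    # A well-formed request ends with NUL, so the last split element is empty.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("request fields are not NUL-terminated")
    fields = fields[:-1]
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace").lower()
    if mode not in ("octet", "netascii", "mail"):
        raise ValueError(f"unknown transfer mode {mode!r}")
    opts = fields[2:]  # remaining fields come in option/value pairs
    if len(opts) % 2:
        raise ValueError("option without a value")
    options = {opts[i].decode("ascii", errors="replace").lower():
               opts[i + 1].decode("ascii", errors="replace")
               for i in range(0, len(opts), 2)}
    return filename, mode, options


def build_data(block: int, chunk: bytes) -> bytes:
    """Frame one DATA packet: opcode 3, 16-bit block number, payload."""
    if not 0 <= block <= 0xFFFF:
        raise ValueError("block number must fit in 16 bits")
    if len(chunk) > BLOCK_SIZE:
        raise ValueError("chunk exceeds the block size")
    return struct.pack("!HH", OP_DATA, block) + chunk


def parse_ack(payload: bytes) -> int:
    """Return the block number carried by an ACK packet."""
    if len(payload) != 4 or struct.unpack("!H", payload[:2])[0] != OP_ACK:
        raise ValueError("not a TFTP ACK")
    return struct.unpack("!H", payload[2:])[0]


def split_image(image: bytes):
    """Yield (block, chunk) pairs for a firmware image.

    Block numbers start at 1 and wrap at 16 bits on large images. An image
    that is an exact multiple of BLOCK_SIZE needs a final empty block, or the
    client never learns that the transfer is complete.
    """
    block = 1
    for offset in range(0, len(image), BLOCK_SIZE):
        yield block, image[offset:offset + BLOCK_SIZE]
        block = (block + 1) & 0xFFFF
    if len(image) % BLOCK_SIZE == 0:
        yield block, b""


# Constructed sample: the request the article's appliance sends to 10.0.0.3.
SAMPLE_RRQ = b"\x00\x01" + b"DSRxx20.fl\x00" + b"octet\x00"

if __name__ == "__main__":
    name, mode, options = parse_rrq(SAMPLE_RRQ)
    print(f"appliance requests {name!r} ({mode} mode, options {options})")
```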
]]></content:encoded>
			<wfw:commentRss>http://www.xpresslearn.com/networking/un-brick-a-network-appliance/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reset Windows Server Administrator password</title>
		<link>http://www.xpresslearn.com/windows/windows-admin/reset-windows-server-administrator-password</link>
		<comments>http://www.xpresslearn.com/windows/windows-admin/reset-windows-server-administrator-password#comments</comments>
		<pubDate>Thu, 30 Jun 2011 17:06:39 +0000</pubDate>
		<dc:creator>Scott Pilkinton</dc:creator>
				<category><![CDATA[Admin]]></category>
		<category><![CDATA[lost Windows password]]></category>
		<category><![CDATA[reset Windows password]]></category>
		<category><![CDATA[Windows Server Password Recovery]]></category>

		<guid isPermaLink="false">http://www.xpresslearn.com/?p=801</guid>
		<description><![CDATA[This article describes how to reset an Administrator password on a Windows 2008 Server using only the installation media.  Using this procedure on a domain controller will also allow the reset of a domain administrator account.]]></description>
			<content:encoded><![CDATA[<p>I have a lab setup with a few Windows machines, including a domain controller, which I can never seem to remember the password for.  After reading over some different options, this is by far the easiest method to reset the Administrator password, and it does not require any third party software outside of a Windows Server 2008 install disk.</p>
<p>First, shut the running machine down.  Luckily, my lab was running in a virtual environment and had the VMware Tools installed on the guest machine that needed the password reset.  I opened a console window to the VM and in the viewer selected VM from the menu bar, then Power, then Restart Guest (Ctrl+R).  Obviously, if this is a physical machine or a virtual machine without the tools installed, you may have to shut it down / power it off not so gracefully.  However, at this point, if you can&#8217;t log in to the machine, what else can you do? :-)</p>
<p>Make sure your boot order is set up properly in the BIOS, so that the machine will attempt to boot from CD/DVD first, before the hard drive.  Once this is correctly set, be sure to press a key for booting to the DVD while the message is shown telling you to do so.</p>
<p><span id="more-801"></span></p>
<p>Once booted to the DVD, the following screenshot will be the first thing you see.  Select the desired language and click on Next.</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/win-pass-1.png"><img class="aligncenter size-full wp-image-803" title="Language window displayed after booting from Windows Server install DVD" src="http://www.xpresslearn.com/wp-content/uploads/win-pass-1.png" alt="" width="617" height="454" /></a></p>
<p>The following screen will appear next; normally you would click Install now here.  However, there are a couple more options on this screen.  In the lower left hand corner, click on Repair your computer.</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/win-pass-1.png"></a><a href="http://www.xpresslearn.com/wp-content/uploads/win-pass-2.png"><img class="aligncenter size-full wp-image-804" title="Repair your computer link after booting to Windows 2008 Server installation DVD" src="http://www.xpresslearn.com/wp-content/uploads/win-pass-2.png" alt="" width="618" height="455" /></a></p>
<p>The next window asks which Windows installation is to be repaired.  As you can see below, I have the Windows installation location selected (note that it tells you what drive letter will be used during this repair session, D: in this and most cases).  Click on Next.</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/win-pass-3.png"><img src="http://www.xpresslearn.com/wp-content/uploads/win-pass-3.png" alt="" title="Selecting Windows installation" width="384" height="293" class="aligncenter size-full wp-image-805" /></a></p>
<p>The following window will then appear, select the Command Prompt link.</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/win-pass-4.png"><img src="http://www.xpresslearn.com/wp-content/uploads/win-pass-4.png" alt="" title="Clicking on the Command Prompt link from the Recovery menu" width="484" height="265" class="aligncenter size-full wp-image-806" /></a></p>
<p>After clicking the Command Prompt link, a cmd window will open like the one below:</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/win-pass-5.png"><img src="http://www.xpresslearn.com/wp-content/uploads/win-pass-5.png" alt="" title="Command Prompt window as it appears after clicking on link" width="689" height="430" class="aligncenter size-full wp-image-807" /></a></p>
<p>Perform the following steps:</p>
<ul>
<li>Change to the drive letter Windows is installed on (D: in the example above).</li>
<li>Change to the \Windows\System32 directory.</li>
<li>Move the existing file utilman.exe to a temporary name, such as utilman.exe.bak.</li>
<li>Copy the command interpreter cmd.exe to utilman.exe.</li>
</ul>
<p>The previously described operations are reflected in the following screenshot:</p>
<p>Exit the command window and click on the Restart button.</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/win-pass-6.png"><img src="http://www.xpresslearn.com/wp-content/uploads/win-pass-6.png" alt="" title="Commands needed to copy cmd.exe over utilman.exe" width="690" height="447" class="aligncenter size-full wp-image-808" /></a></p>
<p>After restarting, allow the machine to boot normally from the hard drive.  The following screenshot is the normal Windows login screen you will see.  Press the key combination <strong>Windows key + U</strong></p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/win-pass-7.png"><img src="http://www.xpresslearn.com/wp-content/uploads/win-pass-7.png" alt="" title="Initial screen after normal Windows boot" width="803" height="602" class="aligncenter size-full wp-image-809" /></a></p>
<p>After pressing the <strong>Windows+U</strong> keys, a command window will appear like what is in the following screenshot:</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/win-pass-8.png"><img src="http://www.xpresslearn.com/wp-content/uploads/win-pass-8.png" alt="" title="Command Prompt window that appears in place of utilman" width="802" height="602" class="aligncenter size-full wp-image-810" /></a></p>
<p>The next step is your normal command line password change commands.  If you&#8217;re not aware of which username you should be changing, use <strong>net group &#8220;Domain Admins&#8221;</strong> to determine the userid that needs resetting.</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/win-pass-9.png"><img src="http://www.xpresslearn.com/wp-content/uploads/win-pass-9.png" alt="" title="Resetting Windows Administrator Password" width="801" height="601" class="aligncenter size-full wp-image-811" /></a></p>
<p>The user Administrator is what I need reset, so use the following command <strong>net user Administrator </strong><em>&lt;A secure password&gt; </em> like what is shown in the following screenshot:</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/win-pass-10.png"><img src="http://www.xpresslearn.com/wp-content/uploads/win-pass-10.png" alt="" title="Reset Windows Administrator password via command line" width="698" height="388" class="aligncenter size-full wp-image-812" /></a></p>
<p>At this point, you have successfully reset the Administrator password!  However, there is one more task that needs to be performed.  Shut the machine down and repeat the steps with the Windows 2008 Server install DVD up to the point where you have a command window opened.  Copy the backup file utilman.exe.bak over the existing utilman.exe file (which at this point is a renamed copy of cmd.exe).  Reboot the machine back to the OS installed on the hard drive.</p>
<p>Note:  Failing to perform this step leaves what is now a security hole open on your machine: anyone at the logon screen can open a command prompt with Windows key + U.  So it is important to return the utilman.exe file to its original state.</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/win-pass-11.png"><img src="http://www.xpresslearn.com/wp-content/uploads/win-pass-11.png" alt="" title="Booting back to recovery and changing utilman.exe back to original state" width="695" height="439" class="aligncenter size-full wp-image-813" /></a></p>
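<p>An added check for the clean-up step (example code, not from the article): it hashes utilman.exe and cmd.exe and reports if they are still identical, if utilman.exe.bak is still lying around, or if either file is missing. The System32 path is an argument, so it can be pointed at a mounted disk as well as the running machine; the demo directory it builds contains placeholder files, not Windows binaries.</p>

```python
"""Verify the clean-up step: utilman.exe must no longer be a copy of cmd.exe.

Added example for this article (not the author's code). The reset works by
copying cmd.exe over utilman.exe, so until the backup is restored anyone at
the logon screen gets a command prompt with Windows key + U. This check
hashes both binaries and also flags a leftover utilman.exe.bak. It takes the
System32 directory as an argument, so it can be run on the live machine, on
a mounted disk image, or, as in the demo below, on constructed files.
"""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries never sit whole in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_utilman(system32: str) -> dict:
    """Return findings: 'swapped' if utilman.exe and cmd.exe are byte-identical,
    'backup_left' if utilman.exe.bak still exists, 'missing' for absent files."""
    utilman = os.path.join(system32, "utilman.exe")
    cmd = os.path.join(system32, "cmd.exe")
    backup = os.path.join(system32, "utilman.exe.bak")
    findings = {"swapped": False,
                "backup_left": os.path.exists(backup),
                "missing": [os.path.basename(p) for p in (utilman, cmd)
                            if not os.path.isfile(p)]}
    if not findings["missing"]:
        # Compare sizes first (cheap); only hash when they match.
        same_size = os.path.getsize(utilman) == os.path.getsize(cmd)
        findings["swapped"] = same_size and sha256_of(utilman) == sha256_of(cmd)
    return findings


def is_clean(findings: dict) -> bool:
    """True only when nothing from the reset procedure is left behind."""
    return not (findings["swapped"] or findings["backup_left"] or findings["missing"])


def make_constructed_system32(restored: bool) -> str:
    """Build a throwaway directory that mimics System32 mid-procedure
    (restored=False) or after the backup has been put back (restored=True).
    The file contents are placeholders, not real Windows binaries."""
    d = tempfile.mkdtemp(prefix="sys32-demo-")
    cmd_bytes = b"MZ placeholder for cmd.exe"
    original = b"MZ placeholder for the real utilman.exe"
    with open(os.path.join(d, "cmd.exe"), "wb") as fh:
        fh.write(cmd_bytes)
    if restored:
        with open(os.path.join(d, "utilman.exe"), "wb") as fh:
            fh.write(original)
    else:
        with open(os.path.join(d, "utilman.exe"), "wb") as fh:
            fh.write(cmd_bytes)  # the renamed copy of cmd.exe
        with open(os.path.join(d, "utilman.exe.bak"), "wb") as fh:
            fh.write(original)
    return d


if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\Windows")
    result = check_utilman(os.path.join(root, "System32"))
    print("clean" if is_clean(result) else f"ATTENTION: {result}")
```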
]]></content:encoded>
			<wfw:commentRss>http://www.xpresslearn.com/windows/windows-admin/reset-windows-server-administrator-password/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Closing an open file handle</title>
		<link>http://www.xpresslearn.com/windows/windows-admin/closing-an-open-file-handle</link>
		<comments>http://www.xpresslearn.com/windows/windows-admin/closing-an-open-file-handle#comments</comments>
		<pubDate>Wed, 29 Jun 2011 16:25:58 +0000</pubDate>
		<dc:creator>Scott Pilkinton</dc:creator>
				<category><![CDATA[Admin]]></category>
		<category><![CDATA[close file handle]]></category>
		<category><![CDATA[handle.exe]]></category>
		<category><![CDATA[sysinternals]]></category>

		<guid isPermaLink="false">http://www.xpresslearn.com/?p=783</guid>
		<description><![CDATA[Use case of how using Sysinternals handle.exe to close a file opened over the network saved a local copy process from having to be restarted.]]></description>
			<content:encoded><![CDATA[<p>Recently, I needed to close a file that was open via a network share on a server containing user home directories.  This particular file was a temporary Excel file opened from a user workstation.  These files are easily identifiable; in this case the name was ~$Weekly Sales Report.xlsx.  The Office suite of programs creates a temporary file with the same file name, prepended with the &#8216;~$&#8217; characters, which contains the logon name of the person who opened the file first.  This temporary file is called the &#8220;owner file&#8221; and is used to prevent more than one network user from opening the same file in read/write mode at the same time.  When this file exists and a second user goes to open the same file, they will see a message similar to the following:</p>
<p><em>This file is already opened by (user name). Would you like to make a copy of this file for your use?</em></p>
<p>The reason I needed to close this file, was because I was running <a href="http://technet.microsoft.com/en-us/library/cc733145(WS.10).aspx">robocopy</a> to mirror a directory from one drive to another.  Robocopy detected the file in use and would stall for 30 seconds then retry to copy the file.  Since I didn&#8217;t specify how many times to retry, the default was one million times.  How&#8217;s that for bringing a 450GB copy operation to a standing halt!  Since this job was over 50 percent complete, I didn&#8217;t want to start it over &#8211; so the question was: How do I close this file in use?</p>
<p><span id="more-783"></span></p>
<p>The answer was a <a href="http://technet.microsoft.com/en-us/sysinternals/default">Sysinternals</a> program called <a href="http://technet.microsoft.com/en-us/sysinternals/bb896655">handle.exe</a>.  When run with no switches, handle prints every process and the files it has open to the screen.  This will typically be more information than the default cmd window buffer will hold, so part of the information will scroll off the window.  The easiest way to deal with this is to redirect the output to a file and then search the text file.  Here is an example:</p>
<pre>C:\temp&gt;handle &gt; handle.txt</pre>
<p>Now open handle.txt in notepad and search for (in my case): ~$Weekly Sales Report.xlsx.</p>
<p>The search yielded the following (edited for brevity):</p>
<pre>------------------------------------------------------------------------------
System pid: 4 NT AUTHORITY\SYSTEM
395C: File  (R--)   E:\Personals\Joe.Didley\Reports\~$Weekly Sales Report.xlsx</pre>
<p>So now I know that the process id &#8216;4&#8217; had the file open with an assigned handle id of &#8216;395C&#8217;.</p>
<p>The command to close this particular file handle is:</p>
<pre>C:\temp&gt;handle -c 395C -p 4

Handle v3.45
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

395C: File  (R--)   E:\Personals\Joe.Didley\Reports\~$Weekly Sales Report.xlsx
Close handle 395C in System (PID 4)? (y/n) y

Handle closed.</pre>
<p>Success!  After the file handle was closed, robocopy automatically continued since the file was no longer in use.</p>
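<p>Rather than searching handle.txt in Notepad, the output can be parsed. The following is an added example (not Sysinternals code) that walks the process headers and File lines, finds every handle whose path matches, and produces the handle -c command for each; the sample output is a constructed excerpt in the same layout as above, with a second process holding the real workbook so that the match on the &#8216;~$&#8217; owner file can be checked.</p>

```python
"""Locate the PID and handle id that `handle -c` needs for a given file.

Added example for this post (not Sysinternals code). handle.exe output is a
sequence of process headers ('<image> pid: <n> <owner>') followed by the
handles that process holds, one per line. SAMPLE_OUTPUT is a constructed
excerpt in that layout, including a second process holding the real
workbook so that the match on the '~$' owner file can be checked.
"""
import re

# "System pid: 4 NT AUTHORITY\SYSTEM"
_PROC_RE = re.compile(r"^(?P<name>\S.*?) pid: (?P<pid>\d+) (?P<owner>.*)$")
# "  395C: File  (R--)   E:\Personals\Joe.Didley\Reports\~$Weekly Sales Report.xlsx"
_FILE_RE = re.compile(
    r"^\s*(?P<hid>[0-9A-Fa-f]+): File\s+\((?P<access>[RWD-]{3})\)\s+(?P<path>.+?)\s*$")

SAMPLE_OUTPUT = r"""
Handle v3.45
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
System pid: 4 NT AUTHORITY\SYSTEM
   1A0: File  (RW-)   C:\Windows\System32\config\SYSTEM
  395C: File  (R--)   E:\Personals\Joe.Didley\Reports\~$Weekly Sales Report.xlsx
------------------------------------------------------------------------------
explorer.exe pid: 1820 LAB\scott
   2C8: File  (RW-)   C:\Users\scott\Desktop
   6A4: File  (R--)   E:\Personals\Joe.Didley\Reports\Weekly Sales Report.xlsx
"""


def find_file_handles(handle_output: str, needle: str):
    """Return (pid, process, handle_id, path) for every File handle whose path
    contains `needle`. Matching is case-insensitive, like NTFS paths."""
    hits, pid, name = [], None, None
    for line in handle_output.splitlines():
        m = _PROC_RE.match(line)
        if m:                      # start of a new process section
            pid, name = int(m.group("pid")), m.group("name")
            continue
        m = _FILE_RE.match(line)
        if m and pid is not None and needle.lower() in m.group("path").lower():
            hits.append((pid, name, m.group("hid").upper(), m.group("path")))
    return hits


def close_commands(hits, confirm: bool = True):
    """Build the `handle -c <id> -p <pid>` command for each match, as run in the
    post. With confirm=False, handle's -y switch skips the y/n prompt."""
    flag = "" if confirm else " -y"
    return [f"handle -c {hid} -p {pid}{flag}" for pid, _name, hid, _path in hits]


if __name__ == "__main__":
    for command in close_commands(find_file_handles(SAMPLE_OUTPUT, "~$Weekly Sales Report.xlsx")):
        print(command)
```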
]]></content:encoded>
			<wfw:commentRss>http://www.xpresslearn.com/windows/windows-admin/closing-an-open-file-handle/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Backup network configurations with free tools</title>
		<link>http://www.xpresslearn.com/networking/networkmanagement/backup-network-configurations-with-free-tools</link>
		<comments>http://www.xpresslearn.com/networking/networkmanagement/backup-network-configurations-with-free-tools#comments</comments>
		<pubDate>Wed, 01 Jun 2011 17:17:09 +0000</pubDate>
		<dc:creator>Scott Pilkinton</dc:creator>
				<category><![CDATA[Management]]></category>
		<category><![CDATA[backup]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[config backup]]></category>
		<category><![CDATA[expect]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[TCL]]></category>

		<guid isPermaLink="false">http://www.xpresslearn.com/?p=681</guid>
		<description><![CDATA[Use a simple Linux virtual machine running in a player on your Windows desktop in order to use the awesome Unix program called expect.  This article will show you how to get started automating the login of Cisco devices by using expect.]]></description>
			<content:encoded><![CDATA[<p>Anyone who manages a network will benefit from having a plan in place to backup network device configurations. Switches, Routers, Load Balancers, Firewalls, and VPN devices all contain configurations that should have copies stored off the device itself.  By doing this, it provides a backup in case the device fails and needs to be replaced, or more commonly, a mis-configuration is performed on a device and you need to go back to where you started from.</p>
<p>In this example, we will use a very nice tool called Expect.  Expect has traditionally been run on Unix variants, but has also been ported to Windows.  Activestate, the company known for Perl on the Windows platform, also offers TCL for Windows &#8211; which includes Expect.  This particular article will cover the program running on the Linux platform, with the possibility of revisiting at a later date to explore whether we can run the same processes in Windows.</p>
<p><span id="more-681"></span></p>
<p>In today&#8217;s times, even if you&#8217;re a full blown Windows user, there are very easy ways to add Linux into your engineering toolbox.  This is most commonly done using virtualization technology, which is offered by multiple vendors.  The more common scenario is to download a free &#8216;player&#8217;, such as the one provided by VMware. Once you have an installed VM player, you can proceed by building a basic Linux machine from scratch (which will run on top of your Windows platform), or just download a pre-built &#8216;appliance&#8217; from the VMware website. You can easily download the latest and greatest versions of Linux, ready to run, by copying an image to your workstation; hit play in the VM player, log in, and you&#8217;re ready to work!  It really is that easy!</p>
<p>First, let&#8217;s start with a simple expect script and then gradually move into something a little more flexible. For an Operating System, I am using Ubuntu 10.10 Server Edition. The Server Edition just installs the minimum requirements to run a linux machine with basic tools. There is no GUI in the installation, so everything is done at a command line. This keeps the footprint small, which is especially good for running inside a virtual machine like I am doing.</p>
<p>Ok, I am logged into the Linux machine and at a command prompt. In this example, we are going to create a very simple expect script to log into a Cisco router that is pre-configured to allow a username and password only. After a successful login, we will immediately be in privileged mode. If this is not the way your test device is set up, don&#8217;t worry; I will show you how to modify the script, following this example. The script itself contains many comments (lines preceded with the &#8216;#&#8217; character), which explain what the following line accomplishes.</p>
<p>First, let&#8217;s create the script by typing the following command:</p>
<pre>root@ubuntu:~/util# vi 1.exp</pre>
<p>Once in the vi editor, press &#8216;<strong>i</strong>&#8216; to insert characters and type or paste the following commands: Note: To try this on an actual device, replace the IP address shown below (192.168.1.1) with a valid device address in your network. Also adjust the username and password (admin/cisco) as necessary for your environment.</p>
<pre>
#!/usr/bin/expect -f
#The line above tells the interpreter where the expect program is located.  This may need adjusting
#according to your specific environment.  Type ' which expect ' (without quotes) at a command prompt
#to find where it is located on your system and adjust the line above accordingly.
#
#
#Use the built in telnet program to connect to an IP and port number
spawn telnet 192.168.1.1 23
#
#The first thing we should see is a User Name prompt
expect "User Name:"
#
#Send a valid username to the device
send "admin\n"
#
#The next thing we should see is a Password prompt
expect "Password:"
#
#Send a valid password to the device
send "cisco\n"
#
#If the device automatically assigns us to a privileged level after successful logon,
#then we should be at an enable prompt
expect "#"
#
#Tell the device to turn off paging
send "term length 0\n"
#
#After each command issued at the enable prompt, we expect the enable prompt again to tell us the
#command has executed and is ready for another command
expect "#"
#
#Show us the running configuration on the screen
send "show run\n"
#
#The interact command is part of the expect script, which tells the script to hand off control to the user.
#This will allow you to continue to stay in the device for issuing future commands, instead of just closing
#the session after finishing running all the commands.
interact</pre>
<p>Once these commands have been typed, press ESC key to exit out of insert mode. Then press &#8216;<strong>:wq</strong>&#8216; to write to the file 1.exp and exit the vi editor.</p>
<p>If your test device requires an enable password, use this script instead (with the previously mentioned modifications):</p>
<pre>
#!/usr/bin/expect -f
#The line above tells the interpreter where the expect program is located.  This may need adjusting
#according to your specific environment.  Type ' which expect ' (without quotes) at a command prompt
#to find where it is located on your system and adjust the line above accordingly.
#
#
#Use the built in telnet program to connect to an IP and port number
spawn telnet 192.168.1.1 23
#
#The first thing we should see is a User Name prompt
expect "User Name:"
#
#Send a valid username to the device
send "admin\n"
#
#The next thing we should see is a Password prompt
expect "Password:"
#
#Send a valid password to the device
send "cisco\n"
#
#If the device requires us to enter an enable password, then we should currently be at a
#non-privileged prompt
expect "&gt;"
#
#Send the command to enter enable mode
send "enable\n"
#
#We should see a prompt asking for the enable password
expect "Password:"
#
#Send the enable password
send "supercisco\n"
#
#We should be in privileged mode now, reflected by a hash prompt
expect "#"
#
#Tell the device to turn off paging
send "term length 0\n"
#
#After each command issued at the enable prompt, we expect the enable prompt again to tell us the
#command has executed and is ready for another command
expect "#"
#
#Show us the running configuration on the screen
send "show run\n"
#
#The interact command is part of the expect script, which tells the script to hand off control to the user.
#This will allow you to continue to stay in the device for issuing future commands, instead of just closing
#the session after finishing running all the commands.
interact</pre>
<p>Now, it is time to run our test script:</p>
<pre>root@ubuntu:~/util# expect 1.exp</pre>
<p>Here is a sample output:</p>
<pre>root@ubuntu:~/util# expect 1.exp
spawn telnet 192.168.1.1 23
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

User Name:admin
Password:*****

Router#term length 0
Router#show run
Building configuration...

Current configuration : 3832 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret ****
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
!
no ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

Router#</pre>
<p>At the end of the script, we are left at the command prompt, so that we may continue interacting with the router.</p>
<p>In the next article, we will take the script to Version 2 (and beyond). Future enhancements include a separate file for all the devices and credentials, the ability to use telnet or ssh for the connection, and copying configurations from different vendors&#8217; hardware.</p>
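<p>As an added example (not the author&#8217;s scripts, and not the Version 2 mentioned above), here is the same login dialogue carried out from plain Python over a TCP socket, returning the <em>show run</em> text so it can be written to a backup file rather than left on the screen. It assumes the article&#8217;s prompt strings (User Name:, Password:, &gt; and #) and the admin/cisco/supercisco credentials; FakeRouter is a constructed stand-in device for offline testing, not a Cisco emulator.</p>

```python
"""Plain-Python version of the expect dialogue above that returns the config.

Added example for this article, not the author's expect scripts. It performs the
same exchange over a raw TCP socket (User Name:, Password:, optional enable,
term length 0, show run) and returns the configuration text instead of leaving
you at the prompt. Telnet option negotiation is not handled, so this is a minimal
stand-in for the spawned telnet. FakeRouter is a constructed device that answers
those prompts so the collector can be exercised offline.
"""
import socket
import socketserver
import threading

def read_until(sock, marker: str, timeout: float = 10.0) -> str:
    """The 'expect' step: block until marker arrives (CRs ignored)."""
    sock.settimeout(timeout)
    buf, target = b"", marker.encode()
    while target not in buf.replace(b"\r", b""):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError(f"connection closed while waiting for {marker!r}")
        buf += chunk
    return buf.replace(b"\r", b"").decode(errors="replace")

def send_line(sock, text: str) -> None:
    """The 'send' step, newline-terminated like the scripts' \\n."""
    sock.sendall((text + "\n").encode())

def fetch_running_config(host, port, username, password, enable_password=None):
    """Log in the way 1.exp does and return the body of 'show run'."""
    with socket.create_connection((host, port), timeout=10) as sock:
        read_until(sock, "User Name:")
        send_line(sock, username)
        read_until(sock, "Password:")
        send_line(sock, password)
        if enable_password is not None:      # the second script's extra steps
            read_until(sock, ">")
            send_line(sock, "enable")
            read_until(sock, "Password:")
            send_line(sock, enable_password)
        read_until(sock, "#")
        send_line(sock, "term length 0")     # turn off paging
        read_until(sock, "#")
        send_line(sock, "show run")
        output = read_until(sock, "\nend\n")  # 'end' closes an IOS config
        send_line(sock, "exit")
    lines = output.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("Current configuration")) + 1
        stop = next(i for i, l in enumerate(lines) if l == "end") + 1
    except StopIteration:
        raise ValueError("output does not look like a running configuration") from None
    return "\n".join(lines[start:stop]) + "\n"

# Constructed reply for the fake device, abridged from the sample output
# above; not captured from a real router.
FAKE_CONFIG = ("Building configuration...\n\nCurrent configuration : 100 bytes\n"
               "!\nversion 12.3\nservice password-encryption\n!\nhostname Router\n"
               "!\nline vty 0 4\n!\nend\n")

class FakeRouter(socketserver.StreamRequestHandler):
    """Answers the prompts the scripts expect (admin/cisco, enable supercisco)."""

    def handle(self):
        self.wfile.write(b"User Name:")
        user = self.rfile.readline().strip()
        self.wfile.write(b"Password:")
        if (user, self.rfile.readline().strip()) != (b"admin", b"cisco"):
            self.wfile.write(b"\n% Login invalid\n")
            return
        prompt = b"Router>" if self.server.require_enable else b"Router#"
        self.wfile.write(b"\n" + prompt)
        while True:
            cmd = self.rfile.readline().strip()
            if cmd in (b"", b"exit"):
                return
            if cmd == b"enable":
                self.wfile.write(b"Password:")
                if self.rfile.readline().strip() == b"supercisco":
                    prompt = b"Router#"
                self.wfile.write(b"\n")
            elif cmd == b"show run" and prompt.endswith(b"#"):
                self.wfile.write(FAKE_CONFIG.encode())
            self.wfile.write(prompt)

def start_fake_router(require_enable: bool = False):
    """Serve FakeRouter on an ephemeral localhost port; returns the server."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeRouter)
    server.require_enable = require_enable
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    router = start_fake_router()
    print(fetch_running_config(*router.server_address, "admin", "cisco"), end="")
    router.shutdown()
    router.server_close()
```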
]]></content:encoded>
			<wfw:commentRss>http://www.xpresslearn.com/networking/networkmanagement/backup-network-configurations-with-free-tools/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows Unidentified network</title>
		<link>http://www.xpresslearn.com/networking/networkgeneral/windows-unidentified-network</link>
		<comments>http://www.xpresslearn.com/networking/networkgeneral/windows-unidentified-network#comments</comments>
		<pubDate>Fri, 25 Feb 2011 22:23:18 +0000</pubDate>
		<dc:creator>Scott Pilkinton</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Windows Unidentified network]]></category>

		<guid isPermaLink="false">http://www.xpresslearn.com/?p=660</guid>
		<description><![CDATA[The article will explain why interfaces show up in the Network and Sharing Center of Windows Vista/7/2008 as an Unidentified network and how to turn off the discovery function, so that they are no longer automatically classified.  By turning off discovery for each interface (as needed), you can eliminate the Unidentified network altogether.]]></description>
			<content:encoded><![CDATA[<p>There are things that will bug me from time to time when setting up a new system in regards to how software is implemented.  I&#8217;m sure this is common for other people in similar situations, most of the time it is just easier to ignore whatever the issue is &#8211; especially if it is just &#8216;cosmetic&#8217;.  This particular issue falls somewhere in the middle of cosmetic and possibly problematic, but I would prefer it to be gone, nonetheless&#8230;</p>
<p>The issue I&#8217;m speaking about is one regarding Windows Vista/7/2008 Server and the &#8216;Unidentified network&#8217;.  Before we dive into fixing the unidentified network categorization, a little explanation on how the process works:  The Windows Operating System wants to classify each active network interface, in order to determine what category to place the adapter in.  Inside the Control Panel, click on Network and Internet, then click View network status and tasks.  In the default view, this should bring you to the &#8216;Network and Sharing Center&#8217;.  Inside the section &#8216;View your active networks&#8217;, each connected network interface will be displayed.</p>
<p>Each network interface is then categorized as either Public, Private, or Domain.  Once the interface is automatically assigned to one of these categories, certain rules are applied.  The rules are related to the Windows Firewall, Network Discovery, and Network Sharing.</p>
<p><span id="more-660"></span></p>
<p>Let&#8217;s exclude the Domain category for a moment and talk about Public and Private networks.  Usually when a new network interface is activated (this includes Wireless networks) a window will appear asking you if the network is part of a public or private network.  The Public option is intended to be just that: public areas, which would typically be locations outside of your &#8216;trust zone&#8217;.  With Public networks, you get the most secure settings applied to that interface, which include Firewall, Network Discovery and Sharing settings.  Private networks will get less secure options applied, but usually allow more plug and play functionality like: Windows Firewall being less restrictive, Sharing allowed by default, etc.</p>
<p>Quite honestly, in a company network most of the time you don&#8217;t necessarily want all this automatic stuff to happen.  We network people like to think we are smart enough to know what is best for our systems and don&#8217;t want Windows (or anything else for that matter) to try and figure it out for us.  Nonetheless, almost all default software installations and factory hardware configurations are geared toward the automatic &#8216;I know what is best for you&#8217; configuration.</p>
<p>In this specific example, I have a crossover connection between two Windows 2008 servers that will be used with Microsoft Clustering Services.  With this connection, I have the least amount of properties assigned to the interface.  All I need is an IP address and subnet mask.  There won&#8217;t be any default gateway, DNS servers, etc., just enough to communicate over a point to point connection with another host.  Another common example of when you would have this same type of configuration is when you have a secondary adapter in a machine that is communicating with a device on the same subnet and no routing is involved, such as an interface being used for an iSCSI storage connection.  Even though this is a common enough configuration in the business world, Windows can&#8217;t seem to figure out what to do with it.  So, what happens is the interface becomes part of an &#8216;Unidentified Network&#8217; and takes on the properties of the Public network settings (strict firewall, no sharing, etc.).</p>
<p>The fix to this is to tell Windows not to try and automatically determine what type of connection it is, but that it is an endpoint device and is not a connection to a true external network.  Consequently, Windows will then ignore the endpoint device when Windows identifies networks. The Network Awareness APIs indicate that the device does not connect the computer to a network. For end users in this situation, the Network and Sharing Center and the network icon in the notification area do not show the NDIS endpoint device as connected. However, the connection is shown in the Network Connections Folder.</p>
<p>So, for every interface that you don&#8217;t want showing up as an &#8216;Unidentified network&#8217; like the example below:</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/01.jpg"><img class="aligncenter size-full wp-image-662" title="Windows Unidentified network" src="http://www.xpresslearn.com/wp-content/uploads/01.jpg" alt="" width="501" height="91" /></a></p>
<p>all you have to do is the following:</p>
<p>At a command prompt, run: <strong><em>ipconfig /all</em></strong></p>
<p>Find the interface that is showing up as Unidentified, which in this case has been renamed to Crossover:</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/2.jpg"><img class="aligncenter size-full wp-image-663" title="IPconfig output" src="http://www.xpresslearn.com/wp-content/uploads/2.jpg" alt="" width="635" height="159" /></a></p>
<p>and make note of the Physical Address (The image above has the mac address erased).</p>
<p>Next, invoke PowerShell at the command line.  Once at the PS command prompt, issue the command: <strong><em>get-wmiobject win32_networkadapter</em></strong> as shown below:</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/3.jpg"><img class="aligncenter size-full wp-image-664" title="Powershell Get Network adapter properties" src="http://www.xpresslearn.com/wp-content/uploads/3.jpg" alt="" width="512" height="70" /></a></p>
<p>Once the powershell output is displayed, match up the Physical Address obtained from the previous ipconfig output with the MACAddress field of the Powershell output.  The value that needs to be obtained is the DeviceID.  In our example, the DeviceID is: 10 (shown below)</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/4.jpg"><img class="aligncenter size-full wp-image-666" title="Powershell Network Adapter output" src="http://www.xpresslearn.com/wp-content/uploads/4.jpg" alt="" width="625" height="100" /></a></p>
<p>Now that the proper DeviceID has been obtained, open regedit and browse to the following key:</p>
<p>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}</p>
<p>Underneath the above key, there are numbers listed for each interface on the system.  Click on the number that matches the previously obtained DeviceID.</p>
<p>Add the following new DWORD value:</p>
<p><strong>*NdisDeviceType</strong> (be sure to include the * at the beginning)</p>
<p>Then edit the newly created value *NdisDeviceType and set it to <strong>1</strong></p>
<p>Close regedit and reboot the machine.</p>
<p>After the machine comes back up, the adapter will no longer appear in the Network and Sharing Center.  However, if you click the Adapter settings link, which lists all the network connections, you will see the interface.  Only this time, there will be no mention of an Unidentified network!</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/6.jpg"><img class="aligncenter size-full wp-image-667" title="Adapter displayed in Network Connections" src="http://www.xpresslearn.com/wp-content/uploads/6.jpg" alt="" width="435" height="149" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.xpresslearn.com/networking/networkgeneral/windows-unidentified-network/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Deploy syslog agent for centralized Windows logging</title>
		<link>http://www.xpresslearn.com/tools/windows-tools/deploy-syslog-agent-for-centralized-windows-logging</link>
		<comments>http://www.xpresslearn.com/tools/windows-tools/deploy-syslog-agent-for-centralized-windows-logging#comments</comments>
		<pubDate>Wed, 26 Jan 2011 15:47:05 +0000</pubDate>
		<dc:creator>Scott Pilkinton</dc:creator>
				<category><![CDATA[Windows]]></category>
		<category><![CDATA[Eventlog]]></category>
		<category><![CDATA[Eventlog to Syslog]]></category>
		<category><![CDATA[syslog]]></category>

		<guid isPermaLink="false">http://www.xpresslearn.com/?p=612</guid>
		<description><![CDATA[An option for centralizing Windows logs is to install an agent on each machine that will forward Windows event logs to a centralized syslog server as they happen.  Evtsys is a very small and efficient client that will perform this task.  This article contains the necessary steps to deploy this client from a centralized location.]]></description>
			<content:encoded><![CDATA[<p>Eventlog to Syslog, originally developed by Curtis Smith at <a href="https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/" target="_blank">Purdue University</a>, is a very small and efficient program that takes Windows event logs and forwards them as syslog messages to a syslog server.  Its most recent modification was made by Sherwin Faria of the Rochester Institute of Technology.  The current version at the time of this writing is 4.4, which was revised November 29, 2010.  The project is now available to all and is hosted at <a href="http://code.google.com/p/eventlog-to-syslog/">code.google.com</a>.</p>
<p>Since there is both a 32-bit and a 64-bit version of this service, I have put together a little deployment script that determines the target architecture and then deploys the appropriate client.</p>
<p>In its current form, the deployment script depends on the following components to accomplish this task:</p>
<ul>
<li>Eventlog to Syslog executable and library</li>
<li>systeminfo, a command-line program that is installed on Windows XP/2003 machines and above.  Note: systeminfo only has to be run from the central computer you are deploying from.</li>
<li>psexec, a Sysinternals utility that is obtainable through Microsoft&#8217;s website</li>
</ul>
<p>There are three scripts: one to deploy the 32-bit agent, one for the 64-bit agent, and one to determine whether the target is 32-bit or 64-bit.</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/evtsysdir.jpg"><img class="aligncenter size-full wp-image-634" title="Evtsys deployment directory listing" src="http://www.xpresslearn.com/wp-content/uploads/evtsysdir.jpg" alt="" width="384" height="167" /></a></p>
<p>The instEvtsys.cmd is executed from the source machine that is performing the deployment.  The following is the contents of the instEvtsys script:</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/evtsys01.jpg"><img class="aligncenter size-full wp-image-635" title="Evtsys deployment script" src="http://www.xpresslearn.com/wp-content/uploads/evtsys01.jpg" alt="" width="445" height="238" /></a></p>
<p>Once the determination has been made for the destination platform architecture, the appropriate deployment script is called.  Here is a look at the inst64bit.cmd script:</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/evtsys02.jpg"><img class="aligncenter size-full wp-image-641" title="Deployment script for evtsys.exe" src="http://www.xpresslearn.com/wp-content/uploads/evtsys02.jpg" alt="" width="578" height="77" /></a></p>
<p>The previous script copies the two needed files, evtsys.exe and evtsys.dll, to the destination System32 directory.  The evtsys executable is then run on the target machine via psexec with the switch that registers it as a service and configures the IP address of the syslog server where the messages will be sent.  The final command again uses psexec to issue the &#8216;net start&#8217; command, which starts the evtsys service.</p>
<p>The following zip file contains all the scripts needed for deployment.  In addition to the contents of this file, you will need to download the evtsys executables and drop them in the appropriate deployment directories.</p>
<p><a href="http://www.xpresslearn.com/wp-content/uploads/Evtsys.zip">Evtsys deployment scripts</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.xpresslearn.com/tools/windows-tools/deploy-syslog-agent-for-centralized-windows-logging/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Network Design Series I</title>
		<link>http://www.xpresslearn.com/networking/design/network-design-series-i</link>
		<comments>http://www.xpresslearn.com/networking/design/network-design-series-i#comments</comments>
		<pubDate>Tue, 07 Dec 2010 03:35:10 +0000</pubDate>
		<dc:creator>Scott Pilkinton</dc:creator>
				<category><![CDATA[Design]]></category>
		<category><![CDATA[network design]]></category>

		<guid isPermaLink="false">http://www.xpresslearn.com/?p=544</guid>
		<description><![CDATA[Part I of the network design series for the fictitious company qwikPolicy, an insurance company that is being built from the ground up.]]></description>
			<content:encoded><![CDATA[<p>The intent of this series is to carry you through an entire network design.  By creating a scenario and documenting the process of designing a network for the fictitious company, my hope is to share some knowledge in the process.</p>
<h3>Let&#8217;s get started:</h3>
<p>An insurance company in TN named qwikPolicy has decided to open its doors for business and has secured services to design a network for the business.  They have provided a business plan that includes where and how the business will be operated.</p>
<p><strong>Below are key points of information needed for designing the network.</strong></p>
<ul>
<li>qwikPolicy will operate in all 95 counties in Tennessee, with a physical office located in each county.</li>
<li>Three of the county offices will function as a claims center with one in east, middle, and west Tennessee.</li>
<li>Each county office will average 5 employees, except for the offices that also have a claims center.</li>
<li>The claims center offices will have an average of 30 employees each and another 10 employees each serving as claims agents, who will all work out of home based offices.</li>
<li>The company will provide services via the internet for consumers to create quotes, report claims, and to communicate with insurance agents.</li>
<li>The Engineer is responsible for designing all networking and phone needs.</li>
<li>Data Center space will be allocated in Nashville and Knoxville.</li>
<li>The I.T. Infrastructure budget has been pre-allocated and is set at $1,000,000.00.</li>
</ul>
<p><strong>The internal services needed for day to day operations are:</strong></p>
<ul>
<li>File and Print Services.  Centralized shared directories are needed for different working groups and each person will have a home directory that will provide storage space for automated user profile backups.</li>
<li>The main suite of insurance applications is web-based and will be accessed internally using a browser.</li>
<li>Email will be provided using a standard email client.</li>
<li>Internet access from each workstation.</li>
</ul>
<p>In the next article we will start laying out the WAN and the two data center areas.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.xpresslearn.com/networking/design/network-design-series-i/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Design Series II</title>
		<link>http://www.xpresslearn.com/networking/design/network-design-series-ii</link>
		<comments>http://www.xpresslearn.com/networking/design/network-design-series-ii#comments</comments>
		<pubDate>Thu, 01 Jul 2010 18:52:51 +0000</pubDate>
		<dc:creator>Scott Pilkinton</dc:creator>
				<category><![CDATA[Design]]></category>
		<category><![CDATA[design]]></category>

		<guid isPermaLink="false">http://www.xpresslearn.com/?p=571</guid>
		<description><![CDATA[Part II of the network design series for the fictitious company qwikPolicy, an insurance company that is being built from the ground up.]]></description>
			<content:encoded><![CDATA[<p>In the previous article, we had some general parameters defined, which will be used to design the network around.  The first thing we will do is figure out our WAN connectivity.</p>
<p><strong>WAN</strong></p>
<p>After reviewing multiple telecom provider offerings, the determination is made to enter into an agreement with bellX.  bellX will provide a private MPLS cloud for the wide area network requirements.  Ninety-two offices will have T1 access into the bellX MPLS cloud with a 512kb port speed.  Memphis, the only combination claims office without datacenter space, will have a full 1.5mb port speed.  The other two combination office/datacenters will have T3 access, with the full 45mb port speed.</p>
<p>With a decision made on how the offices will be connected together, now we can start working on the overall design.  Here are a few points that need to be considered during the design phase.</p>
<ul>
<li>Redundant internet connections</li>
<li>Redundant wide area connectivity between the two datacenters</li>
<li>Centralized phone system, so there is minimal phone infrastructure to manage in each office</li>
<li>Redundancy in the Phone Switch &amp; Call Center infrastructure</li>
<li>Redundant internet DMZ for highly available public web sites</li>
</ul>
<p>The first thing needed is a high-level design drawing.  Visio can be used to quickly sketch one out, and it can also be used later to expand the high-level drawing into a detailed design drawing.  The following is a high-level diagram of the datacenter networking:</p>
<p style="text-align: center;"><a href="http://www.xpresslearn.com/wp-content/uploads/qwikPolicy.png"><img class="size-large wp-image-586 alignnone" title="qwikPolicy Data Center networks" src="http://www.xpresslearn.com/wp-content/uploads/qwikPolicy-1024x439.png" alt="" width="754" height="323" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.xpresslearn.com/networking/design/network-design-series-ii/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>