Cisco ACS 5.X - How to configure it for APC UPS (NMC/NMC2) RADIUS Authentication.

If you’d like to use a RADIUS server for APC NMC/NMC2 authentication, you should know there are four user types available:
• Administrator
• Device
• Read-Only
• Network-Only

By default (without specific configuration on the RADIUS server side) you will get Read-Only rights. There are two ways to configure Cisco ACS 5.X to provide the Administrator privilege:

Proper way

• Add APC VSA attributes to the dictionary:
– “System Administration” > “Configuration” > “Dictionaries” > “Protocols” > “RADIUS” > “RADIUS VSA” > “Create” > “Name: APC”, “Vendor ID: 318” > Submit.
– “System Administration” > “Configuration” > “Dictionaries” > “Protocols” > “RADIUS” > “RADIUS VSA” > “APC” > “Create” > “Attribute: APC-Service-Type”, “Vendor Attribute ID: 1”, “Attribute Type: Unsigned Integer 32” > “Submit”.
• Create an “Authorization Profile”: “Policy Elements” > “Authorization and Permissions” > “Network Access” > “Authorization Profiles” > “Create” > “Name: APC_Admin” > go to “RADIUS Attributes” tab, add “APC-Service-Type” as “Static” with value 1 (to get Administrator user privilege) > “Submit”.
• Use the created “Authorization Profile” in “Access Policies”…

Simplest way

Instead of adding a new VSA attribute, you can use the IETF RADIUS attribute “Service-Type” (ID: 6) and configure it with the “Administrative” value (ID: 6). It works the same way as the previous one. Checked.
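Both methods come down to which attribute the Access-Accept carries. The following is an added Python example (not from the original post, and not APC or Cisco code) that encodes the two attributes per RFC 2865 and shows how a receiver would derive the user type from them; mapping anything else to Read-Only follows the default stated above.

```python
import struct

# RFC 2865 attribute numbers and the values used by the two methods above.
SERVICE_TYPE = 6                  # IETF Service-Type attribute
SERVICE_TYPE_ADMINISTRATIVE = 6   # Service-Type value "Administrative"
VENDOR_SPECIFIC = 26              # IETF Vendor-Specific attribute (carries VSAs)
APC_VENDOR_ID = 318               # vendor ID from the ACS dictionary entry
APC_SERVICE_TYPE = 1              # APC-Service-Type vendor attribute ID
APC_ADMINISTRATOR = 1             # APC-Service-Type value for Administrator


def encode_service_type(value):
    """IETF integer attribute: Type(1) Length(1) Value(4, network order)."""
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)


def encode_apc_vsa(vendor_type, value):
    """Vendor-Specific attribute (RFC 2865 section 5.26): Type 26, Length,
    Vendor-Id(4), then the vendor's own Type(1) Length(1) Value(4)."""
    inner = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), APC_VENDOR_ID) + inner


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value_bytes) pairs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def apc_privilege(attr_bytes):
    """User type granted by an Access-Accept carrying these attributes:
    Administrator via the APC VSA or via Service-Type=Administrative,
    otherwise the default described above, Read-Only."""
    for atype, value in parse_attributes(attr_bytes):
        if atype == SERVICE_TYPE and len(value) == 4:
            if struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE:
                return "Administrator"
        elif atype == VENDOR_SPECIFIC and len(value) == 10:
            fields = struct.unpack("!IBBI", value)   # vendor id, type, length, value
            if fields == (APC_VENDOR_ID, APC_SERVICE_TYPE, 6, APC_ADMINISTRATOR):
                return "Administrator"
    return "Read-Only"
```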

Useful links

How to configure RADIUS server to authenticate APC Network Enabled device? (Official KB FA156083 article)
How to configure FreeRADIUS for APC UPS Authentication (Official KB FA232648 article)

How to test SMTP server using TELNET. [TESTED]

Just for copy/paste. I use it to test SMTP from the Cisco CLI.

telnet 192.168.1.1 25 /source-interface fa0/0

HELO test.example.com
MAIL FROM: test@example.com
RCPT TO: alexey@example.com
DATA
Subject: Test Message

This is just a test message
.
QUIT

Windows 8 - AnyConnect error - Failed to initialize connection subsystem. [SOLVED]

We had a problem with the AnyConnect client v3.1.05187 on Windows 8. We got the error message “Failed to initialize connection subsystem”. We solved it using the following procedure:

• Install all Windows updates on Windows 8.
• Reboot the PC.
• Update AnyConnect client to the latest version using anyconnect-win-3.1.07021-pre-deploy-k9.msi file.
• Reboot the PC - this is important.

Enjoy!

Cisco IP SLA - How to generate SYSLOG messages for IP SLA status changes.

Just real quick. Suppose you want to collect basic statistics about internet connectivity disruptions: you would configure an IP SLA operation towards the carrier's router (your default gateway) and enable logging to the buffer. By default, IOS does not generate SYSLOG messages for IP SLA status changes; you have to configure a track object. Here is an example.

ip sla 1
 icmp-jitter 192.168.1.2 source-ip 192.168.1.1 num-packets 3 interval 2000
  threshold 2000
  timeout 3000
  frequency 10
  exit
ip sla schedule 1 life forever start-time now

track 1 ip sla 1

logging buffered

BTW, I chose the icmp-jitter type because it is more flexible than icmp-echo. You will get the following result:

Apr  8 07:05:41.363: %TRACKING-5-STATE: 1 ip sla 2 state Up->Down
Apr  8 07:06:41.363: %TRACKING-5-STATE: 1 ip sla 2 state Down->Up
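To turn those buffered messages into the disruption statistics mentioned above, here is an added Python example (not from the original post) that parses %TRACKING-5-STATE lines for one track object and pairs each Up->Down with the following Down->Up. The log lines embedded in it are constructed samples in the same format, and the year is an assumption because IOS timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample of the logging buffer, in the format shown above.
SAMPLE_LOG = """\
Apr  8 07:05:41.363: %TRACKING-5-STATE: 1 ip sla 1 state Up->Down
Apr  8 07:06:41.363: %TRACKING-5-STATE: 1 ip sla 1 state Down->Up
Apr  8 09:15:02.100: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Apr  8 10:00:00.000: %TRACKING-5-STATE: 1 ip sla 1 state Up->Down
Apr  8 10:02:30.000: %TRACKING-5-STATE: 1 ip sla 1 state Down->Up
"""

TRACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"%TRACKING-5-STATE: (?P<track>\d+) ip sla \d+ state \w+->(?P<to>Up|Down)$"
)


def parse_ts(ts, year=2014):
    """IOS timestamps carry no year, so the caller supplies one (assumption)."""
    return datetime.strptime("%d %s" % (year, " ".join(ts.split())),
                             "%Y %b %d %H:%M:%S.%f")


def outages(log_text, track_id=1):
    """Return (down_at, seconds_down) for each Up->Down/Down->Up pair of the
    given track object; a Down with no later Up gets duration None."""
    result, down_since = [], None
    for line in log_text.splitlines():
        m = TRACK_RE.match(line)
        if not m or int(m.group("track")) != track_id:
            continue                     # other tracks and unrelated syslog lines
        t = parse_ts(m.group("ts"))
        if m.group("to") == "Down":
            down_since = t               # a repeated Down just restarts the clock
        elif down_since is not None:
            result.append((down_since, (t - down_since).total_seconds()))
            down_since = None
    if down_since is not None:
        result.append((down_since, None))  # still down at the end of the buffer
    return result


def summarize(log_text, track_id=1):
    """Count of outages plus total and longest completed downtime."""
    events = outages(log_text, track_id)
    closed = [d for _, d in events if d is not None]
    return {"count": len(events),
            "total_seconds": sum(closed),
            "longest_seconds": max(closed) if closed else 0.0}


if __name__ == "__main__":
    for start, secs in outages(SAMPLE_LOG):
        print(start.strftime("%b %d %H:%M:%S"), "down for", secs, "s")
    print(summarize(SAMPLE_LOG))
```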

Show command for verification:

Router#show track
Track 1
  IP SLA 1 state
  State is Up
    5 changes, last change 01:26:00
  Latest operation return code: OK
  Latest RTT (millisecs) 52
Router#

We can go further and configure EEM to send us an email if the status changes:

conf t

event manager applet Mail_Track_SLA_1
 event track 1 state any
 action 1.0 mail server "192.168.1.1" to "alexey@example.com" from "Router@example.com" subject "IP SLA1 status" body "IP SLA1 status has changed"

Show command for verification:

Router#show track
Track 1
  IP SLA 1 state
  State is Up
    5 changes, last change 01:38:24
  Latest operation return code: OK
  Latest RTT (millisecs) 48
  Tracked by:
    EEM applet Mail_Track_SLA_1
Router#

EEM applet for collecting traceroute after IP SLA down

Here is a simple example of how to use an EEM applet to collect a traceroute after the IP SLA state goes DOWN.

event manager applet APPLET_NAME
 event track 13 state down maxrun 90
 action 001 syslog msg "--- Event detected ---"
 action 002 cli command "enable"
 action 003 puts "--- Executing: ping 8.8.8.8 ---"
 action 004 cli command "ping 8.8.8.8"
 action 005 puts "$_cli_result"
 action 006 puts "--- Executing: traceroute 8.8.8.8 ---"
 action 007 cli command "traceroute 8.8.8.8 numeric timeout 1 probe 2 ttl 1 25"
 action 008 puts "$_cli_result"
 action 009 puts "--- Action finished ---"

Notes:
• “enable” mode is required if you want to use advanced parameters for traceroute.
• You will see all the output on the monitor (terminal monitor) and in the logging buffer. Syslog messages will NOT be generated. If you need to send all the output as syslog messages, read this thread (replace “action … puts “$_cli_result”” with “action … syslog msg “$_cli_result””).
• “maxrun 90” is required: we need to increase the default runtime of 20 seconds because the traceroute command sometimes takes much longer to complete. Otherwise you will not get the result, and debugs will say the following:

... EEM policy APPLET_NAME has exceeded it's elapsed time limit of 20.0 seconds

There is an issue with Cisco IOS: it uses UDP for traceroute, so in most cases you will not see all hops. The best way is to use ICMP, which Cisco IOS does not support. You can use Linux or Windows to create a script or, if you have a Cisco ASA in your network, modify the EEM applet to connect to the ASA and run traceroute use-icmp. BTW, ASA version 9.2.1 and later does support EEM - proof link.

• We have to use nested quotes, and EEM 3.20 does not support them. We are going to use a workaround: an EEM environment variable holding the quote character.
• During the tests, I figured out that it works only for a remote connection to Cisco IOS; Cisco ASA does not work that way. You can find more here.

event manager environment quote "

event manager applet APPLET_NAME
 event track 13 state down maxrun 90
 action 001 puts "--- Event detected ---"
 action 002 cli command "ssh -l USERNAME 10.1.1.1 $quote traceroute 8.8.8.8 numeric use-icmp $quote" pattern "word:"
 action 003 cli command "PASSWORD"
 action 004 puts "$_cli_result"

Cisco WLC and Windows NPS as a RADIUS server.

Today I needed to reconfigure an AIR-CT5760 to use Windows NPS as the RADIUS server for wireless client authentication.

Here is a list of useful documents about it:
5760/3850 Series WLC PEAP Authentication with Microsoft NPS Configuration Example - MUST READ.
External RADIUS Server EAP Authentication with 5760/3850 WLC Configuration Example.
Converged Access -802.1X/EAP using External server, Local radius/LDAP on 5760 WLC and 3850.

If you have only one RADIUS server the configuration is pretty simple:

radius server NPS-192.168.1.1
 address ipv4 192.168.1.1
 key 0 SECRET_KEY
 exit

aaa group server radius RADIUS-WIRELESS-AUTH
 server name NPS-192.168.1.1
 exit

aaa authentication dot1x default group RADIUS-WIRELESS-AUTH

If you have two servers and you really want to be sure that switchover will work, you have to configure a little bit more (please refer to the excellent Cisco document Demystifying RADIUS Server Configurations):

radius server NPS-192.168.1.1
 address ipv4 192.168.1.1
 timeout 5
 retransmit 2
 automate-tester username dummy probe-on
 key 0 SECRET_KEY
 exit

radius server NPS-192.168.1.2
 address ipv4 192.168.1.2
 timeout 5
 retransmit 2
 automate-tester username dummy probe-on
 key 0 SECRET_KEY
 exit

aaa group server radius RADIUS-WIRELESS-AUTH
 server name NPS-192.168.1.1
 server name NPS-192.168.1.2
 exit

radius-server dead-criteria time 15 tries 2
radius-server deadtime 5

aaa authentication dot1x default group RADIUS-WIRELESS-AUTH

For me, the most useful show command is listed below:

AIR-CT5760-WLC#show aaa servers | i id|State|Dead|Quarant|request
RADIUS: id 1, priority 1, host 192.168.1.1, auth-port 1645, acct-port 1646
     State: current UP, duration 73029s, previous duration 0s
     Dead: total time 0s, count 84
     Quarantined: No
     Authen: request 1429752, timeouts 14115, failover 0, retransmission 10956
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
RADIUS: id 2, priority 2, host 192.168.1.2, auth-port 1645, acct-port 1646
     State: current UP, duration 150814s, previous duration 0s
     Dead: total time 0s, count 10
     Quarantined: No
     Authen: request 8417, timeouts 8085, failover 2209, retransmission 6084
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 619681, timeouts 593, failover 0, retransmission 593
AIR-CT5760-WLC#
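The counters above are easier to act on when parsed, so here is an added Python example (not from the original post or from Cisco) that reads the filtered show aaa servers output, computes each server's authentication timeout ratio and flags servers that are not UP or time out too often; the 5% threshold is an assumption, and the embedded sample reuses the counters shown above.

```python
import re

# Sample taken from the filtered "show aaa servers" output above, trimmed
# to the lines the parser needs (counters exactly as shown on the page).
SAMPLE_OUTPUT = """\
RADIUS: id 1, priority 1, host 192.168.1.1, auth-port 1645, acct-port 1646
     State: current UP, duration 73029s, previous duration 0s
     Dead: total time 0s, count 84
     Authen: request 1429752, timeouts 14115, failover 0, retransmission 10956
RADIUS: id 2, priority 2, host 192.168.1.2, auth-port 1645, acct-port 1646
     State: current UP, duration 150814s, previous duration 0s
     Dead: total time 0s, count 10
     Authen: request 8417, timeouts 8085, failover 2209, retransmission 6084
"""

HEADER_RE = re.compile(r"^RADIUS: id (\d+), priority \d+, host (\S+),")
STATE_RE = re.compile(r"^\s*State: current (\w+)")
DEAD_RE = re.compile(r"^\s*Dead: total time \d+s, count (\d+)")
COUNTER_RE = re.compile(r"^\s*(Authen|Author|Account): request (\d+), timeouts (\d+), failover (\d+), retransmission (\d+)")
FIELDS = ("request", "timeouts", "failover", "retransmission")


def parse_servers(text):
    """Turn the per-server blocks into a list of dicts keyed by section."""
    servers, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "host": m.group(2)}
            servers.append(cur)
        elif cur is None:
            continue                                 # text before the first server
        elif STATE_RE.match(line):
            cur["state"] = STATE_RE.match(line).group(1)
        elif DEAD_RE.match(line):
            cur["dead_count"] = int(DEAD_RE.match(line).group(1))
        elif COUNTER_RE.match(line):
            m = COUNTER_RE.match(line)
            cur[m.group(1).lower()] = dict(zip(FIELDS, map(int, m.groups()[1:])))
    return servers


def timeout_ratio(server, section="authen"):
    """Fraction of requests that timed out; 0.0 when none were sent."""
    c = server.get(section)
    return c["timeouts"] / c["request"] if c and c["request"] else 0.0


def unhealthy(servers, max_ratio=0.05):
    """Hosts that are not UP or time out more than max_ratio of auth requests."""
    return [s["host"] for s in servers
            if s.get("state") != "UP" or timeout_ratio(s) > max_ratio]
```

On the sample, server 2 answers only a fraction of its authentication requests in time, which is exactly the condition the dead-criteria and deadtime settings above are meant to catch.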
