Cisco IOS as PPTP server (VPDN) and Windows RADIUS server for remote user authentication. [TESTED]

Router’s config

• Well, the ‘aaa new-model’ command is required to go further, and if the router uses local authentication for CLI login, we have to make sure that we will still be able to log in after our changes. To do so:

username LOCALUSER privilege 15 secret SOMEPASSWORD
aaa new-model
aaa authorization exec default local

• Then we can go further. Configure RADIUS server group:

aaa group server radius VPDN_Auth
 server-private 10.0.0.240 key SECRET
 ip radius source-interface Loopback0
 exit

• The following statements (BOTH) are important. Without the authorization statement you will get “Error 742”.

aaa authentication ppp default group VPDN_Auth
aaa authorization network default group VPDN_Auth if-authenticated

Windows 2008 as RADIUS server

I set up a Windows 2008 R2 Server with NPS (Network Policy Server) (nps.msc) as the RADIUS server for VPDN auth. It’s a really simple thing.
• Download 7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso
• Read this post to setup roles, AD forest, etc.
• Then read this post about how to configure NPS.

About the UDP ports: According to the documentation NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both Internet Protocol version 6 (IPv6) and IPv4 for all installed network adapters by default.

ACS 5.X as RADIUS server for VPDN authentication

Basically, it’s easy to configure ACS 5.X for VPDN:

• Network Resources > Network Device and AAA Clients > Create > Important fields: IP, RADIUS Shared Secret > Submit.
• Users and Identity Stores > Internal Identity Stores > Users > Create > Name, Password > Submit.
• Access Policies > Access Service > Default Network Access > Allowed Protocols tab > Allow MS-CHAPv2 > Submit.

I tried to use ACS 5.3 as a RADIUS server for VPDN, but no luck. I got “Error 742: The remote computer does not support the required data encryption type.” all the time. I tried to find a solution and did some research. So, the problem is with MPPE:

Router#debug ppp mppe events
MPPE Events debugging is on
Router#
*Dec 31 08:59:46.066: Vi3 MPPE: RADIUS keying material missing
Router#

IP Tunneling > PPTP Frequently Asked Questions > Q. What does “Error 742” mean?:

Q. What does “Error 742” mean?

A. This error means that the remote computer does not support the required data encryption type. For example, if you set the PC for “encrypted only” and delete the pptp encrypt mppe auto command from the router, then the PC and the router cannot agree on encryption. The debug ppp negotiation command shows this output.

04:41:09: Vi1 LCP: O PROTREJ
[Open] id 5 len 16 protocol CCP (0x80FD0102000A1206010000B0)

Another example involves the router MPPE RADIUS problem. If you set the router for ppp encrypt mppe auto required and the PC for “encryption allowed with authentication to a RADIUS server not returning the MPPE key,” then you get an error on the PC that states, “Error 742: The remote computer does not support the required data encryption type.” The router debug shows a “Call-Clear-Request” (bytes 9 and 10 = 0x000C = 12 = Call-Clear-Request per RFC) as seen here.

00:45:58: Tnl 17 PPTP: CC I 001000011A2B3C4D000C000000000000
00:45:58: Vi1 Tnl/Cl 17/17 PPTP: CC I ClearRQ

I compared successful and failed ‘debug radius’ outputs and made sure that the MS-MPPE-Send-Key (16) and MS-MPPE-Recv-Key (17) attributes are absent from the access-accept message from ACS.
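As an added example (not from the post, Cisco or Microsoft), here is a small Python decoder for the two artefacts quoted above: it reads the PPTP control header from the debug line (bytes 9 and 10 are the control message type, 0x000C = Call-Clear-Request) and walks the attribute list of a RADIUS Access-Accept to report whether the Microsoft Vendor-Specific MS-MPPE-Send-Key (16) and MS-MPPE-Recv-Key (17) attributes are present. The two Access-Accept packets are constructed samples with a zeroed authenticator and dummy key material; they only mimic the shape of a working NPS reply and of the ACS reply the author observed.

```python
"""Decode the two debug artefacts behind "Error 742": the PPTP Call-Clear-Request
and a RADIUS Access-Accept with or without the MS-MPPE key attributes.
Added example, not part of the original post; the RADIUS packets are constructed
samples (zeroed authenticator, dummy key material)."""
import struct

PPTP_MAGIC = 0x1A2B3C4D
PPTP_CTRL_TYPES = {1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
                   7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
                   12: "Call-Clear-Request", 13: "Call-Disconnect-Notify", 15: "Set-Link-Info"}

RADIUS_VSA = 26            # Vendor-Specific (RFC 2865)
VENDOR_MICROSOFT = 311     # RFC 2548
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17


def decode_pptp_control(hex_payload):
    """Parse the fixed PPTP control header (RFC 2637): length, PPTP message type,
    magic cookie and control message type (bytes 9-10, the field the FAQ cites)."""
    data = bytes.fromhex(hex_payload)
    length, msg_type, magic, ctrl_type = struct.unpack("!HHIH", data[:10])
    if magic != PPTP_MAGIC:
        raise ValueError("bad PPTP magic cookie: 0x%08X" % magic)
    return {"length": length, "message_type": msg_type, "control_type": ctrl_type,
            "name": PPTP_CTRL_TYPES.get(ctrl_type, "unknown")}


def parse_radius_attributes(packet):
    """Walk the attribute list of a RADIUS packet (RFC 2865 sections 3 and 5).
    Returns (type, vendor_id, vendor_type, value) tuples; the vendor fields are
    None for non-VSA attributes.  Raises ValueError on inconsistent lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d != packet size %d" % (length, len(packet)))
    pos, attrs = 20, []              # 4-byte header + 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == RADIUS_VSA and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            attrs.append((atype, vendor_id, vtype, value[6:4 + vlen]))
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return attrs


def has_mppe_keys(packet):
    """True only if both MS-MPPE-Send-Key and MS-MPPE-Recv-Key are present;
    without them IOS logs 'MPPE: RADIUS keying material missing'."""
    found = {vt for t, vid, vt, _ in parse_radius_attributes(packet)
             if t == RADIUS_VSA and vid == VENDOR_MICROSOFT}
    return MS_MPPE_SEND_KEY in found and MS_MPPE_RECV_KEY in found


def ms_vsa(vendor_type, value):
    """Wrap a value as a Microsoft Vendor-Specific attribute body."""
    return struct.pack("!IBB", VENDOR_MICROSOFT, vendor_type, len(value) + 2) + value


def build_access_accept(ident, attrs):
    """Assemble an Access-Accept (code 2) from (type, value) pairs.  The
    authenticator is zeroed because this is a constructed sample, not a real reply."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + b"\x00" * 16 + body


# Constructed samples: GOOD mirrors a working NPS reply (2-byte salt + 32 bytes of
# dummy encrypted key per RFC 2548), BAD mirrors what the author saw from ACS 5.3.
GOOD_ACCEPT = build_access_accept(1, [
    (RADIUS_VSA, ms_vsa(MS_MPPE_SEND_KEY, b"\x80\x01" + b"\x11" * 32)),
    (RADIUS_VSA, ms_vsa(MS_MPPE_RECV_KEY, b"\x80\x02" + b"\x22" * 32)),
    (RADIUS_VSA, ms_vsa(7, b"\x00\x00\x00\x01")),   # MS-MPPE-Encryption-Policy
])
BAD_ACCEPT = build_access_accept(2, [(7, b"\x00\x00\x00\x01")])   # Framed-Protocol=PPP only

if __name__ == "__main__":
    print(decode_pptp_control("001000011A2B3C4D000C000000000000"))
    print("NPS-style reply carries MPPE keys:", has_mppe_keys(GOOD_ACCEPT))
    print("ACS-style reply carries MPPE keys:", has_mppe_keys(BAD_ACCEPT))
```

To use it on real traffic, feed `parse_radius_attributes` the UDP payload of the Access-Accept from a capture taken between the router and the RADIUS server; `has_mppe_keys` returning False is the same condition the router reports as “RADIUS keying material missing”.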

BUT according to this official document:

In ACS 5.1, you cannot configure these attributes. These are added to the profile as required.

I also found a few ACS bugs related to MPPE functionality. For example:

CSCty11627 - ACS5 sends MS-CHAP-MPPE-Keys attribute in all access-accept packets
CSCtx90637 - ACS MSCHAPV2 is not hashing the mschap success correctly

Some useful links:

Configuring CiscoSecure ACS for Windows Router PPTP Authentication
Cisco Secure ACS for Windows Router PPTP Authentication

Well, I just stopped. Don’t want to waste my time for this tiny little buggy thing…

How to integrate Cisco ACS 5.X and Cisco Prime. [TESTED]

Here is a quick instruction on how to configure Cisco ACS for Cisco Prime (tested on ACS 5.X and Prime Infrastructure 2.X). First of all, you need to know that ACS and CPI can be integrated in more than one way:

• ACS for user authentication during login to CPI Web GUI.
• ACS for user authentication during login to CPI CLI.
• ACS as ACS View.

ACS and CPI WebGUI

Cisco Prime Infrastructure 2.2 Administrator Guide > Controlling User Access > Configuring ACS 5.x says NOTHING about how to configure ACS 5.X.
Cisco Prime Infrastructure 2.2 Administrator Guide > Best Practices: Server Security Hardening > Authenticating With External AAA provides wrong instructions:

Step 1 Log in to Prime Infrastructure with a user ID that has administrator privileges.
Step 2 Select Administration > Users, Roles & AAA > TACACS+ or Administration > Users, Roles & AAA > RADIUS.
Step 3 Enter the TACACS+ or RADIUS server IP address and shared secret in the appropriate fields.
Step 4 Select Administration > Users, Roles & AAA > AAA Mode Settings.
Step 5 Set the AAA mode as appropriate.

So, if you configure regular access you get the following error during login:

No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server.

You can find solution HERE.

Solution

• Log in to HTTPS://_CPI_IP_/ as root / _your_root_password_.
• Administration > Users, Roles & AAA > TACACS+ Servers > “– Select a command –” Add TACACS+ server > …
• AAA Mode Settings > TACACS+ > Enable fallback to Local > on authentication failure or no server response > Save. Note that “Install time root user is going to be always authenticated locally irrespective of the AAA Mode Settings“. So, if you have root with no other users configured locally plus AAA users, AAA mode doesn’t make sense…
• User Groups > Press “Task List” button for Group Name “Root”.
• Copy left column (TACACS+ Custom Attributes) to notepad.
• Add virtual-domain0=ROOT-DOMAIN to the list.
• Go to ACS Shell Profiles > Custom Attributes > Bulk Edit > Paste all entries > OK.
• Test login.

Again, I used the following list of attributes for CPI 2.1; note that the list is different for CPI 2.2:

role0=Root
task0=View Alerts and Events
task1=Run Job
task2=Device Reports
task3=Alarm Stat Panel Access
task4=WAN Optimization Multisegment Access
task5=RADIUS Servers
task6=Raw NetFlow Reports
task7=Network Summary Reports
task8=Edit Audit Logs Purge Settings Access
task9=Discovery View Privilege
task10=Configure ACS View Servers
task11=Run Reports List
task12=View Audit Logs Purge Settings Access
task13=View CAS Notifications Only
task14=Administration Menu Access
task15=Monitor Clients
task16=Configure Guest Users
task17=Monitor Media Streams
task18=Configure Lightweight Access Point Templates
task19=Monitor Chokepoints
task20=Maps Read Write
task21=Configure Access Points
task22=Virtual Domains List
task23=All
task24=Users and Groups
task25=View Group Members
task26=Edit Device Access
task27=Saved Reports List
task28=Migration Templates
task29=Monitor Spectrum Experts
task30=Configure Autonomous Access Point Templates
task31=Audit Trails
task32=Swim Collection
task33=Client Location
task34=Delete Device Access
task35=Device WorkCenter
task36=TrustSec Readiness Assessment
task37=PnP Profile Deploy Read-Write Access
task38=Monitor Access Points
task39=Data Collection Management Access
task40=CleanAir Reports
task41=Configure Ethernet Switches
task42=Configure Ethernet Switch Ports
task43=TACACS+ Servers
task44=Edit Job
task45=Mobility Service Management
task46=Autonomous AP Reports
task47=Swim Upgrade Analysis
task48=Delete Groups
task49=Performance Reports
task50=Configure Controllers
task51=Help Menu Access
task52=Packet Capture Access
task53=WorkflowsReadWriteAccess
task54=MSAP Reports
task55=Scheduled Tasks and Data Collection
task56=Monitor Tags
task57=Details Dashboard Access
task58=Search Access
task59=Scheduled Configuration Tasks
task60=View Groups
task61=Configure WIPS Profiles
task62=Delete Job
task63=Client Reports
task64=Troubleshoot
task65=Services Menu Access
task66=Configure Templates
task67=System Jobs Tab Access
task68=System Settings
task69=Report Launch Pad
task70=Remove Clients
task71=Performance Dashboard Access
task72=Alarm Browser Access
task73=Configure Config Groups
task74=Application and Services Access
task75=Export Device Access
task76=Mesh Reports
task77=Swim Info Update
task78=High Availability Configuration
task79=License Center
task80=View Audit Logs Access
task81=Lobby Ambassador Defaults Configuration
task82=Design Monitoring Template Access
task83=Add Group Members
task84=Monitor Controllers
task85=Deploy Configuring Access
task86=View Job
task87=Monitor Security
task88=Track Clients
task89=Monitor Menu Access
task90=Export Audit Logs Access
task91=Design Configuration Template Access
task92=Schedule Job
task93=SSO Servers
task94=Monitor Interferers
task95=Configure Switch Location Configuration Templates
task96=Configure WiFi TDOA Receivers
task97=Add Groups
task98=Cancel Job
task99=Swim Distribution
task100=PnP Preferences Read-Write Access
task101=Discovery CRUD Privilege
task102=WAN Optimization Dashboard Access
task103=nbiAccessPrivilege
task104=Voice Audit Report
task105=Admin Dashboard Access
task106=PnP Deploy History Read-Write Access
task107=Global SSID Groups
task108=Modify Groups
task109=Report Run History
task110=Maps Read Only
task111=Compliance Reports
task112=Disable Clients
task113=Custom NetFlow Reports
task114=WIPS Service
task115=Security Reports
task116=Application Server Management Access
task117=Configure Spectrum Experts
task118=Appliance
task119=View Security Index Issues
task120=Swim Access Privilege
task121=Configure Mobility Devices
task122=Device Bulk Import Access
task123=Home Menu Access
task124=Health Monitor Details
task125=Monitor WiFi TDOA Receivers
task126=Add Device Access
task127=Approve Job
task128=View Alert Condition
task129=User Preferences
task130=Guest Reports
task131=Config Archive Read-Write Task
task132=Logging
task133=Device View configuration Access
task134=Swim Preference Save
task135=Automated Feedback
task136=Delete and Clear Alerts
task137=Identity Search Engine
task138=Configure Third Party Controllers and Access Point
task139=Email Notification
task140=License Check
task141=SSO Server AAA Mode
task142=Rogue Location
task143=Swim Recommondation
task144=Identify Unknown Users
task145=Delete Group Members
task146=Reports Menu Access
task147=PnP Profile Read-Write Access
task148=Configure ISE Servers
task149=Tools Menu Access
task150=Config Audit Dashboard
task151=Incidents Alarms Events Access
task152=Virtual Domain Management
task153=Monitor Ethernet Switches
task154=TAC Case Management Tool
task155=Pause Job
task156=Discovery Schedule Privilege
task157=Monitor Mobility Devices
task158=Context Aware Reports
task159=Voice Diagnostics
task160=Configure Choke Points
task161=MSE Analytics
task162=RRM Dashboard
task163=Swim Delete
task164=Theme Changer Access
task165=Import Policy Update
task166=Design Endpoint Site Association Access
task167=Diagnostic Information
task168=Planning Mode
task169=Pick and Unpick Alerts
task170=Configure Menu Access
task171=Ack and Unack Security Index Issues
task172=Deploy Monitoring Template Access
task173=Ack and Unack Alerts
task174=Auto Provisioning
virtual-domain0=ROOT-DOMAIN

If you add role0 and virtual-domain0 only, it’s not gonna work! TESTED.
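An added example (not the author's or Cisco's code) that builds the role0/taskN/virtual-domain0 block for the ACS shell profile from a task list and checks a pasted block for the mistakes that make the login fail: a missing role0 or virtual-domain0, a profile that contains only those two lines, duplicate or gapped task numbers, and malformed lines. The task names used here are a constructed subset; the real list must be copied from Prime's own Task List for the CPI version in use, as described above.

```python
"""Build and sanity-check the TACACS+ custom-attribute set that Prime
Infrastructure expects in the ACS shell profile.  Added example, not the
author's or Cisco's code.  SAMPLE_TASKS is a short constructed subset; the
full list comes from Prime's own 'Task List' for its version."""
import re

ATTR_RE = re.compile(r"^(role|task|virtual-domain)(\d+)=(.+)$")


def build_profile(role, tasks, domain="ROOT-DOMAIN"):
    """Produce the lines to paste into ACS Bulk Edit: role0, task0..taskN and
    virtual-domain0, numbered contiguously in the order given."""
    lines = ["role0=%s" % role]
    lines += ["task%d=%s" % (i, t) for i, t in enumerate(tasks)]
    lines.append("virtual-domain0=%s" % domain)
    return lines


def check_profile(lines):
    """Return a list of problems found in a pasted attribute block; an empty
    list means the set is structurally complete.  Blank lines are ignored."""
    problems = []
    seen = {"role": {}, "task": {}, "virtual-domain": {}}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = ATTR_RE.match(line)
        if not m:
            problems.append("malformed line: %r" % line)
            continue
        kind, idx, value = m.group(1), int(m.group(2)), m.group(3).strip()
        if idx in seen[kind]:
            problems.append("duplicate %s%d" % (kind, idx))
        seen[kind][idx] = value
    if 0 not in seen["role"]:
        problems.append("role0 missing")
    if 0 not in seen["virtual-domain"]:
        problems.append("virtual-domain0 missing")
    if not seen["task"]:
        problems.append("no taskN entries: role0 + virtual-domain0 alone is not enough")
    else:
        missing = sorted(set(range(len(seen["task"]))) - set(seen["task"]))
        if missing:
            problems.append("task numbering has gaps at %s" % missing)
    return problems


# Constructed subset of task names, in the style of the list above.
SAMPLE_TASKS = ["View Alerts and Events", "Run Job", "Device Reports",
                "Administration Menu Access"]

if __name__ == "__main__":
    profile = build_profile("Root", SAMPLE_TASKS)
    print("\n".join(profile))
    print("problems:", check_profile(profile))
    print("problems without tasks:", check_profile(["role0=Root", "virtual-domain0=ROOT-DOMAIN"]))
```

Run `check_profile` on the text you copied from the Task List before pasting it into ACS; a gap in the task numbering is the typical sign that a line was lost while copying.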

ACS and CPI CLI

Cisco Prime Infrastructure 2.2 Administrator Guide > Best Practices: Server Security Hardening > Authenticating With External AAA > To set up remote user authentication via the CLI provides comprehensive steps:

aaa authentication tacacs+ server 192.168.1.1 key plain TACACS_SHARED_KEY
username USERNAME password remote role admin email ADMIN.EXAMPLE.COM

Note:

• The 2nd command is required. Without it you will see authorization requests with the correct TACACS shared key and the correct username, but a WRONG PASSWORD (tested with CPI 2.2). It works as soon as you add the username statement.
• If you configured “ACS for WebGUI” as I mentioned above, no other action on the ACS side is required.
• If you configure ACS for both (WebGUI and CLI) you can easily tell whether an authentication request comes from the WebGUI or the CLI by looking at the “Remote Address” field in the request message. If it’s the WebGUI you will see CPI’s IP address in the “Remote Address” field; if it’s the CLI, you will see the client’s IP address.

How to configure Cisco Nexus 7K for Cisco ACS (TACACS). [SOLVED]

So, I needed to configure a Cisco Nexus 7K with NX-OS 6.x to use a TACACS server configured on Cisco ACS 5.X. I decided to build a minimal lab to test it before deploying on real hardware: NX-OS and Cisco ACS. I already had Cisco ACS, but I needed to get some NX-OS virtual device. Cisco Nexus 1000v was not an option because I had VMware Workstation ONLY and had no time to install Cisco Nexus 1000v in a nested ESXi on Workstation. Thus I tried to use Cisco Titanium 5.1.2.

Installing Cisco Nexus Titanium on VMware Workstation

* Prepare your VMware Workstation.
* Download the .RAR with “Titanium-VM” (just use Google to find the file).
* Import the VM into VMware Workstation: Open > ….vmx > “I Copied”.
* Add a Serial port to the VM like this:
* Connect to the Serial port using PuTTY (you will see nothing before the VM is booted).
* Start the VM. You will see the following, but it’s OK. BTW, you will see the CLI prompt after the VM has booted (just wait for a while), and no messages at all in the VM console.

Loader Loading stage1.5.

Loader loading, please wait...
WARNING: Ancient bootloader, some functionality may be limited!

* After the VM is booted you will see the following:

.
*****************
 Username: admin
 Password: cisco
*****************
.N7K login:

* Then you will probably want to reconfigure the Management interface to give the VM access to your network:

N7K(config)# int mgmt 0
N7K(config-if)# ip address 10.0.0.200/24
N7K(config-if)# no sh
N7K(config-if)# this config

interface mgmt0
  vrf member management
  ip address 10.0.0.200/24

N7K(config-if)# end
N7K# ping 10.0.0.1 vrf management
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=63 time=94.748 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=2.842 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=4.994 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=63 time=3.653 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=63 time=7.946 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 2.842/22.836/94.748 ms
N7K# copy run start
[########################################] 100%
Copy complete, now saving to disk (please wait)...
N7K#

* TACACS+ feature is disabled by default:

N7K# show feature | i Feature|tacacs
Feature Name          Instance  State
tacacs                1         disabled
N7K#
N7K# conf t
N7K(config)# feature tacacs+
N7K(config)# exit
N7K# show feature | i Feature|tacacs
Feature Name          Instance  State
tacacs                1         enabled
N7K#

* Template:

! Before you start, make sure that your username, password and role are configured locally.
! Then I suggest configuring local authentication for console connections.
aaa authentication login console local

tacacs-server host 10.0.0.100 key $SECRET$
tacacs-server host 10.0.0.100 timeout 3

aaa group server tacacs+ AAA
 server 10.0.0.100
 use-vrf management
 source-interface mgmt0
 exit

! You can test the authentication procedure:
test aaa group AAA USERNAME PASSWORD
user has been authenticated

...
aaa accounting default group AAA
...

! Some optional timeouts.
line console
 exec-timeout 15
 exit
line vty
 exec-timeout 15
 exit

! Save configuration.
copy run start

Some useful links:
* Cisco Secure Access Control System > Nexus Integration with ACS 5.2 Configuration Example.
* Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x > Configuring TACACS+.
* TACACS+ configuration on Nexus 7000.

* http://roadtocciedc.blogspot.com/2014/01/cisco-titanium-nx-os-emulator.html
* http://routing-bits.com/2011/05/24/nexus-user-roles/
* http://networkhobo.com/2014/01/23/configure-tacacs-access-on-nexus-7k/

Cisco ACS 5.5 - How to add SFTP repository and configure scheduled backup. [SOLVED]

I created a short note about “freeSSHd” a few moments ago. I installed it for ACS, to store backup files.

Add a repository (by CLI or Web GUI). Either way, you have to add the “hostkey” (RSA) of the SFTP server manually using the CLI. If you don’t, you will get the following:

hostname/admin# show backup history
Thu Oct 30 14:13:48 PDT 2014: backup test-141030-1413.tar.gpg to repository Backup: error - transfer failed
hostname/admin#
hostname/admin# show repository Backup
% Error : Operation failed due to one of the following reasons
1. host key is not configured
2. host key is removed because of re-image
3. host key is removed from some other repository having same ip/hostname
% Please add the host key using the crypto host_key exec command
% SSH connect error
hostname/admin#
hostname/admin# repository Backup
% Warning: Host key of the server must be added using 'crypto host_key add' exec command before sftp repository can be used.
hostname/admin(config-Repository)#

GUI says:

Note: Host key of sftp server must be added through CLI using host-key option

The solution is really simple:

hostname/admin# crypto host_key add host 1.1.1.1
host key fingerprint added
# Host 1.1.1.1 found: line 1 type RSA
1024 ad:ea:e2:44:83:db:04:f8:56:1c:56:a5:49:be:65:38 1.1.1.1 (RSA)
hostname/admin# show crypto host_keys
1024 ad:ea:e2:44:83:db:04:f8:56:1c:56:a5:49:be:65:38 1.1.1.1 (RSA)
hostname/admin#
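The fingerprint that `crypto host_key add` prints is what the appliance will trust from now on, so it is worth checking it against the key the SFTP server actually serves (for example the `ssh-rsa` line from its host-key file or from `ssh-keyscan`). As an added example, not the author's or Cisco's code, the Python below computes the same legacy MD5 colon-separated fingerprint from an OpenSSH public-key line and compares it with a value copied from the appliance. The key blob it uses is constructed for the demonstration and is not a usable RSA key; it only has the shape of a 1024-bit `ssh-rsa` key.

```python
"""Compute the legacy MD5 host-key fingerprint (the colon-separated form that
'crypto host_key add' prints) from an OpenSSH public-key line, so the value the
appliance pinned can be compared with the key the SFTP server really serves.
Added example, not the author's or Cisco's code; the key blob below is
constructed and is not a usable RSA key."""
import base64
import hashlib
import struct


def _ssh_string(payload):
    """Encode bytes as an SSH 'string' (4-byte big-endian length prefix)."""
    return struct.pack("!I", len(payload)) + payload


def _mpint(value):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob, pos):
    """Return (bytes, new_pos) for the SSH string starting at pos."""
    (n,) = struct.unpack("!I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def parse_openssh_rsa_key(line):
    """Split 'ssh-rsa AAAA... comment' into (blob, modulus_bits).  Checks that
    the type inside the blob matches the declared type, which a hand-edited or
    truncated key line would fail."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa' public key line")
    blob = base64.b64decode(parts[1])
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type %r does not match declared type" % key_type)
    _e, pos = _read_string(blob, pos)        # public exponent, not needed here
    n, _ = _read_string(blob, pos)           # modulus; a leading 0x00 is harmless
    return blob, int.from_bytes(n, "big").bit_length()


def md5_fingerprint(blob):
    """OpenSSH legacy fingerprint: MD5 of the wire-format blob as 16 hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_line(line):
    """Render 'BITS FINGERPRINT (RSA)', the same shape as the appliance output."""
    blob, bits = parse_openssh_rsa_key(line)
    return "%d %s (RSA)" % (bits, md5_fingerprint(blob))


def matches(line, expected_fingerprint):
    """Case-insensitive comparison against a fingerprint copied from the appliance."""
    return md5_fingerprint(parse_openssh_rsa_key(line)[0]) == expected_fingerprint.lower()


# Constructed 1024-bit-shaped key: e = 65537, n = 2**1023 + 12345 (NOT a real key).
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) + 12345)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " sftp-server"

if __name__ == "__main__":
    print(fingerprint_line(SAMPLE_LINE))
```

Paste the SFTP server's real `ssh-rsa` line into `fingerprint_line` and compare the result with the `show crypto host_keys` output; if the two differ, the appliance pinned a key that did not come from your server.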

Then you can configure scheduled backups using the official documentation:

ACS Backup with an FTP Repository Configuration Example.
Configuring Data Purging and Incremental Backup.

Basically, you have to look through the following configuration sections:
• acsadmin > System Administration > Operations > Scheduled Backups
• acsview > Monitoring Configuration > System Operations > Data Management > Removal and Backup

Cisco ACS 5.5 - Patch installation. [SOLVED]

The official “Upgrading the Cisco Secure Access Control System” documentation does not contain detailed info or an example of how the appliance should behave, nor the recovery time…

So, first download the patch (in my case 5-5-0-46-6.tar.gpg) and its Readme. Upload them to the repository (in my case, an ordinary FTP server running on a laptop). Personally, I use Quick ‘n Easy FTP Server Lite Version 3.2 because it is portable and runs on every Windows version.

Check the current software version. Out of curiosity, check the service status too. As far as I understand, its state does not matter for the upgrade; it will be stopped anyway.

acs-test-1/admin# show application version acs

Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.5.0.46
Internal Build ID : B.723

acs-test-1/admin#
acs-test-1/admin# show application status acs

ACS role: PRIMARY

Process 'database'                  running
Process 'management'                running
Process 'runtime'                   running
Process 'ntpd'                      running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running

acs-test-1/admin#

Next, create a repository. It can be done via the Web GUI, but everything can also be done from the console; in any case, the patch must be installed from the CLI. Then check which files are available.

acs-test-1/admin# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
acs-test-1/admin(config)#  repository TEMP
acs-test-1/admin(config-Repository)# url ftp://10.0.0.254/
acs-test-1/admin(config-Repository)# user ftpuser password plain ftppass
acs-test-1/admin(config-Repository)# do show repository TEMP
5-5-0-46-6.tar.gpg
Acs-55Patch6-Readme.txt
acs-test-1/admin(config-Repository)#
acs-test-1/admin(config-Repository)# exit
acs-test-1/admin(config)# exit
acs-test-1/admin#

Install the patch and answer YES to the question about rebooting the server. The server goes down for a reboot and comes back in about 3 minutes, but the service comes up after about 6 minutes in total.

acs-test-1/admin# acs patch install 5-5-0-46-6.tar.gpg repository TEMP
 MD5: 2d13ba8888b572c09d84905b70265656
 SHA256: 396aa5860ca181854e020ac9a693f28ff8926d0aa5b1a3d1bb0a7271c027e194
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? y
Installing ACS patch requires a restart of ACS services. Continue?  (yes/no) yes
Calculating disk size for /opt/CSCOacs/patches
Total size of patch files are 810 M.
Max Size defined for patch files are 2000 M.
Stopping ACS.
Stopping Management and View...............................................................
Stopping Runtime...........................
Stopping Database........
Stopping Ntpd...............
Cleanup..
Stopping log forwarding .....
Installing patch version '5.5.0.46.6'
Installing ADE-OS 2.0 patch.  Please wait...
About to install files
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
This patch includes security fixes which requires ACS server reboot. It is highly recommended to proceed with reboot
Do you want to reboot the server ? Y/N : y
You have choosen to reboot the server, Rebooting ...

Broadcast message from root (pts/1) (Mon Oct 20 14:51:30 2014):

The system is going down for reboot NOW!

Broadcast message from root (pts/1) (Mon Oct 20 14:51:30 2014):

The system is going down for reboot NOW!
/opt/CSCOacs/patches/5-5-0-46-6
Patch '5-5-0-46-6' version '5.5.0.46.6' successfully installed
Starting ACS ....

To verify that ACS processes are running, use the
'show application status acs' command.
acs-test-1/admin#

When the server is back, check the version and status:

login as: admin
Using keyboard-interactive authentication.
Password:
Last login: Mon Oct 20 14:37:49 2014 from 10.0.0.254
acs-test-1/admin# show application version acs

Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.5.0.46.6
Internal Build ID : B.723
Patches :
5-5-0-46-6

acs-test-1/admin#
acs-test-1/admin# show app status acs

ACS is busy applying a recent configuration change
requiring enabling/disabling of processes.
Status is unavailable.
Please check again in a minute.

acs-test-1/admin# show app status acs

ACS role: PRIMARY

Process 'database'                  running
Process 'management'                Changed
Process 'runtime'                   running
Process 'ntpd'                      running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running

acs-test-1/admin#
acs-test-1/admin# show app status acs

ACS role: PRIMARY

Process 'database'                  running
Process 'management'                running (HTTP is nonresponsive)
Process 'runtime'                   running
Process 'ntpd'                      running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running

acs-test-1/admin#
acs-test-1/admin# show app status acs

ACS role: PRIMARY

Process 'database'                  running
Process 'management'                running
Process 'runtime'                   running
Process 'ntpd'                      running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running

acs-test-1/admin#

That’s it. In my case the patch installation went fine both on the VMware test bench and on the production server.
