Cisco ACS 5.X - How to configure it for APC UPS (NMC/NMC2) RADIUS Authentication.

If you’d like to use a RADIUS server for APC NMC/NMC2 authentication, you should know there are 4 user types available:
• Administrator
• Device
• Read-Only
• Network-Only

By default (without specific configuration on the RADIUS server side) you will get Read-Only rights. There are two ways to configure Cisco ACS 5.X to provide Administrator privilege:

Proper way

• Add APC VSA attributes to the dictionary:
– “System Administration” > “Configuration” > “Dictionaries” > “Protocols” > “RADIUS” > “RADIUS VSA” > “Create” > “Name: APC”, “Vendor ID: 318” > Submit.
– “System Administration” > “Configuration” > “Dictionaries” > “Protocols” > “RADIUS” > “RADIUS VSA” > “APC” > “Create” > “Attribute: APC-Service-Type”, “Vendor Attribute ID: 1”, “Attribute Type: Unsigned Integer 32” > “Submit”.
• Create an “Authorization Profile”: “Policy Elements” > “Authorization and Permissions” > “Network Access” > “Authorization Profiles” > “Create” > “Name: APC_Admin” > go to “RADIUS Attributes” tab, add “APC-Service-Type” as “Static” with value 1 (to get Administrator user privilege) > “Submit”.
• Use created “Authorization Profile” in “Access Policies”…

Simplest way

Instead of adding a new VSA attribute, you can use the IETF RADIUS attribute named “Service-Type” (ID: 6) and configure it to return the “Administrative” value (ID: 6). It works the same way as the previous one. Checked.

Useful links

How to configure RADIUS server to authenticate APC Network Enabled device? (Official KB FA156083 article)
How to configure FreeRADIUS for APC UPS Authentication (Official KB FA232648 article)

Cisco WLC and Windows NPS as a RADIUS server.

Today I needed to reconfigure an AIR-CT5760 to use Windows NPS as RADIUS servers for wireless client authentication.

Here is a list of useful documents about it:
5760/3850 Series WLC PEAP Authentication with Microsoft NPS Configuration Example - MUST READ.
External RADIUS Server EAP Authentication with 5760/3850 WLC Configuration Example.
Converged Access -802.1X/EAP using External server, Local radius/LDAP on 5760 WLC and 3850.

If you have only one RADIUS server the configuration is pretty simple:

radius server NPS-192.168.1.1
 address ipv4 192.168.1.1
 key 0 SECRET_KEY
 exit

aaa group server radius RADIUS-WIRELESS-AUTH
 server name NPS-192.168.1.1
 exit

aaa authentication dot1x default group RADIUS-WIRELESS-AUTH

If you have two servers and you really want to be sure that the switchover will work, you have to configure a little bit more (please refer to the greatest document from Cisco - Demystifying RADIUS Server Configurations):

radius server NPS-192.168.1.1
 address ipv4 192.168.1.1
 timeout 5
 retransmit 2
 automate-tester username dummy probe-on
 key 0 SECRET_KEY
 exit

radius server NPS-192.168.1.2
 address ipv4 192.168.1.2
 timeout 5
 retransmit 2
 automate-tester username dummy probe-on
 key 0 SECRET_KEY
 exit

aaa group server radius RADIUS-WIRELESS-AUTH
 server name NPS-192.168.1.1
 server name NPS-192.168.1.2
 exit

radius-server dead-criteria time 15 tries 2
radius-server deadtime 5

aaa authentication dot1x default group RADIUS-WIRELESS-AUTH

For me, the most useful show command is listed below:

AIR-CT5760-WLC#show aaa servers | i id|State|Dead|Quarant|request
RADIUS: id 1, priority 1, host 192.168.1.1, auth-port 1645, acct-port 1646
     State: current UP, duration 73029s, previous duration 0s
     Dead: total time 0s, count 84
     Quarantined: No
     Authen: request 1429752, timeouts 14115, failover 0, retransmission 10956
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
RADIUS: id 2, priority 2, host 192.168.1.2, auth-port 1645, acct-port 1646
     State: current UP, duration 150814s, previous duration 0s
     Dead: total time 0s, count 10
     Quarantined: No
     Authen: request 8417, timeouts 8085, failover 2209, retransmission 6084
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 619681, timeouts 593, failover 0, retransmission 593
AIR-CT5760-WLC#
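The output above already hints at something the State column hides: server 192.168.1.2 is “UP” but almost every authentication request to it timed out. The following Python is an added example (not from this post or from Cisco) that parses this exact show output and flags servers whose authentication timeout ratio is too high; the sample text is copied from the output above, the threshold is an arbitrary choice.

```python
import re

# Output of "show aaa servers | i id|State|Dead|Quarant|request" as shown in the post above.
SHOW_AAA_SERVERS = """\
RADIUS: id 1, priority 1, host 192.168.1.1, auth-port 1645, acct-port 1646
     State: current UP, duration 73029s, previous duration 0s
     Dead: total time 0s, count 84
     Quarantined: No
     Authen: request 1429752, timeouts 14115, failover 0, retransmission 10956
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
RADIUS: id 2, priority 2, host 192.168.1.2, auth-port 1645, acct-port 1646
     State: current UP, duration 150814s, previous duration 0s
     Dead: total time 0s, count 10
     Quarantined: No
     Authen: request 8417, timeouts 8085, failover 2209, retransmission 6084
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 619681, timeouts 593, failover 0, retransmission 593
"""

HEADER = re.compile(r"RADIUS: id (\d+), priority \d+, host (\S+),")
STATE = re.compile(r"State: current (\w+)")
AUTHEN = re.compile(r"Authen: request (\d+), timeouts (\d+), failover (\d+), retransmission (\d+)")

def parse_servers(text):
    """Map host -> {id, state, authen counters} from the show output."""
    servers, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = servers.setdefault(m.group(2), {"id": int(m.group(1))})
        elif cur is not None and (m := STATE.search(line)):
            cur["state"] = m.group(1)
        elif cur is not None and (m := AUTHEN.search(line)):
            names = ("request", "timeouts", "failover", "retransmission")
            cur["authen"] = dict(zip(names, map(int, m.groups())))
    return servers

def unhealthy(servers, max_timeout_ratio=0.05):
    """Hosts whose authentication timeout ratio exceeds the threshold (State alone will not show this)."""
    flagged = {}
    for host, s in servers.items():
        a = s.get("authen", {"request": 0})
        if a["request"] and a["timeouts"] / a["request"] > max_timeout_ratio:
            flagged[host] = round(a["timeouts"] / a["request"], 3)
    return flagged
```

With the threshold at 5 %, only 192.168.1.2 is flagged (about 96 % of its authentication requests timed out), which is worth checking against the NPS event log even though the WLC reports the server as UP.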

Cisco - Demystifying RADIUS Server Configurations.

Just found the greatest Cisco document regarding RADIUS - Demystifying RADIUS Server Configurations - MUST READ.

Cisco IOS as PPTP server (VPDN) and Windows RADIUS server for remote user authentication. [TESTED]

Router’s config

• Well, the ‘aaa new-model’ command is required to go further, and if the router uses local authentication for CLI login, we have to make sure that we will still be able to log in after our changes. To do so:

username LOCALUSER privilege 15 secret SOMEPASSWORD
aaa new-model
aaa authorization exec default local

• Then we can go further. Configure RADIUS server group:

aaa group server radius VPDN_Auth
 server-private 10.0.0.240 key SECRET
 ip radius source-interface Loopback0
 exit

• The following statements (BOTH) are important. Without the authorization portion you will get “Error 742”.

aaa authentication ppp default group VPDN_Auth
aaa authorization network default group VPDN_Auth if-authenticated

Windows 2008 as RADIUS server

I set up a Windows 2008 R2 Server with NPS (Network Policy Server) (nps.msc) as a RADIUS server for VPDN auth. It’s a really simple thing.
• Download 7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso
• Read this post to setup roles, AD forest, etc.
• Then read this post about how to configure NPS.

About the UDP ports: according to the documentation, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both Internet Protocol version 6 (IPv6) and IPv4 on all installed network adapters by default.

ACS 5.X as RADIUS server for VPDN authentication

Basically, it’s easy to configure ACS 5.X for VPDN:

• Network Resources > Network Device and AAA Clients > Create > Important fields: IP, RADIUS Shared Secret > Submit.
• Users and Identity Stores > Internal Identity Stores > Users > Create > Name, Password > Submit.
• Access Policies > Access Service > Default Network Access > Allowed Protocols tab > Allow MS-CHAPv2 > Submit.

I tried to use ACS 5.3 as a RADIUS server for VPDN, but no luck. I got “Error 742: The remote computer does not support the required data encryption type.” all the time. I tried to find a solution and did some research. So, the problem is with MPPE:

Router#debug ppp mppe events
MPPE Events debugging is on
Router#
*Dec 31 08:59:46.066: Vi3 MPPE: RADIUS keying material missing
Router#

IP Tunneling > PPTP Frequently Asked Questions > Q. What does “Error 742” mean?:

Q. What does “Error 742” mean?

A. This error means that the remote computer does not support the required data encryption type. For example, if you set the PC for “encrypted only” and delete the pptp encrypt mppe auto command from the router, then the PC and the router cannot agree on encryption. The debug ppp negotiation command shows this output.

04:41:09: Vi1 LCP: O PROTREJ [Open] id 5 len 16 protocol CCP (0x80FD0102000A1206010000B0)

Another example involves the router MPPE RADIUS problem. If you set the router for ppp encrypt mppe auto required and the PC for “encryption allowed with authentication to a RADIUS server not returning the MPPE key,” then you get an error on the PC that states, “Error 742: The remote computer does not support the required data encryption type.” The router debug shows a “Call-Clear-Request” (bytes 9 and 10 = 0x000C = 12 = Call-Clear-Request per RFC) as seen here.

00:45:58: Tnl 17 PPTP: CC I 001000011A2B3C4D000C000000000000
00:45:58: Vi1 Tnl/Cl 17/17 PPTP: CC I ClearRQ

I compared successful and failed ‘debug radius’ outputs and made sure that the MS-MPPE-Send-Key (16) and MS-MPPE-Recv-Key (17) attributes are absent from the access-accept message from ACS.
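The attributes at the heart of both this post and the APC post above are plain RADIUS TLVs, so their presence can be checked mechanically. The following Python is an added example (not from the posts, Cisco or APC) that encodes and decodes them: the APC VSA (vendor 318, sub-attribute 1) and IETF Service-Type from the ACS/APC post, and the Microsoft MPPE key VSAs whose absence the ‘debug radius’ comparison showed. Vendor 311 with sub-attributes 16/17 comes from RFC 2548; the sample Access-Accept attribute sections are constructed and carry no real keying material.

```python
import struct

# Attribute ids: IETF Vendor-Specific (26) and Service-Type (6, value Administrative = 6),
# APC VSA (vendor 318, sub-attribute 1), Microsoft MPPE keys (vendor 311, sub-attributes 16/17).
VENDOR_SPECIFIC, SERVICE_TYPE, ADMINISTRATIVE = 26, 6, 6
APC_VENDOR, APC_SERVICE_TYPE = 318, 1
MS_VENDOR, MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 311, 16, 17

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def vsa(vendor, vtype, value):
    """Encode a Vendor-Specific attribute carrying one vendor sub-attribute (section 5.26)."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor, vtype, 2 + len(value)) + value)

def parse_attrs(data):
    """Decode an attribute section into (type, vendor, vendor_type, value); vendor is None for IETF."""
    out = []
    while data:
        atype, alen = data[0], data[1]
        value, data = data[2:alen], data[alen:]
        if atype == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            out.append((atype, vendor, vtype, value[6:4 + vlen]))
        else:
            out.append((atype, None, None, value))
    return out

def apc_role(attrs):
    """Role per the APC post: APC-Service-Type 1 or Service-Type Administrative gives Administrator,
    otherwise Read-Only. Letting the APC VSA win when both are present is an assumption of this example."""
    for _, vendor, vtype, value in attrs:
        if vendor == APC_VENDOR and vtype == APC_SERVICE_TYPE:
            code = struct.unpack("!I", value)[0]
            return "Administrator" if code == 1 else f"APC-Service-Type {code}"
    for atype, _, _, value in attrs:
        if atype == SERVICE_TYPE and struct.unpack("!I", value)[0] == ADMINISTRATIVE:
            return "Administrator"
    return "Read-Only"

def has_mppe_keys(attrs):
    """True only if both MS-MPPE-Send-Key and MS-MPPE-Recv-Key are present (what MPPE needs)."""
    present = {vtype for _, vendor, vtype, _ in attrs if vendor == MS_VENDOR}
    return {MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY} <= present

# Constructed Access-Accept attribute sections (dummy zero bytes stand in for salt + key).
PROPER_WAY = vsa(APC_VENDOR, APC_SERVICE_TYPE, struct.pack("!I", 1))
SIMPLEST_WAY = attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE))
NO_ROLE = attr(SERVICE_TYPE, struct.pack("!I", 2))  # Service-Type Framed only, as an ACS accept might carry
WITH_MPPE = NO_ROLE + vsa(MS_VENDOR, MS_MPPE_SEND_KEY, bytes(18)) + vsa(MS_VENDOR, MS_MPPE_RECV_KEY, bytes(18))
```

Running has_mppe_keys over the attribute section of a captured Access-Accept is the same check the ‘debug radius’ comparison did by eye: an accept without both keys cannot satisfy ppp encrypt mppe required.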

BUT according to this official document:

In ACS 5.1, you cannot configure these attributes. These are added to the profile as required.

I also found a few ACS bugs related to MPPE functionality. For example:

CSCty11627 - ACS5 sends MS-CHAP-MPPE-Keys attribute in all access-accept packets
CSCtx90637 - ACS MSCHAPV2 is not hashing the mschap success correctly

Some useful links:

Configuring CiscoSecure ACS for Windows Router PPTP Authentication
Cisco Secure ACS for Windows Router PPTP Authentication

Well, I just stopped. I don’t want to waste my time on this tiny little buggy thing…

Barracuda Spam Firewall.

Brief Overview and model comparison (PDF).
Barracuda Spam Firewall - Overview > Barracuda Spam Firewall Quick Start Guide in English (PDF).
Barracuda Spam Firewall Panel Indicators, Ports, and Connectors.

To find a particular topic, it is easier to download the whole documentation at once (Download entire product) and then search the PDF with Ctrl+F for what you need.

Securing the Barracuda Spam Firewall - this section describes the option of authenticating users via a RADIUS server.

When logging in over HTTPS, the serial number, firmware version and model are shown at the bottom of the page:

Serial #BAR-SF-123456 EAFE
Firmware v5.0.0.020 (2011-03-03 17:09:04)
Model: 400

And here is some interesting info on how to get root on these devices.
