Cisco ACS 5.X - How to configure it for APC UPS (NMC/NMC2) RADIUS Authentication.

If you’d like to use a RADIUS server for APC NMC/NMC2 authentication, you should know there are four user types available:
• Administrator
• Device
• Read-Only
• Network-Only

By default (without specific configuration on the RADIUS server side) you get Read-Only rights. There are two ways to configure Cisco ACS 5.X to grant the Administrator privilege:

Proper way

• Add APC VSA attributes to the dictionary:
– “System Administration” > “Configuration” > “Dictionaries” > “Protocols” > “RADIUS” > “RADIUS VSA” > “Create” > “Name: APC”, “Vendor ID: 318” > Submit.
– “System Administration” > “Configuration” > “Dictionaries” > “Protocols” > “RADIUS” > “RADIUS VSA” > “APC” > “Create” > “Attribute: APC-Service-Type”, “Vendor Attribute ID: 1”, “Attribute Type: Unsigned Integer 32” > “Submit”.
• Create an “Authorization Profile”: “Policy Elements” > “Authorization and Permissions” > “Network Access” > “Authorization Profiles” > “Create” > “Name: APC_Admin” > go to “RADIUS Attributes” tab, add “APC-Service-Type” as “Static” with value 1 (to get Administrator user privilege) > “Submit”.
• Use the created “Authorization Profile” in “Access Policies”…

Simplest way

Instead of adding a new VSA attribute, you can use the RADIUS IETF attribute named “Service-Type” (ID: 6) and configure it to return the “Administrative” value (ID: 6). It works the same way as the previous one. Checked.
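To see what either option puts on the wire, here is an added example (not from the original post, not ACS or APC code) that builds the two Access-Accept attributes described above according to RFC 2865 and decodes them back into the privilege an NMC would derive. The attribute numbers, the APC vendor ID 318, vendor attribute 1 and the Administrator value 1 come from the post; the default of Read-Only when neither attribute is present is also the post’s statement. Values for the Device and Network-Only types are not on the page and are deliberately not mapped. Useful for checking a packet capture between ACS and the NMC against the expected encoding.

```python
"""Added example: encode and decode the RADIUS attributes that grant APC Administrator.

RFC 2865 layout: every attribute is Type(1) Length(1) Value.  Vendor-Specific (type 26)
carries a 4-byte Vendor-Id followed by vendor-type(1) vendor-length(1) data.
"""
import struct

ATTR_SERVICE_TYPE = 6            # IETF Service-Type (from the post: ID 6)
ATTR_VENDOR_SPECIFIC = 26        # IETF Vendor-Specific
SERVICE_TYPE_ADMINISTRATIVE = 6  # "Administrative" (from the post: ID 6)
APC_VENDOR_ID = 318              # from the post
APC_SERVICE_TYPE = 1             # vendor attribute ID from the post
APC_ADMINISTRATOR = 1            # value from the post; other APC values are not on the page


def encode_service_type(value):
    """IETF Service-Type attribute: type 6, length 6, 32-bit value."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)


def encode_apc_service_type(value):
    """APC VSA: type 26, Vendor-Id 318, then vendor-type 1 / vendor-length 6 / uint32."""
    vendor_data = struct.pack("!BBI", APC_SERVICE_TYPE, 6, value)
    length = 2 + 4 + len(vendor_data)
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, length, APC_VENDOR_ID) + vendor_data


def parse_attributes(payload):
    """Split a RADIUS attribute blob into (type, value) pairs.
    Bad lengths raise instead of looping forever on a malformed packet."""
    attrs = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def apc_privilege(payload):
    """Privilege an NMC derives from Access-Accept attributes: Administrator if the
    APC VSA says so or Service-Type is Administrative, otherwise the default Read-Only."""
    for atype, value in parse_attributes(payload):
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            if struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE:
                return "Administrator"
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if (vendor_id == APC_VENDOR_ID and vtype == APC_SERVICE_TYPE
                    and vlen == 6 and len(value) >= 10):
                if struct.unpack("!I", value[6:10])[0] == APC_ADMINISTRATOR:
                    return "Administrator"
    return "Read-Only"


if __name__ == "__main__":
    # The two encodings the post's "proper" and "simplest" ways produce.
    print("APC VSA        :", encode_apc_service_type(APC_ADMINISTRATOR).hex())
    print("Service-Type   :", encode_service_type(SERVICE_TYPE_ADMINISTRATIVE).hex())
    print("decoded (VSA)  :", apc_privilege(encode_apc_service_type(APC_ADMINISTRATOR)))
    print("decoded (empty):", apc_privilege(b""))
```

The hex strings are what to look for in the Access-Accept when verifying the ACS configuration with a capture: 1a 0c 00 00 01 3e 01 06 00 00 00 01 for the VSA, 06 06 00 00 00 06 for Service-Type.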

Useful links

How to configure RADIUS server to authenticate APC Network Enabled device? (Official KB FA156083 article)
How to configure FreeRADIUS for APC UPS Authentication (Official KB FA232648 article)

How to test SMTP server using TELNET. [TESTED]

Just for copy/paste. I use it to test SMTP from the Cisco CLI.

telnet 192.168.1.1 25 /source-interface fa0/0

HELO client.example.com
MAIL FROM:<test@example.com>
RCPT TO:<alexey@example.com>
DATA
Subject: Test Message

This is just a test message
.
QUIT
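The same dialogue, driven from a script instead of typed into telnet, as an added example that is not part of the original post: each step is checked against the reply code RFC 5321 specifies (220 greeting, 250, 354 after DATA, 221 after QUIT), so a misbehaving relay fails on a named step rather than scrolling past. A tiny stub SMTP server is included so the script can be run offline; the host name and addresses are constructed placeholders.

```python
"""Added example: scripted SMTP reachability test with reply-code checking."""
import socket
import threading

# (command, expected reply code) per RFC 5321; None means "read the greeting only".
DIALOGUE = [
    (None, 220),
    ("HELO client.example.com", 250),
    ("MAIL FROM:<test@example.com>", 250),
    ("RCPT TO:<alexey@example.com>", 250),
    ("DATA", 354),
    ("Subject: Test Message\r\n\r\nThis is just a test message\r\n.", 250),
    ("QUIT", 221),
]


def read_reply(f):
    """Read one (possibly multi-line) reply: '250-...' continues, '250 ...' ends it."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) >= 4 and line[3] == " ":
            return int(line[:3]), lines


def smtp_test(host, port, timeout=10.0):
    """Run DIALOGUE; return [(command, code)], raising on the first unexpected code."""
    results = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="ascii", newline="")
        for cmd, expected in DIALOGUE:
            if cmd is not None:
                f.write(cmd + "\r\n")
                f.flush()
            code, lines = read_reply(f)
            results.append((cmd, code))
            if code != expected:
                raise RuntimeError("step %r: expected %d, got %d %s" % (cmd, expected, code, lines))
    return results


# --- constructed stub server, only so the example runs without a real relay ---
def _stub_handle(conn):
    f = conn.makefile("rw", encoding="ascii", newline="")
    f.write("220 stub.example.com ESMTP ready\r\n")
    f.flush()
    in_data = False
    while True:
        line = f.readline()
        if not line:
            break
        line = line.rstrip("\r\n")
        if in_data:
            if line != ".":
                continue                      # swallow message body lines
            in_data = False
            f.write("250 OK: queued\r\n")
        elif line.upper().startswith(("HELO", "MAIL FROM:", "RCPT TO:")):
            f.write("250 OK\r\n")
        elif line.upper() == "DATA":
            in_data = True
            f.write("354 End data with <CR><LF>.<CR><LF>\r\n")
        elif line.upper() == "QUIT":
            f.write("221 Bye\r\n")
            f.flush()
            break
        else:
            f.write("500 Unknown command\r\n")
        f.flush()
    conn.close()


def start_stub_server():
    """Listen on an ephemeral localhost port for one connection; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        _stub_handle(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_stub_server()           # replace with a real relay's host/port in use
    for cmd, code in smtp_test("127.0.0.1", port):
        print("%-40s -> %d" % ((cmd or "<greeting>").splitlines()[0], code))
```

Against a real relay, call smtp_test with the relay's address and port 25 and drop the stub; the exchange is identical to the telnet transcript above, only with the response of each step verified.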

Windows 8 - AnyConnect error - Failed to initialize connection subsystem. [SOLVED]

We had a problem with the AnyConnect client v3.1.05187 on Windows 8. We got the error message “Failed to initialize connection subsystem”. We solved it using the following procedure:

• Install all Windows updates on Windows 8.
• Reboot the PC.
• Update AnyConnect client to the latest version using anyconnect-win-3.1.07021-pre-deploy-k9.msi file.
• Reboot the PC - this is important.

Enjoy!

Cisco IP SLA - How to generate SYSLOG messages for IP SLA status changes.

Just real quick. Suppose you want to collect basic statistics about internet connectivity disruptions: you would configure an IP SLA operation towards the carrier’s router (your default gateway) and enable logging to the buffer. By default, IOS does not generate SYSLOG messages for IP SLA status changes; you have to configure a track object. Here is an example.

ip sla 1
 icmp-jitter 192.168.1.2 source-ip 192.168.1.1 num-packets 3 interval 2000
  threshold 2000
  timeout 3000
  frequency 10
  exit
ip sla schedule 1 life forever start-time now

track 1 ip sla 1

logging buffered

BTW, I chose the icmp-jitter type because it is more flexible than icmp-echo. You will get the following result:

Apr  8 07:05:41.363: %TRACKING-5-STATE: 1 ip sla 2 state Up->Down
Apr  8 07:06:41.363: %TRACKING-5-STATE: 1 ip sla 2 state Down->Up
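Since the point of the setup is to collect disruption statistics, here is an added example (not from the original post) that turns %TRACKING-5-STATE lines like the two above into outage counts and downtime. The sample log is constructed in the post’s message format, with an unrelated syslog line mixed in to show it is ignored; IOS timestamps carry no year, so the year is passed in as an assumption, and sub-second digits are dropped.

```python
"""Added example: outage statistics from %TRACKING-5-STATE syslog lines."""
import re
from datetime import datetime, timedelta

# Format from the post: "Apr  8 07:05:41.363: %TRACKING-5-STATE: 1 ip sla 1 state Up->Down"
TRACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%TRACKING-5-STATE: (?P<track>\d+) ip sla (?P<sla>\d+) state "
    r"(?P<old>Up|Down)->(?P<new>Up|Down)$"
)

# Constructed sample in the post's format (not a real capture).
SAMPLE_LOG = """\
Apr  8 07:05:41.363: %TRACKING-5-STATE: 1 ip sla 1 state Up->Down
Apr  8 07:06:41.363: %TRACKING-5-STATE: 1 ip sla 1 state Down->Up
Apr  8 09:12:03.101: %SYS-5-CONFIG_I: Configured from console by vty0
Apr  8 11:30:00.000: %TRACKING-5-STATE: 1 ip sla 1 state Up->Down
Apr  8 11:30:20.500: %TRACKING-5-STATE: 1 ip sla 1 state Down->Up
"""


def parse_track_events(text, year):
    """Return [(timestamp, track, old_state, new_state)] for every tracking message.
    'year' is an assumption: IOS timestamps do not include it."""
    events = []
    for line in text.splitlines():
        m = TRACK_RE.match(line.strip())
        if not m:
            continue  # other syslog lines are ignored
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append((ts, int(m.group("track")), m.group("old"), m.group("new")))
    return events


def outage_stats(text, year, track=1):
    """Pair each Up->Down with the following Down->Up for one track object.
    'open' is True when the log ends while the track is still Down (that outage is
    counted but contributes no duration)."""
    down_since = None
    durations = []
    for ts, trk, old, new in parse_track_events(text, year):
        if trk != track:
            continue
        if new == "Down":
            down_since = ts
        elif new == "Up" and down_since is not None:
            durations.append(ts - down_since)
            down_since = None
    return {
        "outages": len(durations) + (1 if down_since is not None else 0),
        "total_down": sum(durations, timedelta()),
        "longest": max(durations, default=timedelta()),
        "open": down_since is not None,
    }


if __name__ == "__main__":
    stats = outage_stats(SAMPLE_LOG, 2015)   # year is an assumption
    print("outages: %d, total down: %s, longest: %s, still down: %s"
          % (stats["outages"], stats["total_down"], stats["longest"], stats["open"]))
```

Feed it the output of show logging (or the syslog server’s file for the router) and the same function works on the real buffer; a month boundary inside one log is handled because both month and day are parsed.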

Show command for verification:

Router#show track
Track 1
  IP SLA 1 state
  State is Up
    5 changes, last change 01:26:00
  Latest operation return code: OK
  Latest RTT (millisecs) 52
Router#

We can go further and configure EEM to send us an email when the status changes:

conf t

event manager applet Mail_Track_SLA_1
 event track 1 state any
 action 1.0 mail server "192.168.1.1" to "alexey@example.com" from "Router@example.com" subject "IP SLA1 status" body "IP SLA1 status has changed"

Show command for verification:

Router#show track
Track 1
  IP SLA 1 state
  State is Up
    5 changes, last change 01:38:24
  Latest operation return code: OK
  Latest RTT (millisecs) 48
  Tracked by:
    EEM applet Mail_Track_SLA_1
Router#

EEM applet for collecting traceroute after IP SLA down

Here is a simple example of how to use an EEM applet to collect a traceroute after the IP SLA state goes DOWN.

event manager applet APPLET_NAME
 event track 13 state down maxrun 90
 action 001 syslog msg "--- Event detected ---"
 action 002 cli command "enable"
 action 003 puts "--- Executing: ping 8.8.8.8 ---"
 action 004 cli command "ping 8.8.8.8"
 action 005 puts "$_cli_result"
 action 006 puts "--- Executing: traceroute 8.8.8.8 ---"
 action 007 cli command "traceroute 8.8.8.8 numeric timeout 1 probe 2 ttl 1 25"
 action 008 puts "$_cli_result"
 action 009 puts "--- Action finished ---"

Notes:
• “enable” mode is required if you want to use the advanced traceroute parameters.
• You will see all the output on the monitor (terminal monitor) and in the logging buffer. Syslog messages will NOT be generated. If you need to send all the output as syslog messages, read the linked thread (replace “action … puts "$_cli_result"” with “action … syslog msg "$_cli_result"”).
• “maxrun 90” is required: the runtime has to be raised from the default 20 seconds because the traceroute command sometimes takes much longer to complete. Otherwise you will not get the result, and debugs will say the following:

... EEM policy APPLET_NAME has exceeded it's elapsed time limit of 20.0 seconds

There’s an issue with Cisco IOS: it uses UDP for traceroute, so in most cases you will not see all hops. The best way is to use ICMP, which Cisco IOS does not support. You can use Linux or Windows to create a script, OR, if you have a Cisco ASA in your network, modify the EEM applet to connect to the ASA and run traceroute with use-icmp. BTW, ASA version 9.2.1 and later does support EEM (proof link).

• We have to use nested quotes, and EEM 3.20 does not support them, so we use a workaround: an EEM environment variable that holds the quote character.
• During the tests, I figured out that it works only for a remote connection to Cisco IOS; Cisco ASA does not work that way. You can find more here.

event manager environment quote "

event manager applet APPLET_NAME
 event track 13 state down maxrun 90
 action 001 puts "--- Event detected ---"
 action 002 cli command "ssh -l USERNAME 10.1.1.1 $quote traceroute 8.8.8.8 numeric use-icmp $quote" pattern "word:"
 action 003 cli command "PASSWORD"
 action 004 puts "$_cli_result"

How to monitor Cisco Catalyst Stack.

1 - The easiest and dumbest way - a routed interface on each member

If you have a simple NMS that uses ICMP to get node status, you have to add each stack member as an individual node, and each node must have its own IP address. To get that done, you must configure a routed interface on each member. Some notes:
• It’s impossible on L2 switches like the Catalyst 2960-S.
• It’s impossible to bring an unconnected interface UP (it is possible on a Cisco router), so you need to connect it to something OR create a loopback plug for an RJ-45 Ethernet interface: cross pin 1 (TX+) with pin 3 (RX+), and cross pin 2 (TX-) with pin 6 (RX-). Moreover, you must disable the “keepalive” feature on those interfaces to avoid the following behavior:

*Mar  1 01:05:41.591: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet1/0/1.
*Mar  1 01:05:41.591: %PM-4-ERR_DISABLE: loopback error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state

2 - Using SNMP Polling

2.1 Monitor StackSub Interfaces

You can monitor the status of the StackSub interfaces, which shows you the status of the nodes, but only indirectly (anyway, it’s better than nothing).

2.2 Monitor member status - the best way

We can use CISCO-STACKWISE-MIB::cswSwitchState:

Values:
1 : waiting
2 : progressing
3 : added
4 : ready
5 : sdmMismatch
6 : verMismatch
7 : featureMismatch
8 : newMasterInit
9 : provisioned
10 : invalid
11 : removed

snmpwalk -c 'COMMUNITY' -v 2c -On 192.168.1.1 1.3.6.1.4.1.9.9.500.1.2.1.1.6
.1.3.6.1.4.1.9.9.500.1.2.1.1.6.1001 = INTEGER: 4
.1.3.6.1.4.1.9.9.500.1.2.1.1.6.2001 = INTEGER: 11
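If you do not have an NMS poller handy, the same check can be scripted. This added example (not from the original post) parses snmpwalk -On output for cswSwitchState as shown above into per-member states using the value table from this post and flags any member that is not “ready”. Deriving the member number as the table index divided by 1000 (1001 → switch 1, 2001 → switch 2) is an assumption about the index layout, not something the post states; the third row in the sample is constructed to show a version mismatch.

```python
"""Added example: parse cswSwitchState snmpwalk output and flag unhealthy stack members."""
import re

CSW_SWITCH_STATE_OID = "1.3.6.1.4.1.9.9.500.1.2.1.1.6"   # from the post

# Value table from the post (CISCO-STACKWISE-MIB::cswSwitchState).
SWITCH_STATE = {
    1: "waiting", 2: "progressing", 3: "added", 4: "ready",
    5: "sdmMismatch", 6: "verMismatch", 7: "featureMismatch",
    8: "newMasterInit", 9: "provisioned", 10: "invalid", 11: "removed",
}

# Constructed sample in the format "snmpwalk -On" prints (the post shows the first two rows).
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.500.1.2.1.1.6.1001 = INTEGER: 4
.1.3.6.1.4.1.9.9.500.1.2.1.1.6.2001 = INTEGER: 11
.1.3.6.1.4.1.9.9.500.1.2.1.1.6.3001 = INTEGER: 6
"""

LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\.(?P<index>\d+) = INTEGER: (?P<value>\d+)$")


def parse_switch_states(walk_output):
    """Return {member_number: (raw_value, state_name)} for cswSwitchState rows only.
    Rows from other OIDs are skipped; enum values outside the table are labelled unknown."""
    states = {}
    for line in walk_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("oid") != CSW_SWITCH_STATE_OID:
            continue
        index, value = int(m.group("index")), int(m.group("value"))
        member = index // 1000   # assumption: 1001 -> switch 1, 2001 -> switch 2
        states[member] = (value, SWITCH_STATE.get(value, "unknown(%d)" % value))
    return states


def unhealthy_members(states):
    """Members in any state other than 'ready' (4): a removed member that never came back
    and a version mismatch after an upgrade both show up here."""
    return {member: name for member, (value, name) in states.items() if value != 4}


if __name__ == "__main__":
    # In use: replace SAMPLE_WALK with the output of
    # snmpwalk -c 'COMMUNITY' -v 2c -On <switch> 1.3.6.1.4.1.9.9.500.1.2.1.1.6
    states = parse_switch_states(SAMPLE_WALK)
    for member, (value, name) in sorted(states.items()):
        print("switch %d: %s (%d)" % (member, name, value))
    bad = unhealthy_members(states)
    print("ALERT: %s" % bad if bad else "stack healthy")
```

Pipe the real snmpwalk output into parse_switch_states and alert on a non-empty unhealthy_members result; a member that disappears from the table entirely (no row at all) is worth a separate check, since a missing row is not a state value.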

• Start > “Universal Device Poller” > “New Universal Device Poller”
• OID: 1.3.6.1.4.1.9.9.500.1.2.1.1.6
• Click on “Browse MIB Tree”. It might take some time, up to 10 seconds…
• Choose any Cisco Catalyst Stack and press “Test”. Normally, you will get a table. If you get it, hit “Select”.
• Name: cswSwitchState (to keep it short)
• Hit “Show Advanced Options” > Format: Enumeration > Map Values > create a table (as listed above) to map the raw values to the corresponding state.
• Keep Historical Data: No.
• Group: Change to “Cisco”, then press “Next”.
• Mark any Cisco Catalyst Stack and hit “Test” to see the result. You will get something like: 4, 4, 4, 4. Click “Next”.
• Choose “Use labels from a table column” > pick any Cisco Catalyst Stack and hit “Test”.
• Choose the first column - “cswSwitchNumCurrent” > “Next”.
• Select “Table” for “Node Details - Summary” > “Finish”.

3 - Using SNMP Trap messages

Additional configuration on the NMS and switch side is required…

4 - Using SYSLOG messages

Not all NMS systems are able to use this method…
