Thursday, 8 March 2012

Default 802.1X Configuration

Enabling 802.1X Authentication
Step 1 configure terminal Enter global configuration mode.
Step 2 aaa new-model Enable AAA.

Step 3 aaa authentication dot1x {default} method1 [method2...] Create an 802.1X authentication method list.
To create a default list that is used when a named list is not specified in
the authentication command, use the default keyword followed by the
methods that are to be used in default situations. The default method list
is automatically applied to all interfaces.
Enter at least one of these keywords:
• group radius—Use the list of all RADIUS servers for authentication.
• none—Use no authentication. The client is automatically
authenticated without the switch using the information supplied by
the client.

Step 4 interface interface-id Enter interface configuration mode, and specify the interface to be
enabled for 802.1X authentication.

Step 5 dot1x port-control auto Enable 802.1X authentication on the interface.
For feature interaction information with trunk, dynamic, dynamic-access,
EtherChannel, secure, and SPAN ports see the “802.1X Configuration
Guidelines” section on page 8-7.

Step 6 end Return to privileged EXEC mode.

Step 7 show dot1x Verify your entries.
Check the Status column in the 802.1X Port Summary section of the
display. An enabled status means the port-control value is set either to
auto or to force-unauthorized.

Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
Example:
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# interface fastethernet0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end


Configuring the Switch-to-RADIUS-Server Communication

Step 1 configure terminal Enter global configuration mode.
Step 2 radius-server host {hostname |
ip-address} auth-port port-number key
string
Configure the RADIUS server parameters on the switch.
For hostname | ip-address, specify the host name or IP address of the
remote RADIUS server.
For auth-port port-number, specify the UDP destination port for
authentication requests. The default is 1812.
For key string, specify the authentication and encryption key used
between the switch and the RADIUS daemon running on the RADIUS
server. The key is a text string that must match the encryption key used on
the RADIUS server.
Note Always configure the key as the last item in the radius-server
host command syntax because leading spaces are ignored, but
spaces within and at the end of the key are used. If you use spaces
in the key, do not enclose the key in quotation marks unless the
quotation marks are part of the key. This key must match the
encryption used on the RADIUS daemon.
If you want to use multiple RADIUS servers, re-enter this command.
Step 3 end Return to privileged EXEC mode.
Step 4 show running-config Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.


To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global
configuration command.
This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to
use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the
RADIUS server:
Switch(config)# radius-server host 172.20.39.46 auth-port 1612 key rad123
You can globally configure the timeout, retransmission, and encryption key values for all RADIUS
servers by using the radius-server host global configuration command. If you want to configure these
options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the
radius-server key global configuration commands.
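The key string configured above is what makes the switch-to-server exchange trustworthy: RFC 2865 derives both the User-Password mask and the Response Authenticator from it. This added Python example (not from the page or from Cisco) models one Access-Request/Access-Accept round trip to show why the switch's key must match the server's byte for byte; rad123, the password Secret1 and the fixed Request Authenticator TEST_AUTH are constructed test values.

```python
import hashlib
import hmac
import os
import struct

# Constructed fixed Request Authenticator so the checks below are repeatable.
TEST_AUTH = bytes(range(16))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block of the
    null-padded password is XORed with MD5(secret + previous cipher block);
    the first block chains from the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does it with its own secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def simulate_exchange(switch_secret: bytes, server_secret: bytes, password: bytes,
                      request_auth=None):
    """One Access-Request / Access-Accept round trip between a switch and a RADIUS
    server that may hold different secrets. Returns (password as the server
    decoded it, whether the switch accepts the server's reply)."""
    request_auth = request_auth or os.urandom(16)   # fresh per request on a real switch
    hidden = hide_password(password, switch_secret, request_auth)
    seen_by_server = reveal_password(hidden, server_secret, request_auth)
    # Server answers with Access-Accept (code 2, id 1, no attributes) signed by its secret
    reply_auth = response_authenticator(2, 1, b"", request_auth, server_secret)
    # Switch recomputes the authenticator with its own secret and compares in constant time
    expected = response_authenticator(2, 1, b"", request_auth, switch_secret)
    return seen_by_server, hmac.compare_digest(reply_auth, expected)

if __name__ == "__main__":
    print("matching keys:", simulate_exchange(b"rad123", b"rad123", b"Secret1", TEST_AUTH))
    print("trailing space:", simulate_exchange(b"rad123", b"rad123 ", b"Secret1", TEST_AUTH))
```

A trailing space in the key, the case the Note above warns about, is enough for the server to decode a wrong password and for the switch to reject the reply; since this MD5 mask is the only protection the user password gets on the wire, the shared key should be long and random and the switch-to-server path kept on a management network.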

Enabling Periodic Re-Authentication
Step 1 configure terminal Enter global configuration mode.
Step 2 dot1x re-authentication Enable periodic re-authentication of the client, which is disabled by
default.
Step 3 dot1x timeout re-authperiod seconds Set the number of seconds between re-authentication attempts.
The range is 1 to 4294967295; the default is 3600 seconds.
This command affects the behavior of the switch only if periodic
re-authentication is enabled.
Step 4 end Return to privileged EXEC mode.
Step 5 show dot1x Verify your entries.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.


Switch(config)# dot1x re-authentication
Switch(config)# dot1x timeout re-authperiod 4000


Manually Re-Authenticating a Client Connected to a Port
You can manually re-authenticate the client connected to a specific port at any time by entering the
dot1x re-authenticate interface interface-id privileged EXEC command. If you want to enable or
disable periodic re-authentication
Switch# dot1x re-authenticate interface fastethernet0/1
Starting reauthentication on FastEthernet0/1

Dynamic Multipoint VPN (DMVPN)

Configuring an IPsec Profile
The IPsec profile shares most of the same commands with the crypto map configuration, but only a
subset of the commands are valid in an IPsec profile. Only commands that pertain to an IPsec policy can
be issued under an IPsec profile; you cannot specify the IPsec peer address or the access control list
(ACL) to match the packets that are to be encrypted.
Prerequisites
Before configuring an IPsec profile, you must define a transform set by using the crypto ipsec
transform-set command.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec profile name
4. set transform-set transform-set-name
5. set identity
6. set security association lifetime {seconds seconds | kilobytes kilobytes}
7. set pfs [group1 | group2]


Step 1 enable
Example:
Router> enable
Enables higher privilege levels, such as privileged EXEC
mode.
Enter your password if prompted.

Step 2 configure terminal
Example:
Router# configure terminal
Enters global configuration mode.

Step 3 crypto ipsec profile name
Example:
Router(config)# crypto ipsec profile vpnprof
Defines the IPsec parameters that are to be used for IPsec
encryption between “spoke and hub” and “spoke and spoke”
routers.
This command enters crypto map configuration mode.
• The name argument specifies the name of the IPsec
profile.

Step 4 set transform-set transform-set-name
Example:
Router(config-crypto-map)# set transform-set trans2

Specifies which transform sets can be used with the IPsec
profile.
• The transform-set-name argument specifies the name
of the transform set.

Step 5 set identity
Example:
Router(config-crypto-map)# set identity
(Optional) Specifies identity restrictions to be used with the
IPsec profile.

Step 6 set security association lifetime {seconds seconds | kilobytes kilobytes}
Example:
Router(config-crypto-map)# set security association lifetime seconds 1800

(Optional) Overrides the global lifetime value for the IPsec
profile.
• The seconds seconds option specifies the number of
seconds a security association will live before expiring;
the kilobytes kilobytes option specifies the volume of
traffic (in kilobytes) that can pass between IPsec peers
using a given security association before that security
association expires.
• The default for the seconds argument is 3600 seconds.

Step 7 set pfs [group1 | group2]
Example:
Router(config-crypto-map)# set pfs group2
(Optional) Specifies that IPsec should ask for perfect
forward secrecy (PFS) when requesting new security
associations for this IPsec profile. If this command is not
specified, the default (group1) will be enabled.
• The group1 keyword specifies that IPsec should use the
768-bit Diffie-Hellman (DH) prime modulus group
when performing the new DH exchange; the group2
keyword specifies the 1024-bit DH prime modulus
group.

Configuring the Hub for DMVPN
To configure the hub router for mGRE and IPsec integration (that is, associate the tunnel with the IPsec
profile configured in the previous procedure), use the following commands:
SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ip address ip-address mask [secondary]
5. ip mtu bytes
6. ip nhrp authentication string
7. ip nhrp map multicast dynamic
8. ip nhrp network-id number
9. tunnel source {ip-address | type number}
10. tunnel key key-number
11. tunnel mode gre multipoint
12. tunnel protection ipsec profile name
13. bandwidth kbps
14. ip tcp adjust-mss max-segment-size
15. ip nhrp holdtime seconds
16. delay number

Step 1 enable
Example:
Router> enable
Enables higher privilege levels, such as privileged EXEC
mode.
Enter your password if prompted.

Step 2 configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
Dynamic Multipoint VPN (DMVPN)
How to Configure Dynamic Multipoint VPN (DMVPN)
14
Cisco IOS Security Configuration Guide

Step 3 interface tunnel number

Example:
Router(config)# interface tunnel 5
Configures a tunnel interface and enters interface
configuration mode
• The number argument specifies the number of the
tunnel interface that you want to create or configure.
There is no limit on the number of tunnel interfaces you
can create.

Step 4 ip address ip-address mask [secondary]

Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0

Sets a primary or secondary IP address for the tunnel
interface.
Note All hubs and spokes that are in the same DMVPN
network must be addressed in the same IP subnet.

Step 5 ip mtu bytes
Example:
Router(config-if)# ip mtu 1400
Sets the maximum transmission unit (MTU) size, in bytes,
of IP packets sent on an interface.

Step 6 ip nhrp authentication string
Example:
Router(config-if)# ip nhrp authentication donttell

Configures the authentication string for an interface using
NHRP.
Note The NHRP authentication string must be set to the
same value on all hubs and spokes that are in the
same DMVPN network.

Step 7 ip nhrp map multicast dynamic
Example:
Router(config-if)# ip nhrp map multicast dynamic
Allows NHRP to automatically add spoke routers to the
multicast NHRP mappings.

Step 8 ip nhrp network-id number
Example:
Router(config-if)# ip nhrp network-id 99
Enables NHRP on an interface.
• The number argument specifies a globally unique
32-bit network identifier from a nonbroadcast
multiaccess (NBMA) network. The range is from 1 to
4294967295.

Step 9 tunnel source {ip-address | type number}

Example:
Router(config-if)# tunnel source Ethernet0
Sets the source address for a tunnel interface.

Step 10 tunnel key key-number
Example:
Router(config-if)# tunnel key 100000
(Optional) Enables an ID key for a tunnel interface.
• The key-number argument specifies a number from 0 to
4,294,967,295 that identifies the tunnel key.
Note The key number must be set to the same value on all
hubs and spokes that are in the same DMVPN
network.
Note This command should not be configured if you are
using a Cisco 6500 or Cisco 7600 platform.

Step 11 tunnel mode gre multipoint
Example:
Router(config-if)# tunnel mode gre multipoint
Sets the encapsulation mode to mGRE for the tunnel
interface.

Step 12 tunnel protection ipsec profile name
Example:
Router(config-if)# tunnel protection ipsec profile vpnprof

Associates a tunnel interface with an IPsec profile.
• The name argument specifies the name of the IPsec
profile; this value must match the name specified in the
crypto ipsec profile name command.

Step 13 bandwidth kbps
Example:
Router(config-if)# bandwidth 1000
Sets the current bandwidth value for an interface to
higher-level protocols.
• The kbps argument specifies the bandwidth in kilobits
per second. The default value is 9. The recommended
bandwidth value is 1000 or greater.
Setting the bandwidth value to at least 1000 is critical if
EIGRP is used over the tunnel interface. Higher bandwidth
values may be necessary depending on the number of
spokes supported by a hub.

Step 14 ip tcp adjust-mss max-segment-size
Example:
Router(config-if)# ip tcp adjust-mss 1360
Adjusts the maximum segment size (MSS) value of TCP
packets going through a router.
• The max-segment-size argument specifies the
maximum segment size, in bytes. The range is from 500
to 1460.
The recommended value is 1360 when the number of IP
MTU bytes is set to 1400. With these recommended
settings, TCP sessions quickly scale back to 1400-byte IP
packets so the packets will “fit” in the tunnel.

Step 15 ip nhrp holdtime seconds
Example:
Router(config-if)# ip nhrp holdtime 450
Changes the number of seconds that NHRP NBMA
addresses are advertised as valid in authoritative NHRP
responses.
• The seconds argument specifies the time in seconds that
NBMA addresses are advertised as valid in positive
authoritative NHRP responses. The recommended
value ranges from 300 seconds to 600 seconds.

Step 16 delay number
Example:
Router(config-if)# delay 1000
(Optional) Used to change the EIGRP routing metric for
routes learned over the tunnel interface.
• The number argument specifies the delay time in


Configuring the Spoke for DMVPN
SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ip address ip-address mask [secondary]
5. ip mtu bytes
6. ip nhrp authentication string
7. ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
8. ip nhrp map multicast hub-physical-ip-address
9. ip nhrp nhs hub-tunnel-ip-address
10. ip nhrp network-id number
11. tunnel source {ip-address | type number}
12. tunnel key key-number
13. tunnel mode gre multipoint
or
tunnel destination hub-physical-ip-address
14. tunnel protection ipsec profile name
15. bandwidth kbps
16. ip tcp adjust-mss max-segment-size
17. ip nhrp holdtime seconds
18. delay number

Step 1 enable
Example:
Router> enable
Enables higher privilege levels, such as privileged EXEC
mode.
Enter your password if prompted.

Step 2 configure terminal
Example:
Router# configure terminal
Enters global configuration mode.

Step 3 interface tunnel number
Example:
Router(config)# interface tunnel 5
Configures a tunnel interface and enters interface
configuration mode.
• The number argument specifies the number of the
tunnel interface that you want to create or configure.
There is no limit on the number of tunnel interfaces you
can create.

Step 4 ip address ip-address mask [secondary]
Example:
Router(config-if)# ip address 10.0.0.2 255.255.255.0

Sets a primary or secondary IP address for the tunnel
interface.
Note All hubs and spokes that are in the same DMVPN
network must be addressed in the same IP subnet.

Step 5 ip mtu bytes
Example:
Router(config-if)# ip mtu 1400
Sets the MTU size, in bytes, of IP packets sent on an
interface.

Step 6 ip nhrp authentication string
Example:
Router(config-if)# ip nhrp authentication donttell

Configures the authentication string for an interface using
NHRP.
Note The NHRP authentication string must be set to the same
value on all hubs and spokes that are in the same
DMVPN network.

Step 7 ip nhrp map hub-tunnel-ip-address
hub-physical-ip-address

Example:
Router(config-if)# ip nhrp map 10.0.0.1 172.17.0.1

Statically configures the IP-to-NBMA address mapping of
IP destinations connected to an NBMA network.
• hub-tunnel-ip-address—Defines the NHRP server at
the hub, which is permanently mapped to the static
public IP address of the hub.
• hub-physical-ip-address—Defines the static public IP
address of the hub.

Step 8 ip nhrp map multicast hub-physical-ip-address
Example:
Router(config-if)# ip nhrp map multicast 172.17.0.1

Enables the use of a dynamic routing protocol between the
spoke and hub, and sends multicast packets to the hub
router.

Step 9 ip nhrp nhs hub-tunnel-ip-address
Example:
Router(config-if)# ip nhrp nhs 10.0.0.1
Configures the hub router as the NHRP next-hop server.

Step 10 ip nhrp network-id number
Example:
Router(config-if)# ip nhrp network-id 99
Enables NHRP on an interface.
• The number argument specifies a globally unique
32-bit network identifier from a NBMA network. The
range is from 1 to 4294967295.

Step 11 tunnel source {ip-address | type number}
Example:
Router(config-if)# tunnel source Ethernet0
Sets the source address for a tunnel interface.

Step 12 tunnel key key-number
Example:
Router(config-if)# tunnel key 100000
(Optional) Enables an ID key for a tunnel interface.
• The key-number argument specifies a number from 0 to
4,294,967,295 that identifies the tunnel key.
• The key number must be set to the same value on all
hubs and spokes that are in the same DMVPN network.
Note This command should not be configured if you are
using a Cisco 6500 or Cisco 7600 platform.

Step 13 tunnel mode gre multipoint
or
tunnel destination hub-physical-ip-address

Example:
Router(config-if)# tunnel mode gre multipoint
or
Router(config-if)# tunnel destination 172.17.0.1

tunnel mode gre multipoint sets the encapsulation mode to mGRE for the tunnel
interface. Use this command if data traffic can use dynamic
spoke-to-spoke traffic.
tunnel destination specifies the destination for a tunnel interface.
Use this command if data traffic can use hub-and-spoke
tunnels.

Step 14 tunnel protection ipsec profile name
Example:
Router(config-if)# tunnel protection ipsec profile vpnprof

Associates a tunnel interface with an IPsec profile.
• The name argument specifies the name of the IPsec
profile; this value must match the name specified in the
crypto ipsec profile name command.

Step 15 bandwidth kbps
Example:
Router(config-if)# bandwidth 1000
Sets the current bandwidth value for an interface to
higher-level protocols.
• The kbps argument specifies the bandwidth in kilobits
per second. The default value is 9. The recommended
bandwidth value is 1000 or greater.
The bandwidth setting for the spoke does not need to equal
the bandwidth setting for the DMVPN hub. It is usually
easier if all of the spokes use the same or similar value.

Step 16 ip tcp adjust-mss max-segment-size
Example:
Router(config-if)# ip tcp adjust-mss 1360
Adjusts the maximum segment size (MSS) value of TCP
packets going through a router.
• The max-segment-size argument specifies the
maximum segment size, in bytes. The range is from 500
to 1460.
The recommended number value is 1360 when the number
of IP MTU bytes is set to 1400. With these recommended
settings, TCP sessions quickly scale back to 1400-byte IP
packets so the packets will “fit” in the tunnel.
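The hub and spoke procedures above repeat several "must match" notes: same IP subnet, same NHRP authentication string, same network-id, same tunnel key, a profile name matching the crypto ipsec profile, and an MSS of 1360 for an IP MTU of 1400. This added Python example, not from the page or from Cisco, parses a hub and a spoke tunnel stanza built from the page's sample values (10.0.0.1, 10.0.0.2, 172.17.0.1, donttell, 99, 100000, vpnprof) and reports which of those invariants a pair violates; a real check would feed it the stanzas from show running-config.

```python
import ipaddress

# Constructed hub and spoke tunnel stanzas built from the page's own sample values
# (hub tunnel 10.0.0.1, spoke 10.0.0.2, hub public address 172.17.0.1, profile vpnprof).
HUB = """
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication donttell
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
 ip tcp adjust-mss 1360
"""
SPOKE = """
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication donttell
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 99
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
 ip tcp adjust-mss 1360
"""
# Longest prefixes first so "ip nhrp map multicast" is not matched as "ip nhrp map".
KEYS = ["tunnel protection ipsec profile", "ip nhrp map multicast", "ip nhrp authentication",
        "ip nhrp network-id", "ip tcp adjust-mss", "ip nhrp map", "ip nhrp nhs",
        "ip address", "ip mtu", "tunnel key"]

def parse_tunnel(cfg: str) -> dict:
    """Map each known tunnel-interface command to its argument string."""
    out = {}
    for line in cfg.strip().splitlines():
        line = line.strip()
        for key in KEYS:
            if line.startswith(key + " "):
                out[key] = line[len(key) + 1:]
                break
    return out

def check_dmvpn(hub_cfg: str, spoke_cfg: str) -> list:
    """Return the page's hub/spoke invariants this pair violates (empty list = consistent)."""
    hub, spoke = parse_tunnel(hub_cfg), parse_tunnel(spoke_cfg)
    issues = []
    hub_ip = hub["ip address"].split()[0]
    nets = [ipaddress.ip_interface("/".join(c["ip address"].split())).network for c in (hub, spoke)]
    if nets[0] != nets[1]:
        issues.append("tunnel addresses are not in the same IP subnet")
    # Values the page says must be identical on every hub and spoke in one DMVPN network
    for key in ("ip nhrp authentication", "ip nhrp network-id", "tunnel key",
                "tunnel protection ipsec profile"):
        if hub.get(key) != spoke.get(key):
            issues.append(f"{key} differs between hub and spoke")
    if spoke.get("ip nhrp nhs") != hub_ip:
        issues.append("spoke NHS is not the hub tunnel address")
    map_tun, map_phys = spoke.get("ip nhrp map", "? ?").split()
    if map_tun != hub_ip or spoke.get("ip nhrp map multicast") != map_phys:
        issues.append("spoke NHRP static map and multicast map do not both point at the hub")
    for name, cfg in (("hub", hub), ("spoke", spoke)):
        mtu = int(cfg.get("ip mtu", 1500))
        if int(cfg.get("ip tcp adjust-mss", 0)) != mtu - 40:  # 20-byte IP + 20-byte TCP header
            issues.append(f"{name}: ip tcp adjust-mss should be {mtu - 40} for ip mtu {mtu}")
    return issues
```

Running check_dmvpn(HUB, SPOKE) on the stanzas as given returns an empty list; a typo in the spoke's authentication string or network-id shows up as a named finding rather than as a tunnel that silently never comes up.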

Sunday, 4 March 2012

Configuring Dynamic Access Lists (Lock-and-Key Security)

A host on R1's VLAN network needs to access a web server on R2's VLAN network on a remote box. Again, this is as basic as it is going to get.
First configure the access-list on R2 for the Dynamic ACL
  • access-list 101 permit tcp any any eq 23 (we need to allow telnet through so we can authenticate. Now we can get away without this line here since we have permit ip any any at the bottom of the ACL. This will all depend on how you have to build out the ACL if you need this or not.)
  • access-list 101 dynamic HTTP permit tcp any any eq 80 (we could specify a specific host that is allowed access here or a subnet but we want to allow anyone that can authenticate for this example.)
  • access-list 101 deny tcp any any eq 80 (Here we are blocking access to anyone that doesn’t authenticate for web traffic.)
  • access-list 101 permit ip any any (Here we are allowing the rest of the incoming traffic in.)

We need to configure login access now. Usually I would authenticate everyone against my active directory, but we will just use local login for this.
  • username r1 password cisco
Need to apply the access-list on the incoming interface.
  • int s0/0
  • ip access-group 101 in
Now we just need to configure the telnet lines
  • line vty 0 4
  • login local
  • autocommand access-enable
Just need to telnet to r2 and authenticate and then we will have access to the web server on the remote end.
This is what our access-list should look like once we have authenticated:
10 permit tcp any any eq telnet (183 matches)
20 Dynamic HTTP permit tcp any any eq www
permit tcp any any eq www (72 matches)
30 deny tcp any any eq www (9 matches)
40 permit ip any any

Notice the entry under line 20. This shows that the dynamic ACL is active.
If you want to clear the access-list you need to use this command:
clear access-template [access-list-number | name] [dynamic-name] [source] [destination]
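To make the behaviour of the dynamic entry concrete, this added Python example (not from the post) models ACL 101 the way IOS evaluates it: the dynamic line is a template that matches nothing until access-enable creates a temporary entry from it, the first matching entry decides, and an unmatched packet hits the implicit deny. The host addresses in walkthrough are constructed, and host_keyword models the optional host argument of access-enable, which the post's configuration does not use.

```python
# Constructed copy of the four ACL lines from the R2 configuration above.
ACL_101 = [
    "access-list 101 permit tcp any any eq 23",
    "access-list 101 dynamic HTTP permit tcp any any eq 80",
    "access-list 101 deny tcp any any eq 80",
    "access-list 101 permit ip any any",
]

class LockAndKeyACL:
    """Model of an IOS extended ACL containing dynamic (lock-and-key) entries.
    A dynamic line is only a template: it matches nothing until access-enable has
    created a temporary entry from it, and clear access-template removes that entry."""

    def __init__(self, lines):
        self.entries = []   # (dynamic_name, action, proto, src, dst, port) in ACL order
        self.temp = {}      # dynamic_name -> list of temporary entry source patterns
        for line in lines:
            t = line.split()[2:]            # drop "access-list 101"
            name = None
            if t[0] == "dynamic":
                name, t = t[1], t[2:]
                self.temp[name] = []
            port = int(t[5]) if len(t) > 5 and t[4] == "eq" else None
            self.entries.append((name, t[0], t[1], t[2], t[3], port))

    def access_enable(self, auth_host, name, host_keyword=False):
        """Run by 'autocommand access-enable' after a successful vty login. Without the
        host keyword the temporary entry keeps the template's source (here 'any', so
        everyone gets in once one user logs in); with it, only the authenticating host."""
        template_src = next(e[3] for e in self.entries if e[0] == name)
        self.temp[name].append(auth_host if host_keyword else template_src)

    def clear_template(self, name):
        """clear access-template 101 <dynamic-name>: drop the temporary entries."""
        self.temp[name].clear()

    @staticmethod
    def _match(pattern, value):
        return pattern == "any" or pattern == value

    def permits(self, src, dst, proto, dport=None):
        """First matching entry decides, as on IOS; no match means the implicit deny."""
        for name, action, aproto, asrc, adst, port in self.entries:
            if aproto != "ip" and aproto != proto:
                continue
            if port is not None and port != dport:
                continue
            if not self._match(adst, dst):
                continue
            if name is None:
                if self._match(asrc, src):
                    return action == "permit"
            elif any(self._match(s, src) for s in self.temp[name]):
                return action == "permit"
        return False

def walkthrough(client="192.168.1.10", other="192.168.1.99", server="192.168.2.80"):
    """Replay the post's scenario with constructed addresses; returns each decision."""
    acl = LockAndKeyACL(ACL_101)
    out = {"web before login": acl.permits(client, server, "tcp", 80),
           "telnet to R2": acl.permits(client, server, "tcp", 23)}
    acl.access_enable(client, "HTTP")            # autocommand access-enable after login
    out["web after login"] = acl.permits(client, server, "tcp", 80)
    out["other host after login"] = acl.permits(other, server, "tcp", 80)
    acl.clear_template("HTTP")                   # clear access-template 101 HTTP
    out["web after clear"] = acl.permits(client, server, "tcp", 80)
    return out
```

Because the post's dynamic line is written as any any and access-enable is used without host, one successful login opens port 80 for every source; adding the host keyword (access-enable host) limits the temporary entry to the host that authenticated, which walkthrough does not do but the model supports.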