Posts Tagged ‘eap’

I’ve always said that, when it comes to Cisco, my brains go boom, temperature increases and I end up having 30 Firefox tab trying to search on cisco.com what on earth some kinky cisco-ish feature does and _how_ precisely.

After the latest IPsec adventure with Cisco’s Customer Support (CCIE Security) which advised me to run commands that were not even available on my IOS (yes, I had previously given them my config and IOS version), I said that whenever I have Cisco-related issues I go straight to my team lead, the guy being able to fix no matter issue I encountered on Cisco – at least on the IPsec side…

Now, I’ve had the honor of having to move an EoU/WebAuth config from a 3750 to a 6500. While I was feeling pretty good about myself being able to configure and understand the way to configure EoU and WebAuth on Cisco (EoU is NAC L2, I am using L2 interfaces in a L2 vlan in mode access and use the “ip admission” command on the L2 interface, while WebAuth gets configured as a fallback to 802.1x using the “dot1x fallback dot1x-www” on the L2 interface), I have now realized that I am FAR FAR AWAY from the truth. I’ve woken up on this twisted 6500, where I have the possibily of configuring:

1. 802.1x – fair enough, I am not using 802.1x here anyways

2. NAC Layer 2 IP / LAN Port IP – which can be configured this way (as per Cisco’s KB)

Router# configure terminal
Router(config)# ip admission name nac eapoudp
Router(config)# access-list 5 permit any any
Router(config)# interface gigabitethernet 2/0/1
Router(config-if)# ip access-group 5 in
Router(config-if)# ip admission nac
Router(config-if)# exit
Router(config)# aaa new-model
Router(config)# aaa authentication eou default group radius
Router(config)# radius-server host admin key rad123
Router(config)# radius-server vsa send authentication
Router(config)# ip device tracking probe count 2
Router(config)# eou logging
Router(config)# end

3. LAN Port IP – which, ignoring their own definition from some KBs, now appears as a “Web-Based Authentication” and gets configured…nowhere says _how_

4. NAC Layer 3 IP / NAC Gateway IP – which should be enabled on L3 interfaces

Router(config)# ip admission name webauth1 proxy http

Router(config)# interface fastethernet 5/1

Router(config-if)# ip admission webauth1

Router(config-if)# authentication order webauth

Router(config-if)# exit

Router(config)# ip device tracking

Router(config)# ip admission proxy http login page file disk1:login.htm

Router(config)# ip admission proxy http success page file disk1:success.htm

Router(config)# ip admission proxy http fail page file disk1:fail.htm

Router(config)# ip admission proxy http login expired page file disk1:expired.htm

5. NAC Gateway IP – which is configured as auth-proxy, this way:

Router(config)# ip auth-proxy name webauth http inactivity-time 60

Router(config)#interface GigabitEthernet3/15

Router(config-if)# description WEBAUTH

Router(config-if)# switchport

Router(config-if)# switchport access vlan 502

Router(config-if)# switchport mode access

Router(config-if)# ip access-group www in

Router(config-if)# spanning-tree portfast edge

Router(config-if)# ip auth-proxy webauth

Router(config)# ip access-list extended www

Router(config)# permit tcp any any eq www

Router(config)# deny   ip any any

The “aaa authentication login default radius” is on. The “ip http server” is on. The “aaa authorization auth-proxy default group radius ” is on also.

Now, I am no EoU, WebAuth, and by far no Cisco guru, but, what gives? Why so many auth methods? And, specially, why the method I use to configure one way on a 3750 (WebAuth using the “auth-proxy” set of commands) is configured some other way on 6500 (WebAuth using the “ip admission <name> proxy http” set of commands) – while keeping the “auth-proxy” set of commands – which here do something else. Why is it so hard to be consistent all over your own set of devices?

I have done 802.1x on Summit (netlogin called in there), WebAuth on Summit and WebAuth on HP switches. None of them seemed so damn confusing 😦 I am lost.

Advertisements

Stoke is quite a cool company when it comes to VPN gateways, and I mention here the SSX-3000, the only device I had the pleasure of working with. I could see on their website that new investments are made in LTE technologies, which should make this company even more attractive for me.

Well, this post is going to be about a specific thinggie of the SSX-3000 and StokeOS, that funky colored box, namely how they work with digital certificates. The scenario I am using them on is a classic Remote-Access scenario, for IKEv2. The StokeOS gateway is getting authenticated by the roadwarrior via digital certificate, while the roadwarrior authenticates via EAP.

First of all, we need digital certificates for the StokeOS. Following the User Guide got me nowhere, so we had to be inventive 😀

A. The official version

1. Create a CSR on the Stoke:

Stoke[local]#certificate request new name newcsr.pem days 100 keylength 1024

2. Copy – paste the content of the CSR (or copy the file onto an ftp/tftp server), then generate a certificate using a CA (I had a Windows 2003 Server) => results a signed certificate – I used to download them in base64 format

3. Copy – paste the CA’s certificate and the Stoke’s certificate we’ve just signed onto Stoke and run the command:

Stoke[local]#certificate device-certificate new ca-certfile cacert.pem format pemcertfile signed-ssx-ca.pem format pem name mypkcs12

— This command should “link” the CA, the signed certificate and the Stoke’s private RSA key to a PKCS12 file that this device uses for authentication. This is how Stoke authenticates 🙂

*** PROBLEM: when generating the CSR, the private key doesn’t get saved anywhere. I have looked everywhere:  ” -r” : /hd/…, /cfint, /cfext… – so, the latest mightiest command is not working.

B.  The working version

1. Do not create the CSR on the DUT 😛

2. Generate a “Server Certificate” from IE and download it to a tftp/ftp server – it will be in pfx format

3. Export the private key to a separate key file – I have used openssl

4. Upload the CA’s certificate, signed certificate and the private key file on SSX and run the command (assuming I have put these files on /hd/Certs directory):

Stoke[local]#certificate device-certificate new name SSX format pem ca-certfile /hd/Certs/cacert.pem format pem signed-certificate /hd/Certs/signed-ssx-ca.pem format pem private-key /hd/Certs/signed-ssx-ca-key.pem

and now it works 🙂

as you can see from

Stoke[local]#sh certificate device-certificate all

Certificate Name

————————

SSX

Further on, create a context – I have called it test and a name for the radius session – I have called it ikev2, instruct the Stoke to do session authentication on radius, create a management interface on the same subnet as the radius machine, configure a radius server (where the Stoke should connect for session authentication) and, of course, the IKEv2 policies that make it work and the Configuration Payload (as we like to call the famous “mode-configuration” in IKEv2). The config should look like this:

stoke

(more…)