Showing posts with label linux. Show all posts

Thursday, October 23, 2014

Cisco and FreeRADIUS configuration

 Installation description

    In our case, FreeRADIUS is used to authenticate remote access to network equipment. I decided to use an existing user database (Active Directory).

    FreeRADIUS package installation:
    apt-get install freeradius
    apt-get install freeradius-utils
    apt-get install freeradius-ldap


    Configure the radiusd.conf file

    Modify the file radiusd.conf (/etc/freeradius/radiusd.conf) to specify the listen ports:
    -          Authentication (2050)
    -          Accounting (2051)

    listen {
            type = auth
            ipaddr = *
            port = 2050
    }
    listen {
            ipaddr = *
            port = 2051
            type = acct
    }

    In the log { } section of the same file, enable logging of authentication requests:
            auth = yes

    Uncomment the following lines in the same section to get more detail in the log messages (%n expands to the NAS IP address):
            msg_goodpass = "Host %n"
            msg_badpass = "Host %n"

    Configure the Users file

    Modify the file users (/etc/freeradius/users).

    This file lists the users who are authorized to log on to the 'clients' (in our case, the network equipment).
    - We can use a local database:
    Username        Cleartext-Password := "Password"
                    Service-Type = NAS-Prompt-User,
                    Cisco-AVPair = "shell:priv-lvl=15"

    - Or an external database. In this example, only members of the Active Directory group 'Group_Network_Admin' are authorized to log in; everyone else is rejected:
    DEFAULT         LDAP-Group == "Group_Network_Admin"
                    Service-Type = Administrative-User,
                    Cisco-AVPair = "shell:priv-lvl=15"
    DEFAULT         LDAP-Group != "Group_Network_Admin", Auth-Type := Reject
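As an added example (not from the original post), the following Python models how the users module walks these two DEFAULT entries on first match: a user whose LDAP groups include Group_Network_Admin gets the reply attributes, anyone else hits the Auth-Type := Reject entry. The group list is passed in directly as a stand-in for the lookup rlm_ldap performs, and the parser only covers the item syntax used in this post; both are assumptions of the example.

```python
import re

# The post's two DEFAULT entries, embedded here as the constructed input.
USERS_FILE = """\
DEFAULT         LDAP-Group == "Group_Network_Admin"
                Service-Type = Administrative-User,
                Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT    LDAP-Group != "Group_Network_Admin", Auth-Type := Reject
"""

# attribute, operator, value (surrounding quotes dropped); enough for the item syntax above
ITEM = re.compile(r'^(\S+)\s*(==|!=|:=|=)\s*"?([^"]*)"?$')

def parse_users(text):
    """Split a users file into (name, check_items, reply_items): checks on the first line, replies indented."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                           # new entry: NAME check, check, ...
            name, _, checks = line.partition(" ")
            items = [ITEM.match(c.strip()).groups() for c in checks.split(",") if c.strip()]
            entries.append((name, items, []))
        else:                                               # reply item of the current entry
            entries[-1][2].append(ITEM.match(line.strip().rstrip(",")).groups())
    return entries

def authorize(entries, username, ldap_groups):
    """First-match walk as the users module does it (no Fall-Through). Returns ("reject", {}) when the
    matching entry sets Auth-Type := Reject, ("accept", replies) otherwise; only LDAP-Group checks are modelled."""
    for name, checks, replies in entries:
        if name not in ("DEFAULT", username):
            continue
        control, matched = {}, True
        for attr, op, val in checks:
            if attr == "LDAP-Group":                        # stands in for the group lookup rlm_ldap does
                is_member = val in ldap_groups
                matched &= is_member if op == "==" else not is_member
            elif op == ":=":                                # control item, e.g. Auth-Type := Reject
                control[attr] = val
        if matched:
            if control.get("Auth-Type") == "Reject":
                return "reject", {}
            return "accept", {attr: val for attr, _, val in replies}
    return "no-match", {}                                   # no entry applied; the module adds nothing

if __name__ == "__main__":
    policy = parse_users(USERS_FILE)
    print(authorize(policy, "alice", ["Group_Network_Admin", "Domain Users"]))   # accept, priv-lvl 15
    print(authorize(policy, "bob", ["Domain Users"]))                            # reject
```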


    Enable authentication via LDAP:

    Modify the default site file (/etc/freeradius/sites-enabled/default) by uncommenting the following lines, in the authorize and authenticate sections respectively:
    ldap
            Auth-Type LDAP {
                    ldap
            }

    Create clients of the radius server

    Modify the file users (/etc/freeradius/users). Clients are the hosts that forward authentication requests to the RADIUS server (e.g. a Cisco switch).
    In the example below, I have added a complete subnet: all hosts in this subnet are authorized to send requests.
    The shared secret is also defined in this file:

    client 10.110.22.0/24 {
            secret          = SharedKey
            nastype         = cisco
            shortname       = SWITCH-Branch-London
    }


    Configure request to Active Directory

    Modify the file ldap (/etc/freeradius/modules/ldap). An example configuration is shown below:
    ldap {
            server = 'ldap://mydomain.com'
            # service account used to bind to Active Directory for the lookups
            identity = "Username@mydomain.com"
            password = "Password"
            basedn = "DC=mydomain,DC=com"
            filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

            groupname_attribute = cn
            groupmembership_attribute = "memberOf"

            # Uncomment the following two lines:
            chase_referrals = yes
            rebind = yes
    }

    Tuesday, November 26, 2013

    Key-Based SSH Authentication on a Linux Host using PuTTY

    To be more secure, I decided to use key-based authentication instead of a password. I use PuTTY to connect to my Linux server and followed these steps to configure it:
    • Generate a public and private key pair with PuTTYgen (click on Generate):
    The key is generated by moving the mouse randomly.
    • Save the public and private key.
    • The next step is to add the public key on the server:
    mkdir ~/.ssh
    chmod 700 ~/.ssh
    • Paste the public key into the following file:
    vim ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/authorized_keys
    • Configure the PuTTY session:
      • Create a new session and save it.
      • Select Data and set 'Auto-login username' (the account on the server whose authorized_keys holds the key).
      • Configure the path to the private key.

    After this, when you open the session you are logged in to the Linux host directly, without a password prompt.
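As an added example (not from the original post), the Python below performs the server-side steps programmatically and handles a common pitfall: the file written by PuTTYgen's 'Save public key' button is in RFC 4716 format (---- BEGIN SSH2 PUBLIC KEY ----), which authorized_keys does not accept; what must be pasted is the one-line text from PuTTYgen's 'Public key for pasting into OpenSSH authorized_keys file' box. The sample key is constructed for the demonstration and is not usable.

```python
import base64
import struct
import tempfile
from pathlib import Path

def rfc4716_to_openssh(text):
    """Convert a PuTTYgen-saved RFC 4716 public key to the one-line OpenSSH form authorized_keys expects."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("---- BEGIN SSH2") and lines[-1].startswith("---- END SSH2")):
        raise ValueError("not an RFC 4716 public key")
    comment, body = "", []
    for ln in lines[1:-1]:
        if not body and ":" in ln:                      # header line, e.g. Comment: "rsa-key-..."
            name, _, value = ln.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(ln)                             # base64 of the key blob, wrapped by PuTTYgen
    blob = base64.b64decode("".join(body), validate=True)
    (n,) = struct.unpack(">I", blob[:4])               # the blob starts with the key type string
    key_type = blob[4:4 + n].decode("ascii")
    return " ".join(filter(None, [key_type, base64.b64encode(blob).decode("ascii"), comment]))

def install_pubkey(home_dir, key_line):
    """Server side of the post: ~/.ssh mode 700, authorized_keys mode 600, key appended once."""
    ssh_dir = Path(home_dir) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    ssh_dir.chmod(0o700)                                # mkdir's mode is subject to umask
    auth = ssh_dir / "authorized_keys"
    keys = auth.read_text().splitlines() if auth.exists() else []
    if key_line not in keys:                            # idempotent: never duplicate a key
        keys.append(key_line)
    auth.write_text("".join(k + "\n" for k in keys))
    auth.chmod(0o600)                                   # StrictModes rejects files writable by others
    return len(keys)

def demo_install(key_line):
    """Install the same key twice into a scratch home; returns (key count, dir mode, file mode)."""
    with tempfile.TemporaryDirectory() as home:
        install_pubkey(home, key_line)
        count = install_pubkey(home, key_line)
        ssh_dir = Path(home) / ".ssh"
        return count, ssh_dir.stat().st_mode & 0o777, (ssh_dir / "authorized_keys").stat().st_mode & 0o777

# Constructed sample, not a usable key: an ssh-rsa blob with dummy e and n, wrapped as PuTTYgen saves it.
_BLOB = b"".join(struct.pack(">I", len(s)) + s for s in (b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x42" * 32))
_B64 = base64.b64encode(_BLOB).decode("ascii")
SAMPLE_RFC4716 = ("---- BEGIN SSH2 PUBLIC KEY ----\nComment: \"rsa-key-20131126\"\n"
                  + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
                  + "\n---- END SSH2 PUBLIC KEY ----\n")
```

Key-based login only replaces passwords once sshd is also configured with PasswordAuthentication no; until then the account's password remains accepted alongside the key.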



    Tuesday, November 19, 2013

    Change the phpMyAdmin well-known URL

    By default, the phpMyAdmin web interface is reached through the well-known URL mywebsite.com/phpmyadmin.
    If you want to change this default URL, use the following procedure:
    • Open the apache.conf file, located in /etc/phpmyadmin on many Linux distributions.
    By default, this file looks like this:
    # phpMyAdmin default Apache configuration
    Alias /phpmyadmin /usr/share/phpmyadmin
    • Edit apache.conf and change the alias:
    # phpMyAdmin default Apache configuration
    Alias /urlsecret /usr/share/phpmyadmin
    • Restart the Apache service:
    sudo /etc/init.d/apache2 restart

    Tuesday, March 13, 2012

    Good bye ARP, welcome ICMPv6

    Today I was working on an IPv6 lab. I wanted to find the mapping between a MAC address and an IP address, so on the Windows machine I ran the command 'arp -a'. That is a bad reflex. Why? ARP no longer exists in IPv6; its role is now performed by Neighbor Discovery, which runs over ICMPv6. So to find the correlation between MAC and IP address we have to use these commands:
    • On a windows laptop:
    C:\Users\Administrator>netsh interface ipv6 show neighbors 14

    Interface 14: LAB

    Internet Address                              Physical Address   Type
    --------------------------------------------  -----------------  -----------
    fe80::2                                       00-14-1c-c9-d9-a8  Stale (Router)
    fe80::214:1cff:fec9:d9a8                      00-14-1c-c9-d9-a8  Stale (Router)
    ff02::2                                       33-33-00-00-00-02  Permanent
    ff02::5                                       33-33-00-00-00-05  Permanent
    ff02::c                                       33-33-00-00-00-0c  Permanent
    ff02::16                                      33-33-00-00-00-16  Permanent
    ff02::1:2                                     33-33-00-01-00-02  Permanent
    ff02::1:3                                     33-33-00-01-00-03  Permanent
    ff02::1:ff00:2                                33-33-ff-00-00-02  Permanent
    ff02::1:ff00:d                                33-33-ff-00-00-0d  Permanent
    ff02::1:ff00:f                                33-33-ff-00-00-0f  Permanent
    ff02::1:ff08:c77                              33-33-ff-08-0c-77  Permanent
    ff02::1:ffae:564d                             33-33-ff-ae-56-4d  Permanent
    ff02::1:ffc9:d9a8                             33-33-ff-c9-d9-a8  Permanent

      
    • On a Linux laptop (has to be validated):
    ip -f inet6 neigh show

    • On a Cisco router:
    R2#show ipv6 neighbors
    IPv6 Address                              Age Link-layer Addr State Interface
    FE80::4491:69A9:39F3:7344                   5 000c.2928.4c53  STALE Fa0/0
    2001:DB9:1:1:DD52:657C:D340:F2FF           19 000c.2980.fc6c  STALE Fa0/0
    2001:DB9:1:1:B140:2298:3E92:A99B            6 000c.2928.4c53  STALE Fa0/0
    FE80::1                                     4 0016.479a.f630  STALE Fa0/0
    FE80::20C:29FF:FE80:FC6C                   19 000c.2980.fc6c  STALE Fa0/0
    2001:DB9:1:1::1                            22 0016.479a.f630  STALE Fa0/0
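As an added example (not from the original post), the following Python derives the addresses that appear in the tables above from a MAC address: the EUI-64 link-local address, its solicited-node multicast group, and the 33-33 Ethernet address of that group. It accepts the Windows, Linux and Cisco MAC notations seen in the three outputs; the MAC values used are the ones in those tables.

```python
import ipaddress

def mac_to_link_local(mac):
    """Modified EUI-64 link-local address (RFC 4291) for a MAC given in Windows (00-14-1c-...),
    Linux (00:14:1c:...) or Cisco (0014.1cc9....) notation: flip the universal/local bit
    of the first octet and insert ff:fe between the two halves."""
    octets = bytearray.fromhex("".join(c for c in mac if c in "0123456789abcdefABCDEF"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    octets[0] ^= 0x02
    eui64 = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64))

def solicited_node(addr):
    """Solicited-node multicast group ff02::1:ffXX:XXXX from the low 24 bits of an address (RFC 4291).
    Neighbor Solicitation, the ARP-request equivalent, is sent to this group, so every host joins it."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))

def multicast_mac(addr):
    """Ethernet destination MAC of an IPv6 multicast group: 33-33 plus the group's low 32 bits (RFC 2464).
    This is where the 33-33-... 'Permanent' rows of the netsh output come from."""
    low32 = ipaddress.IPv6Address(addr).packed[-4:]
    return "-".join(f"{b:02x}" for b in b"\x33\x33" + low32)

def neighbor_derivation(mac):
    """Return the (link-local address, solicited-node group, group MAC) a host derives from its MAC."""
    link_local = mac_to_link_local(mac)
    group = solicited_node(link_local)
    return link_local, group, multicast_mac(group)

if __name__ == "__main__":
    # Router MAC from the netsh table above; expect fe80::214:1cff:fec9:d9a8,
    # ff02::1:ffc9:d9a8 and 33-33-ff-c9-d9-a8, all of which appear in that table.
    print(neighbor_derivation("00-14-1c-c9-d9-a8"))
    print(multicast_mac("ff02::2"))   # 33-33-00-00-00-02, the all-routers row
```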