Cisco and Freeradius configuration

 Installation description

In our case, the Freeradius aims to authenticate a remote access on network equipment. I have decided to use an existing database (Active directory).

FreeRadius paquets installations:

apt-get install freeradius

apt-get install freeradius-utils

apt-get install freeradius-ldap

Configure the radiusd.conf file

Modify the file radiusd.conf (/etc/freeradius/radiusd.conf) in order to specify the listen ports:

-          Authentification (2050)

-          Accounting (2051)

 listen {

        type = auth

        ipaddr = *       

       port = 2050

}

listen {

        ipaddr = *

        port = 2051

        type = acct

}

       auth = yes

 Uncomment the following lines in order to have more details in logs messages:

        msg_goodpass = "Host %n"

        msg_badpass = "Host %n"

Configure the Users file

Modify the file users (/etc/freeradius/users) .

This file includes users which are authorized to take control on 'client' (network equipment for us).

- We can use a local database:

Username Cleartext-Password := "Password"

       Service-Type = NAS-Prompt-User,

       Cisco-AVPair = "shell:priv-lvl=15"

- Or an external database. In this example, only members of groups 'Group_Network_Admin' (Active Directory) are authorized to access:

DEFAULT         LDAP-Group == "Group_Network_Admin"

                Service-Type = Administrative-User,

                Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT    LDAP-Group != "Group_Network_Admin", Auth-Type := Reject

Enable authentication via LDAP:

Modify the file ldap (/etc/freeradius/sites-enabled/ default) by uncommenting the following lines :

ldap

        Auth-Type LDAP {

                ldap

        }

Create clients of the radius server

Modify the file users (/etc/freeradius/users). Clients are hosts which forward request of authentication to the radius server (ex: Cisco switch).

In the example below, I have added a complete subnet. All hosts in this subnet are authorized to send request.

We also defined the share key in this file:

client 10.110.22.0/24 {

        secret          = SharedKey

        nastype         = cisco

        shortname       = SWITCH-Branch-London

}

Configure request to Active Directory

Modify the file ldap (/etc/freeradius/modules/ldap). You will find below an example of configuration :

ldap {

        server = 'ldap://mydomain.com'

        identity = "Username@mydomain.com"

        password = "Password"

        basedn = "DC=mydomain,DC=com"

        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

  

       groupname_attribute = cn

       groupmembership_attribute = "memberOf"

Uncomment the following lines:

       chase_referrals = yes

        rebind = yes

Command Line Tricks for HP Procurve Switchs

Below some helpful commands.

• Display logs or debug on current session:
• terminal monitor (Cisco)
• debug destination session (HP Procurve)
• By default HP Procurve switch don't display packets drops by queue. You can enable the monitoring only on 1 interface with the command below:
• qos watch-queue xx out (where XX is the interface you want to monitor)
• Obtain 'show tech':
• copy command-output "show tech all" sftp user ftpuser 10.10.10.10 show-tech.txt
• Filter a 'show runnning' command:
• Like Cisco, it's possible to use '|' after the 'show running'

Switch# show running-config | include router

ip router-id 1.1.1.1

router ospf

router vrrp

Switch# show running-config | begin router

ip router-id 1.1.3.1

Play with MACSEC on copper interface with 3750X

The Cisco documentation is not clear on the switch-to-switch (via copper) macsec feasibility.
Also, I have decided to test it between two 3750x:

• 3750X-24TS (without service module)
• 3750X-48TS (without service module)

I have applied the following configuration on each switch:

I have plugged the cable between this 2 switchs and checked that SAP 'succeeded':

Interface is up and configuration looks fine. But I have prefer checked by myself that the traffic is well encrypted. The best way to do this is to use a hub. But this equipment has disappeared from IT services and is very rare!! Also we have designed our own RJ45 TAP:).

I have used this magic TAP and wireshark to sniff the traffic between our both switchs.
Below, you can see the result of a packet when it's encrypted by MACSEC (802.1ae). We can see the Ethertype (88e5) used by this protocol.

To resume, MACSEC is available on Cisco Switch (switch-to-switch) on copper interface without Service Module. This configuration is not available on 3560X. I guess, the service module is mandatory for it.

TCN received from stackport1 on 3750

I was troubleshooting a network issue and during this time, I have done the following command on a 3750 stack:

show spanning-tree vlan 200 detail

Bridge Identifier has priority 20480, sysid 200, address a8b1.d36f.c670

  Configured hello time 2, max age 20, forward delay 15

  Current root has priority 8392, address 0021.e809.0670

  Root port is 568 (Port-channel11), cost of root path is 3

  Topology change flag not set, detected flag not set

  Number of topology changes 27 last change occurred 1w2d ago

          from StackPort1

As you can see, the source of the TCN is the StackPort1 on the switch!!!

But what is the meaning of this StackPort1 and how to determinate the real source of the topology change ?

In fact as my SSH session is open on the master and the TCN come from another switch of the stack, the source for my session is the stack port of the master switch. In order to determine which interface is really the source I have to open a session on each switch in order to find the TCN source.

For example, I have opened a session on the 2nd switch of the stack:

C3750#session 2

C3750-2# show spanning-tree detail | i from|exec|occur

 VLAN0001 is executing the ieee compatible Spanning Tree protocol

  Number of topology changes 26 last change occurred 1w2d ago

          from GigabitEthernet2/0/52

 VLAN0040 is executing the ieee compatible Spanning Tree protocol

  Number of topology changes 26 last change occurred 1w2d ago

          from GigabitEthernet2/0/52

As you can see above, we have found the real source of the TCN.

Install Netflow collector on Cacti

This tuto explains how to install the flowview plugin on Cacti. I have worked with Cacti 0.8.8b installed on an Ubuntu server.

Install and configure flow-capture

In order to capture netflow traffic, I have used flow-capture. In order to install it on Ubuntu, you can use apt:
apt-get install flow-capture

Once flow-capture is installed, you can configure the flow-capture.conf file:
vim /etc/flow-tools/flow-capture.conf

# Example 1:
# Capture flows from router at 10.1.1.10, listening at port 3000.
# Store flows in /var/netflow/flows/myrouter.
-w /var/netflow/flows/myrouter 0/10.1.1.10/3000

Add the file in dedicated folder:
mkdir /var/netflow/flows/myrouter

Configure a Router in order to export netflow

This configuration is different for each constructor. For example, I have configured an netflow export on a Cisco 4500:

flow record R1
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes
!
flow exporter CACTI
 destination 10.10.10.10
 export-protocol netflow-v5 => flow-capture is only v5 capable
!
flow monitor M1
 exporter CACTI
 cache entries 1000
 record R1
!
interface Port-channel1
 ip flow monitor M1 input

Install and configure flowview on Cacti

Download the flowview plugin (http://docs.cacti.net/plugin:flowview) and untar it in:
/usr/share/cacti/site/plugins

Go to the Cacti console
Configuration>Plugin Management
And enable Flowview

Configure the path in order to read the netflow file created by flow-capture:
Go to the Cacti console
Configuration>Settings>Misc
Under Flows directory, specified your folder (for example /var/netflow/flows/)

Not able to execute 'copy running-config startup-config' command

Today, I have encountered the following problem:

MY-SWITCH#copy running-config startup-config
startup-config file open failed (Device or resource busy)

In a first step, I was thinking that the nvram: was corrupted because I was not able to see files in the nvram (dir nvram:). In fact, we were 2 users connected on the switch.


MY-SWITCH#show users
    Line       User       Host(s)              Idle       Location
*  1 vty 0     admin      idle                 00:00:00 10.10.10.10 => My session
   2 vty 1     admin      idle                 00:07:09 10.10.20.10

 Also, I have just ejected my colleague with the following command:

MY-SWITCH#clear line 2

After that, I was able to backup my configuration.

Troubleshoot OSPF neighbors (Hellos check)

In order to become neighbors, routers perform several checks. If this check fails, we have to troubleshoot and find the cause of this issue. You will find below several examples of neighbor failed. I have added logs messages and debug messages in order to easily find the cause.

• Area mismatch:

• Authentication key mismatch:

• Duplicate Router-id:

• Subnet/mask Mismatch:

• Area Type Mismatch: