Thursday, November 24, 2011

Call Restrictions on Cisco IP Phone using FAC

Some phones in your network might be located in an insecure location where external or rogue users could misuse them by making GSM or international calls. You can use the Call Manager's Forced Authorization Code (FAC) feature to lock GSM and international dialling on those particular phones. In the example below we will only implement the restriction for GSM calls from phones; the same method can be used to restrict international calls.

Step 1: First log in to the Call Manager, go to Call Routing > Class of Control > Partition and then click Add New to create a new partition. Enter the name PT_FORCED_GSM (or any sensible name starting with PT so you know it is a Partition).

Step 2: Next we need to create a new Route Pattern with FAC enabled. For this go to Call Routing > Route/Hunt > Route Pattern and click Find to see all the existing Route Patterns on your Call Manager. Since we are planning to restrict GSM calls, find the Route Pattern for GSM numbers; let's say you have a Route Pattern for GSM with the pattern 0[3567]XXXXXXX, which matches GSM numbers starting with 3, 5, 6 or 7 (with the initial 0 for outgoing calls). Click the Copy icon next to this pattern to create a copy. Change the Description to RP_FOR_GSM_FAC (to identify it as a Route Pattern for GSM with FAC). Then tick the Require Forced Authorization Code check box to enable FAC and enter a value for Authorization Level, let's say 0 (it can be a value from 0 to 255, but it should not overlap with any existing Authorization Level). In the Route Partition box select the Partition created before (PT_FORCED_GSM) and click Save.

Step 3: The next step is to create a Calling Search Space (CSS) which includes the new PT_FORCED_GSM. Go to Call Routing > Class of Control > Calling Search Space and click Find to see all existing CSSs. Copy a CSS that comes close to your requirement or click Add New to create a new CSS. Give it a name, let's say CSS_LOCAL_WITH_FAC_FOR_GSM, select PT_FORCED_GSM along with all the other Partitions needed (do not select the partition that allows GSM calls without a FAC, otherwise the restriction is bypassed) and click Save.

Step 4: Now go to Device > Phone and find the phone to which the call restriction should be applied. For the required line, change the Calling Search Space to the newly created CSS, CSS_LOCAL_WITH_FAC_FOR_GSM, and click Save to apply the setting to the phone. Do the same for every phone that needs GSM call restriction.

Step 5: To create a FAC, go to Call Routing > Forced Authorization Codes and click Add New. Give an Authorization Code Name (say GSM_PIN), an Authorization Code, which is the PIN number (say 1234), and an Authorization Level of 0 (or the Authorization Level chosen in Step 2).

Now when a GSM number is dialled from a phone with the new CSS, the phone will ask for a FAC, and entering 1234 will allow the GSM call to go through.
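To make the partition/CSS logic concrete, here is an added Python model of the digit analysis described in the steps above (this is example code written for this post, not Call Manager's own implementation). It assumes a simplified matching rule (first matching partition in CSS order wins, whereas the real Call Manager picks the closest match across the whole CSS and only uses partition order as a tie-breaker) and uses constructed partitions PT_LOCAL and PT_GSM alongside the PT_FORCED_GSM, RP_FOR_GSM_FAC and GSM_PIN values from the post. It also shows why Step 3 says not to include the unrestricted GSM partition: a CSS that lists it bypasses the FAC entirely.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class RoutePattern:
    pattern: str          # Call Manager route-pattern syntax, e.g. "0[3567]XXXXXXX"
    partition: str
    description: str
    require_fac: bool = False
    auth_level: int = 0   # minimum FAC level that may use this pattern

@dataclass(frozen=True)
class Fac:
    name: str
    code: str             # the PIN the user types after dialling
    level: int

def cucm_to_regex(pattern: str) -> str:
    """Translate route-pattern wildcards (X = one digit, ! = one or more digits,
    [..] = digit class) into a Python regular expression."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "[":                       # digit class uses the same syntax as regex
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j + 1
            continue
        if ch == "X":
            out.append(r"\d")
        elif ch == "!":
            out.append(r"\d+")
        else:
            out.append(re.escape(ch))
        i += 1
    return "^" + "".join(out) + "$"

def route_call(dialed: str, css: List[str], patterns: List[RoutePattern],
               facs: List[Fac], entered_fac: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (outcome, matched pattern description). Outcomes: blocked, fac_required,
    fac_rejected, routed. Simplification: first partition in CSS order that matches wins."""
    for partition in css:                   # CSS order is the search order
        for rp in patterns:
            if rp.partition != partition or not re.fullmatch(cucm_to_regex(rp.pattern), dialed):
                continue
            if not rp.require_fac:
                return "routed", rp.description
            if entered_fac is None:
                return "fac_required", rp.description
            fac = next((f for f in facs if f.code == entered_fac), None)
            # the FAC's level must be at least the pattern's authorization level
            if fac is None or fac.level < rp.auth_level:
                return "fac_rejected", rp.description
            return "routed", rp.description
    return "blocked", None

# Constructed configuration mirroring the post (PT_LOCAL, PT_GSM and the internal
# pattern are assumptions; the GSM pattern and FAC values come from the post).
PATTERNS = [
    RoutePattern("[1-9]XXX", "PT_LOCAL", "RP_INTERNAL"),
    RoutePattern("0[3567]XXXXXXX", "PT_GSM", "RP_FOR_GSM"),
    RoutePattern("0[3567]XXXXXXX", "PT_FORCED_GSM", "RP_FOR_GSM_FAC",
                 require_fac=True, auth_level=0),
]
FACS = [Fac("GSM_PIN", "1234", 0)]

CSS_LOCAL = ["PT_LOCAL", "PT_GSM"]                              # unrestricted phones
CSS_LOCAL_WITH_FAC_FOR_GSM = ["PT_LOCAL", "PT_FORCED_GSM"]      # restricted phones (Step 3)
CSS_MISCONFIGURED = ["PT_LOCAL", "PT_GSM", "PT_FORCED_GSM"]     # includes PT_GSM: FAC bypassed

if __name__ == "__main__":
    for css_name, css in [("CSS_LOCAL", CSS_LOCAL),
                          ("CSS_LOCAL_WITH_FAC_FOR_GSM", CSS_LOCAL_WITH_FAC_FOR_GSM),
                          ("CSS_MISCONFIGURED", CSS_MISCONFIGURED)]:
        print(css_name, "051234567 without FAC ->", route_call("051234567", css, PATTERNS, FACS))
    print("restricted phone with correct FAC ->",
          route_call("051234567", CSS_LOCAL_WITH_FAC_FOR_GSM, PATTERNS, FACS, "1234"))
```

Running the block shows the restricted CSS prompting for a FAC, the unrestricted CSS routing the call directly, and the misconfigured CSS routing the GSM call without any FAC because PT_GSM is searched before PT_FORCED_GSM.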

Monday, August 15, 2011

TACACS+ Authentication for Cisco Unified Operations Manager 8.X

Cisco Unified Operations Manager (CUOM) supports ACS authentication and authorization. The procedure is similar to integrating CiscoWorks LMS with ACS for TACACS+ authentication. Once CUOM has been successfully integrated with Cisco Secure ACS, Operations Manager, Service Monitor and Common Services are added as Shared Profile Components in ACS, which imports the application tasks and user roles into ACS.

To integrate the Operations Manager server with Cisco Secure ACS, first create a System Identity User on the Operations Manager. Before you create a System Identity User, you need to create a Local User which will later be mapped to the System Identity User. To create a Local User, go to Administration > Server Administration (Common Services) > Security > Local User Setup and click Add to create a new user. Enter the username (say cuomadmin) and a password. Select the Full Authorization radio button so that the user has all privileges; authorization can fail for certain tasks in Operations Manager if the user does not have Full Authorization. The next step is to create the System Identity User: choose Administration > Server Administration (Common Services) > System Identity Setup, replace the System Identity Setup username with the local username you created in the previous step (cuomadmin), enter the same password and click Apply.

On the ACS, create an administrator user (cuomadmin) with all privileges. CUOM registration with ACS can fail if this user does not have administrator privileges. On ACS 4.2, go to User Setup, enter the username (cuomadmin) in the User box and click Add/Edit. Enter the password for the user and give the account all privileges. Now add the Operations Manager server as an AAA client on the ACS: go to Network Configuration and click Add Entry. Enter the AAA Client Hostname, the AAA Client IP Address (the CUOM IP address) and a Shared Secret (say P@ssw0rd), and select TACACS+ (Cisco IOS) from the Authenticate Using drop-down list.

Now on the CUOM, go to Administration > Server Administration (Common Services) > Security > AAA Mode Setup and select the ACS radio button. Enter the ACS IP address and port number 49. If you have multiple ACS servers, enter the secondary and tertiary ACS details as well. In the Login box enter the ACS administrator name and password (you must know the ACS administrator's HTTP credentials to register the CUOM with the ACS server). Also enter the ACS Shared Secret (P@ssw0rd) that was set when the CUOM was added as an AAA client in ACS. To register all the installed applications with ACS, select the corresponding check box. Then click Apply, and click OK if the registration is successful. You will now have to restart the CUOM daemon manager for the changes to take effect. On the server's command line, go to NMSROOT\bin (where NMSROOT is the directory in which CUOM is installed, by default C:\Program Files\CSCOpx) and enter the following commands:

net stop crmdmgtd
net start crmdmgtd


If the registration was successful, on the ACS you should see Cisco Unified Operations Manager, Cisco Unified Service Monitor and CiscoWorks Common Services under Shared Profile Components. Here you can edit roles and create custom roles. Create users in ACS with the required privileges. Ensure that the System Identity User in ACS is assigned all roles and that Common Services users have been assigned the proper privileges. You can now log in to the CUOM with a username defined in ACS.

If you are locked out, or if your ACS admin user does not have enough privileges, you can revert from ACS mode back to local user mode by first shutting down the daemons and then running the following script:

NMSROOT\bin\perl ResetLoginModule.pl

Then restart the daemon.

Tuesday, July 12, 2011

Implementing eBGP for MPLS Redundancy

All MPLS service providers offer SLAs with high redundancy for MPLS connectivity. These SLAs can be met using HSRP, eBGP, iBGP, etc.; the choice is up to the customer. As an MPLS customer, configuring BGP can sometimes be a hassle. In the configuration below we configure eBGP on a single Layer 3 switch with two links to the provider. The neighbor weight command assigns a weight to the routes learned from that neighbor, so that routes from the neighbor with the highest weight (192.168.123.1, weight 200) are preferred and the second link (weight 100) is used only if the first fails. Weight is local to the router and is not advertised to any neighbor.

interface GigabitEthernet0/1
description *** Connected to SP SW1 ***
ip address 192.168.123.2 255.255.255.252
!
interface GigabitEthernet0/2
description *** Connected to SP SW2 ***
ip address 192.168.123.6 255.255.255.252
!
interface Vlan124
description *** USER VLAN ***
ip address 192.168.124.254 255.255.255.0
!
router bgp 65013
no synchronization
network 192.168.124.0 mask 255.255.255.0
neighbor 192.168.123.1 remote-as 64512
neighbor 192.168.123.1 weight 200
neighbor 192.168.123.5 remote-as 64512
neighbor 192.168.123.5 weight 100

Friday, March 4, 2011

Cisco Autonomous Access Point Configuration for PEAP Authentication with Windows RADIUS Server

Refer to the link below for configuring the Microsoft IAS Server (RADIUS server)


and the Cisco Autonomous Access Point configuration needs to be as below:

aaa group server radius rad_eap
server <RADIUS_SERVER_IP> auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid PUBLIC
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
guest-mode
!
interface Dot11Radio0
encryption mode ciphers tkip (or aes-ccm)
ssid PUBLIC
!
radius-server host <RADIUS_SERVER_IP> auth-port 1812 acct-port 1813 key <RADIUS_KEY>

Thursday, March 3, 2011

Configuring RADIUS VSA on ACS 5.2 for APC Authentication

If Cisco ACS is configured to do plain RADIUS authentication for APC UPS devices, the RADIUS user gets only Read-Only privileges on the APC user interface.

To get Admin privileges for RADIUS users, Vendor Specific Attributes (VSAs) have to be configured on Cisco ACS. The following are the Vendor Specific Attributes for APC devices (they can be obtained online, or from a VSA dictionary file).

VENDOR APC 318

ATTRIBUTE APC-Service-Type 1 integer APC

VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
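To show what the dictionary above actually describes on the wire, here is an added Python example (written for this post, not code from APC or Cisco) that encodes APC-Service-Type as a RADIUS Vendor-Specific attribute (attribute type 26, RFC 2865) with vendor ID 318, vendor attribute 1 and a 32-bit integer value, then parses an attribute list back and derives the role the UPS would grant. The constructed attribute list and the helper names are assumptions; the role fallback to ReadOnly when the VSA is absent reflects the behaviour described at the start of the post.

```python
import struct
from typing import List, Tuple, Union

RADIUS_VENDOR_SPECIFIC = 26           # RFC 2865 Vendor-Specific attribute type
VENDOR_APC = 318                      # VENDOR APC 318 from the dictionary
APC_SERVICE_TYPE = 1                  # ATTRIBUTE APC-Service-Type 1 integer
APC_SERVICE_TYPE_VALUES = {1: "Admin", 2: "Device", 3: "ReadOnly"}

def encode_apc_service_type(value: int) -> bytes:
    """Build the VSA: [26][len][vendor-id 4 bytes][vendor-type][vendor-len][uint32]."""
    vendor_data = struct.pack("!BBI", APC_SERVICE_TYPE, 6, value)   # vendor-len 6 = 2 header + 4 value
    body = struct.pack("!I", VENDOR_APC) + vendor_data
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body

def encode_integer_attr(attr_type: int, value: int) -> bytes:
    """Standard (non-vendor) integer attribute, e.g. Session-Timeout (27)."""
    return struct.pack("!BBI", attr_type, 6, value)

def parse_attributes(raw: bytes) -> List[Tuple[str, Union[str, int, bytes]]]:
    """Walk a RADIUS attribute list; decode APC-Service-Type using the dictionary,
    leave everything else as raw bytes. Rejects malformed lengths instead of looping."""
    out, i = [], 0
    while i < len(raw):
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed RADIUS attribute length")
        data = raw[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", data[:4])[0]
            j = 4
            while j < len(data):
                vtype, vlen = data[j], data[j + 1]
                if vlen < 2 or j + vlen > len(data):
                    raise ValueError("malformed vendor attribute length")
                vdata = data[j + 2:j + vlen]
                if vendor_id == VENDOR_APC and vtype == APC_SERVICE_TYPE:
                    val = struct.unpack("!I", vdata)[0]
                    out.append(("APC-Service-Type", APC_SERVICE_TYPE_VALUES.get(val, val)))
                else:
                    out.append((f"Vendor-{vendor_id}-Attr-{vtype}", vdata))
                j += vlen
        else:
            out.append((f"Attr-{atype}", data))
        i += alen
    return out

def apc_role(attrs: List[Tuple[str, Union[str, int, bytes]]]) -> str:
    """Role the APC device grants: the VSA value if present, otherwise ReadOnly
    (the default the post describes when no VSA is returned)."""
    for name, value in attrs:
        if name == "APC-Service-Type" and isinstance(value, str):
            return value
    return "ReadOnly"

# Constructed Access-Accept attribute list: Session-Timeout (27) = 3600 plus the APC VSA set to Admin.
SAMPLE_ACCEPT = encode_integer_attr(27, 3600) + encode_apc_service_type(1)

if __name__ == "__main__":
    print(encode_apc_service_type(1).hex())
    print(parse_attributes(SAMPLE_ACCEPT), "->", apc_role(parse_attributes(SAMPLE_ACCEPT)))
```

The vendor ID and attribute number in the code are the two values entered into the ACS dictionary pages, and the static value 1 in the authorization profile is what `encode_apc_service_type(1)` places in the last four bytes of the attribute.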

To configure the VSA attributes in Cisco ACS 5.2, go to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA, click Create, enter Name: APC and Vendor ID: 318, and click Submit. Then go to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA > APC (or, from the Vendor Specific Dictionary page, check the box next to APC and click Show Vendor Attributes), click Create and enter the following values: Attribute: APC-Service-Type, Vendor Attribute ID: 1, Direction: BOTH, Multiple Allowed: True and Attribute Type: Unsigned Integer 32, and click Submit.

Go to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, click Create and under the General tab enter a Name for the profile (say RADIUS_AUTH). Then under the RADIUS Attributes tab, select RADIUS-APC from the Dictionary Type drop-down list, select APC-Service-Type as the RADIUS Attribute, set the Attribute Value to Static with value 1 (to get Admin user privileges), click Add ^ to manually enter the attribute and then click Submit.

To add the APC device to Cisco ACS 5.2, go to Network Resources > Device Type and click Create to create a new group for APC, entering Name: APC Devices. Then go to Network Resources > Network Devices and AAA Clients, click Create and on the create page enter the host name of the APC device in the Name field, Device Type: APC Devices, and the IP of the APC device in the IP field. Check the RADIUS check box and enter the Shared Secret.

To add a user to the ACS, go to Users and Identity Stores > Identity Groups, click Create and add a group with Name: APC User under All Groups. Then go to Users and Identity Stores > Internal Identity Stores > Users and create a user in the APC User identity group.

Now we need to tie the created user and device to the RADIUS authorization profile by creating a policy. To do that go to Access Policies > Access Services, click Create, enter Name: RADIUS Admin, select User Selected Service Type and choose Network Access from the drop-down list. From the Policy Structure select Identity and Authorization and then click Next. On the Allowed Protocols page select Allow PAP/ASCII and click Finish.

Go to Access Policies > Access Services > RADIUS Admin > Identity, select the Single result selection radio button, select Internal Users as the Identity Source and click Save Changes. Go to Access Policies > Access Services > RADIUS Admin > Authorization, click Customize (lower right of the screen), choose Identity Group as the Conditions and Authorization Profiles as the Results, and click OK. Click Create to create a Network Access Authorization Policy. Under Conditions, select Identity Group as APC User (created under Users and Identity Stores above) and under Results select RADIUS_AUTH (or whatever name you created under Policy Elements above), then click OK.

The final step is to go to Access Policies > Access Services > Service Selection Rules and click Customize. Select Device Type and Protocol as the Conditions and click OK to save. Now go to Access Policies > Access Services > Service Selection Rules and click Create... to create a new Service Selection Policy. Under Conditions select Device Type as APC Devices and Protocol as Radius, and under Results (Service) select RADIUS Admin. Click OK to save the service policy. With this user you should now be able to log in to the APC UI with administrator privileges.

This might look very complicated, but it's actually like solving a math problem. ACS 5.X is very flexible in creating policies, and the above steps can be used to configure RADIUS VSAs for other devices as well.

Wednesday, February 23, 2011

Blue Coat PacketShaper TACACS+ Authentication with Cisco ACS

The Blue Coat PacketShaper configuration is pretty straightforward. After logging in to the Blue Coat PacketShaper with your admin account, click the Legacy UI link at the top right of the home page. Once in the legacy UI, click the Setup tab and choose TACACS+ client from the Choose Setup Page drop-down list.

On the TACACS+ client settings page, select On from the Authentication drop-down list to turn TACACS+ authentication on. Choose ASCII as the authentication method. Enter the IP address of the primary authentication host, port 49 and a shared secret. If you have a secondary ACS server, add it as the secondary authentication host. Accounting can be enabled in the same way as authentication. Click apply changes ... to save the configuration.

The Blue Coat PacketShaper can also be configured from the CLI if you have SSH access to the device:

setup tacacs auth primary <host ip address> <shared_secret> [<port>]
setup tacacs auth on
setup tacacs acct primary <host ip address> <shared_secret> [<port>]
setup tacacs acct on

e.g.,
setup tacacs auth primary 192.168.10.100 $ecret
setup tacacs auth on

By default, port 49 is used for TACACS+. Use setup tacacs show to display your current configuration.

Configuration on ACS 4.2

Go to Network Configuration > Add Entry and enter the Network Device Group Name as Bluecoat. Then go to Network Configuration > Bluecoat > Add Entry and enter the PacketShaper hostname, IP address and shared secret (which must be the same as the one configured on the PacketShaper). Select TACACS+ (Cisco IOS) from the Authenticate Using drop-down list and click Submit + Apply.

Under Interface Configuration > TACACS+ (Cisco IOS), in the TACACS+ Services window, check both the User and Group column check boxes for Shell (exec).

If a single user needs access to the Blue Coat, go to User Setup, enter the name of the user and click Add/Edit.

If a group of users needs access to the Blue Coat, go to Group Setup, select the group from the drop-down list and click Edit Settings.

Scroll down to the TACACS+ Settings section, select the Shell (exec) check box, then select the Custom Attributes check box and enter the following custom attributes:
role*PC:touch
access*touch
Replace * with = if you want the attributes to be mandatory; * marks them as optional.
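The difference between * and = above is the TACACS+ attribute-value pair separator: = marks a mandatory argument, * an optional one, and a client that receives a mandatory argument it does not understand must treat the authorization as failed, while an unknown optional one is simply ignored (RFC 8907, section 6.1). The following is an added Python example, written for this post rather than taken from Blue Coat or Cisco, that parses the two attributes from the post and simulates that client-side decision; the set of attributes the client "supports" is a constructed assumption.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# A TACACS+ AV pair is attr, then the first '=' (mandatory) or '*' (optional), then the value.
AV_PAIR = re.compile(r"^([^=*]+)([=*])(.*)$")

def parse_av_pairs(pairs: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Return (attribute, value, mandatory) for each pair; reject anything without a separator."""
    parsed = []
    for pair in pairs:
        m = AV_PAIR.match(pair)
        if not m:
            raise ValueError(f"not a TACACS+ AV pair: {pair!r}")
        attr, sep, value = m.groups()
        parsed.append((attr, value, sep == "="))
    return parsed

def apply_authorization(server_pairs: Iterable[str],
                        client_supported: Iterable[str]) -> Tuple[Optional[Dict[str, str]], Optional[str]]:
    """Simulate the client (here the PacketShaper) processing the server's authorization reply.
    Returns (applied attributes, None) on success or (None, reason) when a mandatory
    attribute is unsupported, which the client must treat as an authorization failure."""
    supported = set(client_supported)
    applied: Dict[str, str] = {}
    for attr, value, mandatory in parse_av_pairs(server_pairs):
        if attr in supported:
            applied[attr] = value
        elif mandatory:
            return None, f"unsupported mandatory attribute {attr!r}"
        # unsupported optional attributes are silently ignored
    return applied, None

# Attributes exactly as entered in ACS in the post, and the same pair made mandatory.
ACS_OPTIONAL = ["role*PC:touch", "access*touch"]
ACS_MANDATORY = ["role=PC:touch", "access=touch"]

# Constructed assumption: which attributes a given client understands.
PACKETSHAPER_SUPPORTED = {"role", "access"}
OTHER_DEVICE_SUPPORTED = {"priv-lvl"}

if __name__ == "__main__":
    print(apply_authorization(ACS_OPTIONAL, PACKETSHAPER_SUPPORTED))
    print(apply_authorization(ACS_OPTIONAL, OTHER_DEVICE_SUPPORTED))   # ignored, still succeeds
    print(apply_authorization(ACS_MANDATORY, OTHER_DEVICE_SUPPORTED))  # fails
```

In practice this is why * is the safer default when the same ACS group also authorizes users on devices that do not know the role and access attributes: with = those devices would reject the authorization outright.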

Saturday, January 29, 2011

Cisco 3D Icons

I recently came across these Cisco 3D icons, the ones you usually see in Cisco Press books and materials. I really liked them; they have white backgrounds, but who cares when they are this good. You can download them from the link below.