Thursday, November 24, 2011

Call Restrictions on Cisco IP Phone using FAC

Some phones in your network might be located at an insecure location where external or rogue users could misuse them by making GSM or international calls. You could use the Call Manager's FAC (Forced Authorization Code) feature to lock GSM and international dialling on these particular phones. In the example below we will only be implementing a restriction on GSM calls from phones; a similar method could be used for restricting international calls also.

Step 1: First step would be to log in to the Call Manager, go to Call Routing > Class of Control > Partition and then click Add New to create a new partition. Enter the name as PT_FORCED_GSM (or any sensible name starting with PT to let you know that it's a Partition).

Step 2: Next we need to create a new Route Pattern with FAC enabled. For this go to Call Routing > Route/Hunt > Route Pattern and click Find to see all the existing Route Patterns on your Call Manager. Since we are planning to restrict GSM calls, find the Route Pattern for GSM numbers; let's say you have a Route Pattern for GSM with Pattern 0[3567]XXXXXXX, which matches GSM numbers starting with 3, 5, 6 or 7 (with the initial 0 for outgoing calls). Click on the Copy icon corresponding to this Pattern to create a copy. Rename the Description to RP_FOR_GSM_FAC (to identify that it's a Route Pattern for GSM with FAC). Then tick the Require Forced Authorization Code check box to enable FAC and enter a value for Authorization Level, let's say 0 (it could be a value from 0 to 255, but it should not overlap with any existing Authorization Levels). In the Route Partition box select the Partition created before (PT_FORCED_GSM) and click Save.

Step 3: Next step is to create a Calling Search Space (CSS) which includes the new PT_FORCED_GSM. Go to Call Routing > Class of Control > Calling Search Space and click on Find to see all existing CSSs. Copy a CSS that comes close to your requirement or click Add New to create a new CSS. Give it a name, let's say CSS_LOCAL_WITH_FAC_FOR_GSM, and select PT_FORCED_GSM along with all the other Partitions needed (do not select the partition that allows GSM calls without a FAC), then click Save.

Step 4: Now go to Device > Phone and find the phone to which the Call Restrictions should be applied. For the required line change the Calling Search Space to the newly created CSS, CSS_LOCAL_WITH_FAC_FOR_GSM, and click Save to apply the setting to the phone. Do the same for all phones which need GSM Call Restriction.

Step 5: To create a FAC code, go to Call Routing > Forced Authorization Codes and click Add New. Give an Authorization Code Name (say GSM_PIN), an Authorization Code with a PIN number (say 1234) and the Authorization Level as 0 (or the Authorization Level chosen in Step 2).

Now when a GSM number is dialled from a phone with the new CSS applied, the phone will ask for a FAC, where you can enter 1234 to make the GSM call.
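To see how the partition, CSS and FAC pieces above fit together, here is an added example (not from the original post, and not Call Manager code) that models the class-of-control lookup: a dialled number is matched against the route patterns in the partitions of the line's CSS, and the matching pattern decides whether a FAC is demanded and whether the entered code's level is high enough. The PT_LOCAL and PT_GSM partition names and the 7-digit local pattern are assumptions; closest-match digit analysis is simplified to first match in CSS order.

```python
import re

# Constructed model of CUCM class of control (added example, not CUCM code).
# Route patterns per partition: (pattern, required FAC level or None).
ROUTE_PATTERNS = {
    "PT_LOCAL":      [("XXXXXXX", None)],          # assumed 7-digit local numbers, no FAC
    "PT_GSM":        [("0[3567]XXXXXXX", None)],   # GSM copy without FAC
    "PT_FORCED_GSM": [("0[3567]XXXXXXX", 0)],      # RP_FOR_GSM_FAC, FAC level 0 required
}

# Calling Search Spaces: ordered lists of partitions.
CSS = {
    "CSS_LOCAL":                  ["PT_LOCAL", "PT_GSM"],
    "CSS_LOCAL_WITH_FAC_FOR_GSM": ["PT_LOCAL", "PT_FORCED_GSM"],
}

# Forced Authorization Codes: code -> authorization level (GSM_PIN from the post).
FAC_CODES = {"1234": 0}


def pattern_to_regex(pattern):
    """Translate a CUCM route pattern (X wildcard, [..] digit classes) to a regex."""
    out = []
    for ch in pattern:
        if ch == "X":
            out.append("[0-9]")
        elif ch in "[]0123456789-":
            out.append(ch)
        else:
            raise ValueError(f"unsupported pattern character {ch!r}")
    return re.compile("^" + "".join(out) + "$")


def route(css_name, dialed, fac_entered=None):
    """Return 'ROUTED', 'FAC_REQUIRED', 'FAC_REJECTED' or 'NO_ROUTE'."""
    for partition in CSS[css_name]:
        for pattern, level in ROUTE_PATTERNS.get(partition, []):
            if not pattern_to_regex(pattern).match(dialed):
                continue
            if level is None:
                return "ROUTED"                  # pattern has no FAC requirement
            if fac_entered is None:
                return "FAC_REQUIRED"            # phone prompts for the code
            # The code's level must be >= the pattern's Authorization Level.
            if FAC_CODES.get(fac_entered, -1) >= level:
                return "ROUTED"
            return "FAC_REJECTED"
    return "NO_ROUTE"                            # no partition in the CSS matches
```

Swapping a phone's CSS from CSS_LOCAL to CSS_LOCAL_WITH_FAC_FOR_GSM is what turns a GSM call from ROUTED into FAC_REQUIRED; nothing on the route pattern itself changes.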

Monday, August 15, 2011

TACACS+ Authentication for Cisco Unified Operations Manager 8.X

Cisco Unified Operations Manager (CUOM) supports ACS authentication and authorization. The procedure is similar to integrating CiscoWorks LMS with ACS for TACACS+ authentication. Once CUOM has been successfully integrated with Cisco Secure ACS, Operations Manager, Service Monitor and Common Services will be added as Shared Profile Components in ACS. This imports the application tasks and user roles into ACS.

To integrate the Operations Manager server with Cisco Secure ACS, first create a System Identity User on the Operations Manager. Before you create a System Identity User, you need to create a Local User which will later be mapped to the System Identity User. To create a Local User, go to Administration > Server Administration (Common Services) > Security > Local User Setup and click on Add to create a new user. Enter the username (say cuomadmin) and a password. Select the Full Authorization radio button so that the user has all privilege rights; authorization could fail for certain tasks in Operations Manager if the user does not have Full Authorization. Next, create the System Identity User: choose Administration > Server Administration (Common Services) > System Identity Setup, replace the System Identity Setup username with the local username you created in the previous step (cuomadmin), enter the same password and click Apply.

On the ACS, create an administrator user (cuomadmin) with all privileges in ACS. CUOM registration with ACS can fail if this user does not have administrator privileges. On ACS 4.2, go to User Setup, enter the username (cuomadmin) in the User: box and click Add/Edit. Enter the password for the user and also give the user account all privileges. Now add the Operations Manager server as an AAA client on the ACS. For this go to Network Configuration and click on Add Entry. Enter the AAA Client Hostname, AAA Client IP Address (CUOM IP address), Shared Secret (say P@ssw0rd) and select TACACS+ (Cisco IOS) from the Authenticate Using drop-down list.

Now on the CUOM, go to Administration > Server Administration (Common Services) > Security > AAA Mode Setup and select the ACS radio button. Enter the ACS IP address and port number 49. If you have multiple ACS servers, enter the secondary and tertiary ACS details also. In the Login box enter the ACS administrator name and password (you must know the ACS administrator HTTP credentials to register the CUOM with the ACS server). Also enter the ACS Shared Secret (P@ssw0rd) that we created when we added the CUOM as an AAA client in ACS. To register all the installed applications with ACS select the corresponding check box. Then click Apply, and click OK if the registration is successful. Now you will have to restart the CUOM daemon manager for the changes to take effect. On the server CLI go to NMSROOT\bin (where NMSROOT is the directory where CUOM is installed, default C:\Program Files\CSCOpx) and enter the following commands:

net stop crmdmgtd
net start crmdmgtd


If the registration was successful, on the ACS you should be able to see Cisco Unified Operations Manager, Cisco Unified Service Monitor and CiscoWorks Common Services under Shared Profile Components. Here you can edit roles and create custom roles. Create users in ACS with the required privileges. Ensure that the System Identity User in ACS is assigned all roles and that Common Services users have been assigned the proper privileges. Now you can log into the CUOM with the username defined in ACS.

If you are locked out, or if your ACS admin user does not have enough privileges, you can revert from ACS mode back to local user mode by first shutting down the daemons and then running the following script:

NMSROOT\bin\perl ResetLoginModule.pl

Then restart the daemon.

Tuesday, July 12, 2011

Implementing eBGP for MPLS Redundancy

All MPLS service providers offer SLAs with high redundancy for MPLS connectivity. These SLAs can be achieved using HSRP, eBGP, iBGP, etc.; the choice is up to the customer. As an MPLS customer, configuring BGP can be a hassle sometimes. In the configuration below we will be configuring eBGP on a single Layer 3 switch peering with two provider switches. The neighbor weight command assigns a weight to the routes learned from that neighbor, so that the route with the highest weight is the preferred route (here the peer on SP SW1 with weight 200 is preferred over SP SW2 with weight 100).

interface GigabitEthernet0/1
description *** Connected to SP SW1 ***
ip address 192.168.123.2 255.255.255.252
!
interface GigabitEthernet0/2
description *** Connected to SP SW2 ***
ip address 192.168.123.6 255.255.255.252
!
interface Vlan124
description *** USER VLAN ***
ip address 192.168.124.254 255.255.255.0
!
router bgp 65013
no synchronization
network 192.168.124.0 mask 255.255.255.0
neighbor 192.168.123.1 remote-as 64512
neighbor 192.168.123.1 weight 200
neighbor 192.168.123.5 remote-as 64512
neighbor 192.168.123.5 weight 100

Friday, March 4, 2011

Cisco Autonomous Access Point Configuration for PEAP Authentication with Windows RADIUS Server

Refer to the link below for configuring the Microsoft IAS Server (RADIUS Server)


and the Cisco Autonomous Access Point configuration needs to be as below:

aaa group server radius rad_eap
server <RADIUS_SERVER_IP> auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid PUBLIC
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
guest-mode
!
interface Dot11Radio0
encryption mode ciphers tkip (or aes-ccm)
ssid PUBLIC
!
radius-server host <RADIUS_SERVER_IP> auth-port 1812 acct-port 1813 key <RADIUS_KEY>

Thursday, March 3, 2011

Configuring RADIUS VSA on ACS 5.2 for APC Authentication

If Cisco ACS is configured to do plain RADIUS authentication for APC UPS devices, the RADIUS user gets only Read-Only privileges on the APC user interface.

To get Admin privileges for RADIUS users, Vendor Specific Attributes (VSA) have to be configured on Cisco ACS. Following are the Vendor Specific Attributes (which can be obtained online, or from a VSA dictionary file) for APC devices.

VENDOR APC 318

ATTRIBUTE APC-Service-Type 1 integer APC

VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
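The dictionary above says what ACS will put on the wire: a RADIUS Vendor-Specific attribute (type 26) carrying vendor 318 and sub-attribute 1 with a 32-bit integer. As an added example (my own code, not part of the original post or any APC/ACS software), here is that encoding and the matching decode an APC device would do on the Access-Accept, with the other RADIUS attribute in the test constructed for illustration.

```python
import struct

# Values from the APC VSA dictionary quoted above.
VENDOR_APC = 318
APC_SERVICE_TYPE = 1
APC_SERVICE_VALUES = {1: "Admin", 2: "Device", 3: "ReadOnly"}


def encode_apc_service_type(value):
    """Build an RFC 2865 Vendor-Specific attribute (type 26) with one APC sub-attribute."""
    if value not in APC_SERVICE_VALUES:
        raise ValueError("unknown APC-Service-Type value")
    # Vendor sub-attribute: vendor type (1), vendor length (6), 32-bit integer.
    sub = struct.pack("!BBI", APC_SERVICE_TYPE, 6, value)
    body = struct.pack("!I", VENDOR_APC) + sub          # Vendor-Id then sub-attribute
    return struct.pack("!BB", 26, 2 + len(body)) + body  # type, length, body


def decode_apc_service_type(attrs):
    """Walk a RADIUS attribute list and return the APC service name, or None."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if atype == 26 and alen >= 8:                    # 2 hdr + 4 vendor + 2 sub hdr
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j = i + 6
            while j + 2 <= i + alen:                     # several sub-attributes may follow
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("malformed vendor sub-attribute")
                if vendor == VENDOR_APC and vtype == APC_SERVICE_TYPE and vlen == 6:
                    val = struct.unpack("!I", attrs[j + 2:j + 6])[0]
                    return APC_SERVICE_VALUES.get(val, "unknown")
                j += vlen
        i += alen
    return None
```

A missing VSA decodes to None, which is exactly the Read-Only outcome the post describes for plain RADIUS authentication.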

To configure VSA attributes in Cisco ACS 5.2, go to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA, click Create, enter Name: APC and Vendor ID: 318 and click Submit. Then go to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA > APC (or, from the Vendor Specific Dictionary page, check the box next to APC and click Show Vendor Attributes), click Create and enter the following values: Attribute: APC-Service-Type, Vendor Attribute ID: 1, Direction: BOTH, Multiple Allowed: True and Attribute Type: Unsigned Integer 32, then click Submit.

Go to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, click Create and under the General tab enter a Name for the profile (say RADIUS_AUTH). Then under the RADIUS Attributes tab, select RADIUS-APC from the Dictionary Type drop-down list, select RADIUS Attribute as APC-Service-Type, set the Attribute Value to Static with value 1 (to get Admin user privilege), click Add ^ to manually enter the attribute and then click Submit.

To add the APC device to Cisco ACS 5.2, go to Network Resources > Device Type and click Create to create a new group for APC. Enter the Name: APC Devices. Then go to Network Resources > Network Devices and AAA Clients, click Create, and on the create page enter the hostname of the APC device in the Name field, Device Type: APC Devices, and the IP of the APC device in the IP field. Check the RADIUS check box and enter the Shared Secret.

To add a user to the ACS, go to Users and Identity Stores > Identity Groups, click Create and add a group with the Name: APC User under All Groups. Then go to Users and Identity Stores > Internal Identity Stores > Users and create a user under the APC User identity group.

Now we need to tie the created user and device to the RADIUS Authorization Profile by creating a policy. To do that go to Access Policies > Access Services, click Create, enter the Name: RADIUS Admin, select User Selected Service Type and choose Network Access from the drop-down list. From the Policy Structure select Identity and Authorization and then click Next. On the Allowed Protocols page select Allow PAP/ASCII and click Finish.

Go to Access Policies > Access Services > RADIUS Admin > Identity, Select Single result selection radio button and Select Internal Users as the Identity Source and click Save Changes. Go to Access Policies > Access Services > RADIUS Admin > Authorization, click on Customize (lower right of the screen) and choose Identity Group as the Conditions and Authorization Profiles as the Results and click Ok. Click Create to create a Network Access Authorization Policy. Under Conditions, Select Identity Group as APC User (created under Users and Identity Stores above) and under Results Select RADIUS_AUTH (depends on what you created under Policy Elements above) and click Ok.

The final step is to go to Access Policies > Access Services > Service Selection Rules and click on Customize. Select Conditions as Device Type and Protocol and click OK to save. Now go to Access Policies > Access Services > Service Selection Rules and click Create... to create a new Service Selection Policy. Select Conditions: Device Type as APC Devices, Protocol as RADIUS, and Results (Service) as RADIUS Admin. Click OK to save the service policy. With this user you should be able to log in to the APC UI with Administrator privileges.

This might look very complicated, but it's actually like solving a math problem. ACS 5.X is very flexible in creating policies. The above steps can be used for configuring RADIUS VSAs for any other device also.

Wednesday, February 23, 2011

Blue Coat PacketShaper TACACS+ Authentication with Cisco ACS

The Blue Coat PacketShaper configuration is pretty straightforward. After opening the Blue Coat PacketShaper using your admin account, click on the Legacy UI link on the top right of the home page. Once in the legacy UI, click on the Setup tab. Choose TACACS+ client from the Choose Setup Page drop-down list.

From the TACACS+ client settings page, select "on" from the Authentication drop-down list to turn TACACS+ authentication on. Choose the Authentication method as ASCII. Enter the IP address of the Primary Authentication Host, Port 49 and a Shared Secret. If you have a secondary ACS server, add it as the Secondary Authentication Host. Accounting can also be enabled in the same way as Authentication. Click on "apply changes ..." to save the configuration.

The Blue Coat PacketShaper can also be configured via the CLI if you have SSH access to the device.

setup tacacs auth primary <host ip address> <shared_secret> [<port>]
setup tacacs auth on
setup tacacs acct primary <host ip address> <shared_secret> [<port>]
setup tacacs acct on

e.g.,
setup tacacs auth primary 192.168.10.100 $ecret
setup tacacs auth on

By default port 49 is used for TACACS+. Use setup tacacs show to display your current configuration.

Configuration on ACS 4.2

Go to Network Configuration > Add Entry, and enter the Network Device Group Name as Bluecoat. Then go to Network Configuration > Bluecoat > Add Entry and enter the PacketShaper hostname, IP address and Shared Secret (which should be the same as configured on the PacketShaper). Select TACACS+ (Cisco IOS) from the Authenticate Using drop-down list and click Submit + Apply.

On Interface Configuration > TACACS+ (Cisco IOS), in the TACACS+ Services window, check both the User and Group column checkboxes for Shell (exec).

If a single user needs access to the Blue Coat, go to User Setup, enter the name of the user and click on Add/Edit.

Or, if a group of users needs access to the Blue Coat, go to Group Setup, select the group from the drop-down list and click Edit Settings.

Scroll down to the TACACS+ Settings section and select the Shell (exec) checkbox. Select the Custom Attributes checkbox, then enter the following custom attributes:
role*PC:touch
access*touch
Replace * with = if you want the attributes to be mandatory; * marks them as optional.
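The difference between = and * matters because a TACACS+ client must reject an authorization reply containing a mandatory attribute it does not understand, while optional ones are simply ignored. As an added example (my own code, not from the post, Blue Coat or Cisco), here is a parser for those attribute-value pairs and the accept/reject decision a client would make; the set of attributes the client understands is an assumption.

```python
# Assumed set of attributes this client understands (constructed for the example).
KNOWN_ATTRIBUTES = {"role", "access", "priv-lvl"}


def parse_avpair(avpair):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional) into (attr, value, mandatory).

    The first '=' or '*' is the separator, so a value such as 'PC:touch' is kept intact.
    """
    for idx, ch in enumerate(avpair):
        if ch in "=*":
            return avpair[:idx], avpair[idx + 1:], ch == "="
    raise ValueError(f"no separator in {avpair!r}")


def apply_authorization(avpairs):
    """Return (accepted, attributes) for a list of server-supplied AV pairs.

    An unknown mandatory attribute fails the whole authorization; an unknown
    optional attribute is dropped and the rest of the reply is still applied.
    """
    accepted = {}
    for pair in avpairs:
        attr, value, mandatory = parse_avpair(pair)
        if attr not in KNOWN_ATTRIBUTES:
            if mandatory:
                return False, {}          # cannot honour a mandatory attribute
            continue                       # optional and unknown: ignore it
        accepted[attr] = value
    return True, accepted
```

Starting with * on the ACS side is the safer first deployment: if the attribute name is mistyped, a * pair is ignored and you still get a shell, whereas an = pair locks you out until it is corrected.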

Saturday, January 29, 2011

Cisco 3D Icons

Recently I came across these Cisco 3D icons, the ones you usually see in Cisco Press books and materials. I really liked them; they have white backgrounds, but who cares when they are awesome. You can download them from the link below.

Sunday, January 23, 2011

Converting Autonomous Access Point to Lightweight Access Point

If you have a lot of Access Points to convert, then you definitely need to use the conversion tool available on the Cisco website. But if it is only a single Access Point, you could do it with a TFTP server and an Autonomous to Lightweight Mode Upgrade Image (downloadable from the Cisco website).

Connect a console to the Access Point and power it up using either a power adapter or a power injector. If the Access Point is new out of the box, it is pre-configured to obtain an IP address from a DHCP server. If you don't have a DHCP server, assign a static IP address.

AP(config)#interface bvi 1
AP(config-if)#ip address <ip address> <subnet mask>

Start your TFTP server with the Autonomous to Lightweight Mode Upgrade Image copied to its root directory. From the Access Point CLI issue the command

AP#archive download-sw /overwrite /reload tftp://<ip address of the tftp server>/<upgrade image file>

The Access Point will download the file and overwrite the existing image file (/overwrite) in the flash and then reboot (/reload) into LWAPP mode. If the reload does not happen, enter the reload command manually.

Once the Access Point is converted, connect it to your network. The switch port to which it is connected should be configured in the Access Point management VLAN, so that the Access Point can communicate with the Wireless LAN Controller. Hold down the Mode button on the Access Point before you power it up and release it once the LED turns amber (approximately 10 seconds). This is required to delete the existing configuration on the Access Point and return it to the factory defaults.

Thursday, January 20, 2011

CS-MARS authentication with Cisco Secure ACS

First, on the ACS, add the CS-MARS device: go to Network Configuration > Add Entry, then add the CS-MARS hostname, IP address and Shared Secret Key. From the Authenticate Using drop-down list select RADIUS (IETF) and click Submit + Apply. Create a user account on the ACS for the user who wants access to the CS-MARS (go to User Setup to create a user on the ACS).

On the CS-MARS also we need to create an account for the same user. Go to MANAGEMENT > User Management, click Add to create a new user. Enter the Role and the Login (username) of the user and click Submit.

Log into the CS-MARS as pnadmin and go to ADMIN > System Setup > Authentication Configuration. From the AAA Server Configuration: box click Add. Here you define your ACS server and how MARS should communicate with it. Select whether to configure the ACS server on an existing host that MARS is aware of or on a new host. After entering the basic IP address and interface information, click Next, and on the Reporting Applications window select Generic AAA Server and click Add. On the AAA Server Configuration window, enter the Name, Shared Secret Key (as given in the ACS), the Authentication Port (1812) and Accounting Port (1813). Use the Test Connectivity button to verify that CS-MARS can communicate with the RADIUS server and that user accounts can be authenticated against it. Lastly, go to the Authentication Configuration screen again, select AAA Server as the authentication method and select the server you just defined. You can add a secondary AAA server in the same way.

If, for any reason, you need to change authentication back to Local, you will need to recreate a password for each user. Once the authentication method is changed to RADIUS, all local passwords on the MARS appliance (except the pnadmin user) are deleted.

Wednesday, January 19, 2011

ATA 188 Duplex and Speed Change

The Cisco ATA 188 Ethernet port duplex and speed can be configured from the Cisco ATA web configuration page (http://<ATA-IP-Address>), provided the hardware version number on the Cisco ATA is 0x0009 or above (the version can be checked from the Device Information page, http://<ATA-IP-Address>/DeviceInfo). The ATA 188 has two Ethernet RJ-45 10/100BASE-T ports, both with configurable duplex and speed. One is used as an uplink connecting to the switch and the other as a data port for connecting to a PC. The IP address of the ATA device (ATA-IP-Address) can be obtained from the connected switch using the show cdp neighbors <interface_type> <module/port> detail command.

The speed and duplex of the Ethernet ports can be configured by changing the value of the Switchports parameter on the http://<ATA-IP-Address>/NetCfg page.

Applicable Bits
Bits 0-3 are for the PC port
Bits 4-7 are for the uplink port

Bit Values
0=10 Mbps, half duplex
1=10 Mbps, full duplex
2=100 Mbps, half duplex
3=100 Mbps, full duplex
4=AUTO detect
Other bit values are not valid

By default the ATA works at 10 Mbps, half duplex (0x00000000). The Switchports parameter can be changed to 0x000000FF for 100 Mbps, full duplex and 0x00000022 for 100 Mbps, half duplex. After the value has been entered, click on Apply. Switch OFF the ATA power and then switch it back ON for the configuration to complete. After switching ON, the Function button on top of the ATA blinks quickly, indicating that the ATA is upgrading the configuration.

The ATA 188 is past End-of-Life and probably out of most networks, but it could perform auto-negotiation for duplex and speed and is capable of 10/100 Mbps, full-duplex operation. The Cisco ATA 186, on the other hand, is fixed at 10 Mbps, half-duplex operation.

Monday, January 17, 2011

CS-MARS Upgrade

The thought of upgrading the CS-MARS software is a pain for most MARS administrators, mainly because of the time it takes to get to the latest version. Upgrading the MARS software can only be done sequentially, version by version. The recommended method of upgrading a CS-MARS device is through the CLI using the pnupgrade command. The most reliable and easiest pnupgrade method is using a CD-ROM. The software can be downloaded from the Cisco site and burned on to a CD.

pnupgrade cdrom://csmars-6.1.1.3445.zip

Other pnupgrade methods are ftp, http and https. MARS requires that the upgrade server enforces user authentication.

pnupgrade -u username:password ftp://ftpserver/csmars-version.zip

Most people prefer the GUI for doing the upgrade, but could end up facing a lot of issues. One of the most common errors GUI users face is "Upgrade csmars-6.1.1.3445.zip failed. Failed to pass the version dependency test." Chances are the data versions do not match, even though you upgraded the software version by version. The MARS appliance can screw up the data version numbers, giving you this error. You can check this via the CLI by typing the following commands.

[pnadmin]$ version
6.0.8 (3428) 36

[pnadmin]$ pnupgrade
CSMARS Upgrade...........[14033]
------------------------------------------------
Package Name Type Version URL
------------------------------------------------
csmars-6.1.1.3445.zip BD 6.1.1.3445.38 N/A
csmars-6.0.8.3428.zip BD 6.0.8.3428.37 N/A
csmars-6.0.7.3404.zip BD 6.0.7.3404.36 N/A
csmars-6.0.6.3368.zip BD 6.0.6.3368.35 N/A
csmars-6.0.5.3358.zip BD 6.0.5.3358.34 N/A
csmars-6.0.4.3229.zip BD 6.0.4.3229.33 N/A
csmars-6.0.3.3190.zip B 6.0.3.3190 N/A
csmars-6.0.3.3188.zip BD 6.0.3.3188.32 N/A
csmars-6.0.2.3102.zip BD 6.0.2.3102.31 N/A

(the data version number is the last field of the Version column, e.g. 37 in 6.0.8.3428.37); CS-MARS obtains this upgrade order from the MARSCatalog.xml file embedded in the zip file.

In the above case, 6.1.1 will not get installed because the data version of the previously upgraded software version, 6.0.8.3428.36, does not match the MARSCatalog version 6/0/8/3428/37. To get to 6.0.8 (3428) 37, install 6.0.8 again via the CLI (it won't run from the GUI). This should resolve the issue.
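As an added example (my own code, not part of the post or of CS-MARS), here is the version dependency test reconstructed from the CLI output above: it parses the output of version and the pnupgrade catalog listing, compares the appliance's data version with the catalog's data version for the same software version, and tells you whether the next package will install or whether the current version has to be reinstalled via the CLI first. The catalog text is copied from the listing above (trimmed to four rows) and the decision rule is my reading of the post's explanation.

```python
import re

# Rows copied from the pnupgrade listing above (newest first); N/A is the URL column.
CATALOG_TEXT = """\
csmars-6.1.1.3445.zip BD 6.1.1.3445.38 N/A
csmars-6.0.8.3428.zip BD 6.0.8.3428.37 N/A
csmars-6.0.7.3404.zip BD 6.0.7.3404.36 N/A
csmars-6.0.6.3368.zip BD 6.0.6.3368.35 N/A
"""


def parse_version_output(text):
    """'6.0.8 (3428) 36' -> ('6.0.8.3428', 36): software version and data version."""
    m = re.match(r"\s*(\d+\.\d+\.\d+)\s+\((\d+)\)\s+(\d+)", text)
    if not m:
        raise ValueError("unrecognised version output")
    return f"{m.group(1)}.{m.group(2)}", int(m.group(3))


def parse_catalog(text):
    """Return [(package, software_version, data_version or None)] in listed order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].startswith("csmars-"):
            continue                                   # skip headers and rules
        pkg, ptype, ver = parts[0], parts[1], parts[2]
        fields = ver.split(".")
        if "D" in ptype and len(fields) == 5:          # BD packages carry a data version
            entries.append((pkg, ".".join(fields[:4]), int(fields[4])))
        else:                                          # B-only packages (e.g. 6.0.3.3190) do not
            entries.append((pkg, ver, None))
    return entries


def check_upgrade(version_output, catalog_text):
    """Say what pnupgrade will do next for the appliance's current version."""
    software, data = parse_version_output(version_output)
    oldest_first = list(reversed(parse_catalog(catalog_text)))
    for idx, (pkg, ver, cat_data) in enumerate(oldest_first):
        if ver != software:
            continue
        if cat_data is not None and cat_data != data:
            # The dependency test compares these two numbers; reinstalling the
            # same package from the CLI brings the data version up to the catalog's.
            return f"reinstall {pkg} via CLI: data version {data} != catalog {cat_data}"
        if idx + 1 < len(oldest_first):
            return f"next: {oldest_first[idx + 1][0]}"
        return "up to date"
    return "current version not in catalog"
```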

If your CS-MARS has internet connectivity, the upgrade could be done directly from the Cisco website, but you will need a valid CCO ID with the ability to download software.