Wednesday, July 26, 2017

Register Cisco APs with Cisco vWLC 8.1 on EVE-NG

EVE (Emulated Virtual Environment) is running in VMware Workstation on my laptop. The Cisco AP is connected directly to the Ethernet port of the laptop, with PoE supplied by a power injector. You can see the EVE topology in the capture below: a core switch is bridged to the outside world and connected to the vWLC, and the service port of the vWLC is bridged to the NAT interface of VMware. If you are not familiar with this kind of virtual networking, the following post explains how to set it up.

https://roshanznet.blogspot.com/2017/01/connect-virtual-devices-in-unleve-to_31.html

Note:- Find the regulatory domain of your physical access point before you configure the WLC country code; if they do not match, the AP will join but its radios stay down. As an example, my AP is a Cisco AIR-CAP2602I-E-K9; the 'E' indicates the regulatory domain (Europe), which is why I configure my WLC country code as GB (Great Britain).

Configuration in WLC

How the WLC is configured can be found in the following post.
https://roshanznet.blogspot.com/2017/02/deploy-vwlc-on-eve-unl.html

After the initial configuration you will have to activate the licenses.

Log in to the WLC web GUI, go to Advanced, then
Management > Software Activation > Licenses

Click on the ap-count license, then on the Set Status tab, and accept the EULA.

Nothing visibly changes, but without an activated AP-count license the WLC will refuse the AP join.
After accepting the license, go to Commands > Reboot and click the Save and Reboot tab.

Configuration in CORE

The core switch routes between the AP VLAN (60, on e0/0) and the WLC VLAN (50, trunked on e0/1), so IP routing must be enabled (it is off by default on many Catalyst and IOL L3 images) and each VLAN needs an SVI.

CORE(config)#ip routing
CORE(config)#vlan 50
CORE(config)#vlan 60

CORE(config)#interface vlan 50
CORE(config-if)#ip address 192.168.50.254 255.255.255.0

CORE(config)#interface vlan 60
CORE(config-if)#ip address 192.168.60.254 255.255.255.0

CORE(config)#interface e0/0
CORE(config-if)#switchport mode access
CORE(config-if)#switchport access vlan 60

CORE(config)#interface e0/1
CORE(config-if)#switchport trunk encapsulation dot1q
CORE(config-if)#switchport mode trunk
CORE(config-if)#switchport trunk allowed vlan 50

Configuration in AP

These commands are typed at the AP's privileged prompt. Note that the default-gateway command takes only the gateway address, without a mask.

ap#capwap ap ip address 192.168.60.10 255.255.255.0
ap#capwap ap ip default-gateway 192.168.60.254
ap#capwap ap controller ip address 192.168.50.51

Now everything should work. If the AP still does not join because of a license issue (you can see this in the logs of both the AP and the WLC), you may need to reset the AP and try again.

To learn the correct way to reset a Cisco AP please go to the following link..
https://roshanznet.blogspot.com/2017/07/correct-way-to-factory-reset-cisco-ap.html

Change the Mode of AP to Flex Connect

The SSID you created will not be broadcast until you do this, because the vWLC only supports access points in FlexConnect mode: an AP that joins in local mode stays registered but does not serve the WLAN.
Go to Wireless, click on the name of the AP, change AP Mode to FlexConnect and apply..
You will then see your SSID live around you.. :)

Correct Way to Factory Reset Cisco AP (Clear Configurations Completely)

If you have tried to clear the old configuration of a Cisco lightweight AP with the Mode button and then tried to join it to a new WLC, you may have noticed that it does not clear the old configuration completely: it may join the previous controller again, or only the IP address is cleared while the primary controller address is still visible in the set variables. This is the correct way to reset it completely..


The AP I am using is a Cisco 2602i which is a very common AP.

01. First console into the AP, log in with the username and password, and go to privileged mode..

Default Username: Cisco
Default Password: Cisco
Default Enable Password: Cisco

02. Unlock the hidden commands..

Because the erase command is hidden on a lightweight AP, you need to unlock the full CLI with the following command.
AP#debug capwap console cli

Note:- The same command also lets you enter configuration mode on a Cisco lightweight AP.

03. Erase NVRAM.

NVRAM is where the startup configuration is located and where the AP keeps the list of previously learned WLC IP addresses.


Hit the following command to erase the nvram..
AP#erase /all nvram:

After erasing nvram, it will be like this..


04. Delete the whole flash, or only the env_vars file in flash..

Issue dir flash:/ to see what is inside it..


If you really want to bring the AP back to a fresh factory state, the following command erases the whole flash with all the files in it. Proceed with caution, because it wipes out the OS too.

Hit the following command to delete flash..
AP#delete /force /recursive flash:

Note:- Flash is where the IOS image and the recovery image are stored; the command above wipes out both. You will then have to upload the recovery image from a TFTP server (your PC) in rommon mode. If you want to know how to do it please refer to this.

A brand new AP comes with a recovery image only. It will download the IOS image from the WLC after it joined one.

So if you don't want to delete the OS but need to clear all the old configuration, delete only the env_vars file in flash with the following command..
AP#delete flash:/env_vars

This file is where the set variables (including the controller addresses) are stored. If you don't delete it, some of the set variables stay intact even after you reset the AP with the Mode button.

05. Reset AP using the Mode button

Power-cycle the AP while holding the Mode button..
Release it after the LED turns steady red.. (about 10 seconds)

Now issue the set command at the ap: prompt and you will see that all the set variables are cleared too..
If you did not delete the entire flash, you can give the following command to make the AP boot the IOS image instead of the recovery image.

ap:set BOOT flash:/<image-directory>/<image>

In my case it is set BOOT flash:/ap3g2-k9w8-mx.153-3.JBB1/ap3g2-k9w8-mx.153-3.JBB1

Sunday, July 23, 2017

How EAP-PEAP (Protected EAP) Works in Wireless Security

EAP (Extensible Authentication Protocol) is used to authenticate users in several technologies. Common examples are WPA/WPA2-Enterprise wireless networks, wired 802.1X ports and PPP (point-to-point) links.

If you want to understand the basics of the 802.1X/EAP concept please refer to this.

EAP itself only defines the packet framing and the four packet codes of an authentication dialog (Request, Response, Success, Failure). It does not define how the peer is actually authenticated; that is left to the EAP methods.

The different EAP methods (identified by different type numbers and names) define the different authentication mechanisms (the way authentication occurs).

The most commonly used EAP methods are EAP-TLS, PEAP & EAP-FAST.

EAP-PEAP

EAP-PEAP (Protected EAP) is an authentication mechanism that needs a certificate only on the server side. The RADIUS server proves its identity with its certificate, a TLS tunnel is built, and the client is then authenticated inside that tunnel, usually with a username and password, so no certificates have to be deployed to the clients.

Note:- A certificate is a public key bound to an identity and signed by a trusted certificate authority (CA).
When PEAP is used the following steps take place.
The first 4 steps are common to any EAP method (basic wireless connectivity).

(1) The client sends 802.11 Open Authentication Request
(2) AP sends 802.11 open Authentication Response
(3) The client then sends the Association Request
(4) AP sends Association Response

At this point the AP blocks all traffic from the supplicant, except EAPOL, until authentication completes.

(5) The AP/WLC sends an EAP-Request/Identity asking for the supplicant identity (the supplicant may prompt this with an EAPOL-Start)
(6) The client sends its identity to the AP/WLC
(7) The AP/WLC forwards the supplicant identity to the RADIUS server
(8) The RADIUS server starts a TLS handshake through the AP/WLC and sends its certificate to the client
(9) The client verifies the server certificate against its trusted CA, then generates the TLS pre-master secret and sends it encrypted with the server's public key (with an (EC)DHE cipher suite the secret is agreed by the key exchange instead of being encrypted)

Now both the client and the RADIUS server have keys to encrypt the messages they exchange. But only the server has been authenticated (by its certificate), so the client still needs to be authenticated. Therefore a second authentication phase starts inside the TLS tunnel (EAP inside the first EAP/TLS exchange, hence the name Protected EAP) where the client is authenticated with a username and password using EAP-MSCHAPv2 (PEAPv0) or EAP-GTC (PEAPv1).

(10) The RADIUS server asks the client, inside the tunnel, to send its credentials
(11) The client sends its credentials (an MSCHAPv2 challenge/response for PEAPv0) to the RADIUS server

If the inner authentication succeeds, the RADIUS server derives the main key for the client's traffic from the TLS master secret. This key is called the Pairwise Master Key (PMK).

(12) The RADIUS server generates the PMK (the first 32 bytes of the EAP Master Session Key)
(13) The RADIUS server sends the PMK to the AP/WLC in the Access-Accept (MS-MPPE-Recv-Key attribute, obfuscated with the RADIUS shared secret) together with the EAP-Success
(14) The AP/WLC uses the PMK to generate the encryption keys for the client traffic

Note:- The RADIUS server does not keep the PMK; it generates it and hands it over to the WLC. The client derives the same PMK from its own side of the TLS handshake, so the PMK never crosses the air.
Note:- The certificate check in step 9 is what protects the password. A supplicant configured not to validate the server certificate (or to trust any CA without checking the server name) will happily build the tunnel to a rogue RADIUS server behind an evil-twin AP and hand it the MSCHAPv2 challenge/response, which can then be cracked offline. Pin the issuing CA and the expected server name on the clients.
At this point the work of EAP-PEAP is done. But in the real world (WPA/WPA2) there are some more steps (the 4-way handshake) to secure the traffic of the client. I will describe it in a later post about WPA/WPA2.


Saturday, July 22, 2017

How EAP-TLS (Transport Layer Security) Works in Wireless Security

EAP (Extensible Authentication Protocol) is used to authenticate users in several technologies. Common examples are WPA/WPA2-Enterprise wireless networks, wired 802.1X ports and PPP (point-to-point) links.

If you want to understand the basics of the 802.1X/EAP concept please refer to this.

EAP itself only defines the packet framing and the four packet codes of an authentication dialog (Request, Response, Success, Failure). It does not define how the peer is actually authenticated; that is left to the EAP methods.

The different EAP methods (identified by different type numbers and names) define the different authentication mechanisms (the way authentication occurs).

The most commonly used EAP methods are EAP-TLS, PEAP & EAP-FAST.

EAP-TLS

EAP-TLS (Transport Layer Security) is an authentication mechanism that relies on certificates on both sides. A key pair (certificate & private key) is installed on every client and on the RADIUS server, and each side verifies the other's certificate, so the authentication is mutual.

Note:- A certificate is a public key bound to an identity and signed by a trusted certificate authority (CA).

When EAP-TLS is used the following steps take place.
The first 4 steps are common to any EAP method (basic wireless connectivity).

(1) The client sends 802.11 Open Authentication Request
(2) AP sends 802.11 open Authentication Response
(3) The client then sends the Association Request
(4) AP sends Association Response

At this point the AP blocks all traffic from the supplicant, except EAPOL, until authentication completes.

(5) The AP/WLC sends an EAP-Request/Identity asking for the supplicant identity (username); the supplicant may prompt this with an EAPOL-Start
(6) The client sends its identity to the AP/WLC
(7) The AP/WLC forwards the supplicant identity to the RADIUS server
(8) The RADIUS server starts a TLS handshake through the AP/WLC and responds with its certificate
(9) The client verifies the server certificate against its trusted CA and sends its own certificate, proving that it holds the matching private key by signing the handshake (CertificateVerify); the RADIUS server verifies the client certificate (chain, validity and, if configured, revocation)

Now both the client and the RADIUS server have keys to encrypt the messages they exchange, and both sides are authenticated. They use the TLS master secret of this session to derive the main encryption key for the client's traffic. This key is called the Pairwise Master Key (PMK).

(10) The RADIUS server generates the PMK (the first 32 bytes of the EAP Master Session Key)
(11) The RADIUS server sends the PMK to the AP/WLC in the Access-Accept (MS-MPPE-Recv-Key attribute, obfuscated with the RADIUS shared secret) together with the EAP-Success
(12) The AP/WLC uses the PMK to generate the encryption keys for the client traffic

Note:- The RADIUS server does not keep the PMK; it generates it and hands it over to the WLC. The client derives the same PMK from its own side of the TLS handshake, so the PMK never crosses the air.

At this point the work of EAP-TLS is done. But in the real world (WPA/WPA2) there are some more steps (the 4-way handshake) to secure the traffic of the client. I will describe it in a later post about WPA/WPA2.
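As an added example that is not part of this post or the PEAP post above, the following Python derives the keys both posts end with from the TLS handshake values, the way RFC 5216 (EAP-TLS) specifies: Key_Material = TLS-PRF-128(master_secret, "client EAP encryption", client.random || server.random), the MSK is the first 64 bytes, the EMSK the next 64, and the 802.11 PMK is the first 32 bytes of the MSK (the same 32 bytes the RADIUS server ships as MS-MPPE-Recv-Key). PEAPv0 uses the same label for its tunnel keys; PEAPv1 used a different one. The PRF implemented is the TLS 1.2 one (P_SHA256), so it does not cover TLS 1.0/1.1 handshakes or the TLS 1.3 exporter-based derivation. The master secret and randoms are constructed values, not taken from a real capture.

```python
import hashlib
import hmac
from typing import Dict

EAP_TLS_LABEL = b"client EAP encryption"   # RFC 5216 2.3; PEAPv0 uses the same label


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label || seed) expanded to `length` bytes."""
    seed = label + seed
    out, a = b"", seed                                              # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) || seed)
    return out[:length]


def eap_tls_keys(master_secret: bytes, client_random: bytes,
                 server_random: bytes) -> Dict[str, bytes]:
    """Derive MSK/EMSK per RFC 5216 2.3 and the 802.11 PMK (first 256 bits of the MSK).

    The RADIUS server sends MSK[0:32] as MS-MPPE-Recv-Key and MSK[32:64] as
    MS-MPPE-Send-Key in the Access-Accept; the WLC takes MS-MPPE-Recv-Key as the PMK.
    """
    if len(master_secret) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS master secret is 48 bytes, each random is 32 bytes")
    key_material = tls12_prf(master_secret, EAP_TLS_LABEL,
                             client_random + server_random, 128)
    msk, emsk = key_material[:64], key_material[64:128]
    return {
        "MSK": msk,
        "EMSK": emsk,
        "MS-MPPE-Recv-Key": msk[:32],
        "MS-MPPE-Send-Key": msk[32:64],
        "PMK": msk[:32],
    }


if __name__ == "__main__":
    # Constructed handshake values; a real supplicant takes them from its TLS session.
    keys = eap_tls_keys(b"\x11" * 48, b"\x22" * 32, b"\x33" * 32)
    for name, value in keys.items():
        print(f"{name:17s} {value.hex()}")
```

Because the PMK is a pure function of the TLS session, anyone who can read the master secret (for example from a supplicant's key log) can compute the PMK and, with the 4-way handshake, the client's traffic keys; the RADIUS shared secret only protects the copy that travels to the WLC.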


Note:- EAP-TLS is the most secure of the common methods (mutual certificate authentication, no password to phish or crack), but a certificate must be issued to and installed on every client, so it is not as widely used now that enterprises are moving towards BYOD. Automated enrolment (SCEP through an MDM, for example) is what makes it practical at scale.

Friday, July 21, 2017

802.1X/EAP Authentication Concept in Wireless Security

WEP (Wired Equivalent Privacy) uses one single key for all users of the WLAN, and once that key is recovered (which is easy with the tools in Kali Linux) the whole WLAN is compromised. So a new security concept was needed which separates authentication from encryption and gives every user their own session keys. Using 802.1X and EAP (Extensible Authentication Protocol), IEEE offered a better solution, which is what WPA/WPA2 (Wi-Fi Protected Access) Enterprise uses nowadays.

802.1X

This is the IEEE standard for port-based network access control. 802.1X defines the following 3 roles..

1. Supplicant = the end point which wants to access the network
2. Authenticator = the point of connection to the network
3. Authentication Server = the server which actually authenticates the users

When a supplicant connects to the authenticator, the authenticator keeps its port closed for everything except authentication-related exchanges (EAPOL) and asks the supplicant for credentials. The authenticator then passes the received credentials to the authentication server. The authentication server responds to the authenticator with either a success or a failure message. If the response is a success, the port is opened and user traffic is allowed.

In the wireless world, the AP (or the AP/WLC pair in a centralized network) acts as the authenticator.
Following steps will take place..
First 4 steps are about basic wireless connectivity.

(1) The client sends 802.11 Open Authentication Request
(2) AP sends 802.11 open Authentication Response
(3) The client then sends the Association Request
(4) AP sends Association Response
At this point the AP blocks all traffic from the supplicant, except EAPOL, until authentication completes..
(5) The 802.1X/EAP exchange starts at this point (EAPOL frames between supplicant and AP, RADIUS between the AP/WLC and the server)..
(6) When the 802.1X/EAP exchange is successful, the client traffic is allowed through the AP..

RADIUS (Remote Authentication Dial-In User Service) is the main protocol used between the authenticator and the authentication server in 802.1X deployments. The supplicant exchanges 802.1X (EAPOL) frames with the authenticator; the authenticator takes the EAP packets out of those frames, wraps them in RADIUS EAP-Message attributes and forwards them to a RADIUS server, and does the reverse for the server's replies.

So 802.1X and RADIUS are the transport protocols for the authentication dialog between the supplicant and the authentication server.

Note:- RADIUS uses UDP port 1812 for authentication and authorization and UDP 1813 for accounting (older implementations used 1645 and 1646). RADIUS has no transport encryption: the authenticator and the server share a secret that is used to authenticate packets (the Message-Authenticator attribute, an HMAC-MD5) and to obfuscate a few attributes such as the password and the session keys. Keep the AP/WLC-to-RADIUS path on a trusted network, use a long random shared secret per client, or use RadSec (RADIUS over TLS).

That authentication dialog is what EAP defines..
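As an added example (not code from the original post), the following Python builds the RADIUS Access-Request an authenticator sends for an EAP exchange and checks its Message-Authenticator, the HMAC-MD5 over the whole packet keyed with the shared secret (RFC 2865 packet format, RFC 3579 for the EAP attributes). It also shows the RFC 2865 User-Password hiding used for non-EAP logins, which is an XOR with MD5(secret || previous block), not real encryption, so the shared secret is all that protects it. The shared secret, user name, EAP payload and helper names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length (value + 2), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password too long")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: anyone with the secret and the packet recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, secret: bytes, username: bytes,
                         eap_message: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request carrying an EAP-Message. Message-Authenticator is mandatory
    whenever EAP-Message is present (RFC 3579 3.2) and is computed over the packet
    with its own value zeroed."""
    request_auth = request_auth or os.urandom(16)   # Request Authenticator: 16 random bytes
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_EAP_MESSAGE, eap_message)
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18])   # type, length; value appended below
    length = HEADER_LEN + len(attrs) + 16
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_auth
    unsigned = header + attrs + b"\x00" * 16           # MAC field zeroed while signing
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return header + attrs + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 with the Message-Authenticator zeroed and compare in constant
    time. A packet without the attribute is rejected, as RFC 3579 requires for EAP."""
    if len(packet) < HEADER_LEN:
        return False
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    i = HEADER_LEN
    while i + 2 <= len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[i + 2:i + 18]
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        i += attr_len
    return False


if __name__ == "__main__":
    secret = b"radius-shared-secret"                        # constructed; real ones are long and random
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"alice"       # EAP Response/Identity "alice"
    pkt = build_access_request(7, secret, b"alice", eap_identity)
    print("Access-Request:", pkt.hex())
    print("authentic:", verify_message_authenticator(pkt, secret))
    print("tampered :", verify_message_authenticator(pkt[:22] + b"b" + pkt[23:], secret))
```

The verifier walks the attributes instead of trusting a fixed offset, and it fails closed when the attribute is absent: a RADIUS server that accepts EAP requests without a Message-Authenticator lets anyone who can reach UDP 1812 forge them.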

EAP (Extensible Authentication Protocol)

802.1X itself does not contain a method for wireless clients to send their credentials to the authentication server, nor does it specify how the authentication should occur. To fill that gap, 802.1X carries EAP (an IETF protocol, RFC 3748).

EAP only defines the packet framing and the four packet codes of an authentication dialog (Request, Response, Success, Failure). It does not define how the peer is actually authenticated; that is left to the EAP methods.

The different EAP methods (identified by different type numbers and names) define the different authentication mechanisms (the way authentication occurs)..
Ex:- EAP-TLS, PEAP, EAP-FAST

If you want to know how EAP-TLS works go here.
If you want to know how PEAP works go here.

Thursday, July 20, 2017

Light Weight Access Point Registration Process with Cisco WLC

This is a 4-step process: getting an IP address, finding WLCs, selecting a WLC, and registering with the primary WLC.. In lightweight mode the APs act as simple end points of the Wireless LAN Controller. All they need is to find a WLC and build their CAPWAP tunnel to it; the controller then handles the user traffic and the AP configuration..

Step 01: Getting an IP address

AP can be assigned an IP address in 2 methods..
1. Static assignment
2. DHCP

If it is not configured statically, it will send a DHCP discover to find a DHCP server to get an IP address along with other network details.. Nothing amazing here as this is what any end point will do when it is plugged in to a network..


Step 02: Finding WLCs

There are 2 WLC discovery methods in Cisco APs: L2 discovery & L3 discovery..
L2 discovery happens first..

Note:- LWAPP & CAPWAP are the 2 lightweight-mode protocols that allow APs to join WLCs. LWAPP stands for Lightweight Access Point Protocol and CAPWAP for Control And Provisioning of Wireless Access Points (RFC 5415). Both accomplish the same task in different ways. CAPWAP is the newer, standardized one and protects its control channel with DTLS; LWAPP is older and only supported on a few old platforms.

1. Layer 2 Discovery (supported only on a few old platforms, using LWAPP)
2. Layer 3 Discovery (supported on all platforms, with both LWAPP and CAPWAP)

Steps of L3 Discovery :-

(i). CAPWAP Discovery request broadcast on local subnet (IP broadcast).

(ii). CAPWAP Discovery request sent to controller IP addresses learnt via the OTAP feature.

When the feature called OTAP (Over-the-Air Provisioning) is enabled on a controller, APs that have already joined that controller advertise its address in neighbour messages sent over the air. New APs attempting to discover controllers receive these messages and unicast a discovery request to each controller; the WLCs unicast a discovery response back.

(iii). CAPWAP discovery request sent to all locally stored WLC IP addresses.

APs maintain a list of WLC IPs previously learnt in its NVRAM. They send unicast messages to these IP addresses. WLCs unicast discovery response to APs after receiving these messages.

(iv). CAPWAP discovery request sent to IP addresses learnt from DHCP option 43.

DHCP option 43 carries the management IP address(es) of the WLC(s); you configure it on the DHCP server that serves the AP subnet.

(v). CAPWAP discovery request sent to the IP addresses resolved from the DNS name
CISCO-CAPWAP-CONTROLLER.localdomain
where localdomain is the domain name the AP learnt from DHCP (older APs also try CISCO-LWAPP-CONTROLLER).

If a WLC gets a discovery request from any of the steps above, it sends a unicast response to the AP.
The AP runs all these steps to build a list of candidate WLCs. This is called the WLC hunting algorithm.

WLC Hunting Algorithm :-

1. If L2 discovery is supported, send a discovery request in an Ethernet broadcast
2. If L2 discovery is not supported or step 1 fails to find a WLC, proceed to L3 discovery
3. If L3 discovery fails to find  a candidate WLC, reboot and return to step 1
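As an added example (not from the original post), here is how the DHCP option 43 value that Cisco lightweight APs look for in step (iv) is built and decoded. The sub-option layout is Cisco's: type 0xf1 (241), a length byte equal to 4 times the number of controllers, then the controller management IPv4 addresses. The controller addresses and the function names are made up for the example.

```python
import ipaddress
from typing import List

CISCO_WLC_SUBOPTION = 0xF1  # sub-option 241: list of WLC management IPv4 addresses


def build_option43(controllers: List[str]) -> bytes:
    """Return the raw DHCP option 43 payload for the given WLC management IPs.

    Layout: 0xf1 | 4*n | ip1 ip2 ... ipn  (one sub-option, n controllers).
    """
    if not controllers:
        raise ValueError("at least one controller address is required")
    addrs = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(addrs) > 255:  # the sub-option has a single length byte
        raise ValueError("too many controllers for one sub-option")
    return bytes([CISCO_WLC_SUBOPTION, len(addrs)]) + addrs


def parse_option43(payload: bytes) -> List[str]:
    """Walk the TLV sub-options and return the WLC addresses from sub-option 0xf1.

    Other sub-options are skipped; a truncated TLV or a controller list whose
    length is not a multiple of 4 is rejected rather than guessed at.
    """
    controllers: List[str] = []
    i = 0
    while i + 2 <= len(payload):
        sub_type, sub_len = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError("truncated sub-option")
        if sub_type == CISCO_WLC_SUBOPTION:
            if sub_len % 4:
                raise ValueError("controller list length is not a multiple of 4")
            controllers += [str(ipaddress.IPv4Address(value[j:j + 4]))
                            for j in range(0, sub_len, 4)]
        i += 2 + sub_len
    return controllers


def ios_option43_hex(controllers: List[str]) -> str:
    """Format the payload as the dotted hex string a Cisco IOS DHCP pool takes,
    e.g.  option 43 hex f104.c0a8.3233"""
    h = build_option43(controllers).hex()
    return ".".join(h[k:k + 4] for k in range(0, len(h), 4))


if __name__ == "__main__":
    # Constructed example: two controller management addresses on the WLC VLAN.
    wlcs = ["192.168.50.51", "192.168.50.52"]
    raw = build_option43(wlcs)
    print("option 43 hex", ios_option43_hex(wlcs))
    print("decoded:", parse_option43(raw))
```

Whatever this option says is where the AP will try to join, so the DHCP service on the AP VLAN has to be trusted (DHCP snooping with only the real server port trusted); the DTLS certificate check in the join step stops a rogue controller from actually taking the AP over, but a spoofed address still keeps the AP from joining the right one.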


Step 03: Selecting WLCs

WLCs embed the following important information in the LWAPP/CAPWAP Discovery response
1. The controller sysName - hostname of WLC
2. The controller type - platform
3. The controller AP capacity and its current AP load
4. The master controller flag
5. The AP manager IP address

The AP uses this information to make a controller selection

1. If the LAP has been previously configured with primary, secondary and tertiary controller, the LAP will attempt to join these first (specified using the controller sysName)
2. Attempt to join a WLC configured as a master controller
3. Attempt to join a WLC with the greatest excess capacity


Step 04: Registering with the Primary WLC

1. The AP sends a join request first..
The join is done over a DTLS session; the AP presents its X.509 certificate (the manufacturer-installed certificate, MIC), which the WLC validates.

2. The WLC then sends a join response..
The join response indicates that the AP is registered and carries the X.509 certificate of the WLC, which the AP validates. Because the control channel is mutually authenticated this way, a rogue controller that merely has the right IP address (for example through a spoofed DHCP option 43) cannot complete the join.

After the join is complete, the following happens between the WLC & AP..
- The LAP firmware is synchronized with the WLC's image if it does not match
- The WLC provisions the LAP with its configuration parameters (SSIDs, security, QoS, etc.)

Now the registration is complete. If the primary controller fails, the AP registers with the secondary controller in its list..

Friday, July 7, 2017

Create a Local User Who Can Only View Running-Config in Cisco IOS

You may need to create a user who cannot do anything except view the running-config, for example when creating accounts for third parties. The problem is the privilege-level architecture of Cisco IOS: a user only sees the parts of the configuration they are allowed to modify. So if a user is given level 7 and you move the show running-config command down to level 7, the output stays almost empty because the configuration commands still live at level 15. If you move configure terminal down to level 7 to correct that, the user gains access to all the configuration commands.

So if you only need a user who can view the running-config, you can simply do this..

Create a username with level 15 (use secret, not password, so the hash stored in the config is not reversible)
Router(config)#username TEST privilege 15 secret cisco

Specify show run as the command to run automatically at login; the session is closed when it finishes
Router(config)#username TEST autocommand show run

Of course you will need to specify the local login method on the telnet/SSH/console lines the user will use
Router(config)#line vty 0 4
Router(config-line)#login local

Note:- The account is still privilege 15 in the local database. The autocommand only applies to EXEC sessions on those lines; any other service that authenticates against the same local database (for example the HTTP server with ip http authentication local, or a line that uses login local but no autocommand) gives this user full level-15 access, so disable those services or put them on a separate AAA method list.

Monday, June 26, 2017

Block Connectivity Between Hosts in a VLAN by Protected Port Config of a Switch

This is a simpler variation of PVLANs. With a single command you can stop communication between 2 hosts in the same VLAN.

The topology is simple: the server and the 2 PCs are in one VLAN (one broadcast domain) and have IP addresses from the same range.

The requirement is to block PC-A from accessing PC-B, while both PCs must still be able to access the server. This can be achieved by configuring the two PC ports as protected ports.

Note:- This config is local to the switch..


The concept: protected ports never forward traffic (unicast, multicast or broadcast) to each other, but they can communicate with any unprotected port. Traffic between two protected ports can only pass through a Layer 3 device.

SW(config)#int e0/1
SW(config-if)#switchport protected

SW(config)#int e0/2
SW(config-if)#switchport protected

Now the data traffic will not be forwarded in between  e0/1 and e0/2 ports.


Now let's look at trunk port scenarios..
All ports are in one VLAN..


Scenario 1
If e0/3 of SW is a protected port:
nothing coming from SW-2 can reach PC-A, but it can reach the Server..
Reason:- e0/1 and e0/3 are both protected ports..

Scenario 2
If e0/3 of SW is an unprotected port &
e0/0 of SW-2 is a protected port:
all the tra­ffic from SW-2 can reach any port of SW..
Reason:- protected port configuration is local to the switch..

Scenario 3
If e0/0 of SW-2 is a protected port &
e0/1 of SW-2 is a protected port:
PC-B cannot reach any port of SW..
Reason:- PC-B's port and the trunk to SW are both protected ports on SW-2..

Tuesday, June 20, 2017

How to Partition Layer 2 Broadcast Domain of a VLAN by Configuring PVLANs

A PVLAN (Private VLAN) partitions the Layer 2 broadcast domain of a VLAN into sub-domains. This is useful when your devices need to be in the same VLAN (IP range) but you need to control which of them can talk to each other, for example servers in a DMZ or customer hosts in a shared subnet.

There are 3 types of VLANs involve when we configure PVLANs..

1) Primary VLANs
2) Isolated VLANs
3) Community VLANs

The Primary VLAN is the normal VLAN we create. It is the parent broadcast domain which we partition using the Isolated & Community VLANs, which are called Secondary VLANs..

There are 3 types of ports, depending on the type of VLAN assigned to them..

1) Promiscuous ports - the Primary VLAN is assigned
2) Isolated ports - an Isolated VLAN is assigned
3) Community ports - a Community VLAN is assigned

The concept is simple;
A Promiscuous port can communicate with any other port (Isolated, Community)..
An Isolated port can only communicate with Promiscuous ports; it cannot communicate with other Isolated ports, even those in the same Isolated VLAN (a Primary VLAN can have only one Isolated VLAN).
A Community port can communicate with Promiscuous ports and with the other Community ports of the same Community VLAN only..

Let's see the configuration..

Here I am going to create;
Primary VLAN (100)
Isolated VLAN (200)
Community VLANs
- Community-A (VLAN 300)
- Community-B (VLAN 400)

Note:- VTP version 1 and 2 do not carry PVLAN configuration, so with VTPv1/v2 the switch must be in VTP transparent mode to configure PVLANs. Only VTPv3 propagates them..

Also note that not every Cisco switch supports PVLANs..

Configuration of the Community VLANs
SW(config)#vlan 400
SW(config-vlan)#private-vlan community
SW(config)#vlan 300
SW(config-vlan)#private-vlan community

Configuration of the Isolated VLANs
SW(config)#vlan 200
SW(config-vlan)#private-vlan isolated

Configuration of the Primary VLAN
SW(config)#vlan 100
SW(config-vlan)#private-vlan primary
SW(config-vlan)#private-vlan association 200,300,400

Configuration of the Promiscuous port
SW(config)#int e0/0
SW(config-if)#switchport mode private-vlan promiscuous
SW(config-if)#switchport private-vlan mapping 100 200,300,400

Configuration of the Isolated ports
SW(config)#int range e0/1-2
SW(config-if)#switchport mode private-vlan host
SW(config-if)#switchport private-vlan host-association 100 200

Configuration of the Community-A ports
SW(config)#int range e1/1-2
SW(config-if)#switchport mode private-vlan host
SW(config-if)#switchport private-vlan host-association 100 300

Configuration of the Community-B ports
SW(config)#int range e2/1-2
SW(config-if)#switchport mode private-vlan host
SW(config-if)#switchport private-vlan host-association 100 400

Show Commands to verify the PVLAN configurations..
SW#show vlan private-vlan
SW#show int e0/0 switchport

Now you can test the connectivity after assigning IP address to the PCs in the same range..

Note:-
The default gateway (a router) should always be connected to the Promiscuous port so that all the PCs can reach it. But a router on that port can also hairpin traffic: if it answers ARP on behalf of the isolated hosts (local proxy ARP) or is otherwise used as the next hop for them, the PCs end up communicating with each other through the default gateway, like router-on-a-stick inter-VLAN routing, which bends the PVLAN rules..
You can stop this with an ACL on the router interface that denies traffic from the subnet to the same subnet (and by leaving local proxy ARP disabled)..

Sunday, June 18, 2017

A Note on Syslog Logging System of Cisco IOS Devices

Network devices generate messages when something happens. The logging system for these messages is called syslog. The messages help to identify what is happening during troubleshooting, what happened on the device for a later root-cause analysis and, when they are collected centrally, what an intruder did (failed logins, configuration changes, interface flaps).

You can view Syslog messages on Cisco CLI using following commands

On Console Line;
R(config)#logging console

On Terminal VTY (SSH, Telnet);
R#terminal monitor

Full Syslog message format in Cisco IOS is as following..

seq no:timestamp: %facility-severity-MNEMONIC: event

Seq No: 
A sequence number to identify the message as by order.
This is useful because some times the output can be out of order on the screen.
You will not see this often because it is disabled by default.
Following command will enable the Seq no,
R(config)#service sequence-numbers

Timestamp:
Date and time of the message or event.
Modern IOS enables log timestamps in its default configuration; if they are missing you will want them back, because the time at which an event triggered is essential when correlating logs. The following command enables them (add the msec, localtime and show-timezone keywords for millisecond precision and an unambiguous time zone), and synchronize the device clock with NTP, otherwise the timestamps are prefixed with '*' to mark a clock that is not authoritative.
R(config)#service timestamps log datetime

Facility: 
This tells the protocol, module, or process that generated the message.
Following are the common facilities you may encounter.
SYS for the operating system
IF for an interface
LINK for physical links
LINEPROTO for line protocol

Severity:
A number from 0 to 7 designating the importance of the action reported; the lower the number, the more severe the event.
The levels are:

0 emergencies - system is unusable
1 alerts - immediate action needed
2 critical - critical conditions
3 errors - error conditions
4 warnings - warning conditions
5 notifications - normal but significant conditions
6 informational - informational messages
7 debugging - debugging messages

Levels 0 through 4 are for events that could seriously impact the device, whereas levels 5 through 7 are for less-important events.
By default, syslog servers receive level 6 (informational) and more severe messages, while the console and the buffer receive everything including level 7 (debugging).

To change the minimum severity level that is shown on the console, use the following command.
R(config)#logging console <severity level>

To change the minimum severity level that is shown on the terminal, use the following command.
R(config)#logging monitor <severity level>

If you specify a level, that level and all the more severe (numerically lower) levels will be displayed.
For example, with the logging console warnings command, emergencies, alerts, critical, errors and warnings are displayed, while notifications, informational and debugging messages are not.

MNEMONIC
A string that describes the message in short.

Event
A plain-text description of the event that triggered the Syslog message.


Now let's analyze a typical Syslog message
*Jun 16 16:41:14.958: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up

Seq No: none (not configured)
Timestamp: Jun 16 16:41:14.958
FACILTY: LINK
SEVERITY level: 3 (errors)
MNEMONIC: UPDOWN
Event: Interface Ethernet0/0, changed state to up
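As an added example that is not part of the post, here is a small Python parser for this message format, plus the same "this level and everything more severe" filter that logging trap applies. The four sample lines are constructed (the first one is the message analysed above); the timestamp-flag handling follows the IOS convention that a leading '*' marks a clock that is not authoritative (no NTP sync) and a leading '.' one that was synchronized once but has since lost sync.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: event
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?:(?P<sub>[A-Z0-9_]+)-)?"
    r"(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<event>.*)$"
)
# Optional syslog PRI (<189>), optional sequence number (6+ digits, as
# 'service sequence-numbers' prints it) and optional timestamp with its clock
# flag.  The timestamp may be a datetime or an uptime ("1w2d"), so it is taken
# as whatever precedes the final ': ' of the prefix.
PREFIX_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?:(?P<seq>\d{6,}):\s*)?(?:(?P<flag>[*.])?(?P<ts>[^%]*?):\s*)?$"
)


@dataclass
class CiscoSyslog:
    seq: Optional[str]
    timestamp: Optional[str]
    clock_authoritative: bool   # False when flagged '*' or '.', or when there is no timestamp
    facility: str
    subfacility: Optional[str]
    severity: int
    mnemonic: str
    event: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[CiscoSyslog]:
    """Parse one IOS log line; returns None for lines without a %FAC-SEV-MNEMONIC."""
    m = MSG_RE.search(line.rstrip())
    if not m:
        return None
    p = PREFIX_RE.match(line[:m.start()])
    if not p:
        return None
    ts = p.group("ts") or None
    return CiscoSyslog(
        seq=p.group("seq"),
        timestamp=ts,
        clock_authoritative=bool(ts) and p.group("flag") is None,
        facility=m.group("facility"),
        subfacility=m.group("sub"),
        severity=int(m.group("sev")),
        mnemonic=m.group("mnemonic"),
        event=m.group("event"),
    )


def at_or_above(lines: List[str], trap_level: int) -> List[CiscoSyslog]:
    """Mirror 'logging trap <level>': keep messages whose severity number is <= level."""
    kept = []
    for line in lines:
        msg = parse_line(line)
        if msg and msg.severity <= trap_level:
            kept.append(msg)
    return kept


# Constructed sample lines (the first is the message analysed in the post).
SAMPLE_LINES = [
    "*Jun 16 16:41:14.958: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up",
    "000042: Jun 16 16:42:01.001 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<188>Jun 16 16:43:09.120 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed] at 16:43:09 UTC Fri Jun 16 2017",
    "1w2d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down",
]

if __name__ == "__main__":
    for msg in at_or_above(SAMPLE_LINES, 4):   # what 'logging trap warnings' would forward
        print(msg.severity_name, msg.facility, msg.mnemonic, "-", msg.event)
```

Note that with trap level warnings the SYS-5-CONFIG_I line is dropped although a configuration change is exactly what a security team wants to see; the severity number reflects the vendor's idea of operational impact, not security relevance, so set the trap level (or a per-message filter on the collector) accordingly.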

Storing Syslog Data

By default a Cisco IOS device stores its syslog messages in a small internal buffer (4096 bytes on most platforms), which is lost on reboot and quickly overwritten.
You can increase the buffer size with the following command.
R(config)#logging buffered <size>

Or you can configure a dedicated syslog server to store the syslog data and give its IP with the following command;
Router(config)#logging <ip address of the syslog server>

To change the minimum severity level that is sent to the server, use the following command.
Router(config)#logging trap <severity level>

The server must run syslog software (rsyslog, syslog-ng, a SIEM collector) listening on UDP 514 to capture the messages. Note that IOS sends them unencrypted and unauthenticated, so send them over a trusted management network, pick the source address with logging source-interface, and keep the log server itself hardened, since it is where an intruder's traces end up.

Tuesday, June 13, 2017

Active Directory Directory Services (ADDS) Structure Essentials

Cisco equipment is a large part of what makes the Internet work, while Windows Active Directory Domain Services (AD DS) is what makes businesses work.

So network engineers should have at least a basic understanding of how it is structured to serve an enterprise environment.




This post is just about the basic architecture concepts about ADDS.. Not an in detail explanation..

Domain Controllers

Like Exchange servers control email services, Domain Controllers are the servers that host AD DS, the directory that holds the identities and security permissions of a Windows environment. It is the server the system administrators configure to allow or block certain users or computers from accessing certain resources (email, VPNs, applications, file servers, printers, etc.) in a network. Being the root of trust for the whole domain, it is also the most valuable target in the network.

Accounts

There are 2 types of accounts in AD
1) User Accounts
2) Computer Accounts

You can set permissions / apply polices to individual Accounts or Groups.

Schema

The attributes that a User Account, a Computer Account or any other object can carry are defined in a structure called the Schema..

Ex:- Schema attributes of a User Account
username (sAMAccountName):
email address (mail):
extension:

In Windows AD the Schema is extensible: new attributes and object classes can be added (Exchange, for example, extends it when it is installed)..

Groups

Groups are used to apply security..
Administrators create Groups, assign User Accounts / Computer Accounts to them and set policies and permissions for the Groups, which affect all members of that Group.

There are 2 types of Groups.
1) Security Groups
2) Distribution Groups

Security Groups are the normal Groups you will see day to day.. They are used to apply security policies and permissions.
Distribution Groups are primarily used by email applications and cannot be used in permissions..

Groups can also be nested: a Group can be made a member of another Group..

Ex:- We have a Sales group and an HR group in our company. These are Global Groups, and Global Groups can be placed into a Domain Local Group; a permission applied once to that Domain Local Group then affects all members of both Groups.. (This is the AGDLP pattern: Accounts into Global groups, Global groups into Domain Local groups, Permissions on the Domain Local groups.)

Note that a user can be a member of several Groups, and individual Accounts can also be mixed with Groups as members..





These Domain Local & Global scopes are 2 of the Group scopes. Actually there are 3 scopes.
1) Global Groups
2) Domain Local Groups
3) Universal Groups

Scopes are determined by 3 characteristics..

Replication - Where Group is created and where it is replicated..
Membership - What members the Group can have..
Availability - Where can the Group be used..

If you need more info about Group Scopes you can find them here.

Organizational Units (OU)

Organizational Units are containers (not Groups) used to organize accounts and to apply policy: Group Policy Objects are linked to OUs..
They are created for administrative purposes,
which means administration of an OU can be delegated to a specific Administrator without giving them rights over the whole Domain.

Domain & Sub Domains / Child Domains

A Domain is all the users and all the computers which are tied to the Domain Controllers' AD DS..
Sub Domains / Child Domains are subsets of the parent domain. Actually a Sub Domain is a separate Domain in the same network with its own Domain Controllers, but it shares the Schema (and the configuration and the Global Catalog) of the forest it belongs to. Sub Domains can also have their own Sub Domains..

Ex:- google.com and it's sub domains like asia.google.com & europe.google.com
europe.google.com can have sub domains like east.europe.google.com & west.europe.google.com

Trust

When you create Sub Domains to Domains, automatically a 2-Way Trust happens.
And within those 2 Sub Domains a 2-Way Transitive Trust happens.

Which means;
google.com trusts asia.google.com and vice versa
google.com trusts europe.google.com and vice versa

Then asia.google.com trusts europe.google.com and vice versa, which we call a "Transitive Trust".

Trust simply means that the Admin of google.com can give permissions to a user account from asia.google.com to access resources of google.com and vice versa..

In a Transitive Trust the Admin of europe.google.com can give permissions to a user account from asia.google.com to access resources of europe.google.com and vice versa..

A user can access resources of another Domain using his username and password if the Admin of that Domain permits..

Tree

Because all Sub Domains share the same google.com namespace, we say they are in the same Tree.
So a Tree is the entity you get when you add Sub Domains to a Domain.

Forest

A Forest is the entity you get when you join two or more Domains together with a Trust.
What distinguishes the Domains from each other is the difference in their Schema.

Ex:- When google.com buys blogspot.com there is a Forest..

When two Domains are trusted, 2-Way Trusts do not happen automatically as they do between Domains and Sub Domains. Admins can only create a One-Way Trust, so if a 2-Way Trust is required, Admins should create two One-Way Trusts.

Sunday, June 11, 2017

Basic Installation of Microsoft Windows Server 2012 R2 in VMware Workstation

Download the ISO file, you can do this from original Microsoft site as an evaluation copy too.
Next go to VMware and go to File > New Virtual Machine > Typical > I will install the operating system later, select Windows Server 12, and specify the name of the server and the location where it will be installed.
60 GB will be enough for the hard disk space for my labs and I will store it as a single file.
It is better if you can give at least 4 GB for RAM and all the CPU cores available.
Don't forget to select the ISO image file from the CD ROM of the VM and make sure it is ticked to connect at power on before you begin.

Now let's start installing it by powering on the VM..

It will take some time to pop this up.
Select your preferences and hit Next..

I am selecting the standard server with a GUI..

From this step onward, it is like installing a normal Windows PC operating system.. Just choose your preferences and hit Next..

After the installation, it will reboot and ask for the password of the Administrator account..

After the settings are finalized, you will be able to log in with the Administrator password you gave.
You will see the following Dashboard..

Now it's better to install the VMware tools for smoother operation..
Go to VM > Install VMware tools
Now go to the Start Menu of Server 2012 > This PC and double click on the CD ROM, which will lead you through installing VMware tools. A few Nexts later it will be done, and the machine will reboot.

The first thing you will need is to change the IP address to a static IP. You will also need to turn off the Server's Firewall, or add some exceptions to it, to allow pings from your routers when checking connectivity. Both activities are just like on your Windows PC.

By default it will assign itself a hostname. You can change it from the Properties of This PC, just like you do on your Windows PC. It will ask for a reboot.

Sunday, May 14, 2017

Initial Connectivity to FortiGate in EVE / UNL (FortiGate-VM64-KVM)

You can use the FortiGate-VM64-KVM image in EVE for lab use. Upload it to your EVE machine's qemu folder as you would any other qemu image and create a new lab.

Following are the settings of my EVE machine which runs in VMware Workstation.

The important thing here is the 1st network adapter, which is the one I use to log into the EVE machine. Typically you would have the same setup: it is the NAT adapter.

Go to Edit > Virtual Network Editor to see the IP range assigned for your NAT adapter..

It is the 10.1.1.0/24 range. Actually you don't even need to look this up, because it is the IP range your EVE machine is in. Ex:- My EVE machine is assigned 10.1.1.200

But if you are using some other VMnet ex:- VMNet1 which is the Host-only adapter, you would have to see this to define the IP address you are going to assign to your Fortigate..

This is for the basic access. In actual hardware, we have several dedicated ports for Management, HA, WAN, LAN etc. We don't have such ports here. All are just equal type ports and by default there will be 4 ports. Of course you can add many as you want later..

Select the Fortigate from menu and wire it up with Cloud 0 connection.
To add a Cloud 0 connection right click on work space and go to Networks.

Cloud 0 is directly connected to the 1st NIC (VMNet8 - NAT adapter in my case).

Now start the FortiGate and use your SSH client to access the terminal..

Default username is admin and there is no password.. Just hit enter, you will go to the privilege mode.

View the interface IP addresses with the following command; do not hit Enter at the end of the command, just type ? and a summary will be displayed.
FortiGate-VM64-KVM # show system interface ?

As you can see, there is no IP address assigned to any port. In actual hardware you will see the management interface which is with a factory assigned IP address..
Here you have to give it manually..

Enter the following commands to set the IP for port1, which is connected to Cloud 0 (NAT adapter). The next and end lines are needed to save the change; without them the new address is not applied.
FortiGate-VM64-KVM # config system interface
FortiGate-VM64-KVM (interface) # edit port1
FortiGate-VM64-KVM (port1) # set ip 10.1.1.50/24
FortiGate-VM64-KVM (port1) # next
FortiGate-VM64-KVM (interface) # end

Now view the interfaces again..
FortiGate-VM64-KVM # show system interface ?
Now you can see it is assigned. You should be able to ping it from your Windows command prompt from now on (if you also used the NAT adapter like I did).

Now go to a web browser and type 10.1.1.50 (or the IP you gave to your Forti) on URL field and hit enter..

Name is admin and enter without password.. Now you have your FortiGate working..

Friday, May 12, 2017

A Note on Access Control Lists & Access Group Command

Access Control Lists (ACLs) are used to identify and capture specific traffic, not to filter it by themselves. Access Group is the command we apply to an interface to filter the traffic captured by an ACL. So the application of ACLs is not limited to access control; they can be used in many situations where we need to capture specific traffic from a flow.

In Cisco IOS you can create an ACL in two ways; the result is the same:
- Globally in line
- NACL mode

There are 2 types of ACLs

(1) Standard ACLs
- Number can be 1-99 or 1300-1999 or Can be given a Name instead
- Based only on source IP
- Applied near to destination

(2) Extended ACLs
- Number can be 101-199 or 2000-2699 or Can be given a Name instead
- Based on source IP, Destination IP, Service (protocol), Port Number
- Applied near to source

Referring to the above diagram, in which routing is already configured correctly, let's configure ACLs.

Standard ACL

Let's assume that 10.1.10.0/24 must not access the server 10.1.30.30, but all other subnets must be able to..

Globally in line mode Syntax;
R(config)#access-list <number> <permit/deny> <source IP address> <wild card mask>

NACL mode Syntax;
R(config)#ip access-list <standard> <number/name>
R(config-std-nacl)#<permit/deny> <source IP address> <wild card mask>

Here are some different ways to configure it..

Via Globally in line mode;
R2(config)#access-list 10 deny 10.1.10.0 0.0.0.255
R2(config)#access-list 10 permit any

Via NACL mode;
R2(config)#ip access-list standard 10
R2(config-std-nacl)#deny 10.1.10.0 0.0.0.255
R2(config-std-nacl)#permit any

You can configure it with a name in NACL mode too..
R2(config)#ip access-list standard TEST
R2(config-std-nacl)#deny 10.1.10.0 0.0.0.255
R2(config-std-nacl)#permit any

Note: There is an implicit deny (deny any) at the end of every ACL which blocks everything not matched above it. So if you configure an ACL with a deny statement for specific traffic, you should permit all other traffic with the last line.

You should apply a Standard ACL near the destination because it only captures traffic based on the source IP. If it is applied near the source it will match all the traffic coming from that source and block everything at the 1st hop.

Here let's apply it on the e0/1 interface of R2 for outbound traffic..

Syntax;
R(config)#int e0/1
R(config-if)#ip access-group <number> <in/out>

Here is the actual command;
R2(config)#int e0/1
R2(config-if)#ip access-group 10 out

Now the ACL is configured and the access group is applied. The traffic will be filtered as intended.

Extended ACL

Let's assume that only http traffic from 10.1.20.0/24 must access the server 10.1.30.30 and all other traffic must be blocked..

Globally in line mode Syntax;
R(config)#access-list <number> <permit/deny> <protocol> <source IP address> <source wild card mask> <source port number> <destination IP address> <destination wild card mask> <destination port number>

NACL mode Syntax;
R(config)#ip access-list <extended> <number/name>
R(config-ext-nacl)#<permit/deny> <protocol> <source IP address> <source wild card mask> <source port number> <destination IP address> <destination wild card mask> <destination port number>

Here are some different ways to configure it..

Via Globally in line mode;
R1(config)#access-list 100 permit tcp 10.1.20.0 0.0.0.255 host 10.1.30.30 eq 80

I have ignored the source port number as it is irrelevant, but set the destination port to 80 for http (web) traffic, and I have used host instead of a wildcard mask because I am restricting access to the exact IP (single host) of the server. All other traffic will be denied by the implicit deny at the end of the ACL. If you configure an Extended ACL with a deny statement and you want to allow all other traffic, you should type permit ip any any as the last line.

Via NACL mode;
R1(config)#ip access-list extended 100
R1(config-ext-nacl)#permit tcp 10.1.20.0 0.0.0.255 host 10.1.30.30 eq 80

You can configure it with a name in NACL mode too..
R1(config)#ip access-list extended TEST
R1(config-ext-nacl)#permit tcp 10.1.20.0 0.0.0.255 host 10.1.30.30 eq 80

You can apply an Extended ACL anywhere but as a best practice it is better to apply it near to source. It will reduce unnecessary packets flowing through the network.

Here let's apply it on the e0/2 interface of R1 for inbound traffic..
Syntax is same as in standard ACLs..

Syntax;
R(config)#int e0/2
R(config-if)#ip access-group <number> <in/out>

Here is the actual command;
R1(config)#int e0/2
R1(config-if)#ip access-group 100 in
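As an added example (not the post's own code), here is a small Python model of how IOS evaluates an ACL: wildcard-mask matching, top-down first match, and the implicit deny at the end. It parses the post's ACL 10 and ACL 100 in the syntax shown above and runs constructed sample packets through them.

```python
import ipaddress

# Added example: models IOS ACL evaluation (first match wins, implicit deny any at the end).
def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse one ACE in the post's syntax (standard or extended) into a dict."""
    tok = line.split()
    ace = {"action": tok.pop(0), "proto": None, "sport": None, "dst": None, "dport": None}
    if tok[0] in ("ip", "tcp", "udp", "icmp"):      # only extended ACEs name a protocol
        ace["proto"] = tok.pop(0)

    def take_addr():                                  # 'any', 'host X' or 'X <wildcard>'
        if tok[0] == "any":
            tok.pop(0)
            return ("0.0.0.0", "255.255.255.255")
        if tok[0] == "host":
            tok.pop(0)
            return (tok.pop(0), "0.0.0.0")
        return (tok.pop(0), tok.pop(0))

    def take_port():                                  # optional 'eq <port>'
        if tok and tok[0] == "eq":
            tok.pop(0)
            return int(tok.pop(0))
        return None

    ace["src"] = take_addr()
    if ace["proto"] is not None:                      # extended ACE: ports and destination too
        ace["sport"] = take_port()
        ace["dst"] = take_addr()
        ace["dport"] = take_port()
    return ace

def evaluate(acl, pkt):
    """First-match evaluation of parsed ACEs; returns 'permit' or 'deny'."""
    for ace in acl:
        if ace["proto"] not in (None, "ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if ace["sport"] not in (None, pkt.get("sport")):
            continue
        if ace["dst"] is not None and not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["dport"] not in (None, pkt.get("dport")):
            continue
        return ace["action"]
    return "deny"                                     # the implicit deny any

# The post's two ACLs; the packets fed to evaluate() are constructed samples.
ACL_10 = [parse_ace(l) for l in ("deny 10.1.10.0 0.0.0.255", "permit any")]
ACL_100 = [parse_ace("permit tcp 10.1.20.0 0.0.0.255 host 10.1.30.30 eq 80")]
```

A packet from 10.1.10.7 is denied by ACL 10 while one from 10.1.20.7 is permitted; under ACL 100 only TCP port 80 from 10.1.20.0/24 to 10.1.30.30 passes, and anything else (other ports, ICMP, another host) falls through to the implicit deny.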

Note: 
A Windows PC will show "Destination net unreachable" in ping / tracert output when its traffic hits an ACL.

Cisco IOS will show "!A" in traceroute output when the probe hits an ACL.

Thursday, May 11, 2017

Troubleshooting Basic Routing using Pings & Traceroutes

This is a basic practical to understand ping & traceroute output when troubleshooting basic routing / connectivity issues. If you need a reference for the output characters you will encounter when using ping & traceroute in Cisco IOS, please go through this.

Only the IP addresses are configured, no routing is placed..
The Windows PC has its gateway configured.
Obviously the PC can ping 10.1.10.1 (gateway) unless there is a physical link failure.

What happens when the PC pings & traceroutes to 10.1.12.1 ??

It works. The PC can ping any interface on R1 without any routing in place because it sends everything it does not know to 10.1.10.1, and R1 knows about the PC's subnet as it is directly connected.

Note that replying host is 10.1.12.1 for the traceroute; not 10.1.10.1

What happens when the PC pings & traceroutes to 10.1.12.2 ??

The result is a "Request timed out".

In the traceroute, the only hop that answers is R1's PC-facing interface; after that every probe times out.

We know PC can reach R1. Let's see from R1's CLI whether it can reach R2's interface..

Obviously R1 can reach the 10.1.12.2 interface of R2 because it is directly connected.
(1st ping is dropped because of the ARP process) Now let's see R2's routing table..

It knows about the 10.1.12.0 subnet, so it can reply to R1's pings & traceroutes.
But it has no route to the subnet which the PC is in (10.1.10.0/24).

So what happened here is that the packets were routed by the PC to R1, R1 routed it to R2 but R2 does not know how to send reply packets to 10.1.10.0 subnet.. So the replies never come back; timed out..

I am adding a static route to 10.1.10.0 on R2 to fix this..
R2(config)#ip route 10.1.10.0 255.255.255.0 10.1.12.1

Now the replies come in.

Note that the 1st reply is coming from the PC side interface of R1 and the last one comes from the destination itself..

What happens when the PC pings & traceroutes to 10.1.23.2 ??

The result is a "Destination unreachable" message, which comes from 10.1.10.1.

Here you can see the PC routes the packets to 10.1.10.1 of R1 but R1 is reporting the destination host is unreachable..

Even though we put a static route on R2 to the 10.1.10.0/24 subnet, routing does not seem to work for R2's interfaces other than the one R1 connects to.
We know the PC can reach R1. Let's check from R1's CLI whether it can reach R2's interface or not.

You can see that R1 cannot ping 10.1.23.2 and the traceroute does not list even a single hop. Therefore you can figure out that R1 has no route to the 10.1.23.0/24 subnet. Let's analyze the routing table.

I am putting a static route on R1 to 10.1.23.0/24 subnet..
R1(config)#ip route 10.1.23.0 255.255.255.0 10.1.12.2

Now the pings and traceroutes work.
Note that the traceroute reply comes from the interface on R1's side, which is 10.1.12.2, not from the destination.

Now let's see from PC..

Note that the final traceroute reply comes from the destination not from the PC's side interface of R2 like in Cisco IOS..

What happens when the PC pings & traceroutes to 10.1.23.3 ??

Request timed out, and now you know the reason. It is the same thing that happened in the 1st case: routing is OK in the forward direction but not for the reply traffic.

Let's add a route on R3 to 10.1.10.0/24 subnet..
R3(config)#ip route 10.1.10.0 255.255.255.0 10.1.23.2

Now it is working fine..

Note:
Though routing is working fine from the PC to R3, pings from R1 will not get replies, because R1 sends its packets from its e0/0 interface (10.1.12.1) and R3 has no route to the 10.1.12.0/24 subnet.

But you will be able to ping and traceroute to 10.1.23.3 from R1 successfully if you source it from R1's e0/1 interface, because that interface is in the 10.1.10.0/24 subnet, for which R3 now has a route installed.

What happens when the PC pings & traceroutes to 3.3.3.3 ??

Destination host unreachable from 10.1.10.1 (R1) which means there is no route to the destination from R1..

Let's add a route on R1 to the 3.3.3.0/24 subnet.
R1(config)#ip route 3.3.3.0 255.255.255.0 10.1.12.2

Now let's see what happens..

Now again a destination host unreachable from 10.1.12.2 (R2) which means there is no route to the destination from R2..

Before adding a route on R2, let's see what will be the output of pings & traceroutes from R1 to 3.3.3.3

"U" in ping means Unreachable in IOS while "H" in traceroute means Host Unreachable in IOS..

Let's add a route on R2 to the 3.3.3.0/24 subnet.
R2(config)#ip route 3.3.3.0 255.255.255.0 10.1.23.3

Now routing is OK from the PC to all of R3's interfaces.

Let's see from R1;

Request timed out. Now you know why: there is no route on the destination to the 10.1.12.0/24 subnet.

Let's add a route on R3 to the 10.1.12.0/24 subnet.
R3(config)#ip route 10.1.12.0 255.255.255.0 10.1.23.2

Now R1 can also ping any of R3's interfaces successfully.

Note that the traceroute reply comes from the interface on R1's side, which is 10.1.12.2, not from the destination as in the Windows command prompt.

Conclusions:

In Windows command prompt;
(1) "Destination host unreachable" in ping or in tracert indicates that there is no route to the destination from the reporting router..
(2) "Request timed out" in ping or in tracert indicates that there is no route to the source from the destination for the reply traffic..
(3) Traceroute replies always come from the source's side interfaces of the routing path.. Except the final destination..

In Cisco IOS;
(1) "U" in ping or "H" in traceroute indicates (unreachable) that there is no route to the destination from the reporting router..
(2) "." in ping or "*" in traceroute indicates (request timeout) that there is no route to the source from the destination for the reply traffic..
(3) Traceroute replies always come from the source's side interfaces of the routing path.
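As an added example that is not part of the post, the following Python model reproduces the lab above (PC - R1 - R2 - R3 with the post's addresses; the PC's own address 10.1.10.10 is an assumption) and shows why a missing forward route is reported as "Destination host unreachable" by a specific router, while a missing return route shows up as "Request timed out". Routes are added in the same order as in the post.

```python
import ipaddress

# Constructed lab modelled on the post's topology. Routers start with connected subnets only;
# the PC has a default gateway of 10.1.10.1 and its own address (assumed) is 10.1.10.10.
NODES = {
    "PC": {"ifaces": ["10.1.10.10/24"], "routes": [("0.0.0.0/0", "10.1.10.1")]},
    "R1": {"ifaces": ["10.1.10.1/24", "10.1.12.1/24"], "routes": []},
    "R2": {"ifaces": ["10.1.12.2/24", "10.1.23.2/24"], "routes": []},
    "R3": {"ifaces": ["10.1.23.3/24", "3.3.3.3/24"], "routes": []},
}

def add_route(node, prefix, next_hop):
    """Equivalent of 'ip route <prefix> <mask> <next hop>' on that node."""
    NODES[node]["routes"].append((prefix, next_hop))

def owner(ip):
    """Name of the node that owns address ip, or None."""
    ip = ipaddress.ip_address(ip)
    for name, n in NODES.items():
        if any(ipaddress.ip_interface(i).ip == ip for i in n["ifaces"]):
            return name
    return None

def lookup(node, dst):
    """Longest-prefix match over connected subnets and static routes; returns next hop or None."""
    dst, best = ipaddress.ip_address(dst), None
    candidates = [(ipaddress.ip_interface(i).network, str(dst)) for i in NODES[node]["ifaces"]]
    candidates += [(ipaddress.ip_network(p), nh) for p, nh in NODES[node]["routes"]]
    for net, nh in candidates:
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return None if best is None else best[1]

def forward(node, dst, entry, max_hops=8):
    """Route a packet hop by hop. Returns (True, None) when the owner of dst is reached, or
    (False, reporter) where reporter is the address of the hop that had no route."""
    for _ in range(max_hops):
        if owner(dst) == node:
            return True, None
        nh = lookup(node, dst)
        if nh is None or owner(nh) is None:
            return False, entry                     # this hop sends "unreachable" back
        node, entry = owner(nh), nh                 # packet enters the next node via nh
    return False, entry

def ping(src_node, src_ip, dst_ip):
    """Echo request one way, echo reply the other way, reported as Windows ping would."""
    ok, reporter = forward(src_node, dst_ip, src_ip)
    if not ok:
        return f"Destination host unreachable from {reporter}"
    ok, _ = forward(owner(dst_ip), src_ip, dst_ip)  # reply needs a route back to the source
    return f"Reply from {dst_ip}" if ok else "Request timed out"
```

Calling ping("PC", "10.1.10.10", "10.1.12.2") before any static route returns "Request timed out", and ping("PC", "10.1.10.10", "10.1.23.2") returns "Destination host unreachable from 10.1.10.1", exactly the two cases the post walks through.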