Friday 22 November 2013

Centralized Authentication for network devices with AAA server (Radius) and IAS

Why should I have centralized authentication? Or, why should I integrate Active Directory with an AAA router?

Of course, management becomes much easier. Strictly speaking it is not an integration of AD and AAA; what we do here is use the Active Directory user database for access to routers and switches. You also no longer need to log in to every router and switch just to change a password. To get centralized authentication for all the network devices, we configured Internet Authentication Service (IAS) on our Domain Controller to act as a RADIUS server. Using IAS we can build a centralized authentication server for all the network devices in both the Backbone and Master setups.
An AAA client must also be configured on every network device so that it can communicate with the IAS server.

What if my RADIUS server fails?

In this blog post I will also cover the backup authentication method. If your RADIUS server fails, your routers and switches can still use their local database to authenticate users. A picture gives a better idea; refer to the snap below.

Installation of IAS Service and configuration in Win2k3

Follow the steps to install Internet Authentication Service in your Windows Server 2003 server. 
  1. Log in as an administrator.
  2. Go to Start | Control Panel, and double-click the Add or Remove Programs applet.
  3. Click Add/Remove Windows Components.
  4. In the Windows Components Wizard, click Networking Services, and click Details.
  5. In the Networking Services dialog box, select Internet Authentication Service, click OK, and click Next.
  6. The system may prompt you to insert your Windows Server 2003 CD, so have it handy.
  7. After IAS is installed, click Finish, and then Close.
  8. Then open IAS from Administrative Tools.

How to add a RADIUS client in IAS?

Now we need to add a RADIUS client. Follow these steps:

  1. In the left pane, right-click RADIUS Clients, and select New RADIUS Client.
  2. In the New RADIUS Client dialog box, as shown in the below figure, enter a display name for the client (i.e., your router or switch). I suggest using the router's hostname.
  3. Enter the LAN IP address of the client.
  4. Click Next, and select Cisco for the Client-Vendor.
  5. Enter a password (called a key on a router or switch) that the two devices will share for the authentication process. For this example, I used XX as my test password.
  6. Click Finish. 

Create Remote Access Policy in IAS

Next, we need to create a remote access policy. Follow these steps:
  1. In the Internet Authentication Service window, click Remote Access Policies in the left pane.
  2. In the right pane, right-click the default policy, and select Delete.
  3. Right-click inside the right pane, and select New Remote Access Policy.
  4. In the Remote Access Policy Wizard, click Next.
  5. Click Set Up A Custom Policy, name it IMSA (for example), and click Next.
  6. Click Add, select Windows-Groups, and click Add, as shown in the below image.

Enter whatever group name you want to use. In this example, we're using a local Windows server group. You can also use a Windows AD group, which, of course, is preferable. The image below shows the Groups dialog box with the Senthil_Test group listed.

Select the new group, and click OK. This takes you to the Policy Conditions screen of the New Remote Access Policy Wizard, as shown in the image below.

Click Next, select Grant Remote Access Permission, and click Next.
Click Edit Profile, and select the Authentication tab.
Deselect all check boxes; select only the Unencrypted Authentication (PAP/SPAP) check box, as shown in the image below, and click OK.

Next, select the Advanced tab.
Select Service-Type, and click Edit.
In the Enumerable Attribute Information dialog box, select Login from the Attribute Value drop-down list, as shown in following image, and click OK.

Back on the Advanced tab, select Framed-Protocol, and click Remove. The image below shows the resulting dialog box.

All you have to do now is click OK. The system will likely ask if you want to view Help topics, as shown in the following image.

We're almost there. Click Next, click Finish, and that's it!

How to configure AAA on a Cisco router?

Enable AAA

Log in to the router as a privilege 15 user.
(config)# aaa new-model
The above command enables AAA on the network device.

Configure Radius server details
(config)# radius-server host <radius-server-ip> auth-port 1645 acct-port 1646 key KEY1
In the above command you specify the RADIUS server IP address (shown here as the placeholder <radius-server-ip>), the authentication and accounting ports, and the shared key. The key must be the same one you entered for this client in IAS, and the ports must be ones IAS is listening on (1645/1646 are the legacy ports; 1812/1813 are the standard ones).
(config)# ip radius source-interface Vlan1
The ip radius source-interface command sets the interface whose address is used as the source when talking to the RADIUS server. This address must match the client IP address you registered in IAS, otherwise IAS will silently ignore the requests.

Configure AAA fallback to the local database of the router
(config)# aaa authentication login LIST1 group radius local
In the above command you specify the authentication method list (LIST1 in our case) and the order of user databases: the RADIUS group first, then the local database as the fallback.

Creating local user
I suggest configuring a local username/password in case the RADIUS server is ever unavailable and you need to access your network device. Because we used the login authentication methods radius and then local, the router will fall back to the local authentication database if the RADIUS server ever goes down. Here's how to configure a local user:
(config)# username ops privilege 15 secret secretpass1
(config)# ip domain-name <domain-name>
We also have to specify the domain name with the ip domain-name command (<domain-name> is a placeholder for your own domain). This also acts as the name server.

Configure line connections to use AAA
Enter line configuration mode with the command below.
(config)# line vty 0 4
Now use the command below to tell the router to use the AAA method list LIST1 for telnet and SSH connections.
(config-line)# login authentication LIST1
That's all. Now verify the settings by testing the items below.
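To make the exchange behind these settings concrete, here is an added example (not code from the original post, and not IAS or IOS code) that builds the RADIUS Access-Request a router sends after "login authentication LIST1" prompts a user, hides the PAP password exactly as RFC 2865 section 5.2 prescribes, answers it as a minimal stand-in for IAS, and validates the reply's Response Authenticator the way the router does. It also covers the PAP setting chosen on the IAS Authentication tab and the Service-Type = Login attribute set on the Advanced tab. The shared key XX and the local user ops/secretpass1 are the post's own test values; the NAS address 10.0.0.1 and the user table are constructed for the example.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_LOGIN = 1  # Service-Type = Login, the value selected on the IAS Advanced tab

def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: a PAP password is not sent in clear. Each 16-byte block is XORed
    with MD5(secret || previous block); the first block is seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out

def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side of hide_password(); the NUL padding is stripped afterwards."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, keystream)), chunk
    return out.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes its own two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(secret, ident, username, password, nas_ip, request_auth=None):
    """What the router sends once 'login authentication LIST1' has prompted a user."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {attr_type: value}); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, ident, data[4:20], attrs

def build_response(secret, code, ident, request_auth, attrs=b""):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def toy_server(secret, users, request):
    """Constructed stand-in for IAS: Accept only if the revealed password matches the user table."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("not a usable Access-Request")
    name = attrs[USER_NAME].decode(errors="replace")
    given = reveal_password(secret, req_auth, attrs[USER_PASSWORD])
    ok = name in users and hmac.compare_digest(given, users[name])
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth)

def nas_decision(secret, request, response) -> str:
    """Router side: a reply counts only if its ID matches and the Response Authenticator
    verifies under the shared key; anything else is treated as if no server answered."""
    _, req_ident, req_auth, _ = parse_packet(request)
    code, ident, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if ident != req_ident or not hmac.compare_digest(resp_auth, expected):
        return "invalid"
    return "accept" if code == ACCESS_ACCEPT else "reject"

if __name__ == "__main__":
    secret = b"XX"                    # the post's test key; use a long random key in production
    users = {"ops": b"secretpass1"}   # constructed user table standing in for the IAS group
    req = build_access_request(secret, 1, "ops", "secretpass1", "10.0.0.1")  # NAS address assumed
    print(nas_decision(secret, req, toy_server(secret, users, req)))        # accept
    print(nas_decision(secret, req, toy_server(b"otherkey", users, req)))   # invalid: key mismatch
```

Two points worth taking from this. First, the three outcomes map onto what the method list "group radius local" does: an Access-Accept or Access-Reject is a definite answer and the login is granted or denied on the spot; only when no valid reply arrives (timeout, or a reply that fails the authenticator check, as with a mismatched key) does the router move on to the local database. A wrong password therefore never falls back to local. Second, the User-Password hiding is only as strong as the shared key and MD5, so the two-character test key XX is fine for a lab but a long random key should be used for real devices.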

Testing AD User Login

Try to telnet to any of the AAA clients.

When it prompts for a username, enter your domain controller credentials (blogg) and press Enter.

You will be in Privileged execution mode of the router.

Testing Fallback Support of AAA in Cisco Router

There are cases where you might lose connectivity to your IAS server from a network device. In that case you should also have a fallback so that you can log in with a local database user and start configuring your device.

To test this fallback, I stopped the IAS service from Services.msc on the IAS server.

Later I tried to log in to one of the AAA clients. The image below shows this.

Now the local user ops is able to log in even though the IAS service is stopped. Thanks for visiting; please post your doubts in the comment box.

Thursday 21 November 2013

[Solved] GNS3 Error - 206 Unable to create UDP NIO

In this article I am going to tell you how to resolve the 206 UDP error. I was so irritated to see this "206 Unable to create UDP NIO" error while trying to open any saved topology. The error looks like below,

Wednesday 13 November 2013

Centreon - Add Host or Router and monitor bandwidth utilization

In this article we will walk through the Centreon configuration steps. The following questions will be answered as you go through it.

1) What is Centreon?
2) How to add a router/switch/host/server in Centreon?
3) How to monitor a network device's (switch or router) interface bandwidth usage using Centreon?
4) How to install Centreon? Installation steps for Centreon, etc.
5) Centreon vs Nagios: which is better?
This is basically a Centreon tutorial page for beginners.

What is Centreon?

Centreon is an automated monitoring system based on the Nagios engine. With this great tool you can generate bandwidth reports, availability reports, ping reports, etc.

Created in 2003, Centreon is an Open Source software package that lets you supervise all the infrastructures and applications comprising your information system.

The only problem I found with this tool is support. You don't get any support, not even a forum or a proper configuration guide on Google. Anyway, this page will make Centreon configuration clear to you.

Here We Begin

For step-by-step Centreon installation, I recommend you visit the official page.

Once you have installed your Centreon monitoring engine, you have to add the services and hosts to be monitored. To be clear, it is not an inventory tool that discovers hosts: you have to add all the hosts, and the services for each host, manually.

Basics on Centreon Configuration

I assume you know how to configure pollers. Pollers are simply servers placed at a branch office or some other location from which you monitor the devices.

Before adding a new host, I recommend you do the following tasks. As part of this tutorial I am going to add a router and monitor the bandwidth of one of its interfaces. For availability you can use the ping service. Here I am using the check_centreon_snmp_traffic script, which I found at /usr/lib64/nagios/plugins on my server. I verified the script with the following command.

To learn how to use this script/service, check its man page or help output. Give your hostname where I've painted red and your community string in place of blue. You can also add your interface name and other information.


Now I am going to modify Centreon's command page according to my needs. For example, Centreon uses public (the well-known default SNMP community string) unless told otherwise, and has its own default parameters. So it's better to change the command line to what we need.

Refer to the image below; I have changed the default arguments. I need only the interface name as input. The graph template has also been changed to Traffic, as this is going to be bandwidth monitoring.

Now save this, and add a new host with the following details.

After this stage we can create our service template. The same service template can be used for multiple hosts. Here I have called my check_centreon_traffic command.

I am changing the graph template to Traffic in the below image.

Now you have to map your service template to hosts as below.

For example, I have 5 routers and 3 switches. In my case all these network devices have a FastEthernet0/0 interface. So I will create a service for FastEthernet0/0 interface traffic and map it to all these hosts.

That's it: we have created the RTR host and mapped the interface traffic service to it. Don't forget to restart Centreon/Nagios from the configuration tab after every configuration change. Now you should be able to monitor your bandwidth usage and more after reading this article.

Please post your doubts in comment box, if any.