Jimmys Cyber Corner » Uncategorized

ASA user authentication with Active Directory

Jimmy Larsson — Wed, 25 Aug 2010 16:19:19 +0000

Most often we Cisco-guys uses radius or tacacs when we are about to do authentication of users. But did you know that doing authentication from VPN to a user-database in an Active Directory doesn´t require IAS, ACS or any third party software at all. In fact there are multiple ways in ASA to talk to AD built-in.

I have tried them in my home lab by using an ASA firewall and a Windows 2003 Server with Active Directory installed.

LDAP

aaa-server LDAP protocol ldap aaa-server LDAP (outside) host 192.168.1.51 ldap-base-dn CN=Users,DC=kvistofta,DC=local ldap-scope subtree ldap-naming-attribute sAMAccountName ldap-login-password * ldap-login-dn CN=admin,CN=Users,DC=kvistofta,DC=local server-type microsoft

Verification:
FW(config)# test aaa authen KERBEROS host 192.168.1.51 username vpnuser passwo$ INFO: Attempting Authentication test to IP address <192.168.1.51> (timeout: 12 seconds) INFO: Authentication Successful FW(config)# test aaa authen LDAP host 192.168.1.51 username vpnuser password 1$ INFO: Attempting Authenticatio [75] Session Start n test to IP address <192.168.1.51> (timeout: 12 seconds) [75] New request Session, context 0xd5954260, reqType = 1 [75] Fiber started [75] Creating LDAP context with uri=ldap://192.168.1.51:389 [75] Connect to LDAP server: ldap://192.168.1.51:389, status = Successful [75] supportedLDAPVersion: value = 3 [75] supportedLDAPVersion: value = 2 [75] Binding as administrator [75] Performing Simple authentication for admin to 192.168.1.51 [75] LDAP Search: Base DN = [CN=Users,DC=kvistofta,DC=local] Filter = [sAMAccountName=vpnuser] Scope = [SUBTREE] [75] User DN = [CN=vpnuser,CN=Users,DC=kvistofta,DC=local] [75] Talking to Active Directory server 192.168.1.51 [75] Reading password policy for vpnuser, dn:CN=vpnuser,CN=Users,DC=kvistofta,DC=local [75] Read bad password count 0 [75] Binding as user [75] Performing Simple authentication for vpnuser to 192.168.1.51 [75] Processing LDAP response for user vpnuser [75] Authentication successful for vpnuser to 192.168.1.51 [75] Retrieved User Attributes: [75] objectClass: value = top [75] objectClass: value = person [75] objectClass: value = organizationalPerson [75] objectClass: value = user [75] cn: value = vpnuser [75] givenName: value = vpnuser [75] distinguishedName: value = CN=vpnuser,CN=Users,DC=kvistofta,DC=local [75] instanceType: value = 4 [75] whenCreated: value = 20100706114926.0Z [75] whenChanged: value = 20100706114926.0Z [75] displayName: value = vpnuser [75] uSNCreated: value = 13726 [75] uSNChanged: value = 13731 [75] name: value = vpnuser [75] objectGUID: value = ..1....O.c.v.... [75] userAccountControl: value = 66048 [75] badPwdCount: value = 0 [75] codePage: value = 0 [75] countryCode: value = 0 [75] badPasswordTime: value = 0 [75] lastLogoff: value = 0 [75] lastLogon: value = 129228917453688826 [75] pwdLastSet: value = 129228905663476095 [75] primaryGroupID: value = 513 [75] objectSid: value = .............LP...r{..."S... [75] accountExpires: value = 9223372036854775807 [75] logonCount: value = 5 [75] sAMAccountName: value = vpnuser [75] sAMAccountType: value = 805306368 [75] userPrincipalName: value = vpnuser@kvistofta.local [75] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=kvistofta,DC=local [75] Fiber exit Tx=547 bytes Rx=2053 bytes, status=1 [75] Session End INFO: Authentication Successful FW(config)#

KERBEROS

aaa-server KERBEROS protocol kerberos aaa-server KERBEROS (outside) host 192.168.1.51 kerberos-realm KVISTOFTA.LOCAL

Verification:
FW(config)# test aaa authen KERBEROS host 192.168.1.51 username vpnuser passwo$ INFO: Attempting Authentication test to IP address <192.168.1.51> (timeout: 12 seconds) kip_lookup_by_sessID: kip with id 76l not found Kerberos library reports: "Additional preauthentication required" INFO: Authentication Successful FW(config)#

NT Domain

aaa-server NT (outside) host 192.168.1.51 nt-auth-domain-controller kvistofta

Verification:
FW(config)# test aaa auth NT host 192.168.1.51 username vpnuser password 1qaz!$ INFO: Attempting Authentication test to IP address <192.168.1.51> (timeout: 12 seconds) smb_iod_request : smb_iod_process_message : smb_iod_negotiate : iod_state = No connect smb_iod_negotiate : tcreate smb_iod_negotiate : bind smb_iod_negotiate : tconnect smb_iod_addrq : smb_iod_sendrq : iod_state = transport active smb_iod_waitrq : smb_iod_removerq : smb_iod_negotiate : completed smb_iod_process_message : smb_iod_thread : going to sleep for 2 secs 0 nsecs smb_iod_process_message : smb_iod_thread : going to sleep for 2 secs 0 nsecs smb_iod_request : smb_iod_process_message : smb_iod_ssnsetup : iod_state = unknown stat(3) smb_iod_addrq : smb_iod_sendrq : iod_state = unknown stat(4) smb_iod_waitrq : smb_iod_removerq : smb_iod_ssnsetup : completed smb_iod_process_message : smb_iod_thread : going to sleep for 2 secs 0 nsecs smb_iod_process_message : smb_iod_thread : going to sleep for 2 secs 0 nsecs Connected to VPNUSER smb_iod_request : smb_iod_process_message : smb_iod_addrq : smb_iod_sendrq : iod_state = session established smb_iod_waitrq : smb_iod_removerq : smb_iod_process_message : smb_iod_thread : going to sleep for 2 secs 0 nsecs smb_iod_request : smb_iod_process_message : INFO: Authentication Successful FW(config)#

Doing some magic translations in Cisco ASA

Jimmy Larsson — Mon, 05 Jul 2010 18:59:01 +0000

I recently got a question from a collegue regarding address translations in Cisco ASA. He wrote:

Got a question from a customer if you can do the following:

1. NAT the . IP address of a machine located on the DMZ to inside with the same address as the NAT has been: at the outside (ie publish public address inwards too)

2. Source NAT for inside addresses (clients) when they must go above the DMZ server (in the “public” address) so that the source is a different puclic address.

Have not tested yet so I do not know but the config must be abit weird.

ok. Lets try. I put together a quick lab-setup. A 3-legged ASA with a one-legged router on each firewall-interface:

interface Vlan10 nameif outside security-level 0 ip address 200.1.1.1 255.255.255.0 ! interface Vlan20 nameif inside security-level 100 ip address 10.1.1.1 255.255.255.0 ! interface Vlan30 no forward interface Vlan20 nameif dmz security-level 50 ip address 10.2.2.1 255.255.255.0 !

And the routers.

R1:
interface FastEthernet0 ip address 200.1.1.99 255.255.255.0 duplex auto speed auto end

R2:
interface FastEthernet0 ip address 10.1.1.99 255.255.255.0 duplex auto speed auto end

and R3:
interface FastEthernet0 ip address 10.2.2.2 255.255.255.0 duplex auto speed auto end

Ok. R1 is the outside host on internet. R2 is an inside host on our corporate network. R3 is this magical server on DMZ. In this example it is a high performance telnet server!

line vty 0 4 no login

First, make sure that this is reachable from internet. We do a static and allow the traffic on outside acl:

static (dmz,outside) 200.1.1.2 10.2.2.2 netmask 255.255.255.255 access-list OUTSIDE extended permit tcp any host 200.1.1.2 eq telnet

Verification. Telnet from R1 to public IP:
R1#telnet 200.1.1.2 Trying 200.1.1.2 ... Open R3>

Great. Now we want to reach the DMZ server from inside. Since this is higher security level to lower and we dont have any acl on inside we dont have to care about open the traffic. But we want to use an OUTSIDE address as destination ip to reach a DMZ host. Lets try a static:

FW(config)# static (dmz,inside) 200.1.1.2 10.2.2.2

The command above seems weird, right? I agree. Someday when I have a lot of time I will explain the theory but for now, just trust me!

Verification:
R2#telnet 200.1.1.2 Trying 200.1.1.2 ... Open R3>

Next step is to hide the source address of that telnet client on inside. Right now it is using its own source ip:
R3>en Password: R3# R3#sh users Line User Host(s) Idle Location 0 con 0 idle 00:08:09 * 6 vty 0 idle 00:00:00 10.1.1.99


  Interface    User               Mode         Idle     Peer Address

R3#

So, how do we accomplish that? The easiest way is to use a policy nat-statement. We create an access-list which defines which traffic to translate. We then create a nat-statement with a nat-id of your choice and call the access-list. Finaly we define which global ip to use. (outside. Remember dmz is outside relative to inside since dmz has lower security-level)
access-list Inside2DMZ extended permit tcp 10.1.1.0 255.255.255.0 host 200.1.1.2 eq telnet nat (inside) 1 access-list Inside2DMZ global (dmz) 1 200.1.1.10

Verification:
R2#telnet 200.1.1.2 Trying 200.1.1.2 ... Open


R3>sh users

    Line       User       Host(s)              Idle       Location

*  6 vty 0                idle                 00:00:00 200.1.1.10
  Interface    User               Mode         Idle     Peer Address

R3>

Voila! So, the client is on a private ip network 10.1.1.0 and establish a connection to what he think is on outside, because it is an public/outside ip. The traffic passes the magic ASA and the server on DMZ believes that the client is on internet since it has a public/outside source ip.

Mission accomplished.

EzVPN Server on IOS in three different flavous

Jimmy Larsson — Thu, 13 May 2010 21:06:16 +0000

Comparizon between 3 different ways to configure EzVPN on IOS.

Example 1: EzVPN-server vanilla-style

aaa new-model ! ! aaa authentication login default none aaa authentication login AAA-AUTHEN local aaa authorization network default none aaa authorization network AAA-AUTHOR local ! ! username cisco password 0 cisco ! ! crypto isakmp policy 10 encr aes authentication pre-share group 2 ! crypto isakmp client configuration group MYGROUP key cisco dns 8.8.8.8 pool LOCALPOOL acl SPLITTUNNEL save-password ! ! crypto ipsec transform-set TSET esp-aes esp-sha-hmac ! crypto dynamic-map DYNMAP 10 set transform-set TSET reverse-route ! ! crypto map CMAP client authentication list AAA-AUTHEN crypto map CMAP isakmp authorization list AAA-AUTHOR crypto map CMAP client configuration address respond crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP ! interface GigabitEthernet0/1 crypto map CMAP ! ! ip access-list extended SPLITTUNNEL permit ip 8.9.5.0 0.0.0.255 any permit ip 8.9.6.0 0.0.0.255 any ! !

Example 2: Vanilla-style with ISAKMP profile on top

aaa new-model ! ! aaa authentication login default none aaa authentication login AAA-AUTHEN local aaa authorization network default none aaa authorization network AAA-AUTHOR local ! ! crypto keyring EZVPN-KEYRING pre-shared-key address 0.0.0.0 0.0.0.0 key cisco ! crypto isakmp policy 10 encr aes authentication pre-share group 2 ! crypto isakmp client configuration group MYGROUP key cisco dns 8.8.8.8 pool LOCALPOOL acl SPLITTUNNEL save-password ! crypto isakmp profile ISAKMP-PROFILE keyring EZVPN-KEYRING match identity group MYGROUP client authentication list AAA-AUTHEN isakmp authorization list AAA-AUTHOR client configuration address respond ! ! crypto ipsec transform-set TSET esp-aes esp-sha-hmac ! crypto dynamic-map DYNMAP 10 set transform-set TSET set isakmp-profile ISAKMP-PROFILE reverse-route ! ! crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP ! ! interface GigabitEthernet0/1 crypto map CMAP ! ip local pool LOCALPOOL 8.9.24.201 8.9.24.254 ! ! ! ip access-list extended SPLITTUNNEL permit ip 8.9.5.0 0.0.0.255 any permit ip 8.9.6.0 0.0.0.255 any ! !

Differences between Example 1 and Example 2:
crypto keyring EZVPN-KEYRING pre-shared-key address 0.0.0.0 0.0.0.0 key cisco ! crypto isakmp profile ISAKMP-PROFILE keyring EZVPN-KEYRING match identity group MYGROUP client authentication list AAA-AUTHEN isakmp authorization list AAA-AUTHOR client configuration address respond ! crypto dynamic-map DYNMAP 10 set isakmp-profile ISAKMP-PROFILE ! crypto map CMAP client authentication list AAA-AUTHEN crypto map CMAP isakmp authorization list AAA-AUTHOR crypto map CMAP client configuration address respond

Example 3: DVTI
aaa new-model ! ! aaa authentication login default none aaa authentication login AAA-AUTHEN local aaa authorization network default none aaa authorization network AAA-AUTHOR local ! ! username cisco password 0 cisco ! crypto keyring EZVPN-KEYRING pre-shared-key address 0.0.0.0 0.0.0.0 key cisco ! crypto isakmp policy 10 encr aes authentication pre-share group 2 ! crypto isakmp client configuration group MYGROUP key cisco dns 8.8.8.8 pool LOCALPOOL acl SPLITTUNNEL save-password ! crypto isakmp profile ISAKMP-PROFILE keyring EZVPN-KEYRING match identity group MYGROUP client authentication list AAA-AUTHEN isakmp authorization list AAA-AUTHOR client configuration address respond virtual-template 1 ! ! crypto ipsec transform-set TSET esp-aes esp-sha-hmac ! crypto ipsec profile IPSEC-PROFILE set transform-set TSET set isakmp-profile ISAKMP-PROFILE ! interface Virtual-Template1 type tunnel ip unnumbered GigabitEthernet0/1 tunnel source GigabitEthernet0/1 tunnel mode ipsec ipv4 tunnel protection ipsec profile IPSEC-PROFILE ! ip local pool LOCALPOOL 8.9.24.201 8.9.24.254 ! ! ip access-list extended SPLITTUNNEL permit ip 8.9.5.0 0.0.0.255 any permit ip 8.9.6.0 0.0.0.255 any

Differences between Example 2 and Example 3
crypto isakmp profile ISAKMP-PROFILE virtual-template 1 ! crypto ipsec profile IPSEC-PROFILE set transform-set TSET set isakmp-profile ISAKMP-PROFILE ! crypto dynamic-map DYNMAP 10 set transform-set TSET set isakmp-profile ISAKMP-PROFILE reverse-route ! ! crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP ! interface GigabitEthernet0/0 crypto map CMAP ! interface Virtual-Template1 type tunnel ip unnumbered GigabitEthernet0/1 tunnel source GigabitEthernet0/1 tunnel mode ipsec ipv4 tunnel protection ipsec profile IPSEC-PROFILE !

Lab notes – WB1 Lab4 Part 1

Jimmy Larsson — Fri, 26 Feb 2010 13:46:22 +0000

Today I started to work with IPExpert CCIE Security workbook 1 Lab 4a – VPN-solutions. During my work I made the following notes which might be interresting to read for other CCIE-candidates. I will also from now on continue to do these notes and post them on this blog. Explaining and writing is simply a great way for me to learn.

Also, if my boss some day ask me what the heck I am doing all these work-hours, I will gladly give him a link to this blog.

Task 4.1 – IOS CA

This was quite straight-forward. Make an IOS become a root certificate authority for later use.

What confuses me is that there is nothing in the configuation telling it to authenticate with certificates. All there is compared to “normal” preshared-key-auth is a missing “authen pre-share”. Which ofcours means that authentication is done with the certificates by default. I understand, I just have to get used to the fact that there is no command visible in the crypto isakmp policy saying “authentication MY-CA-TRUSTPOINT”.
When entering a wrong peer in the crypto map, it´s not just enough to re-enter a new ip. Since a crypto map sequence can have multiple peers for redundancy the old one doesnt go away. The effect is that the tunnel goes up, after a while, since it first tries with the bad peer ip before trying the second one. Remove the first.
Me being more used to vpns in asa than in ios usually tear down vpn-tunnels with the commands “clear crypto isakmp sa” and “clear crypto ipsec sa”. In IOS the corresponding command is “clear crypto session”. Cool.

Task 4.2 – IOS L2L

This is all about enrollment of certificates from the CA in previous task to two IOS-routers and setup an ipsec-tunnel.

What confuses me is that there is nothing in the configuation telling it to authenticate with certificates. All there is compared to “normal” preshared-key-auth is a missing “authen pre-share”. Which ofcours means that authentication is done with the certificates by default. I understand, I just have to get used to the fact that there is no command visible in the crypto isakmp policy saying “authentication MY-CA-TRUSTPOINT”.
When entering a wrong peer in the crypto map, it´s not just enough to re-enter a new ip. Since a crypto map sequence can have multiple peers for redundancy the old one doesnt go away. The effect is that the tunnel goes up, after a while, since it first tries with the bad peer ip before trying the second one. Remove the first.
Me being more used to vpns in asa than in ios usually tear down vpn-tunnels with the commands “clear crypto isakmp sa” and “clear crypto ipsec sa”. In IOS the corresponding command is “clear crypto session”. Cool.

Task 4.3 – VPN IOS-ASA

The task was to setup a tunnel between IOS and ASA. Preshared-key, all straight-forward. However, I was asked to prioritize to certan traffic going into the tunnel from the IOS-router. This was done by creating a service-policy on outside-interface like this:

class-map match-all VPN-CLASS

match access-group 150 ! The ACL that defines the traffic to prioritize

policy-map VPN-POLICY

class VPNCLASS


priority 200 (I was also assign to restrict the prioritized traffic to 200kbps)
interface Fa1/1

service-policy output VPN-POLICY

And, dont forget to do “qos pre-classify” on the crypto map! Otherwise your class-map has to look for ESP-traffic and that is not very granular, is it?
“create lo3 on r2, assign it ip 192.168.3.2/24″ and “create a vpn tunnel between Vlan100 and the newly created loopback network”. I used “host 192.168.3.2″ in acl, but it clearly states “the loopback _network_”. Darn!

Task 4.4 L2L Aggressive mode with PSK

Stuck Twice.

I PROMISE NEVER TO FORGET TO APPLY THE CRYPTO MAP TO THE INTERFACE AGAIN

I PROMISE NOT TO FORGET TO APPLY THE CRYPTO MAP TO IF AGAIN

I PROMISE NOTTO FORGET TO APPLY THE CRYPTO MAP TO IF AGAIN

Stuck again. Couldn´t get the tunnel up even when comparing my configs with the solution guide. After getting help from OSL I made it:

I am struggling with this task, I simply cannot get the tunnel up. And I cant see what Ive done wrong.

Background: Make a tunnle between r2 and r5. Assume that r5-ip is dynamic, the tunnel should only be initiated from r5. (that is: dynamic map on r2).

The relevant parts of the config looks like this:

Answer from Brandon:

Not sure if this is it or not but you have crypto isakmp key ipexpert
hostname r5.ipexpert.com and the debug shows FQDN name : R5.ipexpert.com

Voila! Changed the “r5″ to “R5″ and it started working!

Task 4.5 L2L Overlapping subnets.

The task was to create a tunnel between 4 routers to protect traffic between internal nets. The restrictions was: no static routing, no crypto maps and no GRE.

I havent worked very much with tunnel-interfaces but this was a pleasant first date. It´s kind of magic making a virtual interface and make the router route traffic thru it. Even more coolish when you encrypt the traffic and make a routing protocol talk thru the tunnel.
Since I wasn´t allowed to use static routing I had to create loopback-interfaces to force knowledge of that local networks translated address-space into the routing-protocol. I was thinking of some kind of “add-reverse-route”-option for the “ip nat source static network”-command but I guess there is no such solution? Or could this routing-issue be solved in another way?

Task 4.6 – Easy VPN Server on IOS

This task deals with connecting a plain ipsec-client from XP workstation to an VPN-server on ios. First step was to verify connectivity on XP. Wrong IP, changing it. Now, a good advice from someone “who knows”: Do NOT add a default route on the student NIC of the labb pc:s. It has 2 nics and the other one is convinently named “Outside NIC – Do not Touch!” which is fine because thats how you reach the machine over internet. But if you add a default “gateway” on the student nic (which you are allowed to fool with) you will convert that kind little XP-machine into an unpredicible beast. If you are lucky u will reach it after a while and remove that default gw. So I´ve heard.
IOS auto-enroll and the enroll-feature of ipsec vpn client is cool. Just point it to http:///cgi-bin/pkiclient.exe and request a certificate.
I had to look at the solution guide quite alot in this case. Even when doing that I couldnt get the vpn-client to connect. I just got these error messages:


Feb 26 12:35:24.740: ISAKMP:(1011):deleting SA reason "Recevied fatal informational" state (R) CONF_XAUTH    (peer 8.9.2.200)
Feb 26 12:35:24.740: ISAKMP:(1011):deleting SA reason "Recevied fatal informational" state (R) CONF_XAUTH    (peer 8.9.2.200)

Suddenly I looked at the bottom right corner of my screen and saw tht the time was 3 minutes until the lab-period was over. I have never backed up a bunch of routers this fast before. First thing next lab-attempt will be to load the configs and troubleshoot the EasyVPN-config of R4.

Conclusion of this lab so far: It´s intense! I´ve been configuring plenty of VPN-solutions before, but I guess that my experience covers only 20-30% of the VPN-related topics in this lab. All these profiles-configurations in IOS are all new to me. I guess I have some CCO-chapters to read during the weekend…

Here are my current configurations: asa1, r2, r4, r5 and r6.