Oliver Hansen » LinkedIn

Using IAS (RADIUS) For Client VPN Authentication To Cisco PIX

Oliver — Wed, 28 Jan 2009 02:32:32 +0000

I just had an opportunity to set this up again. The domain controller we had that was the RADIUS server crashed over the weekend so this is one of many things I had to get going again. Yes, our backup strategy needs some attention. So anyways, it did give me an opportunity to re-learn how to get this going. The purpose of using RADIUS for the VPN connections is to allow VPN access for the employees we want to have it and let them use their credentials already stored in Active Directory. The less user-names and passwords for employees to remember, the better.

The first thing is that the PIX Firewall (with VPN) was already set up when I got here so I won’t get into that configuration. It used to be configured with local accounts for each person who needed VPN and they had a static password. This was a bit cumbersome and insecure as the password never changed. I had used RADIUS to set up the same sort of thing for wireless authentication so I decided to see if I could get it working for the VPN. It took a little doing but I got it.

On Windows Server 2003, you need to install IAS (Internet Authentication Service). Go to Add/Remove Programs (appwiz.cpl) and then select Add/Remove Windows Components on the left side. Select Networking Services then Details, then put a check next to Internet Authentication Service. Select OK and Next and it will be installed. You will find the program under Administrative Tools in the Start Menu.

Once you open IAS, you will need to right click Internet Authentication Service (Local) and select Register Server in Active Directory. This will add the computer to a security group in Active Directory and register the service. Next, right click on RADIUS Clients and select New Radius Client. Here, you will put in the info about your PIX device. Now, even though there is an option in Client-Vendor for Cisco, we will leave it at the default value of RADIUS Standard. Here, you also choose a shared secret. I strongly recommend using a very long string of numbers, letters and symbols. You will only need to enter this here and in the PIX one time and then you can forget about it so don’t worry about making it something easy to remember. One final important note on this step is to leave the box unchecked for Message Authenticator attribute.

Next go to the Remote Access Policies window. Right click and select New Remote Access Policy. Now, I’m going to suggest you do it a little differently than I did originally but it will save you making a few changes later. Instead of using the wizard, select Set up a custom policy. You can name it something like “Allow VPN Access”. Now, in policy conditions select NAS-IP-Address and then enter the IP address of your PIX. The second attribute we’ll select is Windows-Groups. You will need to have created a group in Active Directory first before you can select it so create one called “VPN Access” or something similar. This is the security group you’ll place all users who you want to have access. If a user that does not have access tries to use it when they are not in the group it will fail. After you have added the group, click next and you will be finished. Note the order of the policies — the server will attempt to match each rule starting with the first and if it matches the default rule that denies connections first then it won’t even evaluate yours.

Now that you have your rule in place, open it up for more details. Click on the Advanced tab then Add. Here, you want to add Ignore-User-Dialin-Properties and set it to True. This tells IAS to ignore the properties of each user in their profile which gives them dial-in privileges. I assume this was a previous way of configuring remote access that is not used much anymore. Having users in the security group you created earlier controls the permission of users connecting. Next, go to the Encryption tab and select every encryption but the no encryption box. Then on to Authentication and choose only Unencrypted authentication (PAP, SPAP). Now, this last one with no encryption — I tried very hard to see if there was another way because I don’t want any credentials floating around in plain text but I didn’t see a way. I’m no security expert but when I analyzed some traffic establishing the connection, it looks like the pre-shared key we set up before encrypts the authentication so it is in plain text but only inside of an already encrypted tunnel so it should be safe. Feel free to correct me because I’m still learning about VPNs. After that setting you should be done with the IAS setup.

Now for the PIX. For this I used the PDM interface. I know the true Cisco experts will prefer the command line and I do for switches usually but for the VPN I’m sticking with the PDM interface for now. Once you are logged in, go to Configuration. Once there, select the System Properties tab and then navigate to the AAA category. Under AAA Server Groups you will see RADIUS among others. The only thing I set was Dead Time to 0. If you have more than one RADIUS server you may want to set this to 10 minutes or so because it is the time it will consider a server dead if it can’t contact it and then it will use another server during this time period. On to AAA Servers. Click Add and select RADIUS for the group, inside for the interface, the IP address and also your key that you created back in IAS. Make sure you are applying these settings as you go. Next, we move to the VPN tab and select the IKE category. Find the XAuth/Mode Config and edit the outside interface. Here you’ll select RADIUS for server group and if you want you can check the box to use LOCAL accounts when the RADIUS fails. If for some reason your RADIUS server goes down, you could connect using a local account (such as administrator). This would mostly benefit the admins who know the password as other users wouldn’t know what to type. However, if you have a weak password I suppose it could be a security risk. After you have that set you can apply then save the changes to the PIX.

There is always troubleshooting of course. In the PIX, you can click the Monitoring icon and then view the PDM Log. This should show you when a RADIUS lookup is attempted or if it is not then what is. In IAS you’ll want to look under your normal event logs in the System setting. You will see IAS as Source and you can see what policy is matched. If your policy is not being matched then you need to find out why. It does give you good information such as the IPs, user-name, the authentication and encryption being used. If any of those do not match you may see it is being matched against another Policy-Name and that will give you some clues.

Possibly Related Posts:

Moving and Organizing My Home Server Closet

Oliver — Sat, 20 Dec 2008 22:45:29 +0000

I actually did this back in August but I didn’t get around to uploading the photos til today so here it is!

Some wise person suggested that since I had a free room that I move my servers to the closet in that room instead of keeping them in my own closet. I’ve gotten used to closing the door to the walk-in closet each night to lessen the noise of the fans but having them in another room would be even better! I decided if I was going to do this that I should do it a little better than last time. I now have three servers: One acting as my router and running IPCop, a second running a web server for local development and testing, and a third running Samba and acting as my main file server. It started as just one and grew to more.

Instead of taking up more floor space, I decided to stop by the local thrift store and find some sort of small desk. I found a pretty beat up rolling desk and paid $10 for it. One wheel fell off while I was rolling it out to the car but oh well. haha. Anyways, it fit in the closet and had two levels for my computers to sit on.

I had some zip ties and cable running hardware from when I planned to re-run my grandma’s phone line a while back so I used those to run the cable along the wall instead of the gaff tape I used previously. I couldn’t mount the switch on the wall but I did put it up above on the top shelf of the closet. I used zip ties as cable management to run the permanent cables up to the switch. As I get more or have temporary cables I won’t worry about the neatness so much but at least the existing cables are managed nicely. It’s not perfect by any standards but I think it’s a step up and not bad for an amateur with a couple hours.

Photos below:

Possibly Related Posts:

Reply On Top Of Message In Thunderbird 2.0.0.18 Linux

Oliver — Thu, 11 Dec 2008 01:46:57 +0000

I know I found the option to do this in Windows but I couldn’t find it in my Linux Mint version of Thunderbird. The default behavior seems to be starting your reply at the bottom of the last message you received which is actually considered good etiquette for mailing lists and such but when responding to personal emails I like to reply on the top.

For some reason I couldn’t find this in the normal settings so I went to advanced under Edit -> Preferences -> Advanced. Under the General tab, click on Config Editor then type “reply” into the filter box. The entry you want is mail.identity.default.reply_on_top which was set to “0″. Set it to “1″ (true in boolean) and you’re set!

Possibly Related Posts:

Replace First Domain Controller in Forest

Oliver — Mon, 17 Nov 2008 15:03:10 +0000

This is the first in some posts that will be from the wiki I use at work. I’ll remove the work-specific details but leave the general info for others to use. Many of it is compiled from different MS Knowledge Base articles.

Add NewServer to the domain

Either join the server to the domain during setup or after

Promote NewServer to a Domain Controller

Click Start->Run and type dcpromo.exe

Follow the prompts to add a Domain Controller to an existing domain

Make NewServer a Global Catalog Server

Having at least one Global Catalog server in the domain is critical. If you already have more than one GC in the domain you may choose to skip this step.

Open Active Directory Sites and Services, expand Sites->”Site Containing NewServer”->Servers->NewServer, right-click NTDS Settings, check the box next to Global Catalog.

The process of replicating the GC to NewServer may take a while depending on the network setup and size. Look for EventID 1119 under Event Viewer->Directory Services to confirm that the server is now a GC.

Transfer FSMO roles from OldServer to NewServer

Before you can transfer the schema master role to the new server you must register a dll file. To do this, open a command prompt and type regsvr32 schmmgmt.dll then wait for the command to finish.

Transfer the Schema Master Role
1. Click Start, click Run, type mmc in the Open box, and then click OK.
2. On the File, menu click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema, click Add, click Close, and then click OK.
5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
8. Click Change.
9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role
1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.

NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
3. Do one of the following:
• In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

-or-
• In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
5. Click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.

-or-
• In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure – Must do all 3), and then click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.

Note: When configuring a forest with multiple domains and every domain controller is not a GC server you must not place the Infrastructure Master role on the same server holding the GC role. If configuring a server in a single domain forest, the GC and infrastructure master roles can both be on the same server. From http://support.microsoft.com/kb/223346/

Demote Old Server

Dcpromo.exe

Before running dcpromo.exe, ensure that the DNS settings for the Domain Controller’s network adapters are pointing to another DNS server. If it is pointing to it’s own IP address then it will not be able to continue once the AD DNS records are removed. This is only if the DC is running the DNS service.

Source: http://support.microsoft.com/kb/324801

Possibly Related Posts:

Use nslookup To Find MX Records

Oliver — Sun, 29 Jun 2008 17:14:06 +0000

I wasn’t sure if there was a way to do this but I found you can actually change the type of record you are looking up in windows with nslookup. After opening the nslookup console by typing nslookup at the command prompt, simply type:
set type=mx
I also found you can set type to any other lookup (ptr, a) and find the results. Nice and easy.