Friday, December 7, 2012

Indonesian CCIE Dinner

Last night, I had an exclusive dinner for Indonesian CCIEs. This dinner was initiated by Mr. Himawan Nugroho, a famous Cisco Advanced Service Engineer from Cisco (http://www.himawan.nu/).


It was a cool dinner; we had a lot of great conversation and shared our experiences. Mr. Himawan & Mr. Tedhi have a vision of letting Indonesian CCIEs connect with each other by providing some kind of portal dedicated to the Indonesian CCIEs.

Although only several CCIEs attended this dinner, since a lot of them were either working abroad or had a job at that time, the event was really unforgettable \(^0^)/.


Thursday, November 22, 2012

Cert-Monkey Guy part-2

This week I just passed the CCNP Security, Alhamdulillah. Hmm, there is an interesting story about this certification.

I studied the Security track since, in my current employment, one of the biggest customers is currently 'Cisco-minded', so they deploy Cisco on all their LAN components. That is why I play around with security.

I played around with Cisco security technology, which involves the router, ASA, ACS, IPS, and VPN technologies, to fill my gap in security.

Suddenly my company wanted me to take the CCNP Security certification for project purposes. Given this opportunity, I just said "Yes", and started with CCNA Security from that time.

At the Associate and Professional level of Security in Cisco, they currently use a GUI instead of the CLI, so I had to port most of my stuff, which used the CLI, to the GUI. Sure enough the GUI is much simpler compared to the CLI one, especially in the VPN stuff \(^0^)/, but for troubleshooting purposes, I think the CLI is much more powerful ;)

When you get the opportunity, I think it is better to say 'yes' first instead of analyzing the 'additional work' ;)


Wednesday, October 3, 2012

Deploying 802.1X in Cisco Catalyst Switch

802.1X is a method to authenticate a user before granting access at Layer 2 (port-based network access control). In this post, I will share how to deploy a simple 802.1X setup on a Cisco Catalyst switch.



In this lab I tried to configure the switch (a 3560) for an 802.1X implementation. Before we move on, I'm going to give the L2 diagram:





The lab scenario is as follows: SW2 will implement the 802.1X feature on Fa0/21 towards the Windows XP client. SW2 will use ACS as the RADIUS server; both authentication and authorization will be provided by the ACS. I used the old ACS v4.2.

If the supplicant (client) doesn't support 802.1X, the switch will assign VLAN 999 (the guest VLAN) to Fa0/21. If the supplicant authenticates successfully, the client will be placed in VLAN 10 (pushed by RADIUS). If the client FAILS to authenticate, it will be put in VLAN 666 (the restricted VLAN)!

Before we start, in order to make sure Windows XP is capable of doing 802.1X, we must first make sure the Wired AutoConfig service is enabled (Run → services.msc), and switch the authentication method to MD5-Challenge :)

Here is the config of the switch:
!
! Last configuration change at 16:06:32 UTC Wed Feb 15 2012 by ciscolab
! NVRAM config last updated at 15:01:58 UTC Wed Feb 15 2012
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$TOml$h6t3G4CdauK.G6AWOtSEk1
!
username admin privilege 15 secret 5 $1$49uN$FQNcFpUOdQpds2Ne2q7Zz1
username sdd privilege 15 secret 5 $1$S2Wi$i8KNWS/rcCWBprsMDuaMi/
username ciscolab privilege 15 secret 5 $1$pabM$41n8I8AjEhmdqvNPoja3./
!
!
aaa new-model
!
!
aaa authentication login CONSOLE local
aaa authentication dot1x default group radius local-case
aaa authorization network default group radius local
!
!
!
aaa session-id common
system mtu routing 1500
vtp domain HAMSTERVIEL
vtp mode transparent
ip routing
no ip domain-lookup
ip host ASA 10.24.64.10
ip host R1 110.5.46.1
ip host R2 10.24.64.2
!
!
dot1x system-auth-control
dot1x test timeout 30
dot1x guest-vlan supplicant
!
!
!
errdisable detect cause security-violation shutdown vlan
errdisable recovery cause security-violation
errdisable recovery interval 30
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
 name SUCCESS_802.1X
!
vlan 13,20,23,100
!
vlan 666
 name FAILED_802.1X
!
vlan 999
 name GUEST_VLAN
!
!
interface FastEthernet0/21
 switchport access vlan 666
 switchport mode access
 switchport nonegotiate
 authentication event fail action authorize vlan 666
 authentication event no-response action authorize vlan 999
 authentication port-control auto
 authentication timer restart 30
 authentication timer inactivity 1800
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
!
interface Vlan20
 ip address 192.168.12.12 255.255.255.0
!
ip classless
ip http secure-server
!
!
ip sla enable reaction-alerts
logging trap debugging
logging 192.168.12.213
!
radius-server host 192.168.12.213 auth-port 1645 acct-port 1646 key CISCO
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication CONSOLE
line vty 5 15
!
end
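Before trusting a config like the one above, it is worth checking mechanically that every piece the design depends on is actually there (global AAA and dot1x enablement, the RADIUS server, and the per-port commands), and noting where secrets sit in cleartext. The following is an added example, not the page's own tooling and not a Cisco feature: a minimal IOS-style config reader (top-level commands plus indented interface sub-commands) and an audit over it. SAMPLE_CONFIG is an excerpt of the SW2 config shown above; the list of required commands is this lab's design, not a general Cisco baseline.

```python
"""
Audit a Catalyst running-config for the 802.1X settings this lab relies on.
Added example, not from the page or from Cisco; SAMPLE_CONFIG is an excerpt
of the switch config shown above.
"""

# Global commands that must be present for 802.1X to work at all.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "dot1x system-auth-control",
    "aaa authentication dot1x default group radius",
    "radius-server host ",
)
# Per-port commands for an authenticated access port in this design.
REQUIRED_ON_PORT = (
    "switchport mode access",
    "authentication port-control auto",
    "dot1x pae authenticator",
    "authentication event fail action authorize vlan",
    "authentication event no-response action authorize vlan",
)

SAMPLE_CONFIG = """\
no service password-encryption
hostname SW2
aaa new-model
aaa authentication dot1x default group radius local-case
aaa authorization network default group radius local
dot1x system-auth-control
vlan 10
 name SUCCESS_802.1X
interface FastEthernet0/21
 switchport access vlan 666
 switchport mode access
 switchport nonegotiate
 authentication event fail action authorize vlan 666
 authentication event no-response action authorize vlan 999
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
interface FastEthernet0/22
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
radius-server host 192.168.12.213 auth-port 1645 acct-port 1646 key CISCO
end
"""


def parse_ios(text):
    """Split into top-level commands and {interface name: [sub-commands]}."""
    top, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:          # sub-command of an interface block
                interfaces[current].append(raw.strip())
            continue                          # other indented blocks (vlan, line) are ignored here
        current = None
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        else:
            top.append(raw.strip())
    return top, interfaces


def _has(lines, prefix):
    return any(line.startswith(prefix) for line in lines)


def audit(text, dot1x_ports):
    """Return (scope, message) findings; an empty list means the config passes."""
    top, interfaces = parse_ios(text)
    findings = []
    for req in REQUIRED_GLOBAL:
        if not _has(top, req):
            findings.append(("global", "missing: " + req))
    if "no service password-encryption" in top:
        findings.append(("global", "password encryption disabled: the RADIUS key is stored in cleartext"))
    for port in dot1x_ports:
        sub = interfaces.get(port)
        if sub is None:
            findings.append((port, "interface not found"))
            continue
        for req in REQUIRED_ON_PORT:
            if not _has(sub, req):
                findings.append((port, "missing: " + req))
    for name, sub in interfaces.items():
        if name not in dot1x_ports and _has(sub, "switchport mode access") \
                and not _has(sub, "authentication port-control"):
            findings.append((name, "access port without 802.1X (confirm this is intended)"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG, ["FastEthernet0/21"]):
        print(f"{scope}: {msg}")
```

Run against the lab config, the audit passes Fa0/21 and raises two points to review: `no service password-encryption` leaves the RADIUS key `CISCO` readable in any saved or shared copy of the config (type 7 encoding is only obfuscation, but it keeps secrets out of casual view), and Fa0/22 is an access port with no authentication, which is intended here because that is where the ACS lives.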

For the RADIUS configuration, we have to enable attributes 64, 65, 81, and 83 in the RADIUS (IETF) section of ACS and then fill in the following values :)
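What those IETF attributes carry is easier to see on the wire than in the ACS screen. The example below is added here and is not the page's own code or ACS output: it builds the Access-Accept a RADIUS server would send for a successful authentication, with attributes 64 (Tunnel-Type), 65 (Tunnel-Medium-Type) and 81 (Tunnel-Private-Group-ID) encoded as RFC 2868 tagged values, then parses the VLAN back out the way the switch has to, and recomputes the Response Authenticator with the shared secret. The secret `CISCO` is the one in the lab config above; the packet identifier, the Request Authenticator and the VLAN value are constructed for the demo. The lab uses MD5-Challenge (EAP-MD5) between supplicant and ACS, which gives no mutual authentication and is fine for a lab only; between switch and ACS, the integrity of the VLAN assignment rests entirely on that shared secret, which is why the verification step is not optional.

```python
"""
Build, parse and verify the RADIUS Access-Accept that carries a dynamic VLAN
in IETF attributes 64, 65 and 81 (RFC 2868).  Added example: not the page's
code and not ACS output.  Identifier, Request Authenticator and VLAN are
constructed for the demo; the shared secret CISCO is the lab's.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2

TUNNEL_TYPE = 64              # tagged integer: 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # tagged integer: 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # tagged string: the VLAN id (or VLAN name)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _avp(atype, value):
    """One attribute-value pair: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _tagged_int(tag, n):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte integer."""
    return bytes([tag]) + n.to_bytes(3, "big")


def build_access_accept(ident, request_auth, secret, vlan, tag=1):
    """Access-Accept with the three VLAN attributes, all carrying the same tag."""
    attrs = (
        _avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
        + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator (RFC 2865 s.3): MD5 over Code+ID+Length, the
    # Request Authenticator the switch sent, the attributes and the secret.
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """True only if the packet was produced by a server holding our secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(payload):
    """Return (type, value) pairs; a bad length is an error, not a guess."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        out.append((atype, payload[i + 2:i + alen]))
        i += alen
    return out


def vlan_from_access_accept(packet, request_auth, secret):
    """VLAN the authenticator should apply, or None if no consistent set of
    tunnel attributes is present (the port then keeps its static VLAN)."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: discard packet")
    if packet[0] != ACCESS_ACCEPT:
        return None
    groups = {}  # tag -> {attribute type: decoded value}
    for atype, val in parse_attributes(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            groups.setdefault(val[0], {})[atype] = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and len(val) >= 2:
            # A first byte above 0x1F is part of the string, not a tag (RFC 2868 s.3.6).
            tag, text = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            groups.setdefault(tag, {})[atype] = text.decode(errors="replace")
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator
    pkt = build_access_accept(7, req_auth, b"CISCO", 10)
    print("VLAN pushed by RADIUS:", vlan_from_access_accept(pkt, req_auth, b"CISCO"))
    print("verifies with wrong secret:", verify_response(pkt, req_auth, b"WRONG"))
```

The three attributes are grouped by tag before the VLAN is accepted, because a server may return several tunnel groups and only a group whose Tunnel-Type is VLAN and whose Tunnel-Medium-Type is IEEE-802 describes a VLAN assignment; an Accept without a complete group leaves the port in its configured VLAN, which on Fa0/21 above is 666.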



Here is some of the verification:
SW2#show dot1x interface fa0/21
Dot1x Info for FastEthernet0/21
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30




First of all, I tried disabling the 802.1X feature on Windows XP. After I plugged in the cable, the switch printed syslog messages like these. If the client gives no response (does not support 802.1X), it will be assigned VLAN 999:

Feb 15 16:23:00.274: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/21 AuditSessionID
Feb 15 16:23:00.274: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-5-VLANASSIGN: VLAN 999 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
SW2(config-if)#
Feb 15 16:23:01.290: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up
Feb 15 16:23:01.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/24, Gi0/1
                                                Gi0/2
10   SUCCESS_802.1X                   active   
13   VLAN0013                         active
20   VLAN0020                         active    Fa0/22
23   VLAN0023                         active
100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/16
666  FAILED_802.1X                    active
999  GUEST_VLAN                       active    Fa0/21
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

If the client logs in successfully, it will be assigned VLAN 10:
SW2(config-if)#
Feb 15 16:30:59.121: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:10.798: %DOT1X-5-SUCCESS: Authentication successful for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID
Feb 15 16:31:10.798: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:10.798: %AUTHMGR-5-VLANASSIGN: VLAN 10 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:11.822: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up
Feb 15 16:31:11.839: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/24, Gi0/1
                                                Gi0/2
10   SUCCESS_802.1X                   active    Fa0/21
13   VLAN0013                         active
20   VLAN0020                         active    Fa0/22
23   VLAN0023                         active
100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/16
666  FAILED_802.1X                    active
999  GUEST_VLAN                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup


If the client fails authentication, it will be put in VLAN 666 (the restricted VLAN):
Feb 15 17:32:58.588: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26
SW2(config-if)#
Feb 15 17:33:12.153: %DOT1X-5-FAIL: Authentication failed for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID
SW2(config-if)#
Feb 15 17:33:12.153: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26
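The three syslog excerpts above (no response, success, failure) are exactly what a collector should be watching on an 802.1X edge, since the switch forwards them to the syslog host configured with `logging 192.168.12.213`. The following is an added example, not the page's tooling and not a Cisco feature: it parses the AUTHMGR and DOT1X lines, folds them into one record per (port, AuditSessionID), and attaches alerts. SAMPLE_LOG copies the switch output from this post, prompt echoes included to show they are skipped; the VLAN roles follow the lab (10 success, 666 fail, 999 guest), so a result whose assigned VLAN disagrees with that policy is flagged as well.

```python
"""
Reduce Catalyst AUTHMGR/DOT1X syslog output to one record per authentication
session, with alerts a collector can act on.  Added example, not the page's
tooling.  SAMPLE_LOG copies the switch lines from this post.
"""
import re

GUEST_VLAN = 999
RESTRICTED_VLAN = 666
EXPECTED_VLAN = {"no-response": GUEST_VLAN, "fail": RESTRICTED_VLAN}  # success VLAN comes from RADIUS

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %(?P<fac>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnem>[A-Z]+): (?P<msg>.*)$")
CLIENT_RE = re.compile(r"client \(([^)]+)\)")
PORT_RE = re.compile(r"Interface ([A-Za-z]+\d[\d/]*)")
SESSION_RE = re.compile(r"AuditSessionID ([0-9A-Fa-f]{8,})")
RESULT_RE = re.compile(r"Authentication result '([\w-]+)'")
VLAN_RE = re.compile(r"VLAN (\d+) assigned")

SAMPLE_LOG = """\
Feb 15 16:23:00.274: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/21 AuditSessionID
Feb 15 16:23:00.274: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-5-VLANASSIGN: VLAN 999 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
SW2(config-if)#
Feb 15 16:23:01.290: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up
Feb 15 16:23:01.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:30:59.121: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:10.798: %DOT1X-5-SUCCESS: Authentication successful for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID
Feb 15 16:31:10.798: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:10.798: %AUTHMGR-5-VLANASSIGN: VLAN 10 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:11.839: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 17:32:58.588: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26
SW2(config-if)#
Feb 15 17:33:12.153: %DOT1X-5-FAIL: Authentication failed for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID
Feb 15 17:33:12.153: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26
"""


def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def parse_line(line):
    """Fields from one syslog line, or None for prompt echoes and show output."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    msg = ev["msg"]
    ev["client"] = _first(CLIENT_RE, msg)
    ev["port"] = _first(PORT_RE, msg)
    ev["session"] = _first(SESSION_RE, msg)
    ev["result"] = _first(RESULT_RE, msg)
    vlan = _first(VLAN_RE, msg)
    ev["vlan"] = int(vlan) if vlan else None
    return ev


def alerts_for(rec):
    alerts = []
    if rec["result"] == "no-response":
        alerts.append("guest-vlan-fallback")  # a device that cannot do 802.1X still got a VLAN
    elif rec["result"] == "fail":
        alerts.append("auth-failure")
    expected, vlan = EXPECTED_VLAN.get(rec["result"]), rec["vlan"]
    if vlan is not None and ((expected is not None and vlan != expected)
                             or (rec["result"] == "success" and vlan in (GUEST_VLAN, RESTRICTED_VLAN))):
        alerts.append("unexpected-vlan")  # switch policy and the RADIUS answer disagree
    return alerts


def summarize(log_text):
    """One record per (port, AuditSessionID), in first-seen order."""
    sessions, current = {}, {}  # DOT1X lines carry no session id: attach them to the port's current one
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["fac"] not in ("AUTHMGR", "DOT1X") or not ev["port"]:
            continue
        port = ev["port"]
        if ev["session"]:
            key = (port, ev["session"])
            if key not in sessions and (port, None) in sessions:
                sessions[key] = sessions.pop((port, None))  # adopt lines logged before the id appeared
                sessions[key]["session"] = ev["session"]
            current[port] = key
        else:
            key = current.get(port, (port, None))
        rec = sessions.setdefault(key, {"port": port, "session": key[1], "client": None, "result": None, "vlan": None})
        for field in ("client", "result", "vlan"):
            if ev[field] is not None:
                rec[field] = ev[field]
    for rec in sessions.values():
        rec["alerts"] = alerts_for(rec)
    return list(sessions.values())


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec["port"], rec["client"], rec["result"], rec["vlan"], rec["alerts"])
```

Note that the guest-VLAN case is also reported by the switch as `%AUTHMGR-5-SUCCESS: Authorization succeeded`, so alerting on the SUCCESS mnemonic alone would hide exactly the sessions where an unauthenticated device was given network access; the `no-response` result on the preceding RESULT line is what distinguishes it.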