All posts by patrickpreuss

How to use RADIUS for Authentication

How to use RADIUS on Cisco ASA for Shell and Web Authentication

Assume the RADIUS servers are:

Cisco ACS Server 1: 10.120.10.11
Cisco ACS Server 2: 10.120.10.12

[sourcecode gutter="false" autolinks="false"]
! RADIUS server group; both hosts are reached via the Management interface
aaa-server AAA-RADIUS protocol radius
!
aaa-server AAA-RADIUS (Management) host 10.120.10.11
key YYYYXXXYYY
!
aaa-server AAA-RADIUS (Management) host 10.120.10.12
key YYYYXXXYYY
!
! Delete the old local-only configuration
no aaa authentication http console LOCAL
no aaa authentication ssh console LOCAL
!
! Authenticate against RADIUS first, fall back to the local database
aaa authentication http console AAA-RADIUS LOCAL
aaa authentication ssh console AAA-RADIUS LOCAL
aaa authentication enable console AAA-RADIUS LOCAL
aaa authorization command AAA-RADIUS LOCAL
!
[/sourcecode]

If you have already configured aaa authentication for SSH, you might see something like this:

[sourcecode autolinks="false" gutter="false" highlight="2"]
asa1(config)# aaa authentication ssh console AAA-RADIUS LOCAL
Range already exists.
[/sourcecode]

In that case you must first remove the existing aaa authentication line and then add the new setting:

[sourcecode autolinks="false" gutter="false"]
no aaa authentication ssh console LOCAL
aaa authentication ssh console AAA-RADIUS LOCAL
[/sourcecode]
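As an added example (not part of the original post), a small Python helper that reads an ASA config excerpt, checks that the RADIUS server group has two hosts, and emits the `no aaa authentication ...` line before the new line for every service that already has one, so the "Range already exists." error above does not occur. The config excerpt is constructed, and `parse_aaa` and `migration_commands` are names chosen here.

```python
import re

# Constructed sample of an ASA running-config excerpt (not from a real device):
# two RADIUS hosts, ssh still LOCAL-only, http already migrated.
RUNNING_CONFIG = """\
aaa-server AAA-RADIUS protocol radius
aaa-server AAA-RADIUS (Management) host 10.120.10.11
 key YYYYXXXYYY
aaa-server AAA-RADIUS (Management) host 10.120.10.12
 key YYYYXXXYYY
aaa authentication ssh console LOCAL
aaa authentication http console AAA-RADIUS LOCAL
"""

AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
HOST_RE = re.compile(r"^aaa-server (\S+) \(\S+\) host (\S+)$")

def parse_aaa(config):
    """Return ({service: (group, fallback)}, {server_group: [hosts]})."""
    auth, hosts = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = AUTH_RE.match(line)
        if m:
            auth[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = HOST_RE.match(line)
        if m:
            hosts.setdefault(m.group(1), []).append(m.group(2))
    return auth, hosts

def migration_commands(config, group, services=("ssh", "http", "enable")):
    """CLI lines that point each console service at `group` with LOCAL fallback.
    A service that already has an authentication line gets a matching 'no' line
    first; without it the ASA answers 'Range already exists.' and keeps the old one."""
    auth, hosts = parse_aaa(config)
    if len(hosts.get(group, [])) < 2:
        # a single RADIUS host leaves no redundancy before the LOCAL fallback
        raise ValueError(f"server group {group} should have at least two hosts")
    cmds = []
    for svc in services:
        current = auth.get(svc)
        if current == (group, "LOCAL"):
            continue  # already in the desired state, emit nothing
        if current is not None:
            cmds.append("no aaa authentication %s console %s"
                        % (svc, " ".join(x for x in current if x)))
        cmds.append(f"aaa authentication {svc} console {group} LOCAL")
    return cmds
```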

If you feel this helps a bit, or maybe not, please leave a comment.

How to use RADIUS/TACACS+ and Certificate-based Authentication for AnyConnect VPN

First you have to install a valid certificate on the ASA, then change the following in the configuration:

[sourcecode]
tunnel-group SSLClientProfile general-attributes
authentication-server-group AAA-TACACS+
!
! require both AAA credentials and a client certificate
tunnel-group SSLClientProfile webvpn-attributes
authentication aaa certificate
[/sourcecode]

Then a client can connect to the ASA only with both a username (checked against the AAA server group) and a user certificate.


How to authenticate AnyConnect VPN against Tacacs+


Authentication against TACACS+ is quite easy to configure.

Just add the TACACS+ servers as described here.
Then add the following to the configuration:

[sourcecode]
tunnel-group SSLClientProfile general-attributes
authentication-server-group AAA-TACACS+
[/sourcecode]

If you feel this helps a bit, or maybe not, please leave a comment.

Cisco ASA5500 Setup


In my test environment I have an ASA5510 with a basic configuration. You can use this as a starting point for configuring the ASA5500 series firewalls.

The ASA5510 is connected behind the outside ASA5500 firewall; this ASA will do the packet filtering,
because I am a friend of KISS ("keep it simple and straightforward"): things get complicated by themselves.
For the same reasons I like diving after the DIR ("Do it right") method.

In this post we will begin with a basic setup of the ASA firewall. In the next posts I will describe other topics based on this setup.


How to configure Cisco ASA 5500 for AnyConnect Client

So I was testing some things with authentication on the ASA firewall and the AnyConnect client in the last days, and I feel it is time to write things down a little bit.

First I discovered that we have the same problem with the Windows 7 firewall: Windows does not detect the interface, so the firewall does not see that we are part of the domain :-( Sad, very sad. But as I described here, there is a workaround, although it is not supported by Cisco in any way.
But anyhow, we have to move to the AnyConnect client to get VPN running with WWAN cards.

So let's begin with a basic setup: only local users, and connecting to the ASA with the AnyConnect client.
No complex things, just connectivity. So we will start here with the configuration.
In the next posts we will move on to the more complex things.


Playground

This is a little playground.

For testing some WordPress things.

Sourcecode

[sourcecode]

some lines
just for playing around with the stuff
[/sourcecode]


CMAS **


Today I finished the last open-water exercises for the CMAS **.

So now it is time for diving again :-) Next week I will go and collect my drysuit from SF-1 and then slowly start preparing for the course "Tauchsicherheit und Rettung" (diving safety and rescue).

Dive                        No.     Where
Dive 1                      43      Blausteinsee, Eschweiler, Germany
Dive 2                      39      Blausteinsee, Eschweiler, Germany
Dive 3                      48      Blausteinsee, Eschweiler, Germany
Dive 4                      35      Blausteinsee, Eschweiler, Germany
Dive 5 (part 1 / part 2)    46, 47  Blausteinsee, Eschweiler, Germany

48 dives.

My diving history.


CMAS ** Dive 5 (Part 2)

Today CMAS** dive 5 was on the schedule: the rescue exercises.

We practised the rescue from 12 metres once more.

Dive number   47
Dive site     Blausteinsee, Eschweiler, Germany
Depth         18 metres
Duration      30 minutes
Temperature   <Temperatur> °
Visibility    1-10 metres

My diving history.
The worst day diving is better than the best day working :-)


Cisco VPN Clients are not recognized by Windows 7 Firewall

As I described earlier, we have problems with the Cisco IPSec VPN Client and WWAN cards, so we are testing the AnyConnect client. We are now facing a common problem with both clients.

We discovered that the network adapter created by the Cisco IPSec VPN Client (version 5.0.07.0290) and also by the Cisco AnyConnect SSL VPN Client (version 2.5.0217) is not recognized by the Windows 7 Advanced Firewall as a domain network, and therefore the AD group policy for the firewall is not applied.

As a workaround you can drop the following lines from the "vpnva.inf" file in the AnyConnect package:
[sourcecode]
;Vista specific entry — benign on 2K/XP
HKR, , *NdisDeviceType, 0x00010001, 1
[/sourcecode]
or delete the corresponding key for the adapter from the registry.

If you feel this helps a bit, or maybe not, please leave a comment.