Mar 30

Securing a router or a switch involves not only filtering traffic with ACLs, but also means securing the device itself. Creating users with certain privilege levels is an important first step.  This can be done on a device by device basis or using a centralized authentication server. In any case, it involves using AAA (Authentication, Authorization and Accounting).

If using a centralized system for user authentication, the router or switch would be an authentication client. It will need to communicate with a server using a specialized protocol. Two such protocols are wide known: TACACS, a Cisco proprietary protocol and RADIUS, an open standard protocol. In a Cisco-centered  network, IOS authentication would work with Cisco’s ACS (Access Control Server), but in some cases , specially for lab purposes, ACS could be harder to get an setup.

A very quick way to setup an authentication server is to use FreeRADIUS, an open source server that uses the RADIUS protocol. It can be easily installed on a Linux box and used with minimum configurations. Here are the steps to setup:

Install the packet:

root@radiusserver# apt-get install freeradius

Add each client (router or switch) in the /etc/freeradius/clients.conf file. Each client is identified by its hostname and requires a password (secret).

root@radiusserver# vim /etc/freeradius/clients.conf

Client 192.168.0.2
{
secret = authentications3cr3t
shortname = ClientRouter

}

Add each user that is allowed on the device.

root@radiusserver# vim /etc/freeradius/users.conf

iosuser Cleartext-Password := “icanhazroot”
DEFAULT Auth-Type := Reject

Start or restart the FreeRADIUS server:

root@radiusserver# /etc/init.d/freeradius restart

On the client side (the network device), AAA needs to be enabled, the RADIUS server configured and then the authentication need to be set to use an external server.

ClientRouter(config)# aaa new-model
ClientRouter(config)# radius-server host $RADIUS_SERVER_IP auth 1812 acct 1813 key authentications3cr3t
ClientRouter(config)# aaa authentication login default group radius

This is a basic configuration of a FreeRADIUS server, but it can also provide features like LDAP intergration.

Dec 30

IOS + Linux = Quagga

Posted by Alex Juncu

Cisco IOS’s shell is a popular interface for devices in the networking world. But also in the network world, there are a lot of Linux/Open Source fans. The Quagga open source project tries to bring together IOS and Linux, by providing an IOS-like interface for configuring Linux’s interfaces, routing table and firewall, along side its own implementations of RIP, OSPF and BGP daemons.

The Quagga Software Routing Suite comes as a set of daemos. The main one is the zerbra daemon (Zebra is the old name of the project). This core daemon does the interaction with the Linux kernel and, also, with other daemons like ripd (RIP daemon), ospfd (OSPF daemon), bgpd (BGP daoemon). Quagga is modular, so you can implement new protocols if needed via a standard API.

To configure Quagga, you first need to start the daemons (at least the core one), in the /etc/quagga/daemons file. Each daemon has its own configuration file (ex. /etc/quagga/zebra.conf, /etc/quagga/ripd.conf etc.). Accessing the IOS-like shell is done via the vtysh command. Once in this shell, most commands available in Cisco’s IOS are available.

Router / # cd
Router ~ # vtysh

Hello, this is Quagga (version 0.99.18).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

Router# conf t
Router(config)# hostname  LinuxRouter
LinuxRouter(config)# exit
LinuxRouter# show ?
bgp             BGP information
clns            clns network information
daemons         Show list of running daemons
debugging       State of each debugging option

[...]

Keep in mind that some things are not 100% identical to a Cisco router (ex. the interface names). Here’s an example of how to configure an interface.

LinuxRouter# conf t
LinuxRouter(config)# interface  eth0
LinuxRouter(config-if)# ip address  141.85.42.1 ?
A.B.C.D/M  IP address (e.g. 10.0.0.1/8)
LinuxRouter(config-if)# ip address  141.85.42.1/24
LinuxRouter(config-if)# link-detect

Monitor output (show commands) are similar aside some Linux specific details (ex. Kernel routes are available in Linux, but not in IOS).

Router# sh ip route
Codes: K – kernel route, C – connected, S – static, R – RIP, O – OSPF,
I – ISIS, B – BGP, > – selected route, * – FIB route

K * 0.0.0.0/0 via 192.0.2.1, venet0 inactive
O 10.10.12.0/24 [110/10] is directly connected, eth0, 00:03:41
C>* 10.10.12.0/24 is directly connected, eth0
O 10.10.14.0/24 [110/10] is directly connected, eth1, 00:03:36
C>* 10.10.14.0/24 is directly connected, eth1
O>* 10.10.23.0/24 [110/20] via 10.10.12.2, eth0, 00:02:46
O>* 10.10.24.0/24 [110/20] via 10.10.12.2, eth0, 00:02:14
*via 10.10.14.4, eth1, 00:02:14
O>* 10.10.25.0/24 [110/20] via 10.10.12.2, eth0, 00:02:41
O>* 10.10.35.0/24 [110/30] via 10.10.12.2, eth0, 00:01:21
* via 10.10.14.4, eth1, 00:01:21
O>* 10.10.45.0/24 [110/20] via 10.10.14.4, eth1, 00:02:08
C>* 127.0.0.0/8 is directly connected, lo
C>* 127.0.0.1/32 is directly connected, venet0
C>* 172.10.10.0/32 is directly connected, venet0
K>* 192.0.2.1/32 is directly connected, venet0

Configuring a routing protocol instance is also similar:

LinuxRouter# conf t
LinuxRouter(config)# router ospf
LinuxRouter(config-router)# network  192.168.123.0/0 area 0

As you can see, coming from an IOS background, this tool is very easy to use on your Linux box. It is far from perfect since it doesn’t have the years in production like IOS or iproute2, but it is cool to test out.

Nov 4

In labs we use reverse telnet to access our equipment (as in “routers and switches”) directly into console. To make things a little bit easier for our students we created a web page with “telnet://” links pointing directly to each router/switch.
That should be enough to solve all those pesky little questions like “what was that address again ?”. And it is. At least when the computer used by our students is running Windows. But we do have a little problem because all our computers in the lab are running Ubuntu. And Firefox. And it appears that Firefox in Ubuntu doesn’t know how to handle “telnet://” links.

I solved the problem by installing Opera browser and add the telnet handler in Opera. Or even better, install Opera and Putty and use Putty to handle “telnet://”. But the problem with Firefox kept bugging me and even if I’m lazy i knew that it became personal.
So I started to search the allmighty internet. I found out that I can add telnet protocol in user prefs in Firefox. But it didn’t work. So I kept searching and finally I’ved put the bits and pieces together and solved the problem. Here it goes.

First thing to do is to tell Firefox that we WANT to use telnet:// links. To do that we must open Firefox and type “about:config” in address bar. And we create a new boolean preference (right click on an empty space), name it “network.protocol-handler.expose.telnet” and set the value “false” and restart the browser. That should be enough for Firefox to let us select an external application to open “telnet://” links.
From this point forward we can choose the easy way and choose putty or the hard way and use gnome-terminal/xterm/konsole. The “hard way” because telnet in terminal doesn’t know how to handle “address:port” format. So how should we do that ? Simple, we create a shell script and we use that script as the default application to open “telnet://” links in Firefox.

The script is pretty easy :


#!/bin/sh

address=`echo ${*##telnet://} | sed 's/:/ /g'`

#For xterm junkies :
xterm -e "telnet $address"

#For gnome-terminal users :
#uncomment the next line but comment
#all other terminal launchers (xterm, konsole)
#gnome-terminal -e "telnet $address"

#For konsole hipsters :
#konsole sends args separately to command so we use "" only for telnet
#uncomment the next line but comment
#all other terminal launchers (gnome-terminal, xterm)
#konsole -e "telnet" $address

And voila, sit back, relax and enjoy a cold beer…

Nov 3

Run remote procedures & GNS3

Posted by Dragos Draghicescu

An interesting and pretty new capability of Cisco IOS is scripting through TCL language. What is not that well documented is that you can configure a router in some situations and the interesting thing is that you can store the configuration procedure remotely, like on a tftp server for example. What I will present may be useful in lab environments, for simulation purposes. I used it to prepare a huge exercise for the CCNA 2 class.

First of all, I will suppose that you have configured a tftp server somewhere in your LAN. Second thing is you can configure a bridge between your Ethernet interface and a tap interface (a virtual interface, for use with the emulated router). In Linux, you can use the Bridge-utils and uml-utilities to do that. You can find a tutorial on how to do a bridge <here>.

Now lets get to work! :)

In GNS3 (ran as root) you have to link the router with a clouds tap interface. In the cloud configuration panel, add a tap interface into the NIO tap tab (lets say tap0). Next, configure the router interface IP address like its part of your LAN. You can ping your gateway to verify that.

It’s all said and done. The script I wrote reads a number of Loopback interfaces to be configured from the user input. The output looks like this:

IOS output

IOS output

The output is incomplete, but the script configured Loopback 0 to 4 with ip addresses.

I hope some will find what can be done with IOS TCL pretty interesting.

Good luck!

DD

Oct 26

Wake on LAN

Posted by Dragos Draghicescu

As I was looking through the DD-WRT Linux distribution capabilities I have seen an interesting protocol named Wake on LAN, allowing one to power up a device remotely.

Basically, for implementation, you have to configure the BIOS on the PC (usually in Power Management section) to support it. After that, your network card will remain active even after you power off the PC, waiting in a low-power state for a “magic packet” to turn it back on. I managed to implement it in a lab and it’s really nice to have full control over configuring a host PC from turn on to shut down. And in a lab with 45 PC’s.. it kind of helps :) .

I’ve played a little with an embedded ARM device with Linux, and cross-compiled the program <here> for use with the command line. The script that fires it lies <here>. I apologise for not having around the latest version at the time writing this. It looks like this:

WOL_screen

WOL_screen

You can look on the web for more information about WOL (it’s very well documented).

Good luck!

DD