Posts Tagged ‘Active Directory’

ASA RADIUS authentication

RADIUS authentication is a good easy way to integrate Cisco login with AD credentials.

I had to configure a new RADIUS server today and it is a great opportunity to go over the commands, in my case it is done on ASA 5505.

This is all you have to configure on the Cisco side:

aaa-server vpn protocol radius
aaa-server vpn (inside) host
key password

Let’s break down the commands:
aaa-server vpn -> vpn is the group name (used later as a tunnel-group attribute)
protocol radius -> sets the authentication type to RADIUS
aaa-server vpn (inside) -> names the interface through which the RADIUS server is reached; inside in this case is the firewall LAN
host -> IP address of the RADIUS server
key password -> sets the shared secret. The RADIUS key must match between the router (here the ASA) and the RADIUS server.
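As an added illustration (not the author's configuration and not code from the ASA or from IAS), the following Python script walks through one RADIUS Access-Request / Access-Accept exchange as specified in RFC 2865, with the client (the ASA's role) and the server running in one process. It shows what the shared key configured with `key password` is used for: hiding the User-Password attribute and signing the server's reply, so that a mismatched key produces an Access-Reject on the server and a failed Response Authenticator check on the client. The user name, password, NAS address 192.0.2.1 and the secrets are constructed sample values, and the user store is a dictionary standing in for IAS/AD.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 section 5.2 User-Password hiding. Each 16-byte block is XORed with
    MD5(secret + previous block); the first 'previous block' is the 16-byte Request
    Authenticator. On decrypt the chain feeds the ciphertext block forward."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = block if decrypt else result
    return out


def hide_password(password, secret, request_auth):
    """Client side: pad the password with NULs to a multiple of 16 bytes and hide it."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, request_auth, decrypt=False)


def reveal_password(hidden, secret, request_auth):
    """Server side: undo the hiding and strip the NUL padding."""
    return _xor_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def _pack_attrs(attr_list):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attr_list)


def _parse_attrs(blob):
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated RADIUS attribute")
        t, length = struct.unpack("!BB", blob[i:i + 2])
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute length")
        attrs[t] = blob[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, nas_ip, secret):
    """Client (the ASA in the post) builds an Access-Request with a fresh random
    Request Authenticator; the header is Code(1) Identifier(1) Length(2)."""
    request_auth = os.urandom(16)
    attrs = _pack_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def server_respond(packet, secret, user_db):
    """Server: recover the password with its own copy of the secret, look the user
    up, and sign the reply with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user_db.get(attrs.get(USER_NAME)) == password
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    resp_auth = hashlib.md5(header + request_auth + secret).digest()  # no reply attributes
    return header + resp_auth


def client_verify(request, response, secret):
    """Client: accept the reply only if the Identifier echoes the request and the
    Response Authenticator verifies under the client's secret. A mis-keyed or
    spoofed server fails here, which is where a wrong `key` shows up on the ASA side."""
    _code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return ident == request[1] and hmac.compare_digest(expected, response[4:20])


def run_exchange(client_secret, server_secret):
    """Run one exchange in-process; returns (reply code, client accepted the reply)."""
    user_db = {b"jdoe": b"Passw0rd!"}  # constructed user store standing in for IAS/AD
    request = build_access_request(7, b"jdoe", b"Passw0rd!", "192.0.2.1", client_secret)
    response = server_respond(request, server_secret, user_db)
    return response[0], client_verify(request, response, client_secret)


if __name__ == "__main__":
    print("matching keys:", run_exchange(b"s3cret", b"s3cret"))    # (2, True)
    print("mismatched keys:", run_exchange(b"s3cret", b"wr0ng"))   # (3, False)
```

Two design points worth noting for a deployment: the User-Password hiding is only as strong as the shared secret, since MD5 of secret plus a public authenticator is all that keys it, so a long random key and a management-only path between the ASA and the RADIUS server matter more than the algorithm; and the client check in `client_verify` is what makes a wrong `key` visible as a failed authentication rather than a silent acceptance of an unverified reply.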

Applying this to a tunnel group is also very simple:

tunnel-group Web_Users general-attributes
authentication-server-group vpn LOCAL

The RADIUS side is almost as easy as the Cisco side. I’m using Microsoft IAS on one of my management 2003 servers. I had to hide some of the parameters but the idea is clearly presented:

And the properties of my ASA connection – this is where you use the password we typed on the router:


Rename a Computer using Netdom.exe

March 18, 2010

It is one of those daily tasks that we don’t think about too much: renaming a computer.
Using the first-initial-plus-last-name method, I set machine names for my XP users. When possible I prefer the window-based method described in KB295017. First open System Properties using any one of the following:

  • Click Start, right-click My Computer, and then click Properties.
  • Click Start, click Run, type sysdm.cpl, and then click OK.
  • Click Start, click Control Panel, double-click Performance and Maintenance, and then click System.

And the next step:

  1. Click the Computer Name tab, and then click Change.
  2. Type the new computer name in the Computer name dialog box.
  3. Type the new domain or workgroup in either the Domain dialog box or the Workgroup dialog box.
  4. Click More to change the primary Domain Name System (DNS) suffix.
  5. Click OK three times, and then restart the computer.

This is all nice and easy to follow, BUT it does not always work.
Today when I tried to rename a PC, the following error appeared:

A connection to the server could not be performed because the maximum number of simultaneous connections has been reached.

It is not the first time I’ve seen it, and though you would expect it to disappear after you reboot the machine, the same error shows up every time.

At this point there are two types of administrators: the first type is the warrior who spends hours or days finding the reason, posts the problem on every forum and maybe (but not always) finds a solution.
I’m the other type, the busy administrator who cannot afford to spend so much time on something that can be resolved in a few minutes using a different method.

If you have never heard of Netdom.exe (and the Windows XP Support Tools), it is about time. If you’re familiar with this package, and specifically with Netdom.exe, I’m sure a reminder wouldn’t hurt.

This is the syntax used to change a machine name using Netdom.exe (placeholders in angle brackets are replaced with your own values):

netdom renamecomputer <machine> /newname:<new_computername> /userd:<domainname>\<administrator_id> /passwordd:* /usero:<local_admin> /passwordo:* /reboot:<seconds before automatic reboot>

You can find the full details either on the KB page or via the command-line help.

After hitting the Enter key you’ll be prompted for one or two passwords, depending on the options you chose (the * after /passwordd and /passwordo means "prompt for it"). A few seconds later the process is complete, and after you reboot the computer (automatically via the /reboot option, or manually if you didn’t use it) the machine will have its new name in Active Directory.

Securing your Router

January 15, 2010

The Device Hardening chapter is loooong and very detailed. If you’re coming off your CCNA exam you will be familiar with many of the subjects, the difference being the level of detail.

The first part reviews management protocols, their security weaknesses and ways to secure them better. Going over SNMP, NTP and SSH, I found it a funny coincidence that an upgrade of our time server was due the same week, using an NTP v3 based solution…
I use Domain Time II, a time sync product that provides time synchronization for the network plus detailed reports and audit capabilities for the compliance officer. So here is the real-life connection to my study materials 🙂

I found the Network Attacks topic very interesting, but the details, oh the details. Though I was familiar with most of the attacks and their capabilities, it surprised me how many variants and counter-attack options there are. I will definitely have to watch that video again and read the related paragraphs in the book; I bet those details will be in the exam.
One question I couldn’t answer is why the word Reconnaissance was chosen over Spying? It is such a weird name for a network attack…

Using ASA & PIX, I get to work with ASDM many times. It was nice to see that Cisco allows many of the CLI commands in SDM, and after the earlier VPN configuration, which proved to be much easier using SDM on both ends of the connection, AutoSecure adds to the SDM value. Using AutoSecure to test the network is a great tool even if you’re not going to fix anything, and fixing problems is easy and intuitive.

Out of this whole list of attacks and their solutions I found one new topic, something I never saw in the real world and, as long as I work in the small to mid-size organization sphere, I do not think I’ll ever see: Role-Based CLI.
Creating Views and Superviews reminds me of Active Directory, where you can place a few different groups into one bigger group and each of these groups can join different groups.
A View is a set of commands that can be assigned to a user.
A Superview is a group of Views that can be assigned to a user as a package.
If you find this topic interesting you can check this configuration example.

Two weeks later and I can start thinking about exam dates. I’m not there yet, but as I get closer to the end of the reading, watching and summarizing, I know that for this exam only a few selected topics require a full, comprehensive second review.
My plan for the coming long weekend is to finish the last topics and start working on my lab. I’ll have to figure out which way to go with the lab and will post my setup in the coming days.