CCIE Security V4 Lab Workbook SAMPLE

Piotr Matusiak
CCIE #19860
R&S, Security
C|EH, CCSI #33705
Narbik Kocharians
CCIE #12410
R&S, Security, SP
CCSI #30832
Micronics Training Inc. © 2013
CCIE SECURITY v4 Lab Workbook
Table of Contents

ASA Firewall
LAB 1.1.  BASIC ASA CONFIGURATION ... 8
LAB 1.2.  BASIC SECURITY POLICY ... 17
LAB 1.3.  DYNAMIC ROUTING PROTOCOLS ... 29
LAB 1.4.  ASA MANAGEMENT ... 46
LAB 1.5.  STATIC NAT (8.2) ... 59
LAB 1.6.  DYNAMIC NAT (8.2) ... 67
LAB 1.7.  NAT EXEMPTION (8.2) ... 77
LAB 1.8.  STATIC POLICY NAT (8.2) ... 81
LAB 1.9.  DYNAMIC POLICY NAT (8.2) ... 91
LAB 1.10. STATIC NAT (8.3+) ... 99
LAB 1.11. DYNAMIC NAT (8.3+) ... 115
LAB 1.12. BIDIRECTIONAL NAT (8.3+) ... 126
LAB 1.13. MODULAR POLICY FRAMEWORK (MPF) ... 131
LAB 1.14. FTP ADVANCED INSPECTION ... 138
LAB 1.15. HTTP ADVANCED INSPECTION ... 146
LAB 1.16. INSTANT MESSAGING ADVANCED INSPECTION ... 156
LAB 1.17. ESMTP ADVANCED INSPECTION ... 159
LAB 1.18. DNS ADVANCED INSPECTION ... 164
LAB 1.19. ICMP ADVANCED INSPECTION ... 169
LAB 1.20. CONFIGURING VIRTUAL FIREWALLS ... 175
LAB 1.21. ACTIVE/STANDBY FAILOVER ... 198
LAB 1.22. ACTIVE/ACTIVE FAILOVER ... 212
LAB 1.23. REDUNDANT INTERFACES ... 239
LAB 1.24. TRANSPARENT FIREWALL ... 246
LAB 1.25. THREAT DETECTION ... 260
LAB 1.26. CONTROLLING ICMP AND FRAGMENTED TRAFFIC ... 264
LAB 1.27. TIME BASED ACCESS CONTROL ... 270
LAB 1.28. QOS - PRIORITY QUEUING ... 276
LAB 1.29. QOS - TRAFFIC POLICING ... 280
LAB 1.30. QOS - TRAFFIC SHAPING ... 285
LAB 1.31. QOS - TRAFFIC SHAPING WITH PRIORITIZATION ... 290
LAB 1.32. SLA ROUTE TRACKING ... 296
LAB 1.33. ASA IP SERVICES (DHCP) ... 303
LAB 1.34. URL FILTERING AND APPLETS BLOCKING ... 310
LAB 1.35. TROUBLESHOOTING USING PACKET TRACER AND CAPTURE TOOLS ... 314

Site-to-Site VPN
LAB 1.36. BASIC SITE TO SITE IPSEC VPN MAIN MODE (IOS-IOS) ... 326
LAB 1.37. BASIC SITE TO SITE IPSEC VPN AGGRESSIVE MODE (IOS-IOS) ... 352
LAB 1.38. BASIC SITE TO SITE VPN WITH NAT (IOS-IOS) ... 369
LAB 1.39. IOS CERTIFICATE AUTHORITY ... 385
LAB 1.40. SITE-TO-SITE IPSEC VPN USING PKI (ASA-ASA) ... 396
LAB 1.41. SITE-TO-SITE IPSEC VPN USING PKI (IOS-IOS) ... 410
LAB 1.42. SITE-TO-SITE IPSEC VPN USING PKI (STATIC IP IOS-ASA) ... 420
LAB 1.43. SITE-TO-SITE IPSEC VPN USING PKI (DYNAMIC IP IOS-ASA) ... 440
LAB 1.44. SITE-TO-SITE IPSEC VPN USING PSK (IOS-ASA HAIRPINNING) ... 461
LAB 1.45. SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-IOS) ... 475
LAB 1.46. SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-ASA) ... 484
LAB 1.47. SITE-TO-SITE IPSEC VPN USING EASYVPN WITH ISAKMP PROFILES (IOS-IOS)
LAB 1.48. GRE OVER IPSEC ... 550
LAB 1.49. DMVPN PHASE 1 ... 567
LAB 1.50. DMVPN PHASE 2 (WITH EIGRP) ... 584
LAB 1.51. DMVPN PHASE 2 (WITH OSPF) ... 603
LAB 1.52. DMVPN PHASE 3 (WITH EIGRP) ... 623
LAB 1.53. DMVPN PHASE 3 (WITH OSPF) ... 643
LAB 1.54. DMVPN PHASE 2 DUAL HUB (SINGLE CLOUD) ... 667
LAB 1.55. DMVPN PHASE 2 DUAL HUB (DUAL CLOUD) ... 697
LAB 1.56. GET VPN (PSK) ... 738
LAB 1.57. GET VPN (PKI) ... 760
LAB 1.58. GET VPN COOP (PKI) ... 779

Remote Access VPN
LAB 1.59. CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO IOS)
LAB 1.60. CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO ASA)
LAB 1.61. CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PSK) ... 831
LAB 1.62. CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PKI) ... 841
LAB 1.63. CONFIGURING SSL VPN (IOS) ... 865
LAB 1.64. CONFIGURING SSL VPN (ASA) ... 882
LAB 1.65. ANYCONNECT 3.0 BASIC SETUP ... 895
LAB 1.66. ANYCONNECT 3.0 ADVANCED FEATURES ... 912
LAB 1.67. EASYVPN SERVER ON ASA WITH LDAP AUTHENTICATION ... 922

Advanced VPN Features
LAB 1.68. IPSEC STATEFUL FAILOVER ... 954
LAB 1.69. IPSEC STATIC VTI ... 967
LAB 1.70. IKE ENCRYPTED KEYS ... 976
LAB 1.71. IPSEC DYNAMIC VTI ... 981
LAB 1.72. REVERSE ROUTE INJECTION (RRI) ... 991
LAB 1.73. CALL ADMISSION CONTROL FOR IKE ... 1008
LAB 1.74. IPSEC LOAD BALANCING (ASA CLUSTER) ... 1016

Content Security - IPS
LAB 2.1.  SENSOR INITIALIZATION ... 6
LAB 2.2.  PROMISCUOUS MODE ... 20
LAB 2.3.  INLINE MODE ... 36
LAB 2.4.  INLINE VLAN PAIR MODE (ON-A-STICK) ... 46
LAB 2.5.  SIGNATURE TUNING ... 53
LAB 2.6.  CUSTOM HTTP SIGNATURE ... 62
LAB 2.7.  CUSTOM STRING TCP SIGNATURE ... 69
LAB 2.8.  CUSTOM ATOMIC IP SIGNATURE ... 78
LAB 2.9.  META SIGNATURE ... 86
LAB 2.10. BLOCKING AND RATE LIMITING ... 98
LAB 2.11. RULES ... 133
LAB 2.12. ANOMALY DETECTION ... 148
LAB 2.13. VIRTUAL SENSORS ... 156
LAB 2.14. EVENT SUMMARIZATION ... 166
LAB 2.15. APPLICATION INSPECTION AND LOGGING ... 181

Content Security - WSA
LAB 2.16. WSA BOOTSTRAPPING (OPTIONAL) ... 196
LAB 2.17. DNS AND ROUTING CONFIGURATION ... 206
LAB 2.18. WSA IDENTITIES AND ACCESS POLICIES ... 212
LAB 2.19. ACTIVE DIRECTORY INTEGRATION ... 223
LAB 2.20. USER AUTHENTICATION ... 228
LAB 2.21. CUSTOM URL CATEGORIES ... 243
LAB 2.22. DECRYPTION POLICIES ... 249
LAB 2.23. BANDWIDTH AND FILE TYPE LIMITS ... 255
LAB 2.24. APPLICATION VISIBILITY AND CONTROL ... 260
LAB 2.25. WEB REPUTATION AND DVS ... 265
LAB 2.26. TRANSPARENT PROXY WITH ASA ... 271

Identity Management - ACS
LAB 2.27. ACS BOOTSTRAPPING ... 281
LAB 2.28. SETUP AAA CLIENTS ... 290
LAB 2.29. USER AUTHENTICATION AND AUTHORIZATION (IOS) ... 300
LAB 2.30. LOCAL USER AUTHENTICATION AND AUTHORIZATION USING AAA (IOS) ... 306
LAB 2.31. TACACS+ USER AUTHENTICATION (IOS) ... 318
LAB 2.32. TACACS+ AUTHENTICATION AND AUTHORIZATION (IOS) ... 336
LAB 2.33. ACCOUNTING USING TACACS+ AND RADIUS (IOS) ... 357
LAB 2.34. IOS AUTHENTICATION PROXY ... 367
LAB 2.35. AUTHENTICATION PROXY ON ASA ... 386
LAB 2.36. ACS EXTERNAL IDENTITY STORE ... 395

Identity Management - ISE
LAB 3.1.  ISE INSTALLATION (OPTIONAL) ... 9
LAB 3.2.  GENERATE AND INSTALL A CERTIFICATE ... 19
LAB 3.3.  ADMINISTRATIVE ACCESS TO ISE ... 28
LAB 3.4.  INTEGRATION WITH ACTIVE DIRECTORY ... 33
LAB 3.5.  CONFIGURE ISE FOR MAB ... 38
LAB 3.6.  CONFIGURE MAC WHITELIST ... 48
LAB 3.7.  MAB WITH VLAN AUTHORIZATION ... 53
LAB 3.8.  WINDOWS 7 AD INTEGRATION (OPTIONAL) ... 61
LAB 3.9.  CONFIGURE WIRED 802.1X ... 64
LAB 3.10. WIRED 802.1X VLAN ASSIGNMENT ... 89
LAB 3.11. CONFIGURE WIRELESS 802.1X ... 99
LAB 3.12. LOCAL WEB AUTHENTICATION (LWA) FOR WIRED ... 121
LAB 3.13. CENTRAL WEB AUTHENTICATION (CWA) FOR WIRED ... 136
LAB 3.14. CENTRAL WEB AUTHENTICATION (CWA) FOR WIRELESS ... 151
LAB 3.15. CONFIGURE ISE FOR GUEST ACCESS ... 165
LAB 3.16. CONFIGURE ISE PROFILER ... 176
LAB 3.17. ANYCONNECT NAM ... 186
LAB 3.18. MACSEC SWITCH-TO-HOST ... 195
LAB 3.19. MACSEC SWITCH-TO-SWITCH ... 203

IOS Advanced Security
LAB 3.20. BASIC ROUTER SECURITY ... 211
LAB 3.21. STANDARD NAMED ACCESS LIST ... 220
LAB 3.22. CONTROLLING TELNET ACCESS AND SSH ... 223
LAB 3.23. EXTENDED ACCESS LIST IP AND ICMP ... 229
LAB 3.24. EXTENDED ACCESS LIST OSPF & EIGRP ... 235
LAB 3.25. EXTENDED ACCESS LIST WITH ESTABLISHED ... 239
LAB 3.26. DYNAMIC ACCESS LIST ... 242
LAB 3.27. REFLEXIVE ACCESS-LISTS ... 252
LAB 3.28. ACCESS-LIST AND TIME-RANGE ... 258
LAB 3.29. CONFIGURING BASIC CBAC ... 264
LAB 3.30. CONFIGURING ADVANCED CBAC ... 266
LAB 3.31. CONFIGURING CBAC & JAVA BLOCKING ... 273
LAB 3.32. CONFIGURING PAM ... 275
LAB 3.33. ZONE BASED POLICY FIREWALL (ZFW) ... 277
LAB 3.34. IMPLEMENTING SECURITY RFCS ... 311
LAB 3.35. USING MQC AS A FILTERING TOOL ... 315
LAB 3.36. BLACKHOLE ROUTING USING PBR ... 322
LAB 3.37. CONFIGURING NAT ... 326
LAB 3.38. NAT WITH OVERLAPPING NETWORKS ... 336
LAB 3.39. NAT TCP LOAD BALANCING ... 342
LAB 3.40. STATEFUL HIGH AVAILABILITY NAT ... 345
LAB 3.41. NAT VIRTUAL INTERFACE ... 355
LAB 3.42. TCP INTERCEPT ... 361
LAB 3.43. CONFIGURING NBAR ... 365
LAB 3.44. CONFIGURING NETFLOW ... 371
LAB 3.45. CONFIGURING IOS IPS ... 376

Control and Management Plane Security
LAB 3.46. CPU PROTECTION MECHANISMS ... 389
LAB 3.47. DISABLING UNNECESSARY SERVICES ... 395
LAB 3.48. CONFIGURING SNMP ... 401
LAB 3.49. CONFIGURING SYSLOG ... 409
LAB 3.50. CONFIGURING NTP ... 414
LAB 3.51. PROTOCOL AUTHENTICATION AND ROUTE FILTERING ... 419
LAB 3.52. CONTROL PLANE POLICY (COPP) ... 433

Network Attacks
LAB 3.53. PROTECTING AGAINST FRAGMENTATION ATTACKS ... 442
LAB 3.54. PROTECTING AGAINST MALICIOUS IP OPTION USAGE ... 447
LAB 3.55. PROTECTING AGAINST NETWORK MAPPING ... 454
LAB 3.56. PROTECTING AGAINST DOS ATTACKS USING CAR ... 458
LAB 3.57. PREVENTING PORT REDIRECTION ATTACKS ... 460
LAB 3.58. PROTECTING AGAINST SMURF ATTACKS ... 462
LAB 3.59. PORT SECURITY ... 465
LAB 3.60. PREVENTING VLAN HOPPING ATTACKS ... 472
LAB 3.61. VLAN ACCESS LIST ... 476
LAB 3.62. DHCP SNOOPING AND DYNAMIC ARP INSPECTION ... 480
LAB 3.63. IP SOURCE GUARD ... 491
LAB 3.64. PROTECTING AGAINST BROADCAST STORMS ... 495
LAB 3.65. PROTECTING SPANNING-TREE PROTOCOL ... 497
LAB 3.66. PREVENTING IP SPOOFING ... 501
Physical Topology
[Physical topology diagram not reproduced in this extract.]

Advanced CCIE SECURITY v4 Lab Workbook
Site-to-Site VPNs
Narbik Kocharians, CCIE #12410 (R&S, Security, SP)
Piotr Matusiak, CCIE #19860 (R&S, Security)
www.MicronicsTraining.com
LAB 2.1. DMVPN Phase 1
Lab Setup
• R1’s F0/0 and R2’s G0/0 interface should be configured in VLAN 12
• R2’s S0/1/0 and R5’s S0/1/0 interface should be configured in a frame-relay point-to-point manner
• R2’s S0/1/0 and R4’s S0/0/0 interface should be configured in a frame-relay point-to-point manner
• Configure Telnet on all routers using password “cisco”
• Configure default routing on R1, R4 and R5 pointing to the R2
IP Addressing
Device   Interface   IP address
R1       Lo0         192.168.1.1/24
         F0/0        10.1.12.1/24
R2       F0/0        10.1.12.2/24
         S0/1/0.25   10.1.25.2/24
         S0/1/0.24   10.1.24.2/24
R4       Lo0         192.168.4.4/24
         S0/0/0.42   10.1.24.4/24
R5       Lo0         192.168.5.5/24
         S0/1/0.52   10.1.25.5/24
Task 1
Configure Hub-and-Spoke GRE tunnels between R1, R4 and R5, where R1 is acting as the Hub. Traffic originated from every Spoke’s loopback interface should be transmitted securely via the Hub to the other spokes. You must use the EIGRP dynamic routing protocol to let the other spokes know about the protected networks. Use the following settings when configuring the tunnels:
• Tunnel Parameters
  o IP address: 172.16.145.0/24
  o IP MTU: 1400
  o Tunnel Authentication Key: 12345
• NHRP Parameters
  o NHRP ID: 12345
  o NHRP Authentication key: cisco123
  o NHRP Hub: R1
• Routing Protocol Parameters
  o EIGRP 145
Encrypt the GRE traffic using the following parameters:
• ISAKMP Parameters
  o Authentication: Pre-shared
  o Encryption: 3DES
  o Hashing: SHA
  o DH Group: 2
  o Pre-Shared Key: cisco123
• IPSec Parameters
  o Encryption: ESP-3DES
  o Authentication: ESP-SHA-HMAC

Dynamic Multipoint Virtual Private Network (DMVPN) was introduced by Cisco in late 2000. The technology was developed to address the need for automatically created VPN tunnels when dynamic IP addresses are in use on the spokes.

In GRE over IPSec (described in the previous lab) both ends of the connection must have a static, unchangeable IP address. It is possible, however, to create many GRE Site-to-Site tunnels from a company’s branches to the Headquarters. This is a pure Hub-and-Spoke topology where all branches may communicate with each other securely through the Hub.

In DMVPN the spokes may have dynamic IP addresses, but the Hub must have a static IP address. An additional protocol is used to let the Hub know which dynamic IP addresses are in use by the spokes: NHRP (Next Hop Resolution Protocol), which works like ARP but at layer 3. All it does is build a dynamic database on the Hub with the spokes’ IP addresses. With that database the Hub knows its IPSec peers and can build the tunnels with them.

The Hub must be connected to many spokes at the same time, so there was another issue to solve: how to configure the Hub without a separate Tunnel interface for each Site-to-Site tunnel to a spoke. The answer is the GRE multipoint tunnel type, where we do not need to specify the other end of the tunnel statically.

That being said, there are three DMVPN variants called phases:
• Phase 1: simple Hub-and-Spoke topology where dynamic IP addresses on the spokes may be used
• Phase 2: Hub-and-Spoke with direct Spoke-to-Spoke communication allowed
• Phase 3: Hub-and-Spoke with direct Spoke-to-Spoke communication allowed, with better scalability using NHRP Redirects
All of the above phases are described in more detail in the next few labs.
Configuration
Complete these steps:

Step 1
R1 configuration.
First we need an ISAKMP Policy with a pre-shared key configured. Note that in DMVPN we need to configure a so-called “wildcard PSK” because there may be many peers. This is why the more common solution in DMVPN is to use certificates and PKI. In DMVPN Phase 1 there is no need for a wildcard PSK, as there are only Hub-to-Spoke tunnels, so we know the peers.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R1(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# mode transport
The “mode transport” is used for decreasing IPSec packet
size (an outer IP header which is present in tunnel mode is
not added in the transport mode).
R1(cfg-crypto-trans)#crypto ipsec profile DMVPN
R1(ipsec-profile)#set transform-set TSET
R1(ipsec-profile)#exi
There is only one interface Tunnel on every DMVPN router.
This is because we use GRE multipoint type of the tunnel.
R1(config)#interface Tunnel0
R1(config-if)#ip address 172.16.145.1 255.255.255.0
R1(config-if)#ip mtu 1400
The Maximum Transmission Unit is decreased to ensure that the DMVPN packet does not exceed the IP MTU set on the non-tunnel IP interfaces, usually 1500 bytes. When “transport mode” is used the DMVPN packet consists of the original IP packet, the GRE header, the ESP header and the outer IPSec IP header. If the original IP packet size is close to the IP MTU set on the physical IP interface, adding the GRE and IPSec headers may lead to exceeding that value.
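To make the size arithmetic behind “ip mtu 1400” concrete, here is an added Python example (not from the workbook) that computes the on-the-wire size of a DMVPN packet for this lab’s transform set (esp-3des esp-sha-hmac, GRE with a tunnel key) in transport and in tunnel mode, and searches for the largest inner MTU that still fits a 1500-byte link. The GRE and ESP header sizes are the standard RFC values and are assumptions of the example; the 8-byte 3DES IV matches the “IV size: 8 bytes” reported in the verification output later in this lab.

```python
# Added example (not from the workbook or Cisco): the size arithmetic behind
# "ip mtu 1400" for this lab's transform set (esp-3des esp-sha-hmac) with a
# keyed GRE header. Header sizes are the standard GRE/ESP values and are
# assumed here; only the 8-byte 3DES IV is confirmed by the lab output.

OUTER_IP = 20        # IPv4 header without options
GRE_BASE = 4         # GRE flags/version + protocol type
GRE_KEY = 4          # Key field added by "tunnel key 12345"
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 8           # 3DES-CBC IV ("IV size: 8 bytes" in show crypto ipsec sa)
ESP_BLOCK = 8        # 3DES block size; payload + trailer is padded to a multiple of it
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # esp-sha-hmac is HMAC-SHA1-96


def esp_overhead(payload_len):
    """Bytes that ESP adds around a payload of payload_len bytes."""
    padded = -(-(payload_len + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK
    padding = padded - payload_len - ESP_TRAILER          # 0..7 bytes
    return ESP_HDR + ESP_IV + padding + ESP_TRAILER + ESP_ICV


def dmvpn_packet_size(inner_len, tunnel_mode=False, gre_key=True):
    """On-the-wire size of a DMVPN packet carrying an inner_len-byte IP packet.

    Transport mode (the lab's "mode transport") protects GRE + inner packet and
    reuses the GRE packet's own IP header as the outer header. Tunnel mode also
    wraps that IP header inside ESP and prepends a new 20-byte outer header.
    """
    gre_packet = GRE_BASE + (GRE_KEY if gre_key else 0) + inner_len
    esp_payload = gre_packet + (OUTER_IP if tunnel_mode else 0)
    return OUTER_IP + esp_payload + esp_overhead(esp_payload)


def fits_physical_mtu(inner_len, link_mtu=1500, **kw):
    """True when the encapsulated packet needs no fragmentation on the link."""
    return dmvpn_packet_size(inner_len, **kw) <= link_mtu


def max_inner_mtu(link_mtu=1500, **kw):
    """Largest 'ip mtu' the tunnel could use without fragmentation (searches down)."""
    inner = link_mtu
    while inner > 0 and not fits_physical_mtu(inner, link_mtu, **kw):
        inner -= 1
    return inner


if __name__ == "__main__":
    for inner in (1400, 1438, 1439, 1500):
        print(f"inner {inner:4d} -> transport {dmvpn_packet_size(inner):4d} bytes, "
              f"tunnel {dmvpn_packet_size(inner, tunnel_mode=True):4d} bytes")
    print("max ip mtu, transport mode:", max_inner_mtu())
    print("max ip mtu, tunnel mode   :", max_inner_mtu(tunnel_mode=True))
```

A 1400-byte inner packet leaves 1464 bytes on the wire in transport mode (1480 in tunnel mode), while a full 1500-byte packet would become 1560 bytes and be fragmented; the lab’s value of 1400 therefore leaves a safe margin below the 1438-byte limit this transform set actually allows.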
R1(config-if)#ip nhrp authentication cisco123
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 12345
The Hub works as NHS (Next Hop Server). The NHRP configuration on the Hub is straightforward. First, we need the NHRP network ID to identify the instance and the authentication key to secure NHRP registration. There is no need for a static NHRP mapping on the Hub. The Hub must be able to send down all multicast traffic so that dynamic routing protocols can distribute routes between spokes. The line “ip nhrp map multicast dynamic” simply tells the NHRP server to replicate all multicast traffic to all dynamic entries in the NHRP table (entries with the flag “dynamic”).
R1(config-if)#no ip split-horizon eigrp 145
Since we use EIGRP between the Hub and the Spokes, we need to disable Split Horizon for that protocol to be able to send routes learned from one Spoke to the other Spoke. The Split Horizon rule says: “routing information is never sent back in the direction from which it was received”. This is a basic rule for loop prevention.
R1(config-if)#tunnel source FastEthernet0/0
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel key 12345
R1(config-if)#tunnel protection ipsec profile DMVPN
A regular GRE tunnel usually needs the source and destination of the tunnel to be specified. However, in the GRE multipoint tunnel type there is no need for a destination. This is because there may be as many destinations as there are Spokes. The actual tunnel destination is derived from the NHRP database.
The tunnel has a key for identification purposes, as there may be many tunnels on one router and the router must know which tunnel a packet is destined to.
Finally, we must encrypt the traffic. This is done by attaching the IPSec Profile to the tunnel. I recommend leaving that command aside for a while when configuring DMVPN and adding it to the configuration once we know the tunnels work fine. DMVPN may work without any encryption, so no worries.
R1(config-if)#exi
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed
state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Tunnel0 has changed its state to “UP”. ISAKMP protocol is
enabled and operates on the router.
R1(config)#router eigrp 145
R1(config-router)#network 172.16.145.0 0.0.0.255
R1(config-router)#network 192.168.1.0
R1(config-router)#no auto-summary
R1(config-router)#exi
Finally we need a routing protocol over the tunnel. Remember, this protocol will be used to carry the information about the networks behind the Spokes (or the Hub). Be careful when configuring it, as there is a chance to get into a “recursive loop”. This means we shouldn’t use the same dynamic routing protocol instance both for the prefixes available over the tunnel and for the underlying connectivity between the Hub and the Spokes.
Step 2
R5 configuration.
R5 is our first Spoke. Again, we need ISAKMP Policy
configuration and PSK.
R5(config)#crypto isakmp policy 1
R5(config-isakmp)# encr 3des
R5(config-isakmp)# authentication pre-share
R5(config-isakmp)# group 2
R5(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R5(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R5(cfg-crypto-trans)# mode transport
R5(cfg-crypto-trans)#crypto ipsec profile DMVPN
R5(ipsec-profile)# set transform-set TSET
R5(ipsec-profile)#exi
The tunnel interface configuration is slightly different on the Spoke than on the Hub. This is because the Spoke works as an NHRP Client of the Hub (NHS). Most of the commands below have been described already.
R5(config)#interface Tunnel0
R5(config-if)# ip address 172.16.145.5 255.255.255.0
R5(config-if)# ip mtu 1400
R5(config-if)# ip nhrp authentication cisco123
R5(config-if)# ip nhrp map 172.16.145.1 10.1.12.1
R5(config-if)# ip nhrp network-id 12345
R5(config-if)# ip nhrp holdtime 360
R5(config-if)# ip nhrp nhs 172.16.145.1
NHRP Client configuration. We need our Spoke to register with the NHS, so we need to configure the following:
• NHRP authentication key – to authenticate successfully to the NHS
• NHRP Network ID – to be authenticated to the correct NHS instance
• NHRP Holdtime – to tell the NHS for how long it should treat the registered spoke’s IP address as valid
• NHS – the IP address of the NHRP Server; note this is its Private (tunnel) IP address. To resolve this address to the Public (Physical) IP address of the NHS, we need the last command, which is:
• NHRP static mapping – to resolve the NHS’ Physical IP address
This mapping is very important as it causes the Spoke to initiate the GRE tunnel to the Hub. Without it the Spoke has no clue how to register with the NHS.
R5(config-if)# tunnel source Serial0/1/0.52
R5(config-if)# tunnel destination 10.1.12.1
R5(config-if)# tunnel key 12345
R5(config-if)# tunnel protection ipsec profile DMVPN
The tunnel configuration is also different. On the Spoke there is no reason to use the GRE multipoint tunnel mode, because there is only one tunnel (Spoke to Hub) in DMVPN Phase 1. Hence we must provide both the source and the destination of the tunnel.
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed
state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config-if)#exi
R5(config)#router eigrp 145
R5(config-router)# network 172.16.145.0 0.0.0.255
R5(config-router)# network 192.168.5.0
R5(config-router)# no auto-summary
R5(config-router)#ex
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.1 (Tunnel0)
is up: new adjacency
R5(config-router)#exi
The router has established an EIGRP adjacency through the tunnel. Note that the adjacency has been established with the DMVPN hub (172.16.145.1).
Step 3
R4 configuration.
The beauty of this technology is that there is exactly the
same configuration on all Spokes!
R4(config)#crypto isakmp policy 1
R4(config-isakmp)# encr 3des
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# group 2
R4(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R4(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R4(cfg-crypto-trans)# mode transport
R4(cfg-crypto-trans)#crypto ipsec profile DMVPN
R4(ipsec-profile)# set transform-set TSET
R4(ipsec-profile)#exi
R4(config)#interface Tunnel0
R4(config-if)# ip address 172.16.145.4 255.255.255.0
R4(config-if)# ip mtu 1400
R4(config-if)# ip nhrp authentication cisco123
R4(config-if)# ip nhrp map 172.16.145.1 10.1.12.1
R4(config-if)# ip nhrp network-id 12345
R4(config-if)# ip nhrp holdtime 360
R4(config-if)# ip nhrp nhs 172.16.145.1
R4(config-if)# tunnel source Serial0/0/0.42
R4(config-if)# tunnel destination 10.1.12.1
R4(config-if)# tunnel key 12345
R4(config-if)# tunnel protection ipsec profile DMVPN
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed
state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config-if)#exi
R4(config)#router eigrp 145
R4(config-router)# network 172.16.145.0 0.0.0.255
R4(config-router)# network 192.168.4.0
R4(config-router)# no auto-summary
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.1 (Tunnel0)
is up: new adjacency
R4(config-router)#exi
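The parameters that Steps 1 to 3 set on the Hub and on each Spoke have to agree before NHRP registration and the EIGRP adjacency can come up. The following added Python example (not part of the workbook) parses running-config style snippets reconstructed from the R1, R4 and R5 commands above and reports every mismatch it finds; SPOKE_R4_BAD is a constructed error (wrong network-id and tunnel key) that shows what the check reports.

```python
from ipaddress import ip_interface

# Added example (not from the workbook): a consistency check for the DMVPN
# Phase 1 parameters that must agree between the Hub and every Spoke. The
# configs are reconstructed from the R1/R4/R5 commands in Steps 1-3;
# SPOKE_R4_BAD is a constructed mismatch used to exercise the check.

HUB_R1 = """\
interface Tunnel0
 ip address 172.16.145.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 no ip split-horizon eigrp 145
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile DMVPN
"""
SPOKE_TEMPLATE = """\
interface Tunnel0
 ip address {ip} 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map 172.16.145.1 10.1.12.1
 ip nhrp network-id {netid}
 ip nhrp nhs 172.16.145.1
 tunnel destination 10.1.12.1
 tunnel key {key}
 tunnel protection ipsec profile DMVPN
"""
SPOKE_R5 = SPOKE_TEMPLATE.format(ip="172.16.145.5", netid=12345, key=12345)
SPOKE_R4 = SPOKE_TEMPLATE.format(ip="172.16.145.4", netid=12345, key=12345)
SPOKE_R4_BAD = SPOKE_TEMPLATE.format(ip="172.16.145.4", netid=12346, key=54321)

# Leading words of a Tunnel0 sub-command -> (key, index of the value word, converter).
# Flag commands use index 0 with bool: bool() of a non-empty word is True.
PARAMS = {
    ("ip", "mtu"): ("mtu", 2, int),
    ("ip", "nhrp", "authentication"): ("nhrp_auth", 3, str),
    ("ip", "nhrp", "network-id"): ("nhrp_id", 3, int),
    ("ip", "nhrp", "nhs"): ("nhs", 3, str),
    ("tunnel", "key"): ("tunnel_key", 2, int),
    ("tunnel", "destination"): ("destination", 2, str),
    ("tunnel", "protection", "ipsec", "profile"): ("ipsec_profile", 4, str),
    ("tunnel", "mode", "gre", "multipoint"): ("multipoint", 0, bool),
    ("no", "ip", "split-horizon", "eigrp"): ("no_split_horizon", 0, bool),
    ("ip", "nhrp", "map", "multicast", "dynamic"): ("multicast_dynamic", 0, bool),
}


def parse_tunnel(config):
    """Extract the Tunnel0 settings from running-config style text."""
    t = {"nhrp_map": {}, "multipoint": False, "no_split_horizon": False, "multicast_dynamic": False}
    in_tunnel = False
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw.startswith(" "):        # an unindented line opens a new section
            in_tunnel = w[0] == "interface" and w[1].startswith("Tunnel")
            continue
        if not in_tunnel:
            continue
        hit = next((PARAMS[tuple(w[:n])] for n in (5, 4, 3, 2) if tuple(w[:n]) in PARAMS), None)
        if hit:
            key, idx, conv = hit
            t[key] = conv(w[idx])
        elif w[:2] == ["ip", "address"]:
            t["tunnel_ip"] = ip_interface(f"{w[2]}/{w[3]}")
        elif w[:3] == ["ip", "nhrp", "map"]:
            t["nhrp_map"][w[3]] = w[4]      # tunnel (private) address -> NBMA address
    return t


def check_phase1(hub_cfg, spoke_cfgs):
    """Return human-readable problems; an empty list means hub and spokes agree."""
    hub = parse_tunnel(hub_cfg)
    hub_ip = str(hub["tunnel_ip"].ip)
    problems = []
    if not hub["multipoint"]:
        problems.append("hub: Tunnel0 is not 'tunnel mode gre multipoint'")
    if not hub["no_split_horizon"]:
        problems.append("hub: EIGRP split horizon still enabled on Tunnel0")
    if not hub["multicast_dynamic"]:
        problems.append("hub: missing 'ip nhrp map multicast dynamic'")
    for name, cfg in spoke_cfgs.items():
        s = parse_tunnel(cfg)
        for key in ("nhrp_id", "nhrp_auth", "tunnel_key", "mtu"):
            if s.get(key) != hub.get(key):
                problems.append(f"{name}: {key} {s.get(key)} does not match hub {hub.get(key)}")
        if s["tunnel_ip"].network != hub["tunnel_ip"].network:
            problems.append(f"{name}: {s['tunnel_ip']} is outside hub subnet {hub['tunnel_ip'].network}")
        if s.get("nhs") != hub_ip:
            problems.append(f"{name}: nhs {s.get('nhs')} is not the hub tunnel address {hub_ip}")
        nbma = s["nhrp_map"].get(hub_ip)
        if nbma is None:
            problems.append(f"{name}: no static 'ip nhrp map' entry for the NHS {hub_ip}")
        elif s.get("destination") not in (None, nbma):
            problems.append(f"{name}: tunnel destination {s['destination']} differs from NHS NBMA {nbma}")
        if bool(s.get("ipsec_profile")) != bool(hub.get("ipsec_profile")):
            problems.append(f"{name}: 'tunnel protection' configured on only one side")
    return problems
```

Running check_phase1(HUB_R1, {"R4": SPOKE_R4, "R5": SPOKE_R5}) returns an empty list for the lab configuration, while SPOKE_R4_BAD produces one line for the network-id and one for the tunnel key.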
Verification
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.12.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
D    192.168.4.0/24 [90/27008000] via 172.16.145.4, 00:00:17, Tunnel0
D    192.168.5.0/24 [90/27008000] via 172.16.145.5, 00:00:55, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Loopback0
S*   0.0.0.0/0 [1/0] via 10.1.12.2
Spokes have sent updates about their networks (loopback interfaces) to the Hub. Now the Hub must send that information down to the other Spokes. The Hub may do that as long as the Split Horizon rule is disabled for the routing protocol.
R1#sh ip nhrp
172.16.145.4/32 via 172.16.145.4
Tunnel0 created 00:00:33, expire 00:05:26
Type: dynamic, Flags: unique registered
NBMA address: 10.1.24.4
172.16.145.5/32 via 172.16.145.5
Tunnel0 created 00:01:08, expire 00:04:51
Type: dynamic, Flags: unique registered
NBMA address: 10.1.25.5
NHRP database displayed on the DMVPN hub. Note that “sh ip nhrp” shows mapping
between Tunnel0 ip address and ip address of Serial interface which is used for
reaching the tunnel endpoint. The entries in NHRP database on the hub are
dynamic (dynamically obtained from the spokes).
R1#sh ip eigrp neighbor
IP-EIGRP neighbors for process 145
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
1   172.16.145.4            Tu0           11 00:00:38   10  1362  0  3
0   172.16.145.5            Tu0           11 00:01:16   29  1362  0  3
EIGRP adjacency established with the spokes.
R1#sh ip eigrp interface
IP-EIGRP interfaces for process 145
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface    Peers  Un/Reliable   SRTT   Un/Reliable   Flow Timer   Routes
Tu0            2        0/0        19       6/227          80           0
Lo0            0        0/0         0       0/1             0           0
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE
10.1.12.1       10.1.24.4       QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.1.12.1
protected vrf: (none)
local  ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)
Local and remote identities used for the tunnel. Note that the GRE protocol (IP protocol 47) is transported in the tunnel. This is achieved automatically by assigning the IPSec profile to the tunnel interface (configuring crypto ACLs is no longer needed).
current_peer 10.1.24.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
Note that traffic is going through the tunnel established between the hub (R1)
and the spoke (R4).
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.24.4
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x97564348(2539012936)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2A3D155F(708646239)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2003, flow_id: NETGX:3, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4568792/3536)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
Inbound SPI (Security Parameter Index) has been negotiated.
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x97564348(2539012936)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2004, flow_id: NETGX:4, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4568792/3536)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
Outbound SPI (Security Parameter Index) has been negotiated.
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local  ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)
Local and remote identities used for the tunnel established between the hub (R1) and the other spoke (R5).
current_peer 10.1.25.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.25.5
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x423D37C6(1111308230)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xE65FFF26(3865050918)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4492833/3501)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x423D37C6(1111308230)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4492832/3501)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.24.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
C    192.168.4.0/24 is directly connected, Loopback0
D    192.168.5.0/24 [90/28288000] via 172.16.145.1, 00:03:22, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, Serial0/0/0.42
D    192.168.1.0/24 [90/27008000] via 172.16.145.1, 00:03:22, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.24.2
The networks of the R1 and R5 loopbacks are present in R4’s routing table. These networks are reachable through the hub (R1) over the DMVPN network.
R4#sh ip route 192.168.5.0
Routing entry for 192.168.5.0/24
  Known via "eigrp 145", distance 90, metric 28288000, type internal
  Redistributing via eigrp 145
  Last update from 172.16.145.1 on Tunnel0, 00:03:34 ago
  Routing Descriptor Blocks:
  * 172.16.145.1, from 172.16.145.1, 00:03:34 ago, via Tunnel0
      Route metric is 28288000, traffic share count is 1
      Total delay is 105000 microseconds, minimum bandwidth is 100 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 2
The Routing Descriptor Block shows the next hop IP address followed by the information source (R1 – the hub).
R4#sh ip cef 192.168.5.0
192.168.5.0/24
nexthop 172.16.145.1 Tunnel0
The CEF entry displayed for the R5 loopback network. This indicates the next hop IP address which has to be used for reaching 192.168.5.0/24.
R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
Tunnel0 created 00:04:04, never expire
Type: static, Flags:
NBMA address: 10.1.12.1
The NHRP database entries displayed. This shows the mapping between the hub’s tunnel interface IP address and the hub’s real interface IP address through which the tunnel endpoint is reachable. Note that the NHRP database entries related to the hub are static and never expire (the hub must always be reachable for the spoke and cannot be dynamic).
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.24.4       QM_IDLE           1001 ACTIVE
This indicates that the ISAKMP tunnel is established and active (QM_IDLE means that the ISAKMP SA is authenticated and Quick Mode, i.e. IPSec Phase 2, is finished).

IPv6 Crypto ISAKMP SA
R4#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.1.24.4
protected vrf: (none)
local  ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
current_peer 10.1.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
#pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
The IPSec proxy IDs on the spoke indicate that traffic between the tunnel endpoints will be encrypted/decrypted. Also, the packet counters are incrementing as routing updates cross the tunnel.
local crypto endpt.: 10.1.24.4, remote crypto endpt.: 10.1.12.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.42
current outbound spi: 0x2A3D155F(708646239)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x97564348(2539012936)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4571034/3344)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2A3D155F(708646239)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4571034/3344)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R4#pi 192.168.5.5 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/36 ms
Now ping the other spoke using its loopback IP address as the source. This simulates end-to-end connectivity through the DMVPN network.
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.24.4       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
Note: No new ISAKMP SA or NHRP mappings created.
R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
Tunnel0 created 00:04:40, never expire
Type: static, Flags:
NBMA address: 10.1.12.1
The same bunch of commands should be run on the other spoke.
R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.1.25.2 to network 0.0.0.0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
D    192.168.4.0/24 [90/28288000] via 172.16.145.1, 00:01:24, Tunnel0
C    192.168.5.0/24 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.25.0 is directly connected, Serial0/1/0.52
D    192.168.1.0/24 [90/27008000] via 172.16.145.1, 00:02:02, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.25.2
R5#sh ip cef 192.168.4.0
192.168.4.0/24
nexthop 172.16.145.1 Tunnel0
R5#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
Tunnel0 created 00:02:11, never expire
Type: static, Flags:
NBMA address: 10.1.12.1
R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE
IPv6 Crypto ISAKMP SA
R5#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.1.25.5
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
current_peer 10.1.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
#pkts decaps: 46, #pkts decrypt: 46, #pkts verify: 46
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.1.25.5, remote crypto endpt.: 10.1.12.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.52
current outbound spi: 0xE65FFF26(3865050918)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x423D37C6(1111308230)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: Tunnel0head-0
sa timing: remaining key lifetime (k/sec): (4430458/3455)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE65FFF26(3865050918)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0head-0
sa timing: remaining key lifetime (k/sec): (4430459/3455)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R5#pi 192.168.4.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/35/40 ms
Note: No new ISAKMP SA or NHRP mappings created.
R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE
IPv6 Crypto ISAKMP SA
R5#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
Tunnel0 created 00:03:01, never expire
Type: static, Flags:
NBMA address: 10.1.12.1
Advanced CCIE SECURITY v4 LAB WORKBOOK
Content Security – WSA
www.MicronicsTraining.com
Logical Topology for WSA labs
WSA is connected to the network using two interfaces:
• P1 – data interface, placed in VLAN 30 (ASA DMZ)
• M1 – management interface, placed in VLAN 10 (ASA Inside)
LAB 2.2. Transparent Proxy with ASA
Objectives
This lab shows how to integrate the WSA with the ASA to provide transparent proxy
services for users.
IP Addressing and devices
Device   Interface       IP address
WSA      M1              10.1.10.80/24
         P1              10.1.30.80/24
R1       Lo0             1.1.1.1/32
         E0/0            10.1.10.1/24
         E0/1            172.31.1.1/24
ASA      0/0 (outside)   100.2.2.10/24
         0/1 (inside)    10.1.10.10/24
         0/2 (dmz)       10.1.30.10/24
R2       Lo0             2.2.2.2/32
         E0/0            100.2.2.2/24
WinXP    NIC             10.1.10.50/24
Win7     NIC             10.1.10.104/24
AD       NIC             172.31.1.200/24
Task
Reconfigure the WSA to provide transparent proxy services to all users. The
WSA should use its M1 interface and talk to the ASA using the WCCP v2 protocol.
Messages exchanged between the WSA and the ASA should be authenticated using the
'cisco123' shared secret. Enable transparent proxy for HTTP and HTTPS.
Disable the CONNECT method for explicit proxy.
Configuration
Complete these steps:
Step 1 Configure WCCP on ASA.
!
access-list WCCP permit tcp 10.1.10.0 255.255.255.0 any eq 80
access-list WCCP permit tcp 10.1.10.0 255.255.255.0 any eq 443
!
wccp 90 redirect-list WCCP password cisco123
wccp interface inside 90 redirect in
!
Step 2 Reconfigure interfaces on WSA.
• Go to Network > Interfaces and click Edit Settings… Uncheck the Restrict M1 port to appliance management services only option and erase the P1 interface configuration. Click Submit.
• Note the following message. Click Continue.
• Review the configuration and click Commit Changes.
Step 3 Enable Transparent Proxy services.
• Go to Network > Transparent Redirection and click Edit Device…
• From the drop-down list select WCCP v2 Router and click Submit.
• Click Add Service…
• Provide a name for the WCCP service, e.g. asa-wccp, and select the Dynamic service ID option. Set the ID to 90 and associate Port Numbers 80,443. Put 10.1.10.10 (ASA's inside interface IP) as Router IP Address and tick the Enable Security for Service option, configuring 'cisco123' as the password. Click Submit.
• Review the configuration and click Commit Changes.
Step 4 Win7 client PC configuration.
• Open up a web browser and go to Tools > Internet Options > Connections > LAN Settings and uncheck the Use a proxy server for your LAN option.
Verification
• On the Win7 client PC open up a web browser and go to http://www.google.com. Authenticate as a user from the Employees group.
// there is a 401 returned by the proxy, which is the authentication request
1360089008.110 0 10.1.10.104 TCP_DENIED/401 0 GET http://proxy.micronics.local/B0000D0000N0001F0000S0000R0004/http://www.google.com/ NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-">
// after authentication the request proceeds normally
1360089020.203 413 10.1.10.104 TCP_MISS/200 31422 GET http://www.google.com/ "MICRONICS\employee1@AD" DIRECT/www.google.com text/html ALLOW_WBRS_12-EmployeesDefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_srch,8.2,-,"-",-,-,-,-,"-",-,-,-,"-",-,,"-","-",-,-,IW_srch,-,"-","-","Google","Search Engine","-","-",608.66,0,-,"-","-"> -
• Connect to http://www.facebook.com. Facebook redirects the user to HTTPS by default, so you should get a certificate error (the certificate is not trusted because it is signed by the WSA). You should be connected after accepting the certificate.
// HTTP request to facebook.com
1360089089.513 271 10.1.10.104 TCP_MISS/302 405 GET http://www.facebook.com/ "MICRONICS\employee1@AD" DIRECT/www.facebook.com text/html DEFAULT_CASE_12-EmployeesDefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_snet,4.7,0,"-",0,0,0,-,"-",-,-,-,"-",-,,"-","-",-,-,IW_snet,-,"-","-","Facebook General","Facebook","-","-",11.96,0,,"Unknown","-">
// TCP CONNECT to port 443, redirected to the WSA
1360089089.703 183 10.1.10.104 TCP_MISS_SSL/200 0 TCP_CONNECT 31.13.64.23:443 "MICRONICS\employee1@AD" DIRECT/31.13.64.23 - DECRYPT_AVC_7-DefaultGroup-DefaultGroupNONE-NONE-NONE-DefaultGroup <IW_snet,4.7,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,,IW_snet,-,"-","-","Facebook General","Facebook","Encrypted","-",0.00,0,-,"-","-">
// check the connection table on the ASA – there should be NO connections from the Win7 PC
ASA1(config)# sh conn
11 in use, 77 most used
TCP outside 2.16.216.40:443 inside 10.1.10.80:57688, idle 0:00:07, bytes 32361, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57686, idle 0:00:07, bytes 27805, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57685, idle 0:00:07, bytes 74840, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57684, idle 0:00:07, bytes 75426, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57683, idle 0:00:08, bytes 11142, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57682, idle 0:00:08, bytes 83528, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57680, idle 0:00:14, bytes 2593, flags UfFrIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57679, idle 0:00:14, bytes 45467, flags UfFrIO
TCP outside 195.12.233.137:443 inside 10.1.10.80:57666, idle 0:00:15, bytes 2548, flags UIO
TCP outside 31.13.64.23:443 inside 10.1.10.80:53205, idle 0:00:17, bytes 30380, flags UIO
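As an added example (not part of the workbook), the following Python script performs the two checks of this verification programmatically: it parses WSA access-log records in the layout shown above and scans an ASA "show conn" excerpt for web connections that still originate from the client instead of the WSA. The log and connection lines inside it are constructed samples, not the records captured above.

```python
"""Programmatic version of the transparent-proxy checks in this verification:
parse WSA access-log records and confirm on the ASA that web connections are
built by the WSA, never directly by the client."""
import re
from dataclasses import dataclass

# Constructed sample records in the WSA access-log layout shown above
# (timestamp elapsed client result/status bytes method url user
# hierarchy/peer content-type policy-decision <...> ...); not the lab's lines.
WSA_ACCESS_LOG = r"""
1360089008.110 0 10.1.10.104 TCP_DENIED/401 0 GET http://www.google.com/ - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-> -
1360089020.203 413 10.1.10.104 TCP_MISS/200 31422 GET http://www.google.com/ "MICRONICS\employee1@AD" DIRECT/www.google.com text/html ALLOW_WBRS_12-EmployeesDefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_srch,8.2> -
1360089089.703 183 10.1.10.104 TCP_MISS_SSL/200 0 TCP_CONNECT 31.13.64.23:443 "MICRONICS\employee1@AD" DIRECT/31.13.64.23 - DECRYPT_AVC_7-DefaultGroup-DefaultGroupNONE-NONE-NONE-DefaultGroup <IW_snet,4.7> -
"""

# Constructed ASA "show conn" excerpt: with WCCP redirect working, every
# HTTP/HTTPS flow through the firewall belongs to the WSA (10.1.10.80).
ASA_SHOW_CONN = """
TCP outside 2.16.216.40:443 inside 10.1.10.80:57688, idle 0:00:07, bytes 32361, flags UIO
TCP outside 195.12.233.137:443 inside 10.1.10.80:57666, idle 0:00:15, bytes 2548, flags UIO
TCP outside 31.13.64.23:443 inside 10.1.10.80:53205, idle 0:00:17, bytes 30380, flags UIO
UDP outside 100.2.2.2:53 inside 10.1.10.104:51021, idle 0:00:02, bytes 120, flags -
"""

LOG_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>[\d.]+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>"[^"]*"|\S+)\s+'
    r'(?P<hierarchy>\S+)\s+(?P<ctype>\S+)\s+(?P<decision>\S+)')

CONN_RE = re.compile(
    r'^(?P<proto>TCP|UDP)\s+\S+\s+(?P<oaddr>[\d.]+):(?P<oport>\d+)\s+'
    r'\S+\s+(?P<iaddr>[\d.]+):(?P<iport>\d+),')


@dataclass
class AccessRecord:
    client: str
    result: str
    status: int
    method: str
    url: str
    user: str
    decision: str

    @property
    def is_auth_challenge(self):
        # TCP_DENIED/401 is the proxy asking the browser for credentials,
        # not a policy block; the retried request follows with the user set.
        return self.result == "TCP_DENIED" and self.status == 401

    @property
    def verdict(self):
        # First token of the ACL tag (ALLOW_WBRS_12, DECRYPT_AVC_7, BLOCK_...)
        # is the action the access/decryption policy took.
        return self.decision.split("_")[0]


def parse_access_log(text):
    records = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            raise ValueError("unparsed access-log line: " + line)
        records.append(AccessRecord(m["client"], m["result"], int(m["status"]),
                                    m["method"], m["url"], m["user"].strip('"'),
                                    m["decision"]))
    return records


def proxy_bypass(conn_text, client_ips, web_ports=(80, 443)):
    """Return the client IPs that own a TCP/80 or /443 connection on the ASA
    themselves, i.e. traffic that was not redirected to the WSA. A working
    transparent proxy yields an empty set."""
    leaked = set()
    for line in conn_text.strip().splitlines():
        m = CONN_RE.match(line)
        if m and m["proto"] == "TCP" and int(m["oport"]) in web_ports:
            if m["iaddr"] in client_ips:
                leaked.add(m["iaddr"])
    return leaked
```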
Check ASA WCCP commands output.
ASA1(config)# deb wccp packet
WCCP-PKT:D90: Received valid Here_I_Am packet from 10.1.10.80 w/rcv_id 00000112
WCCP-PKT:D90: Sending I_See_You packet to 10.1.10.80 w/ rcv_id 00000113
ASA1(config)# sh wccp
Global WCCP information:
    Router information:
        Router Identifier:                   100.2.2.10
        Protocol Version:                    2.0

    Service Identifier: 90
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            11464
        Redirect access-list:                WCCP
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            6
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
ASA1(config)# sh wccp 90 detail
WCCP Cache-Engine information:
        Web Cache ID:          10.1.10.80
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:        256 (100.00%)
        Packets Redirected:    11464
        Connect Time:          00:00:18
ASA1(config)# sh wccp 90 service
WCCP service information definition:
        Type:          Dynamic
        Id:            90
        Priority:      240
        Protocol:      6
        Options:       0x00000012
        -------
        Hash:          DstIP
        Alt Hash:      -none-
        Ports:         Destination:: 80 443 0 0 0 0 0 0
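Added example (not from the workbook): the Assigned Hash Info in the "show wccp 90 detail" output above is a 256-bit mask with one bit per hash bucket, and the Python snippet below turns it into the Hash Allotment figure and checks that several cache engines in one service group partition the buckets without gaps or overlap. The two-engine "show wccp 90 detail" text is constructed for the example.

```python
"""Interpret the WCCP v2 hash assignment shown by 'show wccp <id> detail'.
The Assigned Hash Info is a 256-bit mask (two lines of 32 hex digits), one
bit per hash bucket; the allotment is the number of buckets the cache engine
owns. With several WSAs in a service group the masks must partition all 256
buckets: every bucket owned by exactly one engine."""
import re

BUCKETS = 256

# Mask from the single-engine output above: all 256 buckets on one WSA.
ASSIGNED_HASH_ONE_ENGINE = ("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")

# Constructed two-engine output in the same layout (not captured from a lab).
SHOW_WCCP_DETAIL_TWO_ENGINES = """\
WCCP Cache-Engine information:
        Web Cache ID:          10.1.10.80
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               00000000000000000000000000000000
        Hash Allotment:        128 (50.00%)
        Packets Redirected:    5732
        Connect Time:          00:00:18

        Web Cache ID:          10.1.10.81
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    00000000000000000000000000000000
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:        128 (50.00%)
        Packets Redirected:    5732
        Connect Time:          00:00:18
"""


def hash_mask_to_buckets(hex_mask):
    """Set of bucket numbers whose bit is set; bit 7 of byte 0 is bucket 0."""
    if len(hex_mask) * 4 != BUCKETS:
        raise ValueError("expected a %d-bit mask" % BUCKETS)
    owned = set()
    for byte_index in range(BUCKETS // 8):
        byte = int(hex_mask[byte_index * 2:byte_index * 2 + 2], 16)
        for bit in range(8):
            if byte & (0x80 >> bit):
                owned.add(byte_index * 8 + bit)
    return owned


def allotment(hex_mask):
    """Mirror the 'Hash Allotment: N (P%)' line of the ASA output."""
    n = len(hash_mask_to_buckets(hex_mask))
    return n, round(100.0 * n / BUCKETS, 2)


def parse_show_wccp_detail(text):
    """Map each 'Web Cache ID' to its full 64-hex-digit assigned mask,
    joining the continuation line that follows 'Assigned Hash Info:'."""
    masks, engine, collecting = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Web Cache ID:"):
            engine, collecting = line.split(":", 1)[1].strip(), False
        elif line.startswith("Assigned Hash Info:"):
            masks[engine] = line.split(":", 1)[1].strip()
            collecting = True
        elif collecting and re.fullmatch(r"[0-9A-Fa-f]{32}", line):
            masks[engine] += line
        else:
            collecting = False
    return masks


def check_partition(masks):
    """Return (unassigned_buckets, doubly_assigned_buckets) across all
    engines of a service group; both sets are empty for a healthy group.
    Unassigned buckets show up as 'Total Packets Unassigned' on the ASA."""
    owners = {}
    for engine, mask in masks.items():
        for b in hash_mask_to_buckets(mask):
            owners.setdefault(b, []).append(engine)
    unassigned = {b for b in range(BUCKETS) if b not in owners}
    duplicated = {b for b, who in owners.items() if len(who) > 1}
    return unassigned, duplicated
```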
Advanced CCIE SECURITY v4 LAB WORKBOOK
Identity Management – ACS
Logical Topology for ACS labs
ACS 5 is connected to the network behind Router1 and has IP address of
172.31.1.100. Default gateway should be set to R1.
Management access to ACS should be allowed from WinXP PC (10.1.10.50).
LAB 2.3. ACS Bootstrapping
Objectives
This lab introduces Cisco Secure Access Control Server v5.3 and verifies
basic connectivity with other network elements.
IP Addressing and devices
Device   Interface   IP address
ACS      NIC         172.31.1.100
R1       Lo0         1.1.1.1/32
         E0/0        10.1.10.1/24
         E0/1        172.31.1.1/24
R2       Lo0         2.2.2.2/32
         E0/0        100.2.2.2/24
WinXP    NIC         10.1.10.50/24
Task 1 – Verify ACS installation
Connect to the ACS console using SSH and the username/password of
admin/Micronics1. Check and note the following:
• ACS application version
• ACS daemon status
• Interface configuration
• Routing table (with default gateway)
• Clock configuration
• Timezone configuration
Configure the following:
• NTP server set to 172.31.1.1
• Connect to the GUI and install the license located on the WinXP desktop (ACS5.lic)
Configuration
Complete these steps:
Step 1 Run Putty and connect to IP address 172.31.1.100
Step 2 Verify that ACS is installed properly
ACS5/admin# show application
<name>          <Description>
acs             Cisco Secure Access Control System 5.3
Cisco ACS is an application installed on an underlying operating system
called Cisco ADE. Once you're connected to ADE you must check which
applications are installed; then you can use the application name (in our
case 'acs') in all other commands.
Step 3 Check ACS version
ACS5/admin# show application version acs
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.3.0.40
Internal Build ID : B.839.EVAL
The main version is 5.3 and the patch level is 40. The build depends
on the development stage and also indicates that we use an evaluation
version of ACS. You can install a production license or an evaluation
license (90 days). Remember that if the ACS was installed with a 60GB
disk (minimum) there will be no option to run it with a non-eval
license. The 60GB is a minimum value and can only be used in a lab
environment.
Step 4 Check status of ACS processes
ACS5/admin# show application status acs
ACS role: PRIMARY
Process 'database'                running
Process 'management'              running
Process 'runtime'                 running
Process 'view-database'           running
Process 'view-jobmanager'         running
Process 'view-alertmanager'       running
Process 'view-collector'          running
Process 'view-logprocessor'       running
If there is a status other than 'running' it means there is something
wrong with a particular ACS subsystem/process. To fix that you can
try to restart the ACS application using 'application stop acs' and then
'application start acs'. Be patient as it may take a while to start
all ACS processes.
Step 5 Check interface configuration and verify IP address and netmask
ACS5/admin# show interface
eth0      Link encap:Ethernet  HWaddr 00:50:56:AE:83:F6
          inet addr:172.31.1.100  Bcast:172.31.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feae:83f6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12645 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16627 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1105589 (1.0 MiB)  TX bytes:19717105 (18.8 MiB)
          Interrupt:177 Base address:0x2000

Make sure that you see RX and TX packets and no error counters
increasing. This is a first indicator that something can be wrong
with connectivity. If you do not see the eth0 interface that usually
means the interface is down.

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1939218 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1939218 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:300253955 (286.3 MiB)  TX bytes:300253955 (286.3 MiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Step 6 Check routing table and default gateway
ACS5/admin# show ip route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.31.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         172.31.1.1      0.0.0.0         UG    0      0        0 eth0
Step 7 Check basic connectivity to the gateway and to other network elements
ACS5/admin# ping 172.31.1.1
PING 172.31.1.1 (172.31.1.1) 56(84) bytes of data.
64 bytes from 172.31.1.1: icmp_seq=0 ttl=255 time=10.0 ms
64 bytes from 172.31.1.1: icmp_seq=1 ttl=255 time=0.642 ms
64 bytes from 172.31.1.1: icmp_seq=2 ttl=255 time=0.690 ms
64 bytes from 172.31.1.1: icmp_seq=3 ttl=255 time=0.784 ms
--- 172.31.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.642/3.049/10.083/4.061 ms, pipe 2
ACS5/admin# ping 10.1.10.10
PING 10.1.10.10 (10.1.10.10) 56(84) bytes of data.
--- 10.1.10.10 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3027ms
Note that you cannot reach ASA firewall at this stage. This is
because the ASA has no route back to network 172.31.1.0/24. You will
fix this later.
ACS5/admin# ping 10.1.10.50
PING 10.1.10.50 (10.1.10.50) 56(84) bytes of data.
64 bytes from 10.1.10.50: icmp_seq=0 ttl=127 time=0.812 ms
64 bytes from 10.1.10.50: icmp_seq=1 ttl=127 time=1.02 ms
64 bytes from 10.1.10.50: icmp_seq=2 ttl=127 time=1.02 ms
64 bytes from 10.1.10.50: icmp_seq=3 ttl=127 time=10.8 ms
--- 10.1.10.50 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3009ms
rtt min/avg/max/mdev = 0.812/3.429/10.860/4.291 ms, pipe 2
Step 8 Check the name server and domain configuration. Verify that DNS
works by asking it to resolve the FQDN acs5.micronics.local
ACS5/admin# show running-config | inc name
hostname ACS5
ip domain-name micronics.local
ip name-server 172.31.1.200
username admin password hash $1$Vlgou3Zx$hWKQ2lqIKFZF./OlFJ/Wi1 role admin
ACS5/admin# ping 172.31.1.200
PING 172.31.1.200 (172.31.1.200) 56(84) bytes of data.
64 bytes from 172.31.1.200: icmp_seq=0 ttl=128 time=0.551 ms
64 bytes from 172.31.1.200: icmp_seq=1 ttl=128 time=0.331 ms
64 bytes from 172.31.1.200: icmp_seq=2 ttl=128 time=0.401 ms
64 bytes from 172.31.1.200: icmp_seq=3 ttl=128 time=0.415 ms
--- 172.31.1.200 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.331/0.424/0.551/0.082 ms, pipe 2
ACS5/admin# nslookup acs5.micronics.local
Trying "acs5.micronics.local"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;acs5.micronics.local.          IN      ANY
;; ANSWER SECTION:
acs5.micronics.local.   3600    IN      A       172.31.1.100
Received 54 bytes from 172.31.1.200#53 in 0 ms
Step 9 Check clock and timezone configuration
ACS5/admin# show clock
Sun Jan  6 12:23:45 UTC 2013
ACS5/admin# show timezone
UTC
If there is a different timezone configured you can always change it
to the correct value using the 'clock timezone UTC' command in global
configuration. To check which timezone names are available use the 'show
timezones' command.
Step 10 Configure NTP
ACS5/admin(config)# ntp server 172.31.1.1
The NTP server was modified.
If this action resulted in a clock modification, you must restart ACS.
ACS5/admin(config)# exit
ACS5/admin# write mem
Generating configuration...
ACS5/admin# show ntp
Primary NTP   : 172.31.1.200
unsynchronised
  time server re-starting
  polling server every 64 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     LOCAL(0)        10 l   42   64    7    0.000    0.000   0.002
 172.31.1.1      LOCAL(1)         8 u   44   64   77    0.733    4.846   3.029
Warning: Output results may conflict during periods of changing synchronization.
ACS5/admin# show ntp
Primary NTP   : 172.31.1.1
synchronised to NTP server (172.31.1.1) at stratum 9
  time correct to within 452 ms
  polling server every 64 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     LOCAL(0)        10 l   45   64   77    0.000    0.000   0.002
*172.31.1.1      LOCAL(1)         8 u   44   64   77    0.733    4.846   3.029
Warning: Output results may conflict during periods of changing synchronization.
NTP synchronization is very important, especially when ACS is part
of an Active Directory domain. If you plan to join AD then the clocks of the
Domain Controller and ACS must be synchronized. NTP-related issues
cause most problems with AD integration.
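Added example, not the workbook's own: a Python parser for the "show ntp" peer table above that reports whether the appliance has a selected system peer and flags a server whose refid is LOCAL(x), i.e. one running on its own local clock. The two samples are modelled on the outputs above; the 300 ms offset threshold is an assumption.

```python
"""Decide from ACS 'show ntp' output whether time is in good enough shape
for AD integration: a system peer must be selected (tally '*'), it must have
answered recently, and it should not itself be free-running on a local clock
(refid LOCAL(x)), which the workbook notes ACS may refuse to synchronise to."""
import re
from dataclasses import dataclass

# Constructed samples modelled on the two outputs in this step, before and
# after the appliance synchronised to 172.31.1.1.
SHOW_NTP_BEFORE = """\
Primary NTP   : 172.31.1.1
unsynchronised
  time server re-starting
  polling server every 64 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     LOCAL(0)        10 l   42   64    7    0.000    0.000   0.002
 172.31.1.1      LOCAL(1)         8 u   44   64   77    0.733    4.846   3.029
"""

SHOW_NTP_AFTER = """\
Primary NTP   : 172.31.1.1
synchronised to NTP server (172.31.1.1) at stratum 9
  time correct to within 452 ms
  polling server every 64 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     LOCAL(0)        10 l   45   64   77    0.000    0.000   0.002
*172.31.1.1      LOCAL(1)         8 u   44   64   77    0.733    4.846   3.029
"""

# One peer line: tally character, remote, refid, stratum, type, when, poll,
# reach (octal), delay, offset, jitter. Header and banner lines do not match.
PEER_RE = re.compile(
    r'^(?P<tally>[ *+#o.x-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+'
    r'(?P<t>[lubm])\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+'
    r'(?P<delay>[-\d.]+)\s+(?P<offset>[-\d.]+)\s+(?P<jitter>[-\d.]+)')


@dataclass
class Peer:
    remote: str
    refid: str
    stratum: int
    tally: str        # '*' system peer, '+' candidate, ' ' not selected
    reach: int        # shift register of the last 8 polls, printed in octal
    offset_ms: float

    @property
    def is_system_peer(self):
        return self.tally == "*"

    @property
    def answered_last_poll(self):
        # Bit 0 is the most recent poll; 0o377 means all of the last 8 worked.
        return self.reach & 1 == 1

    @property
    def runs_on_local_clock(self):
        # The server's reference is its own undisciplined local clock.
        return self.refid.startswith("LOCAL(")


def parse_show_ntp(text):
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.append(Peer(m["remote"], m["refid"], int(m["st"]), m["tally"],
                              int(m["reach"], 8), float(m["offset"])))
    return peers


def assess(text, max_offset_ms=300.0):
    """Return (synchronised, warnings). 127.127.1.0 is the appliance's own
    local clock driver and never counts as a real time source."""
    peers = parse_show_ntp(text)
    warnings = []
    system = [p for p in peers if p.is_system_peer and p.remote != "127.127.1.0"]
    if not system:
        warnings.append("no system peer selected (not synchronised)")
        return False, warnings
    peer = system[0]
    if not peer.answered_last_poll:
        warnings.append("system peer %s did not answer the last poll" % peer.remote)
    if peer.runs_on_local_clock:
        warnings.append("%s is free-running on its local clock (%s); ACS may "
                        "not accept it as reliable" % (peer.remote, peer.refid))
    if abs(peer.offset_ms) > max_offset_ms:
        warnings.append("offset %.1f ms exceeds %.0f ms" % (peer.offset_ms, max_offset_ms))
    return True, warnings
```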
You can also check the application logs when syncing with NTP.
Note that ACS may not synchronize with a source which is not reliable
(a source that gets its time from its local clock).
ACS5/admin# show logging application | in ntp
Nov  8 11:38:05 ACS5 ntpd[29716]: ntpd 4.2.0a@1.1190-r Mon Jul 28 11:03:50 EDT 2008 (1)
Nov  8 11:38:05 ACS5 ntpd: ntpd startup succeeded
Nov  8 11:38:05 ACS5 ntpd[29716]: precision = 2.000 usec
Nov  8 11:38:05 ACS5 ntpd[29716]: Listening on interface wildcard, 0.0.0.0#123
Nov  8 11:38:05 ACS5 ntpd[29716]: Listening on interface wildcard, ::#123
Nov  8 11:38:05 ACS5 ntpd[29716]: Listening on interface lo, 127.0.0.1#123
Nov  8 11:38:05 ACS5 ntpd[29716]: Listening on interface eth0, 172.31.1.100#123
Nov  8 11:38:05 ACS5 ntpd[29716]: kernel time sync status 0040
Nov  8 11:38:05 ACS5 ntpd[29716]: frequency initialized 0.000 PPM from /var/lib/ntp/drift
Nov  8 11:41:20 ACS5 ntpd[29716]: synchronized to LOCAL(0), stratum 10
Nov  8 11:41:20 ACS5 ntpd[29716]: kernel time sync disabled 0041
Nov  8 11:42:23 ACS5 ntpd[29716]: synchronized to 172.31.1.1, stratum 8
Nov  8 11:42:24 ACS5 ntpd[29716]: kernel time sync enabled 0001
Step 11 Connect through the GUI and install the license. Open up a web
browser (IE or FF) and enter the following URL: https://172.31.1.100/acsadmin
• Authenticate as acsadmin/default and change the default password to Micronics1.
• Provide the license file ACS5.lic (should be on the WinXP desktop).
• Once the license file is installed, the ACS is ready for further configuration.
LAB 2.4. Setup AAA clients
Objectives
This lab shows how to configure AAA clients in ACS and perform basic
authentication using RADIUS and TACACS+ protocols.
IP Addressing and devices
Device   Interface   IP address
ACS      NIC         172.31.1.100
R1       Lo0         1.1.1.1/32
         E0/0        10.1.10.1/24
         E0/1        172.31.1.1/24
SW1      Vlan10      10.1.10.7/24
WinXP    NIC         10.1.10.50/24
Task 1 – Create a user in ACS internal database
Create a new user with username of student1 with a password of student123
in ACS Internal Identity Store. The user should belong to Students user
group.
Configuration
Complete these steps:
Step 1 Connect to ACS from the WinXP PC and authenticate using acsadmin.
Add a new entry to the Device Type and Location NDGs (Network Device
Groups).
• Go to Users and Identity Stores > Identity Groups and click Create. Add the name Students under All Groups and click Submit.
• Go to Users and Identity Stores > Users and click Create. Add a new user with a name of student1 and password of student123, select Students under Identity Groups and click Submit.
Verification
There is no Verification for this task.
Task 2 – Adding the router as AAA client in ACS
Configure R1 router as AAA client in ACS using TACACS+ with secret key of
cisco123. Make sure the device is sourcing TACACS+ traffic from its
loopback0 interface and uses only one TCP connection for whole AAA
conversation.
The new AAA client should be added as Device Type = Routers in Location =
HQ. Configure AAA on the router and use test aaa command to verify your
solution.
Configuration
Complete these steps:
Step 1 Connect to ACS from the WinXP PC and authenticate using acsadmin.
Add a new entry to the Device Type and Location NDGs (Network Device
Groups).
• Go to Network Resources > Network Device Groups > Location and click Create. Add the name HQ under All Locations and click Submit.
Devices can be differentiated based on their type and/or location. There
are two pre-defined containers in ACS: one for location and a second for
type. This information can be used later in authorization policies, so it
is recommended to add new devices to the correct categories.
• Go to Network Resources > Network Device Groups > Device Type and click Create. Add the name Routers under All Device Types and click Submit.
Step 2 Add new AAA client to the ACS.
• Go to Network Resources > Network Device and AAA Clients and click Create. Add a new client with the name R1, select Location = HQ and Device Type = Routers, configure the IP address 1.1.1.1, select TACACS+ as the protocol and configure a Shared Secret of cisco123. Select the Single Connect Device option and click Submit.
Step 3 Router configuration.
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
aaa new-model
!
tacacs server ACS
address ipv4 172.31.1.100
key cisco123
single-connection
!
Notice that we do not need to configure an 'aaa authentication…' command
here. It is enough to specify the TACACS server in the configuration and
then we can use it in the 'test aaa' command.
Also note that you can specify an AAA server in three ways:
1. using the old command structure like 'tacacs-server host…'
2. using the new command structure as configured above
3. using AAA groups with commands like 'aaa group server…'
The first option is deprecated and is not recommended in IOS 15.0 and above.
Verification
Use test aaa command to check user authentication.
R1#test aaa group tacacs+ student1 student123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
Check logs on ACS. Go to Monitoring and Reports and launch
Authentications – TACACS – Today report.
Task 3 – Adding the switch as AAA client in ACS
Configure SW1 switch as AAA client in ACS using RADIUS with secret key of
cisco123. Make sure the device is sourcing RADIUS traffic from vlan10
interface with IP address of 10.1.10.7/24.
The new AAA client should be added as Device Type = Switches in Location =
HQ. Configure AAA on the switch and use test aaa command to verify your
solution.
Configuration
Complete these steps:
Step 1 Connect to ACS from WinXP PC and authenticate using acsadmin.
• Go to Network Resources > Network Device Groups > Device Type and click Create. Add the name Switches under All Device Types and click Submit.
Step 2 Add new AAA client to the ACS.
• Go to Network Resources > Network Device and AAA Clients and click Create. Add a new client with the name SW1, select Location = HQ and Device Type = Switches, configure the IP address 10.1.10.7, select RADIUS as the protocol, configure a Shared Secret of cisco123 and click Submit.
Step 3 Switch configuration.
!
interface Vlan10
ip address 10.1.10.7 255.255.255.0
!
aaa new-model
!
ip default-gateway 10.1.10.1
ip radius source-interface Vlan10
radius-server host 172.31.1.100 key cisco123
!
Note that when you enable 'aaa new-model' the device will start asking
for a username/password on the VTY lines. You must either configure the 'login
authentication' command on the VTYs or create a backup/fallback username
in the device's local database.
It is always recommended to have such a local user account.
!
username backup password backup
!
Verification
Use test aaa command to check user authentication.
SW1#ping 172.31.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/205/1015 ms
SW1#test aaa group radius student1 student123 legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.
Check logs on ACS. Go to Monitoring and Reports and launch
Authentications – RADIUS – Today report.
LAB 2.5. User authentication and authorization (IOS)
Objectives
This lab shows how to configure routers to perform basic authentication and
authorization.
IP Addressing and devices
Device   Interface   IP address
R1       Lo0         1.1.1.1/32
         E0/0        10.1.10.1/24
         E0/1        172.31.1.1/24
R2       Lo0         2.2.2.2/32
         E0/0        100.2.2.2/24
The router may authenticate remote users using its local user database. Every
user connecting to the router must be authenticated and authorized to perform
specific tasks. There are 16 privilege levels on the router, numbered 0
through 15. By default only three levels are configured:
• Level 0 – basic level which is accessible by every user, with access only to basic commands like "exit" and "logout"
• Level 1 – a user without administrative permissions has this level assigned. Usually every user in non-privileged router mode (non-enable mode) is on this level
• Level 15 – a user with administrative privileges is on this level. All commands are available on this level by default. When a user enters the "enable" command and authenticates successfully, he/she is by default authorized on level 15.
The rest of the levels (2-14) are user configurable so that we can assign commands
to a specific level. The term "assign" is unfortunate here as we are only able to
"move" a command between levels. For example, if a command is by default on
level 15 (remember that most of the configuration commands are available only
on level 15) we can move it down to level 10. However, this command will now
be available on level 10 and on all levels above it up to level 15.
The router can have a different password for every privilege level, so that we can
authenticate to a specified level by entering the command "enable <lvl>".
Note that because most configuration commands are available on level 15,
entering level 5 for example will not give us access to any other commands. We
need to "move" specific commands to that level first to be able to use them.
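Added example, neither IOS code nor the workbook's: a small Python model of the privilege-level rules just described, where a command moved to a level is usable from that level upward and enable secrets are kept per level. The seeded command table and the salted-hash representation of secrets are assumptions made for illustration.

```python
"""Toy model of IOS privilege levels (constructed for illustration, not IOS
code): each command sits on one level, 'privilege exec [all] level N <cmd>'
moves it, and a command is usable from its level and every higher level.
Enable secrets are kept per level, modelled here as salted SHA-256 digests."""
import hashlib
import os


class PrivilegeModel:
    def __init__(self):
        # Assumed default placement of the commands used in this lab.
        self.levels = {"exit": 0, "logout": 0, "enable": 0, "disable": 0,
                       "show": 1, "show privilege": 1, "show ip route": 1,
                       "ping": 1, "configure terminal": 15}
        self.secrets = {}          # level -> (salt, digest)

    def privilege_exec(self, level, command, all_sub=False):
        """'privilege exec [all] level <level> <command>'. With 'all', the
        known subcommands of <command> move to the same level too."""
        self.levels[command] = level
        if all_sub:
            for cmd in list(self.levels):
                if cmd.startswith(command + " "):
                    self.levels[cmd] = level

    def enable_secret(self, level, secret):
        """'enable secret level <level> <secret>'."""
        salt = os.urandom(8)
        digest = hashlib.sha256(salt + secret.encode()).digest()
        self.secrets[level] = (salt, digest)

    def command_level(self, command):
        """The most specific registered prefix decides a command's level."""
        words = command.split()
        for n in range(len(words), 0, -1):
            prefix = " ".join(words[:n])
            if prefix in self.levels:
                return self.levels[prefix]
        raise KeyError("unknown command: " + command)

    def can_run(self, user_level, command):
        """A level-N user sees every command placed on level N or below."""
        return user_level >= self.command_level(command)

    def enable(self, secret, target_level=15):
        """'enable [<level>]': returns the new level, or the error text the
        router prints when no secret exists for that level or it mismatches."""
        if target_level not in self.secrets:
            return "% No password set"
        salt, digest = self.secrets[target_level]
        if hashlib.sha256(salt + secret.encode()).digest() != digest:
            return "% Bad secrets"
        return target_level
```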
Task 1 – Local user authentication on router
On R2 configure local user “luser1” with a password of “luser1” and allow him
to issue only “show” commands when accessing the router using TELNET
session. Use strong encryption for enable password if possible. You are not
allowed to use any AAA commands or views to accomplish this task.
Configuration
Complete these steps:
Step 1 Configure R2 as follows:
!
privilege exec all level 3 show
!
enable secret level 3 enable3
!
username luser1 password luser1
!
line vty 0 4
login local
!
Verification
R1#telnet 100.2.2.2
Trying 100.2.2.2 ... Open
User Access Verification
Username: luser1
Password:
R2>show priv
       ^
% Invalid input detected at '^' marker.
<-- the "show" command is not accessible to a level 1 user; it is now on level 3
R2>enable
% No password set
<-- there is no enable password configured for level 15
R2>enable 3
Password:
<-- the "enable3" password works for privilege level 3 only
R2#sh priv
Current privilege level is 3
R2#show ?
  aaa                       Show AAA values
  aal2                      Show commands for AAL2
  access-expression         List access expression
  access-lists              List access lists
  accounting                Accounting data for active sessions
  adjacency                 Adjacent nodes
  alarm-interface           Display information about a specific Alarm Interface Card
  aliases                   Display alias commands
  alignment                 Show alignment information
  alps                      Alps information
  appfw                     Application Firewall information
  appletalk                 AppleTalk information
  arap                      Show Appletalk Remote Access statistics
  archive                   Archive of the running configuration information
  arp                       ARP table
  ase                       Display ASE specific information
  async                     Information on terminal lines used as router interfaces
  auto                      Show Automation Template
  autoupgrade               Show autoupgrade related information
  backhaul-session-manager  Backhaul Session Manager information
<...snip...>
R2#conf t
        ^
% Invalid input detected at '^' marker.
<-- higher level commands are not accessible to a level 3 user
R2#exit
[Connection to 100.2.2.2 closed by foreign host]
R1#
Advanced CCIE SECURITY v4 LAB WORKBOOK
Identity Management – ISE
Logical Topology for ISE labs
ISE v1.1 is connected to the network behind Router1 and has IP address of
172.31.1.20. Default gateway should be set to R1.
Management access to ISE should be allowed from WinXP PC (10.1.10.50).
LAB 2.6. ISE Installation (optional)
Objectives
This lab introduces Identity Service Engine v1.1 and verifies basic connectivity
with other network elements.
IP Addressing and devices
Device   Interface   IP address
ISE      NIC         172.31.1.20
R1       Lo0         1.1.1.1/32
         E0/0        10.1.10.1/24
         E0/1        172.31.1.1/24
R2       Lo0         2.2.2.2/32
         E0/0        100.2.2.2/24
WinXP    NIC         10.1.10.50/24
This is an optional task. If the ISE is already pre-installed, you can go directly
to next task.
Task
Perform ISE installation and bootstrapping. Provide the following information
during the installation process:
•
Hostname: ISE
•
IP Address and mask: 172.31.1.20/24
•
Default gateway: 172.31.1.1
•
Domain name and nameserver: micronics.local, 172.31.1.200
•
NTP server and timezone: 172.31.1.200, UTC
Configuration
Complete these steps:
Step 1 Log into the ISE Virtual Appliance console (if you have access to it).
You should see the following prompt:
**********************************************
Please type ‘setup’ to configure the appliance
**********************************************
localhost login:
Enter setup as the username to start the configuration wizard.
Step 2 Go through the configuration wizard.
Press ‘Ctrl-C’ to abort setup
Enter hostname[]: ise
Enter IP address []: 172.31.1.20
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 172.31.1.1
Enter default DNS domain[]: micronics.local
Enter Primary nameserver[]: 172.31.1.200
Add secondary nameserver? Y/N [N]: <enter>
Enter Primary NTP server[time.nist.gov]: 172.31.1.1
Add another NTP server? Y/N [N]: <enter>
Enter system timezone[UTC]: <enter>
Enter username[admin]: <enter>
Enter password: Micronics1
Enter password again: Micronics1
Bringing up network interface...
Pinging the gateway...
Pinging the primary nameserver ...
Virtual machine detected, configuring VMware tools...
Do not use ‘Ctrl-C’ from this point on...
Appliance is configured
Installing applications...
Installing ise ...
The mode has been set to licensed.
Step 3 ISE installation. Provide passwords for the ISE database during installation.
Application bundle (ise) installed successfully
=== Initial Setup for Application: ise ===
Welcome to the ISE initial setup. The purpose of this setup is
to provision the internal ISE database. This setup requires
you create a database administrator password and also create a
database user password.
Please follow the prompts below to create the database
administrator password.
Enter new database admin password: Micronics1234
Confirm new database admin password: Micronics1234
Successfully created database administrator password.
Please follow the prompts below to create the data base user
password:
Enter new database user password: Micronics1234
Confirm new Database user password: Micronics1234
Successfully created database user password.
Running database cloning script...
Running database network config assistant tool...
Extracting ISE database content...
Starting ISE database processes...
Creating ISE M&T session directory...
Performing ISE database priming...
Generating configuration...
Rebooting...
Verification
Connect to ISE using SSH and provide username/password of admin/Micronics1.
Check and note the following:
• ISE application version
• ISE daemon status
• Interface configuration
• Routing table (with default gateway)
• Clock configuration
• Timezone configuration
Connect to the GUI from the WinXP desktop and check the license and ISE deployment options.
Run PuTTY and connect using SSH to the IP address 172.31.1.20.
Verify that ISE is installed properly
Cisco ISE is an application installed on an underlying operating system called Cisco ADE. Once you are connected to ADE, check which applications are installed; then use the application name (in our case 'ise') in all other commands.
ISE/admin# show application
<name>              <Description>
ise                 Cisco Identity Services Engine
ISE/admin#
Check ISE version
ISE/admin# show application version ise
Cisco Identity Services Engine
---------------------------------------------
Version      : 1.1.0.665
Build Date   : Wed Mar  7 22:51:03 2012
Install Date : Wed Jan  2 17:12:33 2013
The main version is 1.1 and the patch level is 665. The build depends on the development stage. By default ISE is in EVAL mode for 90 days. You can install a production license or use the evaluation license. You do not need to provide any license file for ISE to be working.
Check status of ISE processes
ISE/admin# show application status ise
ISE Database listener is running, PID: 4166
ISE Database is running, number of processes: 26
ISE Application Server is running, PID: 5694
ISE M&T Session Database is running, PID: 3826
ISE M&T Log Collector is running, PID: 5921
ISE M&T Log Processor is running, PID: 6005
ISE M&T Alert Process is running, PID: 5840
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 64 GB
If a status other than 'is running' is shown, something is wrong with that particular ISE subsystem/process. To fix it you can try to restart the ISE application using 'application stop ise' followed by 'application start ise'. Be patient, as it may take a while to start all ISE processes.
Check interface configuration and verify IP address and netmask
ISE/admin# show interface
GigabitEthernet 0
          Link encap:Ethernet  HWaddr 00:50:56:AE:A1:34
          inet addr:172.31.1.20  Bcast:172.31.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feae:a134/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:70970 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90676 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8304352 (7.9 MiB)  TX bytes:15921119 (15.1 MiB)
          Interrupt:59 Base address:0x2024

lo
          Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:29034318 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29034318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:501930492 (478.6 MiB)  TX bytes:501930492 (478.6 MiB)

sit0
          Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Make sure that you see RX and TX packets and that no error counters are increasing. This is the first indicator that something may be wrong with connectivity. If you do not see the GigabitEthernet0 interface, that usually means the interface is down.
You may see more interfaces depending on the ISE installation. Some interfaces may be used for profiling services.
Check routing table and default gateway
ISE/admin# show ip route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.31.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         172.31.1.1      0.0.0.0         UG    0      0        0 eth0
Note that there is still an interface 'eth0' in the command output. This interface is a pointer to GigabitEthernet0.
Check basic connectivity to the gateway and to other network elements
ISE/admin# ping 172.31.1.1
PING 172.31.1.1 (172.31.1.1) 56(84) bytes of data.
64 bytes from 172.31.1.1: icmp_seq=1 ttl=255 time=0.853 ms
64 bytes from 172.31.1.1: icmp_seq=2 ttl=255 time=0.810 ms
64 bytes from 172.31.1.1: icmp_seq=3 ttl=255 time=0.776 ms
64 bytes from 172.31.1.1: icmp_seq=4 ttl=255 time=0.886 ms
--- 172.31.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.776/0.831/0.886/0.046 ms
ISE/admin# ping 10.1.10.10
PING 10.1.10.10 (10.1.10.10) 56(84) bytes of data.
64 bytes from 10.1.10.10: icmp_seq=1 ttl=254 time=67.9 ms
64 bytes from 10.1.10.10: icmp_seq=2 ttl=254 time=1.17 ms
64 bytes from 10.1.10.10: icmp_seq=3 ttl=254 time=16.3 ms
64 bytes from 10.1.10.10: icmp_seq=4 ttl=254 time=57.0 ms
--- 10.1.10.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 1.172/35.622/67.910/27.663 ms
You may not reach the ASA firewall at this stage. If not, check whether the ASA has a static route to the 172.31.1.0/24 network configured.
ISE/admin# ping 10.1.10.50
PING 10.1.10.50 (10.1.10.50) 56(84) bytes of data.
64 bytes from 10.1.10.50: icmp_seq=1 ttl=127 time=0.862 ms
64 bytes from 10.1.10.50: icmp_seq=2 ttl=127 time=0.909 ms
64 bytes from 10.1.10.50: icmp_seq=3 ttl=127 time=1.00 ms
64 bytes from 10.1.10.50: icmp_seq=4 ttl=127 time=0.896 ms
--- 10.1.10.50 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.862/0.917/1.004/0.064 ms
Check the name server and domain configuration. Verify that DNS works by asking it to resolve the FQDN ise.micronics.local.
ISE/admin# show running-config | inc name
hostname ISE
ip domain-name micronics.local
ip name-server 172.31.1.200
username admin password hash $1$pAzQ9DDO$zWBNlRgM8m1mlZPZLRh0Y1 role admin
no-username
ISE/admin# ping 172.31.1.200
PING 172.31.1.200 (172.31.1.200) 56(84) bytes of data.
64 bytes from 172.31.1.200: icmp_seq=1 ttl=128 time=0.345 ms
64 bytes from 172.31.1.200: icmp_seq=2 ttl=128 time=0.348 ms
64 bytes from 172.31.1.200: icmp_seq=3 ttl=128 time=0.382 ms
64 bytes from 172.31.1.200: icmp_seq=4 ttl=128 time=0.417 ms
--- 172.31.1.200 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.345/0.373/0.417/0.029 ms
ISE/admin# nslookup ise.micronics.local
Trying "ise.micronics.local"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47970
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ise.micronics.local.           IN      ANY

;; ANSWER SECTION:
ise.micronics.local.    3600    IN      A       172.31.1.20

Received 53 bytes from 172.31.1.200#53 in 1 ms
Check clock and timezone configuration
ISE/admin# show clock
Fri Jan 18 14:02:13 UTC 2013
ISE/admin# show timezone
UTC
If a different timezone is configured you can always change it to the correct value using the 'clock timezone UTC' command in global configuration. To check which timezone names are available, use the 'show timezones' command.
ISE/admin# show ntp
Configured NTP Servers:
172.31.1.1
Unable to talk to NTP daemon. Is it running?
% To restart NTP do 'no ntp server' followed by 'ntp server <servername>'
If you experience the above issue try to reapply the NTP server configuration.
ISE/admin# conf t
Enter configuration commands, one per line.
End with CNTL/Z.
ISE/admin(config)# ntp server 172.31.1.1
ISE/admin(config)# end
NTP synchronization is very important, especially when ISE is part of an Active Directory domain. If you plan to join AD, the clocks of the Domain Controller and ISE must be synchronized. NTP-related issues cause most problems with AD integration. You can also check the application logs when syncing with NTP.
Note that ISE may not synchronize with a source that is not reliable (a source that takes its time from its local clock).
ISE/admin# show ntp
Configured NTP Servers:
  172.31.1.1
unsynchronised
  time server re-starting
  polling server every 64 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l    3   64    1    0.000    0.000   0.001
 172.31.1.1      LOCAL(1)         8 u    2   64    1    0.930   -0.146   0.001
* Current time source, + Candidate
Warning: Output results may conflict during periods of changing synchronization.
<after a while>
ISE/admin# show ntp
Configured NTP Servers:
  172.31.1.1
synchronised to NTP server (172.31.1.1) at stratum 9
  time correct to within 944 ms
  polling server every 64 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   29   64   77    0.000    0.000   0.001
*172.31.1.1      LOCAL(1)         8 u   26   64   77    0.778    0.357   0.529
* Current time source, + Candidate
Warning: Output results may conflict during periods of changing synchronization.
Connect through the GUI and check the license. Open a web browser (IE or FF) and enter the following URL: https://172.31.1.20
• Authenticate as admin/Micronics1.
• You may see the following message while connecting to the ISE for the first time.
• Pick Do not show this message again and then click OK.
• Check the deployment mode by selecting ise on the top right of the current window.
To check the license you must go to Administration -> System -> Licensing.
LAB 2.7. Configure Wired 802.1x
Objectives
This lab shows how to configure 802.1x for a wired environment.
IP Addressing and devices
Device   Interface   IP address
ISE      NIC         172.31.1.20
R1       Lo0         1.1.1.1/32
         E0/0        10.1.10.1/24
         E0/1        172.31.1.1/24
AD       NIC         172.31.1.200
WinXP    NIC         10.1.10.50/24
SW1      VLAN10      10.1.10.7/24
Task
There is a Windows 7 host connected to SW1 port 0/7 through the IP Phone. The IP Phone is authenticated using MAB configured in previous tasks.
Configure the Win7 PC to use its native supplicant with PEAP/MS-CHAPv2 only. Use Active Directory user employee1 and the computer's account (member of the Domain Computers AD group) for authentication. Upon successful authentication the user and machine should get full access to the network.
Enable 802.1x low impact mode on the port and allow only DHCP, DNS, TFTP and ICMP traffic. Ensure the following authentication order:
  o 802.1x
  o MAB
The switch should time out the 802.1x authentication method after 15 seconds and allow only one MAC address to be seen behind the IP Phone. If there are more MAC addresses the switch should NOT authenticate them and should silently drop the packets.
You can disable the Whitelist authorization rule and put the IP Phone back into the default Cisco-IP-Phone group.
Configuration
Complete these steps:
Step 1 Switch configuration.
!
ip access-list extended DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark TFTP
permit udp any any eq tftp
remark Ping
permit icmp any any
!
interface GigabitEthernet0/7
ip access-group DEFAULT in
authentication open
authentication order dot1x mab
dot1x timeout tx-period 5
!
ip device tracking
radius vsa send
!
Step 2 Create allowed protocols object.
• Go to Policy > Policy Elements > Results > Authentication > Allowed Protocols and click Add. Enter PEAP_Only as the name, pick Allow PEAP with Allow EAP-MS-CHAPv2, uncheck all other methods and click Submit.
Step 3 Create authorization profile for AD clients to get full network access upon successful authorization.
• Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles and click Add. Enter AD_Success_Profile as the name, tick the DACL Name checkbox and choose the default PERMIT_ALL_TRAFFIC from the drop-down list. Click Submit.
Step 4 Move IP Phone MAC address to the default Identity Group and disable Whitelist authorization rule.
• Go to Administration > Identity Management > Identities > Endpoints and click Cisco-IP-Phone (the entry with the IP Phone MAC address). Change the Identity Group Assignment to Cisco-IP-Phone. Click Save.
• Go to Policy > Authorization and click the Edit link next to the Whitelist rule. Click on the green icon and choose Disabled. Click Done and Save.
Step 5 Add new authentication rule or edit default one.
• Go to Policy > Authentication and click the orange arrow next to Allowed Protocols in the Dot1X rule. Pick PEAP_Only from the configured objects. Then click the black arrow to show more options of the rule and change the default identity source to AD1. Click Save.
Step 6 Create new authorization rule for domain users.
• Go to Policy > Authorization and insert a new rule as second to last (before the default one). Enter a name, e.g. Domain User, and create a new Compound Condition where AD1:ExternalGroup = micronics.local\Users/employees.
• As Permissions choose AD_Success_Profile already created in the previous steps. Click Done.
Step 7 Create authorization rule for domain computers.
• Go to Administration > Identity Management > External Identity Sources > Active Directory and click Add > Select Groups From Directory on the Groups tab. Click Retrieve Groups and pick the micronics.local/Users/Domain Computers group. Click OK.
• Click Save Configuration.
• Go to Policy > Authorization and insert a new rule before the Domain User rule. Enter a name, e.g. Domain Computer, and create a new Compound Condition where AD1:ExternalGroup = micronics.local\Users/Domain Computers.
• As Permissions choose AD_Success_Profile already created in the previous steps. Click Done.
• Click Save.
Step 8 Win7 PC native supplicant configuration.
• Go to Services (services.msc) and Enable/Start the WiredAutoConfig service.
• Go to Network Connections, right click on LAB-Network and select Properties. You should see the Authentication tab.
• On the Authentication tab select options as follows:
Click on the Settings button and uncheck the Validate server certificate option.
• Click on the Configure button and uncheck the option:
• Click OK and go back to the Authentication tab. Click the Additional Settings button, check Specify authentication mode and select User or computer authentication. Click OK and close the network adapter properties window.
Verification
Enable debugging on the switch:
debug radius
debug dot1x event
Bounce the switchport and check debug output.
SW1#conf t
Enter configuration commands, one per line.
End with CNTL/Z.
SW1(config)#int g0/7
SW1(config-if)#shut
SW1(config-if)#no shu
SW1(config-if)#^Z
// see the AuthManager state before authentication. The domain is UNKNOWN at
the moment but there is a MAC address on the port. Note that dot1x is running but
it will fail over to mab after the timeout.
SW1#sh auth sess int g0/7
            Interface:  GigabitEthernet0/7
          MAC Address:  0021.a084.6ff4
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A010A070000002F00ED9839
      Acct Session ID:  0x00000034
               Handle:  0x3500002F

Runnable methods list:
       Method   State
       dot1x    Running
       mab      Not run
// First the IP Phone is being authenticated.
dot1x-ev(Gi0/7): New client notification from AuthMgr for 0x04000059 - 0021.a084.6ff4
%AUTHMGR-5-START: Starting 'dot1x' for client (0021.a084.6ff4) on Interface Gi0/7
AuditSessionID 0A010A070000002F00ED9839
%LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to up
// two dot1x retransmissions are configured by default
dot1x-ev(Gi0/7): Sending EAPOL packet to 0021.a084.6ff4
dot1x-ev(Gi0/7): Role determination not required
dot1x-ev(Gi0/7): Sending out EAPOL packet
dot1x-ev(Gi0/7): Sending EAPOL packet to 0021.a084.6ff4
dot1x-ev(Gi0/7): Role determination not required
dot1x-ev(Gi0/7): Sending out EAPOL packet
dot1x-ev(Gi0/7): Received an EAP Timeout
%DOT1X-5-FAIL: Authentication failed for client (0021.a084.6ff4) on Interface Gi0/7
AuditSessionID
dot1x-ev(Gi0/7): Sending event (2) to Auth Mgr for 0021.a084.6ff4
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client
(0021.a084.6ff4) on Interface Gi0/7 AuditSessionID 0A010A070000002F00ED9839
dot1x-ev(Gi0/7): Received Authz fail for the client
0x04000059 (0021.a084.6ff4)
dot1x-ev(Gi0/7): Deleting client 0x04000059 (0021.a084.6ff4)
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.a084.6ff4) on Interface
Gi0/7 AuditSessionID 0A010A070000002F00ED9839
// dot1x has failed for the IP Phone because the phone has no dot1x supplicant; now
MAB is running
%AUTHMGR-5-START: Starting 'mab' for client (0021.a084.6ff4) on Interface Gi0/7
AuditSessionID 0A010A070000002F00ED9839
dot1x-ev:Delete auth client (0x04000059) message
dot1x-ev:Auth client ctx destroyed
dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
RADIUS/ENCODE(00000034):Orig. component type = DOT1X
RADIUS(00000034): Config NAS IP: 10.1.10.7
RADIUS/ENCODE(00000034): acct_session_id: 52
RADIUS(00000034): sending
// RADIUS authentication message is sent to ISE. Note that the username is the MAC
address of the IP Phone and we have Service-Type=10 and NAS-Port-Type=15 in the
message. ISE will match that connection to the correct authentication rule
based on those attributes.
RADIUS(00000034): Send Access-Request to 172.31.1.20:1812 id 1645/160, len 209
RADIUS:  authenticator B9 13 0A 78 2E E0 32 C7 - 75 A0 6C 56 0D D3 27 93
RADIUS:  User-Name           [1]   14  "0021a0846ff4"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Service-Type        [6]   6   Call Check                [10]
RADIUS:  Framed-MTU          [12]  6   1500
RADIUS:  Called-Station-Id   [30]  19  "C4-64-13-6C-E8-07"
RADIUS:  Calling-Station-Id  [31]  19  "00-21-A0-84-6F-F4"
RADIUS:  Message-Authenticato[80]  18
RADIUS:   48 AF 08 93 30 FB 6C FA FD FB 10 37 56 E1 42 F5  [ H0l7VB]
RADIUS:  EAP-Key-Name        [102] 2   *
RADIUS:  Vendor, Cisco       [26]  49
RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A010A070000002F00ED9839"
RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
RADIUS:  NAS-Port            [5]   6   50007
RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/7"
RADIUS:  NAS-IP-Address      [4]   6   10.1.10.7
RADIUS(00000034): Started 5 sec timeout
// RADIUS reply is received. This is an Access-Accept RADIUS message type, so it
contains some additional attributes. The most important attributes here are
'device-traffic-class=voice' and the dACL name. The first attribute is very
important in case of Multi-Auth: the switch learns which 'authentication domain'
to use. Without this attribute the IP Phone could be authenticated in the DATA
domain, as the MAC address of the phone is 'visible' in two VLANs (data VLAN and
voice VLAN).
Also note that there is just the dACL name in the RADIUS message. There are no dACL
entries yet. The switch must ask for that dACL again to download the ACEs (Access
List Entries).
RADIUS: Received from id 1645/160 172.31.1.20:1812, Access-Accept, len 297
RADIUS:  authenticator 89 F8 81 A9 CD 82 74 B9 - C0 87 50 16 98 AF B0 7A
RADIUS:  User-Name           [1]   19  "00-21-A0-84-6F-F4"
RADIUS:  State               [24]  40
RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41  [ReauthSession:0A]
RADIUS:   30 31 30 41 30 37 30 30 30 30 30 30 32 46 30 30  [010A070000002F00]
RADIUS:   45 44 39 38 33 39                                [ ED9839]
RADIUS:  Class               [25]  50
RADIUS:   43 41 43 53 3A 30 41 30 31 30 41 30 37 30 30 30  [CACS:0A010A07000]
RADIUS:   30 30 30 32 46 30 30 45 44 39 38 33 39 3A 49 53  [0002F00ED9839:IS]
RADIUS:   45 2F 31 34 33 35 35 38 35 35 33 2F 33 30 32 39  [ E/143558553/3029]
RADIUS:  Termination-Action  [29]  6   1
RADIUS:  Message-Authenticato[80]  18
RADIUS:   53 41 4D 42 74 C4 90 4F AB 57 80 A8 86 99 66 5D  [ SAMBtOWf]]
RADIUS:  Vendor, Cisco       [26]  34
RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
RADIUS:  Vendor, Cisco       [26]  75
RADIUS:   Cisco AVpair       [1]   69  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-4f57e406"
RADIUS:  Vendor, Cisco       [26]  35
RADIUS:   Cisco AVpair       [1]   29  "profile-name=Cisco-IP-Phone"
RADIUS(00000034): Received from id 1645/160
RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
%MAB-5-SUCCESS: Authentication successful for client (0021.a084.6ff4) on Interface
Gi0/7 AuditSessionID 0A010A070000002F00ED9839
%AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client
(0021.a084.6ff4) on Interface Gi0/7 AuditSessionID 0A010A070000002F00ED9839
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0021.a084.6ff4| AuditSessionID
0A010A070000002F00ED9839| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| EVENT DOWNLOAD-REQUEST
RADIUS/ENCODE(00000000):Orig. component type = INVALID
RADIUS(00000000): Config NAS IP: 10.1.10.7
RADIUS(00000000): sending
// The switch must download the ACL from ISE. This is done by another RADIUS request
where the username is the dACL name. Three things must be configured on the switch
to make this happen:
  - aaa authorization network
  - ip device tracking
  - radius vsa send
RADIUS(00000000): Send Access-Request to 172.31.1.20:1812 id 1645/161, len 147
RADIUS:  authenticator D4 CD 40 0E F3 F8 F9 70 - 58 99 86 E7 AB 82 94 42
RADIUS:  NAS-IP-Address      [4]   6   10.1.10.7
RADIUS:  User-Name           [1]   41  "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-4f57e406"
RADIUS:  Vendor, Cisco       [26]  32
RADIUS:   Cisco AVpair       [1]   26  "aaa:service=ip_admission"
RADIUS:  Vendor, Cisco       [26]  30
RADIUS:   Cisco AVpair       [1]   24  "aaa:event=acl-download"
RADIUS:  Message-Authenticato[80]  18
RADIUS:   D6 19 B1 96 C2 84 8C 39 B6 F8 59 11 B4 D5 CE 32  [ 9Y2]
RADIUS(00000000): Started 5 sec timeout
// with the RADIUS Access-Accept message the switch gets the ACL entries.
RADIUS: Received from id 1645/161 172.31.1.20:1812, Access-Accept, len 211
RADIUS:  authenticator FA 1C F2 32 B9 39 44 C8 - 62 9D 53 67 81 1D 8C EF
RADIUS:  User-Name           [1]   41  "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-4f57e406"
RADIUS:  State               [24]  40
RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 61 63  [ReauthSession:ac]
RADIUS:   31 66 30 31 31 34 30 30 30 30 30 42 37 32 35 31  [1f011400000B7251]
RADIUS:   30 36 42 36 44 44                                [ 06B6DD]
RADIUS:  Class               [25]  50
RADIUS:   43 41 43 53 3A 61 63 31 66 30 31 31 34 30 30 30  [CACS:ac1f0114000]
RADIUS:   30 30 42 37 32 35 31 30 36 42 36 44 44 3A 49 53  [00B725106B6DD:IS]
RADIUS:   45 2F 31 34 33 35 35 38 35 35 33 2F 33 30 33 30  [ E/143558553/3030]
RADIUS:  Termination-Action  [29]  6   1
RADIUS:  Message-Authenticato[80]  18
RADIUS:   8D 04 C6 C4 03 39 C9 E4 71 09 BB 6B D7 76 9F 5D  [ 9qkv]]
RADIUS:  Vendor, Cisco       [26]  36
RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#1=permit ip any any"
RADIUS(00000000): Received from id 1645/161
%EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| EVENT DOWNLOAD-SUCCESS
%EPM-6-IPEVENT: IP 0.0.0.0| MAC 0021.a084.6ff4| AuditSessionID
0A010A070000002F00ED9839| AUTHTYPE DOT1X| EVENT IP-WAIT
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (0021.a084.6ff4) on Interface
Gi0/7 AuditSessionID 0A010A070000002F00ED9839
RADIUS/ENCODE(00000034):Orig. component type = DOT1X
RADIUS(00000034): Config NAS IP: 10.1.10.7
RADIUS(00000034): sending
// if RADIUS accounting is enabled, another message is sent
RADIUS(00000034): Send Accounting-Request to 172.31.1.20:1813 id 1646/26, len 290
RADIUS:  authenticator 53 F1 C6 46 5A C5 72 97 - DC 43 AF C1 61 2B 4F 96
RADIUS:  Acct-Session-Id     [44]  10  "00000034"
RADIUS:  Vendor, Cisco       [26]  49
RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A010A070000002F00ED9839"
RADIUS:  User-Name           [1]   19  "00-21-A0-84-6F-F4"
RADIUS:  Vendor, Cisco       [26]  32
RADIUS:   Cisco AVpair       [1]   26  "connect-progress=Call Up"
RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
RADIUS:  NAS-Port            [5]   6   50007
RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/7"
RADIUS:  Called-Station-Id   [30]  19  "C4-64-13-6C-E8-07"
RADIUS:  Calling-Station-Id  [31]  19  "00-21-A0-84-6F-F4"
RADIUS:  Class               [25]  50
RADIUS:   43 41 43 53 3A 30 41 30 31 30 41 30 37 30 30 30  [CACS:0A010A07000]
RADIUS:   30 30 30 32 46 30 30 45 44 39 38 33 39 3A 49 53  [0002F00ED9839:IS]
RADIUS:   45 2F 31 34 33 35 35 38 35 35 33 2F 33 30 32 39  [ E/143558553/3029]
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  NAS-IP-Address      [4]   6   10.1.10.7
RADIUS:  Unsupported         [151] 10
RADIUS:   44 45 37 41 45 41 43 37                          [ DE7AEAC7]
RADIUS:  Acct-Delay-Time     [41]  6   0
RADIUS(00000034): Started 5 sec timeout
RADIUS: Received from id 1646/26 172.31.1.20:1813, Accounting-response, len 20
RADIUS:  authenticator 61 24 0C 05 95 95 5F 37 - 32 D5 DA 19 89 98 FD 40
// check the authentication session again. You should see the correct domain
(VOICE), based on the attribute received from ISE, and the ACL name. You will
not see ACL entries here.
SW1#sh auth sess int g0/7
            Interface:  GigabitEthernet0/7
          MAC Address:  0021.a084.6ff4
           IP Address:  Unknown
            User-Name:  00-21-A0-84-6F-F4
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A010A070000002F00ED9839
      Acct Session ID:  0x00000034
               Handle:  0x3500002F

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
Bounce the Win7 NIC (LAB-Network) to trigger dot1x and check debug output. Click
on the balloon message that appears and provide user/pass of
employee1/Micronics1 to authenticate.
dot1x-ev(Gi0/7): Dot1x authentication started for 0xC300005B (0026.55d0.0d56)
%AUTHMGR-5-START: Starting 'dot1x' for client (0026.55d0.0d56) on Interface Gi0/7
AuditSessionID 0A010A070000003100EE1DEA
// you may see more dot1x retries here. It depends on the configured tx-period and
how quickly you provide the username and password to the supplicant.
dot1x-ev(Gi0/7): Sending EAPOL packet to 0026.55d0.0d56
dot1x-ev(Gi0/7): Role determination not required
dot1x-ev(Gi0/7): Sending out EAPOL packet
dot1x-ev(Gi0/7): Sending EAPOL packet to 0026.55d0.0d56
dot1x-ev(Gi0/7): Role determination not required
dot1x-ev(Gi0/7): Sending out EAPOL packet
dot1x-ev(Gi0/7): Role determination not required
dot1x-ev:Enqueued the eapol packet to the global authenticator queue
EAPOL pak dump rx
EAPOL Version: 0x1
type: 0x0
length: 0x000E
dot1x-ev: dot1x_auth_queue_event: Int Gi0/7 CODE= 2,TYPE= 1,LEN= 14
dot1x-ev(Gi0/7): Received pkt saddr =0026.55d0.0d56 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.000e
dot1x-ev(Gi0/7): dot1x_sendRespToServer: Response sent to the server from 0xC300005B
(0026.55d0.0d56)
RADIUS/ENCODE(00000036):Orig. component type = DOT1X
RADIUS(00000036): Config NAS IP: 10.1.10.7
RADIUS/ENCODE(00000036): acct_session_id: 54
RADIUS(00000036): sending
// RADIUS authentication message is sent. It includes the provided username,
Service-Type=2 and NAS-Port-Type=15, which should be matched by ISE to the
correct authentication rule. Note that ISE is configured with Allowed
Protocols where only PEAP/MS-CHAPv2 is selected. This will trigger another set
of RADIUS messages to negotiate and build a TLS tunnel and to authenticate securely
over that tunnel.
RADIUS(00000036): Send Access-Request to 172.31.1.20:1812 id 1645/162, len 204
RADIUS:  authenticator 07 CE 7D 37 DF DA B8 D6 - 00 16 97 E8 97 BC 0F 4F
RADIUS:  User-Name           [1]   11  "employee1"
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  Framed-MTU          [12]  6   1500
RADIUS:  Called-Station-Id   [30]  19  "C4-64-13-6C-E8-07"
RADIUS:  Calling-Station-Id  [31]  19  "00-26-55-D0-0D-56"
RADIUS:  EAP-Message         [79]  16
RADIUS:   02 01 00 0E 01 65 6D 70 6C 6F 79 65 65 31        [ employee1]
RADIUS:  Message-Authenticato[80]  18
RADIUS:   9C 1F 81 CF 9F 9E 64 34 E5 DA AC 68 D2 57 C1 41  [ d4hWA]
RADIUS:  EAP-Key-Name        [102] 2   *
RADIUS:  Vendor, Cisco       [26]  49
RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A010A070000003100EE1DEA"
RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
RADIUS:  NAS-Port            [5]   6   50007
RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/7"
RADIUS:  NAS-IP-Address      [4]   6   10.1.10.7
RADIUS(00000036): Started 5 sec timeout
// The RADIUS challenge message is used to negotiate PEAP and build the TLS tunnel.
RADIUS: Received from id 1645/162 172.31.1.20:1812, Access-Challenge, len 119
RADIUS:  authenticator 5B FB D9 3A 4B B5 74 93 - 4C 54 58 C8 BC A1 08 56
RADIUS:  State               [24]  73
RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 30  [37CPMSessionID=0]
RADIUS:   41 30 31 30 41 30 37 30 30 30 30 30 30 33 31 30  [A010A07000000310]
RADIUS:   30 45 45 31 44 45 41 3B 32 38 53 65 73 73 69 6F  [0EE1DEA;28Sessio]
RADIUS:   6E 49 44 3D 49 53 45 2F 31 34 33 35 35 38 35 35  [nID=ISE/14355855]
RADIUS:   33 2F 33 30 33 32 3B                             [ 3/3032;]
RADIUS:  EAP-Message         [79]  8
RADIUS:   01 47 00 06 19 21                                [ G!]
RADIUS:  Message-Authenticato[80]  18
RADIUS:   48 01 CE 89 9D 3B 52 D4 77 5C 83 63 A8 16 D2 31  [ H;Rw\c1]
RADIUS(00000036): Received from id 1645/162
RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
dot1x-ev(Gi0/7): Sending EAPOL packet to 0026.55d0.0d56
dot1x-ev(Gi0/7): Role determination not required
dot1x-ev(Gi0/7): Sending out EAPOL packet
dot1x-ev(Gi0/7): Role determination not required
dot1x-ev:Enqueued the eapol packet to the global authenticator queue
EAPOL pak dump rx
EAPOL Version: 0x1  type: 0x0  length: 0x007B
dot1x-ev: dot1x_auth_queue_event: Int Gi0/7 CODE= 2,TYPE= 25,LEN= 123
dot1x-ev(Gi0/7): Received pkt saddr =0026.55d0.0d56 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.007b
dot1x-ev(Gi0/7): dot1x_sendRespToServer: Response sent to the server from 0xC300005B (0026.55d0.0d56)
RADIUS/ENCODE(00000036):Orig. component type = DOT1X
RADIUS(00000036): Config NAS IP: 10.1.10.7
RADIUS/ENCODE(00000036): acct_session_id: 54
RADIUS(00000036): sending
// Another RADIUS Access-Request is sent. Note that the RADIUS message does NOT contain
any password, only the username. The username/password are carried securely inside
EAP, which RADIUS transports in the EAP-Message attribute (AVP 79).
RADIUS(00000036): Send Access-Request to 172.31.1.20:1812 id 1645/163, len 386
RADIUS:  authenticator F0 57 7F CA 9E 1E DE B0 - 69 9F 41 77 5C 32 EC CE
RADIUS:  User-Name           [1]   11  "employee1"
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  Framed-MTU          [12]  6   1500
RADIUS:  Called-Station-Id   [30]  19  "C4-64-13-6C-E8-07"
RADIUS:  Calling-Station-Id  [31]  19  "00-26-55-D0-0D-56"
RADIUS:  EAP-Message         [79]  125
RADIUS:   02 47 00 7B 19 80 00 00 00 71 16 03 01 00 6C 01 00 00 68 03 01 51 06 B6 F7 BA
RADIUS:   BC F9 9E 91 CF 87 8E 3C FF 03 AF E3 E6 F2 65 29 F8 20 0F D5 12 97 87 AF DA 54 E1 00 00
RADIUS:   18 00 2F 00 35 00 05 00 0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38 00 13 00 04 01 00 00 27  [G{qlhQ<e) T/528']
RADIUS:   FF 01 00 01 00 00 00 00 0E 00 0C 00 00 09 65 6D 70 6C 6F 79 65 65 31 00 0A 00
RADIUS:   06 00 04 00 17 00 18 00 0B 00 02 01 00                                         [ employee1]
RADIUS:  Message-Authenticato[80]  18
RADIUS:   24 89 84 4A A5 44 1A 9A CC AA 7F 82 07 25 5E 03  [ $JD?^]
RADIUS:  EAP-Key-Name        [102] 2   *
RADIUS:  Vendor, Cisco       [26]  49
RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A010A070000003100EE1DEA"
RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
RADIUS:  NAS-Port            [5]   6   50007
RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/7"
RADIUS:  State               [24]  73
RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 30  [37CPMSessionID=0]
RADIUS:   41 30 31 30 41 30 37 30 30 30 30 30 30 33 31 30  [A010A07000000310]
RADIUS:   30 45 45 31 44 45 41 3B 32 38 53 65 73 73 69 6F  [0EE1DEA;28Sessio]
RADIUS:   6E 49 44 3D 49 53 45 2F 31 34 33 35 35 38 35 35  [nID=ISE/14355855]
RADIUS:   33 2F 33 30 33 32 3B                             [ 3/3032;]
RADIUS:  NAS-IP-Address      [4]   6   10.1.10.7
RADIUS(00000036): Started 5 sec timeout
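To see what the EAP-Message attributes above actually carry, here is an added decoder (example code, not part of the workbook) run offline on bytes copied from the three RADIUS messages shown so far: the EAP Identity response with the clear-text username, the PEAP Start challenge, and the PEAP-wrapped TLS ClientHello from the second Access-Request.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_IDENTITY, EAP_PEAP = 1, 25
# Three EAP-Message payloads copied from the debug output above (bytes.fromhex ignores whitespace)
IDENTITY_RESPONSE = bytes.fromhex("02 01 00 0E 01 65 6D 70 6C 6F 79 65 65 31")
PEAP_START = bytes.fromhex("01 47 00 06 19 21")
CLIENT_HELLO_RESPONSE = bytes.fromhex(
    "02 47 00 7B 19 80 00 00 00 71 16 03 01 00 6C 01 00 00 68 03 01 51 06 B6 F7 BA"
    "BC F9 9E 91 CF 87 8E 3C FF 03 AF E3 E6 F2 65 29 F8 20 0F D5 12 97 87 AF DA 54 E1 00 00"
    "18 00 2F 00 35 00 05 00 0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38 00 13 00 04 01 00 00 27"
    "FF 01 00 01 00 00 00 00 0E 00 0C 00 00 09 65 6D 70 6C 6F 79 65 65 31 00 0A 00"
    "06 00 04 00 17 00 18 00 0B 00 02 01 00")

def u16(b, i):
    return struct.unpack("!H", b[i:i + 2])[0]

def parse_eap(msg):
    # EAP header: Code(1) Identifier(1) Length(2), then Type(1) for Request/Response
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError("EAP length field does not match payload")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        out["type"] = msg[4]
        if msg[4] == EAP_IDENTITY:           # the username travels in clear, as the debug shows
            out["identity"] = msg[5:].decode()
        elif msg[4] == EAP_PEAP:             # PEAP flags: L(0x80) M(0x40) S(0x20) + 3-bit version
            flags, body = msg[5], msg[6:]
            out["peap"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                           "S": bool(flags & 0x20), "version": flags & 0x07}
            if flags & 0x80:                 # L set: 4-byte total TLS length precedes the data
                out["tls_total_len"], body = struct.unpack("!I", body[:4])[0], body[4:]
            out["tls_data"] = body
    return out

def parse_client_hello(rec):
    # TLS record: type(1) version(2) length(2); handshake: type(1) length(3) version(2) random(32)
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a Handshake/ClientHello record")
    hello_ver, gmt_time = struct.unpack("!HI", rec[9:15])
    p = 43 + 1 + rec[43]                     # skip session_id
    n, p = u16(rec, p), p + 2
    suites, p = [u16(rec, i) for i in range(p, p + n, 2)], p + n
    p += 1 + rec[p]                          # skip compression_methods
    sni = None
    if p < len(rec):                         # the extensions block is optional
        end, p = p + 2 + u16(rec, p), p + 2
        while p < end:
            ext_type, ext_len, p = u16(rec, p), u16(rec, p + 2), p + 4
            if ext_type == 0:                # server_name: list len(2) type(1) name len(2) name
                sni = rec[p + 5:p + 5 + u16(rec, p + 3)].decode()
            p += ext_len
    return {"record_version": u16(rec, 1), "hello_version": hello_ver,
            "gmt_unix_time": gmt_time, "cipher_suites": suites, "sni": sni}
```

The decoded ClientHello shows the supplicant offering only TLS 1.0 (0x0301) and putting the username in the SNI extension, details the raw hex dump hides.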
// This RADIUS Access-Challenge carries the ISE side of the PEAP handshake. PEAP
authenticates the server with a digital certificate, which is why the message is so
long: it contains the ISE certificate.
RADIUS: Received from id 1645/163 172.31.1.20:1812, Access-Challenge, len 1131
RADIUS:  authenticator F0 C8 1D 6C 96 CE 6F 38 - 6D DD 18 94 6A 57 24 5C
RADIUS:  State               [24]  73
RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 30  [37CPMSessionID=0]
RADIUS:   41 30 31 30 41 30 37 30 30 30 30 30 30 33 31 30  [A010A07000000310]
RADIUS:   30 45 45 31 44 45 41 3B 32 38 53 65 73 73 69 6F  [0EE1DEA;28Sessio]
RADIUS:   6E 49 44 3D 49 53 45 2F 31 34 33 35 35 38 35 35  [nID=ISE/14355855]
RADIUS:   33 2F 33 30 33 32 3B                             [ 3/3032;]
RADIUS:  EAP-Message         [79]  255
RADIUS:   01 48 03 F4 19 C0 00 00 0B 0A 16 03 01 00 51 02 00 00 4D 03 01 51 06 B6 F7 B2 45 7B 2C EF 39 30 04 98 52 3A 89 85 30 4A 89 92 1E 26 D3 58 28  [HQMQE{,90R:0J&X(]
RADIUS:   47 51 B0 49 E1 DD 20 FC B0 69 4B BC A5 CB 70 0C F6 3B E4 E6 3A 89 AB 2C FF 50 33 13 8A FA AA FC 60 5E 60 FA 57  [GQI iKp;:,P3`^`W]
RADIUS:   77 6A 00 35 00 00 05 FF 01 00 01 00 16 03 01 0A A6 0B 00 0A A2 00 0A 9F 00 06 06 30 82 06 02 30 82 04 EA A0 03 02 01 02 02 0A 61 27 FF 80 00 00 00 00 00 03 30 0D 06
RADIUS:   09 2A 86 48 86 F7 0D 01 01 05 05 00 30 4F 31 15 30 13 06 0A 09 92 26 89 93 F2 2C  [wj500a'0*H0O10&,]
RADIUS:   64 01 19 16 05 6C 6F 63 61 6C 31 19 30 17 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 09 6D 69 63 72 6F  [dlocal10&,dmicro]
RADIUS:   6E 69 63 73 31 1B 30 19 06 03 55 04 03 13 12 63 61 2E 6D 69 63 72 6F 6E  [nics10Uca.micron]
RADIUS:   69 63 73 2E 6C 6F 63 61 6C 30 1E 17 0D 31 32 31 31 32 30  [ics.local0121120]
RADIUS:   31 39 34 39 31 38 5A 17 0D 31 34  [ 194918Z14]
RADIUS:  EAP-Message         [79]  255
RADIUS:   31 31 32 30 31 39 34 39 31 38 5A 30 5A 31 0B 30 09 06 03 55  [1120194918Z0Z10U]
RADIUS:   04 06 13 02 75 73 31 0B 30 09 06 03 55 04 08 13 02 63 61 31 12 30 10 06 03 55 04 0A 13 09 6D 69 63 72 6F 6E  [us10Uca10Umicron]
RADIUS:   69 63 73 31 0C 30 0A 06 03 55 04 0B 13 03 6C 61 62 31 1C 30 1A 06 03 55 04 03 13 13 69 73 65 2E  [ics10Ulab10Uise.]
RADIUS:   6D 69 63 72 6F 6E 69 63 73 2E 6C 6F 63 61 6C 30  [micronics.local0]
RADIUS:   82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 B1 23 13 7A 04 C5 03 F4 95 32 21 93 02 08 3C CF DF 6C A2 F0 0B FC 12
RADIUS:   0F B7 C8 05 05 F5 35 E6 71 1A 6E 0C 38 A3 D7 98 11 1E 4F  ["0*H0#z2!<l5qn8O]
RADIUS:   EA 25 51 70 FB F5 7B C0 2C 82 C8 44 92 3A C1 47 85 60 23 BF 2E C6 E8 4A 15 C0 FA FC 70 3E D6 94 4D DB 4E  [?Qp{,D:G`#.Jp>MN]
RADIUS:   F0 0D F0 89 4C 60 C8 59 61 AE 0E 81 75 70 55 51 15 1D 84 5C ED 36 DA 01 C9 7D 37 12 1E FA 25 8F E8 9F 0C 66 33 BB 9B D5  [ L`YaupUQ\6}7?f3]
RADIUS:  EAP-Message         [79]  255
RADIUS:   14 91 6B AF 74 93 29 5A 11 9B ED 31 CD E0 84 E6 B3 4D 64 A1 35 AF A8 90 1B BA 02 DA 36 2A 0B 81 6A BA 1D 1A 22 8A 78 F1 17 C9 01 CE 6D 48 53  [kt)Z1Md56*j"xmHS]
RADIUS:   BB 44 1C 13 62 7E EE EB 6C EE 48 1D F3 FA 3B F0 84 3A C5 8A 76 86 C6 67 80 3D 9A 08 CF 19 43 A8 07 B3 DC 0E 3F DE 24 30 C9 0D 5E 0E 69  [Db~lH;:vg=C?$0^i]
RADIUS:   6F 8D 3E 95 EC 58 B3 F5 DC 0B 0D DC C6 D2 5B C0 54 9F CC F5 1A 01 4E BE 51 5B AC 16 45 F7 27 76 A2 73 FA 3C 3F 2E 06 19 C9 20  [o>X[TNQ[E'vs<?. ]
RADIUS:   87 C2 A4 14 6D 02 03 01 00 01 A3 82 02 D3 30 82 02 CF 30 0B 06 03 55 1D 0F 04 04 03 02 05 A0 30 1D 06 03 55 1D 0E 04 16 04 14 DA 39 A3 EE 5E 6B 4B 0D 32 55 BF EF 95
RADIUS:   60 18 90 AF D8 07 09 30 13 06 03 55 1D 25  [m00U0U9^kK2U`0U?]
RADIUS:   04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 1F 06 03 55 1D 23 04 18 30 16 80 14 4E 48 F2 B6 65 69 28 34 9F F9 7D D1 62 B0 58 34  [0+0U#0NHei(4}bX4]
RADIUS:   B3 86 31 44 30 82 01  [ 1D0]
RADIUS:  EAP-Message         [79]  255
RADIUS:   0E 06 03 55 1D 1F 04 82 01 05 30 82 01 01 30 81 FE A0 81 FB A0 81 F8 86 81 B8 6C 64 61 70 3A 2F 2F 2F 43 4E 3D 63 61  [U00ldap:///CN=ca]
RADIUS:   2E 6D 69 63 72 6F 6E 69 63 73 2E 6C 6F 63 61 6C  [.micronics.local]
RADIUS:   2C 43 4E 3D 64 63 2C 43 4E 3D 43 44 50 2C 43 4E  [,CN=dc,CN=CDP,CN]
RADIUS:   3D 50 75 62 6C 69 63 25 32 30 4B 65 79 25 32 30  [=Public?20Key?20]
RADIUS:   53 65 72 76 69 63 65 73 2C 43 4E 3D 53 65 72 76  [Services,CN=Serv]
RADIUS:   69 63 65 73 2C 43 4E 3D 43 6F 6E 66 69 67 75 72  [ices,CN=Configur]
RADIUS:   61 74 69 6F 6E 2C 44 43 3D 6D 69 63 72 6F 6E 69  [ation,DC=microni]
RADIUS:   63 73 2C 44 43 3D 6C 6F 63 61 6C 3F 63 65 72 74  [cs,DC=local?cert]
RADIUS:   69 66 69 63 61 74 65 52 65 76 6F 63 61 74 69 6F  [ificateRevocatio]
RADIUS:   6E 4C 69 73 74 3F 62 61 73 65 3F 6F 62 6A 65 63  [nList?base?objec]
RADIUS:   74 43 6C 61 73 73 3D 63 52 4C 44 69 73 74 72 69  [tClass=cRLDistri]
RADIUS:   62 75 74 69 6F 6E 50 6F 69 6E 74 86 3B 68 74 74 70  [butionPoint;http]
RADIUS:   3A 2F 2F 64 63 2E 6D 69 63 72 6F 6E 69 63 73 2E  [://dc.micronics.]
RADIUS:   6C 6F 63 61 6C 2F 43 65 72 74 45 6E 72 6F 6C 6C  [local/CertEnroll]
RADIUS:   2F 63 61 2E 6D                                   [ /ca.m]
RADIUS:  Message-Authenticato[80]  18
RADIUS:   A1 DC DF 16 43 95 CA 9C B4 3C 55 31 71 31 41 01  [ C<U1q1A]
RADIUS(00000036): Received from id 1645/163
RADIUS/DECODE: EAP-Message fragments, 253+253+253+253, total 1012 bytes
<snip>
dot1x-ev(Gi0/7): Received pkt saddr =0026.55d0.0d56 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.002b
dot1x-ev(Gi0/7): dot1x_sendRespToServer: Response sent to the server from 0xC300005B (0026.55d0.0d56)
RADIUS/ENCODE(00000036):Orig. component type = DOT1X
RADIUS(00000036): Config NAS IP: 10.1.10.7
RADIUS/ENCODE(00000036): acct_session_id: 54
RADIUS(00000036): sending
RADIUS(00000036): Send Access-Request to 172.31.1.20:1812 id 1645/171, len 306
RADIUS:  authenticator 3F 59 C2 9B F2 19 B0 62 - 48 B9 7F 62 62 24 C0 46
RADIUS:  User-Name           [1]   11  "employee1"
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  Framed-MTU          [12]  6   1500
RADIUS:  Called-Station-Id   [30]  19  "C4-64-13-6C-E8-07"
RADIUS:  Calling-Station-Id  [31]  19  "00-26-55-D0-0D-56"
RADIUS:  EAP-Message         [79]  45
RADIUS:   02 4F 00 2B 19 00 17 03 01 00 20 37 07 D7 71 29 9D 4D 7D 5B C6 3D 7C 85 4A 3F
RADIUS:   4F 83 2A 08 77                                   [O+ 7q)M}[=|J?O*w]
RADIUS:   39 7C 4A E6 44 13 12 04 AE C3 16 13              [ 9|JD]
RADIUS:  Message-Authenticato[80]  18
RADIUS:   87 6A 31 76 49 99 00 6F 6E 59 EB 04 26 99 F0 F5  [ j1vIonY&]
RADIUS:  EAP-Key-Name        [102] 2   *
RADIUS:  Vendor, Cisco       [26]  49
RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A010A070000003100EE1DEA"
RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
RADIUS:  NAS-Port            [5]   6   50007
RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/7"
RADIUS:  State               [24]  73
RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 30  [37CPMSessionID=0]
RADIUS:   41 30 31 30 41 30 37 30 30 30 30 30 30 33 31 30  [A010A07000000310]
RADIUS:   30 45 45 31 44 45 41 3B 32 38 53 65 73 73 69 6F  [0EE1DEA;28Sessio]
RADIUS:   6E 49 44 3D 49 53 45 2F 31 34 33 35 35 38 35 35  [nID=ISE/14355855]
RADIUS:   33 2F 33 30 33 32 3B                             [ 3/3032;]
RADIUS:  NAS-IP-Address      [4]   6   10.1.10.7
RADIUS(00000036): Started 5 sec timeout
// The RADIUS Access-Accept arrives after successful authentication. It carries
additional authorization attributes, such as the dACL name.
RADIUS: Received from id 1645/171 172.31.1.20:1812, Access-Accept, len 409
RADIUS:  authenticator 04 9F 01 D2 2B 18 12 C3 - 69 57 CC 9E EB C4 BE 7F
RADIUS:  User-Name           [1]   11  "employee1"
RADIUS:  State               [24]  40
RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41  [ReauthSession:0A]
RADIUS:   30 31 30 41 30 37 30 30 30 30 30 30 33 31 30 30  [010A070000003100]
RADIUS:   45 45 31 44 45 41                                [ EE1DEA]
RADIUS:  Class               [25]  50
RADIUS:   43 41 43 53 3A 30 41 30 31 30 41 30 37 30 30 30  [CACS:0A010A07000]
RADIUS:   30 30 30 33 31 30 30 45 45 31 44 45 41 3A 49 53  [0003100EE1DEA:IS]
RADIUS:   45 2F 31 34 33 35 35 38 35 35 33 2F 33 30 33 32  [ E/143558553/3032]
RADIUS:  Termination-Action  [29]  6   1
RADIUS:  EAP-Message         [79]  6
RADIUS:   03 4F 00 04                                      [ O]
RADIUS:  Message-Authenticato[80]  18
RADIUS:   E5 83 8E 2B 05 75 3F B9 2F 1B 48 A3 17 A7 A4 FA  [ +u?/H]
RADIUS:  EAP-Key-Name        [102] 67  *
RADIUS:  Vendor, Cisco       [26]  75
RADIUS:   Cisco AVpair       [1]   69  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-4f57e406"
RADIUS:  Vendor, Microsoft   [26]  58
RADIUS:   MS-MPPE-Send-Key   [16]  52  *
RADIUS:  Vendor, Microsoft   [26]  58
RADIUS:   MS-MPPE-Recv-Key   [17]  52  *
RADIUS(00000036): Received from id 1645/171
RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
%DOT1X-5-SUCCESS: Authentication successful for client (0026.55d0.0d56) on Interface Gi0/7 AuditSessionID
dot1x-ev(Gi0/7): Sending event (2) to Auth Mgr for 0026.55d0.0d56
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.55d0.0d56) on Interface Gi0/7 AuditSessionID 0A010A070000003100EE1DEA
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| EVENT IP-WAIT
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.55d0.0d56) on Interface Gi0/7 AuditSessionID 0A010A070000003100EE1DEA
// Note that there is no ACL download in this case. An ACL of the same name was
already downloaded in the previous steps (IP Phone authorization), so the switch
reuses it.
dot1x-ev(Gi0/7): Received Authz Success for the client 0xC300005B (0026.55d0.0d56)
dot1x-ev(Gi0/7): Sending EAPOL packet to 0026.55d0.0d56
dot1x-ev(Gi0/7): Role determination not required
dot1x-ev(Gi0/7): Sending out EAPOL packet
RADIUS/ENCODE(00000036):Orig. component type = DOT1X
RADIUS(00000036): Config NAS IP: 10.1.10.7
RADIUS(00000036): sending
// The RADIUS Accounting-Request (Start) is sent.
RADIUS(00000036): Send Accounting-Request to 172.31.1.20:1813 id 1646/27, len 282
RADIUS:  authenticator 7F 96 5F 1E FA 14 C5 4A - 7F 46 CA 57 CD 62 E1 46
RADIUS:  Acct-Session-Id     [44]  10  "00000036"
RADIUS:  Vendor, Cisco       [26]  49
RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A010A070000003100EE1DEA"
RADIUS:  User-Name           [1]   11  "employee1"
RADIUS:  Vendor, Cisco       [26]  32
RADIUS:   Cisco AVpair       [1]   26  "connect-progress=Call Up"
RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
RADIUS:  NAS-Port            [5]   6   50007
RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/7"
RADIUS:  Called-Station-Id   [30]  19  "C4-64-13-6C-E8-07"
RADIUS:  Calling-Station-Id  [31]  19  "00-26-55-D0-0D-56"
RADIUS:  Class               [25]  50
RADIUS:   43 41 43 53 3A 30 41 30 31 30 41 30 37 30 30 30  [CACS:0A010A07000]
RADIUS:   30 30 30 33 31 30 30 45 45 31 44 45 41 3A 49 53  [0003100EE1DEA:IS]
RADIUS:   45 2F 31 34 33 35 35 38 35 35 33 2F 33 30 33 32  [ E/143558553/3032]
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  NAS-IP-Address      [4]   6   10.1.10.7
RADIUS:  Unsupported         [151] 10
RADIUS:   39 41 43 35 39 42 43 31                          [ 9AC59BC1]
RADIUS:  Acct-Delay-Time     [41]  6   0
RADIUS(00000036): Started 5 sec timeout
RADIUS: Received from id 1646/27 172.31.1.20:1813, Accounting-response, len 20
RADIUS:
authenticator 10 CE B8 8F 9C 12 10 FA - A5 76 EF 72 17 01 E7 94
RADIUS/ENCODE(00000036):Orig. component type = DOT1X
RADIUS(00000036): Config NAS IP: 10.1.10.7
RADIUS(00000036): sending
%EPM-6-IPEVENT: IP 10.1.10.104| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
%EPM-6-POLICY_APP_SUCCESS: IP 10.1.10.104| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLxIP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
%EPM-6-IPEVENT: IP 10.1.10.104| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| EVENT IP-RELEASE
%EPM-6-IPEVENT: IP 10.1.10.104| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| EVENT IP-WAIT
%EPM-6-IPEVENT: IP 10.1.10.104| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
%EPM-6-POLICY_APP_SUCCESS: IP 10.1.10.104| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLxIP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
// Check the authentication sessions on the port. You should see two separate
domains (VOICE and DATA), each authenticated separately.
SW1#sh auth sess int g0/7
            Interface:  GigabitEthernet0/7
          MAC Address:  0026.55d0.0d56
           IP Address:  10.1.10.104
            User-Name:  employee1
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A010A070000003100EE1DEA
      Acct Session ID:  0x00000036
               Handle:  0xAE000031

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

----------------------------------------
            Interface:  GigabitEthernet0/7
          MAC Address:  0021.a084.6ff4
           IP Address:  Unknown
            User-Name:  00-21-A0-84-6F-F4
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A010A070000002F00ED9839
      Acct Session ID:  0x00000034
               Handle:  0x3500002F

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
Check ISE logs.
Check if the NIC is up and running.