Friday, February 10, 2012

Resolving layer 1 issues

Often we have issues with cabling and don't know how to prove it. Fortunately, if you are using Cisco switches you are in luck, since there is a way to test the cabling using commands on the switch itself (the TDR cable-diagnostics command). Please note that this will bring the interface down, so it is not recommended during production hours.
As you can see from the log below:

3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
3d00h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
3d00h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up


How do we do that you ask? Well here goes:

Test_Switch01#test cable-diagnostics tdr interface GigabitEthernet0/1


To see the results:

Test_Switch01#sh cable-diagnostics tdr int gigabitEthernet 0/1
TDR test last run on: March 04 00:36:40

Interface Speed Local pair Pair length        Remote pair Pair status
--------- ----- ---------- ------------------ ----------- -----------
Gi0/1     100M  Pair A     0    +/- 4  meters Pair B      Normal
                Pair B     0    +/- 4  meters Pair A      Normal
                Pair C     1    +/- 4  meters Pair C      Short
                Pair D     2    +/- 4  meters Pair D      Short
Test_Switch01#


Hope this will help you tell the facilities guys to check the cabling...
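As an added example (not part of the original post), the following Python script automates the two checks described above: it counts physical link up/down transitions per interface from the %LINK-3-UPDOWN syslog lines so that a flapping port stands out, and it parses the `show cable-diagnostics tdr` output to list every wire pair whose status is not Normal, together with the distance at which the fault was located. The syslog and TDR text embedded below are constructed samples based on the output shown in the post (with a few extra lines added to show the flap threshold); the threshold value is an assumption you would tune for your environment.

```python
import re
from collections import Counter

# Constructed sample: the post's syslog lines plus extra constructed flaps on
# Gi0/1 and a single, harmless link-up on Gi0/2.
SYSLOG = """\
3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
3d00h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
3d00h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
3d01h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
3d01h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
3d01h: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
"""

# Constructed sample of "show cable-diagnostics tdr" output, as in the post.
TDR_OUTPUT = """\
TDR test last run on: March 04 00:36:40

Interface Speed Local pair Pair length        Remote pair Pair status
--------- ----- ---------- ------------------ ----------- -----------
Gi0/1     100M  Pair A     0    +/- 4  meters Pair B      Normal
                Pair B     0    +/- 4  meters Pair A      Normal
                Pair C     1    +/- 4  meters Pair C      Short
                Pair D     2    +/- 4  meters Pair D      Short
"""

# Only physical-layer (LINK-3) events count; LINEPROTO follows from them.
LINK_RE = re.compile(
    r"%LINK-3-UPDOWN: Interface (?P<intf>\S+), changed state to (?P<state>up|down)"
)

# The interface/speed columns appear only on the first pair line of each port;
# continuation lines start directly with "Pair X".
PAIR_RE = re.compile(
    r"^(?:(?P<intf>\S+)\s+(?P<speed>\S+)\s+)?"
    r"Pair\s+(?P<local>[A-D])\s+(?P<length>\d+)\s+\+/-\s+(?P<tol>\d+)\s+meters\s+"
    r"Pair\s+(?P<remote>[A-D])\s+(?P<status>\w+)"
)


def link_transitions(syslog: str) -> Counter:
    """Number of physical up/down transitions per interface."""
    counts = Counter()
    for line in syslog.splitlines():
        m = LINK_RE.search(line)
        if m:
            counts[m.group("intf")] += 1
    return counts


def flapping_interfaces(syslog: str, threshold: int = 3) -> list:
    """Interfaces with at least `threshold` transitions (threshold is an assumed tuning value)."""
    return sorted(i for i, n in link_transitions(syslog).items() if n >= threshold)


def parse_tdr(output: str) -> list:
    """Parse TDR output into (interface, local pair, length, tolerance, remote pair, status) tuples."""
    rows, current_intf = [], None
    for raw in output.splitlines():
        m = PAIR_RE.match(raw.strip())
        if not m:
            continue
        if m.group("intf"):
            current_intf = m.group("intf")
        rows.append((current_intf, m.group("local"), int(m.group("length")),
                     int(m.group("tol")), m.group("remote"), m.group("status")))
    return rows


def tdr_faults(output: str) -> list:
    """Pairs whose status is not Normal, with the distance TDR located the fault at."""
    return [(intf, local, length, status)
            for intf, local, length, _tol, _remote, status in parse_tdr(output)
            if status != "Normal"]


if __name__ == "__main__":
    for intf in flapping_interfaces(SYSLOG):
        print(f"{intf}: {link_transitions(SYSLOG)[intf]} link transitions, suspect layer 1")
    for intf, pair, length, status in tdr_faults(TDR_OUTPUT):
        print(f"{intf} pair {pair}: {status} at about {length} m from the switch port")
```

Run it against a saved syslog capture and the pasted TDR output; the fault list (pair, status, distance) is exactly what to hand the facilities team, and the transition count shows whether the problem is intermittent rather than a one-off.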




Thursday, February 9, 2012

NPS Server R2 2008 for Radius on Cisco Devices

How to make an NPS your RADIUS authentication server for Cisco device admin access
1. Once you have your NPS server running, first add your client:
A. In Server Manager, click on Roles > Network Policy and Access > NPS (Local) > RADIUS Clients and Servers > RADIUS Clients, then click New on the right-hand side of the window under Actions and you will get a window as follows:
B. Add a friendly name for your device and its IP address, and add the shared secret that you will also use as the RADIUS key on the Cisco devices.

2. On the Advanced tab, either select Cisco or just leave it as RADIUS Standard, as this does not really matter.


Click on Apply, and now we go to the interesting part.

3. Under Policies, you will want to create two policies:
i). Connection Request Policy
ii). Network Policy

Connection Request Policy


4. Click on Connection Request Policies and click on New under Actions:
On the window as below, name your policy and click Next.

5. On the next window you are going to set the conditions that are required for your devices to pass authorization:


6. Select one of the conditions that applies to your network. In mine I used the Client IPv4 Address so that I could use a wildcard and be selective about which range of IP addresses could get authentication from the NPS.

Hit OK and click Next to get the window below:


Hit next on this window as well:




Hit next and then finish on this window:



Now we go to the Network Policy. Please follow this carefully, as this can make or break your authentication and authorization:

Network Policy


7. Click on Network Policies and then New under Actions:
8. Name your policy accordingly and click Next:


9. Now you have to add the conditions for your devices to be able to get authenticated:
10. Click on Add and you will get the following window; select "User Groups". This is very important when you have an AD group, let's say Network_Admins:



Add the AD group that is supposed to have access to device management.

11. On the next window, select Access Granted


Hit next:

Unselect everything except Unencrypted authentication (PAP, SPAP).



Click No on the next annoying Windows help window:


Hit next and go to the Configure Constraints:

Hit Next:

IMPORTANT:


12. On the following window, under RADIUS Attributes > Standard: remove Framed-Protocol = PPP and then edit the Service-Type.



This is a very important step as some Cisco devices will not work without this Attribute.

Now click on Vendor Specific:


Click on add:


Click on the Cisco-AV-Pair and then Add:

Click on Add and then type in the following to give your shell privilege level 15 access:
shell:priv-lvl=15

This attribute can be changed and applied to different groups, e.g. level 1 or 15.

Note:

By default, there are three privilege levels on the router.
  • privilege level 1 = non-privileged (prompt is router>), the default level for logging in
  • privilege level 15 = privileged (prompt is router#), the level after going into enable mode
  • privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout


Close the window and hit next:



Hit Finish on this window, and now you have fully configured your NPS to be a RADIUS server for your Cisco devices.




Cisco Configuration


For your Cisco devices this is all you need:

aaa authentication login default group radius local-case
aaa authentication login vty group radius local-case
aaa authorization exec default group radius local if-authenticated
aaa accounting system default start-stop group radius
!
! Use the interface that has the IP address configured on the NPS RADIUS client
ip radius source-interface Vlan1
!
radius-server host <ip address of the NPS server> auth-port 1645 acct-port 1646
radius-server key <Key that was configured on the Radius client in the NPS>
!
line vty 0 4
! Make sure this list name is the same as in the "aaa authentication login" command
 login authentication vty

Please note that the privilege levels can be changed and applied according to your needs:
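To make the NPS and Cisco sides of this setup concrete, here is an added Python example (not part of the post, and not NPS or Cisco code) that replays the RADIUS exchange the configuration above produces: the switch sends an Access-Request carrying the user name and a PAP User-Password hidden with the RFC 2865 MD5 stream, the server checks the credentials, maps the user's group to a privilege level and returns an Access-Accept containing the Cisco-AVPair vendor-specific attribute `shell:priv-lvl=15`, and the switch validates the Response Authenticator with the shared secret before trusting that attribute. The user database, group mapping and shared secret are constructed stand-ins for AD and the NPS client entry; everything else follows the RFC 2865 wire format (vendor ID 9, vendor type 1 for Cisco-AVPair).

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

# Constructed stand-ins for the AD account, its group and the NPS group-to-level mapping.
USERS = {"netadmin": ("S3cret!", "Network_Admins")}
GROUP_PRIV = {"Network_Admins": 15}


def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: XOR 16-byte blocks with an MD5(secret + previous block) stream.
    This is obfuscation keyed by the shared secret, not encryption, which is why
    the RADIUS path between switch and NPS must be a trusted network."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def pap_reveal(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(chunk, block)), chunk
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping Vendor-Id 9 and a Cisco-AVPair (vendor type 1) string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_attrs(blob: bytes) -> list:
    """Walk a TLV attribute list (used for both top-level and vendor attributes)."""
    attrs, i = [], 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_request(user: str, password: str, secret: bytes, ident: int = 1) -> bytes:
    """Switch side: what "login authentication vty" sends to the NPS."""
    req_auth = os.urandom(16)
    attrs = avp(ATTR_USER_NAME, user.encode())
    attrs += avp(ATTR_USER_PASSWORD, pap_hide(password.encode(), secret, req_auth))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def handle_access_request(pkt: bytes, secret: bytes) -> bytes:
    """NPS side: Network Policy with "Access Granted", PAP, and the Cisco-AV-Pair attribute."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    req_auth = pkt[4:20]
    attrs = dict(parse_attrs(pkt[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = pap_reveal(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    entry = USERS.get(user)
    if entry and password == entry[0].encode():
        code, reply_attrs = ACCESS_ACCEPT, cisco_avpair(f"shell:priv-lvl={GROUP_PRIV[entry[1]]}")
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    return packet(code, ident, response_authenticator(code, ident, reply_attrs, req_auth, secret), reply_attrs)


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> tuple:
    """Switch side: reject replies whose authenticator does not match the shared secret,
    then extract the privilege level the exec authorization will apply."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    expected = response_authenticator(code, ident, attrs, request[4:20], secret)
    if ident != request[1] or reply[4:20] != expected:
        raise ValueError("bad Response Authenticator: shared-secret mismatch or forged reply")
    priv = None
    for t, v in parse_attrs(attrs):
        if t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            for vt, vv in parse_attrs(v[4:]):
                if vt == CISCO_AVPAIR and vv.startswith(b"shell:priv-lvl="):
                    priv = int(vv.split(b"=", 1)[1])
    return code, priv


def login(user: str, password: str, secret: bytes = b"constructed-shared-secret") -> tuple:
    """Full round trip: returns (reply code, privilege level or None)."""
    request = build_access_request(user, password, secret)
    return verify_reply(handle_access_request(request, secret), request, secret)
```

A successful `login("netadmin", "S3cret!")` returns code 2 (Access-Accept) with privilege level 15, which is what lands the user at the `router#` prompt without a separate enable; a wrong password yields code 3 and no level. If the key in `radius-server key` differs from the secret on the NPS client entry, the password decodes to garbage and, more importantly, the Response Authenticator check fails on the switch, which is the symptom to look for when a freshly configured device falls back to the `local-case` user.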



See Cisco documentation here:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml