sysadmin


SonicWall has a rather nice VPN application called Global Client. What makes it nice is that it does most of the configuration jobs transparently to the user. And for the network administrator, setting up a VPN really is a one banana job.

The flip side of this is that it’s too easy to set up a VPN server with only Shared Secret authentication. This is all nice and fine if you have two or three VPN users, but for any real installation you really should authenticate the users individually. And if your real installation is based on Microsoft Windows, you probably have an Active Directory on the backline which already has all the users in it.

I’ve been handheld through one such installation and this is the attempt to get another one running, while blogging about the experience.

Prereq

The magic ingredient here is the RADIUS server (Remote Authentication Dial-In User Service). On Windows 2003, the RADIUS service is provided by the Internet Authentication Service, IAS. On Windows 2008 it’s a part of the Network Policy Server. SonicWall has a pretty decent techdoc about configuring RADIUS authentication on Windows Server 2003 but the 2008 implementation is left as an exercise to the reader.

If NPS isn’t installed yet, add it from Server manager –> Roles –> Add role.

The prerequisite step is to create a Windows Active Directory group of folks who will be granted VPN access using RADIUS authentication. While you could use All Users, you might be slipping in a few test users (username test, password test – I’m sure you don’t have any of those on your net, right?). So be a good sysadmin and create the group VPN Users, then add users or groups to it manually.

Now you can fire up the Internet Authentication Service or Network Policy Server.

RADIUS

The first step is to add a RADIUS client to the configuration. A RADIUS client is the box that talks RADIUS to the server (the NAS), not the end user who connects through the box. So in this case, we’ll add the Firewall as a RADIUS client.

On Windows 2003, right-click RADIUS Clients –> New RADIUS Client. On Windows 2008, RADIUS Clients and Servers –> RADIUS Clients (right-click) –> New RADIUS Client. Give it the Friendly Name “Firewall” and fill in the IP address. For this discussion, we’ll say the firewall lives at 192.168.42.1. The Client-Vendor can be set to RADIUS Standard. I don’t know if the SonicWall supports the Additional Options listed, so you can leave them blank.

Now type in a fairly complex Shared Secret, which the RADIUS server and the firewall will use, and paste the same string into Notepad. You’ll need the same Shared Secret later.

Since you’ll probably want to test the connection, create a similar RADIUS Client for either your own PC, if you happen to be on the local network at the time, or for some test server. Or for the RADIUS server itself, which means you’ll need to add a RADIUS client for either its local IP address or 127.0.0.1. I found a fairly decent, free RADIUS test client at IEA Software called Radlogin. The least I can do for the favour is to suggest you check out the client too.

The next step is to create a Remote Access Policy. On Windows 2003, right click Remote Access Policies –> New Remote Access Policy. On Windows 2008, it’s complicated. I’ll get to that in a paragraph or two.

If you’re still on 2003, a wizard appears. Name your new “Custom Policy” something like VPN Authentication. Now add the following Policy Conditions: NAS-IP-Address is that of your firewall, e.g. 192.168.42.1, and Windows-Groups is the VPN Users group you created in the prerequisite step above. Matching on the NAS-IP-Address is also what lets you use the same RADIUS server for other fun things. Click Next. Tick the radio button so that these users are Granted remote access permission. Next. Now you still need to Edit the Profile. On the Authentication tab, check all Authentication methods except Unauthenticated access. Unfortunately the current SonicWalls do not reliably use MS-CHAP2, which is a shame, so we’ll even need to tick the trivially encrypted CHAP and the non-encrypted PAP. Not much for security, I know. On the Advanced tab, make sure you have the following attributes selected: Service-Type: Framed and Framed-Protocol: PPP, both of vendor “RADIUS Standard”.

Phew. And now for Windows 2008.

NPS –> Policies –> Network Policies (right-click) –> New. This will also pop up a wizard. Give the Policy a name like VPN Authentication and set the Type of network access server to Remote Access Server. Add the following Conditions: User Groups (or Windows Groups) must be the VPN Users group you created above. Then scroll down down down the Conditions list and require that the RADIUS Client –> Client IPv4 Address is that of your firewall, for the very same reasons as above. Do that now, or later when the test shows green lights. Next. Access Granted. Next. Select all the Less Secure Authentication Methods except the last two, Allow clients to connect without negotiating… and machine health check only. You can uncheck CHAP and PAP once you have tested the RADIUS authentication from the firewall, as they are security holes.

Run Radlogin and test whether you get a response, Good or Bad, or whether you get a Timeout. A Timeout probably means that you haven’t got the RADIUS Client configured right on the NPS. A Bad response probably means that your Constraints are wrong.

The Wall

Here’s a tip. Use anything but Internet Explorer to manage the SonicWall. It emits such buggy HTML code that it’s just hopelessly slow with IE.

I might be taking an extra step here because we also wanted RADIUS authentication to the firewall. In that case, you’re getting two settings at the price of one. Live with it and log on to the SonicWall admin interface.

As a safety measure, add a Local User to the firewall which we’ll also allow access, in case the RADIUS server is in a twist. For this discussion, we’ll call this user Backdoor. Put Backdoor into the relevant groups (Firewall Admin). On the VPN Access tab, give Backdoor the appropriate networks (Firewalled subnets).

Then we want to create a group for VPN users. Thus, go to Users –> Local Groups (sic) and click Add Group. On the Settings tab, call your group VPN Users. On the Members tab, scroll down the left box and hopefully you should find the entry All RADIUS Users. Add it. Also add the Backdoor user we created above. Under the VPN Access tab, add whatever networks you see fit; LAN Subnets may be what you’re looking for. Edit the CFS policy if you (really) want to.

Now from Users –> Settings, set the Authentication method for login to RADIUS + Local and click the Configure button. What now probably happens is that you configure the global settings for the whole firewall, not just the VPN login. On the now popped-up RADIUS Configuration Settings tab, enter the name or IP address of your RADIUS server, the one you created half a page up. Find that Notepad page where you created the Shared Secret and paste it in the corresponding box. On the RADIUS Users tab, tick Local configuration only (yeah, beats me too) and select the VPN Users as the Default RADIUS group.

Final step, and now it’s time to take a deep breath. If you’re configuring this over a VPN connection, make sure you have a backup plan, because you’re now going to change the VPN access settings. Thus, go to VPN –> Settings. I’m assuming that you already have a WAN GroupVPN in place. Click the pencil icon to edit the entry. Switch to the Advanced tab. Check Require Authentication of VPN Clients via XAUTH and choose your previously created VPN Users group as the User Group. Also Enable NetBIOS Broadcasts while you’re at it.

Click OK.

Test your VPN settings. Breathe normally.

Extra sugar

For extra brownie points, you can configure firewall administration logins to be authenticated by RADIUS. From Network –> Interfaces –> LAN –> edit pencil, tick all relevant Management options and the HTTPS User Login checkbox. Voilà, RADIUS authentication to the firewall!

I wonder what we can authenticate next… :)


I’m taking this course on basically what I already do at work: the Windows server environment, networking and the F-Secure antivirus infrastructure. For the last few weeks, we’ve been talking networks and working with the Cisco Packet Tracer network simulator, which has been good and fine but still a bit… virtual. Tonight we finally had a real hands-on lab session, and seeing the bits fly on actual iron was really gratifying!

We worked in pairs and our assignment, which grew at the pace we got the basic bits configured, came to be a not altogether uncomplicated one.

Cisco Packet Tracer sample

Two Cisco 2600 series routers connected by serial. Both routers have HP Procurve switches connected with them and there are virtual LANs on the switches which are terminated on the routers. An ADSL modem connected to the other switch, a DSLAM connected to the ADSL, an uplink to the school network from the DSLAM. RIP 2 routing between all networks.

Getting pings return from the Internet on something you’ve built yourself – fairly funky.

So that I have even a vague memory of what I did, I’ll just jot down the configuration steps after the break.

The other day, a client at a customer of mine called in to say that “her remote connection does not work”. It took a little while to interpret her problems into technical terms; what she meant was that when outside the office, her Outlook wouldn’t synchronize. I’ve since learned that working with a remote connection may also mean working with a laptop when it’s off-site or just non-docked, regardless of whether there’s an actual connection involved or not.

But back to the agenda.

First I thought there was something wrong with her Outlook, but after some investigation I came to believe there was something fishy with the certificate presented by the customer’s server, which is a Microsoft Small Business Server 2008. This could be confirmed by making an https connection to their Outlook Web Access thingy, which also gave an SSL cert error. It was using the wrong certificate. Bugger.

To remedy, I took a remote c… a VPN connection + an RDP session (see, it’s ambiguous enough if I write it!) to the server and opened up – hear this – the Exchange PowerShell console. Issue the statement Get-ExchangeCertificate and you get a list of the SSL certificates the host knows of. The one you’re looking for is probably the one with a hostname and a hint of commercial spice (say Old Thawte). To verify, you can write Get-ExchangeCertificate <thumbprint of relevant certificate> | fl which will give you more info. Now chant Enable-ExchangeCertificate <thumbprint of relevant certificate here> and inform the applet you’ll want to enable it for IIS, the IIS Itertubes Server. Verify with a connection to the Outlook Web Access Thingy and close the PowerShell console. You rock. Already.

Since we’re talking about an SBS, we have the Remote Web Workplace installed. RWW provides, among other neat things, a terminal server gateway to the servers inside, and it too relies on an SSL certificate being valid. Thus, with your RDP session still open from the above paragraph, go Start –> Administrative tools –> Terminal services –> TS Gateway Manager. Right-click the gateway server name and select Properties. Click the SSL Certificate tab. Pick Select an existing certificate and click the Browse Certificates button. Choose the right certificate, i.e. the same one as above, and click Install [sic]. Then OK yourself out of there and verify.

You rock. Fully.

Now you would technically have the time to ponder the reasons why the certificate fell out of grace with the server in the first place, but since you’re the overworked sysadmin you are, you’ll save that as pillow reading for tonight.

Within, I’ll present a free and low-pain solution to implement a backup copy method for Windows using an external hard disk. The same method could also be used for backups over the network.

A user at a customer of mine needed a way to copy his documents to an external disk which is easy and cheap. While it would be possible to use Windows Backup, it’s not the nicest of programs to work with (he’s on Windows XP; the backup software on Win7 is probably much nicer), so I decided against it.

My requirements were:

  • Simplicity – easy to use for the user
  • Unobtrusive – doesn’t require complex installs to the computer which may be against the company IT policy
  • Open – doesn’t lock out the user if the backup program fails or goes out of date
  • Maintainable – even if i went away, somebody else could update and maintain the system

So with some painful research, I ended up with the Toucan backup Portable App. In fact, I had done an installation like this before but with less elegance, which is to say that I will here spare you from some lack of elegance. Not bad.

The whole method is based on example code from the Toucan help files.

Step 0: A wee bit of theory (won’t hurt … much)

We’re going to create two backup routines. One will create a full backup of a source directory onto a target directory on a removable disk. The other one will create an archive containing all files that have changed since the last full backup. Both of these are created with Toucan’s differential backup. Five full backup files will be kept and automagically cleaned out when a full backup is performed. Everything is configurable and probably also schedule-able.

Step 1: Preparation

The first thing to do is to give the external hard disk a persistent mapping. With the external hard disk plugged in, right click My Computer, choose Manage, select the Disk management tool. Right click the external disk, choose Change Drive Letter and Paths and select a nice and backup-friendly letter, say Q.

Then, get the Toucan Portable App. Toucan portable is designed to run within the PortableApps framework but it’ll work nice by itself. By design, that means it will run without making any changes on your system, and we’ll use that to actually run Toucan from the external disk itself. If you want the PortableApps framework, go ahead. It won’t hurt. Much :)

Install Toucan on the external disk, Q:. Due to the PortableApps framework, it’ll install in some directory structure underneath the root of Q. Navigate to the Toucan executable and run it.

Step 2: Configure what to back up

The Toucan user interface is a bit scary, but don’t worry. I’ll keep you company until we’re ready to run. Click on the Backup tab. Click the big plus-sign button in the Job Name box to create a new Job. Give the job the name Full backup. In the Type box, select Differential (which may seem misleading but bear with me).

From the big area on the left, select one directory (or even one whole disk, but that’s going to be a lot to back up) you want backed up. I suggest you choose a reasonably small hierarchy to start with, otherwise the testing phase will take some time. Press the plus-sign button in the middle of the screen to have that directory added to your backup list. Unfortunately, Toucan doesn’t support differential backups on multiple source directories. If you want that, you’ll need to repeat this article multiple times. But there are worse pains than that.

In the Backup Location text box, enter @backupfolder@\ (we’ll get to that shortly – oh, and don’t miss that backslash \ at the end of @backupfolder@ as it’s probably important).

Press the Save button which is in the Job Name box.

Step 3: The automagic bits

Click the Variables tab. Click the plus-sign button to create a variable. Name it backupfolder. You’ll get two lines of text in the big box below, one being your computer’s name. Double click that one and enter Q:\backup (or @drive@\backup which would be the cooler and more portable notation). Click the save button.

Click the Script tab. Press the plus-sign button and name a script Backup-rotational. Paste the following into the edit window:

Delete "@backupfolder@\BaseFile-5.zip"
Rename "@backupfolder@\BaseFile-4.zip" "@backupfolder@\BaseFile-5.zip"
Rename "@backupfolder@\BaseFile-3.zip" "@backupfolder@\BaseFile-4.zip"
Rename "@backupfolder@\BaseFile-2.zip" "@backupfolder@\BaseFile-3.zip"
Rename "@backupfolder@\BaseFile-1.zip" "@backupfolder@\BaseFile-2.zip"
Rename "@backupfolder@\BaseFile.zip" "@backupfolder@\BaseFile-1.zip"
Backup "Full backup"

Press the save button.

Yeah, I know it’s ugly, but the Toucan scripting language is just about that developed. It does get worse though.

Anew, press the plus-sign button and create another script. Call it Diff-backup. The only code it will have is:

Backup "Full backup"

Press the save button.

Step 4: Intermediate testing

Still within the Script tab, select the Backup-rotational script and press Run. You should get a few warnings that there aren’t any BaseFile-n.zip files to delete or rename but the backup bit should work fine. The jolly magic here which we couldn’t really influence is that when Toucan runs a differential backup but there is no file to “different against”, it will save the full backup into the file BaseFile.zip.

A reasonably big hierarchy will back up in 15 minutes, a smaller one in a minute or so. If there were severe errors, check your code. If it matches mine, there must be a bug in my code, which you should remark about in the comments section below.

When the Backup-rotational script has run, choose the Diff-backup script and run that. If you want to, you can make some changes to the source hierarchy before running the Diff-backup to see some reality in the process.

Step 5: Enter Batman

You’ll still need two batch files to make the whole magic run. In the directory where Toucan.exe is installed, create the following two files with the contents below:

do-full-backup.cmd

del Q:\backup\20*.zip
Toucan Script "Backup-rotational"

do-diff-backup.cmd

Toucan Script "Diff-backup"

The sad bit is that you need to delete the incremental files from the batch file, as Toucan doesn’t expand wildcards (caveat: this script only works in the 3rd millennium Gregorian time – if you’re reading this in another time zone, please edit your script to suit).

Run the two batch files. Watch the output and observe what happens in your backup directory.
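As an added example that is not part of the original post or of Toucan, here is the same BaseFile.zip / BaseFile-n.zip rotation in Python, reordered so that the new full backup is verified before anything is renamed and the differentials are only purged once it is in place (the .cmd above deletes them first, so a failed full backup loses the changes since the previous one). It assumes the backup tool has written the new full archive to a staging file, and that differential archives are the timestamp-named files the batch file matches with 20*.zip; the fixture in run_demo is constructed.

```python
"""Generation rotation for the BaseFile.zip / BaseFile-n.zip scheme from the
post, reordered so nothing is deleted before the new full backup is verified.
Python stand-in for the Toucan script and the .cmd files, not Toucan's code."""
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

GENERATIONS = 5
# Assumption: differentials are the timestamp-named archives the post's batch
# file removes with "del Q:\backup\20*.zip"; match a leading four-digit year.
DIFF_PATTERN = re.compile(r"^20\d{2}.*\.zip$", re.IGNORECASE)

def archive_is_sound(path: Path) -> bool:
    """True only if the file is a zip whose members all pass their CRC checks."""
    try:
        with zipfile.ZipFile(path) as zf:
            return zf.testzip() is None
    except (OSError, zipfile.BadZipFile):
        return False

def rotate_generations(folder: Path, keep: int = GENERATIONS) -> list:
    """BaseFile.zip -> BaseFile-1.zip -> ... -> BaseFile-<keep>.zip, oldest dropped.
    Missing generations are skipped (Toucan warns about each; this just moves on)."""
    log = []
    oldest = folder / f"BaseFile-{keep}.zip"
    if oldest.exists():
        oldest.unlink()
        log.append(f"deleted {oldest.name}")
    for n in range(keep - 1, -1, -1):
        src = folder / ("BaseFile.zip" if n == 0 else f"BaseFile-{n}.zip")
        if src.exists():
            dst = folder / f"BaseFile-{n + 1}.zip"
            src.rename(dst)
            log.append(f"renamed {src.name} -> {dst.name}")
    return log

def purge_differentials(folder: Path) -> list:
    """Remove timestamp-named differentials. Doing this before the full backup, as
    do-full-backup.cmd does, loses the changes since the last full if that backup fails."""
    removed = sorted(p.name for p in folder.iterdir() if DIFF_PATTERN.match(p.name))
    for name in removed:
        (folder / name).unlink()
    return removed

def commit_full_backup(folder: Path, staged: Path, keep: int = GENERATIONS) -> dict:
    """Verify the freshly written full archive first; only then rotate, install
    it as BaseFile.zip and purge the differentials it supersedes."""
    if not archive_is_sound(staged):
        return {"ok": False, "reason": f"{staged.name} failed verification"}
    rotated = rotate_generations(folder, keep)
    staged.rename(folder / "BaseFile.zip")
    return {"ok": True, "rotated": rotated, "purged": purge_differentials(folder)}

def run_demo() -> dict:
    """Constructed fixture: two old generations, two differentials, one corrupt
    and one sound staged full backup. Returns the directory state after each."""
    folder = Path(tempfile.mkdtemp(prefix="toucan-demo-"))
    for name in ("BaseFile.zip", "BaseFile-1.zip", "2010-03-01-2200.zip", "2010-03-02-2200.zip"):
        with zipfile.ZipFile(folder / name, "w") as zf:
            zf.writestr("doc.txt", f"contents of {name}")
    (folder / "staged-bad.zip").write_bytes(b"not a zip at all")
    with zipfile.ZipFile(folder / "staged-good.zip", "w") as zf:
        zf.writestr("doc.txt", "fresh full backup")
    bad = commit_full_backup(folder, folder / "staged-bad.zip")
    after_bad = sorted(p.name for p in folder.iterdir())
    good = commit_full_backup(folder, folder / "staged-good.zip")
    final = sorted(p.name for p in folder.iterdir())
    shutil.rmtree(folder)
    return {"bad": bad, "after_bad": after_bad, "good": good, "final": final}
```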

Step 6: Shortcuts or schedules

Add shortcuts to your user’s desktop or set a schedule using your favourite cron replacement. Educate said user to run those shortcuts on a regular basis.

Step 7: Restoring files (this should never happen)

In case Bad Things happen, go to the backup directory of your external hard disk. Check out the BaseFile.zip (or an older BaseFile-n.zip if you realize the Bad Thingness only weeks later) or the relevant timestamp-named file if the Bad Thing just happened. Navigate and restore. Take a bow.

You’re done.

After having locked myself out from the graphical user interface goodness of the Cisco ASA, I needed to Set Things Straight again. Rebooting (or reloading, in Cisco lingo) the firewall would of course only reload the firmware into the upgraded 8.0.x version which won’t let me in. The Cisco upgrade example documentation happily mentions that one can use TFTP to do the upgrading bit if the GUI seems too easy. Or unavailable.

But there’s a huge chasm between “you could do this” and “here’s how you do it”. So here’s how I did it.

0. Get the ASA and ASDM images from Cisco

I could write a whole rant about this because it’s a nightmare getting the software updates from Cisco. Why can’t they be like other vendors and just distribute the updates to the customers who have bought their hardware? Anyway, if you managed to lock yourself out with an ASA update, you probably have the ASDM software handy as well.

Trivial FTP

TFTP is not FTP. TFTP is a simpler file transfer protocol, joyously dubbed Trivial File Transfer Protocol. Windows comes with a TFTP client, but no server. Linux comes with both. And if you’re on a Mac, you already know more than I.

In this posting, I will assume you have ASDM 6.2.3 handy, and that it is saved as asdm-623.bin.

1. Locate a TFTP server software

I decided to get the Open TFTP server from Sourceforge. WinAgents has an Industry Strength TFTP server with an installer package of 24 megs, which is a bit overkill for a one-shot installation. Jounin.net has a nice graphical TFTP server I’ve used before, but I missed it when googling. The OpenTFTPd installer is only 173 kB, which was nice.

Go get it.

2. Configure it

The Open TFTP Server installs in c:\Program Files (x86)\OpenTFTPServer by default, which is also where the configuration file OpenTFTPServerMT.ini is. To edit this, you need to have Admin privileges. I’m (still) on Vista, so I pushed the Windows button, typed Command line, right-clicked that on the Start menu and chose Run as Administrator. Yeah, I know there was some meta-alt-shift-something to do the same thing but I’ve forgotten the chord. Now edit the ini file (Notepad will do) and enter the directory where your ASDM image is under the section [HOME].

I also commented out (with #) all lines starting with an apostrophe, just to be sure there’d be no bugs.

2½. Know your IP address

Type ipconfig (and scroll up) to see what your IP address is. Mine is 10.10.42.4.

3. Run it

Run the RunAsStandAloneMT.bat file from the admin command line window. Running the .exe file from the command line will just ask you to unblock the TFTP service and exit. No fun.

4. Suck the image

If you haven’t got a terminal connection to the ASA, now’s the time. Connect that nice blue flat cable between your serial port and the ASA console. Use PuTTY (or whatever that terminal thingy that comes with Windows is called, if you must) and connect to COM1 with 9600 bps, 8-N-1.

Tap enter a few times, log on if you need, and enter the following magic words, remembering to breathe normally:


ena
tap your “enable password”
conf t
copy tftp://10.10.42.4/asdm-623.bin disk0:asdm-623.bin

At this stage (dumb) ASA will re-ask what all the parameters you just entered above were, and then proceed to…

Accessing tftp://10.10.42.4/asdm-623.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (a lot of exclamation marks omitted here!)

Writing file disk0:/asdm-623.bin… !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (yeah)

Finally, type


asdm image disk0:/asdm-623.bin
wr

…whereby the firewall answers something along the lines of

Building configuration…
Cryptochecksum: 058305fa 13371597 acdcafb8 gabagaba

5368 bytes copied in 1.440 secs (5368 bytes/sec)
[OK]

Take a deep breath.

Write a blog post.

reload

Grrrr. Sometimes you should just go by your hunch. I was in the process of updating a Cisco ASA 5505 firewall from software version 7.x to 8.0 according to the instructions from Cisco, using the ASA management (“ASDM”) software that came on the firewall.

Versioning?

To confuse the novice firewall administrator, the ASA has one series of version numbers which has absolutely nothing in common with the ASDM version numbers.

Anyway, my ASA was at 7.2.4 going to 8.0.5 and my ASDM was on 5.2.4 and was eventually going to be upgraded to 6.2.3.

I was really wondering if the old ASA management software (“ASDM”) would be able to manage the newer ASA software, but the instructions were in the order of first upgrading the ASA software, then rebooting, then upgrading the ASDM. So I follow the instructions, upgrade, select the proper boot image, reload, fire up the (old) ASDM and…

Boom. I’m stranded.

Now i can either make a careful guess on how to get to the right boot image using the command line or try and upgrade the ASDM image using TFTP. I really don’t fancy either option….

Anyway, here’s my humble suggestion if you want to upgrade your ASA: start with the ASDM. It Just Might Work™.

I had a very tense few hours with a customer’s server yesterday. The fact that it’s a Small Business Server and thus the “Everything Server” didn’t make things much better. I did two things, and both turned out to be bad. I also didn’t reboot between the two, which turned bad into even worse.

One. I installed the new service pack, which is a Good Thing (generally), except when the computer hangs at “setting up, stage 3 of 3, 0% ready” and spins the little circle thingy for half an hour. At that stage the “please do not turn off your computer” becomes stressful to ignore. So i leaned on the power button, chose to restart in Safe mode and everything seemed okay. For a while.

Two. I changed the network adapter to traffic at 1 Gb/s full duplex. This turned out to be catastrophic. And i fully blame HP for this. After a reboot into normal mode, i had no network. At all. And i was not able to open the HP network interface control panel thingy, since the “management database” was locked. Not even netsh would help me this time.

After much stressful head scratching and beard tearing, I hypothesized that HP NIC management was grumpy because it was in fact plugged into a switch that only goes to 100 Mb/s. Yeah, I can appreciate that it can’t traffic with the wrong line speeds, but that I can’t turn that setting off is criminal. If that indeed was the case. So I plugged the server’s NIC into a backline giga-Ether switch (yeah, you shouldn’t do that either) and rebooted. And hey presto, the “management database” was no longer locked.

Back to 100/full, plug the server where it belonged, and normality is restored. Just in time to go and fetch the kids. Sysadmin feat in true Hollywood style.

I just wonder what those HP engineers were thinking about.

I learned something today. It is possible to have a Windows computer join a domain over VPN. My colleague once suggested this was true, but I never actually tried it myself. Here’s how.

Be at the office, or at home. Take the computer that’s going to the customer and install all the security updates. Make a VPN connection to the customer. Check that the DNS settings for the subnet behind the VPN connection point to the customer’s nameserver. If you’re running a well configured VPN, that should happen automagically (also if you’re running Windows VPN).

Right-click My Computer, choose Properties, do the usual drill from Computer Name to join the customer’s domain. Reboot.

And here comes the trick.

Log in as the old local user. Re-ignite the VPN connection. Start –> Switch user. Log in as administrator (or whoever) from the customer domain. This will, oddly enough, de-activate the VPN connection, so you’ll need to rebuild it.

Do the other tricks you wanted to as a member of the customer’s domain.

Easy as pie, once you know the recipe.