What IPv6 system user output looks like ...
[plain]
cooper@noona-gw> show system users
9:15AM up 13:29, 1 user, load averages: 0.36, 0.28, 0.23
USER TTY FROM LOGIN@ IDLE WHAT
cooper p0 2001:470:1f05:78b:224:1dff:fe71:9f70 9:15AM - -cli (cli)
[/plain]
Archive for 2011
So work was awesome this year and bought me an SRX110 for Xmas. I thought that I would share: to configure its vDSL interface to use ADSL (with Australian VPI and VCI), you just configure the interface as if it were an ADSL PIM.
Here is the config:
[plain]
set interfaces at-1/0/0 description "ADSL Interface"
set interfaces at-1/0/0 mtu 1540
set interfaces at-1/0/0 encapsulation atm-pvc
set interfaces at-1/0/0 atm-options vpi 8
set interfaces at-1/0/0 dsl-options operating-mode auto
set interfaces at-1/0/0 unit 0 description PPPoA
set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-llc
set interfaces at-1/0/0 unit 0 vci 8.35
set interfaces at-1/0/0 unit 0 ppp-options chap default-chap-secret "PASSWORD"
set interfaces at-1/0/0 unit 0 ppp-options chap local-name "username@ISP"
set interfaces at-1/0/0 unit 0 ppp-options chap passive
set interfaces at-1/0/0 unit 0 family inet address x.x.x.x/32
[/plain]
The inventor of the C programming language and an integral part of UNIX development has passed away. RIP Dennis Ritchie.

Thanks for the Uni lectures ...
A lot of companies run Microsoft's Active Directory as their AAA infrastructure. A nice add-on to AD (apart from my favourite, 'Services for UNIX') is the Network Policy Server (NPS). Using this RADIUS server with any RADIUS-speaking client allows the majority of network infrastructure to use AD as its authoritative authentication source. Using NPS as the source lets new users obtain access to a box without configuration on every infrastructure device individually, scales, and disables users' access when they leave the organisation (local accounts tend to be forgotten).
Finding documentation on using NPS with JUNOS was difficult, so here is how I have got it to work:
First we need the Juniper Vendor Code and the attribute to send to your JUNOS device:
[plain]
Juniper Vendor ID:
2636
RADIUS Attribute to specify account name (id):
Juniper-Local-User-Name (1)
[/plain]
Then we need to configure a RADIUS client in NPS, then configure the JUNOS side and finally define a 'Connection Request Policy' (for more information, see this post).
Once the connection request policy is defined we need a 'Network Request Policy'. This allows the use of AD groups (amongst other attributes) to define which template account, defined locally on the JUNOS device, the user is mapped to. Please refer to the previous NPS post for more information on configuring a network request policy.
To add the custom VSA, navigate to the 'Network Policies' section in the NPS MMC, open the properties of the policy you wish to add the VSA to and go to the 'Settings' tab.
Select 'Vendor Specific' under attributes and then click Add. Then select 'Custom' from the drop-down list, select Vendor-Specific and click Add:

Now select add and enter the following:

NPS will now send the defined 'USERNAME', which must exist as a local user on each JUNOS device that speaks to this RADIUS server.
If there is no match, JUNOS falls back to the default remote-authentication template user, 'remote'. I recommend setting this user's class to unauthorized, so that a user who is not in the required groups but gets authenticated due to bad NPS policies cannot obtain any useful access to the JUNOS device.
Please let me know how you go and if I have made any boo boos in my post.
The above was tested with JUNOS 11.2r2.4 and Windows Server 2008 R2.
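To show what the VSA above carries on the wire and how the fallback to 'remote' plays out, here is an added example (not from the post, and not Juniper's or Microsoft's code): it encodes and decodes the Juniper-Local-User-Name vendor-specific attribute using the vendor ID 2636 and attribute id 1 given above, then resolves the login class against a constructed local user table, falling back to 'remote' exactly as described. The user names and classes in LOCAL_USERS are constructed sample data.

```python
import struct
from typing import List, Optional, Tuple

JUNIPER_VENDOR_ID = 2636          # Juniper enterprise number (from the post)
JUNIPER_LOCAL_USER_NAME = 1       # VSA sub-attribute id (from the post)
RADIUS_VENDOR_SPECIFIC = 26       # RFC 2865 attribute type for Vendor-Specific


def encode_local_user_name(template: str) -> bytes:
    """Encode Juniper-Local-User-Name as a RADIUS VSA: type 26, length,
    4-byte vendor id, then vendor-type/vendor-length/value (RFC 2865 5.26)."""
    value = template.encode("utf-8")
    sub = struct.pack("!BB", JUNIPER_LOCAL_USER_NAME, 2 + len(value)) + value
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_local_user_name(attr: bytes) -> Optional[str]:
    """Return the Juniper-Local-User-Name carried in one VSA, or None when the
    attribute is not Juniper's, is malformed, or lacks sub-attribute 1."""
    if len(attr) < 8 or attr[0] != RADIUS_VENDOR_SPECIFIC or attr[1] != len(attr):
        return None
    if struct.unpack("!I", attr[2:6])[0] != JUNIPER_VENDOR_ID:
        return None
    pos = 6
    while pos + 2 <= len(attr):          # walk vendor sub-attributes (type, length, value)
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > len(attr):
            return None                  # bad length field: treat the whole VSA as absent
        if vtype == JUNIPER_LOCAL_USER_NAME:
            return attr[pos + 2:pos + vlen].decode("utf-8", "replace")
        pos += vlen
    return None


# Constructed sample of the device's 'set system login user <name> class <class>'
# entries; 'remote' with class unauthorized is the fallback the post recommends.
LOCAL_USERS = {"netadmin": "super-user", "readonly": "read-only", "remote": "unauthorized"}


def resolve_login_class(access_accept_attrs: List[bytes]) -> Tuple[str, str]:
    """Pick the local template user for an Access-Accept the way the post
    describes: a VSA naming an existing local user wins, else 'remote' applies."""
    for attr in access_accept_attrs:
        name = decode_local_user_name(attr)
        if name is not None and name in LOCAL_USERS:
            return name, LOCAL_USERS[name]
    return "remote", LOCAL_USERS["remote"]
```

A mis-typed or missing template name lands on 'remote', which is why that user should carry class unauthorized rather than a working class.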
A TCP packet walks into a bar and says "I want a beer". The barman says "you want a beer?" and the TCP packet says "yes, a beer".
An RTP packet walks into a bar through the wrong entrance. The barman says "You're not getting any special treatment".
A multicast packet walks into a bar and leaves by four different exits.
A BGP Update walks into a CRS-1. He walks back out with a corrupt optional transitive attribute.
A DNS packet walks into a liquor store: where do I find beer "ABC"? Clerk: aisle 4, top row on the right.
An IPv6 packet walks into a bar. Nobody talks to him.
A UDP packet went into a bar. The bartender didn't acknowledge him...
An ICMP packet walks into a bar from the warehouse and announces "no more beer".
A DHCP packet walks into a bar and asks for a beer. Bartender says, "here, but I'll need that back in an hour!"
If you are unfortunate enough to be working on a JUNOS chassis cluster that does not have the out-of-band management (fxp0) patched, then you must use an alternate way to connect to specific nodes and copy files. You can copy files to, and log in to, the non-active node via the following methods.
To copy files or log in JUNOS gives you the following options:
Copy files from one node to another
[plain]
Copy Method A, using CLI:
> file copy /var/tmp/abc.log node1:/var/log/
Copy Method B, using shell, follow the commands in order:
> start shell user root
% rcp -T /var/tmp/abc.log node1:/var/log/
[/plain]
Ref link http://kb.juniper.net/InfoCenter/index?page=content&id=KB17410
Login from node0 to node1
The command mentioned does not work on 3k and 5k devices.
[plain]
% rlogin -Jk -T node1 (this is a shell command)
[/plain]
So application identification / firewall / secure has made its way to the branch. This is awesome news. I have managed to obtain a 30 day trial to see how it performs on my home SRX100. With my simple rule base I have seen a 1ms increase in my latency!!
After adding the license you can now perform the following:
Install application identification:
[plain]
request services application-identification download
[/plain]
Check the status:
[plain]
request services application-identification download status
Application package 1980 is installed successfully.
[/plain]
Create an application rule-set
All that is happening here is YouTube is blocked; everything else is allowed.
[plain]
set security application-firewall rule-sets block-webtraffic rule youtube match dynamic-application junos:YOUTUBE
set security application-firewall rule-sets block-webtraffic rule youtube then deny
set security application-firewall rule-sets block-webtraffic default-rule permit
[/plain]
Add to a security policy:
There is now an 'application-firewall' option under 'application-services' in the policy's permit action:
[plain]
cooper@noona-gw# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services ?
Possible completions:
> application-firewall Application firewall services
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
gprs-gtp-profile Specify GPRS Tunneling Protocol profile name
gprs-sctp-profile Specify GPRS stream control protocol profile name
idp Intrusion detection and prevention
redirect-wx Set WX redirection
reverse-redirect-wx Set WX reverse redirection
> uac-policy Enable unified access control enforcement of policy
utm-policy Specify utm policy name
[/plain]
Example Policy:
[plain]
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services application-firewall rule-set block-webtraffic
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
[/plain]
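As an added example (not from the post, and not Juniper code), here is a small parser for the set-style lines above that rebuilds the rule-set and the policy reference, decides the verdict for an identified application the way the rule-set does (first matching dynamic-application rule, otherwise default-rule), and lints the config for a policy pointing at a rule-set that does not exist or a rule-set with no default-rule. CONFIG is a constructed copy of the post's lines; junos:HTTP in the usage is an assumed application name.

```python
import re
CONFIG = """
set security application-firewall rule-sets block-webtraffic rule youtube match dynamic-application junos:YOUTUBE
set security application-firewall rule-sets block-webtraffic rule youtube then deny
set security application-firewall rule-sets block-webtraffic default-rule permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services application-firewall rule-set block-webtraffic
"""

RULE = re.compile(r"^set security application-firewall rule-sets (\S+) rule (\S+) (match dynamic-application|then) (\S+)$")
DEFAULT = re.compile(r"^set security application-firewall rule-sets (\S+) default-rule (permit|deny)$")
POLICY = re.compile(r"^set security policies .* policy (\S+) then permit application-services application-firewall rule-set (\S+)$")


def parse(config: str):
    """rule_sets[name] = {'rules': {rule: {'app': ..., 'action': ...}}, 'default': action};
    policy_refs[policy] = name of the rule-set the policy's permit action applies."""
    rule_sets, policy_refs = {}, {}
    for line in config.strip().splitlines():
        if m := RULE.match(line):
            rs = rule_sets.setdefault(m[1], {"rules": {}, "default": None})
            key = "app" if m[3].startswith("match") else "action"
            rs["rules"].setdefault(m[2], {})[key] = m[4]
        elif m := DEFAULT.match(line):
            rule_sets.setdefault(m[1], {"rules": {}, "default": None})["default"] = m[2]
        elif m := POLICY.match(line):
            policy_refs[m[1]] = m[2]
    return rule_sets, policy_refs


def verdict(rule_sets, rule_set: str, dynamic_app: str) -> str:
    """Apply one rule-set to an identified application: the first rule whose
    dynamic-application matches decides, otherwise the default-rule does."""
    rs = rule_sets[rule_set]
    for rule in rs["rules"].values():
        if rule.get("app") == dynamic_app:
            return rule["action"]
    if rs["default"] is None:
        raise ValueError(f"rule-set {rule_set} has no default-rule")
    return rs["default"]


def lint(rule_sets, policy_refs) -> list:
    """Checks worth running before commit: dangling rule-set references,
    rule-sets without a default-rule, rules missing a match or an action."""
    problems = [f"policy {p} references missing rule-set {r}" for p, r in policy_refs.items() if r not in rule_sets]
    for name, rs in rule_sets.items():
        problems += [f"rule-set {name} has no default-rule"] if rs["default"] is None else []
        problems += [f"rule {name}/{rule} is incomplete" for rule, body in rs["rules"].items() if not {"app", "action"} <= body.keys()]
    return problems
```

Run it as `rule_sets, refs = parse(CONFIG)` and then `verdict(rule_sets, "block-webtraffic", "junos:YOUTUBE")` gives "deny" while any other application gets the default "permit".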
TODO: Play with 'application-tracking'. Will update blog post once I have.
So it's that simple ... Application firewalling is now across the whole SRX range ... win.
Do you have Junos devices? If you do, excellent choice. Do you have MiToken? Once again, love your work there. If you don't have MiToken, it's a plug-in to the M$ IAS/NPS servers that allows multiple types of hard and soft tokens to be used, giving secure OTPs with dual-factor authentication against your Active Directory domain(s).
This post will guide you through configuring Junos to use MiToken for two-factor authentication to help harden your Junos devices.

For more information on MiToken visit mi-token.com.
This configuration has been tested with Junos 11.1r3.5. Junos is a registered trademark of Juniper Networks.
Junos Device Config:
Now go jump into Junos configuration mode and set the following:
[text]
# Add radius to the password auth order
set system authentication-order radius
set system radius-server x.x.x.x port 1812
set system radius-server x.x.x.x secret "SECRET"
set system radius-server x.x.x.x timeout 10
set system radius-server x.x.x.x retry 2
set system radius-server x.x.x.x source-address x.x.x.x
# Block everyone access by default
set system login user remote full-name Radius-User
set system login user remote class unauthorized
# Create users who should get access
set system login user john full-name "John Smith"
set system login user john class super-user
[/text]
MiToken / NPS Configuration:
Now let's configure the MiToken side to accept RADIUS packets from our Junos device(s). The only downside to MiToken is that it runs on Windows :-(.
1) Define a Radius client in NPS

Right click on radius clients and choose 'New RADIUS Client'
2) Define a connection request policy

Set up your policy to identify your Junos devices ... For more information refer to the MiToken Admin guide.


This step is optional. You do not have to require Windows Authentication to be active; that would take you back to single-factor OTP auth.

3) Enable MiToken on the connection request policy for Junos devices

4) Enjoy your RADIUS dual-factor authentication. Your auditors and boss will now love you. Hit them up for a raise.
5) Send some praise Cooper's way 🙂