MiToken + Junos Two Factor Radius Authentication

Do you have Junos devices? If you do, excellent choice. Do you have MiToken? Once again, love your work there. If you don’t have MiToken, it’s a plug-in to the M$ IAS/NPS servers that allows mutiple types of hard and soft tokens to be used allowing secure OTPs with dual factor authentication with your Active Directory domain(s).

This post will guide you though configuring Junos to use MiToken for two factor authentiucation to help hardern your Junos devices.


For more information on MiToken visit mi-token.com.
This configuration has been tested with Junos11.1r3.5
, Junos is a registered trademark of Juniper Networks.

Junos Device Config:

Now go jump into Junos configuration mode and set the following:

[text]
# Add radius to the password auth order
set system authentication-order radius

set system radius-server x.x.x.x port 1812
set system radius-server x.x.x.x secret "SECRET"
set system radius-server x.x.x.x timeout 10
set system radius-server x.x.x.x retry 2
set system radius-server x.x.x.x source-address x.x.x.x

# Block everyone access by default
set system login user remote full-name Radius-User
set system login user remote class unauthorized

# Create users who should get access
set system login user john full-name "John Smith"
set system login user john class super-user
[/text]

MiToken / NPS Configuration:

Now lets configure the MiToken side to accept radius packets from our Junos device(s). The only down side to MiToken is it runs on Windows :-(.

1) Define a Radius client in NPS


Right click on radius clients and choose ‘New RADIUS Client’

2) Define a connection request policy


Set up your policy to identify your Junos devices … For more information refer to the MiToken Admin guide.


This step is optional. You do not have to require Windows Authentication to be active – This would take you back to single factor OTP auth

3) Enable MiToken on the connection request policy for Junos devices

4)

Enjoy you radius dual factor authentication. Your auditors and boss will now love you. Hit them up for a raise.

5)

Send some praise Cooper’s way 🙂

Juniper SRX Chassis Cluster + LACP Redundant Eth Interfaces

So a co-worker and I spent some time playing around with JunOS 11’s (I believe it came in with 11 – correct me if wrong) reth’s ability to now be LACP interfaces, as well as just plain redundant. It was not immediately clear how the switch was required to be set up in order to facilitate this new, awesome feature.

– This was used with a ex4200 virtual chassis cluster and SRX Chassis Cluster –

Here is how we got it happily working (assuming you have a chassis cluster up and running):

SRX Config:

set interfaces ge-2/0/0 gigether-options redundant-parent reth1
set interfaces ge-2/0/1 gigether-options redundant-parent reth1
set interfaces ge-2/0/2 gigether-options redundant-parent reth1
set interfaces ge-2/0/3 gigether-options redundant-parent reth1
set interfaces ge-11/0/0 gigether-options redundant-parent reth1
set interfaces ge-11/0/1 gigether-options redundant-parent reth1
set interfaces ge-11/0/2 gigether-options redundant-parent reth1
set interfaces ge-11/0/3 gigether-options redundant-parent reth1

set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive

EX Config:

set interfaces ge-0/0/0 ether-options 802.3ad ae1
set interfaces ge-0/0/1 ether-options 802.3ad ae2
set interfaces ge-0/0/2 ether-options 802.3ad ae1
set interfaces ge-0/0/3 ether-options 802.3ad ae2

set interfaces ge-1/0/0 ether-options 802.3ad ae2
set interfaces ge-1/0/1 ether-options 802.3ad ae1
set interfaces ge-1/0/2 ether-options 802.3ad ae2
set interfaces ge-1/0/3 ether-options 802.3ad ae1

set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp active

Now we have LACP bandwidth and redundancy – Either the switch or SRX can die, in theory.

* Have not tested the failover yet – But will before this set up goes to production – Will update the post *

 

30 Levels of NAT Firewall Lab

So I am a very large geek, and proud of it. It hurt to walk past a cupboard at work knowing there was 30+ Cisco PIX 501 firewalls sitting in there collecting dust. One day it dawned on me, I wonder how crap internet would be sitting behind 30 of those slow ass god awful to use and configure firewalls. So here are the results:

Network Diagram

(Click for larger image)

Sample PIX 501 conf:

[plain]
hostname fwX
password cisco
enable password cisco
domain-name cooperlees.com

ip address inside 10.N.0.1 255.255.255.0
ip address outside 10.N1.0.2 255.255.255.0
interface ethernet0 auto
interface ethernet1 100full

route outside 0 0 10.N1.0.1
nat (inside) 1 10.N.0.0 255.255.255.0
global (outside) 1 interface

access-list outbound permit any any
access-group outbound in interface inside

access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
[/plain]

Video of the Results

Thanks to Jason Leschnik, Anthony Noonan, Kyle Seton and Chris Steven for their assistance.