Saturday, January 31, 2009
Active Directory Authentication for your Cisco Router.
In this two-part series, I'm explaining how to configure AD authentication on your routers and switches. Last time, I told you how to install, configure, and troubleshoot Windows' Internet Authentication Service (IAS). This week, let's wrap things up by explaining how to configure your routers and switches to use the authentication.
Before we begin, let's go over this article's assumptions. We're assuming that you've already connected your router or switch to the LAN, enabled its LAN interface, and have an IP address on that LAN interface. If access to the router or switch is through a routed network, it also needs a default gateway configured.
For this article, I used a Cisco 871W router that's running Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)XC2, RELEASE SOFTWARE (fc1). Specifically, it has this IOS file: c870-advipservicesk9-mz.124-4.XC2.
This router has a VLAN1 that four LAN Ethernet ports share by default. This is where I configured my IP address, as shown below:
interface Vlan1
ip address 192.168.1.100 255.255.255.0
interface FastEthernet0
no shutdown
Configure the router or switch
While I'm using a Cisco 871W router, you can also use a Cisco switch, and the configuration should be similar. You can even configure this type of RADIUS authentication on a Cisco PIX firewall or Adaptive Security Appliance (ASA).
To configure a router or switch to talk to the Windows IAS RADIUS server to authenticate logins for management, start by making sure you have a secret password enabled, as shown below:
enable secret Secret!Pass1
Next, configure the router for RADIUS authentication. Listing A offers an example.
In this example, the IP address is the IP address of our Windows IAS RADIUS server, and the key is the key we entered when we configured the RADIUS client on the IAS server. In addition, we've configured the source interface to make sure the IP address of the RADIUS server matches the IP address of the RADIUS client we configured in IAS.
We also configured an authentication list called TRAuthList. While you can use the default authentication list, I don't recommend it. The default list automatically applies to all login devices, including the console. So failure of the RADIUS authentication could also lock you out of the console.
I also suggest configuring a local username/password in case the RADIUS server is ever unavailable and you need to access your network device. Because we used the login authentication method radius and then local, the router will fail back to the local authentication server if the RADIUS server ever goes down. Here's how to configure a local user:
R1-871W(config)# username netadmin password secretpass1
Next, we need to configure all of our lines with the authentication list we created. For this example, we have the normal five lines (0 to 4), but your device may contain more. Here's an example:
R1-871W(config)# line vty 0 4
R1-871W(config-line)# login authentication TRAuthList
At this point, Windows AD authentication would work if we used Telnet to connect to the router or switch. However, for security's sake, I recommend using SSH instead of Telnet, so now we need to configure SSH.
Start by making sure we have a hostname on the router. Here's an example:
Router(config)# hostname R1-871W
Then, make sure there's an IP domain name configured. Here's an example:
R1-871W(config)# ip domain-name TechRepublic.com
Next, generate the crypto keys, as shown below, and answer all questions with their defaults:
R1-871W(config)# crypto key generate rsa
Finally, restrict VTY lines to use only SSH -- not Telnet. Here's an example:
R1-871W(config)# line vty 0 4
R1-871W(config-line)# transport input ssh
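As an added example (not the article's Listing A, which is not reproduced here), the following Python checks a saved running-config for the three properties argued for above: a named authentication list on the VTY lines rather than the default, a local fallback method in that list, and SSH-only transport. The config fragment, the RADIUS server address 192.168.1.10 and the key RadiusKey1 are constructed placeholders.

```python
import re

# Constructed sample running-config in the shape the article builds up; the page's
# own Listing A is not reproduced, so the server address and key are placeholders.
SAMPLE_CONFIG = """\
hostname R1-871W
aaa new-model
aaa authentication login TRAuthList group radius local
radius-server host 192.168.1.10 auth-port 1645 acct-port 1646 key RadiusKey1
ip radius source-interface Vlan1
username netadmin password secretpass1
line con 0
 logging synchronous
line vty 0 4
 login authentication TRAuthList
 transport input ssh
"""

def parse_line_blocks(config):
    """Group the indented children of each IOS 'line ...' stanza by line name."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit_vty_auth(config):
    """Return findings for the VTY lines: a named list (not default),
    a local fallback method in that list, and SSH-only transport."""
    findings = []
    lists = dict(re.findall(r"^aaa authentication login (\S+) (.+)$", config, re.M))
    for name, block in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        applied = [l.split()[-1] for l in block if l.startswith("login authentication ")]
        list_name = applied[0] if applied else "default"
        if list_name == "default":
            findings.append(f"line {name}: default list applies to the console too")
        if "local" not in lists.get(list_name, "").split():
            findings.append(f"line {name}: list {list_name} has no local fallback")
        transport = [l.split()[2:] for l in block if l.startswith("transport input")]
        if not transport or transport[0] != ["ssh"]:
            findings.append(f"line {name}: transport input is not ssh-only")
    return findings
```

An empty list means the VTY configuration matches the article's recommendations; each finding names the line stanza and the missing property.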
Test the configuration
I recommend leaving the console or other existing connection to the router up until you can verify that the new configuration works. In addition, don't save the configuration until you make sure it works. If it doesn't work, you can always remove it or reboot the device to go back to the previous configuration.
To test the new configuration, I connected to the router using SecureCRT, but you can also use PuTTY, which is free. Figure A displays the Session Options - New dialog box, which shows my connection settings. Note the SSH1 protocol -- not SSH2.
Figure A
Notice that we are using SSH1, not SSH2.
Figure B displays the Enter Username dialog box, which I use to log in with my Windows username.
Figure B
Log in with your Windows username.
With that, I have successfully connected, as shown in Figure C. I used the show users command to show that it's really me.
Figure C
Using the show users command displays a successful connection.
Troubleshoot the configuration
When it comes to troubleshooting the Cisco IOS side of this complex configuration, using the debug and test commands is your best bet. Here's an example:
Router# debug aaa authentication
AAA Authentication debugging is on
Router# debug radius authentication
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol (authentication) debugging is on
Radius packet protocol (accounting) debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Router#
Router# test aaa group radius ddavis MyPass1 port 1645 new-code
In addition to using the IAS log files, which I discussed in the previous article, this lets you see what's going on in the background on both sides of this configuration (i.e., the router or switch and the RADIUS server). If you run across an error message that you don't recognize, search the Web -- someone else has likely run across it already and figured out the resolution.
Subnetting 123
Ever get stressed out because you know there will be subnetting questions on the next exam you take, and that these questions easily eat up 10 to 20 minutes of your precious exam time? What if there is more than one question?
The process of converting the subnet to binary and decimal can drive the unfamiliar insane, not to mention the waste of precious time and brain power that could be used for other areas of exam preparation.
Let's take a look at a shortcut method that will cut down the time needed to answer these questions without the need for a calculator.
Subnet Basics:
This article assumes that you know how to perform subnetting the traditional way, but it is important to stress that there are only 3 classes of usable IP addresses, which are:
| Class | Range | Subnet mask | Host bits | Subnet bits |
| Class A | 1 - 126 | 255.0.0.0 | 24 | 8 |
| Class B | 128 - 191 | 255.255.0.0 | 16 | 16 |
| Class C | 192 - 223 | 255.255.255.0 | 8 | 24 |
You must understand and remember this table well in order to master the shortcut.
Note: You must borrow at least 2 bits and must leave at least 2 bits
The 'Subnet Table'
| Bits Borrowed (N) | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| Bit Value | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| Subnet Mask | 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255 |
| Number of Subnets | 0 | 2 | 6 | 14 | 30 | 62 | 126 | 254 |
Stop: Before continuing, please read this very important article regarding the use of the ((2^N)-2) method of subnetting.
If using the (2^N) method as defined in RFC 1878, your table would look like this instead.
| Bits Borrowed (N) | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| Bit Value | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| Subnet Mask | 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255 |
| Number of Subnets | 2 | 4 | 8 | 16 | 32 | 64 | 128 | 256 |
The 'subnet table' is commonly seen in lecture notes or certification guides, but what the author or lecturer did not tell you is how to derive this table on the fly. It's actually quite simple; let's look at it line by line.
1) Bits Borrowed: this is the easy one; just remember that the table consists of only 8 columns.
2) Bit Value: remember by heart that the first value is 128 and each subsequent value is half of the previous one.
3) Subnet Mask: this line tells you what the subnet mask octet would be. To get the figures, add the corresponding bit value to all of the values before it:
128 + 0 (there is no prior value) = 128
128 + 64 = 192
192 + 32 = 224
224 + 16 = 240
240 + 8 = 248
248 + 4 = 252
252 + 2 = 254
254 + 1 = 255
4) Number of Subnets: tells you how many subnets you'll get if you use that subnet mask. Just look at the corresponding N value at the top and you can derive the figures (2^N - 2, or 2^N with the RFC 1878 method).
Once you understand how to derive the 'subnet table', spend some time practicing. I would advise you to draw out the table once you are in the exam room (before starting the actual exam); it will take you less than a minute.
How to tackle the questions
There are only a few different ways that Microsoft or Cisco can phrase their questions; let's take a look at some examples.
Question Type 1:
If you are to determine the subnet mask based on a number of hosts and an IP address
Example:
You are assigned an IP address of 172.30.0.0 and you need 1000 hosts on your network. What is your subnet mask?
Step one: Determine the number of bits needed for the hosts.
In this scenario, we need ten bits as 2^10 = 1024 (the question asks for 1000 hosts only)
Step two: Determine the number of bits left for the subnet.
32 - (number of bits needed for the host) which is 32-10 = 22 bits
Step three: Determine the number of bits actually borrowed.
We take the number of bits left for the subnet and subtract as many 8s as possible, as each 8 represents one full octet. Therefore 22 - 8 - 8 = 6 bits were borrowed.
| Bits Borrowed (N) | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| Bit Value | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| Subnet Mask | 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255 |
| Number of Subnets | 0 | 2 | 6 | 14 | 30 | 62 | 126 | 254 |
With reference to the subnet table, 6 borrowed bits give a mask octet of 252, so the subnet mask is 255.255.252.0. Take note that a total of two 8s were subtracted, therefore the first two octets are 255.255.x.x, and the 3rd octet holds the 6 borrowed bits, which leaves us with 255.255.252.0.
Simple?
Question Type 2:
If you were given an IP address of 172.30.0.0 and you need 15 subnets, what is your subnet mask?
| Bits Borrowed (N) | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| Bit Value | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| Subnet Mask | 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255 |
| Number of Subnets | 0 | 2 | 6 | 14 | 30 | 62 | 126 | 254 |
172.30.0.0 is a Class B address, so its default mask is 255.255.0.0. With reference to the subnet table, 15 subnets needs 5 borrowed bits (the closest value is 30), so the subnet mask should be 255.255.248.0.
Question Type 3:
You are assigned an IP address of 172.30.0.0 and you need 55 subnets, how many hosts do you have per subnet?
Step One: Determine the number of bits used for the subnet.
| Bits Borrowed (N) | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| Bit Value | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| Subnet Mask | 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255 |
| Number of Subnets | 0 | 2 | 6 | 14 | 30 | 62 | 126 | 254 |
According to the chart, the closest match to 55 subnets would be 62, and therefore the number of bits borrowed for the subnet is 6. Since 172.30.0.0 is a Class B address, we need to add its 16 network bits to the 6, making 22 bits in total.
Step Two: Determine the number of bits used for the host.
The number of bits used for the hosts is 32 - (number of bits used for the subnet), which is 32 - 22 = 10 bits.
2^10-2 = 1022, therefore there are a total of 1022 usable hosts in each subnet.
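As an added example (not part of the original article), here is the 'subnet table' derivation and the three question types carried out in Python; the class ranges and the 2^N - 2 / 2^N (RFC 1878) rules are the ones from the tables above, and the function names are my own.

```python
# Default mask length per class, taken from the article's class table (added example).
CLASS_BITS = {"A": 8, "B": 16, "C": 24}

def address_class(ip):
    """Class by first octet, using the article's ranges (1-126, 128-191, 192-223)."""
    first = int(ip.split(".")[0])
    for cls, lo, hi in (("A", 1, 126), ("B", 128, 191), ("C", 192, 223)):
        if lo <= first <= hi:
            return cls
    raise ValueError(f"{ip} is not a usable class A/B/C address")

def subnet_table(rfc1878=False):
    """Rows for N = 1..8: (bit value, mask octet, number of subnets)."""
    rows, mask = [], 0
    for n in range(1, 9):
        bit_value = 128 >> (n - 1)          # 128, 64, 32, ... 1
        mask += bit_value                   # running sum: 128, 192, 224, ...
        subnets = 2 ** n if rfc1878 else 2 ** n - 2
        rows.append((bit_value, mask, subnets))
    return rows

def mask_from_prefix(prefix):
    """Dotted mask for a prefix length, e.g. 22 -> '255.255.252.0'."""
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def bits_for(count, usable=True):
    """Smallest N with 2**N (minus 2 when counting usable) >= count."""
    n = 1
    while (2 ** n - (2 if usable else 0)) < count:
        n += 1
    return n

def mask_for_hosts(ip, hosts):
    """Question type 1: prefix = 32 - host bits; must still borrow >= 2 bits."""
    prefix = 32 - bits_for(hosts)
    if prefix < CLASS_BITS[address_class(ip)] + 2:
        raise ValueError("not enough bits left to borrow at least 2 for subnets")
    return mask_from_prefix(prefix)

def mask_for_subnets(ip, subnets):
    """Question type 2: borrow N bits on top of the class default length."""
    return mask_from_prefix(CLASS_BITS[address_class(ip)] + bits_for(subnets))

def hosts_per_subnet(ip, subnets):
    """Question type 3: usable hosts left after borrowing N bits."""
    prefix = CLASS_BITS[address_class(ip)] + bits_for(subnets)
    return 2 ** (32 - prefix) - 2
```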
The key to mastering this shortcut is the same as with any other mathematical question: practice.
Good luck on your next exam.