evilrouters.net

In this demonstration, we’re going to install FreeRADIUS onto a CentOS 5.2 server and configure it to support AAA on Cisco devices.

“FreeRADIUS is the most widely deployed RADIUS server in the world. It is the basis for multiple commercial offerings. It supplies the AAA needs of many Fortune-500 companies and Tier 1 ISPs. It is also widely used in the academic community, including eduroam. The server is fast, feature-rich, modular, and scalable.” –FreeRADIUS home page

I’ve been using FreeRADIUS in production for a few years now, mostly to support wireless users. One of the benefits of FreeRADIUS — besides being open source, of course — is the numbers of backends one can use for authentication:

“If a password is not available locally for some reason, the server can pass the authentication to another system such as LDAP, PAM, Unix (/etc/passwd), Kerberos, Active Directory, or RADIUS server via RADIUS proxying. Local programs (e.g. CGI scripts) can also be used to authenticate users via shell scripts or any other method. Perl or Python scripts can be pre-loaded into the server, which significantly lowers the cost of running such programs.”

Powerful, huh? Indeed.

For this demonstration, I’m installing a new CentOS 5.2 virtual machine on my MacBook under VMware Fusion. Installing the operating system, however, is beyond the scope of this document. Also, we’ll just be using the local system database for now — we’ll save SQL and LDAP (perhaps even Active Directory) authentication for later. After we get FreeRADIUS up and running, we’ll set up a user account and then configure a Cisco router to use RADIUS for authentication.

Let’s begin with installing FreeRADIUS by running (as root) the following command:

[root@bertram ~]# yum -y install freeradius

“yum” should have went out, grabbed the appropriates packages and dependencies, and installed them. If the end of your output looks like this, you’re all set:

Complete!
[root@bertram ~]#

Because FreeRADIUS will need to use the local system database for authentication, we need to set ‘user = root’ and ‘group = root’ in radiusd.conf. This is easy enough, just open up /etc/raddb/radiusd.conf, and change the lines that reads “user = radiusd” and “group = radiusd” to “user = root” and “group = root”, respectively. Note that this (running our daemons as root) is almost always something we want to avoid. Using other authentication backends, such as SQL or LDAP, would not require this change and would allow the FreeRADIUS service to run under the default “radiusd” unprivileged account.

Next, we need to let FreeRADIUS know about our NAS — in this case, our Cisco router. For the sake of this demonstration, our router (R1) will have IP address 192.168.1.201. We’ll also need a shared secret that the router and RADIUS server use. Let’s use the ever popular “SECRET_KEY”. Add the following to the end of /etc/raddb/clients.conf:

client 192.168.1.201 {
        secret = SECRET_KEY
        shortname = R1
        nastype = cisco
}

Then, on the FreeRADIUS side, we need to create a user account in the local user database that we’ll use for actually authenticating to R1. Nothing special here, just creating a new user account and setting the password. I’ve passed the plain-text password into “passwd” via stdin so that you can see it. Normally, we wouldn’t do that — just run “passwd cisco” and enter the password when prompted:

[root@bertram ~]# /usr/sbin/useradd cisco
[root@bertram ~]# echo secret | passwd --stdin cisco
Changing password for user cisco.
passwd: all authentication tokens updated successfully.
[root@bertram ~]#

We now have a local user named “cisco” with a password of “secret” that we’ll use when it comes time to authenticate to R1. Before we can do that, however, we must let FreeRADIUS know about the user. Append the following to /etc/raddb/users:

cisco   Auth-Type := System
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

This notifies FreeRADIUS of a local user account named “cisco”. Using the “cisco-avpair” attribute in this manner allows us to automatically assign privilege level 15 to the user, removing the requirement for the user to issue “enable” (and the enable secret) in order to gain elevated access.

Let’s get started configuring R1. I’m going to assume that you’re starting from a default configuration. The first thing we want to do is create a “fallback” user account (on the router itself) that we can use to authenticate if, for some reason, connectivity to the RADIUS server is lost. Let’s create a user named “admin” with a password of “letmein”:

R1(config)#username admin privilege 15 secret letmein

Under normal circumstances, we’ll never use this local account — only when the RADIUS server is unavailable.

The first thing I need to do is configure my interface on R1 and verify we can ping the RADIUS server. Assuming you already have your router up and running, you can likely skip this step:

R1(config)#interface fastethernet 3/0
R1(config-if)#ip address 192.168.1.201 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
*Mar  1 00:10:14.635: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to up
*Mar  1 00:10:15.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up
R1(config-if)#do ping 192.168.1.51

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.51, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/11/24 ms
R1(config-if)#

Excellent, all set! Let’s start configuring R1 for AAA:

R1(config)#aaa new-model
R1(config)#radius-server host 192.168.1.51 auth-port 1812 acct-port 1813 key SECRET_KEY

AAA should now be enabled on R1. Note that we provided the IP address of the RADIUS server as well as the shared secret we configured in FreeRADIUS earlier. In addition, we must specify the “auth-port” and “acct-port” used by FreeRADIUS, as these are different from Cisco’s defaults (1645 and 1646). Let’s configure authentication:

R1(config)#aaa authentication login default group radius local
R1(config)#line vty 0 4
R1(config-line)#login authentication default
R1(config-line)#line con 0
R1(config-line)#login authentication default

Here, we’ve told R1 to use RADIUS for authentication and to fall back to the local user database if the RADIUS server is not available. We don’t want to DoS ourselves!

The following command will allow the user to run an “exec” shell when logging into the router:

R1(config)#aaa authorization exec default group radius if-authenticated 

Last, but not least, we want accounting (the final “A” in “AAA”):

R1(config)#aaa accounting exec default start-stop group radius
R1(config)#aaa accounting system default start-stop group radius

That should be enough to allow us to login with our local (Linux) system account “cisco” that we created earlier. Let’s give it a shot:

macbook:~ jlgaddis$ telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.


User Access Verification

Username: cisco
Password:

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  administratively down down
Ethernet0/1                unassigned      YES unset  administratively down down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Serial1/0                  unassigned      YES unset  administratively down down
Serial1/1                  unassigned      YES unset  administratively down down
Serial1/2                  unassigned      YES unset  administratively down down
Serial1/3                  unassigned      YES unset  administratively down down
FastEthernet3/0            192.168.1.201   YES manual up                    up
R1#exit
Connection closed by foreign host.
macbook:~ jlgaddis$

Success! We’ve installed FreeRADIUS, added a local user account, set up the NAS client (R1) and configured it to authenticate against the RADIUS server. Let’s take a look at what was logged by FreeRADIUS:

[root@bertram ~]# cat /var/log/radius/radacct/192.168.1.201/detail-20081119
Wed Nov 19 00:24:47 2008
        Acct-Session-Id = "00000005"
        User-Name = "cisco"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port = 130
        NAS-Port-Id = "tty130"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.1.49"
        Service-Type = NAS-Prompt-User
        NAS-IP-Address = 192.168.1.201
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.1.201
        Acct-Unique-Session-Id = "31b757fca2145e79"
        Timestamp = 1227072287

Wed Nov 19 00:25:14 2008
        Acct-Session-Id = "00000005"
        User-Name = "cisco"
        Acct-Authentic = RADIUS
        Acct-Terminate-Cause = User-Request
        Acct-Session-Time = 27
        Acct-Status-Type = Stop
        NAS-Port = 130
        NAS-Port-Id = "tty130"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.1.49"
        Service-Type = NAS-Prompt-User
        NAS-IP-Address = 192.168.1.201
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.1.201
        Acct-Unique-Session-Id = "31b757fca2145e79"
        Timestamp = 1227072314

[root@bertram ~]#

If there’s interest, I may expand on this later to include huntgroups, multiple RADIUS servers, using MySQL for accounting, or even through some LDAP and/or Active Directory authentication into the mix. If you’re interested, please leave a comment below!

While browsing through my archives tonight, my thoughts went back to the reliable little Buffalo WHR-G125 router/access point over in the corner. Back in January, I wrote about having issues with my MacBook’s wireless and upgrading to — at the time — the latest version of DD-WRT to see if it would help with the issues.

Many months have passed since then and the wireless issues have went away. Unfortunately, I don’t really remember when they went away. I’m not sure if it had anything to do with the firmware upgrade or not.

Regardless, I browsed over to the DD-WRT site again to see if there was newer firmware available. There was, so I decided to upgrade. Upgrading to the latest version was really easy:

[jlgaddis@cleveland ~]$ ssh root@ap
root@ap's password:
root@router:~# cd /tmp
root@router:/tmp# wget http://tinyurl.com/5qv69u
root@router:/tmp# write dd-wrt.v24_vpn_generic.bin linux

At this point, we have a few minutes to kill. The flash memory isn’t the fastest in the world, and it’ll take a bit to save the file to flash. Once it’s done and our prompt has came back back, we just need to reboot.

root@router:/tmp# reboot

Give the router a minute or two to reboot, and we should be able to login again:

[jlgaddis@cleveland ~]$ ssh root@ap
DD-WRT v24 vpn (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
root@ap's password:
==========================================================

 ____  ___    __        ______ _____         ____  _  _
 | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || |
 || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_
 ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _|
 |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_|

                       DD-WRT v24
                   http://www.dd-wrt.com

==========================================================


BusyBox v1.11.1 (2008-07-27 16:20:53 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@router:~# exit
Connection to ap closed.
[jlgaddis@cleveland ~]$

“We just launched a new alias for reporting certification security issues. It’s security-tipline@external.cisco.com.”

“Please use this for submitting any issues of exam theft or cheating.”

–cris cohen, from a post on linkedin.

new security features are being added to many enterprise switches. the availability of those features varies based on what vendor’s equipment you’re using (as well as the firmware) and each vendor offers similar features but call them by different names.

this table illustrates a few:

…thanks to informationweek

computer world is reporting that:

a laptop containing “strategic information” was stolen from a campaign field office of presidential contender John McCain.

The laptop contained “strategic information for the [Republican party] on how we are going to reach out to people in the Kansas City area.”

i guess they’ve never heard of pgp or whole disk encryption, in general, both of which i use and recommend.

read more

mccain argues that flip-flops are an example of a political leader who can’t be trusted — so he might as well drop out of the race.

read the rest of this story (alternet.org)

for quite a long time, we didn’t have any type of environmental monitoring in our datacenter. i wasn’t there when our “new” building was built so i don’t know the reason (oversight, i imagine). several months ago, though, one of my co-workers (who arrives way before the rest of us) came in on a monday morning to find that our datacenter was extremely warm (he put his hand on the back of a server cabinet and quickly removed it, like when you touch a hot stove).

it didn’t take long to convince the $boss that we needed a way to keep an eye on the temperature. an acquaintance of mine at boeing recommended the apc environmental manager units, which were relatively cheap. guess what we now have in our datacenter?

what i really like about ‘em:

• quick, easy setup
• syslog logging
• user-defined thresholds
• e-mail notifications
• snmp!

i really, really like snmp. i snmp enable everything i can, and keep an eye on it all with various tools (zenoss, cacti, homebrew perl scripts, etc.).

we had an incident where the apc unit didn’t alert us like it was supposed to. that led me to spend 15 minutes banging out yet another perl script. this one, ran every 15 minutes from a crontab, polls the temperature oid of the environmental manager. what it does depends on a few things:

• if the unit doesn’t respond, an e-mail alert is generated
• if the unit responds and the temperature is below the threshold “x”, nothing happens
• if the unit responds and the temperature is above “x”, an e-mail to our internal list is sent
• if the unit responds and the temperature is above “x+5″, an e-mail to our internal list is sent, as well as an e-mail to our facilities staff’s internal list

the multiple levels of “escalation” ensure that if, for whatever reason, no one in my department responds, our facilities staff can be alerted and hopefully one of them will address the situation. the nice (arguably) thing is that as long as the temperature is above the threshold, the e-mails will continue to go out every 15 minutes until someone takes action. it doesn’t take long before those e-mails get annoying — especially for those of us who carry a blackberry 24/7!

in the battle against spam, yahoo said this week that it’s making headway in getting sites to adopt its e-mail-authenticating technology.

called domain keys identified mail, the program confirms that an e-mail is not faked, that it’s actually coming from the address it purports to be.

this has been tried before, in a number of different ways by a number of different companies (including microsoft). it hasn’t worked yet.

yahoo is hiring engineers who know how to identify networks of bots and is investing in technology that will allow yahoo servers around the world to respond and adapt automatically to threats, risher said.

yeah, right. since i’d say 99% of spam comes from botnets, this means we can expect that 1) yahoo will stop allowing spam to be sent through its servers and 2) it’ll stop blocking all of us .edu’s as spam, right? ask any mail admin at a .edu how much of a pain in the ass yahoo is to them if you wonder what i’m talking about.

[ read more... ]

a 13 year old from texas who stole his dad’s credit card and ordered two hookers from an escort agency has today been convicted of fraud and given a three year community order.

ralph hardy, a 13 year old from newark, texas, confessed to ordering an extra credit card from his father’s existing credit card company, and took his friends on a $30,000 spending spree, culminating in playing “halo” on an xbox with a couple of hookers in a texas motel.

his ambition is to one day become a politician. i think he’s off to a good start. =)

[ read more ]

i was asked today to look at an issue where backups of our virtual machines on vmware esx had began to fail. we use vizioncore’s vranger pro for backing up the vm’s and it has a “user account” on each of the servers running vmware esx.

after a quick look, i figured out what happened. password aging was set to require a password change every 90 days. since we don’t ever “interactively” log in to the esx servers with this particular account, however, we didn’t see the warnings.

we currently don’t have a “you must change your password every x days” policy, because we have a policy of using long, complex passphrases. because of this we didn’t want to change those passwords every 90 days per the default.

the fix was to disable password aging for vranger’s account on each of the vmware esx hosts, like this:

# passwd -x 99999 -w 7 -n 0 vranger

(the “-w 7 -n 0″ are probably unnecessary, but keeps this account’s settings consistent with the others.)