Showing posts with label Microsoft.

Saturday, February 1, 2014

Server 2008 R2 as RADIUS for CISCO ASA VPN Clients

In every enterprise or private data centre network a number of IT systems have to work together to keep it secure. The other day I implemented a Cisco ASA 5520 failover pair, and the main problem I had with the users was how they would manage so many passwords for VPN, AD, mail and so on. So I thought: why not use their existing Active Directory (Kerberos) accounts for the VPN as well and simplify things.

This is an easy task and I will explain it as briefly as I can. The goal is to make the Cisco ASA failover pair authenticate VPN users against Active Directory, using RADIUS to a Network Policy Server (NPS) on Windows Server 2008 R2.



The quickest way to configure the ASA is the ASDM GUI. I use the CLI only for the initial interface and http (ASDM access) commands; everything after that is done in ASDM.



First we need to configure an object for the RADIUS server:
In the Firewall section expand Objects and select IP Names. Click Add, give the RADIUS server a name, and enter the IP address of the domain controller on the intranet that will run NPS.

Next, define a RADIUS AAA server group:
Click the Remote Access VPN section.
Expand AAA Setup and select AAA Server Groups.
Click the Add button to the right of the AAA Server Groups section.
Give the server group a name, like TEST-AD, and make sure the RADIUS protocol is selected.
Accept the defaults for the other settings and click OK.

Next, add the RADIUS server to the group just created:
Select the server group created in the step above.
Click the Add button to the right of Servers in the Selected Group.
Under Interface Name select the ASA interface from which the RADIUS server is reachable, most likely inside.
Under Server Name or IP Address enter the IP Name you created for the RADIUS server above.
In the Server Secret Key field enter a long, random shared secret. Document it, because the same value has to be entered on the NPS server. Leave the Common Password field empty: it is not a second copy of the shared secret but the password the ASA sends in authorization-only RADIUS requests, which this setup does not use.
Leave the rest of the settings at their defaults and click OK.

To enable RADIUS on Server 2008 R2 we must add a role:
Connect to the Windows Server 2008 R2 server and launch Server Manager.
Click the Roles object and then click the Add Roles link on the right.
Click Next on the Before You Begin page.
Select the Network Policy and Access Services role and click Next.
Under Role Service select only the Network Policy Server service and click Next.
Click Install.

After launching the NPS tool right-click on the entry NPS(Local) and click the Register Server in Active Directory. Follow the default prompts.

Next we define a RADIUS client on the NPS server for our ASA failover pair. One client entry is enough: in active/standby failover the active unit always uses the configured (active) inside IP address, so requests arrive from the same address after a failover.
Right-click on RADIUS Clients and select New RADIUS Client.
Create a Friendly Name for the ASA device. I used "CiscoASA", but if you have more than one you might want to make it more unique and identifiable. Document the Friendly Name, as it is used later in the policies.
Enter the Server Secret Key specified during the ASA configuration in the Shared secret and Confirm shared secret fields.
Leave the default values for the other settings and click OK. See Figure 1 for the complete RADIUS Client properties.


Connection Request Policy
Expand the Policies folder.
Right-click on the Connection Request Policies and click New.
Set the Policy Name to something meaningful. I used CiscoASA because this policy is geared specifically to that RADIUS client. Leave the Type of network access server as Unspecified and click Next.
Under Conditions click Add. Scroll down and select the Client Friendly Name condition and click Add…
Specify the friendly name that you used when creating the RADIUS Client above. Click OK and Next.
On the next two pages leave the default settings and click Next.
Under the Specify a Realm Name select the Attribute option on the left. From the drop down menu next to Attribute: on the right select User-Name. Click Next again.
Review the settings on the next page and click Finish.

Create a Network Policy
Right-click the Network Policy folder and click New.
Set the Policy Name to something meaningful. Leave the Type of network access server as Unspecified and click Next.
Under Conditions click Add.
Add a User Groups condition to limit access to a specific AD group. You can use a broad group like Domain Users, but a dedicated group (for example VPN-Users) keeps VPN access to the accounts that actually need it.
Add a Client Friendly Name condition and again specify the Friendly Name you used for your RADIUS client.
Click Next. Leave Access granted selected and click Next again.
(Important step) On the authentication methods page keep the default selection and additionally tick Unencrypted authentication (PAP, SPAP). The ASA sends PAP in its RADIUS requests unless password-management is configured on the tunnel-group (which switches it to MS-CHAPv2); if PAP is not enabled here, NPS rejects every request from the ASA with reason code 66 (authentication method not enabled on the matching network policy).
Accept the default Constraints and click Next.
Accept the default Radius Settings and click Next. Review the settings and click Finish.
Restart the Network Policy Server service.

What is left is to bind the group to the VPN, test it, and save the config.
If necessary re-launch the ASDM utility.
Return to Configuration -> Remote Access VPN -> AAA Setup -> AAA Server Groups.
Select the new server group you created.
From the Servers in the Selected Group section highlight the server you created and click the Test button on the right.
Select the Authentication radio button, enter the username and password of a user that meets the conditions in the network policy created above, and click OK. A failed test is easiest to diagnose on the NPS side, in the Security event log (event 6273 carries the reason code).
Then open the VPN connection profile (tunnel-group) the clients use, under Configuration -> Remote Access VPN -> Network (Client) Access, and set its Authentication AAA Server Group to TEST-AD instead of LOCAL; without this step the VPN still authenticates against the ASA's local user database.
Finally save the running configuration to flash (File -> Save Running Configuration to Flash).
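As an added example (not part of the original post), here is the NPS side of the procedure as PowerShell on the 2008 R2 server, plus a small function to triage the resulting RADIUS events. Windows Server 2008 R2 has no NPS PowerShell cmdlets (those arrived with Server 2012), so the configuration steps use netsh nps. The ASA address, friendly name and shared secret are placeholders, not values from the post.

```powershell
# Added example, not from the original post: NPS-side configuration and triage for the
# ASA -> RADIUS -> Active Directory setup. Run in an elevated PowerShell 2.0 session on
# the Windows Server 2008 R2 host that runs NPS. All three values below are assumptions.
$AsaAddress   = '10.0.0.1'                          # ASA inside interface (the active IP)
$FriendlyName = 'CiscoASA'                          # must match the Client Friendly Name conditions
$SharedSecret = 'replace-with-a-long-random-secret' # same value as entered on the ASA

# 1. Register NPS in AD (needs Domain Admin rights: it adds the server to the
#    "RAS and IAS Servers" group so NPS may read account dial-in properties), then
#    create the RADIUS client entry for the ASA.
netsh nps add registeredserver
netsh nps add client "name=$FriendlyName" "address=$AsaAddress" state=ENABLE `
    "sharedsecret=$SharedSecret" requireauthattrib=NO napcompatible=NO "vendor=RADIUS Standard"

# 2. Back up the whole NPS configuration, shared secrets included; keep the file where
#    only administrators can read it.
netsh nps export "filename=C:\nps-backup.xml" exportPSK=YES

# 3. NPS writes its decisions to the Security log: 6272 = access granted, 6273 = denied.
#    Reason code 16 is a bad username/password; 66 means the ASA offered an authentication
#    method (PAP) that the matching network policy does not allow, i.e. the
#    "(Important step)" above was skipped.
function Get-NpsAuthSummary {
    param([int]$MaxEvents = 200)
    Get-WinEvent -LogName Security -MaxEvents $MaxEvents `
        -FilterXPath '*[System[(EventID=6272 or EventID=6273)]]' |
      ForEach-Object {
        $m = $_.Message
        $user   = ''; if ($m -match 'Account Name:\s+(\S+)')         { $user   = $matches[1] }
        $client = ''; if ($m -match 'Client Friendly Name:\s+(\S+)') { $client = $matches[1] }
        $reason = 0 ; if ($m -match 'Reason Code:\s+(\d+)')          { $reason = [int]$matches[1] }
        $result = 'Denied'; if ($_.Id -eq 6272) { $result = 'Granted' }
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; Result = $result; User = $user; Client = $client; Reason = $reason
        }
      }
}

# Denied attempts grouped by reason code: a burst of reason 16 against one account is a
# password-guessing attempt on the VPN; reason 66 everywhere is a policy mistake.
Get-NpsAuthSummary | Where-Object { $_.Result -eq 'Denied' } |
    Group-Object Reason | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Why PAP is acceptable here but needs care: with PAP the user's password travels inside the RADIUS User-Password attribute, obscured only by XORing it with MD5(shared secret || request authenticator) as RFC 2865 describes, so anyone who can sniff the ASA-to-NPS segment and guess the shared secret recovers every VPN password. Keep the RADIUS traffic on the inside interface or a management VLAN, use a long random secret, or enable password-management on the tunnel-group and tick MS-CHAPv2 in the network policy instead of PAP.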


Feel free to comment.

Monday, November 18, 2013

Configure Corefig as a free managament tool for Hyper-V 2012

Reading a lot of articles online I found that Hyper-V 2012 has some good new features that are free to use. Some of them compete directly with VMware, such as high availability and the new SMB 3.0 protocol. I installed a nested Hyper-V 2012 under my VMware setup to test the management tools.
One tool I found useful is Corefig, a collection of PowerShell scripts with a GUI. Here are the steps to install and configure this management tool.

On a fresh install of Hyper-V Server 2012, enable Remote Management from the initial configuration menu (sconfig). To copy the downloaded Corefig files to the Hyper-V 2012 host the firewall has to let SMB in. The quick way, used here, is to disable the firewall with a netsh command; on anything but an isolated lab host, enable only the File and Printer Sharing rule group instead.


The next step is to download Corefig.zip and copy it to the Hyper-V host. Copy the files over SMB by opening the \\hyper-vsrv share path in Explorer and creating a folder called Corefig under the root of the hypervisor's system drive.

The link for the Corefig installation can be found here.

After extracting the files, start the PowerShell script to initialise Corefig and register it to run at startup. This is done with two simple commands:

CD C:\COREFIG
POWERSHELL .\COREFIG.PS1

Soon after that an instance of Corefig is running and all of the management functions it offers are available. A screenshot shows the GUI of the tool.


We can easily change the network settings, use a few small Control Panel utilities, and change general Hyper-V settings. One useful security feature is managing the firewall from the GUI, which makes creating the first rules easy. I have disabled the firewall for testing purposes.
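As an added example (not part of the original post), the firewall handling done the least-privilege way in PowerShell 3.0 on the Hyper-V Server 2012 host, with the post's "firewall off" setting shown beside the corrected one, plus a check of the Corefig archive before it is wired in as a startup script. The management subnet and the archive path are assumptions.

```powershell
# Added example, not from the original post: keep the Windows Firewall on while copying
# Corefig to Hyper-V Server 2012 and managing the host remotely. Run in PowerShell 3.0
# on the hypervisor console. The management subnet below is an assumption.
$MgmtSubnet = '192.168.1.0/24'

# The setting the post uses for the copy (leaves every service exposed on every profile):
#   netsh advfirewall set allprofiles state off

# Corrected setting: firewall stays on for all profiles; only the rule groups needed for
# the SMB copy (\\hyper-vsrv) and for remote administration are enabled, and the SMB
# rules are limited to the management subnet.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $MgmtSubnet

# What is actually reachable: enabled inbound allow rules, grouped by display group.
function Get-OpenInboundGroups {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Group-Object DisplayGroup | Sort-Object Count -Descending |
        Select-Object Count, Name
}
Get-OpenInboundGroups | Format-Table -AutoSize

# Corefig is a downloaded script that the post registers to run at startup, so check
# what you are about to run. PowerShell 3.0 has no Get-FileHash, hence .NET directly;
# compare the result with the hash published where you obtained the archive.
function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Dispose(); $sha.Dispose() }
}
Get-Sha256 'C:\Corefig\Corefig.zip'   # path assumed from the post's C:\Corefig folder
```

Run the firewall part before the copy instead of the netsh "state off" command; Corefig's own firewall page can then be used for any further rules, with the firewall never having been off.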



According to the Corefig project page, the tool is verified to work with these setups:
  • Verified: Microsoft Windows Server 2012 (Core Installation)
  • Verified: Microsoft Windows Server 2012 (Complete GUI Installation)
  • Verified: Microsoft Hyper-V Server 2012
Feel free to use the tool and comment on it.

Windows Server 2008 PKI Single Tier CDP

In cryptography, a PKI is an arrangement that binds public keys to user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. A third-party validation authority (VA) can provide this information on behalf of the CA. The binding is established through the registration and issuance process which, depending on the assurance level of the binding, may be carried out by software at a CA or under human supervision.
Active Directory Certificate Services (AD CS) is an identity and access control technology that provides customisable services for creating and managing the public key certificates used in software security systems that employ public key technologies.

A CDP (CRL Distribution Point) is a system, or systems, where the CRL (Certificate Revocation List) is placed for retrieval by relying parties throughout the PKI environment. A CDP should be referenced in each certificate so that relying parties can check the CRL before relying on the certificate. Most CDPs are accessible via HTTP or LDAP; an HTTP CDP is the one to prefer, because non-domain-joined and non-Windows clients cannot read the LDAP one.

In this small setup we have a Windows Server 2008 R2 with the following roles installed:
  • Active Directory Certificate Services
  • Active Directory Domain Services
  • DNS Server
  • Web Server (IIS)
We also have a Windows 7 desktop machine joined to the domain. We want to check that the machine has obtained a certificate for authentication and other domain procedures, and to ensure that autoenrollment is turned on so that every other machine in the domain gets one automatically.
Before the AD CS role is installed (CAPolicy.inf is only read during CA setup and at CA certificate renewal), create a CA policy file, which controls the CA's own certificate and a few CA settings, and save it in the C:\Windows folder as CAPolicy.inf:

[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
; Use an OID from an arc your organisation owns (an IANA Private Enterprise Number);
; the value below is only a placeholder.
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://pki.corp.local/cps.txt

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; 0 = do not publish the default templates at setup; publish the ones you need by hand.
LoadDefaultTemplates=0
; 1 = sign with RSASSA-PSS; Windows XP and some non-Windows clients cannot validate such signatures.
AlternateSignatureAlgorithm=1

To see where the CDP is published, open Start > Administrative Tools > Certification Authority, right-click the CA, choose Properties and look at the Extensions tab.



Now, to ensure that all PCs in the Active Directory domain corp.local enroll these certificates, we modify the Default Domain Policy with gpmc.msc: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment, set to Enabled.


To review the certificate enrollment we check the client. Open an MMC console on the Windows 7 machine and add the Certificates snap-in for the Computer account; it manages the local machine's certificates.


We can see that we have enrolled a certificate from DC1, our domain controller (which is also the CA). The last thing to look at is the purpose of the certificate.


We can see that the certificate shows All Issuance Policies, which also means Windows 7 recognised the OID from the CaPolicy.inf file. For further research see Microsoft TechNet for other CA purposes.
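As an added example (not part of the original post), here is how to set an HTTP CDP/AIA for this single-tier CA and verify from the Windows 7 client that the URL ends up in issued certificates and actually answers. It assumes IIS on the CA serves the CertEnroll folder as http://pki.corp.local/CertEnroll (the host name used in CaPolicy.inf) and that the CA kept its default name corp-DC1-CA; adjust the issuer pattern if yours differs.

```powershell
# Added example, not from the original post: HTTP CDP/AIA for the single-tier CA plus a
# client-side check. Assumptions: IIS on the CA publishes %WINDIR%\system32\CertSrv\CertEnroll
# as http://pki.corp.local/CertEnroll, and the CA common name matches $IssuerPattern.

# --- On the CA, elevated. certutil tokens: %1 = server DNS name, %3 = CA name,
#     %4 = cert index, %8 = CRL index, %9 = delta CRL suffix. Prefix flags: 1 = publish the
#     file here, 2 = put the URL in the CDP/AIA extension of issued certificates,
#     4 = put it in the Freshest CRL extension, 64 = publish delta CRLs here.
certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://pki.corp.local/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.local/CertEnroll/%1_%3%4.crt"
Restart-Service CertSvc
certutil -crl                      # publish a fresh base (and delta) CRL into CertEnroll now

# --- On the domain-joined Windows 7 client.
gpupdate /target:computer /force   # pull the autoenrollment setting from the domain GPO
certutil -pulse                    # trigger autoenrollment instead of waiting for the next cycle

# Certificates issued by our CA in the machine store, with the CDP URL each one carries.
function Get-MachineCertCdp {
    param([string]$IssuerPattern = '*CN=corp-DC1-CA*')   # assumption: default CA name for DC1 in corp.local
    Get-ChildItem Cert:\LocalMachine\My |
      Where-Object { $_.Issuer -like $IssuerPattern } |
      ForEach-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
        $cdp = '(no CDP extension)'
        if ($ext) { $cdp = $ext.Format($true) }
        New-Object PSObject -Property @{
            Subject = $_.Subject; NotAfter = $_.NotAfter; Thumbprint = $_.Thumbprint; CDP = $cdp
        }
      }
}
Get-MachineCertCdp | Format-List

# Chain and revocation check that really fetches the CDP and AIA URLs: every URL in the
# output should be reported as verified rather than failed.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like '*CN=corp-DC1-CA*' } | Select-Object -First 1
[System.IO.File]::WriteAllBytes("$env:TEMP\machine.cer", $cert.Export('Cert'))
certutil -verify -urlfetch "$env:TEMP\machine.cer"
```

Certificates issued before the CDP change keep their old extension, so if the machine certificate predates it, delete it from the Personal store and run certutil -pulse again to get one that carries the HTTP URL.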

Feel free to comment.

Wednesday, October 16, 2013

Setup Linux as a Microsoft Domain Controller

In this short blog post I will use three main components to set up a CentOS Linux box as a Microsoft-compatible domain controller. The latest Samba 4 comes with the Active Directory logon and administration protocols, including the usual Active Directory features and interoperability with Microsoft Active Directory servers.

To make this happen we need to set up three services on CentOS:
  • Samba 4 (also usable for file sharing)
  • NTP server
  • BIND DNS server (hosting the AD DNS zone through Samba's BIND9_DLZ plugin)
First we set the hostname of the CentOS domain controller:

nano /etc/sysconfig/network
HOSTNAME=centos-dc

To keep this small lab setup simple we disable SELinux; on a production DC you would keep it enforcing and write the policy it needs instead:

nano /etc/sysconfig/selinux
SELINUX=disabled
setenforce 0

Next, install the build dependencies if they are not already present:

yum -y install gcc make wget python-devel gnutls-devel openssl-devel libacl-devel krb5-server krb5-libs krb5-workstation bind bind-libs bind-utils

Next, download the Samba 4 source, compile it and install it (the default prefix is /usr/local/samba, which all paths below assume):

wget http://ftp.samba.org/pub/samba/samba-latest.tar.gz
tar -xzvf samba-latest.tar.gz
cd samba-4.*/          # the archive unpacks into a versioned directory, not samba-latest/
./configure --enable-selftest
make
make install

The new Samba 4 comes with samba-tool to provision a new domain and bind it to the DNS service (omit --adminpass to be prompted for the Administrator password instead of leaving it in the shell history):

/usr/local/samba/bin/samba-tool domain provision --realm=frogman.local --domain=FROGMAN --adminpass 'P@ssw0rd' --server-role=dc --dns-backend=BIND9_DLZ


The BIND9_DLZ DNS backend stores the zone data in the Samba 4 AD database and lets BIND serve it. Generate the rndc key and then edit the named configuration:

rndc-confgen -a -r /dev/urandom


To allow AD queries from every machine in the LAN, make BIND listen on port 53 on all interfaces, and configure a forwarder in named.conf so that queries for other domains are resolved. Keep allow-query (and recursion) limited to your own networks if the box is reachable from the Internet, otherwise it becomes an open resolver.

nano /etc/named.conf
options {
        listen-on port 53 { any; };
        forwarders { 172.16.1.1; };
        allow-query { any; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

include "/usr/local/samba/private/named.conf";

Point the resolver at localhost and define the local domain:

nano /etc/resolv.conf
nameserver 127.0.0.1
domain frogman.local

The next step is to configure Kerberos authentication:

nano /etc/krb5.conf
[libdefaults]
default_realm = FROGMAN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

Configuration and installation of the NTP service follows. Samba needs an ntpd built with --enable-ntp-signd so that domain members can get signed time; ntp.conf then also needs the ntpsigndsocket directive pointing at Samba's ntp_signd directory, which is not shown here.

wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.6p5.tar.gz
tar -xzvf ntp-4.2.6p5.tar.gz
cd ntp-4.2.6p5
./configure --enable-ntp-signd
make
make install

We must then configure permissions for the DNS zone and the associated files, and enable the services at boot:

chown named:named /usr/local/samba/private/dns
chown named:named /usr/local/samba/private/dns.keytab
chmod 775 /usr/local/samba/private/dns
chmod 755 /etc/init.d/samba4   # init scripts for samba4 and ntp are assumed to exist; they are not shown in this post
chmod 755 /etc/init.d/ntp

chkconfig --level 235 samba4 on
chkconfig --level 235 ntp on
chkconfig --level 235 named on

Now all the services are set to start at boot. Reboot the server and check that they are all up. I myself had a problem with the named service; the error showed up under /var/log as a BIND loading error:

dlz_dlopen failed to open library /usr/local/samba/modules/bind9/dlz_bind9.so

I fixed this error by assigning appropriate permissions to the dlz_bind9.so file:

chmod 775 /usr/local/samba/modules/bind9/dlz_bind9.so


After another reboot I chose a Windows box to test with and joined it to the newly created domain controller running on the free Linux machine.


And we have a Microsoft box joined to a domain with a Linux domain controller :D
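As an added example (not part of the original post), here is a PowerShell function for the Windows test box that checks the three services the DC depends on: the DNS SRV records a client uses to find the DC, the Kerberos/LDAP/SMB ports, and the clock skew that NTP is there to keep small. It can be run before the join and again after it. The realm and host name default to the post's frogman.local and centos-dc.

```powershell
# Added example, not from the original post: check the Samba 4 DC from a Windows machine
# before and after joining it. Defaults are the post's realm and host name; nothing here
# needs domain credentials except the final nltest call, which works once joined.
function Test-SambaDc {
    param(
        [string]$Domain = 'frogman.local',
        [string]$Dc     = 'centos-dc'
    )
    $fqdn    = "$Dc.$Domain"
    $results = @()

    # 1. DNS: the SRV records a Windows client uses to find a DC and a KDC. Missing records
    #    mean the BIND9_DLZ backend or the named.conf include is not working.
    foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
        $out = nslookup -type=SRV $srv 2>&1 | Out-String
        $results += New-Object PSObject -Property @{ Check = "SRV $srv"; Ok = [bool]($out -match 'svr hostname') }
    }

    # 2. TCP ports for the services the post sets up: DNS 53, Kerberos 88, LDAP 389,
    #    SMB 445 (NTP is UDP 123 and is covered by the skew check below).
    foreach ($port in 53, 88, 389, 445) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect($fqdn, $port); $ok = $true } catch { $ok = $false } finally { $tcp.Close() }
        $results += New-Object PSObject -Property @{ Check = "TCP $port on $fqdn"; Ok = $ok }
    }

    # 3. Clock skew: Kerberos rejects tickets when client and KDC differ by more than five
    #    minutes, which is why the post installs ntp on the DC. w32tm prints "hh:mm:ss, +00.012s".
    $chart  = w32tm /stripchart "/computer:$fqdn" /samples:1 /dataonly 2>&1 | Out-String
    $skewOk = $false
    if ($chart -match ',\s*([+-]?\d+\.\d+)s') { $skewOk = [math]::Abs([double]$matches[1]) -lt 300 }
    $results += New-Object PSObject -Property @{ Check = 'Clock skew under 5 minutes'; Ok = $skewOk }

    # 4. After the join: ask the Netlogon DC locator which DC it picks for the domain.
    $loc = nltest "/dsgetdc:$Domain" 2>&1 | Out-String
    $results += New-Object PSObject -Property @{ Check = 'nltest /dsgetdc'; Ok = [bool]($loc -match 'completed successfully') }

    $results
}

Test-SambaDc | Format-Table Check, Ok -AutoSize
```

A failed SRV check with the TCP ports open points at DNS (the named include or the DLZ module permissions from above); open ports with a failed skew check points at NTP, and Kerberos logons will fail until the clocks agree.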

Feel free to comment.