ClearPass – concurrent session limit

I tried to configure a restriction on the number of concurrent active sessions a user can have on the wireless network. I found a great article on the AirHeads Community: “How to deny access for authentication requests based on session limit?”.

I configured my ClearPass environment as shown in the article, but I didn’t see any active sessions in the Access Tracker: the counter remained 0. I connected to the Insight database with pgAdmin to see whether the Insight database was being updated. It was, so everything seemed to be working.

By accident I found the solution. The SSID uses EAP-PEAP authentication and users enter their username as <username>@<domain-name>, like rene@booches.nl. This is necessary because the SSID is configured to work with Govroam. Govroam provides government employees with seamless access to WiFi networks wherever the service has been made available by participating organisations. To authenticate the users correctly, I configured the CPPM service with Strip Username Rules.

Strip Username Rules

The SQL query from the article checks the attribute %{Authentication:Username}:

select count(*) as sessions from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() - interval '1 hour') AND now());

In the Insight database the username has the format <username>@<domain-name>, but after the Strip Username Rule the attribute %{Authentication:Username} has the format <username>, so the query never matches. I noticed this mismatch while checking the Access Tracker.

ClearPass Access Tracker

I altered the query by changing %{Authentication:Username} into %{Authentication:Full-Username}. After this the session information was correct and I could use the session counter in a Role Mapping or Enforcement Profile to limit the number of concurrent active sessions per user.
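To make the mismatch visible without a ClearPass server, here is an added example (not from the article or from Aruba) that emulates the Insight radius_acct table in SQLite and runs the session-count query once with the stripped username and once with the full username. The rows, the column subset and the one-hour window are constructed assumptions; the SQLite query is a rendering of the Postgres query above with the ClearPass macro replaced by a bound parameter.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed reference time and radius_acct rows covering the cases the
# query filters on: active vs closed sessions and the one-hour update window.
NOW = datetime(2016, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    # active session, updated 5 minutes ago -> must be counted
    ("rene@booches.nl", None, None, NOW - timedelta(minutes=5)),
    # active session, last update 2 hours ago -> outside the 1-hour window
    ("rene@booches.nl", None, None, NOW - timedelta(hours=2)),
    # closed session -> end_time and termination_cause are set
    ("rene@booches.nl", NOW - timedelta(minutes=30), "User-Request",
     NOW - timedelta(minutes=30)),
    # another user's active session, must not count for rene
    ("anna@booches.nl", None, None, NOW - timedelta(minutes=1)),
]


def build_db():
    """Create an in-memory stand-in for the Insight radius_acct table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table radius_acct (username text, end_time text, "
               "termination_cause text, updated_at text)")
    db.executemany(
        "insert into radius_acct values (?, ?, ?, ?)",
        [(u, e.isoformat() if e else None, t, ts.isoformat())
         for u, e, t, ts in SAMPLE_ROWS])
    return db


def strip_username(full_username):
    """What a Strip Username Rule does: drop the @domain part."""
    return full_username.split("@", 1)[0]


def active_sessions(db, username, now=NOW):
    """Count sessions like the article's query; timestamps are ISO strings,
    so BETWEEN compares them lexicographically (same offset on every row)."""
    window_start = (now - timedelta(hours=1)).isoformat()
    row = db.execute(
        "select count(*) as sessions from radius_acct "
        "where username = ? and end_time is null "
        "and termination_cause is null and updated_at between ? and ?",
        (username, window_start, now.isoformat())).fetchone()
    return row[0]


def session_limit_exceeded(db, full_username, limit):
    """Enforcement decision: deny when the user already holds `limit` sessions."""
    return active_sessions(db, full_username) >= limit
```

With the stripped name the count is 0 and the limit is never enforced; with the full username the single active in-window session is counted.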

FortiGate – IPSec with dynamic IP

Site-to-site VPN connections are a common way to connect a branch office to the corporate network. In the Netherlands it is still common for a branch office to have an internet connection with a dynamic IP address. A dynamic IP address is not ideal when configuring a site-to-site VPN, because the configuration almost always relies on static IP addresses.

I recently configured an IPSec VPN between two FortiGate appliances and the branch appliance is using a dynamic IP address. I used Fortinet’s DDNS feature to configure the VPN.

To configure the branch FortiGate for DDNS, I first configured the WAN interface to retrieve its IP address via DHCP. Next I configured DDNS:

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain "branche01-booches.fortiddns.com"
set monitor-interface "wan1"
next
end

This can also be done in the GUI.

FortiDDNS

The VPN configuration on the hub firewall for dynamic DNS support is the same as the configuration of a regular VPN connection. The only difference is the peer address: instead of a static IP, you set the type to ddns and configure the DDNS FQDN.

config vpn ipsec phase1-interface
edit "vpn_p1_branche01"
set type ddns
set interface "wan1"
set proposal 3des-sha1
set dhgrp 2
set remotegw-ddns "branche01-booches.fortiddns.com"
set psksecret P$k-VPN!
next
end

And as you can imagine, this can also be done via the GUI.

FortiDDNS IPSec - HQ

Check the status of the VPN connection via the regular methods, like the CLI (get vpn ike gateway or get vpn ipsec tunnel name <tunnel-name>) or the GUI.

Cisco ASA: multiple context and capture

Packet captures are very useful for troubleshooting. The Cisco ASA supports packet captures even in multiple context mode. I normally configure packet captures at the CLI: configure an access-list to match the specific traffic you want to capture, then reference the access-list and the interface in a capture command. Mostly I download the capture in raw format for further analysis with a tool like Wireshark. The capture can be downloaded via TFTP or via a secure connection (HTTPS) to the Cisco ASA firewall.

When running a Cisco ASA in multiple context mode, I always disable the ability to connect directly to a traffic context for management purposes. That way all management access has to go through the admin context, but it also removes the option to download the capture via a secure connection directly from the traffic context.

The easiest way to download the capture in multiple context mode is a TFTP transfer from the system context. In the example command below, the capture was made within the context named contextA and has the name captureA. The following command downloads the capture in raw (pcap) format:

copy /pcap capture:contextA/captureA tftp://10.10.10.10/captureA.pcap

You can now analyse the capture with Wireshark.

Cisco IOS-XE 16.x

Cisco has released new IOS-XE software, called IOS-XE Denali 16.x. This software is available for Cisco ASR routers and Cisco Catalyst 3850/3650 switches. Eventually IOS-XE Denali should be available for all switches.

A good overview of Cisco Catalyst IOS XE Denali is given in this YouTube video from Tech Field Day.

Below you see the commands to upgrade a Cisco Catalyst 3850 switch stack consisting of 3 switches to the new IOS-XE Denali firmware. When you use the default software install command you receive an error message, as shown below.

C3850#software install file flash:/cat3k_caa-universalk9.16.01.02.SPA.bin switch 1-3 on-reboot
Preparing install operation ...
[2]: Copying software from active switch 2 to switches 1,3
[2]: Finished copying software to switches 1,3
[1 2 3]: Starting install operation
[1 2 3]: Expanding bundle flash:cat3k_caa-universalk9.16.01.02.SPA.bin
[1 2 3]: Copying package files
[1 2 3]: Package files copied
[1 2 3]: Finished expanding bundle flash:cat3k_caa-universalk9.16.01.02.SPA.bin
[1 2 3]: Verifying and copying expanded package files to flash:
[1 2 3]: Verified and copied expanded package files to flash:
[1 2 3]: Starting compatibility checks
[1]: % Candidate package compatibility checks failed because the following
package dependencies were not satisfied. Operation aborted.

[2]: % Candidate package compatibility checks failed because the following
package dependencies were not satisfied. Operation aborted.

[3]: % Candidate package compatibility checks failed because the following
package dependencies were not satisfied. Operation aborted.

To get a successful install, you need to add the keywords new and force, as shown in the output below. Afterwards you need to manually reboot the stack during a maintenance window to activate the Cisco IOS-XE Denali firmware.

C3850#software install file flash:/cat3k_caa-universalk9.16.01.02.SPA.bin switch 1-3 new force on-reboot
Preparing install operation ...
[2]: Copying software from active switch 2 to switches 1,3
[2]: Finished copying software to switches 1,3
[1 2 3]: Starting install operation
[1 2 3]: Expanding bundle flash:cat3k_caa-universalk9.16.01.02.SPA.bin
[1 2 3]: Copying package files
[1 2 3]: Package files copied
[1 2 3]: Finished expanding bundle flash:cat3k_caa-universalk9.16.01.02.SPA.bin
[1 2 3]: Verifying and copying expanded package files to flash:
[1 2 3]: Verified and copied expanded package files to flash:
[1 2 3]: Starting compatibility checks
[1 2 3]: Bypassing peer package compatibility checks due to 'force' command option
[1 2 3]: Finished compatibility checks
[1 2 3]: Starting application pre-installation processing
[1 2 3]: Finished application pre-installation processing
[1]: Old files list:
Removed cat3k_caa-base.SPA.03.07.01E.pkg
Removed cat3k_caa-drivers.SPA.03.07.01E.pkg
Removed cat3k_caa-infra.SPA.03.07.01E.pkg
Removed cat3k_caa-iosd-universalk9.SPA.152-3.E1.pkg
Removed cat3k_caa-platform.SPA.03.07.01E.pkg
Removed cat3k_caa-wcm.SPA.10.3.110.0.pkg
[2]: Old files list:
Removed cat3k_caa-base.SPA.03.07.01E.pkg
Removed cat3k_caa-drivers.SPA.03.07.01E.pkg
Removed cat3k_caa-infra.SPA.03.07.01E.pkg
Removed cat3k_caa-iosd-universalk9.SPA.152-3.E1.pkg
Removed cat3k_caa-platform.SPA.03.07.01E.pkg
Removed cat3k_caa-wcm.SPA.10.3.110.0.pkg
[3]: Old files list:
Removed cat3k_caa-base.SPA.03.07.01E.pkg
Removed cat3k_caa-drivers.SPA.03.07.01E.pkg
Removed cat3k_caa-infra.SPA.03.07.01E.pkg
Removed cat3k_caa-iosd-universalk9.SPA.152-3.E1.pkg
Removed cat3k_caa-platform.SPA.03.07.01E.pkg
Removed cat3k_caa-wcm.SPA.10.3.110.0.pkg
[1]: New files list:
Added cat3k_caa-rpbase.16.01.02.SPA.pkg
Added cat3k_caa-rpcore.16.01.02.SPA.pkg
Added cat3k_caa-srdriver.16.01.02.SPA.pkg
Added cat3k_caa-wcm.16.01.02.SPA.pkg
Added cat3k_caa-webui.16.01.02.SPA.pkg
[2]: New files list:
Added cat3k_caa-rpbase.16.01.02.SPA.pkg
Added cat3k_caa-rpcore.16.01.02.SPA.pkg
Added cat3k_caa-srdriver.16.01.02.SPA.pkg
Added cat3k_caa-wcm.16.01.02.SPA.pkg
Added cat3k_caa-webui.16.01.02.SPA.pkg
[3]: New files list:
Added cat3k_caa-rpbase.16.01.02.SPA.pkg
Added cat3k_caa-rpcore.16.01.02.SPA.pkg
Added cat3k_caa-srdriver.16.01.02.SPA.pkg
Added cat3k_caa-wcm.16.01.02.SPA.pkg
Added cat3k_caa-webui.16.01.02.SPA.pkg
[1 2 3]: Creating pending provisioning file
[1 2 3]: Finished installing software. New software will load on reboot.

FortiClient SSLVPN – export profiles

I am using the FortiClient SSLVPN lightweight application for SSL VPN access to client networks. Its GUI has no option to export the configured profiles, as you have with the full-featured FortiClient SSLVPN. The profiles of the lightweight version are stored in the registry, so you can export and import them from there. The registry location is:

[HKEY_CURRENT_USER\SOFTWARE\Fortinet\SslvpnClient\Tunnels]

forticlient-ssl-vpn