Booches.nl

Another blogging colleague

There is a new blogger on the internet. The owner of the blog is working as Solution Consultant at 4IP and has a main focus on networking. His blog is called Frameburst and can be found via the URL http://www.frameburst.net.

He is still developing this blog and working at the layout, but here are some interesting outtakes:

I think Aruba’s VBN is a great solution as addition to their portfolio, there are still some small bumps and glitches concerning the ‘zero-touch’ process but nothing serious. I think VBN is a great solution for companies that want to extend their wireless corporate network to branch offices and home users with the same security benefits. Source

A few weeks ago I’ve passed my JNCIA-EX exam, I’ve used a Juniper EX 4200 Switch  acquired as demonstration model from Juniper Networks which was very helpful for the exam preparation and eventually passing the exam. After unpacking the switch and booting up for the first time it was password protected because the switch wasn’t reset to it’s factory defaults. Source

The RSS feed is already working, so add it to your RSS reader.

eSafe Proxy with NTLM v2.0

Today I am playing with eSafe 8 operating in eSafe Proxy with NTLM authentication mode. Configuring eSafe Proxy with NTLM authentication is very straightforward and not difficult. The authentication settings are configuring using the eSafe Appliance Manager web interface, like shown below.

I did some testing with multiple browsers and single sign-on with NTLM authentication is working perfectly. The system administrator was also testing, but he was complaining that he couldn’t authenticate. A pop-up box is received and when you enter the appropriate credentials, they aren’t accepted by eSafe. I found out that the customer is using Windows 7 and I was testing with Windows XP and Windows Server 2003.

Windows Vista, Windows 7 and Windows Server 2008 R2 and higher use NTLM v2.0-only by default. eSafe Proxy uses NTLM v1.0. The default setting within Windows can be changed to operate in a mode which is backwards compatible with eSafe Proxy. Take the following steps to change the NTLM settings:

1. 1. Open the Group Policy Editor with gpedit.msc;
2. 2. Go to Computer Configuration – Windows Settings – Security Settings – Local Policies – Security Options;
3. 3. Go to the setting: Network security: LAN Manager authentication level
4. 4. Change this setting to: Send LM & NTLM – use NTLMv2 session security if negotiated
5. 5. Apply the policy with gpupdate /force

The picture shows the policy setting within Windows. This should solve the problem with single sign-on on Windows Vista, Windows 7 and Windows Server 2008 R2 and higher.

Huh? Interface SSLVPN-VIF0?

While checking interface statistics on a Cisco 3845, I noticed the following layer 3 interfaces.

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         74.124.155.67   YES NVRAM  up                    up
GigabitEthernet0/1         10.10.10.1      YES NVRAM  up                    up
GigabitEthernet0/0/0       unassigned      YES NVRAM  administratively down down
SSLVPN-VIF0                unassigned      NO  unset  up                    up
Tunnel0                    192.168.255.2   YES NVRAM  up                    up

I can explain all interfaces, except the SSLVPN-VIF0 interface. I tried to look at the internet, but that didn’t result in any useful information. I used Cisco’s Output Interpreter, but that didn’t help either.

INFO: The following interfaces show the interface configuration ‘method’ as ‘unset’. SSLVPN-VIFO This means that no configuration changes were made to the interface since the last reload.

I noticed the same interface on a Cisco 1811 router, but not on the Cisco 871 and Cisco 878 routers. The interface cannot be related to SSL VPN functionalities, because that feature isn’t configured on the routers. At least that was what I thought at first. I checked my home router, because it has SSL VPN configured and found that the SSLVPN-VIF0. As the abbreviation implies, SSLVPN-VIF0 stands for “SSLVPN Virtual Interface 0”.

An IP address is assigned to the interface, after establishing a SSLVPN connection. You can retrieve more information about the SSLVPN-VIF interface by using multiple show interface SSLVPN-VIF commands. An example is shown below:

router#show interface SSLVPN-VIF 0 switching
SSLVPN-VIF0 ***Internally created by SSLVPN context home***

Protocol  IP
Switching path    Pkts In   Chars In   Pkts Out  Chars Out
Process         26       2657          4        240
Cache misses          0          -          -          -
Fast          0          0          0          0
Auton/SSE          0          0          0          0

NOTE: all counts are cumulative and reset only after a reload.

So don’t panic when you see the SSLVPN-VIF0 interface on your router. You now know where it is coming from.