Booches.nl

Connecting the world…

MacOS X

I have used MacOS X in the past on an “old” MacBook and I have an iMac at home, but recently I have been using a MacBook Pro for work. This blog post is just a wrap-up of “things” that I use often but for some reason always forget.

Add Static route

Add a static route from the command line. The -n flag skips name resolution, and the route is not persistent: it is gone after a reboot.

sudo route -n add -net <network> <gateway>
Example: sudo route -n add -net 172.16.0.0/12 172.18.21.254

Import intermediate / root certificate

Export a certificate from a website, so that I can import it into the MBP certificate store or into other appliances, like ClearPass. With -showcerts, s_client prints the whole chain the server sends (leaf first), not just the server certificate.

openssl s_client -connect www.booches.nl:443 -showcerts
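As an added example (not part of the original post), a small Python helper that takes the output of the command above and writes every certificate the server sent to its own PEM file, checking that each block is valid base64 and starts with the DER SEQUENCE tag before writing it. Pipe the command into it and add </dev/null so s_client does not wait for input. The host name and the two PEM bodies in SAMPLE_OUTPUT are constructed dummies, not real certificates.

```python
"""Split the chain printed by `openssl s_client -showcerts` into one PEM file
per certificate, so each can be imported into a keychain or an appliance.

Added example, not from the original post. Feed it the s_client output:

    openssl s_client -connect www.booches.nl:443 -showcerts </dev/null 2>/dev/null \
        | python3 split_chain.py ./certs
"""
import base64
import binascii
import pathlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_chain(text):
    """Return the DER bytes of every PEM certificate block in `text`, in order.

    A block whose body is not valid base64, or that does not start with the
    DER SEQUENCE tag (0x30) every X.509 certificate begins with, raises instead
    of being silently written out as a broken file.
    """
    ders = []
    for match in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("PEM block %d is not valid base64: %s" % (len(ders), exc))
        if not der or der[0] != 0x30:
            raise ValueError("PEM block %d does not look like DER" % len(ders))
        ders.append(der)
    return ders


def write_chain(text, outdir):
    """Write cert0.pem (server cert), cert1.pem (next in chain), ... to outdir.

    s_client prints the chain leaf first, so index 0 is the server certificate
    and the highest index is the last certificate the server sent (often an
    intermediate; servers frequently omit the root). Returns the written paths.
    """
    out = pathlib.Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, der in enumerate(split_chain(text)):
        b64 = base64.b64encode(der).decode("ascii")
        pem = "-----BEGIN CERTIFICATE-----\n"
        pem += "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
        pem += "\n-----END CERTIFICATE-----\n"
        path = out / ("cert%d.pem" % i)
        path.write_text(pem)
        paths.append(str(path))
    return paths


# Constructed sample of what s_client prints: two blocks whose bodies decode to
# a minimal DER SEQUENCE (not real certificates), plus the surrounding chatter.
SAMPLE_OUTPUT = """CONNECTED(00000003)
depth=0 CN = www.example.test
 0 s:CN = www.example.test
   i:CN = Example Intermediate
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate
   i:CN = Example Root
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
---
Server certificate
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "./certs"
    for p in write_chain(sys.stdin.read(), target):
        print("wrote", p)
```

On macOS the resulting file can then be added to the System keychain with security add-trusted-cert (for a root CA: sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certs/cert1.pem). Only do that for a root or intermediate you have verified out of band: -showcerts prints whatever chain the server chose to send, and the last certificate is often an intermediate rather than the root.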

ClearPass – REST API

Description:

I created some Python scripts for ClearPass. The scripts can be found on GitHub. There are several directories:

  • config: contains the parameters to authenticate against ClearPass and acquire an access token;
  • general_scripts: some general scripts, like a Password Generator script or a Date/Time script;
  • guests: scripts for adding or deleting guest accounts. I created a script that adds guest accounts from a CSV file and prints the most important information to a Guest Pass in Word format;
  • localusers: scripts for adding or deleting local user accounts.

First of all, I would like to thank Tim Cappalli for the ClearPass Authentication scripts!!
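An added example of the two steps the config and guests directories cover, written for this page and not taken from the scripts on GitHub: obtain an access token with an OAuth2 client_credentials grant and create guest accounts from a CSV file. The endpoint paths (POST /api/oauth and POST /api/guest), the request body fields, the role_id value and the CSV columns are assumptions to check against the API Explorer of your ClearPass version; SAMPLE_CSV is constructed data.

```python
"""Authenticate against the ClearPass REST API with OAuth2 client credentials
and create guest accounts from a CSV file.

Added example, not the original post's scripts. Assumptions to verify against
your ClearPass API Explorer: the token endpoint is POST {base}/api/oauth with a
JSON body {grant_type, client_id, client_secret}, and guests are created with
POST {base}/api/guest carrying a Bearer token. The guest fields, role_id and
CSV columns are made up for the example.
"""
import csv
import io
import json
import secrets
import urllib.request

DEFAULT_ROLE_ID = 2  # assumed: the "[Guest]" role of a default ClearPass install


def token_request(base_url, client_id, client_secret):
    """Build the OAuth2 client_credentials request as (url, headers, body)."""
    body = json.dumps({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("utf-8")
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    return base_url.rstrip("/") + "/api/oauth", headers, body


def parse_token(response):
    """Return the access token from the decoded /api/oauth JSON response."""
    if response.get("token_type", "").lower() != "bearer" or not response.get("access_token"):
        raise ValueError("unexpected token response: %r" % (response,))
    return response["access_token"]


def guests_from_csv(text):
    """Parse 'username,visitor_name,password' rows into /api/guest bodies.

    An empty password column gets a random one from the secrets module, so the
    CSV never has to carry real credentials.
    """
    guests = []
    for row in csv.DictReader(io.StringIO(text)):
        username = (row.get("username") or "").strip()
        if not username:
            continue
        guests.append({
            "username": username,
            "password": (row.get("password") or "").strip() or secrets.token_urlsafe(12),
            "visitor_name": (row.get("visitor_name") or "").strip(),
            "role_id": DEFAULT_ROLE_ID,
            "enabled": True,
        })
    return guests


def guest_request(base_url, token, guest):
    """Build the POST /api/guest request as (url, headers, body)."""
    headers = {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return base_url.rstrip("/") + "/api/guest", headers, json.dumps(guest).encode("utf-8")


def http_post(url, headers, body):
    """Real transport: returns (status, decoded JSON). TLS verification stays on."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.getcode(), json.loads(resp.read().decode("utf-8"))


def create_guests(base_url, token, guests, post=http_post):
    """POST each guest; return [(username, status)]. `post` is injectable for tests."""
    results = []
    for guest in guests:
        status, _ = post(*guest_request(base_url, token, guest))
        results.append((guest["username"], status))
    return results


# Constructed sample CSV (not real accounts); the second row relies on password generation.
SAMPLE_CSV = """username,visitor_name,password
visitor01,Alice Example,Sup3r-Secret-Pass
visitor02,Bob Example,
"""

if __name__ == "__main__":
    import getpass
    import sys
    base = sys.argv[1]  # e.g. https://clearpass.example.test
    url, hdrs, body = token_request(base, sys.argv[2], getpass.getpass("client secret: "))
    token = parse_token(http_post(url, hdrs, body)[1])
    with open(sys.argv[3], encoding="utf-8") as f:
        for user, status in create_guests(base, token, guests_from_csv(f.read())):
            print(user, status)
```

The client secret is read interactively rather than stored in the CSV or on the command line, and the transport function is separate from the request builders so the account handling can be exercised without a live ClearPass.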

GuestPass Example

Scripts:

 


FortiGate – OnDemand Token Timeout

Today’s customer had a problem with OnDemand tokens on a FortiGate firewall. The FortiGate uses RADIUS authentication for SSL VPN users, with FortiAuthenticator as the RADIUS server. To strengthen security, FortiAuthenticator is configured to require two-factor authentication (2FA) for a successful login. FortiAuthenticator can deliver the second factor in several ways, such as hardware FortiTokens, FortiToken Mobile, or codes sent by e-mail or SMS.

A problem with the latter two can be timeouts: by default, FortiAuthenticator expects the token code within 60 seconds. This value is configurable.

However, changing the timeout in FortiAuthenticator alone isn’t enough, because FortiGate has its own timeout as well. You need to raise that value too if you want more time between entering the username/password and entering the token code. The timers are configured in the CLI under config system global:

two-factor-email-expiry: e-mail-based two-factor authentication session timeout (30 – 300 seconds (5 minutes), default = 60).
two-factor-fac-expiry: FortiAuthenticator token authentication session timeout (10 – 3600 seconds (1 hour), default = 60).
two-factor-ftk-expiry: FortiToken authentication session timeout (60 – 600 seconds (10 minutes), default = 60).
two-factor-ftm-expiry: FortiToken Mobile session timeout (1 – 168 hours (7 days), default = 72).
two-factor-sms-expiry: SMS-based two-factor authentication session timeout (30 – 300 seconds (5 minutes), default = 60).

In this particular case, I changed the two-factor-fac-expiry setting to match the timeout on FortiAuthenticator. Keep the window as short as the delivery method allows: a longer expiry also extends the time during which an intercepted or phished code can still be used.

HPE AOS CLI command

Description:

The script is used to execute a CLI command on one or more switches. It reads switches.txt as its input file to log in to each switch. When the script is executed, it asks for a username and password and for the command to execute. The status of each step is displayed and the output of the CLI command is written to a file. The file name syntax is SW<IP>_<sw hostname>_<cli command>.txt

Usage:

  • create switches.txt and add the switch IP addresses, one IP address per line
  • execute the Python script
  • the script was tested with:
    • Python 3.6
    • Aruba JL258A 2930F-8G-PoE+-2SFP+ Switch
    • Software revision WC.16.05.0004
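An added example implementing the procedure above (written for this page, not the post’s own script): read switches.txt, prompt for credentials and a command, run it on every switch and write each result to SW<IP>_<hostname>_<command>.txt, with the command sanitised so it can be used in a file name and with a failure on one switch not aborting the rest. It assumes the netmiko library (device_type hp_procurve for ArubaOS-Switch) for the SSH session; the runner is injectable so the loop can be exercised without a switch, and SAMPLE_SWITCHES is constructed data.

```python
"""Run one CLI command on every switch listed in switches.txt and save each
switch's output to SW<IP>_<hostname>_<command>.txt.

Added example, not the post's own script. It assumes the netmiko library
(device_type "hp_procurve" covers ArubaOS-Switch such as the 2930F) for the
SSH session; the `runner` argument lets the loop run without a real switch.
"""
import getpass
import re


def read_switches(text):
    """One IP per line; blank lines and '#' comments are ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def _safe(s):
    """Replace anything that is not alphanumeric, dot, underscore or dash."""
    return re.sub(r"[^A-Za-z0-9._-]+", "_", s.strip()).strip("_")


def output_filename(ip, hostname, command):
    """SW<IP>_<hostname>_<command>.txt with file-name-unsafe characters replaced."""
    return "SW%s_%s_%s.txt" % (_safe(ip), _safe(hostname) or "unknown", _safe(command) or "cmd")


def netmiko_runner(ip, username, password, command):
    """Return (hostname, output) over SSH; the hostname is taken from the CLI prompt."""
    from netmiko import ConnectHandler  # pip install netmiko (assumed dependency)
    conn = ConnectHandler(device_type="hp_procurve", host=ip,
                          username=username, password=password)
    try:
        hostname = conn.find_prompt().strip().rstrip("#>").strip()
        return hostname, conn.send_command(command)
    finally:
        conn.disconnect()


def write_file(filename, text):
    """Default writer: store the output in the current directory."""
    with open(filename, "w", encoding="utf-8") as f:
        f.write(text)


def run_on_switches(switches, username, password, command,
                    runner=netmiko_runner, writer=write_file):
    """Execute `command` on each switch; return [(ip, status, filename)].

    status is "ok" or "error: <reason>"; a failing switch does not stop the run.
    """
    results = []
    for ip in switches:
        try:
            hostname, output = runner(ip, username, password, command)
        except Exception as exc:  # authentication failure, timeout, unreachable host
            results.append((ip, "error: %s" % exc, None))
            continue
        name = output_filename(ip, hostname, command)
        writer(name, output)
        results.append((ip, "ok", name))
    return results


# Constructed switches.txt content for the example.
SAMPLE_SWITCHES = """# lab switches
10.10.0.11
10.10.0.12

"""

if __name__ == "__main__":
    with open("switches.txt", encoding="utf-8") as f:
        targets = read_switches(f.read())
    user = input("Username: ")
    pw = getpass.getpass("Password: ")
    cmd = input("Command: ")
    for ip, status, name in run_on_switches(targets, user, pw, cmd):
        print(ip, status, name or "")
```

The password is read with getpass rather than taken from the command line or the input file, and a switch that times out or rejects the login is reported in the results list while the remaining switches are still processed.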

Script:

FortiGate – backup via auto-script

One of the features I would like to see in a FortiGate is the ability to create backups automatically and copy them to offline storage. Of course, this can be accomplished by adding FortiManager to the solution, but why would I need FortiManager if I only have one FortiGate (cluster)? Another option would be using scripts, like Python or PowerShell, run as scheduled tasks on a server to pull a backup from the FortiGate firewalls.

A very basic option is the system auto-script feature in FortiOS 5.4 and higher, which lets you save CLI command scripts and run them on a schedule. This makes it possible to automate the execute backup full-config command. A disadvantage is that this command only supports FTP and TFTP; there is no option to use a secure protocol like SFTP, so the configuration file, which contains sensitive data, crosses the network unencrypted and the receiving server is not authenticated. Keep the TFTP server on an isolated management network.

An example of an auto-script:


The example runs the backup command and sends the resulting file to the TFTP server. The script runs every 24 hours (86400 seconds), repeats indefinitely and starts automatically.

The script can also be configured via the GUI (Global >> System >> Advanced >> Configuration Scripts). More information about the feature can be found here.
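An added example of the scripted alternative mentioned above (written for this page, not the post’s own code): a Python script, meant to run from a scheduled task on the backup server, that pulls the configuration over HTTPS instead of having the FortiGate push it over TFTP, checks that the response really is a FortiOS configuration and stores it under a hostname and timestamp. The REST API token and the endpoint GET /api/v2/monitor/system/config/backup?destination=file&scope=global are assumptions to check against the REST API reference of your FortiOS version; SAMPLE_CONFIG is a constructed stand-in for a backup body.

```python
"""Pull a FortiGate configuration backup over HTTPS on a schedule, as the
scripted alternative to the TFTP-only `execute backup full-config` auto-script.

Added example, not from the original post. Assumptions to check against your
FortiOS version's REST API reference: a REST API admin token and the endpoint
GET /api/v2/monitor/system/config/backup?destination=file&scope=global
returning the configuration as text. The `fetch` argument is injectable so
the file handling can be tested without a firewall.
"""
import datetime
import pathlib
import re
import ssl
import urllib.request

BACKUP_PATH = "/api/v2/monitor/system/config/backup?destination=file&scope=global"


def backup_request(base_url, token):
    """(url, headers) for the backup call; the token travels in a header, not the URL."""
    return base_url.rstrip("/") + BACKUP_PATH, {"Authorization": "Bearer " + token}


def https_fetch(url, headers, cafile=None):
    """Real transport. Certificate verification stays on; pass cafile for a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=60, context=ctx) as resp:
        return resp.read()


def looks_like_fortios_config(data):
    """FortiOS configuration dumps start with a '#config-version=' header line."""
    return data.startswith(b"#config-version=")


def backup_filename(data, when):
    """<hostname>_<UTC timestamp>.conf, with the hostname read from the config itself."""
    m = re.search(rb'^\s*set hostname "([^"]+)"', data, re.M)
    host = m.group(1).decode("ascii", "replace") if m else "fortigate"
    return "%s_%s.conf" % (host, when.strftime("%Y%m%dT%H%M%SZ"))


def pull_backup(base_url, token, outdir, fetch=https_fetch, now=None):
    """Fetch, sanity-check and store one backup; return the written path.

    A login page, JSON error or empty body is rejected instead of being saved
    as if it were a backup, which is the silent failure a scheduled job hides.
    """
    data = fetch(*backup_request(base_url, token))
    if not looks_like_fortios_config(data):
        raise ValueError("response is not a FortiOS configuration (got %r...)" % data[:40])
    when = now or datetime.datetime.now(datetime.timezone.utc)
    path = pathlib.Path(outdir) / backup_filename(data, when)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    return str(path)


# Constructed stand-in for a backup body (a real file is the full running config).
SAMPLE_CONFIG = b"""#config-version=FGT60E-6.2.0-FW-build0866-190328:opmode=0:vdom=0
config system global
    set hostname "FGT-EDGE-01"
end
"""

if __name__ == "__main__":
    import os
    import sys
    # usage: FGT_API_TOKEN=... python3 pull_backup.py https://fgt.example.test ./backups
    print(pull_backup(sys.argv[1], os.environ["FGT_API_TOKEN"], sys.argv[2]))
```

Use a dedicated REST API administrator for this with a read-only profile and trusted hosts limited to the backup server, and keep the token in the scheduler’s environment or a secret store rather than in the script; the written files still contain the full configuration and deserve the same protection as the firewall itself.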