Connecting the world…

RADIUS Authentication

I am sure that many of you would like to do the same thing and many of you successfully configured it. I am trying to configure RADIUS Authentication on my Cisco 877W. I have two different RADIUS policies, the first for privilege level 1 and the second for privilege level 15. I am using Microsoft IAS as RADIUS server.

I configured two policies and the second policy has the following Advanced Options set.

RADIUS - Advanced Options

This means that the user should get privilege level 15, when logging in. I configured the following on the Cisco877W router.

aaa authentication login AD group radius local none
aaa authorization exec AD group radius
radius-server host auth-port 1812 acct-port 1813 key 7 KEY
radius-server retry method reorder
radius-server transaction max-tries 2
radius-server timeout 4
radius-server deadtime 2
radius-server vsa send authentication
line vty 0 4
session-timeout 5
access-class 10 in
exec-timeout 5 0
login authentication AD
transport preferred none
transport input ssh
transport output telnet ssh

The user doesn’t get the privilege level 15, but comes in privilege level 1 and has to enter enable to get into privilege level 15. I turned on RADIUS debugging and I see the shell code coming by, as the debug output below shows.

%SSH-5-SSH2_SESSION: SSH2 Session request from (tty = 1)
using crypto cipher ‘aes256-cbc’, hmac ‘hmac-sha1’ Succeeded
RADIUS/ENCODE(00000716): ask “Password: ”
RADIUS/ENCODE(00000716): send packet; GET_PASSWORD
RADIUS/ENCODE(00000716):Orig. component type = EXEC
RADIUS/ENCODE(00000716): dropping service type,
“radius-server attribute 6 on-for-login-auth” is off
RADIUS(00000716): Config NAS IP:
RADIUS/ENCODE(00000716): acct_session_id: 1814
RADIUS(00000716): sending
RADIUS/ENCODE: Best Local IP-Address for Radius-Server
RADIUS(00000716): Send Access-Request to id 1645/31, len 81
RADIUS: authenticator 72 D9 B5 F1 76 72 9A D1 – 73 D7 E8 AF 21 F3 B5 0F
RADIUS: User-Name [1] 6 “rene”
RADIUS: User-Password [2] 18 *
RADIUS: NAS-Port [5] 6 3
RADIUS: NAS-Port-Id [87] 6 “tty3”
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: Calling-Station-Id [31] 13 “”
RADIUS: NAS-IP-Address [4] 6
RADIUS: Received from id 1645/31, Access-Accept, len 83
RADIUS: authenticator BB BF B5 FD 1D 36 67 9B – FE 5A EE 5A 6C 42 5E B9
RADIUS: Vendor, Cisco [26] 25
RADIUS: Cisco AVpair [1]
19 “shell:priv-lvl=15”
RADIUS: Service-Type [6]
6 Login [1]
RADIUS: Class [25] 32
RADIUS: 3C 09 04 AE 00 00 01 37
00 01 0A 0A 01 05 01 C8 [< ??????7????????]
RADIUS: A6 C0 C2 0D FD 4C 00
00 00 00 00 00 00 13 [?????L????????]
RADIUS(00000716): Received from id 1645/31
[user: rene] [Source:] [localport: 22]

I am running out of options. I have tried to use the Cisco-AVpair in IAS, but no success. I tried using only Telnet, but no success. Maybe someone has an option to try…

Network simulator

More often I have to change critical configuration options in live environments, but sometimes I don’t no the effect of these changes on the network. So I would like to build a test network where I can check the impact of the configuration changes. A good network simulator would definitely help in this situation.

Cisco switches use IOS software and software always contains bugs. A new release can contain bug fixes, but also new features. It could be useful to test these new features in a test environment. Unfortunately we and our customers don’t have a lot of routers and switches in spare. So I need a network simulator, which can simulate real Cisco IOS software.

First I used the tool Dynamips / Dynagen. This text Cisco router emulator emulates a couple of Cisco routers. The tool helps by loading different images on your own laptop. The hard part of Dynamips is the configuration of a test environment. All configuration is done in text files, with a lot of different options.

Luckily I found a graphical user interface for Dynamips. It is called GNS3. GNS3I really love this tool, because designing a network environment is dragging and dropping some routers, define the desired modules and connect them together. Next start the emulator and you are ready to go. The new version of GNS3 doesn’t only emulate routers, but also the Cisco PIX firewall with software version 8.x. Of course it is no Cisco ASA, but better something then nothing.

I really recommend this tool to everybody involved with network infrastructures and especially Cisco environments. The tool can help you by testing features like routing protocols and QoS tools. GNS3 is also very useful when studying for a Cisco Exam, even for the CCIE certification.

LDAP and eSafe Gateway

eSafe Gateway can be used for scanning incoming and outgoing SMTP connections for virusses and SPAM. Normally eSafe Gateway doesn’t check incoming mail addresses against a directory like Active Directory or Novell Directory Services.

This means that all mail addresses for a trusted domain are forwarded to the internal mail server. In the most ideal situation unknown mail addresses should be blocked at the eSafe Gateway. This feature will take away load from the internal mail server, because this mail server doesn’t have to generate NDR (Non-Delivery Reports) messages. Beside that, the eSafe Gateway also doesn’t have to process the NDR’s. LDAP (Lightweight Directory Access Protocol) provides this functionality.

With LDAP configured, the eSafe Gateway will synchronize all known mail objects from the directory services with the eSafe Gateway. By this, the eSafe Gateway knows all valid mail objects and can block invalid mail objects. There are some issues when configuring a LDAP query with Active Directory. By default Active Directory only allows 1000 objects in one query. Some customers have more mail object, so this settings needs to be added. Inside Active Directory, you should edit the LDAP Policy setting MaxPageSize. Look here for more information about editing the MaxPageSize variable.

Some organizations use PublicFolders in conjunction with Microsoft. These PublicFolders can be mail-enabled and should be added in the LDAP filter configuration inside eSafe Gateway. This is done by changing the default filter




This results in adding the mail object PublicFolder to the LDAP query.

QoS matching for VoIP

Voice over IP is, as you know for sure, very time-sensitive traffic. That is why VoIP signaling and payload traffic should receive enough bandwidth and as less jitter and delay as possible.

QoS is an important tool to assign VoIP traffic more preference over “normal” traffic. Important for QoS tools to function correctly is placing different kinds of traffic in different queues. To place traffic in different queues, traffic should be classified. All VoIP traffic should be classified and placed in the same queue or given the same priority. I usually use the following ACL’s to match VoIP signaling and payload traffic.


ip access-list extended VOIP-SIGNALING
permit tcp any any eq 1720
permit tcp any any range 11000 11999
permit udp any any eq 2427
permit tcp any any eq 2428
permit tcp any any range 2000 2002
permit udp any any eq 1719
permit udp any any eq 5060


ip access-list extended VOIP-PAYLOAD
permit udp any any range 16384 32767

The following table gives some basic explanations for the different permit statements:

Protocol Matching criteria
H.323 / H.225 TCP/1720
H.323 / H.245 TCP/11xxx
Media Gateway Control Protocol (MGCP) UDP/2427 and TCP/2428
Skinny Client Control Protocol (SCCP) TCP/2000-2002
Simple Gateway Control Protocol (SGCP) TCP/2000-2002
H.323 / H.225 RAS TCP/1719
Session Initiation Protocol UDP/5060
Real-Time Transport Protocol (RTP) UDP/16384-32767, even ports only
Real-Time Control Protocol (RTCP) UDP/16384-32767, odd ports only

Cacti, easy going

A decent management server is very important in a network, at least that is my opinion. The most important aspect of a management server is its user friendliness. Our customers are most of the time busy with their own problems and the problems of end users, which include all kind of (silly) problems. So the most of them don’t have a lot of time to spend on configuring a management server.

That is why I like Cacti and especially CactiEZ. CactiEZ is a software appliance, which is up and running in half an hour. After that you just add some devices and you can generate some nice bandwidth statistics with the help of RRDTool. I have also seen a lot of other management servers, like Nagios, HP OpenView and Cisco Works, but the most of them are hard to configure and end up as mp3 player…..

When I configure a management server only for network components like switches, routers and/or firewalls, I always use CactiEZ. It is easy to install and gives me all the things I need. The most important options of Cacti for me are: bandwidth statistics, syslog messages, flow view, mac tracking, reporting and so one. Especially if you combine Cacti(EZ) with SwitchMap, you have a nice, easy to use and robust management server for your network.