
Cisco WLC – Upgrade FUS image

Today I upgraded the FUS image on a Cisco WLC 5500 controller, because I also upgraded the WLC software to 7.2.103.0. The FUS upgrade is straightforward and comparable to a regular software update. The only difference is that you need console access to perform the upgrade. The FUS image upgrades the following components:

  • Field Recovery Image is upgraded to runtime image version
  • Bootloader is upgraded to 1.0.16
  • Offline Field Diagnostics is upgraded to 0.9.28
  • FPGA Revision version is upgraded to 1.7
  • Environment Controller (MCU) Image version is upgraded to 1.8
  • USB Console Revision version is upgraded to 2.2

During the upgrade process you have to confirm that you want to proceed with the upgrade, as shown below:

Checking for Field recovery image upgrade

Field Recovery Image upgrade …

        Upgrade Field Recovery Image from version 6.0.182.0 to 7.0.112.21

        Are you sure you want to proceed (y/N) ? y
        ******************************************************************
        * Please make sure POWER SUPPLY is always ON during this period. *
        ******************************************************************

Erasing Flash (estimated 49 seconds) …

Writing to flash (estimated 716 seconds) …

This happens multiple times and the controller reboots several times during the upgrade. The complete FUS image upgrade took about 20 minutes.

Catalyst 3750X licensing

While making a kit list for a network design with Cisco Catalyst 3750X switches, I got confused by the different licensing features. The Cisco Catalyst 3750X switches are available with multiple licensing options, which can be upgraded.

A new switch can be ordered with two licensing options: LAN Base (Enhanced Intelligent Services) and IP Base (Baseline Enterprise Services). However, an additional license is available: IP Services (Enterprise Services). The LAN Base feature set is relatively new for this switch. A normal Cisco Catalyst 3750 is a multilayer switch with routing capabilities by default. The LAN Base license only allows the use of layer 2 “switching” features and offers no routing capabilities.

The LAN Base feature set offers enhanced intelligent services that include comprehensive Layer 2 features. The IP Base feature set provides baseline enterprise services in addition to all LAN Base features. IP Base also includes support for routed access, StackPower, and MACsec. The IP Services feature set provides full enterprise services that include advanced Layer 3 features such as Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Protocol Independent Multicast (PIM), and IPv6 routing such as OSPFv3 and EIGRPv6. The IP Services feature set also includes the Embedded Event Manager (EEM) and IP service-level agreements (SLAs) initiator functionalities. All software feature sets support advanced security, QoS, and management features. The IP Services feature set is only available as an upgrade option at the time of ordering or through a license at a later time; there is no dedicated IP Services switch model. [Source]

As I mentioned before, by default, the Cisco Catalyst 3750X can only be ordered with the LAN Base or IP Base license. Customers have the ability to upgrade from LAN Base to IP Base or from IP Base to IP Services. Below you see the article numbers for the different upgrades:

C3750X-24-L-S         C3750X-24 LAN Base to IP Base Paper License
C3750X-48-L-S         C3750X-48 LAN Base to IP Base Paper License
L-C3750X-24-L-S       C3750X-24 LAN Base to IP Base E-License
L-C3750X-48-L-S       C3750X-48 LAN Base to IP Base E-License
LL-C3750X-24-L-S      C3750X-24 LAN Base to IP Base E-License for Used Switch
LL-C3750X-48-L-S      C3750X-48 LAN Base to IP Base E-License for Used Switch
C3750X-24-IOS-S-E     C3750X-24 IP Base to IP Services factory IOS Upgrade
C3750X-48-IOS-S-E     C3750X-48 IP Base to IP Services factory IOS Upgrade
C3750X-24-L-E         C3750X-24 IP Base to IP Services Paper License
C3750X-48-L-E         C3750X-48 IP Base to IP Services Paper License
L-C3750X-24-L-E       C3750X-24 IP Base to IP Services E-License
L-C3750X-48-L-E       C3750X-48 IP Base to IP Services E-License
LL-C3750X-24-L-E      C3750X-24 IP Base to IP Services E-License for Used Switch
LL-C3750X-48-L-E      C3750X-48 IP Base to IP Services E-License for Used Switch

Hhhhmm, as you can see, you have multiple choices for upgrading from LAN Base to IP Base or from IP Base to IP Services. But what do they all mean?!?! I didn’t know exactly and had my doubts, so I asked our Cisco account manager and he gave me the following information.

Factory IOS Upgrade: You can upgrade directly from IP Base to IP Services at the moment you buy the switch. To receive a switch with an IP Services software image, you simply add the “IP Base to IP Services Factory Upgrade” to the order. This article number covers only the license and can only be used with a brand new switch.
Paper License: You need to order this license if you already own or are already using the switch. With the Paper License you receive a PAK code on paper.
E-License: Comparable to the Paper License, but the license is delivered via e-mail.
E-License for Used Switch: This license is delivered via e-mail and needs to be ordered if you would like to upgrade a refurbished switch.

The above explanation cleared a lot of my confusion about the new licensing mechanism. Hope it will help you too.

eSafe Proxy with NTLM v2.0

Today I am playing with eSafe 8 operating in eSafe Proxy mode with NTLM authentication. Configuring eSafe Proxy with NTLM authentication is very straightforward. The authentication settings are configured using the eSafe Appliance Manager web interface, as shown below.

[Image: eSafe_proxy]

I did some testing with multiple browsers and single sign-on with NTLM authentication is working perfectly. The system administrator was also testing, but he complained that he couldn’t authenticate: a pop-up box appears and when you enter the appropriate credentials, they aren’t accepted by eSafe. I found out that the customer is using Windows 7, while I was testing with Windows XP and Windows Server 2003.

Windows Vista, Windows 7, Windows Server 2008 R2 and higher use NTLM v2.0 only by default, whereas eSafe Proxy uses NTLM v1.0. The default setting within Windows can be changed to a mode that is backwards compatible with eSafe Proxy. Take the following steps to change the NTLM settings:

  1. Open the Group Policy Editor with gpedit.msc;
  2. Go to Computer Configuration – Windows Settings – Security Settings – Local Policies – Security Options;
  3. Go to the setting: Network security: LAN Manager authentication level;
  4. Change this setting to: Send LM & NTLM – use NTLMv2 session security if negotiated;
  5. Apply the policy with gpupdate /force.

[Image: ntlmv2]

The picture shows the policy setting within Windows. This should solve the problem with single sign-on on Windows Vista, Windows 7 and Windows Server 2008 R2 and higher.
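To check which level a host actually ends up with after the change above (or to spot hosts that were left at a level that still answers with NTLMv1), the policy can be read back from a security template. This is an added example, not part of the original post: it parses the [Registry Values] section of a `secedit /export /cfg <file>` template, where the setting is stored as the LmCompatibilityLevel registry value; the sample template is constructed.

```python
"""Audit the "Network security: LAN Manager authentication level" setting.

Added example, not part of the original post. Reads the setting from a
security template written by `secedit /export /cfg <file>`, where it is
stored as  MACHINE\\...\\Lsa\\LmCompatibilityLevel=<type>,<value>  with
type 4 meaning REG_DWORD.
"""
import re

LEVEL_NAMES = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}
DEFAULT_LEVEL = 3  # Vista / 7 / 2008 R2 and later when the value is absent

_LMCOMPAT_LINE = re.compile(
    r"^MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel"
    r"=4,(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def lm_compatibility_level(template_text):
    """Return the configured level, or DEFAULT_LEVEL if the template omits it."""
    match = _LMCOMPAT_LINE.search(template_text)
    return int(match.group(1)) if match else DEFAULT_LEVEL

def audit(template_text):
    """Summarise what the host will send. Levels 0-2 answer any server that
    asks with NTLMv1 (0-1 also LM), not only the eSafe proxy; 3-5 send NTLMv2."""
    level = lm_compatibility_level(template_text)
    return {"level": level,
            "name": LEVEL_NAMES.get(level, "unknown"),
            "sends_ntlmv1": level < 3}

# Constructed sample: the relevant part of an export taken after the change
# above (level 1) was applied on a Windows 7 host.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""
```

Note that a domain GPO that also sets this policy overwrites the local value at the next policy refresh, so the audit is worth repeating after `gpupdate /force`.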

MAC Authentication Bypass – Continued

Finally I had a day “off” and could test MAC Authentication Bypass (MAB) in our test environment at the office. I created the following test environment:

[Image: MAB-TEST]

There are four VLANs and a Cisco Catalyst 3750 routes between them. I wanted to create an environment with the following properties:

  • All switch ports are members of VLAN 1 by default;
  • Authenticated workstations become members of VLAN 25;
  • Unauthenticated workstations become members of VLAN 30;
  • VoIP phones are members of VLAN 15;
  • All workstations should be able to boot with Wake on LAN;
  • MS-IAS is used as the RADIUS authentication server.

I have configured the necessary components and got the environment working with the above properties. The next few sections cover the configuration of the different components.

Cisco Catalyst 3750

Most of the configuration is done on the Cisco Catalyst 3750 switch. First of all I created the different VLANs on layer 2 of the OSI model. Next I created the SVIs to make the VLANs routable, using the standard SVI configuration. I used the ‘quick-and-dirty’ solution for Wake On LAN (WOL) by just adding the ip directed-broadcast command to the SVIs. The snippet below shows the SVI configuration.

interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip directed-broadcast
!
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 ip directed-broadcast
!
interface Vlan15
 ip address 192.168.15.254 255.255.255.0
!
interface Vlan30
 ip address 192.168.30.254 255.255.255.0
!

The next step is configuring AAA and the RADIUS group for authenticating the connected clients to the network. The snippet below shows this configuration.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius-server host 192.168.10.30 auth-port 1812 acct-port 1813 key ictivity

The following step is to enable 802.1x globally on the switch, using the command in the following snippet.

dot1x system-auth-control

The last configuration snippet shows the configuration of a switch port. This switch port is configured to use MAC Authentication Bypass as the backup authentication method if 802.1x cannot authenticate the client.

interface GigabitEthernet1/0/16
 switchport mode access
 switchport voice vlan 15
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 dot1x guest-vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable

MS-IAS

I configured Internet Authentication Service on a Windows 2003 server. I didn’t configure Active Directory, but used local users and local groups for authentication. I configured the RADIUS client inside IAS and started to create a Remote Access Policy. The Remote Access Policy matches a newly created Windows group. The important aspects of the policy are the Authentication options and the Advanced attributes. The configuration of both is shown below.

[Images: Authentication, Advanced]

The last step in the whole process is configuring the Windows group and adding users to that group. The MAC address of the workstation acts as both username and password. Note that all characters are case-sensitive and the username and password should contain only lowercase characters. An example of a username and password is: 0016762eccda.
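Because IAS compares the MAB username and password case-sensitively, it helps to derive both from the MAC address by one routine rather than by hand. The following is an added example, not part of the original post: it normalises a MAC address in any common notation to the lowercase form used above and renders a RADIUS entry in FreeRADIUS `users` file syntax (the post names FreeRADIUS as an alternative to IAS), including the RFC 3580 tunnel attributes that place an authenticated port in VLAN 25; the inventory at the bottom is constructed.

```python
"""Derive MAB credentials and RADIUS entries from MAC addresses.

Added example, not part of the original post. Every address is normalised to
the twelve lowercase hex digits IAS expects (0016762eccda); entries use
FreeRADIUS `users` file syntax with the RFC 3580 tunnel attributes that make
the switch assign the authenticated VLAN.
"""
import re

AUTHENTICATED_VLAN = 25  # VLAN for authenticated workstations in the post's design

_SEPARATORS = re.compile(r"[:\-.\s]")

def mab_identity(mac):
    """Normalise 00:16:76:2E:CC:DA, 00-16-76-2e-cc-da, 0016.762e.ccda (Cisco)
    or 0016762ECCDA to the MAB username; reject anything not 48 bits of hex."""
    digits = _SEPARATORS.sub("", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def freeradius_users_entry(mac, vlan=AUTHENTICATED_VLAN):
    """One `users` entry: MAC as username and password plus the VLAN reply
    attributes. The credential is the MAC the client puts on the wire, so the
    entry proves only that a device claims this address, as the post notes."""
    ident = mab_identity(mac)
    return (f'{ident} Cleartext-Password := "{ident}"\n'
            "\tTunnel-Type = VLAN,\n"
            "\tTunnel-Medium-Type = IEEE-802,\n"
            f"\tTunnel-Private-Group-Id = {vlan}\n")

def build_users_file(inventory):
    """Render entries for (mac, vlan) pairs. The same MAC written in two
    notations is a duplicate identity and is rejected instead of producing
    two entries with possibly different VLANs."""
    seen, entries = set(), []
    for mac, vlan in inventory:
        ident = mab_identity(mac)
        if ident in seen:
            raise ValueError(f"duplicate MAB identity {ident}")
        seen.add(ident)
        entries.append(freeradius_users_entry(ident, vlan))
    return "\n".join(entries)

# Constructed sample inventory: the post's example address in Cisco notation
# plus a second, made-up workstation.
SAMPLE_INVENTORY = [("0016.762e.ccda", AUTHENTICATED_VLAN),
                    ("00-1A-2B-3C-4D-5E", AUTHENTICATED_VLAN)]
```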

After configuring the test environment I did some testing. First I tried to connect a workstation and authenticate. This works perfectly; you will see a nice IAS event message on the Windows 2003 server. Next I connected an IP phone with a built-in switch and connected the workstation to the IP phone. The workstation again authenticated flawlessly against the RADIUS server. The last test was trying to wake up the workstation via Wake On LAN. When you shut down the workstation, the switch port first goes into shutdown and re-enables after the workstation has completely shut down. Next the switch port returns to VLAN 1 (switchport access vlan 1). I sent the Magic Packet to the broadcast address of VLAN 1. The workstation starts booting and authenticates against the RADIUS server.

I can only say, that MAC Authentication Bypass is working perfectly in my TEST environment. Shortly I will try to implement it on the network of one of our customers, because he wants a cheap method for securing his switch ports.

I know, and I told the customer, that MAC authentication isn’t a very powerful tool for securing the switch port, because spoofing a valid MAC address is enough to get access to the network. But MAC authentication is still better than no authentication at all. And let’s face it, what are the costs: NOTHING!!!

Most companies have a Windows 2003 server where IAS can be installed, or you can use FreeRADIUS, so there are no costs for the OS. I have tried an IP Base and an IP Services IOS on the Cisco Catalyst 3750; both work perfectly. A switch ships with at least an IP Base image, so no additional costs here either. The only costs are made during the configuration and testing of the authentication.

Check the latest article about MAB and MDA in an IP Phone environment