I had some issues while configuring some VRF’s on a Cisco router and using that router as a DHCP server. First of all the router wasn’t binding any DHCP request. The DHCP server configuration is defined below.
ip dhcp pool guest
network 10.10.0.0 255.255.252.0
dns-server 18.104.22.168 22.214.171.124
The configuration of the DHCP server is very straightforward. Exception is the use of the VRF interface to bind the DHCP server to. With this configuration the DHCP server isn’t working, because no IP addresses are bind to clients.
The second issue is about configuring some IP address exclusions for the configured pool. This can be done via the command ip dhcp excluded-address vrf <vrf-name> <first ip-address> <last ip-address> (info). Depending on the IOS version used, this command isn’t available in CLI. I had this issue with the CIsco 2811 I was using, so I tried to ip dhcp class command. I added the following to the configuration of the DHCP server.
ip dhcp class dhcp_class_unsecure
remark limit IP addresses
ip dhcp pool unsecure
network 172.16.252.0 255.255.252.0
dns-server 126.96.36.199 188.8.131.52
address range 172.16.253.1 172.16.253.255
This isn’t exactly the same as configuring IP exclusions, because the ip dhcp class command is used to group clients on specific characteristics. Clients that match these characteristics are assigned an IP address from the specific class. In my situation the use of the ip dhcp class command fixed the problem.
This article isn’t very difficult and spectacular. It is just for me as a quick note to configure DHCP relaying on a HP A4800G switch. The configuration of this type of switch is a little different compared to Cisco and/or legacy HP ProCurve switches. The following steps are required to configure DHCP relaying:
System View: return to User View with Ctrl+Z.
[SW01]dhcp relay server-group <group id> ip <DHCP server>
[SW01]dhcp select relay
[SW01]dhcp relay server-select <group id>
As said before this is very simple. But for some reason I always forget the DHCP enable and DHCP select relay configuration options.
When configuring a Microsoft ISA Server 2006 array you have two options for authentication and communication between the Microsoft ISA 2006 Configuration Storage Server and the array members.
I normally configure the array members within a DMZ environment en install the CSS server on the internal network.
To maximize the security the array members aren’t part of the Active Directory. So communication between the CSS and the array members is workgroup based and the authentication type used is Authentication over SSL encrypted channel. This option needs the configuration of SSL certificates to authenticate and secure the connection. The certificates have a certain validity period, after which the certificate needs to be renewed.
Normally I always ran the repair option from the installation and specified the new certificate. I discovered a new and simpler method by using the ISACertTool. This tool provides an easy way to renew the certificate on the Configuration Storage Server and the root CA certificate on the array members.
You just need to create a web server certificate in pfx format from a Windows CA server of any other CA server. If the CA server isn’t trusted by the array members, you need to install the CA certificate on the array members. If you use trusted CA server certificate, you can skip this step.
The syntax for the ISACertTool is very straightforward. On the Configuration Storage Server you need to run the following command:
ISACertTool.exe /st <pfx file> /pswd <password> /keepcerts
On the array member you run the following command to install the root CA certificate.
ISACertTool.exe /fw <root ca file>
IMPORTANT: for a correct usage of the tool you need to extract the tool to the Microsoft ISA Server install directory, which is by default C:\Program Files\Microsoft ISA Server.
Creating a web server certificate request is very easy when using a Windows CA server. There is one disadvantage. The requested certificate is directly stored in the user store (by default) or the local computer store, if specified during the request. The disadvantage is that you cannot export the requested certificate including the private keys. During the request the option to Mark keys as exportable is grayed out.
There is a way to mark the keys as exportable when using a Windows CA server. You need to create a new Web Server Certificate template. You can use the existing Web Server Certificate Template as default and copy the current settings. To do so, you just:
That is all you need to do. You can now request a new certificate with the newly create certificate template. After the certificate is issued and installed on the user or local computer store, you can export the certificate including the private key.
Today I had some problems running ISA 2004 en IAS on the same server. At the beginning the customer was running ISA 2000 and IAS on the same server without any problems. By incident, the customer was forced to upgrade his ISA. They had a 2004 license, so ISA 2004 it was.
I noticed that ISA 2004 puts a “Default ISA policy” with the highest priority in the remote access policies. The rule blocks all RADIUS requests, so I had to manually remove the access policy. After the removal everything was working fine again.
I had to change the configuration in the ISA server again and the “Default ISA policy” came back in IAS. So I had to delete the rule again. I also tried to change the priority of the rule, but the “Default ISA policy” gets the highest priority again after applying a change in ISA.
I cannot find anything specific about this problem on the internet, so maybe someone experienced this before and can provide me with an answer to disable this behavior.