Auth-fail-vlan and guest-vlan for dot1x configuration in Cisco switches

Reference:

http://packetlife.net/blog/2008/aug/12/8021x-guest-vlans/
https://www.experts-exchange.com/questions/25115133/dot1x-auth-fail-vlan-not-working.html

Tested that both guest-vlan and auth-fail-vlan work as expected with the following configuration:

aaa new-model
aaa authentication dot1x default group radius
radius-server host **** auth-port ** acct-port ** key **
radius-server source-ports **

dot1x system-auth-control
dot1x guest-vlan supplicant

interface GigabitEthernet0/10
description 11a 10(11212)
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x max-req 1
dot1x reauthentication
dot1x guest-vlan 922
dot1x auth-fail vlan 923
dot1x auth-fail max-attempts 1

As discussed in the referenced links, auth-fail-vlan and guest-vlan only work with tuned values of max-req, auth-fail max-attempts and tx-period.

With the following configuration, the client stays in the guest-vlan when authentication fails:
dot1x auth-fail max-attempts 3

With the following configuration, the client falls back into the auth-fail-vlan when authentication fails:

interface GigabitEthernet0/10
description 11a 10(11212)
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x max-req 1
dot1x reauthentication
dot1x guest-vlan 922
dot1x auth-fail vlan 923
dot1x auth-fail max-attempts 3

With the following configuration, the port is brought down when authentication fails:

dot1x guest-vlan supplicant

With the following configuration, the port is brought down when authentication fails:

interface GigabitEthernet0/10
description 11a 10(11212)
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x max-req 1
dot1x reauthentication
dot1x guest-vlan 922
dot1x auth-fail vlan 923
dot1x auth-fail max-attempts 1

make

http://linoxide.com/how-tos/linux-make-command-examples/
The make command accepts targets as command line arguments. These targets are usually specified in a file named 'Makefile', which also contains the associated action corresponding to each target.
When the make command is executed for the very first time, it scans the Makefile to find the target (supplied to it) and then reads its dependencies. If these dependencies are targets themselves, it scans the Makefile for those targets and builds their dependencies (if any), and then builds them. Once the main dependencies are built, it builds the main target.
Suppose you make a change to only one source file and execute the make command again: it will only recompile the object file corresponding to that source file, and hence save a lot of time in building the final executable.
Here are the details of the testing environment used for this article :
OS – Ubuntu 13.04
Shell – Bash 4.2.45
Application – GNU Make 3.81

http://www.cs.colby.edu/maxwell/courses/tutorials/maketutor/
example:
(variables)
IDIR =../include
CC=gcc
CFLAGS=-I$(IDIR)

ODIR=obj
LDIR =../lib

LIBS=-lm

# header(s) the objects depend on; this line is in the linked tutorial but was missing from the notes
_DEPS = hellomake.h
DEPS = $(patsubst %,$(IDIR)/%,$(_DEPS))

_OBJ = hellomake.o hellofunc.o
OBJ = $(patsubst %,$(ODIR)/%,$(_OBJ))

(Target: dependencies; each recipe line below a target must start with a tab)
$(ODIR)/%.o: %.c $(DEPS)
	$(CC) -c -o $@ $< $(CFLAGS)

hellomake: $(OBJ)
	$(CC) -o $@ $^ $(CFLAGS) $(LIBS)

.PHONY: clean

clean:
	rm -f $(ODIR)/*.o *~ core $(IDIR)/*~

$< is the first item in the dependencies list (the first prerequisite);
$@ is the target, i.e. the left side of the colon;
$^ is the whole dependencies list, i.e. the right side of the colon (duplicates removed);
%.o is a pattern matching any file name ending in '.o'; the part matched by % (the stem) is reused on the right side, so obj/hellofunc.o is built from hellofunc.c.

crontab to schedule tasks executed regularly

http://www.thegeekstuff.com/2009/06/15-practical-crontab-examples/comment-page-1/

Linux Cron utility is an effective way to schedule a routine background job at a specific time and/or day on an on-going basis

Examples:
1, This will execute the full backup shell script (full-backup) on 10th June at 08:30 AM.
30 08 10 06 * /home/ramesh/full-backup

2, This example executes the specified incremental backup shell script (incremental-backup) at 11:00 and 16:00 every day.
00 11,16 * * * /home/ramesh/bin/incremental-backup

3, This example checks the status of the database every day (including weekends) during the working hours 9 a.m – 6 p.m.
00 09-18 * * * /home/ramesh/bin/check-db-status

Schedule a background cron job for every 10 minutes:
*/10 * * * * /home/ramesh/check-disk-space

4, This will execute the system annual maintenance using the annual-maintenance shell script at 00:00 on Jan 1st every year.
@yearly /home/ramesh/red-hat/bin/annual-maintenance

5, Schedule a cron job at the beginning of every month using @monthly:
@monthly /home/ramesh/suse/bin/tape-backup

To view your crontab entries, type crontab -l from your unix account as shown below:
-bash-4.1$ crontab -l
no crontab for username
To view the crontab entries of other Linux users, log in as root and use crontab -u {username} -l.
To edit crontab entries, use crontab -e as shown below. By default this edits the currently logged-in user's crontab.
-bash-4.1$ crontab -e
[Note: This will open the crontab file in the Vim editor for editing. Please note cron created a temporary /tmp/crontab.XX… ]
When you save the above temporary file with :wq, it will save the crontab and display a message indicating the crontab was successfully modified.

Installing Crontab From a Cron File

Instead of directly editing the crontab file, you can also add all the entries to a cron file first. Once you have all those entries in the file, you can upload or install them to cron as shown below.

ramesh@dev-db$ crontab -l
no crontab for ramesh

$ cat cron-file.txt
@yearly /home/ramesh/annual-maintenance
*/10 * * * * /home/ramesh/check-disk-space

ramesh@dev-db$ crontab cron-file.txt

ramesh@dev-db$ crontab -l
@yearly /home/ramesh/annual-maintenance
*/10 * * * * /home/ramesh/check-disk-space
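As an added example (not from the geekstuff article), the POSIX sh functions below parse the five crontab time fields used in the entries above, expanding the N, A-B, *, */S and comma-list forms into explicit values and mapping the @yearly/@monthly aliases to their five-field equivalents, so you can check which minute/hour/day a line actually fires at before installing it. Function names and the sample schedules passed to them are constructed for this example.

```shell
#!/bin/sh
# Added example: expand and match the five crontab time fields
# (minute hour day-of-month month day-of-week) plus the @yearly/@monthly style aliases.
# Pure POSIX sh; supported field syntax: N, A-B, *, A-B/S, */S and comma-separated lists.
set -f   # '*' is a cron wildcard here, never a pathname pattern

strip_zeros() {            # "08" -> "8", "00" -> "0" (avoids octal parsing in $(( )))
    v=$1
    while [ "${#v}" -gt 1 ] && [ "${v#0}" != "$v" ]; do v=${v#0}; done
    echo "$v"
}

# expand_field FIELD LO HI: print every value FIELD covers, space separated.
# Fails (returns 1) when a value falls outside LO..HI.
expand_field() {
    lo=$2; hi=$3; out=""
    IFS=','; set -- $1; unset IFS          # split the comma list into items
    for item in "$@"; do
        step=1
        case $item in */*) step=${item#*/}; item=${item%/*} ;; esac
        case $item in
            '*') start=$lo; end=$hi ;;
            *-*) start=$(strip_zeros "${item%-*}"); end=$(strip_zeros "${item#*-}") ;;
            *)   start=$(strip_zeros "$item"); end=$start ;;
        esac
        [ "$start" -ge "$lo" ] && [ "$end" -le "$hi" ] || return 1
        i=$start
        while [ "$i" -le "$end" ]; do
            out="$out${out:+ }$i"
            i=$((i + step))
        done
    done
    echo "$out"
}

# field_contains FIELD LO HI VALUE: succeed when VALUE is one of FIELD's values.
field_contains() {
    want=$(strip_zeros "$4")
    for x in $(expand_field "$1" "$2" "$3"); do
        [ "$x" -eq "$want" ] && return 0
    done
    return 1
}

# cron_matches SCHEDULE MIN HOUR DOM MON DOW: succeed when the given time matches.
# Simplification: all five fields are ANDed (real cron ORs day-of-month and
# day-of-week when both are restricted) and Sunday must be written consistently as 0 or 7.
cron_matches() {
    sched=$1; mi=$2; hr=$3; dm=$4; mo=$5; dw=$6
    case $sched in
        @yearly|@annually) sched='0 0 1 1 *' ;;
        @monthly)          sched='0 0 1 * *' ;;
        @weekly)           sched='0 0 * * 0' ;;
        @daily|@midnight)  sched='0 0 * * *' ;;
        @hourly)           sched='0 * * * *' ;;
    esac
    set -- $sched                          # split into the five fields
    [ "$#" -eq 5 ] || return 1
    field_contains "$1" 0 59 "$mi" &&
    field_contains "$2" 0 23 "$hr" &&
    field_contains "$3" 1 31 "$dm" &&
    field_contains "$4" 1 12 "$mo" &&
    field_contains "$5" 0 7  "$dw"
}

expand_field '*/10' 0 59                       # 0 10 20 30 40 50
expand_field '09-18' 0 23                      # 9 10 11 12 13 14 15 16 17 18
cron_matches '30 08 10 06 *' 30 8 10 6 2 && echo "full-backup fires 10 June 08:30"
```

Expanding a field is also a cheap sanity check on a crontab before installing it with crontab cron-file.txt: an hour of 24 or a minute of 60 makes expand_field fail instead of silently never running.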

useful bash expressions

Use man bash to check the description of the following expressions (the "Special Parameters" section lists them without the leading $):
$$ Expands to the process ID of the shell. In a () subshell, it expands to the process ID of the current shell, not the subshell.
$# Expands to the number of positional parameters in decimal.
$? Expands to the exit status of the most recently executed foreground pipeline.
$# the number of parameters with which the script has been called
$? reads the exit status of the last command executed; $? == 0 if all commands exited successfully. After a function returns, $? gives the exit status of the last command executed in the function.
&& Logical AND
Lets you do something based on whether the previous command completed successfully. More precisely, && will evaluate the second expression iff the first expression returns 0.
exit terminates a script, just as in a C program. It can also return a value, which is available to the script's parent process.
exit 0 Every command returns an exit status (sometimes referred to as a return status or exit code). A successful command returns 0, while an unsuccessful one returns a non-zero value that usually can be interpreted as an error code. Well-behaved UNIX commands, programs, and utilities return a 0 exit code upon successful completion, though there are some exceptions.

&> Bash allows both the standard output (file descriptor 1) and the standard error output (file descriptor 2) to be redirected to the file whose name is the expansion of word with this construct.
There are two formats for redirecting standard output and standard error:
&>word
and
>&word
Of the two forms, the first is preferred.
&> /dev/null sends both standard output and standard error to the /dev/null "black hole".

>/dev/null 2>&1
There are always three default files open: stdin (0), stdout (1) and stderr (2).
2>&1 asks to direct all of STDERR to wherever STDOUT currently points (i.e. to treat all the error messages generated by the script as its standard output). We already have > /dev/null earlier on the command line, which means all the standard output (STDOUT) is written to /dev/null. Since STDERR now goes to STDOUT (because of 2>&1), both STDERR and STDOUT end up in the black hole /dev/null. In other words, the script is silenced.

$0 The filename of the current script.
$n These variables correspond to the arguments with which a script was invoked. Here n is a positive decimal number corresponding to the position of an argument (the first argument is $1, the second argument is $2, and so on).
$* All the arguments as one double-quoted word. If a script receives two arguments, "$*" is equivalent to "$1 $2".
$@ All the arguments, each individually double quoted. If a script receives two arguments, "$@" is equivalent to "$1" "$2".
$? The exit status of the last command executed.
$$ The process number of the current shell. For shell scripts, this is the process ID under which they are executing.
$! The process number of the last background command.

https://www.tutorialspoint.com/unix/unix-special-variables.htm
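The script below is an added example, not from the tutorialspoint page or the bash manual: it wraps the behaviours listed above ("$@" versus "$*", $? and && , exit in a subshell, and the two redirection orders) in small functions whose return values can be checked. It also shows the one trap in the &> / 2>&1 discussion that the notes do not spell out: 2>&1 >/dev/null is not the same as >/dev/null 2>&1. Function names are constructed for this example; everything is POSIX sh.

```shell
#!/bin/sh
# Added example: the special parameters and redirections described above,
# wrapped in functions so each behaviour can be checked. POSIX sh throughout.

# "$@" keeps every argument as its own word; "$*" joins them into one word.
count_args() { echo "$#"; }
via_at()     { count_args "$@"; }   # 3 for: a "b c" d
via_star()   { count_args "$*"; }   # 1 for: a "b c" d

# Capture a command's exit status ($?) without letting `set -e` abort the script:
# the left-hand side of || is exempt from errexit, so the status is saved instead.
status_of() {
    rc=0
    "$@" || rc=$?
    echo "$rc"
}

# && runs its right-hand side only when the left-hand side exited 0.
and_chain() {
    result="none"
    true  && result="after-true"
    false && result="after-false"    # never assigned
    echo "$result"
}

# >/dev/null 2>&1: stdout goes to /dev/null first, then stderr is pointed at the
# same place, so the caller sees nothing from either stream.
silenced() {
    out=$( { echo "to stdout"; echo "to stderr" >&2; } >/dev/null 2>&1 )
    echo "[$out]"
}

# 2>&1 >/dev/null: stderr is copied from the ORIGINAL stdout before stdout is
# redirected, so error messages still reach the caller while stdout is discarded.
stderr_leaks() {
    out=$( { echo "to stdout"; echo "to stderr" >&2; } 2>&1 >/dev/null )
    echo "[$out]"
}

# exit N in a subshell: the parent reads the value back through $?.
subshell_exit() {
    rc=0
    ( exit "$1" ) || rc=$?
    echo "$rc"
}

via_at a "b c" d           # 3
via_star a "b c" d         # 1
status_of false            # 1
and_chain                  # after-true
silenced                   # []
stderr_leaks               # [to stderr]
subshell_exit 42           # 42
```

The status_of idiom is the safe way to test $? in scripts that run under set -e, and stderr_leaks is why "silence everything" must be written as >/dev/null 2>&1 (or &>/dev/null in bash) and never the other way round.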

300-206 SENSS study notes

1.0 Threat Defense

25%

1.1 Implement firewall (ASA or IOS depending on which supports the implementation)

  • 1.1.a Implement ACLs
  • 1.1.b Implement static/dynamic NAT/PAT
  • 1.1.c Implement object groups
  • 1.1.d Describe threat detection features

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html
basic threat detection
ciscoasa(config)# threat-detection basic-threat
ciscoasa(config)# show run all threat-detection
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 1
advanced threat detection
scanning threat detection
In order to enable Scanning Threat Detection, use the threat-detection scanning-threat command.
ciscoasa(config)# threat-detection scanning-threat

  • 1.1.e Implement botnet traffic filtering

http://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/guide/asa-botnet.html

Example 1-2 Multiple Mode Botnet Traffic Filter Recommended Example

dynamic-filter updater-client enable
changeto context context1
dynamic-filter use-database
class-map dynamic-filter_snoop_class
match port udp eq domain
policy-map dynamic-filter_snoop_policy
class dynamic-filter_snoop_class
inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
changeto context context2
dynamic-filter use-database
class-map dynamic-filter_snoop_class
match port udp eq domain
policy-map dynamic-filter_snoop_policy
class dynamic-filter_snoop_class
inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside

  • 1.1.f Configure application filtering and protocol inspection

http://www.cisco.com/c/en/us/td/docs/security/asdm/6_2/user/guide/asdmconfig/inspctrl.html

When a user establishes a connection, the security appliance checks the packet against access lists, creates an address translation, and creates an entry for the session in the fast path, so that further packets can bypass time-consuming checks. However, the fast path relies on predictable port numbers and does not perform address translations inside a packet.
Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to negotiate dynamically assigned port numbers.
Other applications embed an IP address in the packet that needs to match the source address that is normally translated when it goes through the security appliance.
If you use applications like these, then you need to enable application inspection.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/inspect.html

The default Layer 3/4 class map for through traffic is called “inspection_default.” It matches traffic using a special match command, match default-inspection-traffic, to match the default ports for each application protocol.

The default policy configuration includes the following commands:

class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global

You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic to specific IP addresses. Because the match default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.

hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
hostname(config)# class-map inspection_default
hostname(config-cmap)# match access-list inspect

  • 1.1.g Describe ASA security contexts

Multiple contexts configuration.

1.2 Implement Layer 2 Security

  • 1.2.a Configure DHCP snooping

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1120427

Display a binding table
Router# show ip dhcp snooping binding
Enable dhcp snooping globally
Router(config)# ip dhcp snooping
enable dhcp snooping option82
Router(config)# ip dhcp snooping information option
enable dhcp snooping on vlan
Router(config)# ip dhcp snooping vlan 10 12
Configuring the DHCP Trust State on Layer 2 LAN Interfaces
Router(config)# interface FastEthernet 5/12
Router(config-if)# ip dhcp snooping trust

  • 1.2.b Describe dynamic ARP inspection

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html

S1(config)# ip arp inspection vlan 1
S1(config)# interface fa6/3
S1(config-if)# ip arp inspection trust

  • 1.2.c Describe storm control

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/storm.html

Router(config)# interface GigabitEthernet4/10
Router(config-if)# switchport
Router(config-if)# switchport mode access
Router(config-if)# storm-control broadcast level 0.5
Router(config-if)# storm-control multicast level 0.5
Router(config-if)# spanning-tree portfast edge

  • 1.2.d Configure port security

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html

example of port security:

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end

  • 1.2.e Describe common Layer 2 threats and attacks and mitigation

http://www.networkpcworld.com/types-of-layer-2switch-security-attacks-and-mitigation-steps-in-brief/

Security Attacks against Switches or at Layer 2 can be grouped in four major Categories as follows:

1. MAC layer attacks
2. VLAN attacks
3. Spoofing attacks
4. Attacks on switch devices
1. MAC Layer Attacks Types

MAC address flooding
Description: Frames with unique, invalid source MAC addresses flood the switch, exhausting content addressable memory (CAM) table space and disallowing new entries from valid hosts. Traffic to valid hosts is subsequently flooded out all ports.
Mitigation: Port security; MAC address VLAN access maps.

2. VLAN Attacks
i – VLAN hopping
By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures.
Mitigation: Tighten up trunk configurations and the negotiation state of unused ports. Place unused ports in a common VLAN.

ii – Attacks between devices on a common VLAN
Devices might need protection from one another, even though they are on a common VLAN. This is especially true on service-provider segments that support devices from multiple customers.
Mitigation: Implement private VLANs (PVLAN).

3. Spoofing Attacks
i – DHCP starvation and DHCP spoofing
An attacking device can exhaust the address space available to the DHCP servers for a period of time or establish itself as a DHCP server in man-in-the-middle attacks.
Mitigation: Use DHCP snooping.

ii – Spanning-tree compromises
Attacking device spoofs the root bridge in the STP topology. If successful, the network attacker can see a variety of frames.
Mitigation: Proactively configure the primary and backup root devices. Enable root guard.

iii – MAC spoofing
Attacking device spoofs the MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.
Mitigation: Use DHCP snooping, port security.

iv – Address Resolution Protocol (ARP) spoofing
Attacking device crafts ARP replies intended for valid hosts. The attacking device's MAC address then becomes the destination address found in the Layer 2 frames sent by the valid network device.
Mitigation: Use Dynamic ARP Inspection, DHCP snooping, port security.

4. Switch Device Attacks
i – Cisco Discovery Protocol (CDP) manipulation
Information sent through CDP is transmitted in clear text and unauthenticated, allowing it to be captured and to divulge network topology information.
Mitigation: Disable CDP on all ports where it is not intentionally used.

ii – Secure Shell Protocol (SSH) and Telnet attacks
Telnet packets can be read in clear text. SSH is an option but has security issues in version 1.
Mitigation: Use SSH version 2. Use Telnet with vty ACLs.

  • 1.2.f Describe MACSec

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/deploy_guide_c17-663760.html#wp9000236

Before the 2010 revision of IEEE 802.1X, there was no mechanism to help ensure the confidentiality or integrity of the traffic sent after authentication. Because traffic was sent in the clear with no integrity checks, rogue users with physical access to the authenticated port could monitor, modify, and send traffic. In addition, source MAC address filtering could be circumvented by MAC address spoofing.
MACsec provides secure communication on wired LANs. When MACsec is used to secure the communication between endpoints on a LAN, each packet on the wire is encrypted using symmetric key cryptography so that communication cannot be monitored or altered on the wire.

High-Level IEEE 802.1X and MACsec Sequence

During the session-key agreement stage, the switch and the supplicant advertise their capabilities and derive all the parameters needed for MACsec. These functions are accomplished by the MKA protocol, which is transported on the wire using a new EAPoL packet type 5 (EAPoL-MKA).
If the supplicant and the switch are capable of MACsec, the switch automatically becomes the key server. The key server is responsible for selecting and advertising a cipher suite. Cisco components all support the default cipher suite Galois/Counter Mode Advanced Encryption Standard 128 (GCM-AES-128).
The key server is also responsible for generating a secure association key (the SAK) from the CAK. The SAK is the secret key that is used to encrypt traffic on the wire for a given connection. Unlike the CAK, which is a long-term master key, the SAK is a transient key that can periodically be refreshed.

  • 1.2.g Configure IP source verification

1.3 Configure device hardening per best practices

  • 1.3.a Routers

Secure BGP, management IP, secure login, NetFlow traffic monitoring, ACLs.

Routing Protocol Authentication and Verification with Message Digest 5
Passive-Interface Commands
Route Filtering

  • 1.3.b Switches

Unicast RPF
IP Source Guard
Port Security
Dynamic ARP Inspection
Anti-Spoofing ACLs
  • 1.3.c Firewalls

Reverse-path (anti-spoofing) check; security levels; management interface.

302 study

Types of Resource Record

1, SOA (start of authority): one SOA record is created when a master zone file is created

2, A record: one for each IP address of the machine (AAAA record for an IPv6 address)

3, CNAME: alias of a host name registered in an A record

4, DNAME: for ipv6

5, HINFO: host information (OS, hardware) for DNS servers

6, MX (mail exchanger): mail system for a given domain

7, PTR (pointer): associates a hostname with a given IP address, used for reverse name lookups

8, NS (name server): for a given zone

etc.

F5 reset tshoot

The following are the most common causes of clients receiving a reset (TCP RST) from an F5:

1, 5 retransmissions plus timeout, then reset

2, If the F5 does not support any of the SSL versions/ciphers the client wants to use, the F5 responds immediately with a TCP RST.

3, SSL handshake timeout, by default 10 secs

4, Application-caused reset. The simplest case is when you close the socket and then write more data on the output stream. By closing the socket, you told your peer that you are done talking, and it can forget about your connection. When you send more data on that stream anyway, the peer rejects it with an RST to let you know it isn't listening.

5, One-arm scenario: the VIP needs SNAT configured in case the backend server's default gateway bypasses the F5; in that case the F5's connection towards the backend server times out, after which the F5 sends a reset to the client side.

6, Following item 5, if automap is configured, the source is translated to the self IP on the egress interface heading toward the servers; if no self IP is configured on that VLAN on the F5, the F5 sends a reset packet.

7, The Server SSL profile Secure Renegotiate setting is set to Require or Require Strict, and the back-end SSL server lacks support for the Transport Layer Security (TLS) Renegotiation Indication Extension.

8, HTTP header size exceeded by server

9, HTTP header size exceeded by client

10, When an existing client-side connection has been detached from the server-side connection and reselects a new server, the BIG-IP system sends a TCP RST to the server to close the existing server-side connection. This behavior typically comes from using iRule commands such as LB::reselect.

11, No route to host

12, The BIG-IP system receives a SYN for either one of the following conditions:

  • A virtual server of type reject
  • A port that is protected by the Port Lockdown settings on a self IP address