QUICK START: CREATE A CSR WITH OPENSSL

July 5th, 2010 peter No comments

The following commands can be used to quickly create a private key and a CSR with OpenSSL:

$ openssl genrsa -des3 -out private.key 2048 – Generate a 2048-bit RSA private key; -des3 encrypts the key file with a passphrase.
$ openssl req -new -key private.key -out cert.csr – Generate the CSR with the newly created private key.
$ openssl pkcs12 -export -inkey private.key -in signed-csr.cer -out cert.p12 – Create a password-protected PKCS#12 file which holds the signed certificate (public key) and the private key.

Categories: OpenSSL Tags:

USEFUL COMMANDS FOR THE ARUBA MC

July 5th, 2010 peter No comments

While working with the Aruba Networks Mobility Controller, I have collected some useful commands for the daily operation of the controller. The following commands can be used with ArubaOS 5.0.

The list will be expanded in the future.

LICENSING COMMANDS

#show license
#show license limit

USER COMMANDS

#show user – Displays the users which are currently connected to the MC.
#aaa user clear-sessions [A.B.C.D] – Clears the ongoing sessions for the specified client.
#aaa user delete [A.B.C.D] – Deletes clients, users, or roles.

ACL COMMANDS

#show acl hits role [STRING] – Show internal ACL hit counters.
#show acl hits

LOG COMMANDS

#show log security 20 – Displays the last 20 entries of the security log buffer. Useful when you suspect a problem with an AAA profile.

Categories: Aruba Networks Tags:

Cisco Botnet summary

February 5th, 2010 peter No comments

Since release 8.2, the Cisco ASA can protect you against botnets. Here is some relevant information when you want to use the Botnet Traffic Filter on a Cisco ASA firewall running 8.2.

1. A license is needed: ASA55xx-BOT-1YR=
2. You need to configure DNS snooping on the ASA.
3. The following syslog message IDs are used by the Botnet Traffic Filter:

338001
338002
338003
338004

4. Reverse access rules need to be configured.

A tutorial can be found here.
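As an added illustration (not part of the original post), the following Python snippet picks the Botnet Traffic Filter events out of ASA syslog lines by matching the message IDs listed above; the sample log lines and their message texts are constructed for this example and are not real captures.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Botnet Traffic Filter message IDs as listed in the post (ASA 8.2).
BOTNET_FILTER_IDS = {338001, 338002, 338003, 338004}

# Standard ASA syslog prefix: %ASA-<severity>-<message-id>: <text>
ASA_SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")


@dataclass
class AsaEvent:
    severity: int
    msg_id: int
    text: str


def parse_asa_line(line: str) -> Optional[AsaEvent]:
    """Return the ASA event found in a syslog line, or None if the line is not in ASA format."""
    m = ASA_SYSLOG_RE.search(line)
    if not m:
        return None
    return AsaEvent(int(m.group("sev")), int(m.group("msgid")), m.group("text").strip())


def botnet_events(lines: Iterable[str]) -> List[AsaEvent]:
    """Keep only the events whose message ID belongs to the Botnet Traffic Filter set."""
    found = []
    for line in lines:
        ev = parse_asa_line(line)
        if ev is not None and ev.msg_id in BOTNET_FILTER_IDS:
            found.append(ev)
    return found


# Constructed sample lines (not real captures); the message texts are illustrative only.
SAMPLE_LOG = [
    "Feb  5 10:01:02 asa01 %ASA-4-338001: Dynamic filter monitored blacklisted TCP traffic from inside:192.0.2.10/51234 to outside:198.51.100.5/80",
    "Feb  5 10:01:03 asa01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443 to inside:192.0.2.11/50001",
    "Feb  5 10:01:04 asa01 %ASA-4-338004: Dynamic filter dropped blacklisted UDP traffic from inside:192.0.2.12/5353 to outside:198.51.100.9/53",
    "Feb  5 10:01:05 asa01 this line is not in ASA syslog format",
]

if __name__ == "__main__":
    for ev in botnet_events(SAMPLE_LOG):
        print(f"sev={ev.severity} id={ev.msg_id} {ev.text}")
```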

Categories: Cisco ASA, Firewalls Tags:

Configuring Remote Networking with Aruba RAP’s

February 1st, 2010 peter 1 comment

Recently I was busy configuring a remote networking setup built with an Aruba Mobility Controller (MC) 3200, in conjunction with RAP2WG remote access points. This is a basic configuration of an Aruba RAP deployment.

As the procedure to set up the controller can be a little confusing, I decided to post the procedure on my weblog.

In short, the following steps need to be done to get the remote networking (RN) setup working (basics):

1. configure the controller basics, e.g. IP address, vlans, trunks, etc.
2. define the aaa profile
3. define the ssid profile
4. define the virtual access-point profile (VAP)
5. define VPN settings
6. define provision profile
7. define AP group
8. whitelist the RAPs
9. open firewall ports
10. provision the RAPs (“zero touch”)

Well, let’s start with step 1. All these things can be done through the GUI or the CLI of the MC, and you can alter settings to suit your own situation.

step 1: configure the controller basics such as IP address, gateway, vlans, etc.

A part of this step can be done in the initial configuration dialog which appears when you first boot the MC. The rest needs to be done afterwards. I configured VLAN 11 in a DMZ zone of a firewall and VLAN 60 for the wireless clients. I use port Gi1/0 as a trunk to the core switch, with only VLANs 11 and 60 allowed, and I created a loopback interface for the RAPs to connect to.

This is all done with the following config:

hostname "Aruba3200"
clock timezone GMT 1

interface loopback
        ip address 10.1.1.200
!

vlan 11 "dmz"
vlan 60 "wireless-clients"

interface gigabitethernet  1/0
        description "GE1/0"
        trusted
        switchport mode trunk
        switchport trunk allowed vlan 11,60

interface vlan 1
        ip address 172.16.0.254 255.255.255.0
!

interface vlan 11
        ip address 10.1.1.199 255.255.255.0
!

ip default-gateway 10.1.1.1

step 2: define the aaa profile

aaa profile "wifi-aaa-profile"
   authentication-dot1x "default"

step 3: define the ssid profile

I used WPA-PSK with TKIP (opmode wpa-psk-tkip) for encryption, but you can use whichever mode you like.

wlan ssid-profile "wifi-ssid-profile"
   essid "justforfun"
   opmode wpa-psk-tkip
   wpa-passphrase *****

step 4: define the virtual access-point profile (VAP)

Bind the aaa and ssid profiles together in the VAP profile and define the vlan.

wlan virtual-ap "my-vap-profile"
   ssid-profile "wifi-ssid-profile"
   vlan 60
   aaa-profile "wifi-aaa-profile"

step 5: define the VPN settings for the RAP2WGs (GUI)

The 3DES policy (priority 5 in this example) needs to be added for the RAP2WGs.


An IP address pool needs to be defined for the RAP2WGs. These addresses need to be unique in the routing domain.

ip local pool "albron-aps" 10.10.10.1 10.10.10.10
vpdn group l2tp
  ppp authentication PAP

step 6: define provisioning profile

ap provisioning-profile "my-provisioning-profile"
   remote-ap
   master "x.x.x.x" #public IP of the controller, or the NAT address of the firewall

step 7: define the AP group

In the AP group, the VAP profile and the provisioning profile come together.

ap-group "MyAPGroup"
   virtual-ap "my-vap-profile"
   provisioning-profile "my-provisioning-profile"

step 8: whitelist the RAPs

The new RAPs need to be whitelisted (by MAC address) to be accepted by the MC. This can be done in the following part of the GUI, where the RAPs are also associated with the AP group “MyAPGroup”.


step 9: open firewall ports

Seen from the Internet, you only have to open port udp/4500 (IPsec NAT-T) to the MC.

step 10: provision the RAP

The final step is to provide the RAP with the information it needs: the IP address where the MC can be reached. This can be done by connecting a wired PC to port E1 of the RAP2WG and port E0 to a regular Internet connection (modem or router). Once the RAP2WG has booted (a couple of minutes), open a browser on the wired PC and type in any URL. The RAP configuration screen shows up, and the IP address of the mobility controller has to be entered.


When this is done, the RAP2WG connects to the mobility controller and registers with it. After a couple of minutes the RAP has rebooted again and is broadcasting the configured ESSID.


Categories: Aruba Networks Tags:

VPN template Cisco ASA

November 26th, 2009 peter No comments

Since I configured a lot of site-to-site VPNs in those days, I created a VPN config snippet which I have used as a template. So if you need to configure a site-to-site VPN on a Cisco ASA, you can use this template and customize the fields. Replace the peer address 1.1.1.1 and the placeholders <policy_name> and <pre-shared-key> with your own values; note that the transform-set ESP-AES-256-SHA referenced by the crypto map is not defined in the snippet and must already exist on the ASA.

access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list vpn_filter extended permit ip any any
!
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
!
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
group-policy <policy_name> internal
group-policy <policy_name> attributes
vpn-idle-timeout none
vpn-filter value vpn_filter
vpn-tunnel-protocol IPSec

!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy <policy_name>
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key <pre-shared-key>
!
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set pfs
crypto map outside_map 8 set peer 1.1.1.1
crypto map outside_map 8 set transform-set ESP-AES-256-SHA
crypto map outside_map 8 set security-association lifetime seconds 3600
crypto map outside_map 8 set nat-t-disable

Categories: Cisco ASA, IOS Tags:

Showing a transceiver serial in Cisco IOS

November 24th, 2009 peter 1 comment

Sometimes you want to see the serial number of a transceiver in a Cisco switch (e.g. a GLC-SX-MM=). You can see the transceiver serial number by typing the following command:

switch#sh idprom interface gigabitEthernet x/y | i Serial

The "| i Serial" part is optional; it only filters the output down to the line with the serial number.

Categories: IOS, switching Tags:

Graphs screen stays blank after >0.8.7e/PA2.5 upgrade

November 21st, 2009 peter No comments

In the last weeks, I have been busy doing some upgrades of CactiEZ 0.8.7c with PA2.2 to 0.8.7e with PA2.5. As always, at first sight everything seems to be OK when the upgrade has finished. But when you have a full-blown Cacti server (with a lot of plugins and tweaks running), it can be different.

In some cases, the GRAPHS screen stayed blank when I clicked the GRAPHS tab after the upgrade. The only thing I could do to see the graphs was click the TREE tab, which shows the graph tree on the left of the screen, and then click the appropriate graph in the tree.

In a few words, I did the following to fix this problem (it’s not the neatest solution):

1. Backup your Cacti files!
2. Download the official Cacti 0.8.7e files
3. Overwrite the files in the ‘/var/www/html’ directory on your server with the official Cacti 0.8.7e files
4. Now overwrite the files in the ‘/var/www/html’ directory again with the 0.8.7e/PA2.5 files

Now some files have to be edited for Cacti to function correctly:

5. Edit /var/www/html/include/config.php

Go to line 30 and edit the following line:

$database_password = "change_this_to_your_dbpassword";

6. Edit /var/www/html/include/global.php

Add the plugins you have installed with the $plugins statements; you can get those from your backup files.

Now Cacti should operate normally again. When you click the GRAPHS tab, the main graph screen shows up again!

Categories: Cacti Tags:

Using [Gmail]/Trash in Mozilla Thunderbird

October 29th, 2009 peter No comments

I use Mozilla Thunderbird to access my Gmail account (via IMAP). The problem I had was that when I deleted a message in Thunderbird, the message did not move to the Trash folder; instead, it was only visible in the All Mail folder.

When I delete a message in Thunderbird, it should be moved to the [Gmail]/Trash folder. To accomplish this, the following should be done in Thunderbird:

  • The Gmail account is defined as a mail.server.serverX entry in the Config Editor.
  • Type "mail.server.server" under Filter: in the Config Editor.
  • Go through the list until you spot your Gmail account’s name (say, "Gmail" or your Gmail address) under Value for a preference named mail.server.server*.name (where ‘*’ is replaced with a number).
  • Note the server’s number.
    • If you find your Gmail account’s name under "mail.server.server2.name", for example, note "2".
  • Click on the mail.server.server* line with the right mouse button.
  • Select New | String from the menu.
  • Type "mail.server.server*.trash_folder_name", replacing the ‘*’ with the noted number.
    • In my case it was 2, so I typed "mail.server.server2.trash_folder_name".
  • Click OK.
  • Type "[Gmail]/Trash" under Enter string value.
  • Click OK.
  • Close the configuration dialog.
  • Restart Mozilla Thunderbird.

Categories: Gmail, Thunderbird Tags:

Cacti TCP Port Template not working (nan)

September 17th, 2009 peter No comments

I was struggling with the TCP Port Template for Cacti. I installed the plugin, but the state of the monitored port stays 0 (nan) in the graph.


It seems that this problem is in the /var/www/html/scripts/tcp.php file. Modify lines 54 & 56 as follows; change

  print "0";
} else {
  print "1";

into

  return "0";
} else {
  return "1";

This should fix the problem.

Categories: Cacti Tags:

Some help with squid on eSafe

August 10th, 2009 peter No comments

Sometimes it is necessary to perform some actions with squid (eproxy) on eSafe on the command line, for instance a quick stop-and-start of squid or some debugging. The following options can be used in the CLI environment:

Usage: squid [-hvzCDFNRYX] [-d level] [-s | -l facility] [-f config-file] [-u port] [-k signal]
       -d level  Write debugging to stderr also.
       -f file   Use given config-file instead of
                 /opt/eproxy/etc/squid.conf
       -h        Print help message.
       -k reconfigure|rotate|shutdown|interrupt|kill|debug|check|parse
                 Parse configuration file, then send signal to
                 running copy (except -k parse) and exit.
       -s | -l facility
                 Enable logging to syslog.
       -u port   Specify ICP port number (default: 3130), disable with 0.
       -v        Print version.
       -z        Create swap directories
       -C        Do not catch fatal signals.
       -D        Disable initial DNS tests.
       -F        Don’t serve any requests until store is rebuilt.
       -N        No daemon mode.
       -R        Do not set REUSEADDR on port.
       -S        Double-check swap during rebuild.
       -X        Force full debugging.
       -Y        Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.

For instance, when you want to stop and start squid (to flush the DNS cache), you can use the following:

# /opt/eproxy/sbin/squid -k shutdown
# /opt/eproxy/sbin/squid

Categories: eSafe Tags: