2009-11-24

Telnet logging to Cisco router with Radius authentication based on Windows 2008 R2

This time something else

Say you want to give a network admin access to a Cisco router via telnet with Radius authentication (the user account is stored in AD).

The network admin is not a system admin, so he does not have administrator rights on the AD domain, but he has to have level 15 access to all Cisco devices.

Here is the configuration of the router (tested on Cisco 1800 Series):

enable secret 5 ############

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local

privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure

line con 0
 password 7 ############
line aux 0
line vty 0 4
 password 7 ############
 transport input telnet
 session-timeout 60


Quick description:
enable secret 5 - password for the admin level, restricting the use of the "enable" command

aaa new-model - starts the AAA configuration
aaa authentication login default group radius local - login authentication is done by the AAA mechanism in the following fashion:

  •  first the default authentication group is used (I did not create my own authgroup for this example) and the login is checked against a Radius server
  •  if the server does not respond (and only then), the local user database is checked
aaa authorization exec default group radius local - exec (command execution) authorization is done in the same way as above.


The next set of commands creates a new privilege level. In Cisco IOS the admin level is 15; it has full rights on any hardware. Lower levels must be defined before they can be used.
In this case I created level 7 with the right to execute ping, enter configuration mode and configure SNMP settings.


line vty 0 4 - telnet connection configuration (a total of 5 lines, from 0 to 4)



Now for the Windows 2008 Server R2 side:

Network policy for level 15:

  • Windows Group: NetAdmins
  • Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
  • Cisco Attributes AV-Pair: shell:priv-lvl=15
Network policy for level 7:

  • Windows Group: SomeoneElse
  • Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
  • Cisco Attributes AV-Pair: shell:priv-lvl=7

Now when logging in via telnet, users belonging to the NetAdmins group gain full access to the router (without the need for the "enable" command) while users from the SomeoneElse group have only level 7.
If the other user wanted full access he would have to know the enable secret password.
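To see what the two network policies above actually hand to the router, here is an added example (Python, not part of the original post or of NPS) that encodes the Framed-Protocol, Service-Type and Cisco AV-Pair attributes as RADIUS attribute TLVs and decodes them the way the router does. Attribute numbers come from RFC 2865 and Cisco's Vendor-Specific definition (Vendor-Id 9, Cisco-AVPair sub-type 1); the only assumption is that NPS sends exactly these three attributes and nothing else.

```python
import struct

ATTR_SERVICE_TYPE = 6       # RFC 2865; value 7 = NAS-Prompt
ATTR_FRAMED_PROTOCOL = 7    # RFC 2865; value 1 = PPP
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # Cisco-AVPair vendor sub-type

def tlv(attr_type, value):
    """Plain RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text):
    """Vendor-Specific attribute wrapping one Cisco-AVPair string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def policy_attributes(priv_lvl):
    """The three attributes each network policy on this page returns."""
    return (tlv(ATTR_FRAMED_PROTOCOL, struct.pack("!I", 1))    # PPP
            + tlv(ATTR_SERVICE_TYPE, struct.pack("!I", 7))     # NAS-Prompt
            + cisco_avpair(f"shell:priv-lvl={priv_lvl}"))

def parse_attributes(data):
    """Walk an attribute list and return what the router would act on.
    Unknown attribute types are skipped; a truncated list is rejected."""
    out, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("malformed attribute length")
        val = data[pos + 2:pos + a_len]
        if a_type == ATTR_SERVICE_TYPE:
            out["Service-Type"] = struct.unpack("!I", val)[0]
        elif a_type == ATTR_FRAMED_PROTOCOL:
            out["Framed-Protocol"] = struct.unpack("!I", val)[0]
        elif a_type == ATTR_VENDOR_SPECIFIC and len(val) >= 6:
            vendor = struct.unpack("!I", val[:4])[0]
            if vendor == CISCO_VENDOR_ID and val[4] == CISCO_AVPAIR:
                key, _, v = val[6:4 + val[5]].decode().partition("=")
                out[key] = int(v) if v.isdigit() else v
        pos += a_len
    return out

if __name__ == "__main__":
    for lvl in (15, 7):
        print(lvl, policy_attributes(lvl).hex(), parse_attributes(policy_attributes(lvl)))
```

The decoded dictionary is what you should expect to see in a packet capture of the Access-Accept when checking that a policy really assigns the intended privilege level.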



2009-11-12

Monitoring Cisco Wireless Controller 4400 via SNMP

Hello

Cisco has done a great job implementing SNMP into its 4400 WLC.
The sheer number of OIDs is phenomenal.

You will need two MIB files to translate OIDs from numeric into named form:
AIRESPACE-SWITCHING-MIB
1.3.6.1.4.1.14179.1

AIRESPACE-WIRELESS-MIB
1.3.6.1.4.1.14179.2

Both are available to view and download here:
http://www.oidview.com/mibs/14179/md-14179-1.html

Or from Cisco site:
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.14179


First monitor - Number of users connected to given AP

This will tell us how many people are connected to one particular Cisco Airespace Access Point

For that we only need one OID:
From table: bsnAPIfLoadParametersTable
Entry: bsnAPIfLoadNumOfClients
Numerical OID: 1.3.6.1.4.1.14179.2.2.13.1.4

And if we do an snmpwalk on it we will find that there is a bit more work to do.
Why?
Because Cisco APs connected to a given controller are identified in the SNMP database by a string of seemingly random values preceded by a single 0 (zero), like this: 0.31.155.25.136.80.
We can also see that each AP has two OIDs, one ending with ".0" and the other with ".1".
That's because the APs can work in one of two modes: a/h or b/g/n.

So in order to get the correct data (via snmpget) we need to join the OIDs into one string like this:
1.3.6.1.4.1.14179.2.2.13.1.4.0.31.155.25.136.8.0

Here is an example command:
snmpget -c public 192.168.200.100 -Ovq 1.3.6.1.4.1.14179.2.2.13.1.4.0.31.155.25.136.8.0

The output would be for example:
5

The -O parameter controls output of snmpget.
  • 'v' - does not print OID string,
  • 'q' - quick print values (without the value type) - makes parsing of output much simpler
Here is a link to a Perl script I created for Nagios/Opsview:
http://www.monitoringexchange.org/inventory/Check-Plugins/Network/Cisco-AP-Client-number


Second monitor - Profile status of given AP

This will tell us the profile status of one particular Cisco Airespace Access Point

For that we need 4 OIDs:
From table: bsnAPIfProfileStateTable
1.3.6.1.4.1.14179.2.2.16.1.1
1.3.6.1.4.1.14179.2.2.16.1.2
1.3.6.1.4.1.14179.2.2.16.1.3
1.3.6.1.4.1.14179.2.2.16.1.24

The values of those OIDs are: Passed or Failed.

A word on profiles:
There are 4:
  • load   (...14179.2.2.16.1.1)
  • noise   (...14179.2.2.16.1.3)
  • interference   (...14179.2.2.16.1.2)
  • coverage   (...14179.2.2.16.1.24)
Each one is defined by a set of values configured on the Wireless Controller. The WLC checks whether those conditions are met by an AP; if so, the given profile status is Passed.


Here is a link to a Perl script I created for Nagios/Opsview:
http://www.monitoringexchange.org/inventory/Check-Plugins/Hardware/Network/Network-Gear/Cisco-AP-Profile-Status


Third monitor - basic traffic information of given AP

Those OIDs will give us information on total send and receive utilization (in %) as well as the channel number and its utilization. Another piece of information that should be checked is the operational status of the AP.

For that we need a few more OIDs:
From table: bsnAPTable
Administrative Status: 1.3.6.1.4.1.14179.2.2.1.1.37
The value of this OID can be: 
1 - enable
2 - disable

Operational Status: 1.3.6.1.4.1.14179.2.2.1.1.6
The value of this OID can be:
1 - associated
2 - disassociating
3 - downloading 

From table: bsnAPIfLoadParametersTable
TX utilization: 1.3.6.1.4.1.14179.2.2.13.1.1
RX utilization: 1.3.6.1.4.1.14179.2.2.13.1.2
Channel utilization: 1.3.6.1.4.1.14179.2.2.13.1.3
The values of those OIDs are given in %.
These are global values for the AP (not on a per-client basis).

And the number of the channel used by this AP we get from table: bsnAPIfTable
1.3.6.1.4.1.14179.2.2.2.1.4

Here is a link to a Perl script I created for Nagios/Opsview:
http://www.monitoringexchange.org/inventory/Check-Plugins/Hardware/Network/Network-Gear/Cisco-AP-Traffic
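The second and third monitors both reduce to "read a handful of OIDs for one AP and pick the worst state", so here is one added example (Python, not the author's Perl plugins) that does that grading for both: the four profile states, the administrative and operational status codes listed above, and the three utilization values with thresholds. The sample values are constructed, the thresholds are made up, and the instance suffix is assumed to have been stripped already (note that bsnAPTable is indexed by the AP MAC alone, while the per-radio tables also carry the slot).

```python
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3        # Nagios exit codes
RANK = {OK: 0, UNKNOWN: 1, WARNING: 2, CRITICAL: 3}  # UNKNOWN must not mask a fault
LABEL = ["OK", "WARNING", "CRITICAL", "UNKNOWN"]
ADMIN_STATUS = "1.3.6.1.4.1.14179.2.2.1.1.37"   # bsnAPTable: 1 enable, 2 disable
OPER_STATUS = "1.3.6.1.4.1.14179.2.2.1.1.6"     # 1 associated, 2 disassociating, 3 downloading
OPER_NAMES = {1: "associated", 2: "disassociating", 3: "downloading"}
PROFILES = {"load": "1.3.6.1.4.1.14179.2.2.16.1.1",          # bsnAPIfProfileStateTable
            "interference": "1.3.6.1.4.1.14179.2.2.16.1.2",
            "noise": "1.3.6.1.4.1.14179.2.2.16.1.3",
            "coverage": "1.3.6.1.4.1.14179.2.2.16.1.24"}
UTIL = {"tx": "1.3.6.1.4.1.14179.2.2.13.1.1",                 # bsnAPIfLoadParametersTable, %
        "rx": "1.3.6.1.4.1.14179.2.2.13.1.2",
        "channel": "1.3.6.1.4.1.14179.2.2.13.1.3"}
CHANNEL = "1.3.6.1.4.1.14179.2.2.2.1.4"         # bsnAPIfTable: channel number

def grade_ap(values, util_warn=70, util_crit=90):
    """values: {oid (instance suffix stripped): raw snmpget -Ovq text}."""
    state, notes = OK, []
    def worse(new, note):
        nonlocal state
        state = new if RANK[new] > RANK[state] else state
        notes.append(note)
    try:
        admin, oper = int(values[ADMIN_STATUS]), int(values[OPER_STATUS])
    except (KeyError, ValueError):
        return UNKNOWN, "UNKNOWN - AP status not readable"
    if admin != 1:
        worse(WARNING, "administratively disabled")
    if oper != 1:                                # anything but associated is a fault
        worse(CRITICAL, f"operational status {OPER_NAMES.get(oper, oper)}")
    for name, oid in PROFILES.items():           # page: values are Passed or Failed
        if not values.get(oid, "").strip().lower().startswith("pass"):
            worse(WARNING, f"{name} profile {values.get(oid, 'missing').strip()}")
    for name, oid in UTIL.items():
        pct = values.get(oid, "").strip()
        if not pct.isdigit():
            worse(UNKNOWN, f"{name} utilization unreadable")
        elif int(pct) >= util_crit:
            worse(CRITICAL, f"{name} utilization {pct}%")
        elif int(pct) >= util_warn:
            worse(WARNING, f"{name} utilization {pct}%")
    summary = "; ".join(notes) or "all profiles passed"
    return state, f"{LABEL[state]} - channel {values.get(CHANNEL, '?').strip()}: {summary}"

SAMPLE = {  # constructed snmpget -Ovq output for one AP radio, not real data
    ADMIN_STATUS: "1", OPER_STATUS: "1", CHANNEL: "36",
    PROFILES["load"]: "Passed", PROFILES["interference"]: "Passed",
    PROFILES["noise"]: "Failed", PROFILES["coverage"]: "Passed",
    UTIL["tx"]: "12", UTIL["rx"]: "8", UTIL["channel"]: "73",
}
```

A real plugin would fill `values` with one snmpget per OID (or a single snmpget with all OIDs on the command line) and exit with the returned state.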