2009-11-24

Telnet login to a Cisco router with RADIUS authentication based on Windows 2008 R2

This time something else

Say you want to give a network admin access to a Cisco router via telnet with RADIUS authentication (the user account is stored in AD).

The network admin is not a system admin, so he does not have administrator rights on the AD domain, but he has to have level 15 access to all Cisco devices.

Here is the configuration of the router (tested on Cisco 1800 Series)

enable secret 5 ############

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local

privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure

line con 0
 password 7 ############
line aux 0
line vty 0 4
 password 7 ############
 transport input telnet
 session-timeout 60


Quick description:
enable secret 5 - password for the admin level, restricting the use of the "enable" command


aaa new-model - start the AAA configuration
aaa authentication login default group radius local - login authentication is done by the AAA mechanism in the following fashion:

  •  first the default authentication group is used (I did not create my own authgroup for this example) and the login is checked against the RADIUS server
  •  if the server does not respond (and only then) - the local user database is checked
aaa authorization exec default group radius local - command execution authorization is done in the same way as above.


The next set of commands creates a new privilege level. In Cisco IOS the admin level is 15; it has full rights on any device. A lower level must be defined before it can be used.
In this case I created a 7th level of access with the right to execute ping, enter the configuration options and configure SNMP settings.


line vty 0 4 - telnet connection configuration (total of 5 lines - from 0 to 4)



Now for the Windows 2008 Server R2 side:

Network policy for level 15:

  • Windows Group: NetAdmins
  • Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
  • Cisco Attributes AV-Pair: shell:priv-lvl=15
Network policy for level 7:

  • Windows Group: SomeoneElse
  • Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
  • Cisco Attributes AV-Pair: shell:priv-lvl=7

Now when logging in via telnet, users belonging to the NetAdmins group gain full access to the router (without the need for the "enable" command), while users from the SomeoneElse group have only level 7.
If the other user wanted full access, he would have to know the enable secret password.
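As an added illustration (my own Python, not part of the original post or of NPS), here is what the two policies above put on the wire: the Service-Type and Framed-Protocol attributes plus the Cisco AV-pair carried in a Vendor-Specific attribute (Vendor-Id 9, vendor type 1), and a parser that pulls the granted privilege level back out of an Access-Accept attribute payload so you can verify in a capture that a user really got level 7 and not 15. Attribute numbers and values are the standard ones from RFC 2865; function names are my own.

```python
import struct

# RADIUS attribute types (RFC 2865) and the values used by the two network policies above
SERVICE_TYPE, FRAMED_PROTOCOL, VENDOR_SPECIFIC = 6, 7, 26
SERVICE_TYPE_NAS_PROMPT, FRAMED_PROTOCOL_PPP = 7, 1
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1          # Vendor-Id 9 = Cisco, vendor type 1 = Cisco-AVPair

def attr(atype, value):
    """Encode one attribute as Type(1) | Length(1) | Value; the length covers the header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text):
    """Wrap a Cisco AV-pair string (e.g. shell:priv-lvl=15) in a Vendor-Specific attribute."""
    inner = attr(CISCO_AVPAIR, text.encode("ascii"))  # vendor attrs use the same T/L/V layout
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_accept_attrs(priv_lvl):
    """Attribute payload of the Access-Accept produced by the policy for a given level."""
    return (attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
            + attr(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP))
            + cisco_avpair(f"shell:priv-lvl={priv_lvl}"))

def parse_attrs(data):
    """Yield (type, value) pairs, refusing truncated or zero-length attributes."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def granted_priv_lvl(data):
    """Privilege level the router will apply, or None if no shell:priv-lvl pair is present."""
    for atype, value in parse_attrs(data):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in parse_attrs(value[4:]):
            if vtype == CISCO_AVPAIR and vvalue.startswith(b"shell:priv-lvl="):
                level = int(vvalue.split(b"=", 1)[1].decode("ascii"))
                if not 0 <= level <= 15:
                    raise ValueError(f"privilege level {level} out of range")
                return level
    return None
```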



2009-11-12

Monitoring Cisco Wireless Controller 4400 via SNMP

Hello

Cisco has done a great job implementing SNMP into its 4400 WLC.
The sheer number of OIDs is phenomenal.

You will need two MIB files to translate OIDs from numeric into named form:
AIRESPACE-SWITCHING-MIB
1.3.6.1.4.1.14179.1

AIRESPACE-WIRELESS-MIB
1.3.6.1.4.1.14179.2

Both are available to view and download here:
http://www.oidview.com/mibs/14179/md-14179-1.html

Or from Cisco site:
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.14179


First monitor - Number of users connected to a given AP

This will tell us how many people are connected to one particular Cisco Airespace Access Point

For that we only need one OID:
From table: bsnAPIfLoadParametersTable
Entry: bsnAPIfLoadNumOfClients
Numerical OID: 1.3.6.1.4.1.14179.2.2.13.1.4

And if we do an snmpwalk on it we will find that there is a bit more work to do.
Why?
Because Cisco APs connected to a given controller are identified in the SNMP database by a string of seemingly random values preceded by a single 0 (zero), like this: 0.31.155.25.136.80 .
Also we can see that each AP has two OIDs, one ending with ".0" and the other with ".1".
That's because the APs can work in one of two modes: a/h or b/g/n.

So in order to get the correct data (via snmpget) we need to join the OIDs into one string like this:
1.3.6.1.4.1.14179.2.2.13.1.4.0.31.155.25.136.8.0

Here is an example command:
snmpget -c public 192.168.200.100 -Ovq 1.3.6.1.4.1.14179.2.2.13.1.4.0.31.155.25.136.8.0

The output would be for example:
5

The -O option controls the output format of snmpget.
  • 'v' - does not print the OID string,
  • 'q' - quick print values (without the value type) - makes parsing of output much simpler
Here is a link to a Perl script I created for Nagios/Opsview:
http://www.monitoringexchange.org/inventory/Check-Plugins/Network/Cisco-AP-Client-number
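As an added illustration (my own Python, not the author's Perl plugin), here is the index arithmetic the post describes: the six numbers after the column OID are the AP's MAC address written as decimal octets (0.31.155.25.136.80 is 00:1f:9b:19:88:50) and the last number is the radio slot, so a walk of bsnAPIfLoadNumOfClients can be turned back into per-AP client counts and checked against Nagios-style thresholds. The snmpwalk output is constructed, not captured from a real controller.

```python
import re

AIRESPACE_WIRELESS = "1.3.6.1.4.1.14179.2"
NUM_OF_CLIENTS = AIRESPACE_WIRELESS + ".2.13.1.4"   # bsnAPIfLoadNumOfClients

def ap_index(mac, slot):
    """Index of a radio row: the AP's MAC as six decimal octets, then the slot (0 or 1)."""
    octets = mac.split(":")
    if len(octets) != 6 or slot not in (0, 1):
        raise ValueError("need a 6-octet MAC and slot 0 or 1")
    return ".".join(str(int(o, 16)) for o in octets) + f".{slot}"

def ap_oid(column, mac, slot):
    """Full OID to pass to snmpget for one radio of one AP."""
    return f"{column}.{ap_index(mac, slot)}"

# Constructed sample of 'snmpwalk -On' output for the bsnAPIfLoadNumOfClients column.
SAMPLE_WALK = """\
.1.3.6.1.4.1.14179.2.2.13.1.4.0.31.155.25.136.80.0 = INTEGER: 5
.1.3.6.1.4.1.14179.2.2.13.1.4.0.31.155.25.136.80.1 = INTEGER: 12
.1.3.6.1.4.1.14179.2.2.13.1.4.0.31.155.25.137.16.0 = INTEGER: 0
.1.3.6.1.4.1.14179.2.2.13.1.4.0.31.155.25.137.16.1 = INTEGER: 0
"""
WALK_LINE = re.compile(r"^\.?([\d.]+) = (?:INTEGER|Gauge32): (\d+)$")

def parse_radio_walk(text):
    """Map {(mac, slot): value} from a walk of a per-radio column; skips non-matching lines."""
    rows = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if not m:
            continue
        parts = m.group(1).split(".")
        mac = ":".join(f"{int(o):02x}" for o in parts[-7:-1])   # 6 octets before the slot
        rows[(mac, int(parts[-1]))] = int(m.group(2))
    return rows

def clients_per_ap(text):
    """Sum the .0 and .1 radios so each AP gets a single client count."""
    totals = {}
    for (mac, _slot), n in parse_radio_walk(text).items():
        totals[mac] = totals.get(mac, 0) + n
    return totals

def nagios_state(value, warn, crit):
    """Nagios/Opsview exit code and label for a client count against warn/crit thresholds."""
    if value >= crit: return 2, "CRITICAL"
    if value >= warn: return 1, "WARNING"
    return 0, "OK"
```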


Second monitor - Profile status of a given AP

This will tell us the profile status of one particular Cisco Airespace Access Point

For that we need 4 OIDs:
From table: bsnAPIfProfileStateTable
1.3.6.1.4.1.14179.2.2.16.1.1
1.3.6.1.4.1.14179.2.2.16.1.2
1.3.6.1.4.1.14179.2.2.16.1.3
1.3.6.1.4.1.14179.2.2.16.1.24

The values of those OIDs are: Passed or Failed.

Word on profiles:
There are 4:
  • load   (...14179.2.2.16.1.1)
  • noise   (...14179.2.2.16.1.3)
  • interference   (...14179.2.2.16.1.2)
  • coverage   (...14179.2.2.16.1.24)
Each one is defined by a set of thresholds configured on the Wireless Controller. The WLC checks whether those conditions are met by an AP; if so, the given profile status is Passed.


Here is a link to a Perl script I created for Nagios/Opsview:
http://www.monitoringexchange.org/inventory/Check-Plugins/Hardware/Network/Network-Gear/Cisco-AP-Profile-Status


Third monitor - basic traffic information of a given AP

Those OIDs will give us information on total transmit and receive utilization (in %) as well as the channel number and its utilization. Another thing that should be checked is the operational status of the AP.

For that we need a few more OIDs:
From table: bsnAPTable
Administrative Status: 1.3.6.1.4.1.14179.2.2.1.1.37
The value of this OID can be: 
1 - enable
2 - disable

Operational Status: 1.3.6.1.4.1.14179.2.2.1.1.6
The value of this OID can be:
1 - associated
2 - disassociating
3 - downloading 

From table: bsnAPIfLoadParametersTable
TX utilization: 1.3.6.1.4.1.14179.2.2.13.1.1
RX utilization: 1.3.6.1.4.1.14179.2.2.13.1.2
Channel utilization: 1.3.6.1.4.1.14179.2.2.13.1.3
The values of those OIDs are given in %.
These are global values for the AP (not on a per-client basis).

And the number of the channel used by this AP we get from table: bsnAPIfTable
1.3.6.1.4.1.14179.2.2.2.1.4

Here is a link to a Perl script I created for Nagios/Opsview:
http://www.monitoringexchange.org/inventory/Check-Plugins/Hardware/Network/Network-Gear/Cisco-AP-Traffic

2009-10-09

User management in MySQL

Welcome back!

Here is something that anybody should remember:
adding users, setting privileges and removing users in a MySQL database using the command line.


I know this is trivial and that you can easily google/yahoo/bing this, but still....
This blog is supposed to be a complete admin's diary so -  it has to be here.

Anyway:

mysql> CREATE USER 'username'@'%' IDENTIFIED BY 'password';

Create a user that can access MySQL from any host.
If you want to restrict access to a certain machine, replace '%' (the MySQL wildcard) with an IP address or hostname.
If you want to create a user without any password, omit the IDENTIFIED BY part.

mysql> GRANT ALL PRIVILEGES ON *.* TO 'username'@'%' IDENTIFIED BY 'password'
-> WITH GRANT OPTION;


Give this user full administrative access to all databases with the option to control other users' privileges.


mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
 -> ON database1.*
 -> TO 'username'@'%';
 
Give this user superuser access (read and modify tables and data) to all tables in database1.
 
mysql> REVOKE INSERT,UPDATE,DELETE,CREATE,DROP
    -> ON database1.*
    -> FROM 'username'@'%';

Remove from this user superuser access (only the SELECT command is available now) to all tables in database1.

mysql> FLUSH PRIVILEGES; 

This tells MySQL to reload the grant tables. Not always necessary.
Another method is to insert the user data directly into the 'user' table of the 'mysql' database (the default database that exists in every MySQL installation).

mysql> INSERT INTO mysql.user(Host,User,Password)
    -> VALUES('localhost', 'username', PASSWORD('password'));
mysql> FLUSH PRIVILEGES;

 
The last line is required when using this method.
To remove a user you only need one command (since MySQL version 5.0.2):

mysql> DROP USER 'username'@'host';

 

2009-08-25

How to upgrade SNMP agent on Debian Etch

Hi!

This is my first post on my very first blog.
So I ask for your understanding.
Also - I'm not an xNIX systems expert (yet), so posts regarding Linux may contain some errors.
Again - be forgiving :-)
(and give feedback, always give feedback!!)


OK. To the point.

I'm using SNMP to get performance data of a Linux (Debian Etch) machine. I need to get CPU usage of every core separately. Unfortunately the machine does not give out that information via SNMP.
I fixed it by upgrading SNMP agent to latest (almost) stable version.


Here are the steps I needed to take.

Check the current snmpd version installed on said box:
  • locally:
find / -name snmpd
/usr/sbin/snmpd -v
  • remotely:
snmpwalk -v 1 -c community_string X.X.X.X versiontag
It turned out that the machine used snmpd version 5.2.3, which is the latest version for Debian Etch.

So the only way to use newer SNMP agent on this old Debian is to compile it from source.

Download the latest stable source package of Net-Snmp:
wget http://sourceforge.net/projects/net-snmp/files/net-snmp/5.4.2.1/net-snmp-5.4.2.1.tar.gz/download

Unpack it, configure, compile and install
tar -xf net-snmp-5.4.2.1.tar.gz
cd net-snmp-5.4.2.1
./configure
make
make install
OOOPS! Error:
/usr/bin/ld: cannot find -lperl
It turned out that poor Etch did not have libperl-dev (the Perl development library).
So:
apt-get install libperl-dev
and then compile and install again.

After the installation disable / remove the old snmpd package:

/etc/init.d/snmpd stop
or
aptitude remove snmpd

Run the newly installed agent with old configuration file:
/usr/local/sbin/snmpd -c /etc/snmp/snmpd.conf &

Check the running processes:
 ps -ef | grep -i snmp.
(the dot at the end is a REGEXP symbol for "any single character" so that grep will filter for "snmp" and "snmpd")

And check the SNMP agent version again.
Success!

Afterword:
I use Opsview for monitoring. It is a Nagios-based open-source application. I will talk about it in the near future.