Category Archives: Networking Stuff

Anything Networking realted

Setup RADIUS Server for Watchguard Wi-Fi Access Point Authentication

There are three different components discussed herein, Certificate creation, RADIUS server configuration and WatchGuard firewall configuration. I’ve left out the switch/networking portion, as it is mostly covered in the WatchGuard firewall section.

Self-Signed Certificate Creation

You need to create a Self-Signed Certificate on the RADIUS Server.
Open Windows PowerShell as an Administrator.

Enter the following at the prompt:

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname DC1.Server.local

Note: Change the Bolded portion of the command line to the FQDNS name of the RADIUS Server.

Open MMC and add the Certificate to the Computer Account, Press OK.MMC

Highlight the Certificate you just created under Certificates>Personal>Certificates and Right Click and Copy.

Next, expand Trusted Root Certificate Authorities>Certificates and Paste the newly created Certificate there.


RADIUS Server Setup… 

Setup RADIUS Clients and be sure to use a Shared Secret at least 22 characters long.
Make sure to add each AP to the RADIUS Clients list.
RADIUS Clients

Create a Connection Request Policy as follows:
Connection Request Policy

Check Wireless – IEEE 802.11 under Common 802.11 connection tunnel types and Wireless – Other under Others in the NAS Port Type settings.
Secure Wireless Connections Policies

Leave all of the Settings under the configuration tab blank/default:
Settings

Create a Network Policy as follows:
Network Policies

Select the Windows Group and add the Security Group you created in AD to allow Wifi access…
This can be a specific group or Domain Users to allow everyone authenticated through AD.
Add NAS Port Type and select Wireless – IEEE 802.11 under Common 802.11 connection tunnel types and Wireless – Other under Others section.
Conditions

Ensure the Constraints tab is set as follows:
Add Microsoft Protected EAP (PEAP) as the EAP Type and verify there is an issued certificate.
Add Secured password (EAP-MSCHAP v2) as the EAP Type in the Protected EAP Properties.
Contraints

The Settings tab can just be left at its defaults.

If a particular setting wasn’t listed above, leave it as default or blank.


WatchGuard Firewall and Access Point setup…

In this configuration setup, there are four Access Points which broadcast two SSID’s, Secure and Guest.
Secure SSID is for RADIUS Authentication and Guest is for Internet Only access.

The network configuration is as follows:

VLAN 1 – default subnet, Trusted Zone, untagged (192.168.1.0/24)
VLAN 85 – Secure SSID, Trusted Zone, tagged (192.168.85.0/24)
VLAN 95 – Guest SSID, Optional Zone, tagged (192.168.95.0/24)
VLAN 254 – Voice, Trusted Zone, tagged (192.168.254.0/24)

VLAN 1, Firewall – Gateway for the data subnet under the NETWORK settings.
VLAN 1VLAN 85, Secure – Gateway for Secure SSID
SecureSetup DHCP under the Network tab to issue IP address configurations to Secure clients:
Secure DHCPVLAN 95, Guest – Gateway for Guest SSID
GuestSetup DHCP under the Network tab to issue IP address configurations to Guest clients:
Guest DHCPEach Access Point is to be configured as follows:
Assign each Access Point with a static IP address in your Default/Data VLAN subnet.
RADIUS Clients
Add each Unpaired Access Point to the Gateway Wireless Controller with the following under NETWORK settings:
Access PointsAccess pointsSetup SSIDs as follows:

Label the Network Name (SSID) for the Secure VLAN.
Check Enable VLAN tagging and enter the VLAN number for the Secure subnet.
Secure SSIDUnder the Security tab, configure the settings as follows:
Be sure to match the RADIUS Secret defined on the RADIUS Server and that it is at least 22 characters long.
Secure SecurityUnder the Access Points, select each Radio you wish to show as available for this SSID.
Secure RadiosLabel the Network Name (SSID) for the Guest VLAN.
Check Enable VLAN tagging and enter the VLAN number for the Guest subnet.

Guest SSID

Under the Security tab, configure the settings as follows:
Guest SecurityUnder the Access Points, select each Radio you wish to show as available for this SSID.
Guest RadiosNow, the Access Points should show up under the Gateway Wireless Controller.
Access Points
Add a Firewall Policy under FIREWALL settings as follows:
Firewall PolicyNext, click on the Policy to add the Access Points and RADIUS Server to the configuration.
Add each Access Point in the FROM list and the RADIUS Server in the TO list. Leave all else as defaults.
Policy SettingsAdd the Wifi Group defined in AD and select RADIUS as the Authentication Server under AUTHENTICATION settings.
The Group Name needs to match the Group defined in RADIUS Server allowed access to connect to the Access Points.
Add RADIUS GroupRADIUS Group

Advertisements

Double NAT to allow IPSEC VPN on firewall behind router or firewall

On your Site 1 internet router/firewall, NAT the following ports to your VPN firewall’s External IP address

ports

Note: To setup a proper IPSEC VPN on a firewall that is behind an internet facing router/firewall, your IPSEC VPN firewall must be assigned an internal IP address. The above example shows the IPSEC VPN firewall as 192.168.254.100.

This is the IP subnet that is hosted by the internet router/firewall. 192.168.254.100 is what the External interface of the IPSEC VPN firewall is assigned. Its internal subnet must be on a different subnet. This example will use 172.29.0.0/24

The IPSEC VPN tunnel configuration is exactly identical as if the device was the internet facing device.

In the VPN tunnel configuration, setup your local gateway to what the internet facing device (External) IP address is assigned.

On the remote IPSEC VPN tunnel, configure its remote IP address to the same IP address that is assigned to the above local gateway.

Example:

Site 1 (Home)                                                   Site 2 (Business)

Local GW: 1.1.1.1                                             Local GW: 2.2.2.2
Remote GW: 2.2.2.2                                      Remote GW: 1.1.1.1
Internal: 172.29.0.0/24                                Internal: 192.168.1.0/24
Remote: 192.168.1.0/24                                Remote: 172.29.0.0/24

vpn.png

Switch VLAN Tags on Switchports

Connect into the Cisco switch:

 switch1

 Login:

switch2

Ensure no other users are logged in:

switch3

If more than one user is logged in, ensure the other user(s) log out prior to making any changes.

Show running config:

switch4

Scroll down to the switchport needing changed. When –More– shows, press the spacebar to view more of the configuration:

Once the switchport is in view, press the Esc key to end scrolling the config:

Enter configuration terminal mode:

switch5

Using the cursor, highlight the switchport needing changed by left clicking in front of the line and scrolling right until you highlight the switchport number:

switch6

Right click and the highlighted text will copy and paste into your config line:

switch7

Press Enter and that allows that particular switchport interface to be edited:

switch8

Using the cursor, highlight the switchport access vlan needing changed by left clicking in front of the line and scrolling right until you highlight the vlan number:

switch9

Right click and the highlighted text will copy and paste into your config line:

Press the Delete key to remove the current vlan number and enter the new vlan you wish to assign to the switchport:

switch10

Continue making additional switchport changes by using your up arrow key to display the switchport line from the history and change the switchport number to your desired switchport number. Once the change has been made, press Enter and use the same feature to change the vlan tag as well.

Exit the terminal and configuration mode by entering ‘exit and press Enter’ twice:

switch11

Save running config to startup config:

switch12

Port Forwarding to Host on ASA

To forward a port to a device behind the firewall on your inside subnet, follow the steps below:

Using the ASDM, Add Network Object under the Configuration/Firewall/Objects/Network Objects/Groups settings.

Provide a Name, select Host and enter it’s IP Address.
Check the Add Automatic Address Translation Rules box.
Ensure the Type is Static.
Set the Translated Addr to outside.
Click on the Advanced… button.
Set the Source Interface to inside and the Destination Interface to outside.
Select the correct Protocol Service, then enter the correct Real Port and Mapped Port.
Click OK.

port1

Add Access Rule under Configuration/Firewall/Access Rules.
Set the Interface to inside.
Set Action to Permit.
Set Source to any
Set Destination to the device you are forwarding the port to.
Set the Service to the Protocol/Port you are forwarding.
Click OK.port2

Configure ASA for S2S IPSEC VPN

In the toolbar in the ASDM, select Wizards/VPN Wizards/Site-to-site VPN Wizard…

Step 1: Click Next on the Introduction screen.
Step 2: Enter the Peer IP Address for the remote site and ensure the VPN Access Interface is set to outside, click Next

s2swizard1

Step 3: Browse the Local Network by clicking on the three to the right of the Local Network field.
Select inside-network and click on the Local Network button, then click OK
Enter the Remote Network IP/Class for the remote subnet, Example(10.10.1.1/24) then click Next

s2swizard2

Step 4: Select Simple Configuration, enter the Pre-shared Key and click Next

s2swizard3

Step 5: Exempt the Inside interface by marking the box with a checkmark and click Next

s2swizard4

Step 6: Review the configuration and click Finish if everything is correct, click Back to make any changes needed.

s2swizard5

Uncheck IKEv2 Enabled checkbox, then click Edit on the Connection Profile you just created.

s2swizard6

Verify the appropriate IKE Policy is used in the Ipsec Settings/IKE v1 Settings/Encryption Algorithms, if not, click Manage and Add it.

s2swizard7

Click Apply, then Save

Subnet Cheat Sheet

I’ve created this easy to remember cheat sheet for use while taking your Cisco exams. Once you have copied it onto paper a few times, you will realize just how easy it is and how valuable it is when testing for your Cisco exams. After reviewing several different methods for computing the number of hosts and subnets, I’ve consolidated the information so it will save you considerable amounts of time in computations during your exams.