Coming from a Cisco QoS background, I wanted to get a good grasp on HP QoS with the ProCurve switches, but there isn't much information out there (besides the Advanced Traffic Management Guide by HP). This post should consolidate some of that information, and is based on the Advanced Traffic Management Guide, various vendor HP interoperability guides, and talks with some of the guys over at HP Networking.
HP QoS Basics:
The 4 components of HP ProCurve QoS are:
Enable QoS
Decide how many traffic queues you need
Assign guaranteed minimum bandwidth (GMB)/traffic servicing per queue
Classify traffic and assign to 802.1p priority
These four steps can be achieved with a single command (almost like an Auto QoS). This command enables QoS, the 8 queue model, GMB, and DSCP-to-802.1p mappings of the primary DSCP values.
HP(config)# qos type-of-service diff-services
Now that QoS has been enabled, we can look at how HP maps 802.1p priorities to each queue:
HP# show qos queue-config
Egress Queue Configuration
Queue 802.1p Priority
------- ------------
1 1
2 2
3 0
4 3
5 4
6 5
7 6
8 7
As you can see, traffic goes into queue 3 by default (802.1p priority 0), background or scavenger traffic would be assigned to 802.1p priority 1 or 2, and more important traffic assigned to priorities 3-7. Now that we know where the traffic is going, let's look at the bandwidth assigned to each queue:
HP# show bandwidth output 1
Outbound Guaranteed Minimum Bandwidth %
Port Q1 Q2 Q3 Q4 Q5 Q6 Q7 Q8
------ --- --- --- --- --- --- --- ---
1 2 3 30 10 10 10 15 20
Traffic with priority 1 or 2 gets the least amount of guaranteed bandwidth at 2% and 3%. Default traffic is guaranteed 30%, and we see that the upper queues (7 and 8) get 15% and 20% respectively. Note that this is just guaranteed minimum bandwidth (GMB), not shaping or policing. If the other queues are not full, traffic can burst above its guaranteed rate. If the default values do not fit your network needs, the values can be changed on a port-by-port basis:
HP(config)# interface 1 bandwidth-min output 1 1 10 1 5 1 1 80
HP# show bandwidth output 1
Outbound Guaranteed Minimum Bandwidth %
Port Q1 Q2 Q3 Q4 Q5 Q6 Q7 Q8
------ --- --- --- --- --- --- --- ---
1 1 1 10 1 5 1 1 80
HP also does time-slicing per queue, depending on the assigned GMB. For example, by default, traffic in queue 3 (GMB=30%) will be serviced for 30% of the time window before the next queue's packets are serviced. With the modified GMB values directly above, queue 8 would be serviced for 80% of the time before moving to the next queues.
There are also memory buffers assigned to each queue, but those are platform dependent and not publicly available (they are also not configurable).
Finally, we can view the default DSCP-to-802.1p Priority mappings:
HP# show qos dscp-map
DSCP -> 802.p priority mappings
NOTE: 'qos type-of-service diff-services' must be configured before DSCP is honored on inbound traffic.
DSCP CodePoint DSCP Value 802.1p tag DSCP Policy name
------------------------ ----------------- -------------- --------------------------------
000000 0 0 cs0
000001 1 No-override
000010 2 No-override
000011 3 No-override
000100 4 No-override
000101 5 No-override
000110 6 No-override
000111 7 No-override
001000 8 1 cs1
001001 9 No-override
001010 10 1 af11
001011 11 No-override
001100 12 1 af12
001101 13 No-override
001110 14 2 af13
001111 15 No-override
010000 16 2 cs2
010001 17 No-override
010010 18 0 af21
010011 19 No-override
010100 20 0 af22
010101 21 No-override
010110 22 3 af23
010111 23 No-override
011000 24 3 cs3
011001 25 No-override
011010 26 4 af31
011011 27 No-override
011100 28 4 af32
011101 29 No-override
011110 30 5 af33
011111 31 No-override
100000 32 4 cs4
100001 33 No-override
100010 34 6 af41
100011 35 No-override
100100 36 6 af42
100101 37 No-override
100110 38 7 af43
100111 39 No-override
101000 40 5 cs5
101001 41 No-override
101010 42 No-override
101011 43 No-override
101100 44 No-override
101101 45 No-override
101110 46 7 ef
101111 47 No-override
110000 48 6 cs6
110001 49 No-override
110010 50 No-override
110011 51 No-override
110100 52 No-override
110101 53 No-override
110110 54 No-override
110111 55 No-override
111000 56 7 cs7
111001 57 No-override
111010 58 No-override
111011 59 No-override
111100 60 No-override
111101 61 No-override
111110 62 No-override
111111 63 No-override
As you can see, by default, EF traffic is assigned a priority of 7, placed in queue 8, and therefore given a GMB of 20%.
If your traffic comes into the switch with DSCP values, then verify the default DSCP-to-priority mapping meets your application's needs. If not, you can assign the DSCP value to a different priority with the following command:
HP(config)# qos dscp-map af31 priority 5
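To make the chain DSCP -> 802.1p priority -> egress queue -> GMB concrete, here is a small Python model (an added example, not code from the post or from HP). It parses rows in the format of 'show qos dscp-map', applies the 'qos dscp-map' and 'bandwidth-min output' commands shown above, and answers "which queue and what guaranteed minimum does this DSCP value get?"; the class and function names are this example's own, and treating a GMB total above 100% as invalid is a modelling assumption.

```python
"""Model of the HP ProCurve QoS chain: DSCP -> 802.1p -> egress queue -> GMB.
Added example; not from the post or from HP. Names below are this example's own."""

# Default 802.1p priority -> egress queue in the 8-queue model ('show qos queue-config').
PRIORITY_TO_QUEUE = {1: 1, 2: 2, 0: 3, 3: 4, 4: 5, 5: 6, 6: 7, 7: 8}

# Default per-queue GMB percentages Q1..Q8 ('show bandwidth output 1').
DEFAULT_GMB = [2, 3, 30, 10, 10, 10, 15, 20]

# Constructed excerpt in the format of 'show qos dscp-map' (the real command prints all 64 rows).
SAMPLE_DSCP_MAP_OUTPUT = """\
DSCP CodePoint DSCP Value 802.1p tag DSCP Policy name
------------------------ ----------------- -------------- --------------------------------
000000 0 0 cs0
000001 1 No-override
001000 8 1 cs1
011010 26 4 af31
100010 34 6 af41
101110 46 7 ef
110000 48 6 cs6
111000 56 7 cs7
"""


def parse_dscp_map(output):
    """Parse 'show qos dscp-map' rows into {dscp_value: (priority, policy_name)}.
    Rows marked No-override are skipped: the switch does not rewrite those packets."""
    mapping = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit() or len(fields[0]) != 6:
            continue  # header, rule line or blank
        if fields[2] == "No-override":
            continue
        value, priority, name = int(fields[1]), int(fields[2]), fields[3]
        if int(fields[0], 2) != value:  # binary codepoint must agree with the decimal column
            raise ValueError("inconsistent row: %s" % line)
        mapping[value] = (priority, name)
    return mapping


class ProCurveQos:
    def __init__(self, dscp_map_output=SAMPLE_DSCP_MAP_OUTPUT):
        self.dscp = parse_dscp_map(dscp_map_output)
        self.names = {name: value for value, (_, name) in self.dscp.items()}
        self.gmb = list(DEFAULT_GMB)

    def dscp_map(self, codepoint, priority):
        """Model of 'qos dscp-map <name|0-63> priority <0-7>'."""
        if not 0 <= priority <= 7:
            raise ValueError("802.1p priority must be 0-7")
        value = self.names.get(codepoint, codepoint)
        if not isinstance(value, int) or not 0 <= value <= 63:
            raise ValueError("unknown DSCP codepoint %r" % codepoint)
        name = self.dscp.get(value, (None, str(value)))[1]
        self.dscp[value] = (priority, name)
        self.names[name] = value

    def bandwidth_min(self, *percentages):
        """Model of 'interface N bandwidth-min output q1 q2 ... q8': one value per queue,
        each 0-100. A total above 100% is rejected here (modelling assumption), since a
        guaranteed minimum is carved out of the port's capacity."""
        if len(percentages) != len(self.gmb):
            raise ValueError("need exactly %d values" % len(self.gmb))
        if any(not 0 <= p <= 100 for p in percentages):
            raise ValueError("each value must be 0-100")
        if sum(percentages) > 100:
            raise ValueError("guaranteed minimums total %d%% (> 100%%)" % sum(percentages))
        self.gmb = list(percentages)

    def lookup(self, dscp_value):
        """Return (priority, queue, gmb_percent) for a DSCP value, or None when the map
        says No-override (the frame keeps whatever 802.1p priority it arrived with)."""
        if dscp_value not in self.dscp:
            return None
        priority = self.dscp[dscp_value][0]
        queue = PRIORITY_TO_QUEUE[priority]
        return priority, queue, self.gmb[queue - 1]


if __name__ == "__main__":
    qos = ProCurveQos()
    print("EF   ->", qos.lookup(46))      # (7, 8, 20): priority 7, queue 8, 20% GMB
    qos.dscp_map("af31", 5)               # the remap command from the post
    print("AF31 ->", qos.lookup(26))      # (5, 6, 10)
    qos.bandwidth_min(1, 1, 10, 1, 5, 1, 1, 80)
    print("EF   ->", qos.lookup(46))      # (7, 8, 80)
```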
If your application traffic does not come into the switch with a DSCP value, then you will need to classify the traffic and assign it a priority. This can be done based on MAC address, IP address, VLAN ID, L3 protocol, and L4 ports. I'm not going to go through how to classify traffic with an access-list in this post, maybe in the future!
Here are a couple other interesting facts/suggestions related to ProVision QoS:
Only egress queuing can be enabled. There is no ingress queuing. Egress queuing is the most important, and even according to Cisco's Medianet QoS 4.0 document, ingress queuing is not a requirement in a QoS implementation.
If you do not need to classify traffic into 8 queues, using the 4 queue model will increase the memory buffer available to each queue. By default, the 4 queue model also has a higher GMB for EF traffic, which means EF traffic is serviced more frequently.
There is no "strict priority queue" (like Cisco's "Priority Queue Out"). If you purely want a "strict priority queue" and do not care about other traffic, you can change the GMB and assign 100% of the bandwidth to the highest queue.
What if you just need to implement QoS for ShoreTel VoIP and don't care about all this other stuff? Just use the switch command qos type-of-service diff-services and you are set! ShoreTel classifies voice traffic as EF and call control as AF31. If you want to guarantee more bandwidth to ShoreTel, then I would also use the 4 queue model.
Supported Switches: This guide is based on the HP 2920, 3800, 5400, and 8200 series of switches.
A pair of jobs that disable PoE during non-working hours
Switch(config)# job poe-on at 8:00 on mon-fri config-save "interface 1-24 power-over-ethernet"
Switch(config)# job poe-off at 17:00 on mon-fri config-save "no interface 1-24 power-over-ethernet"
A pair of jobs that block access to a server during weekends
Switch(config)# ip access-list extended block-server
Switch(config-ext-nacl)# deny ip any host 10.0.1.80
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# job allow at 8:00 on mon config-save "no interface 1-24 ip access-group block-server in"
Switch(config)# job deny at 17:00 on fri config-save "interface 1-24 ip access-group block-server in"
A job that blinks the Chassis Locate LED when the switch reboots
Switch(config)# job reboot-led at reboot "chassislocate blink"
A job that reboots the switch on the first day of each year
Switch(config)# job annual-reboot at 2:00 on 1/1 boot
Display a list of scheduled jobs or details of a single job.
Syntax
HP_Switch # show job <Name>
a working config
version 18.4R1.8;
system {
root-authentication {
encrypted-password "$6$Cm7jP3ar$gnKBcARkn.Jw2cTpVbBB8rfhYDTaguFCXBspMEpCXlwKWd/Q9Nf6Z2fBLghoIz3r7.7v37SpcSzZlP8rhWOBN/"; ## SECRET-DATA
}
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
extensions {
providers {
juniper {
license-type juniper deployment-scope commercial;
}
chef {
license-type juniper deployment-scope commercial;
}
}
}
}
interfaces {
et-0/0/0 {
unit 0 {
family inet {
dhcp {
vendor-id Juniper-qfx10002-72q;
}
}
}
}
}
commands required to get stuff to work
delete interface xe-0/0/0
delete interface xe-0/0/0:0
delete interface xe-0/0/0:1
delete interface xe-0/0/0:2
delete interface xe-0/0/0:3
etc etc to clear old junk
set system root-authentication encrypted-password "$6$Cm7jP3ar$gnKBcARkn.Jw2cTpVbBB8rfhYDTaguFCXBspMEpCXlwKWd/Q9Nf6Z2fBLghoIz3r7.7v37SpcSzZlP8rhWOBN/"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system extensions providers juniper license-type juniper deployment-scope commercial
set system extensions providers chef license-type juniper deployment-scope commercial
set interfaces et-0/0/0 unit 0 family inet dhcp vendor-id Juniper-qfx10002-72q
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members vlan10
set interfaces et-0/0/1 unit 0 family inet dhcp vendor-id Juniper-qfx10002-72q
set interfaces xe-0/0/1 unit 0 family inet dhcp vendor-id Juniper-qfx10002-72q
set interfaces et-0/0/2 unit 0 family inet dhcp vendor-id Juniper-qfx10002-72q
set interfaces xe-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members vlan10
set vlans default vlan-id 1
set vlans vlan10 vlan-id 10
set vlans vlan100 vlan-id 100
commit - this will commit the commands previously entered - until you run this you are not applying config to the live system
commit confirmed - this will apply the config as above but only for 10 mins; after this it will revert back to the pre-commit config unless confirmed with another commit.
commit check - useful if you are adding lots of config changes and want to be sure you are not applying conflicts or errors - this only checks / validates
rollback 0 - this will undo the changes you have made but not committed.
show | compare - this shows uncommitted commands / config.
run show vlans
Delete interface to remove ....................
show | display set
unit 0 is most common; you can replace "unit 0" with ".0", e.g. xe-0/0/1.0
show chassis fpc pic-status - is management working ?
show chassis hardware
show chassis fpc
to get rid of terminal puke
set
system {
syslog {
user * {
any emergency;
match "!(.*Scheduler Oinker*.|.*Frame 0*.|.*ms without yielding*.)";
}
}
}
Set an IP address:
1. Create layer2 vlan name and vlan id:
# set vlans vlan-name vlan-id vlan-id
Example:
# set vlans vlan100 vlan-id 100
2. Then assign that vlan to an interface:
# set interfaces interface-name unit logical-unit-number family ethernet-switching vlan members vlan-name
Example:
# set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan100
3. Then create a logical l3 interface and assign that interface to a vlan:
# set interfaces vlan unit logical-unit-number family inet address inet-address
Example:
# set interfaces vlan unit 100 family inet address 10.10.10.1/24
4. Then link the l3-interface to the vlan:
# set vlans vlan-name l3-interface vlan.logical-interface-number
Example:
# set vlans vlan100 l3-interface vlan.100
Here is the result:
# run show interfaces vlan
Physical interface: vlan, Enabled, Physical link is Up
Interface index: 129, SNMP ifIndex: 328
Type: VLAN, Link-level type: VLAN, MTU: 1518, Speed: 1000mbps
Device flags : Present Running
Link type : Full-Duplex
Link flags : None
Current address: 00:23:9c:12:5b:00, Hardware address: 00:23:9c:12:5b:00
Last flapped : Never
Input packets : 1808099
Output packets: 22785
Logical interface vlan.100 (Index 118) (SNMP ifIndex 630)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 959
Output packets: 19
Protocol inet
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255
Done!
show | compare
show | display set
HP does not like you to use "unsupported" modules; you can do so, however, by entering the undocumented command:
allow-unsupported-transceiver
1. configure terminal
2. interface interface-id
3. Depending on your auto-Qos configuration, use one of the following commands:
• auto qos voip {cisco-phone | cisco-softphone | trust}
• auto qos video {cts | ip-camera | media-player}
• auto qos classify [police]
• auto qos trust {cos | dscp}
4. end
5. show auto qos interface interface-id
show auto qos
no auto qos
show running-config | i autoQos
no policy-map policy-map_name
show running-config | i AutoQoS
6. show auto qos
7. write memory
Shutting Interfaces from Kron using Macros in Cisco IOS
You should be able to use kron and macros to be able to shut interfaces on a scheduled basis in Cisco IOS.
1. Make a macro to shut the interfaces (or perform other nested tasks)
Router(config)# macro name macro_name1
Router(config)# interface Vlan1
Router(config-if)# shutdown
Router(config-if)# no shutdown @
2. Make a kron job to call the Cisco IOS macro.
Router(config)# kron policy-list policy_name1
Router(config-kron-policy)# cli macro_name1
Router(config-kron-policy)# exit
3. Next, create a kron occurrence, in which you tell the router when and how often you want to run this policy list (i.e., group of commands). Here's an example:
Router(config)# kron occurrence policy_name1 at 22:00 Mon recurring
Router(config-kron-occurrence)# policy-list policy_name1
Router(config-kron-occurrence)# exit
Performing Command-Line Processing
Switch commands are not case sensitive. You can abbreviate commands and parameters if the abbreviations contain enough letters to be different from any other currently available commands or parameters.
You can scroll through the last 20 commands stored in the history buffer and enter or edit a command at the prompt. Table 2-1 lists the keyboard shortcuts for entering and editing switch commands.
Performing History Substitution
The history buffer stores the last 20 command lines you entered. History substitution allows you to access these command lines without retyping them. Table 2-2 lists the history substitution commands.
Table 2-1 Keyboard Shortcuts
Keystrokes                                Result
----------------------------------------- ------------------------------------------------------------
Press Ctrl-B or the Left Arrow key (1)    Moves the cursor back one character.
Press Ctrl-F or the Right Arrow key (1)   Moves the cursor forward one character.
Press Ctrl-A                              Moves the cursor to the beginning of the command line.
Press Ctrl-E                              Moves the cursor to the end of the command line.
Press Esc-B                               Moves the cursor back one word.
Press Esc-F                               Moves the cursor forward one word.
Press Ctrl-P or the Up Arrow key (1)      Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall older commands successively.
Press Ctrl-N or the Down Arrow key (1)    Returns to more recent commands in the history buffer after commands have been recalled with Ctrl-P or the Up Arrow key. Repeat the key sequence to recall more recent commands.
Switch# show history                      Lists the last several commands you have entered in EXEC mode.
(1) The Arrow keys function only on ANSI-compatible terminals, such as VT100s.
To set the management IP address: set deviceconfig system ip-address <ip address> netmask <netmask> default-gateway <default gateway> dns-setting servers primary <DNS ip address>
commit
configure
These are the additional settings for a Cisco 3750X switch to get DOT1x authentication working with computer certificates. This was done using a Cisco ACS 5.3 server as the radius server and a Windows Server 2008 R2 certificate authority. The CA has SCEP setup to allow the auto-issuing of certificates when requested from a Cisco device.
I had issues getting the computer and phone to happily live on the same port, but at the same time being able to put them into different authentication domains. The issue was fixed by creating a custom attribute on the radius server when it responds to these requests. You need to create/modify the cisco-av-pair attribute to contain the string device-traffic-class=voice. On the Cisco ACS 5 servers, this can be accomplished more easily under the common tasks tab of the authorization profile, by setting the Voice Vlan-Permission to join option to static.
On the ACS server, you could enter every MAC address manually that you want authenticated, which is more secure for a smaller deployment but a pain for larger ones. Instead I entered 2 MAC address ranges with wildcards to match the 2 phone ranges that I knew would be in use. Not quite as secure, but once this is combined later on with an access list on the voice vlan, the security should be as good as it's going to get.
CONFIG TIME:
aaa new-model
#Additional AAA settings needed to use radius for dot1x
aaa authentication dot1x default group radius
aaa authorization network default group radius
#Create the radius server. Note that this method is new in v15 of Cisco IOS
radius server SERVER-1
address ipv4 192.168.1.100 auth-port 1645 acct-port 1646
key 0 spamhammer
#If a client fails to authenticate, will only shut down the data VLAN on that port
#Useful if a phone shares the same port
errdisable detect cause security-violation shutdown vlan
errdisable recovery cause security-violation
#Enable dot1x system wide
dot1x system-auth-control
#Create a trustpoint for certificate based auth
#Blank password command allows for this cert to be auto-issued
crypto pki trustpoint TP-1
enrollment mode ra
enrollment url http://192.168.1.100:80/certsrv/mscep/mscep.dll
serial-number
fqdn TLAB-1
password
subject-name cn=LAB-1,c=GB,OU=Switch
revocation-check crl
auto-enroll 80
#After setting up the trustpoint, you can request the certificate by using the commands 'crypto pki authenticate trustpoint TP-1' (authenticates the CA server) and then 'crypto pki enroll trustpoint TP-1' (requests a certificate)
#Generic interface configuration
interface GigabitEthernet1/0/1
switchport access vlan 50
switchport mode access
switchport voice vlan 60
logging event link-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
mab
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 5
auto qos trust
spanning-tree portfast
Devices attempting to connect to a LAN or WLAN require an authentication mechanism. IEEE 802.1X, an IEEE Standard for Port-Based Network Access Control (PNAC), provides protected authentication for secure network access.
An 802.1X network is different from home networks in one major way; it has an authentication server called a RADIUS Server. It checks a user's credentials to see if they are an active member of the organization and, depending on the network policies, grants users varying levels of access to the network. This allows unique credentials or certificates to be used per user, eliminating the reliance on a single network password that can be easily stolen.
KEY TAKEAWAYS
802.1X is an authentication protocol to allow access to networks with the use of a RADIUS server.
802.1X and RADIUS based security is considered the gold standard to secure wireless and wired networks today.
802.1X is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server. The RADIUS server is able to do this by communicating with the organization's directory, typically over the LDAP or SAML protocol.
KEY TAKEAWAYS
802.1X gives the device access to the protected side of the network after authentication.
802.1X offers a few different ways to authenticate, such as username/password, certificates, OTP, etc.
The standard authentication protocol used on encrypted networks is Extensible Authentication Protocol (EAP), which provides a secure method to send identifying information over-the-air for network authentication. 802.1X is the standard that is used for passing EAP over wired and wireless Local Area Networks (LAN). It provides an encrypted EAP tunnel that prevents outside users from intercepting information.
The EAP protocol can be configured for credential (EAP-TTLS/PAP and PEAP-MSCHAPv2) and digital certificate (EAP-TLS) authentication and is a highly secure method for protecting the authentication process.
WPA2-Enterprise Protocols   Level of Encryption               Authentication Speed   Directory Support       User Experience
-------------------------   -------------------------------   --------------------   ---------------------   ---------------
EAP-TLS                     Public-Private Key Cryptography   Fast – 12 Steps        SAML/LDAP/MFA Servers   Best
PEAP-MSCHAPV2               (not given)                       Slow – 22 Steps        Active Directory        Acceptable
EAP-TTLS/PAP                Non-Encrypted Credentials         Slowest – 25 Steps     Non-AD LDAP Servers     Poor
KEY TAKEAWAYS
EAP is the tunnel that transfers a user’s identifying information from client to server.
EAP tunnels most often use username/password or certificates
Not all EAP tunnels are created the same; man-in-the-middle attacks are easier to perform with username/password
802.1X is used for secure network authentication. If you are an organization dealing with valuable and sensitive information, you need a secure method of transporting data. 802.1X is used so devices can communicate securely with access points (enterprise-grade routers). It was historically only used by large organizations like enterprises, universities, and hospitals, but is rapidly becoming adopted by smaller businesses because of the growing threats in cyber security.
802.1X is often referred to as WPA2-Enterprise. In contrast, the Pre-Shared Key network security most often used at home is referred to as WPA2-Personal. WPA2-Personal is not sufficient for any organization dealing with sensitive information and can put organizations at serious risk for cyber crimes.
KEY TAKEAWAYS
Used to secure connections to wired and wireless networks via rotating key security and avoiding Open/Un-Encrypted or static key (PSK) connections
802.1X is used in corporate and campus settings where users get authorized or removed from network access as they enter and leave the organization
Almost. The IEEE 802.1X standard was first designed for use in wired Ethernet networks. Wi-Fi is a trademarked phrase that refers to the IEEE 802.11x standard specifically – a modified version of the original standard.
That being said, most security and networking professionals use the term 802.1X for both wired and wireless networks if they are using WPA2-Enterprise security.
Authenticating a wired network connection for 802.1X is a similar process to wireless. The wired network user must connect to the secure network from their device and present a signed certificate or valid credentials to authenticate their identity.
The primary difference is instead of establishing a secure connection with a wireless switch, your device must be Ethernet connected and authenticate to an 802.1X-capable switch. The device and RADIUS server establish trust over the wired connection and if the user is recognized, they will be authorized for secure network use.
When used correctly, it is the golden standard of network authentication security. It can prevent over-the-air credential theft attacks like Man-in-the-Middle attacks and Evil Twin proxies. It is much more secure than Pre-Shared Key networks, which are typically used in personal networks.
However, 802.1X security can vary greatly depending on two factors. The first variable occurs if end users are left to manually configure their devices. The configuration process requires high-level IT knowledge to understand and if one step is incorrect, they are left vulnerable to credential theft. We highly recommend using dedicated 802.1X onboarding software instead.
The second variable depends on whether an organization is using credential-based authentication or certificate-based authentication. Certificate-based EAP-TLS significantly reduces an organization's risk for credential theft and is the most secure way to use 802.1X. Not only does it stop credentials from being sent over the air where they can be easily stolen, but it forces users to go through an enrollment/onboarding process that ensures their devices are configured correctly.
KEY TAKEAWAYS
One of the most secure protocols for network authentication, trumping WPA2/3-PSK and Open/Unencrypted connections
Requires precise configuration, mistakes made by users lead to security compromise.
Digital certificates instead of username/password based 802.1X mitigates security issues
Yes, 802.1X is encrypted.
802.1X WPA is generally reserved for personal networks, such as your home Wi-Fi, and runs on RC4-based TKIP (Temporal Key Integrity Protocol) encryption. It's less secure than WPA2, but usually sufficient for home use.
802.1X WPA2 could utilize TKIP, but generally chooses AES (Advanced Encryption Standard), which is the most secure standard available. It is a little more difficult and costly to set up however, so it's used in higher-stake environments like businesses.
There are just a few components that are needed to make 802.1X work. Realistically, if you already have access points and some spare server space, you possess all the hardware needed to make secure wireless happen. Sometimes you don't even need the server; some access points come with built-in software that can operate 802.1X (though only for the smallest of small deployments).
Regardless of whether you purchase professional solutions or build one yourself from open source tools, the quality and ease of 802.1X is entirely a design aspect.
KEY TAKEAWAYS
802.1X only includes four major components: client, access-point/switch, RADIUS server, and identity provider
In order for a device to participate in the 802.1X authentication, it must have a piece of software called a supplicant installed in the network stack. The supplicant is necessary as it will participate in the initial negotiation of the EAP transaction with the switch or controller and package up the user's credentials in a manner compliant with 802.1X. If a client does not have a supplicant, the EAP frames sent from the switch or controller will be ignored and the switch will not be able to authenticate.
Fortunately, almost all devices we might expect to connect to a wireless network have a supplicant built-in. SecureW2 provides an 802.1X supplicant for devices that don't have one natively.
Thankfully, the vast majority of device manufacturers have built-in support for 802.1X. The most common exceptions to this might be consumer gear, such as game consoles, entertainment devices or some printers. Generally speaking, these devices should be less than 10% of the devices on your network and are best treated as the exception rather than the focus.
KEY TAKEAWAYS
Software on the device that contains the configuration and connection data (certificates/credentials) which is sent to the access-point/switch
Requires devices be set up precisely to avoid credential theft if username/password authentication is used. Consider configuration software or switching to certificate-based authentication.
Most OSs going back 10-15 years have 802.1X support; IoT support is lacking but catching up
The switch or wireless controller plays an important role in the 802.1X transaction by acting as a 'broker' in the exchange. The client does not have network connectivity until there is a successful authentication, and the only communication is between the client and the switch in the 802.1X exchange.
The switch/controller initiates the exchange by sending an EAPOL-Start packet to the client when the client connects to the network. The client's responses are forwarded to the correct RADIUS server based on the configuration in the Wireless Security Settings. When the authentication is complete, the switch/controller makes a decision whether to authorize the device for network access based on the user's status and possibly the attributes contained in the Access_Accept packet sent from the RADIUS server.
If the RADIUS server sends an Access_Accept packet as a result of an authentication, it may contain certain attributes that provide the switch with information on how to connect the device on the network. Common attributes will specify which VLAN to assign a user to, or possibly a set of ACLs (Access Control Lists) the user should be given once connected. This is commonly called 'User Based Policy Assignment' as the RADIUS server is making the decision based on user credentials. Common use cases would be to push guest users to a 'Guest VLAN' and employees to an 'Employee VLAN'.
KEY TAKEAWAYS
These devices facilitate communication between the device and the RADIUS server.
The access-point/switch is where you configure the network to use 802.1X instead of Open/Unencrypted or WPA2/3-PSK.
Act as enforcement points when RADIUS servers return precise access control policy
The RADIUS server acts as the “security guard” of the network; as users connect to the network, the RADIUS authenticates their identity and authorizes them for network use. A user becomes authorized for network access after enrolling for a certificate from the PKI (Public Key Infrastructure) or confirming their credentials. Each time the user connects, the RADIUS confirms they have the correct certificate or credentials and prevents any unapproved users from accessing the network.
A key security mechanism to employ when using a RADIUS is server certificate validation. This guarantees that the user only connects to the network they intend to by configuring their device to confirm the identity of the RADIUS by checking the server certificate. If the certificate is not the one which the device is looking for, it will not send a certificate or credentials for authentication. This prevents users from falling victim to an Evil Twin proxy attack.
RADIUS servers can also be used to authenticate users from a different organization. Solutions like Eduroam use RADIUS servers as proxies (such as RADSEC). If a student visits a neighboring university, the RADIUS server can authenticate their status at their home university and grant them secure network access at the university they are currently visiting.
KEY TAKEAWAYS
RADIUS Servers are the decision points for devices requesting access to the protected side of the network
RADIUS Servers interact with identity providers to authenticate, authorize and report connections
802.1X needs a RADIUS server because there needs to be a dedicated server to verify credentials. The authentication facet of 802.1X actually occurs at the RADIUS server. The server checks the directory of authorized users to confirm whether or not the client has permission to access the network and passes that information back to the controller/access point. Without a RADIUS server, authentication would have to occur at the access point (this would require some pretty powerful APs), such as in the case of PSK (pre-shared key) authentication.
The Identity Store refers to the entity in which usernames and passwords are stored. In most cases, this is Active Directory or potentially an LDAP server. Almost any RADIUS server can connect to your AD or LDAP to validate users. There are a few caveats when LDAP is used, specifically around how the passwords are hashed in the LDAP server. If your passwords are not stored in cleartext or an NTLM hash, you will need to choose your EAP methods carefully as certain methods may not be compatible, such as EAP-PEAP. This is not an issue caused by RADIUS servers, but rather from the password hash.
SecureW2 can help you set up SAML to authenticate users on any Identity Provider for Wi-Fi access. Here are guides to integrating with some popular products.
Guides are available for SAML authentication within Google Workspace, WPA2-Enterprise with Okta, SAML authentication using Shibboleth, and WPA2-Enterprise with ADFS.
Developing a robust WPA2-Enterprise network requires additional tasks, such as setting up a PKI or CA (Certificate Authority) and seamlessly distributing certificates to users. But contrary to what you might think, you can make any of these upgrades without buying new hardware or making changes to the infrastructure. For example, rolling out guest access or changing the authentication method can be accomplished without additional infrastructure.
Recently, many institutions have been switching EAP methods from PEAP to EAP-TLS after seeing noticeable improvement in connection time and roaming ability. Improving the functionality of wireless networks can be gained without changing a single piece of hardware.
KEY TAKEAWAYS
802.1X traditionally requires a directory (on-prem or cloud) so the RADIUS can communicate to identify each user and what level of access they are allowed.
Directories use usernames and passwords, which makes them vulnerable to major security issues
Newer cloud identity providers (Azure AD, Okta, Google) can interact with next-gen RADIUS to do passwordless identity authorization.
The 802.1X authentication process consists of four steps: Initialization, Initiation, Negotiation, and Authentication.
Initialization
The Initialization step starts when the authenticator detects a new device and attempts to establish a connection. The authenticator port is set to an “unauthorized” state, meaning that only 802.1X traffic will be accepted and every other connection will be dropped.
Initiation
The authenticator starts transmitting EAP-Requests to the new device, which then sends EAP responses back to the authenticator. The response usually contains a way to identify the new device. The authenticator receives the EAP response and relays it to the authentication server in a RADIUS Access-Request packet.
Negotiation
Once the authentication server receives the request packet, it will respond with a RADIUS access challenge packet containing the approved EAP authentication method for the device. The authenticator will then pass on the challenge packet to the device to be authenticated.
Authentication
Once the EAP method is configured on the device, the authentication server will begin sending configuration profiles so the device will be authenticated. Once the process is complete, the port will be set to “authorized” and the device is configured to the 802.1X network.
KEY TAKEAWAYS
Typically 802.1X authentication begins with the client requesting access, the RADIUS server verifying the user against the identity provider, and the access-point/switch allowing access
802.1X authentication works best with certificates because both user and device context are taken into account during authentication, preventing over-the-air credential theft.
802.1X RADIUS accounting involves recording the information of devices that are authenticated to the 802.1X network and the session duration. The device information, usually the MAC address and port number, is sent in a packet to the accounting server when the session begins. The server will receive a message signaling the end of the session.
While this isn't part of the 802.1X authentication process, we get a lot of questions about accounting, as RADIUS Servers are often referred to as AAA (Authentication, Authorization, Accounting) servers.
A VLAN, or Virtual Local Area Network, is a method of configuring your network to emulate a LAN with all of the management and security benefits it provides.
Basically, VLANs segment your network to organize the security rules applied on it. For example, the Open/Guest network is usually put in a different VLAN than the secure network. This helps to make sure that devices and network resources on one VLAN aren't affected if anything bad happens on a separate VLAN.
Digital certificates make VLAN assignment a snap because attributes can be encoded into the certificate that the RADIUS uses to authenticate. You could set up a policy so that anyone with the email domain “it.company.com” would be automatically assigned a different VLAN segment than “sales.company.com”.
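As an added example (not from the original article and not SecureW2's code), the exchange described in the four steps above and the VLAN assignment just mentioned, encoded the way they travel between the authenticator and the RADIUS server: the supplicant's EAP-Response/Identity is wrapped in a RADIUS Access-Request whose Message-Authenticator the server checks, and the Access-Accept carries the RFC 2868 tunnel attributes that place the port in a VLAN chosen from the e-mail domain. The shared secret, identities, the domain-to-VLAN table and the VLAN ids are constructed sample values, and the certificate parsing that yields the e-mail address is assumed to have already happened.

```python
"""Constructed walk-through of EAP-in-RADIUS (RFC 3579) and VLAN assignment
via tunnel attributes (RFC 2868). Secret, identities and VLAN ids are made-up."""
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865, 2868, 3579)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 1, 64, 65
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 79, 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
# EAP code and type (RFC 3748)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
# Constructed policy: e-mail domain from the client certificate -> VLAN id
VLAN_BY_DOMAIN = {"it.company.com": 10, "sales.company.com": 20}


def eap_identity_response(identifier, identity):
    """Initiation step: the supplicant answers EAP-Request/Identity."""
    payload = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(payload)) + payload


def encode_attrs(attrs):
    """RADIUS attributes are TLVs: type, length (header included), value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long; fragment it instead")
        out += bytes([atype, 2 + len(value)]) + value
    return out


def decode_attrs(packet):
    """Parse the attribute list that follows the 20-octet RADIUS header."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(secret, identifier, request_authenticator, attrs):
    """Authenticator -> RADIUS server. Message-Authenticator is HMAC-MD5 over
    the whole packet (its own value zeroed) keyed with the shared secret and is
    mandatory whenever EAP-Message is present (RFC 3579 section 3.2)."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet += request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zero placeholder is the last 16 octets


def verify_message_authenticator(packet, secret):
    """RADIUS server side: an EAP request without a valid HMAC is discarded."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False


def vlan_for_identity(identity):
    """Policy lookup on the e-mail domain taken from the client certificate."""
    return VLAN_BY_DOMAIN.get(identity.rsplit("@", 1)[-1].lower())


def build_access_accept(secret, request_packet, vlan):
    """Access-Accept with the tunnel attributes a switch/AP reads to tag the
    port. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    identifier, request_auth = request_packet[1], request_packet[4:20]
    attrs = encode_attrs([
        (TUNNEL_TYPE, bytes([0]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([0]) + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()),
    ])
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def vlan_from_accept(secret, request_packet, accept_packet):
    """Authenticator side: verify the Response Authenticator before acting on
    any attribute, then read the VLAN id; None means the packet is not trusted."""
    expected = hashlib.md5(accept_packet[:4] + request_packet[4:20]
                           + accept_packet[20:] + secret).digest()
    if accept_packet[0] != ACCESS_ACCEPT or not hmac.compare_digest(expected, accept_packet[4:20]):
        return None
    attrs = dict(decode_attrs(accept_packet))
    if attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return None
    return int(attrs[TUNNEL_PRIVATE_GROUP_ID].decode())
```

The two verification steps are the security-relevant part: verify_message_authenticator is what keeps an Access-Request that was not built with the shared secret away from EAP processing, and vlan_from_accept refuses to act on VLAN attributes from an Access-Accept whose Response Authenticator does not match.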
MAC authentication, or MAC address authentication, is a simple security measure in which you create a list of approved MAC addresses that are allowed network access.
Unfortunately, it's not difficult to spoof MAC addresses, so MAC authentication is rarely deployed on enterprise levels.
MAC RADIUS is a form of MAC Authentication. Instead of using a credential or a certificate to authorize a device, the RADIUS confirms the MAC address and authenticates.
The primary use of MAC Bypass is to tie in devices that don't support 802.1X (like game consoles, printers, etc.) to your network. However, it's still vulnerable, so it should be in a separate VLAN.
You can configure 802.1X on Windows OS devices in two ways: manually, or with device onboarding software.
Manually configuring a Windows device requires the user to set up a new wireless network, enter a network name, set the security type, adjust network settings, set the authentication method, and many more steps. While it's certainly possible to complete this process accurately, it is highly complex and much more difficult than onboarding software designed for efficiency.
The process for configuring Windows OS with SecureW2 requires the user to connect to the onboarding SSID and open an internet browser. The user is sent to SecureW2's JoinNow onboarding software. After clicking JoinNow, a graphic will indicate the progress of the configuration. The user will then be prompted to enter their credentials, and the device will be authenticated and equipped with a certificate.
For macOS, you can either manually configure or employ onboarding software to set up 802.1X.
In order to manually configure macOS, the end user needs to know how to create an enterprise profile, install a client security certificate, verify the certificate, and adjust the network settings. The process isn't too difficult for someone with a background in IT, but it is risky for the average network user because of the high-level technical information involved with each step.
Downloading the SecureW2 JoinNow Suite for macOS enables automation so end users are not required to complete the process. The setup is similar to Windows OS; the end user starts by connecting to the onboarding SSID and opens a browser. After downloading the .DMG file and entering their credentials, the configuration process begins. The entire configuration and authentication requires only a few steps, allowing the end user to sit back while the device configures.
You are able to configure your Android for 802.1X in two ways: manually through the Wi-Fi settings or with device onboarding software.
Configuring manually via Wi-Fi settings requires you to create a network profile, configure Server Certificate Validation (which requires uploading the CA used on the RADIUS Server and the common name), and configuring the authentication method. If you use device onboarding software, all these steps are done by an application that can be downloaded from the Play Store that will configure your organization's network settings for you.
Configuring 802.1X authentication for iPhones requires you to either manually configure the device or use onboarding software.
Manual configuration means you need to create a network profile in the Wi-Fi settings and configure Server Certificate validation and the authentication method. The process is much simpler with onboarding software because SecureW2 can push a mobile config file to an iPhone device and configure the network settings automatically.
Like other operating systems, there are two methods to configure 802.1X on Linux.
The manual configuration is relatively simple. Open up Network Manager, select Edit Connections, find your access point and click Edit. A new window will open up, choose the tab that says 802.1X settings and input the information of your network.
For one device, this is a straightforward process. If you need to onboard many devices (and users), you need SecureW2's automatic device onboarding software. Click here to learn more.
KEY TAKEAWAYS
802.1X settings can include the SSID, EAP type, authentication protocols, certificates, and server certificate validation, which trusts the authentic RADIUS server (vs. an evil twin)
The options are auto-configuration via onboarding software or MDM, or manual configuration.
For unmanaged/BYOD devices, onboarding software can mitigate security risk
802.1X is an IEEE standard framework for encrypting and authenticating a user who is trying to associate to a wired or wireless network. WPA-Enterprise uses TKIP with RC4 encryption, while WPA2-Enterprise adds AES encryption.
No security protocol is invulnerable, and 802.1X is not an exception.
Wireless 802.1X's most common configurations are WPA-PSK (pre-shared key, also called WPA-Personal) and WPA or WPA2 Enterprise.
PSK is the simplest and the most vulnerable. A password is configured on the access point and distributed to users of the network. It's intended for personal use, mostly in homes. It's easily cracked with a run-of-the-mill brute force attack, and is also susceptible to all other common attacks.
Enterprise-level wireless networks are typically not compromised by brute force attacks because their network administrator will have mandated complex passwords and reset policies. Particular vulnerabilities vary depending on the authentication standard used by the enterprise network.
PEAP MSCHAPv2 was once the industry standard for WPA2-Enterprise networks, but it's been cracked. There are still many organizations using this standard, despite the inherent vulnerabilities to over-the-air attacks.
EAP-TTLS/PAP is another common standard that is also very vulnerable to over-the-air attacks. It's particularly weak because credentials are sent in clear text, so it's a simple matter for hackers to intercept and steal. Further exacerbating the problem is the rising popularity of Cloud RADIUS servers. Many of them only support EAP-TTLS/PAP, so end users are forced to send their credentials in clear text over the internet.
The strongest WPA2-Enterprise standard is EAP-TLS. It relies on the asymmetrical cryptography of digital certificates for authentication, which renders it immune to over-the-air attacks. Even if a hacker intercepts the traffic, they will only harvest one half of the public-private key pair – which is useless without the other half.
Click here for more details on the steely defenses offered by EAP-TLS.
KEY TAKEAWAYS
Leaving 802.1X configuration to the end user risks misconfiguration and security compromise.
Trusting the right RADIUS server (vs. an evil twin) is very important but not mandatory in 802.1X, so ensure server certificate validation is always enabled.
Credential-based EAP methods like PEAP-MSCHAPv2 or EAP-TTLS/PAP are vulnerable; switch to certificate-based EAP-TLS. Industry titans like Microsoft recommend moving to certificates.
The security of your network is the security of your organization. You wouldn't leave your front door unlocked, so why would you leave your network unsecured?
SecureW2 is trusted by some of the biggest companies in the world to provide the highest level of security and peace of mind. Our software solutions can be integrated seamlessly into your current network infrastructure or stand on their own as a fully-managed network security service.
We have affordable options for organizations of any size. Check out our pricing to learn more.
KEY TAKEAWAYS
Implement 802.1X by avoiding usernames/passwords and deploying digital certificates
Make RADIUS connection decisions based on both user and device information
Consider a cloud-native RADIUS solution that integrates with cloud identities without password based LDAP
! Generates a named keypair to be used in the trustpoint
crypto key generate rsa modulus 1024 label PKI-KEYPAIR
crypto pki trustpoint TP-1
enrollment mode ra
enrollment url http://192.168.1.100:80/certsrv/mscep/mscep.dll
serial-number
fqdn RTR-IPSEC
ip-address GigabitEthernet0/1
password
subject-name cn=RTR-IPSEC,c=GB,ou="Routers"
! ONLY HAVE REVOCATION CHECK IF ROUTER CAN REACH CRL WHEN TUNNEL IS DOWN
revocation-check crl
rsakeypair PKI-KEYPAIR
auto-enroll 80 regenerate
! Authenticates the CA server (fetches and verifies the CA certificate)
crypto pki authenticate TP-1
! Requests a certificate for the router from the CA
crypto pki enroll TP-1
crypto isakmp policy 1
encr aes
group 2
crypto ipsec security-association lifetime kilobytes 2048000
crypto ipsec transform-set TRANSFORM-1 esp-aes esp-sha-hmac
crypto map WAN 1 ipsec-isakmp
set peer 10.10.10.10
set transform-set TRANSFORM-1
match address 100
interface GigabitEthernet0/1
description IPSEC LINK
bandwidth 10000
ip address 10.10.10.9 255.255.255.0
duplex auto
speed auto
crypto map WAN
access-list 100 permit ip any any
Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname console-wizard
!
enable secret 5 $1$Mnd3$BnScUWJqrhb1nyeUemz8r1
enable password 7 14111B190905262A3625
!
username cisco password 7 105F1E1C17030B
username terry password 7 1424071B0916392E273D21307242
username admin password 7 1214504F44080B122C2D
ip subnet-zero
ip domain-list cisco.com
no ip domain-lookup
ip host port5 2005 192.168.0.1
ip host port2 2002 192.168.0.1
ip host port1 2001 192.168.0.1
ip host 3600-3 2014 10.10.10.1
ip host 3600-2 2013 10.10.10.1
ip host 5200-1 2010 10.10.10.1
ip host 2600-1 2008 10.10.10.1
ip host 2509-1 2007 10.10.10.1
ip host 4500-1 2015 10.10.10.1
ip host 3600-1 2012 10.10.10.1
ip host 2511-2 2002 10.10.10.1
ip host 2511-rj 2003 10.10.10.1
ip host 2511-1 2001 10.10.10.1
ip host 5200-2 2011 10.10.10.1
ip host 2520-1 2004 10.10.10.1
ip host 2520-2 2005 10.10.10.1
ip host 2600-2 2009 10.10.10.1
ip host 2513-1 2006 10.10.10.1
ip host pix-1 2016 10.10.10.1
ip host port8 2008 192.168.0.1
ip host port7 2007 192.168.0.1
ip host port6 2006 192.168.0.1
ip host port4 2004 192.168.0.1
ip host port3 2003 192.168.0.1
partition flash 2 8 8
!
!
!
!
interface Loopback0
ip address 192.168.0.1 255.255.255.255
no ip directed-broadcast
!
interface Loopback1
ip address 10.10.10.1 255.0.0.0
no ip directed-broadcast
!
interface Ethernet0
ip address 172.16.12.222 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
!
interface Serial0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no fair-queue
!
ip default-gateway 172.16.12.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.12.1
!
!
menu cserver title ^CC
To get back to the menu press "CTRL+SHIFT+6"
then "X". You must then clear the connection and
begin a new console session to re-connect to
that device.
--------------------------------------------------------
1 - Connect to console1 | c1 - clear console 1
2 - Connect to console2 | c2 - clear console 2
3 - Connect to console3 | c3 - clear console 3
4 - Connect to console4 | c4 - clear console 4
5 - Connect to console5 | c5 - clear console 5
6 - Connect to console6 | c6 - clear console 6
7 - Connect to console7 | c7 - clear console 7
8 - Connect to console8 | c8 - clear console 8
--------------------------------------------------------
show - show lines in use | prompt - exit menu
Exit - logout |
--------------------------------------------------------^C
menu cserver prompt ^CCPlease enter command or selection:^C
menu cserver command 1 telnet port1
menu cserver command 2 telnet port2
menu cserver command 3 telnet port3
menu cserver command 4 telnet port4
menu cserver command 5 telnet port5
menu cserver command 6 telnet port6
menu cserver command 7 telnet port7
menu cserver command 8 telnet port8
menu cserver command cl1 cl1
menu cserver command cl2 cl2
menu cserver command cl3 cl3
menu cserver command cl4 cl4
menu cserver command cl5 cl5
menu cserver command cl6 cl6
menu cserver command cl7 cl7
menu cserver command cl8 cl8
menu cserver command menuexit menu-exit
menu cserver command exit exit
menu cserver command show show line tty 1 8
menu cserver options show pause
menu cserver command c1 clear line 1
menu cserver command c2 clear line 2
menu cserver command c3 clear line 3
menu cserver command c4 clear line 4
menu cserver command c5 clear line 5
menu cserver command c6 clear line 6
menu cserver command c7 clear line 7
menu cserver command c8 clear line 8
menu cserver command prompt menu-exit
menu cserver clear-screen
menu cserver single-space
!
line con 0
logging synchronous
transport input none
line 1 8
session-timeout 35791
no exec
exec-timeout 0 0
transport input all
telnet break-on-ip
telnet sync-on-break
telnet ip-on-break
flowcontrol hardware
line aux 0
transport preferred telnet
transport input all
speed 38400
flowcontrol hardware
line vty 0 4
exec-timeout 60 0
password 7 00071A150754
login local
autocommand menu cserver
!
end
console-wizard#
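A static check a reviewer would run over a terminal-server config like the one above, as an added example that is not part of the original post: it flags type 7 passwords (reversible obfuscation, not hashes), remote-access lines that still accept cleartext telnet, and missing idle timeouts, while accepting the 'no exec' async lines a console server needs. The two excerpts are constructed with placeholder hashes and mirror the settings the running-config shows; a hardened variant is included so the check is seen passing as well as failing.

```python
"""Constructed static review of Cisco IOS line/password settings.
Both excerpts below are made up (placeholder hashes); AS_POSTED mirrors the
console-server running-config, HARDENED is the corrected form."""
import re

AS_POSTED = """\
service password-encryption
enable secret 5 $1$PLAC$EHOLDERHASH00000000000
enable password 7 0000PLACEHOLDER0000
username admin password 7 0000PLACEHOLDER0000
line con 0
 logging synchronous
 transport input none
line 1 8
 no exec
 exec-timeout 0 0
 transport input all
line aux 0
 transport input all
line vty 0 4
 exec-timeout 60 0
 password 7 0000PLACEHOLDER0000
 login local
"""

HARDENED = """\
enable secret 5 $1$PLAC$EHOLDERHASH00000000000
username admin secret 5 $1$PLAC$EHOLDERHASH00000000000
line con 0
 transport input none
line 1 8
 no exec
 exec-timeout 0 0
 transport input telnet
line aux 0
 transport input none
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
"""

TYPE7 = re.compile(r"\bpassword 7 \S+")


def parse_sections(config):
    """Group indented sub-commands under their line/interface block; the rest is global."""
    sections, current = {"global": []}, "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        elif raw.startswith(("line ", "interface ")):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(raw.strip())
    return sections


def audit(config):
    """Return (severity, section, message) findings; an empty list means clean."""
    findings = []
    for section, cmds in parse_sections(config).items():
        for cmd in cmds:
            if TYPE7.search(cmd):
                findings.append(("high", section, "type 7 is reversible obfuscation, not a hash: " + cmd))
            if cmd.startswith("enable password"):
                findings.append(("medium", section, "enable password duplicates enable secret with a weaker encoding"))
            # exec-timeout 0 0 is expected on reverse-telnet async lines that carry 'no exec'
            if cmd == "exec-timeout 0 0" and "no exec" not in cmds:
                findings.append(("medium", section, "idle sessions never time out"))
        if section.startswith(("line vty", "line aux")):
            transport = [c for c in cmds if c.startswith("transport input")]
            if not transport or transport[-1] not in ("transport input ssh", "transport input none"):
                findings.append(("high", section,
                                 "remote-access line reachable over cleartext telnet; use 'transport input ssh' or 'none'"))
    return findings
```

The vty block in the posted config has no `transport input` at all, which on old IOS means every transport is allowed, so the check treats a missing statement the same as `transport input all`.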
time-range denied
periodic weekdays 0:00 to 17:00
periodic weekdays 23:00 to 23:59
periodic weekend 0:00 to 12:00
periodic weekend 23:00 to 23:59
access-list 155 deny tcp any any eq 1119 time-range denied
access-list 155 deny tcp any any eq 3724 time-range denied
access-list 155 deny tcp any any eq 6112 time-range denied
access-list 155 deny tcp any any eq 6113 time-range denied
access-list 155 deny tcp any any eq 6114 time-range denied
access-list 155 deny tcp any any eq 4000 time-range denied
access-list 155 deny udp any any eq 3724 time-range denied
access-list 155 deny tcp any any range 6881 6999 time-range denied
Perfect for blocking kids from gaming 24/7.
Ensure the router time/date is accurate, since the time-range is evaluated against the router clock.
From the exec prompt type the following:
csim start <ext number>, e.g. csim start 48014
This will create a call and route it to that phone; if the call is not completed within 5 seconds it quits.
As an update to my post about using IPSec on Cisco routers (Router IPSec), I encountered a strange bug/feature when setting up NetFlow across an encrypted link.
Apparently, if you try to use standard NetFlow on a router that is performing IPSec encryption, the NetFlow packets bypass the software encryption and the remote router then rejects the packets for not being encrypted. Cisco have acknowledged that this is a problem on their forums (LINK) and suggest the workaround of using Flexible NetFlow instead.
The below is an extract pulled from the source article outlining how to replicate NetFlow with Flexible NetFlow:
flow exporter Flow-Export
destination 192.168.1.100
source GigabitEthernet0/0
output-features
transport udp 2055
!
flow monitor Flow-Export
record netflow-original
exporter Flow-Export
!
interface GigabitEthernet0/0
ip flow monitor Flow-Export output
View all User-ID agents configured to send user mappings to the Palo Alto Networks device:
To see all configured Windows-based agents:
> show user user-id-agent state all
To see if the PAN-OS-integrated agent is configured:
> show user server-monitor state all
View how many log messages came in from syslog senders and how many entries the User-ID agent successfully mapped:
> show user server-monitor statistics
View the configuration of a User-ID agent from the Palo Alto Networks device:
> show user user-id-agent config name <agent-name>
View group mapping information:
> show user group-mapping statistics
> show user group-mapping state all
> show user group list
> show user group name <group-name>
View all user mappings on the Palo Alto Networks device:
> show user ip-user-mapping all
Show user mappings filtered by a username string (if the string includes the domain name, use two backslashes before the username):
> show user ip-user-mapping all | match <domain>\\<username-string>
Show user mappings for a specific IP address:
> show user ip-user-mapping ip <ip-address>
Show usernames:
> show user user-ids
View the most recent addresses learned from a particular User-ID agent:
> show log userid datasourcename equal <agent-name> direction equal backward
View mappings from a particular type of authentication service:
> show log userid datasourcetype equal <authentication-service>
where <authentication-service> can be authenticate, client-cert, directory-server, exchange-server, globalprotect, kerberos, netbios-probing, ntlm, unknown, vpn-client, or wmi-probing.
For example, to view all user mappings from the Kerberos server, you would enter the following command:
> show log userid datasourcetype equal kerberos
View mappings learned using a particular type of user mapping:
> show log userid datasource equal <datasource>
where <datasource> can be agent, captive-portal, event-log, ha, probing, server-session-monitor, ts-agent, unknown, vpn-client, or xml-api.
For example, to view all user mappings from the XML API, you would enter the following command:
> show log userid datasource equal xml-api
Find a user mapping based on an email address:
> show user email-lookup
+ base Default base distinguished name (DN) to use for searches
+ bind-dn bind distinguished name
+ bind-password bind password
+ domain Domain name to be used for username
+ group-object group object class(comma-separated)
+ name-attribute name attribute
+ proxy-agent agent ip or host name.
+ proxy-agent-port user-id agent listening port, default is 5007
+ use-ssl use-ssl
* email email address
> mail-attribute mail attribute
> server ldap server ip or host name.
> server-port ldap server listening port
For example:
> show user email-lookup base "DC=lab,DC=sg,DC=acme,DC=local" bind-dn "CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local" bind-password acme use-ssl no email user1@lab.sg.acme.local mail-attribute mail server 10.1.1.1 server-port 389 labsg\user1
Clear the User-ID cache:
> clear user-cache all
Clear a User-ID mapping for a specific IP address:
> clear user-cache ip <ip-address/netmask>
So this took a while to fully figure out, as I found the official documents didn't cover all the steps required. But a bit of digging around about Kerberos authentication in general led me to figure this out.
This was all done with a Palo Alto Networks PA-220 running version 8.1 against a Windows 2016 AD server.
Active Directory Config
Creating the user account for AD
So it's best to create a standalone account for the PAN firewalls to perform this authentication. This stops unnecessary permissions being granted to the account, and ensures that nothing should lock the account out. I'd also suggest setting the account so the password never expires.
Once created, there are two properties that need to be set on the account. I found in my testing that I needed both of these settings enabled for the Kerberos auth to work as expected:
This account supports Kerberos AES128 bit encryption
This account supports Kerberos AES256 bit encryption
DNS Records
For us to be able to bind the newly created PAN service account to the firewall, we need to manually create a DNS record for the firewall. This record should point to the interface which will initiate the Kerberos auth requests, which by default will be the management interface. If you have changed the service routes to use a different interface for Kerberos auth, then make sure you use the IP address of that interface.
In this case, I will be using the management interface of my firewall as the Kerberos auth source, so I've created a DNS entry for this IP.
Generating KeyTab files
In order for the PAN firewall to perform authentication via Kerberos, it needs a keytab file to be authorised. This needs to be generated from the command prompt on the domain controller, using an account with admin privileges.
For ease of copy/paste for others, the command being used is the following:
ktpass -princ http/palo-firewall-1.knat.co.uk@KNAT.CO.UK -mapuser sa_palo@knat.co.uk -pass PASSWORD -crypto aes256-sha1 -ptype KRB5_NT_PRINCIPAL -out c:\keytab-PAN.keytab -mapop set
Replace the word PASSWORD with the actual password of the account and you are good to go. This will generate the file c:\keytab-PAN.keytab, which can be copied off in readiness for importing into the firewall.
What the above command is doing is binding the DNS name palo-firewall-1.knat.co.uk to the user account sa_palo that we previously created.
Take note of the capitalisation of the domain name in the command as well, as this needs to match exactly what we'll be entering on the firewall shortly.
In the above example, we're trying to map the account to a new domain name, but the output is saying that it wasn't able to successfully change the SPN (service principal name) data on the AD account. This shouldn't happen if you are using a new account, but if you are reusing an AD account then you might run into this problem. If you do, then you can manually map the SPN with this command:
setspn -s http/palo-firewall-1.knat.co.uk@KNAT.CO.UK knat.co.uk\sa_palo
Once completed, we can now move onto the setup on the firewall itself.
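Before copying the keytab to the firewall it is worth confirming that it holds the principal you meant, that the realm is in capitals and that the key is AES, since those are exactly the things the notes above say must match. The following is an added example, not from the original post: a reader and checker for the MIT keytab layout that ktpass writes (file version 0x0502). The keytab bytes are constructed inline with a made-up all-zero key so the code runs offline; for a real file use parse_keytab(open(path, "rb").read()).

```python
"""Constructed keytab reader/checker (MIT keytab format 0x0502, big-endian).
The sample keytab is built here with an all-zero placeholder key."""
import struct

KEYTAB_VERSION = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES_ENCTYPES = (17, 18)


def _octets(data):
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack("!H", len(data)) + data


def _read_octets(data, pos):
    (n,) = struct.unpack_from("!H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def build_keytab(principal, enctype, key, kvno=2, timestamp=0):
    """One entry for 'service/host@REALM', laid out as ktpass -out writes it."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    entry = struct.pack("!H", len(components)) + _octets(realm.encode())
    for component in components:
        entry += _octets(component.encode())
    entry += struct.pack("!IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    entry += struct.pack("!HH", enctype, len(key)) + key
    return KEYTAB_VERSION + struct.pack("!i", len(entry)) + entry


def parse_keytab(data):
    """Return the entries as dicts; the key itself is not returned, only its length."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from("!i", data, pos)
        pos += 4
        if size <= 0:            # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from("!H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        components = []
        for _ in range(ncomp):
            component, pos = _read_octets(data, pos)
            components.append(component)
        name_type, timestamp, kvno = struct.unpack_from("!IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from("!HH", data, pos)
        pos += 4 + klen
        if end - pos >= 4:       # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from("!I", data, pos)
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm,
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "key_len": klen})
    return entries


def check_keytab(entries, expected_principal):
    """Problems that would stop the firewall's Kerberos auth from working."""
    problems = []
    if not entries:
        problems.append("keytab has no entries")
    for entry in entries:
        realm = entry["principal"].rsplit("@", 1)[1]
        if entry["principal"] != expected_principal:
            problems.append("principal %s does not match %s" % (entry["principal"], expected_principal))
        if realm != realm.upper():
            problems.append("realm %s is not upper case; it must match the realm entered on the firewall" % realm)
        if entry["enctype"] not in AES_ENCTYPES:
            problems.append("enctype %s is not AES" % ENCTYPES.get(entry["enctype"], entry["enctype"]))
    return problems
```

An empty list from check_keytab means the file carries the principal, realm and AES enctype that the firewall profile will be configured with; anything else is cheaper to fix with another ktpass run than by debugging failed browser challenges later.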
Firewall Config
Create a Kerberos Profile
Simple enough: under Device > Server Profiles > Kerberos, create a new profile containing all the servers you want to authenticate against.
Create an Authentication Profile
The authentication profile is what is referenced by usernames or by authentication rules to say how to authenticate users. We're going to create a new one that performs Kerberos authentication against the server profile created previously.
Under Device > Authentication Profile, create a new profile, and give it a unique name. Then we just need to populate the settings:
Set the type to Kerberos
Set the server profile to the one previously created
Set the Kerberos realm as the domain name in all caps (KNAT.CO.UK)
Set the user domain to be the domain in lower case (knat.co.uk)
In the single sign on box, click import and import the keytab created on the AD server
In the advanced tab, set the allowed user list to all
Note the capitalisation again here. In my testing, if the Kerberos realm is set in lower case, the configuration fails to work correctly, so this needs to be set carefully.
Authentication Rules
You should now be able to authenticate users using Kerberos, either manually or by using SSO.
For administrators, create the username and set the authentication profile to your auth profile name, in this example KNAT-Kerberos.
For end user authentication, we create authentication policy rules defining when we want to authenticate users. A good way to do this is when traffic is coming from your trusted zone, going to the untrusted zone, and the user is unknown. When setting the authentication enforcement, you will need to create a new Authentication object, setting the method as browser-challenge and the authentication profile as the Kerberos auth profile you previously created.
After your rule is created, you should hopefully have something which looks like this:
Captive Portal Settings
The final settings we need to put in place are the captive portal settings telling the firewall how to perform the browser-challenge authentication redirect. This is done under Device > User Identification > Captive Portal Settings.
Enable the captive portal, set your authentication profile to the Kerberos profile and set your redirect host to be the Palo FQDN we've been previously using.
Now you just need to commit your policy and users should be prompted for authentication if they are unknown and they are trying to get between the Trust and WAN zones.
Windows SSO
The final step, which you may need to take, depends on your environment. For environments using Internet Explorer, you will need to add the firewall's FQDN to the list of intranet sites in order for it to permit the Kerberos request from the firewall.
Under Internet Options > Security > Local intranet (Sites button), add the FQDN of the firewall that will be doing the authentication. In our example, we would add palo-firewall-1.knat.co.uk to this list.
If you've gone through and followed all these steps, then you should have SSO working for Windows clients, using Kerberos authentication to identify users without them knowing it's been done.
I hope this guide helps others who have gotten stuck trying to get this implemented, but if there are any questions please feel free to leave a comment and I'll help where I can.
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
exit
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
exit
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
exit
class-map type inspect imap match-any sdm-app-imap
match invalid-command
exit
class-map type inspect ymsgr match-any sdm-app-yahoo
match service text-chat
exit
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
match service any
exit
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
exit
class-map type inspect aol match-any sdm-app-aol-otherservices
match service any
exit
class-map type inspect match-all sdm-protocol-imap
match protocol imap
exit
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
exit
class-map type inspect http match-any sdm-http-allowparam
match request port-misuse tunneling
exit
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
exit
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
exit
class-map type inspect pop3 match-any sdm-app-pop3
match invalid-command
exit
class-map type inspect match-all sdm-protocol-http
match protocol http
exit
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
exit
class-map type inspect http match-any sdm-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
exit
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
exit
class-map type inspect msnmsgr match-any sdm-app-msn
match service text-chat
exit
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
match service any
exit
class-map type inspect aol match-any sdm-app-aol
match service text-chat
exit
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
exit
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
exit
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
exit
class type inspect http sdm-app-httpmethods
log
reset
exit
class type inspect http sdm-http-allowparam
log
allow
exit
exit
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
exit
exit
policy-map type inspect im sdm-action-app-im
class type inspect aol sdm-app-aol
log
allow
exit
class type inspect msnmsgr sdm-app-msn
log
allow
exit
class type inspect ymsgr sdm-app-yahoo
log
allow
exit
class type inspect aol sdm-app-aol-otherservices
log
reset
exit
class type inspect msnmsgr sdm-app-msn-otherservices
log
reset
exit
class type inspect ymsgr sdm-app-yahoo-otherservices
log
reset
exit
exit
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
exit
exit
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
no drop
inspect
exit
class class-default
no drop
pass
exit
exit
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
exit
class type inspect sdm-protocol-http
no drop
inspect
service-policy http sdm-action-app-http
exit
class type inspect sdm-protocol-imap
no drop
inspect
service-policy imap sdm-action-imap
exit
class type inspect sdm-protocol-pop3
no drop
inspect
service-policy pop3 sdm-action-pop3
exit
class type inspect sdm-protocol-im
no drop
inspect
service-policy im sdm-action-app-im
exit
class type inspect sdm-insp-traffic
no drop
inspect
exit
exit
policy-map type inspect sdm-permit
class class-default
exit
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
exit
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
exit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
exit
If you use a service like Netflix but want to watch content that isn't available in your country, services exist to let you get around the blocks put in place. You can use a VPN to hide all your traffic, or you can use a service like Unlocator to redirect your DNS requests so they appear to be coming from a different country, which in turn gives you access to that country's content. This isn't just for Netflix; it also works for services such as Hulu and BBC iPlayer.
They've recently added a nice feature for people such as myself who suffer with a dynamic IP address: you can now update the IP address they have on record for your account by using a URL provided specifically for your account. This is nice, but I wanted a way for my router to do this task for me rather than relying on one of my virtual machines to perform it. Luckily, it's possible and very easy to do this by using an IP SLA operation set to perform an HTTP GET on the URL they give you. The lines of config below are all that is required to set up and start the operation.
ip sla 1337
http get http://unlo.it/<API-KEY> name-server 8.8.8.8
ip sla schedule 1337 start-time now recurring
Ta-Da! No more manually updating your IP address on their records!
Thanks to Unlocator for adding this feature to their service.
fw unloadlocal
removes the currently loaded firewall policy - handy if you have blocked your own management access
go print
xl core
########################
checkpoint install / upgrade notes for windows
whichever version of checkpoint you are on, the assumption here is that you are going to move to the latest and greatest.
if your current version is from the ark, you will need to follow the minimal upgrade path,
eg
if you're on R55 and wish to upgrade to R70, there is no direct path you can take, so you have to go
via NGX 65 and then to R70 or greater.
the following is the upgrade process I use for a successful upgrade; if you need to hop a couple of versions
to get up to the latest one, just run through the upgrade guide a couple of times.
Backup
of course the backup is the most important place to start and there are varying ways of doing it; for me, the setup of the fwmanager means
that I can just take a snapshot via VMware to ensure there is a safe backout plan - simples
I will also run the upgrade installer twice, the first time to export the current data (physical backup),
the second time to actually run the installer.
checkpoint releases major versions of their software eg. R55 R60 R70 R71 R75; R65.2 or R70.1 are major releases with an update installed,
so to achieve R70.1 you must have installed the R70 product and then the R70.1 upgrade on top of the original R70.
the version at the time of writing is R75.2
(we will assume I'm running R70 or R71.*)
so download the R75 installer - about 800Mb
extract to your local disk
run the setup.exe
the first time through we want to select export, point to a location you would like to save the backup to, then start
the export.
once saved, name it something sensible like R71.1-pre-upgrade-to-R75 and put it somewhere safe, hoping we won't need it.
the installer will now exit on completion of the export (ie the backup)
fire up the installer again (setup.exe)
this time we want to run through the upgrade prompts; we should check the pre-upgrade button and let the system ensure that it's all good to go
assuming no errors it will continue the upgrade. there is a button to tick to add new applications, but unless you have purchased a licence for these
there isn't any point in adding them as they are only going to clutter the software further.
on completion it will finish with a screen saying so (note this will pop up in the background, it doesn't take focus)
once exited you are able to launch the console and log in; the first login might fail stating it's running some background actions
(up to 10 mins max)
after which time it will allow you to log in. my experience is that it will hang for what will seem like forever on the maps section (be patient, VERY)
it will get there in the end; I guess this is some form of caching of the data on initial launch, as after this it runs fine.
that's it in a nutshell for the manager - next the IPSO IP appliance
note - if you want to change the function of the appliance you must untick the packages, delete them,
reboot, reinstall them and run cpconfig
###########################################
handy commands
factory reset - set fcd revert Gaia_R75.40VS
enable vsx mode - set vsx on
manual backup - add backup local or scp or ftp etc
set back restore
Check Point commands generally come under cp (general), fw (firewall), and fwm (management).
CP, FW & FWM
cphaprob stat - List cluster status
cphaprob -a if - List status of interfaces
cphaprob syncstat - Shows the sync status
cphaprob list - Shows a status in list form
cphastart / cphastop - Starts/stops clustering on the specific node
cp_conf sic - SIC stuff
cpconfig - Config util
cplic print - Prints all the licensing information
cprestart - Restarts all Check Point services
cpstart - Starts all Check Point services
cpstop - Stops all Check Point services
cpstop -fwflag -proc - Stops all Check Point services but keeps the policy active in the kernel
cpwd_admin list - List Check Point processes
cpstat -f all polsrv - Show VPN Policy Server stats
cpstat - Shows the status of the firewall
fw tab -t sam_blocked_ips - Block IPs via SmartTracker
fw tab -t connections -s - Show connection stats
fw tab -t connections -f - Show connections with IP instead of hex
fw tab -t fwx_alloc -f - Show fwx_alloc with IP instead of hex
fw tab -t peers_count -s - Shows VPN stats
fw tab -t userc_users -s - Shows VPN stats
fw checklic - Check license details
fw ctl get int [global kernel parameter] - Shows the current value of a global kernel parameter
fw ctl set int [global kernel parameter] [value] - Sets the current value of a global kernel parameter. Temporary only; cleared after reboot.
fw ctl arp - Shows the ARP table
fw ctl install - Install hosts internal interfaces
fw ctl ip_forwarding - Control IP forwarding
fw ctl pstat - System resource stats
fw ctl uninstall - Uninstall hosts internal interfaces
fw exportlog .o - Export current log file to ASCII file
fw fetch - Fetch security policy and install
fw fetch localhost - Installs (on gateway) the last installed policy
fw hastat - Shows cluster statistics
fw lichosts - Display protected hosts
fw log -f - Tail the current log file
fw log -s -e - Retrieve logs between times
fw logswitch - Rotate current log file
fw lslogs - Display remote machine log-file list
fw monitor - Packet sniffer
fw printlic -p - Print current firewall modules
fw printlic - Print current license details
fw putkey - Install authentication key onto host
fw stat -l - Long stat list, shows which policies are installed
fw stat -s - Short stat list, shows which policies are installed
fw unloadlocal - Unload policy
fw ver -k - Returns version, patch info and kernel info
fwstart - Starts the firewall
fwstop - Stops the firewall
fwm lock_admin -v - View locked admin accounts
fwm dbexport -f user.txt - Used to export users; can also use dbimport
fwm_start - Starts the management processes
fwm -p - Print a list of admin users
fwm -a - Adds an admin
fwm -r - Deletes an admin
Provider 1
mdsenv [cma name] - Sets the MDS environment
mcd - Changes your directory to that of the environment
mds_setup - To set up MDS servers
mdsconfig - Alternative to cpconfig for MDS servers
mdsstat - To see the process status
mdsstart_customer [cma name] - To start a CMA
mdsstop_customer [cma name] - To stop a CMA
cma_migrate - To migrate a SmartCenter server to a CMA
cmamigrate_assist - If you don't want to go through the pain of tar/zip/ftp and wish to enable FTP on the SmartCenter server
VPN
vpn tu - VPN utility, allows you to rekey VPNs
vpn ipafile_check ipassignment.conf detail - Verifies the ipassignment.conf file
dtps lic - Show desktop policy license status
cpstat -f all polsrv - Show status of the dtps
vpn shell /tunnels/delete/IKE/peer/[peer ip] - Delete IKE SA
vpn shell /tunnels/delete/IPsec/peer/[peer ip] - Delete Phase 2 SA
vpn shell /show/tunnels/ike/peer/[peer ip] - Show IKE SA
vpn shell /show/tunnels/ipsec/peer/[peer ip] - Show Phase 2 SA
vpn shell show interface detailed [VTI name] - Show VTI detail
Debugging
fw ctl zdebug drop - Shows dropped packets in real time and gives the reason for the drop
SPLAT Only
router - Enters router mode for use on SecurePlatform Pro for advanced routing options
patch add cd - Allows you to mount an ISO and upgrade your Check Point software (SPLAT only)
backup - Allows you to perform an operating system backup
restore - Allows you to restore your backup
snapshot - Performs a system backup which includes all Check Point binaries. Note: this issues a cpstop.
VSX
vsx get [vsys name/id] - Get the current context
vsx set [vsys name/id] - Set your context
fw -vs [vsys id] getifs - Show the interfaces for a virtual device
fw vsx stat -l - Shows a list of the virtual devices and installed policies
fw vsx stat -v - Shows a list of the virtual devices and installed policies (verbose)
reset_gw - Resets the gateway, clearing all previous virtual devices and settings
hmmm, first bash post and it's for windows, how does that work?
still, here it is
install cygwin on the asset
add the following packages, because they will be needed
ssh
vi
inetutils (contains telnet etc)
expect
add this nice little script to the root of the cygwin install
################################################
#!/usr/bin/expect
# usage: telex.sh <hostname-or-ip>
set name [lindex $argv 0]
spawn /usr/bin/telnet.exe $name
expect "Username:"
send "mradmin\r"
expect "Password:"
send "secretstuff\r" ;# note the \r means send a carriage return
expect ">"
send "enable\r"
expect "Password:"
send "moresecretstuff\r"
#send "sh ver | inc up\r"
interact
###############################################
save as telex.sh or something
now create a bat-to-exe file with the following script
@echo off
d:\Data\cygwin\bin\expect.exe d:\Data\cygwin\telex.sh %1
rem the first part points to the expect.exe cygwin program, the second part to the script file
rem save this script as c:\windows\system32\telnet.com, as when typing "telnet blabla" windows checks .com before .exe files
now when you go to cmd just type telnet (ip address) and bingo, you're logged in.
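A more defensive variant of the same script, added here as an example and not part of the original post: it reads the credentials from environment variables instead of embedding them in the file, bounds every prompt wait with a timeout, and exits non-zero if the login, user-mode or enable prompt never appears. The variable names CP_USER, CP_PASS and CP_ENABLE and the file name telex-safe.sh are assumptions.

```tcl
#!/usr/bin/expect -f
# Added example, not the original post's script. Assumed usage:
#   CP_USER=... CP_PASS=... CP_ENABLE=... ./telex-safe.sh <host>
if {[llength $argv] != 1} {
    puts stderr "usage: $argv0 <host>"
    exit 2
}
set host [lindex $argv 0]
# Pull the credentials from the environment so they are not stored on disk in the script.
foreach var {CP_USER CP_PASS CP_ENABLE} {
    if {![info exists env($var)]} {
        puts stderr "$var is not set"
        exit 2
    }
}
set user   $env(CP_USER)
set pass   $env(CP_PASS)
set enable $env(CP_ENABLE)
set timeout 15                 ;# seconds to wait for each prompt
spawn /usr/bin/telnet.exe $host
# Every expect carries timeout/eof branches so a dead host or an unexpected
# prompt fails loudly instead of leaving the session hanging.
expect {
    "Username:" { send "$user\r" }
    timeout     { puts stderr "no login prompt from $host"; exit 1 }
    eof         { puts stderr "connection to $host closed"; exit 1 }
}
expect {
    "Password:" { send "$pass\r" }
    timeout     { puts stderr "no password prompt"; exit 1 }
}
expect {
    -re {>\s*$} { send "enable\r" }
    "Username:" { puts stderr "login rejected"; exit 1 }
    timeout     { puts stderr "no user-mode prompt"; exit 1 }
}
expect {
    "Password:" { send "$enable\r" }
    timeout     { puts stderr "no enable password prompt"; exit 1 }
}
expect {
    -re {#\s*$} { }
    "Password:" { puts stderr "enable password rejected"; exit 1 }
    timeout     { puts stderr "no enable prompt"; exit 1 }
}
# Hand the session over to the user, exactly as the original script does.
interact
```

The bat wrapper above works unchanged if you point it at this file instead of telex.sh, provided the three variables are set in the environment that launches it.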