Procurve RADIUS Authentication

February 7th, 2009

Continuing with my Procurve articles, my current article will detail how to use a RADIUS server to handle authentication on a switch. This article will cover using a RADIUS server to handle authentication for the following methods of access on a Procurve switch:

  • Web Interface
  • Console
  • Telnet
  • SSH

This configuration was tested on an HP Procurve 5412zl switch running K.13.25 software. Configuration on other switches with different software versions may vary. Consult the Access Security Guide for your switch for further details.

Configuring your RADIUS server is beyond the scope of this article, particularly since there are many options for RADIUS servers out there. FreeRADIUS is one popular option. I can personally confirm that this configuration works with Microsoft’s IAS which was set up to authenticate against Active Directory.

Once your RADIUS server has been properly configured, you need to configure your switch so that it knows how to communicate with the server. This is done using the command:

radius-server host <ip-address> key 'MyKey01'

This command accomplishes two tasks. First, it tells the switch the IP address at which to reach the RADIUS server; substitute <ip-address> with the IP address of your server. Second, it sets the shared key (password) that has been configured for this switch on the server. The RADIUS server uses this key to verify that requests really come from this switch. On your RADIUS server, you can set a unique key for each switch (switches are usually called RADIUS clients there).

With the connection to the RADIUS server established, you are now ready to configure authentication for each of the modes of access. This will be accomplished using the aaa authentication command. Below is an example of the format of the command.

aaa authentication <method> <enable|login> <auth1> [auth2]

The first option is the access method to which you would like to apply the authentication. Your options here are: console, telnet, ssh, and web. The enable/login option specifies when authentication should be attempted. Login specifies that authentication should be attempted when a user first attempts to log in. Enable specifies that authentication should be attempted when a user enters the “enable” command. The enable option does not apply to web access.

The last two options specify the means of authentication. Auth1 is the primary means of authentication, which in this case you should set to radius. Auth2 is optional as it is a backup means of authentication. However, it is a good idea to set this to local, just in case the switch cannot communicate with the RADIUS server. Local specifies that the passwords set locally will be used for authentication.

Here are some of the various commands that could be used to enable RADIUS authentication.

aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication web login radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local

One final command to note is something that many network administrators may find useful. That command is:

aaa authentication login privilege-mode

This command tells the switch to expect additional parameters from the RADIUS server upon successful authentication. These parameters tell the switch which mode the user may enter. You can configure the RADIUS server to send the Administrative-User service type for users that are granted access to enable/configuration modes. On the other hand, you can configure the server to return the NAS-Prompt-User service type for users that you only want to grant access to operator mode.

This is very useful if you have a group of users that you only wish to have minimal access to your switches. If these limited-access users attempt to enter manager mode with the enable command, they will be prompted to log in again, but they will then be presented with an “Access Denied” error message.
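To make concrete what the shared key and the returned service type do, here is a small simulation of the Access-Request/Access-Accept exchange between a switch and its RADIUS server. This is an added example, not code from the original post and not ProCurve or IAS code; the user names, passwords and key are constructed, and the packet layout follows RFC 2865.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3       # RADIUS packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6             # attribute types
ADMINISTRATIVE_USER, NAS_PROMPT_USER = 6, 7                  # Service-Type values

# Constructed sample data: the key configured with "radius-server host ... key"
# and the RADIUS server's user list (password, Service-Type to return).
SECRET = b"MyKey01"
USERS = {b"alice": (b"Pa55w0rd", ADMINISTRATIVE_USER),   # manager access
         b"bob": (b"operpass", NAS_PROMPT_USER)}          # operator access only

def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLV attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def _parse_attrs(data):
    out = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        out.append((t, data[2:length]))
        data = data[length:]
    return out

def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding (one 16-byte block): XOR with
    MD5(secret + Request Authenticator). XOR is symmetric, so the server
    calls this again to recover the clear text."""
    padded = password.ljust(16, b"\x00")
    mask = hashlib.md5(secret + authenticator).digest()
    return bytes(a ^ b for a, b in zip(padded, mask))

def build_access_request(ident, username, password, secret):
    """What the switch sends for a login attempt."""
    req_auth = os.urandom(16)            # fresh random Request Authenticator
    attrs = _attrs([(USER_NAME, username),
                    (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_handle(packet, secret, users):
    """Toy RADIUS server: recover the password with its copy of the secret,
    check the user and answer Access-Accept (carrying a Service-Type) or
    Access-Reject. Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(_parse_attrs(packet[20:length]))
    password = hide_password(attrs[USER_PASSWORD], secret, req_auth).rstrip(b"\x00")
    entry = users.get(attrs[USER_NAME])
    if entry and entry[0] == password:
        code, reply_attrs = ACCESS_ACCEPT, _attrs([(SERVICE_TYPE, struct.pack("!I", entry[1]))])
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    resp_auth = hashlib.md5(header + req_auth + reply_attrs + secret).digest()
    return header + resp_auth + reply_attrs

def switch_login(username, password, switch_secret, server_secret, users, ident=1):
    """Switch side: send the request, verify the reply was produced with the same
    key (otherwise it is a forgery or a mismatched key), then map the
    Service-Type to the access level granted under "login privilege-mode"."""
    request = build_access_request(ident, username, password, switch_secret)
    reply = server_handle(request, server_secret, users)     # stands in for the network
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + switch_secret).digest()
    if reply_id != ident or reply[4:20] != expected:
        return "rejected reply: bad Response Authenticator (key mismatch or forgery)"
    if code != ACCESS_ACCEPT:
        return "denied"
    attrs = dict(_parse_attrs(reply[20:length]))
    service_type = struct.unpack("!I", attrs.get(SERVICE_TYPE, b"\x00" * 4))[0]
    if service_type == ADMINISTRATIVE_USER:
        return "manager"       # may use "enable" and enter configuration mode
    return "operator"          # NAS-Prompt-User (toy policy: anything else too) gets operator only
```

Running switch_login with a server holding a different key shows why the key on both sides must match: the switch cannot validate the reply and treats it as untrusted.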

After everything has been configured, you can confirm that the proper forms of primary and secondary authentication have been applied with the following command:

show authentication

Below is some output produced by this command:

J8698A-01# show authentication

 Status and Counters - Authentication Information

  Login Attempts : 3
  Respect Privilege : Enabled

              | Login      Login      Enable     Enable
  Access Task | Primary    Secondary  Primary    Secondary
  ----------- + ---------- ---------- ---------- ----------
  Console     | Local      None       Local      None
  Telnet      | Radius     Local      Radius     Local
  Port-Access | Local      None
  Webui       | Radius     None       Local      None
  SSH         | Local      None       Local      None
  Web-Auth    | ChapRadius None
  MAC-Auth    | ChapRadius None
Categories: HP Procurve

Comments Bug

February 6th, 2009

I made a change to the comments feature tonight, and in the process discovered a “bug”.

First, readers will now be able to leave a comment without being a registered user. All you need to do is provide your name and an email address. There are still some conditions that will hold a comment until it is approved, such as if it contains a certain amount of links.

In the process, I discovered that after leaving a comment users were redirected to a 404 error page. After some quick investigation, I found the cause to be an extra space I had in the permalink configuration. The error has now been remediated so everything is running normally.

Update: I should also mention that when you post a comment, your email address is not displayed. Your name will be a hyperlink to your web site.

Categories: Site Updates

HP Procurve Premium License

February 5th, 2009

A topic not often covered in the Procurve community is the issue of licensing certain features on a switch. HP does an excellent job of providing a robust feature set on most of their equipment out of the box. However, some applications require additional features that are not included with the switch.

An issue arose at work where we wanted to use a 5406zl to route to an external entity. There was a thought that we could peer with the entity using OSPF. After some quick digging around the command line, I found that our 5406zl only supported RIP with the current license. Upgrading to a premium license would be required to support OSPF. The premium license adds support for the following on 3500 and 5400 series switches.

  • OSPFv2
  • PIM Dense mode
  • PIM Sparse mode
  • VRRP
  • QinQ (IEEE 802.1ad)

How can you tell what license is currently installed on your switch? If you are running OSPF, that is a good indicator that your switch currently has a premium license installed. A better way to view the installed license is with the show licenses command:

J8698A-01# show licenses

 Feature Group         License Status
 --------------------  --------------
 premium               Not Installed
   OSPF
   PIM-SM/DM
   VRRP
   QinQ

Here you can clearly see that this switch does not have the premium license installed, as is indicated by the “Not Installed” license status.

Installing a premium license is a multi-step process that will require you to use the my.procurve.com web site. Obtaining a premium license is beyond the scope of this article; however, I will cover how to obtain the hardware ID for your switch. The hardware ID is required when obtaining a premium license.

Obtaining the Hardware ID

In order to obtain the hardware ID for the switch, you need to enter configuration mode using the configure terminal command. Once you have entered configuration mode, issue the command licenses hardware-id premium. The output of this command is shown below:

J8698A-01(config)# licenses hardware-id premium

The hardware Id for package “premium” is
  XXXXXXXXXX-X-XXXXXXX-XXXXXXX-XXXXX8X-XXXXXXX

There are a few points I would like to note. First, the hardware ID has been sanitized. However, the format above is the same format that you can expect on other switches. Second, the exact command to be used will depend on the switch model in use. Some HP documentation makes use of the licenses hardware-id premium-edge command to retrieve the hardware ID. The use of context-sensitive help will reveal which command should be used on your switch.

Installing a Premium License

Installing a premium license is straightforward. Again, you need to enter configuration mode using the configure terminal command. Once in configuration mode, issue the following command:

licenses install premium <license-key>

You will replace <license-key> with the key that was provided to you on the my.procurve.com web site. Keep in mind that after the switch installs the license, it will reboot.

Removing a Premium License

At some point, you may need to remove a license from a switch for various reasons. Like the previous commands, you must be in configuration mode to uninstall a license. From configuration mode issue the command:

licenses uninstall premium

This command will issue the following warning:

J8698A-01(config)# licenses uninstall premium
                              **** CAUTION ****

Completion of this operation will remove the functionality that is enabled
in the premium feature group, and will delete the configuration for
those features from the active configuration.

Device will be rebooted, do you want to continue [y/n]?

After you answer yes, the switch will delete the key and issue an uninstall verification number. It is very important that you copy this uninstall verification number, as you will need to enter it into the my.procurve.com website to “release” the license for use on another switch. After this the switch will reboot.

Viewing Uninstalled Licenses

Should you need to view a license that was uninstalled from a switch you can use the following command:

show licenses uninstalled

This will show the license that was uninstalled, as well as the uninstall verification key. This command comes in handy if you forgot to save the uninstall verification key after removing a license.

Categories: HP Procurve

CCNA Virtual Lab

January 18th, 2009

Virtualization has been a hot topic in the IT world for a while now. From the datacenter to our home labs, virtualization is changing the way we work and play.

I recently made an addition to my lab that I think will allow me to add more complexity to lab simulations, and at the same time it has saved me some money! A few months back you will recall that I purchased some additional hardware and made a virtualization server (using Windows 2008 Server and Hyper-V). Since that setup was not getting much use, I went a different route that should prove to be more useful.

There are three physical parts to my current lab setup. They are: 16U rack with physical network equipment, server running VMware Server, and my laptop. The rack consists of the following:

  • 1 x 2528 access server
  • 3 x 2525 routers
  • 1 x 3640 router (NM-2FE2W, NM-1E2W, NM-8A/S)
  • 1 x 2924 switch
  • 2 x 3550 switches (L3 support)

The server running VMware has a quad core Intel Xeon processor with 8GB of RAM and 5 x 500GB hard drives in a hot-swappable drive cage. This used to be a file server, which is why it has so many hard drives and a hot-swap cage. Only one hard drive is being used to house both the operating system and all of the virtual machines. Finally, my laptop is my old reliable Compaq Presario V2000. With 1GB of RAM, a 1.8GHz AMD Turion processor, and a 5400RPM hard drive, this thing gets bogged down in a hurry when I start running anything more than a few routers in GNS3! It survived five years of college as many other laptops around me crumbled, so I can’t bring myself to replace it just yet!

How do I connect all of this? It’s not overly complicated once you get everything straight in your head, however when putting something like this together for the first time I suggest some actual planning! The diagram below will help illustrate what I have done.

The two large boxes at the top (vmware-server and Laptop) are the two physical computers. The setup on my laptop is straightforward, since I only have GNS3 running there (no VMs). As you can see, I use the cloud feature in GNS3 to connect the wired network card on my laptop to my physical lab (The rack at the bottom of the diagram).

The VMware server is what complicates things. First you will notice that the server has two network cards. I have used this to my advantage to segment some things out. The first network card (eth0) is used for management of the VMware server through the web interface, as well as linking any VMs to the Internet (either directly via a bridged network or through some GNS3 routing). The second network card (eth1) is strictly used to tie the VM running GNS3 to my physical lab rack. There are two virtual network adaptors (vmnet0 and vmnet5) that are bridged directly to each of the physical network cards.

Inside of the VMware server there are four other virtual network adaptors (vmnet1 to vmnet4). These four devices are host-only network adaptors. This means that they are not tied in any way to either of the server's physical network cards. Notice that the GNS3 VM connects to each of these virtual network adaptors. I did this so that I can perform routing between each subnet. The GNS3 VM is also tied to each of the bridged network adaptors so that I can route traffic externally as well.

One thing not pictured in the diagram is the other VMs I use. These are simple setups, as each VM connects to one (and only one) of the host-only network adaptors. These VMs act as endpoints/nodes to test connectivity between other nodes.

Hopefully this will provide other people with a jumping off point for adding virtualization to their lab. This can be accomplished for a small amount of money. A desktop with plenty of RAM will work just fine as a VMware server. Combine the price of memory now with the low, low price of free for Linux and VMware Server and you have an incredible deal!

Categories: Cisco Lab, Virtualization

Lab On The Go

January 12th, 2009

It seems like not too long ago that I had to jump through hoops just to be able to get some lab time in at work, or when I was otherwise away from my rack. My original routine for remote labbing was to leave the equipment I needed powered on with my laptop connected via console cable to my access server. I then set up port forwarding to my laptop so that I could RDP into it while I was at work.

This setup was inefficient for several reasons. The most obvious was the fact that I had to leave all of that equipment powered on for a full eight hours just so I might be able to get less than an hour of lab time. Another problem I ran into was that the connections between the equipment could not be reconfigured when I was not physically present.

My recent purchase of a Western Digital Passport external hard drive sent me on a quest for more portable apps to install onto it for remote use. It was then that I discovered GNS3 could be installed onto a flash drive or external hard drive (just about any removable media for that matter). The process was simple: during the installation of GNS3, you just set the installation directory to a folder on your removable media. The installation only requires about 40MB, so a minimal amount of space is required. From there you just copy the IOS images you need onto the flash drive and you are good to go!

It should be noted that GNS3 does require WinPcap if you would like to bind some of your labs to the physical network card on the laptop. If you do not require this feature, then there are no other dependencies.

Links:

GNS3

GNS3 on a USB Key

Categories: CCNA Study

Network Jitter and VOIP

January 4th, 2009

Network jitter, or jitter, is the name given to a variation in the time delay between packet arrival. This concept is better explained using the illustration below.

In the above illustration, the gaps between the packets represent the time delay between the arrival of consecutive packets. Jitter is shown by the uneven gaps between packets two and three, as well as three and four.

In a perfect world, every packet should arrive at a set amount of time after the preceding packet. In reality, there are many factors to take into consideration when jitter is experienced. Sometimes the cause of jitter is beyond your control, since issues may arise outside your network.

The effect jitter has on network applications can vary. It is unlikely for a user surfing the internet to report a problem that is a result of jitter. Other real-time services, such as VOIP, can experience serious problems related to jitter. Lucky for us, many vendors (including Cisco) build provisions into their routers that can compensate for jitter.

On Cisco routers, the playout delay buffer (PDB) is the mechanism that is used to compensate for jitter. The PDB stores the incoming packets and then sends them to the next destination as a steady stream. This buffering process is similar to that used with other real-time protocols such as those used for audio and video. The ultimate goal of the buffer is to negate any jitter by relaying the packets as a steady stream. An illustration of the packets before and after the playout delay buffer does its job is shown below.

The buffer can only compensate for packets that are delayed within a specified range. If packets start to arrive outside of the working range of the buffer, those packets are dropped. With VOIP a dropped packet can mean the loss of some of the audio, which can make part of a conversation seem choppy.

In a Cisco router, the playout delay buffer sends a steady stream of packets to the digital signal processors. The main job of the DSP is to convert the audio from digital to analog. A secondary function of the DSP is to compensate for missing packets. If a packet is missing, the DSP can make an educated guess as to the contents of the missing packet and insert that missing piece into the audio stream. The result is that the end user never hears a difference. The DSP can only compensate for a finite amount of dropped packets before the end users start to notice an effect on call quality.
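The following is an added example (not from the original post, and not Cisco code) that puts numbers to the ideas above: it measures jitter on a constructed stream of 20 ms voice packets with the RFC 3550 interarrival-jitter estimator, then runs the same packets through a fixed playout delay buffer that drops late packets, with a simulated DSP that conceals a limited run of losses (the one-packet limit is an assumption for illustration).

```python
PACKET_INTERVAL_MS = 20.0      # voice packets are sent every 20 ms

# Constructed sample stream: (sequence number, arrival time in ms). Packet n was
# sent at n * 20 ms, so its transit delay is arrival - n * 20. Packets 1-5 take
# about 40 ms; packet 6 is badly delayed (75 ms) and 7 and 8 are also late.
ARRIVALS = [(1, 60.0), (2, 80.0), (3, 101.0), (4, 124.0),
            (5, 138.0), (6, 195.0), (7, 200.0), (8, 205.0)]


def interarrival_jitter(arrivals, interval_ms=PACKET_INTERVAL_MS):
    """RFC 3550 style jitter estimate. D is the change in transit time between
    consecutive packets (zero when the send spacing is preserved); J is a
    smoothed running average of |D|. Returns (final J, list of D values)."""
    jitter, deviations = 0.0, []
    for (prev_seq, prev_arrival), (seq, arrival) in zip(arrivals, arrivals[1:]):
        d = (arrival - prev_arrival) - (seq - prev_seq) * interval_ms
        deviations.append(d)
        jitter += (abs(d) - jitter) / 16.0
    return jitter, deviations


def playout(arrivals, buffer_ms, interval_ms=PACKET_INTERVAL_MS, max_conceal=1):
    """Fixed playout delay buffer: packet n is handed to the DSP at
    first_arrival + buffer_ms + (n - first) * interval. A packet that arrives
    after its slot is outside the buffer's working range and is dropped. The
    simulated DSP conceals up to max_conceal consecutive losses by repeating
    the previous frame (an assumed limit); longer runs are heard as a gap.
    Returns (timeline of (seq, status), list of dropped sequence numbers)."""
    first_seq, first_arrival = arrivals[0]
    timeline, dropped, loss_run = [], [], 0
    for seq, arrival in arrivals:
        slot = first_arrival + buffer_ms + (seq - first_seq) * interval_ms
        if arrival <= slot:
            timeline.append((seq, "played"))
            loss_run = 0
        else:
            dropped.append(seq)
            loss_run += 1
            timeline.append((seq, "concealed" if loss_run <= max_conceal else "gap"))
    return timeline, dropped


if __name__ == "__main__":
    j, devs = interarrival_jitter(ARRIVALS)
    print(f"jitter estimate {j:.2f} ms, worst deviation {max(map(abs, devs)):.0f} ms")
    for buf in (0, 30, 60):
        _, dropped = playout(ARRIVALS, buf)
        print(f"playout buffer {buf:>2} ms: dropped packets {dropped}")
```

Comparing the three buffer sizes shows the trade-off the post describes: a larger buffer absorbs more jitter but adds that much delay to every packet in the call.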

Jitter can present some interesting problems, particularly when you are dealing with real-time services. Cisco has built some provisions into their routers to help counter some of the effects of jitter.

Categories: Voice (VOIP)

Documenting the Undocumentable

January 3rd, 2009

You just landed that new networking position after months of interviews and waiting! If you’re lucky, the hard part is over and you will slip into a position where the network practically manages itself. Meanwhile, back in the real world…

Network administrators are like software developers. That is, documentation is usually an afterthought, and sometimes it is not a thought at all! We have all faced this problem. This is the situation that I walked into this past summer. The key here is not to look at the situation as a problem, but as a challenge. Our largest building was our biggest challenge. The cabling was not done in a structured manner, and in some cases I was baffled how some of the “redundant links” did not cause network loops since STP was not activated.

The biggest challenge in this building was troubleshooting link problems between the switch closets. Dropping the link from one cabinet to another would cause half the building to go down in some cases. Without proper network documentation, we were left in the dark. With the way the cabling between the switches was laid out, it would be a copious amount of work to document this by hand. Enter Solarwinds with their LANsurveyor product.

LANsurveyor can be used to create network maps with a minimal amount of information. In my case, I was able to create a network map for each of our seven buildings using nothing more than the IP address range for that building and our SNMP community strings. Even if your community strings are not standardized, changing them on your devices would be considerably less work than creating a manual network map.

This convenience does come at a price. The version I use sells for about $2000 and is a standalone piece of software. There is a $500 version that integrates with Visio, but I have not used that so I cannot comment. You do have the option of downloading a trial before you purchase the software. If $2000 is not in your personal budget, you may be able to sell the software to your boss if you calculate all of the man hours it would take to map your network by hand!

Below are some screen shots of LANsurveyor, one of which shows the chaotic network map for the building I mentioned above.

LANsurveyor network discovery settings:

Sample Network Map (I zoomed out so you can see how difficult this would have been to document by other means):

Note: This is not an advertisement for Solarwinds, and thus I am not profiting from this post! If you have used other software to solve a similar problem, please share your experiences in the comments section.

Categories: General

Hyper-V Requirements

November 14th, 2008

Hyper-V is similar to VMware in the respect that it abstracts the hardware from the virtual machines. This is different from other products such as VMware Workstation or Microsoft Virtual PC, where the VMs run on top of the host operating system.

Hyper-V has a few requirements to get everything up and running. First, you need to install Windows Server 2008 x64 (64-Bit). Other versions will not satisfy the Hyper-V requirements. The second requirement is probably going to be the biggest problem for people trying to run older hardware.

Hyper-V requires a processor that supports hardware-assisted virtualization. AMD calls this AMD-V, while Intel calls it VT. Some older processors may support this with an update to the motherboard BIOS, others will not. I found that my 3-4 year old Opteron 165 did not support hardware-assisted virtualization. Some research will be required to see if your specific hardware is supported.

Categories: Virtualization

Back From The Dead

November 14th, 2008

The past five months have been crazy! I landed my first network related job, as a network administrator. As soon as I started there was a major project to put a new network in the one building over the summer (cabling and all). That was followed by some slightly smaller projects, such as an upgrade to our main router. On top of that I have been busy with personal projects, including working on my car.

Unfortunately all of this caused many things to fall by the wayside. This site and my CCNA study were two major things that I fell behind with. The past few weeks I have really stepped up my CCNA study. The downside of that is that I have had to review many old topics and my books are now a version behind the current CCNA tests.

I am going to try to update this site more often. One change I am going to make is the renaming of the “VMware Whitebox” section. I have not given up on that, but I have decided to play with some other virtualization options. That means I will be setting up and playing with Windows Server 2008 with Hyper-V! I am hoping to get this set up soon and share my setup here.

Categories: General

CME Basic Install – Part II

May 24th, 2008

In the first part, I detailed how to get the CME basic and GUI files from your computer to your router. In this part of the series, I will detail how to enable the GUI as well as how to set up authentication for the GUI interface.

Note: All commands should be issued in global configuration mode unless otherwise noted.

The first step is to enable the web (http) server on the router:

ip http server

Next, you need to tell the web server where to find the HTML files used by the GUI:

ip http path flash:

Finally, you need to tell the web server which form of authentication to use:

ip http authentication {aaa | enable | local | tacacs}

Below is a quick run down of the authentication methods.

  • aaa – Use aaa login service.
  • enable – Uses the enable password that is set on the router (This is the default authentication method).
  • local – Uses a local username and password that is set on the router using the username command.
  • tacacs – Uses a TACACS server.

Before you can access the CME GUI, you need to set an initial username and password for the administrator. The following commands will allow you to do this.

Enter telephony service configuration mode:

telephony-service

Set the GUI administrator username and password:

web admin system name username {password string | secret {0 | 5} string}

With the last command it is suggested that you use the secret 5 option, since it will encrypt the password using an MD5 hash.

Once you have completed all of these steps you should be able to access the CME GUI from a web browser by navigating to http://xxx.xxx.xxx.xxx/ccme.html (replace xxx.xxx.xxx.xxx with the IP address of your router). You will be prompted for a username and password, which should be the one you just set with the web admin command.

Note: I had some problems with the GUI when viewing it with Firefox (2.0.0.14). It’s suggested that you use Internet Explorer.

This only covers a very small portion of CME configuration. I suggest that you consult the Cisco Unified Communications Manager Express Administrator’s Guide. It is very detailed and worth the time spent reading through it.

Categories: Voice (VOIP)