DOCSLIB.ORG

BRKSEC-2881.Pdf

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
BRKSEC-2881.Pdf #CLUS Designing Remote- Access and Site-to- Site IPSec networks with FlexVPN Piotr Kupisiewicz – Technical Leader Services BRKSEC-2881 #CLUS Objectives & Prerequisites • Session objectives: • Introduce IKEv2 & FlexVPN, with a focus on AAA-based management • Demonstrate the value-add and possibilities of FlexVPN as a Remote Access solution with a variety of clients (software & hardware) • Solve simple & complex use cases using FlexVPN • It’s intermediate session • Other sessions of interest • BRKSEC-3036 – Advanced IPSec with FlexVPN and IKEv2 • BRKSEC-3005 - Cryptographic Protocols and Algorithms - a review #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 About me #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Agenda • Introduction • IKEv2 Overview • Tunnel Interfaces • Configuration Building Blocks • FlexVPN AAA Integration • Remote Access Clients • Deployment Scenarios & Use Cases • Wrap-up #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 Cisco Webex Teams Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session How 1 Find this session in the Cisco Events App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space Webex Teams will be moderated cs.co/ciscolivebot#BRKSEC-2881 by the speaker until June 18, 2018. #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Cisco Press Book ‘IKEv2 IPsec VPNs’ by Amjad Inamdar & Graham Bartlett Customer Reviews Cisco Press rebate One of the best technical books I've read code: CLSAVE This book is the IKEv2 VPN equivalent of Jeff Doyle's Routing TCP/IP Vol 1 & 2 - a must read for any network security engineer wanting to design and build secure VPN's. One of the best technical books I've read. Superb book and well worth the money for anyone even thinking about Cisco crypto This book is the most comprehensive book on IKEv2 for Cisco network engineers that you will find and is all about real-world scenarios. Definitive guide on modern IPsec VPN theory and practice Many times I wish I had a book like this to help distill many complex IETF RFCs into “plain English” and provide practical and actionable security best practices. Brilliant I bought the Kindle version of this on a bit of an impulse. I'm really glad I did, it's well worth the money. Not only can I establish secure IKEv2 tunnels, I also feel like I know the subject thoroughly now. Even in respect to non- Cisco equipment. The book is a great reference too. I don't usually leave reviews but was motivated to in this instance. Good job, highly recommended. The best book on IKEv2 IPsec VPNs The book is awesome! I appreciate authors' work on presenting deeply technical topics in extremely easy to understand manner. Finally, all you need to know about FLEX in one place! Well written , concise and accurate. An absolute must for anyone designing, https://www.amazon.com/IKEv2-IPsec-Virtual-PrivateNetworks/ supporting or troubleshooting IKEv2 VPNs. You too can become a FLEX dp/1587144603/ expert! Listed in the CCIE Security reading list Very good Book on IPsec VPN for Enterprise networks https://learningnetwork.cisco.com/community/certifications/ Very well Written book, This book touches on most important topic on ccie_security/written_exam/study-material building Dynamic VPN for enterprise networks. #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 Introduction to FlexVPN FlexVPN Overview • What is FlexVPN? • IKEv2-based unified VPN technology that combines site-to-site, remote-access, hub-spoke and spoke-to-spoke topologies • FlexVPN highlights • Unified CLI • Based on and compliant to IKEv2 standard • Unified infrastructure: leverages IOS Point-to-Point tunnel interface • Unified features: most features available across topologies (AAA, IPv6, Routing…) • No IWAN Support • Simplified configuration using smart-defaults • Interoperable with non-Cisco implementations • Easy to learn, market and manage #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 9 Key Platforms ASR 1000 series ISR 1100 ISR 800 Series & 4000 Series #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 IKEv2 Overview Comparing IKEv1 & IKEv2 Authentication Same Integrity Objectives Confidentiality DPD ISAKMP RFC 2408 Suite-B IPSec DOI IKEv2 More Secure RFC 2407 IKEv1 Mode IKEv2RFC 5996 Anti-DoS Config IKE RFC 2409 PSK, RSA-Sig NAT-T Authentication EAP Auth. Options Hybrid Auth. Cleaner Identity/Key Exchange Similar but Uses UDP Ports 500 & 4500 Different Main + Aggressive INITIAL Acknowledged Notifications #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 12 IKEv2 Exchanges Initiator (I) Responder (R) IKEv2 Security Association (SA) establishment IKE_SA_INIT (proposal selection, key exchange) Mutual authentication & identity exchange Initial IPSec SAs establishment IKE_AUTH Certificate exchange (optional) Configuration exchange (optional) Additional IPSec SAs establishment CREATE_CHILD_SA IKEv2 & IPSec SA rekey Can be (I R) with ACK or (R I) with ACK INFORMATIONAL Notifications (SA deletion, liveness check, ...) Configuration exchange (one or both ways) #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 13 Key Differentiators IKEv1 IKEv2 Auth messages 6 max Open ended First IPsec SA 6-9 messages ~ 4-6 messages minimum Authentication pubkey-sig, [pubkey-encr], PSK pubkey-sig, PSK, EAP, asymmetrical authentication Security Vulnerable to DOS attacks Anti-clogging, Suite-B Support, … IKE rekey Requires re-auth (expensive) No Re-auth Notifies Fire & Forget Acknowledged Message Segmentation None, relies on IP fragmentation Protocol built in NG Cryptography Support is stopped* Yes #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 Tunnel Interfaces Dynamic Point-to-Point Virtual Interfaces P2P virtual interface template FlexVPN Server crypto ikev2 profile default ... virtual-template 1 Dynamically instantiated P2P interfaces ! interface Virtual-Access1 interface Virtual-Template1 type tunnel ipinterfaceunnumbered Virtual Loopback0-Access2 ip unnumbered Loopback0 ipipinterfaceaccessunnumbered-group Virtual Loopback0mobile-Access3-users VT1 tunnel mode ipsec ipv4 ipipvrfipaccessunnumberedforwarding-group travelerLoopback0mobile-VRF-users tunnel protection ipsec profile default tunnelip ipvrf accesssourceforwarding- group<local travelerhome-address>-office-VRF-users VA1 VA2 VA3 tunneltunnelip vrfdestination sourceforwarding <local <remote -homeaddress>-officeaddress>-VRF tunneltunneltunnel mode destination source ipsec <localipv4 <remote-address>-address> Server routing table (RIB/FIB) tunneltunneltunnel protection mode destination ipsec ipsecipv4 <remoteprofile-address> default S default via Ethernet0/0 servicetunneltunnel- policyprotection mode outputipsec ipsec ipv4mobileprofile-QoS default L 10.0.1.1/32 local Loopback0 servicetunnel-policy protection output ipsec travelerprofile-QoS default S 10.0.1.10/32 via Virtual-Access1 service-policy output home-office-QoS S 10.0.1.11/32 via Virtual-Access2 S 10.0.1.12/32 via Virtual-Access3 S 10.42.1.0/24 via Virtual-Access3 Static P2P virtual interface interface Tunnel0 ip address negotiated 10.0.1.10/32 10.0.1.11/32 10.0.1.12/32 tunnel source Ethernet0/0 Tun0 tunnel destination <server-address> tunnel mode ipsec ipv4 10.42.1.0/24 tunnel protection ipsec profile default #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 16 Interface Features FlexVPN Server Pre-encapsulation RIB/FIB (routing table) IPSec encapsulation interface output features (tunnel protection) (apply to cleartext packet) Interface input features Post-encapsulation (apply to cleartext packet) interface output features (apply to encrypted packet) Eth0/0 (LAN) V- Eth0/1(WAN) Access1 IP L4 Data IP IPsec IP L4 Data Encrypted Cleartext Traffic Encrypted Traffic (from server LAN) (to RA client) Interface feature (NAT, PBR, QoS, NetFlow, ...) #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 17 Tunnel Encapsulation • IPSec Tunnel Mode (IPv4 or IPv6) interface Virtual-Template1 type tunnel tunnel mode ipsec {ipv4 | ipv6} • Classic dVTI: compatibility with software clients tunnel protection ipsec profile default (any-to-any or any-to-assigned-address) IP IPsec IP L4 Data • Multi-SA dVTI: compatibility with legacy Encrypted crypto map peers (ASA, other vendors) • IPv4 over IPv6 Mixed Mode in IOS-XE3.10 • GRE over IPSec interface Virtual-Template1 type tunnel tunnel mode gre {ip | ipv6} • Enables tunneling of non-IP protocols (e.g. MPLS) tunnel protection ipsec profile default • Required for dynamic mesh scenarios (aka DMVPN, IP IPsec GRE IP L4 Data but with the extra flexibility of point-to-point interfaces) Encrypted • “tunnel mode gre ip” is the default on static & dynamic tunnel interfaces #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 IPv6 Support Summary • GRE over IPSec Passenger Protocol – Dual-stack (IPv4 + IPv6 IPv4 IPv6 over IPSec) out of the box IPv4 ✔ ✔ IPv6 ✔ ✔ Transport Transport Protocol Passenger Protocol • IPSec Tunnel Mode IPv4 IPv6 – Dual-stack support IPv4 ✔ ✔ – IPv4 over IPv6 mixed-mode IPv6 ✔ ✔ (Since XE3.10) Transport Transport Protocol
Load more

Recommended publications
  • EAP-TLS Authentication with an NPS RADIUS Server
    EAP-TLS Authentication with an NPS RADIUS Server 802.1X/EAP-TLS (Extensible Authentication Protocol-Transport Layer Security), defined in RFC 5216, provides secure authentication methods. Client devices (RADIUS supplicants) and a RADIUS authentication server verify each other's identity by validating the signature on the computer and server certificates that they send one another. This authentication method uses an infrastructure that includes a RADIUS authentication server that communicates with an external LDAP database. It also needs a mechanism for installing certificates on the server and all the supplicants, which you can do with a Windows NPS (Network Policy Server) using a GPO (Group Policy Object) to distribute computer certificates and an 802.1X SSID client configuration for wireless access. You can also employ the same infrastructure to authenticate users (also referred to as RADIUS supplicants) who submit user names and passwords to the authentication server. This document explains how to set up the following components to provide wireless client and user authentication through 802.1X/EAP-TLS: • (Aerohive) An 802.1X SSID that instructs APs (RADIUS authenticators) to forward authentication requests to an NPS RADIUS server • (Windows) An NPS RADIUS server that accepts authentication requests from the APs and EAP-TLS authentication requests from clients • (Windows) A GPO to deploy computer certificates and a wireless network configuration to clients • (Aerohive and Windows – optional) An Aerohive and NPS configuration in which different RADIUS attributes are returned based on authentication method (EAP-TLS or PEAP-MS-CHAPv2 in this example) assigning one user profile to clients authenticating by certificate and another to users authenticating by user name/password.
    [Show full text]
  • Utility-Grade Core Network Services
    WHITEPAPER Utility-Grade Core Network Services The infoblox appliance-based platform integrates distributes, and manages DNS, DHCP, IPAM, TFTP, NTP and more to drive networks and applications Executive Summary Networks and applications have become highly dependent on a collection of essential core network services that are not always “visible” or on the forefront of IT project lists. For example, virtually all applications, including web, e-mail, ERP, CRM, and Microsoft’s Active Directory require the Domain Name System (DNS) for their basic operation. Most IP-based devices, including laptops and desktops, require Dynamic Host Configuration Protocol (DHCP) to obtain an IP address. Newer devices such as IP phones, RFID readers, and cameras that are network-connected require file transfer services (via TFTP or HTTP) to receive configuration information and firmware updates. If core network services are compromised, networks and applications fail. These failures often manifest themselves as “network” or “application” issues but are often caused by failure of the underlying core network services themselves. A majority of enterprises still use an “ad-hoc” collection of disparate systems to deploy core network services and are, therefore, experiencing growing problems with availability, security, audit-ability, and real-time data integration that threaten current and future applications. For more than a decade, the focus of networking professionals has been on physical network architectures with high levels of redundancy and fault-tolerance. From the endpoint inward, enterprise networks are designed to provide high availability with device redundancy and multiple paths among users and data. One of the key components of these architectures has been the network appliance, purpose-built devices that are designed to perform a specific function such as routing, switching, or gateway applications.
    [Show full text]
  • 7750 SR OS System Management Guide
    7750 SR OS System Management Guide Software Version: 7750 SR OS 10.0 R4 July 2012 Document Part Number: 93-0071-09-02 *93-0071-09-02* This document is protected by copyright. Except as specifically permitted herein, no portion of the provided information can be reproduced in any form, or by any means, without prior written permission from Alcatel-Lucent. Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2012 Alcatel-Lucent Alcatel-Lucent. All rights reserved. Table of Contents Preface. .13 Getting Started Alcatel-Lucent 7750 SR Router Configuration Process . .17 Security Authentication, Authorization, and Accounting . .20 Authentication . .21 Local Authentication . .22 RADIUS Authentication . .22 TACACS+ Authentication . .25 Authorization . .26 Local Authorization. .27 RADIUS Authorization . .27 TACACS+ Authorization. .27 Accounting. .28 RADIUS Accounting . .28 TACACS+ Accounting . .28 Security Controls . .30 When a Server Does Not Respond . .30 Access Request Flow . .31 CPU Protection . .32 CPU Protection Extensions ETH-CFM . .36 Vendor-Specific Attributes (VSAs) . .38 Other Security Features . .39 Secure Shell (SSH) . .39 Per Peer CPM Queuing. .41 Filters and Traffic Management. .42 TTL Security for BGP and LDP . .43 Exponential Login Backoff . .43 User Lockout . .45 Encryption . .46 802.1x Network Access Control . .46 TCP Enhanced Authentication Option. .46 Packet Formats . .48 Keychain. .49 Configuration Notes . .50 General . .50 Configuring Security with CLI . .51 Setting Up Security Attributes. .52 Configuring Authentication . .52 Configuring Authorization .
    [Show full text]
  • Aerohive Configuration Guide: RADIUS Authentication | 2
    Aerohive Configuration Guide RADIUS Authentication Aerohive Configuration Guide: RADIUS Authentication | 2 Copyright © 2012 Aerohive Networks, Inc. All rights reserved Aerohive Networks, Inc. 330 Gibraltar Drive Sunnyvale, CA 94089 P/N 330068-03, Rev. A To learn more about Aerohive products visit www.aerohive.com/techdocs Aerohive Networks, Inc. Aerohive Configuration Guide: RADIUS Authentication | 3 Contents Contents ...................................................................................................................................................................................................................... 3 IEEE 802.1X Primer................................................................................................................................................................................................... 4 Example 1: Single Site Authentication .................................................................................................................................................................... 6 Step 1: Configuring the Network Policy ..............................................................................................................................................................7 Step 2: Configuring the Interface and User Access .........................................................................................................................................7 Step 3: Uploading the Configuration and Certificates ....................................................................................................................................
    [Show full text]
  • RADIUS Tunnel Preference for Load Balancing and Fail-Over
    RADIUS Tunnel Preference for Load Balancing and Fail-Over The RADIUS Tunnel Preference for Load Balancing and Fail-Over feature provides industry-standard load balancing and fail-over functionality for an Layer 2 Tunnel Protocol network server (LNS), rather than requiring the use of a Cisco proprietary Vendor Specific Attribute (VSA). The feature conforms to the tunnel attributes that are to be used in a multivendor network environment as defined in RFC 2868, thereby eliminating interoperability issues among network access servers (NASs) manufactured by different vendors. • Finding Feature Information, page 1 • Prerequisites, page 2 • Restrictions, page 2 • Information About RADIUS Tunnel Preference for Load Balancing and Fail-Over, page 2 • How RADIUS Tunnel Preference for Load Balancing and Fail-Over is Configured, page 4 • Configuration Example for RADIUS Tunnel Preference for Load Balancing and Fail-Over, page 4 • Additional References, page 4 • Feature Information for RADIUS Tunnel Preference for Load Balancing and Fail-Over, page 6 • Glossary, page 6 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
    [Show full text]
  • Breaking PPTP Vpns Via RADIUS Encryption
    Breaking PPTP VPNs via RADIUS Encryption Matthias Horst, Martin Grothe, Tibor Jager, and Jorg¨ Schwenk Horst Gortz¨ Institute, Ruhr-University Bochum matthias.horst, martin.grothe, tibor.jager, f joerg.schwenk @rub.de g Abstract. We describe an efficient cross-protocol attack, which enables an at- tacker to learn the VPN session key shared between a victim client and a VPN endpoint. The attack recovers the key which is used to encrypt and authenticate VPN traffic. It leverages a weakness of the RADIUS protocol executed between a VPN endpoint and a RADIUS server, and allows an “insider” attacker to read the VPN traffic of other users or to escalate its own privileges with significantly smaller effort than previously known attacks on MS-CHAPv2. 1 Introduction The Point-to-Point Tunneling (PPTP) protocol [5] implements a confidential and au- thenticated virtual private network (VPN) tunnel in public computer networks like the Internet. In this work, we analyze the security of PPTP using MS-CHAPv2 in combi- nation with a RADIUS authentication server. This is a standard setting, which is used in large-scale and enterprise networks, where RADIUS is used to centralize user man- agement and to perform authentication for different applications. Large scale analysis of public VPN service providers shows that over 60% of these still offer PPTP [14]. Contributions. We describe an efficient cross-protocol attack, which enables an attacker to learn the VPN session key shared between a victim client and a VPN endpoint. The attack recovers the key which is used to encrypt and authenticate VPN traffic, usually with the Microsoft Point-to-Point Encryption (MPPE) [9] scheme.
    [Show full text]
  • Configuring RADIUS Authentication and Accounting
    Nortel Ethernet Routing Switch 8300 Configuration — Security using Device Manager NN46200-508 (317346-E Rev 01) . Document status: Standard Document version: 03.01 Document date: 27 August 2007 Copyright © 2007, Nortel Networks All Rights Reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document. Trademarks *Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. All other products or services may be trademarks, registered trademarks, service marks, or registered service marks of their respective owners. The asterisk after a name denotes a trademarked item. Restricted rights legend Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
    [Show full text]
  • FREERADIUS TECHNICAL GUIDE CHAPTER 1 - INTRODUCTION WHAT IS FREERADIUS? Chapter 1 - Introduction
    THE FREERADIUS TECHNICAL GUIDE CHAPTER 1 - INTRODUCTION WHAT IS FREERADIUS? Chapter 1 - Introduction This chapter describes: • What is RADIUS? • What is FreeRADIUS? • FreeRADIUS benefits • FreeRADIUS case studies 1.0 What is RADIUS? RADIUS, which stands for “Remote Authentication Dial In User Service”, is a network protocol - a system that defines rules and conventions for communication between network devices - for remote user authentication and accounting. Commonly used by Internet Service Providers (ISPs), cellular network providers, and corporate and educational networks, the RADIUS protocol serves three primary functions: • Authenticates users or devices before allowing them access to a network • Authorizes those users or devices for specific network services • Accounts for and tracks the usage of those services For a detailed look at how RADIUS performs these functions, see section 2.2, “The RADIUS Session Process”, on page 11. 1.0.1 History In 1991, Merit Network, a non-profit internet provider, required a creative way to manage dial-in access to various Points-Of-Presence (POPs) across its network. In response to this need, RADIUS was created by Livingston Enterprises. At the time RADIUS was created, network access systems were distributed across a wide area and were run by multiple independent organizations. Central administrators wanted to prevent problems with security and scalability, and thus did not want to distribute user names and passwords; instead, they wanted the remote access servers to contact a central server to authorize access to the requested system or service. In response to contact from the remote access server, the central server would return a “success” or “failure” message, and the remote machines would be in charge of enforcing this response for each end user.
    [Show full text]
  • A Framework for the Development of Mobile Social Software on Android
    A Framework for the Development of Mobile Social Software on Android Robert Lübke, Daniel Schuster, and Alexander Schill Computer Networks Group, Technische Universität Dresden, Dresden, Germany {robert.luebke,daniel.schuster,alexander.schill}@tu-dresden.de Abstract. Nowadays, social aspects can be found in more and more mobile applications. Analyzing the domain of mobile social software and especially the offered features shows much similarity in the different apps. A framework that supports often used functionalities can facilitate and speed up the development of new innovative mobile applications. This paper presents the Mobilis framework, which aims to extensively support the developers of mobile social software. It provides often used features and offers the functionality in a service environment, that can easily be integrated into new mobile applications. Keywords: social software, mobile computing, framework, social network, group formation, collaboration, XMPP, Android. 1 Introduction In the last years social networks have gained a huge popularity. Nowadays they connect millions of internet users with each other. Facebook Places1, Foursquare2 and Gowalla3 are well-known examples of apps that combine social networking and pervasive computing and thereby form the trend of pervasive social com- puting. While many social platforms are accessible via apps for mobile devices, they do not unfold their full potential until the connected users can interact and collaborate with each other in a way that is adapted to the current situa- tion and technical infrastructure. With collaborative features users interact with each other in a target-oriented way to reach a common goal and they coordi- nate each other with their mobile devices.
    [Show full text]
  • Contents Bintec/Teldat VPN Gateway Configuration for SMS PASSCODE
    Bintec/Teldat VPN gateway configuration Contents Bintec/Teldat VPN gateway configuration for SMS PASSCODE ................................ 1 Connect Radius .............................................................................................. 1 Bintec/Teldat VPN gateway configuration for SMS PASSCODE In this scenario about the VPN configuration on the Bintec gateway, an IPSec peer configuration entry is created which allows the simultaneous connection of multiple clients (IPSec Multi-User). Following the IPSec pre-shared key authentication, the One-Time Passcode (OTP) authentication between the Bintec VPN client and the SMS PASSCODE™ server is completed via a RADIUS server, in this case a Microsoft Network Policy Server (NPS). Note Instead of the Multi-User IPSec configuration, there is also the option to create a separate IPSec peer configuration entry for each VPN client. The priority of the Multi-User IPSec peer must always be lower than other IPSec peer configuration entries. Connect Radius To connect the RADUIS server to the Bintec VPN gateway, go to the following menu: 1. Go to System Management -> Remote Authentication -> RADIUS ->New. System Management->Remote Authentication->RADIUS->New Proceed as follows: 1. Select Authentication Type XAUTH in order to enable authentication via the Windows Server. 2. Enter theServer IP Address, e.g. 172.16.105.131 , to communicate with the Microsoft RADIUS server. 3. Enter the shared password used for communication between the RADIUS server and your device, e.g. supersecret . 4. Press OK to confirm your entries. An address pool must be created to assign an IP pool to the VPN profile of the Multi-User IPSec peer. 1. Go to VPN -> IPSec -> IP Pools -> Add VPN -> IPSec -> IP Pools -> Add Proceed as follows: 1.
    [Show full text]
  • Configuring Secure Shell (SSH)
    Configuring Secure Shell (SSH) • Finding Feature Information, page 1 • Prerequisites for Configuring the Switch for Secure Shell (SSH) and Secure Copy Protocol (SCP), page 1 • Restrictions for Configuring the Switch for SSH, page 2 • Information about SSH, page 2 • How to Configure SSH, page 5 • Monitoring the SSH Configuration and Status, page 8 • Additional References, page 8 Finding Feature Information Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required. Prerequisites for Configuring the Switch for Secure Shell (SSH) and Secure Copy Protocol (SCP) The following are the prerequisites for configuring the switch for secure shell (SSH): • For SSH to work, the switch needs an RSA public/private key pair. This is the same with Secure Copy Protocol (SCP), which relies on SSH for its secure transport. • Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch. • Because SCP relies on SSH for its secure transport, the router must have an Rivest, Shamir, and Adelman (RSA) key pair. • SCP relies on SSH for security. Consolidated Platform Configuration Guide, Cisco IOS XE 3.3SE (Catalyst 3850 Switches) OL-30686-01 1 Configuring Secure Shell (SSH) Restrictions for Configuring the Switch for SSH • SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level.
    [Show full text]
  • Radsec a Secure, Reliable Radiator RADIUS Protocol
    October 19, 2012 RadSec a secure, reliable Radiator RADIUS Protocol Copyright (C) 2012 Open System Consultants Pty. Ltd. This white paper discusses RadSec, a secure, reliable protocol for proxying RADIUS requests. 1.0 Introduction This document provides an overview and technical description of the RadSec protocol, which provides secure, reliable RADIUS transport for Radiator and other compliant products. RadSec has been formalised as an official IETF RFC 6614. RadSec allows RADIUS authentication and accounting data to be passed safely and reliably across insecure networks such as the internet. 2.0 Rationale and Overview The RadSec protocol is designed to provide secure, reliable transport of RADIUS requests across insecure networks such as the Internet. It was designed by Open System Consultants in response to some of the shortcomings of the conventional RADIUS pro- tocol. In 2012, it was released as an official IETF RFC 6614 (http://datatracker.ietf.org/ doc/rfc6614/). The RADIUS protocol (RFC 2865) has been in use for many years and has become the de-facto standard for providing AAA (Authentication Authorisation and Accounting) services. In the time since its release, it has revealed a number of serious shortcomings when used in some environments. Many operators use RADIUS proxying to send conventional RADIUS requests across insecure networks as part of various global roaming or open campus projects. Typical are educational and other institutions which permit their users to roam on the networks of their partners, and arrange to send RADIUS authentication and accounting requests to the user’s home RADIUS server, based on the user’s Realm. This is called ‘Realm- 1 of 6 Rationale and Overview based proxying’, and is usually implemented with the Radiator AuthBy RADIUS clause.
    [Show full text]