
天亮了说晚安's Blog

Welcome! http://www.tllswa.com

Archive

Category: Firewall

Reposted from: https://www.petenetlive.com/KB/Article/0001272 Problem I was setting up a Cisco ASA this week and needed to enable the ability for users to reset their domain passwords when they are about to expire. To actually test that, I needed a test user that had their password either about to expire, or actually expired. As I didn't want to wait 42 days, or set up a password policy just for one user, I needed to find a ‘quick and dirty’ fix for one user. Solution You need to open Active Directory Users and Computers, and you need to have ‘Advanced options’ enabled. Locate your user and open their properties > Attribute Editor > Attributes > pwdLastSet. If you want to set it to expired, then set its value to Zero. It should change to <never>, which is not strictly true, it actually changes to 12:00AM January 1st 1601. Note: If you set its value to -1 and apply the change it resets the attribute to the current day and time (you ma......Read More

Reposted from: https://www.petenetlive.com/KB/Article/0001273 Problem If you have remote users who connect via VPN, and a policy that forces them to change their password periodically, this can result in them getting locked out without the ability to change their password (externally). If your Cisco ASA is using LDAP to authenticate your users, then you can use your remote AnyConnect VPN solution to let them reset their passwords remotely. Solution Standard LDAP runs over TCP port 389; to allow the ASA to reset the password for the users, it needs to be connected via LDAPS (TCP Port 636). Your AD server needs to be able to authenticate via LDAPS; by default it will not. I’ve already covered how to set that up in another post, see the following article. Windows Server 2012 – Enable LDAPS So, assuming your AD server(s) that the Cisco ASA is authenticating against is already set up, you need to ensure that your AAA Settings for LDAP are set to use port 636. Ena......Read More

Reposted from: https://www.petenetlive.com/KB/Article/0000049 Problem You would like to enable remote access for your clients using the Cisco VPN Client software. Solution Before you start – you need to ask yourself “Do I already have any IPSEC VPNs configured on this firewall?” Because if it's not already been done, you need to enable ISAKMP on the outside interface. To ascertain whether yours is on, or off, issue a “show run crypto isakmp” command and check the results; if you do NOT see “crypto isakmp enable outside” then you need to issue that command.
PetesASA# show run crypto isakmp
crypto isakmp enable outside << Mine's already enabled.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
PetesASA#
1. Firstly we need to set up Kerberos AAA, if you wanted to use the ASDM to do this CLICK HERE however, to do the same via command line see the commands belo......Read More

Reposted from: https://www.petenetlive.com/KB/Article/0000688 Problem Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall. I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first. Solution Step 1 Configure the ASA for AAA RADIUS Authentication 1. Connect to your ASDM, > Configuration > Remote Access VPN > AAA Local Users > AAA Server Groups. 2. In the Server group section > Add. 3. Give the group a name and accept the defaults > OK. 4. Now (with the group selected) > In the bottom (Server) section > Add. 5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK. 6. Apply. Configure AAA RADIUS from command lin......Read More

Reposted from: https://www.petenetlive.com/KB/Article/0000071 Problem Below is a walkthrough for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance. This is done via the ASDM console. Though if (like me) you prefer using the Command Line Interface I’ve put the commands at the end. You will need a RADIUS server; Windows Server (2000 and 2003) has its own RADIUS bolt-on called Windows IAS. Step 1 Below is a walkthrough on how to set this up. It also uses the Cisco VPN client – the version used is v5 which is still in beta at the time of writing. Solution Note: This is an old post and covers setup on Server 2003, for a more modern version (Server 2012/2016/2019) of this procedure, see the following article; Windows Server Setup RADIUS for Cisco ASA 5500 Authentication Step 1 Install RADIUS (Server 2003 Windows IAS) Note: for Server 2008 go here and for Server 2012 go here. 1. Assuming you don’t already ha......Read More

Reposted from: https://www.petenetlive.com/KB/Article/0000685 Problem Note: The procedure is the same for Server 2016 and 2019. This week I was configuring some 2008 R2 RADIUS authentication, so I thought I’d take a look at how Microsoft have changed the process for 2012. The whole thing was surprisingly painless. I will say that Kerberos Authentication is a LOT easier to configure, but I’ve yet to test that with 2012, (watch this space). Solution Step 1 Configure the ASA for AAA RADIUS Authentication 1. Connect to your ASDM, > Configuration. 2. Remote Access VPN. 3. AAA Local Users > AAA Server Groups. 4. In the Server group section > Add. 5. Give the group a name and accept the defaults > OK. 6. Now (with the group selected) > In the bottom (Server) section > Add. 7. Specify the IP address, and a shared secret that the AS......Read More

Reposted from: https://www.petenetlive.com/KB/Article/0000943 Problem Also See Cisco ASA5500 AnyConnect SSL VPN This procedure was done on Cisco ASA version 8.4, so it uses all the newer NAT commands. I’m also going to use self-signed certificates so you will see this error when you attempt to connect. Solution 1. The first job is to go get the AnyConnect client package, (download it from Cisco with a current support agreement). Then copy it into the firewall via TFTP. If you are unsure how to do that see the following article. Install and Use a TFTP Server
Petes-ASA(config)# copy tftp flash
Address or name of remote host [10.254.254.183]? 192.168.80.1
Source filename []? anyconnect-win-3.1.05152-k9
Destination filename [anyconnect-win-3.1.05152-k9]? {Enter}
Accessing tftp://192.168.80.1/anyconnect-win-3.1.05152-k9...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!......Read More

Reposted from: https://www.petenetlive.com/KB/Article/0001152 Problem When I first started doing Cisco remote VPNs, we had Server 2000/2003 and I used to use RADIUS with IAS. Then Microsoft brought out 2008/2012 and RADIUS via NAP. Because I fear and loathe change I swapped to using Kerberos VPN Authentication for a while. I had to put in an ASA5512-X this weekend and the client wanted to allow AnyConnect to a particular Domain Security Group “VPN-Users”, so I thought I would use LDAP for a change. The process is to set up AAA for LDAP, then create an ‘Attribute map’ for the domain group, and then map that group to a particular ASA Tunnel Group/ASA Group Policy. Though to be honest if you have multiple groups and want to assign different levels of access (i.e. different ACLs etc.) then using a blend of LDAP and Cisco Dynamic Access Policies (DAP) is a lot simpler. I’ll post both options, and you can take your pick. Solution Firstly you need to cre......Read More

Reposted from: https://www.petenetlive.com/KB/Article/0001175 Problem I always forget the syntax for this, and I’ve been meaning to publish this for a while, so here you go. If you have AAA set up and people can’t log in, then the ability to test authentication against a user’s username and password is a good troubleshooting step! Usually I’m on a Cisco ASA but I’ll tag on the syntax for IOS as well. Solution Cisco ASA Test AAA Authentication From Command Line You will need to know the server group and the server you are going to query; below the ASA is using LDAP, but the process is the same for RADIUS, Kerberos, TACACS+, etc.
Petes-ASA# show run | begin aaa
aaa-server TEST-LDAP-SERVER protocol ldap
aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10
 ldap-base-dn dc=TEST,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=asa,OU=Users,OU=Test-Corp,dc=TEST,dc=net
 server-type auto-detect
To te......Read More
