Archive for March 2009
Deploying 802.1x for LAN access
Scenario:
As part of a global security project you want to control which machines are granted access to your wired and wireless network. This means you need port-based Network Access Control.
IEEE 802.1X is the standard that implements this. It is often used in wireless networks to authenticate users' WLAN access (for example with smart cards), but it works on a wired network as well. The authentication protocol carried by 802.1X is EAP: it runs over EAPOL between the client (supplicant) and the switch (authenticator), and is relayed inside RADIUS between the switch and the authentication server.
EAP itself is a framework for different methods: EAP-PEAP, EAP-MD5, …
I will show an example of machine authentication against Active Directory on a Cisco wired network. I use EAP-PEAP (with EAP-MSCHAPv2 inside the TLS tunnel) as it is simple and strong enough for my needs.
- First, you need an Active Directory domain with the PKI service (Certificate Services) running on the DC. Install the IAS service (the Microsoft RADIUS server) on the DC and issue a new server certificate for it (friendly name Radius1).
- Create a new security group named 802.1x_Auth.
- Open the IAS MMC and stop the service. Then right-click the local IAS server, choose Register Server in Active Directory and accept, to allow IAS to read account information from AD.
- Create a new RADIUS client with the relevant information (name, IP); as Client-Vendor choose RADIUS Standard.
- Choose a strong pre-shared key, which will be shared with the authenticator (the switch). This key is all that authenticates the switch to IAS and protects the RADIUS exchange, so treat it like a password: long, random and unique per switch.
- Under Remote Access Logging, select all the checkboxes to get activity logs.
- Delete all the useless Remote Access Policies.
- Create a new one with an explicit name, then Next.
- Choose the Ethernet radio button, then Next.
- Add the 802.1x_Auth group you created before, then Next.
- For the EAP type select PEAP, then click Configure.
- Choose the certificate you issued for IAS (Radius1).
- Select Fast Reconnect.
- Select EAP-MSCHAP v2 as the EAP type.
- After you have finished you need to re-open the policy properties and change the NAS-Port-Type condition from Ethernet to Async, otherwise the policy will not match the requests the switch sends. If in doubt about what the switch reports, the reject event in the IAS log lists the NAS-Port-Type the request carried.
- Start the IAS service.
The last steps are to configure your Windows XP machines:
- you need to make the machines members of your domain,
- open Active Directory Users and Computers and locate the machine you want,
- add it to the 802.1x_Auth group,
- in the Dial-in tab, choose Grant Access,
- be careful: there is a difference between configuring 802.1x on SP2 and SP3 XP machines. For XP SP3 machines you must follow this link.
- In the Protected EAP Properties you need to select Validate server certificate and tick the Trusted Root Certification Authority that issued the IAS certificate. Do not skip this: without server validation the supplicant will complete the PEAP tunnel with any RADIUS server that presents a certificate, and hand the MSCHAPv2 machine credentials to a rogue one.
Finally, you must configure the Cisco switch (for this I use a 3750) like this:
conf t
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host [IAS IP server]
radius-server key [pre-shared key]
For each interface on which you want to activate 802.1x you need at least this:
conf t
int f1/0/13
! access mode is required: dot1x is refused on dynamic (trunk-negotiating) ports
switchport mode access
switchport access vlan X
dot1x port-control auto
dot1x guest-vlan Y
The last line (dot1x guest-vlan) is used to put an unauthenticated machine, or one that does not speak 802.1x at all, into the guest VLAN Y. Anything that never sends EAPOL lands there, so the guest VLAN must be treated as untrusted and firewalled accordingly. Newer IOS releases also require dot1x pae authenticator on the interface before port-control takes effect.
For troubleshooting you can use:
show dot1x all
show dot1x interface f1/0/13
debug dot1x events
And for the IAS logs see Event Viewer > System: a granted request is logged as event ID 1 from source IAS and a denied one as event ID 2, with the reason and the policy that matched.
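As an added example that is not part of the original post, the following Python script models the RADIUS leg that the pre-shared key protects: the switch builds an Access-Request carrying the supplicant's EAP-Response/Identity together with NAS-Port-Type (the attribute the policy condition above is compared against), IAS checks the Message-Authenticator before it evaluates any Remote Access Policy, and the switch checks the Response Authenticator on the reply. The packet layout follows RFC 2865 and RFC 3579; the identity, the secret and the hypothetical machine name are constructed for the example, and no real IAS or switch is involved.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE = 1, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_ASYNC, NAS_PORT_TYPE_ETHERNET = 0, 15  # the two values the IAS policy step is about


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Decode an attribute list into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        atype, alen = struct.unpack_from("!BB", data, pos)
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def eap_identity_response(identity):
    """EAP-Response/Identity: Code 2, Identifier, Length, Type 1, identity string."""
    return struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity.encode()


def build_access_request(secret, identifier, username, eap_payload, port_type):
    """What the switch sends to IAS. RFC 3579 requires a Message-Authenticator
    (HMAC-MD5 keyed with the shared secret) on every packet carrying EAP-Message."""
    request_auth = os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", port_type))
             + attr(ATTR_EAP_MESSAGE, eap_payload))
    zeroed_ma = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs) + len(zeroed_ma))
    # the HMAC covers the whole packet with the Message-Authenticator value set to zeros
    mac = hmac.new(secret, header + request_auth + attrs + zeroed_ma, hashlib.md5).digest()
    return header + request_auth + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_request(secret, packet):
    """IAS side: recompute the Message-Authenticator. A request from a client with
    the wrong shared secret, a tampered body, or no Message-Authenticator at all is
    discarded here, before any Remote Access Policy is evaluated."""
    code, _ident, length = struct.unpack_from("!BBH", packet, 0)
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        return False
    attrs = parse_attrs(packet[20:])
    received = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    zeroed = b"".join(attr(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                      for t, v in attrs)
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received[0])


def nas_port_type(packet):
    """The NAS-Port-Type the switch reported; this is what the policy's
    'Ethernet' or 'Async' condition is compared against."""
    for t, v in parse_attrs(packet[20:]):
        if t == ATTR_NAS_PORT_TYPE and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None


def build_response(secret, code, request, attrs=b""):
    """IAS reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    binds the answer to this particular request and to the shared secret."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, request, response):
    """Switch side: an Access-Accept that does not verify (forged, or wrong key)
    is dropped and the port stays unauthorized."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"example-shared-key"  # constructed for the demo; use a long random key for real
    machine = "host/pc01.example.local"  # hypothetical machine account identity
    req = build_access_request(secret, 7, machine, eap_identity_response(machine),
                               NAS_PORT_TYPE_ETHERNET)
    print("IAS accepts request with the right key:", verify_request(secret, req))
    print("IAS accepts request with a wrong key:  ", verify_request(b"typo", req))
    print("NAS-Port-Type reported by the switch:  ", nas_port_type(req))
    accept = build_response(secret, ACCESS_ACCEPT, req)
    print("switch accepts genuine Access-Accept:  ", verify_response(secret, req, accept))
    forged = build_response(b"attacker-guess", ACCESS_ACCEPT, req)
    print("switch accepts forged Access-Accept:   ", verify_response(secret, req, forged))
```

The point of the model is that both checks key on the pre-shared key from the RADIUS client step: a mistyped key on either side fails silently at the Message-Authenticator or Response Authenticator stage, which in IAS shows up as a discarded request rather than a policy reject, and an attacker on the switch-to-server path cannot inject an Access-Accept without it.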
2 comments, 25 March 2009
NATing a network range with NETMAP + iptables
Sometimes we need to do a 1:1 NAT of a whole network range, depending on a condition (the destination network, for example).
For example, you have the 192.168.1.0/24 network and you would like to NAT each IP to its equivalent in 192.168.2.0/24 when the packet travels through the NAT device (so 192.168.1.100 becomes 192.168.2.100).
If you use Netfilter as a NAT device or gateway you can use the NETMAP target like this:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.1.1.0/24 -j NETMAP --to 192.168.2.0/24
In POSTROUTING, NETMAP rewrites the source address (like SNAT, but keeping the host part); in PREROUTING it rewrites the destination. The --to network must have the same prefix length as the matched range. Connection tracking reverses the mapping for replies, so the 10.1.1.0/24 side only needs a route for 192.168.2.0/24 pointing at the NAT device, and FORWARD must of course allow the traffic. I think that is clear enough.
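To make the semantics concrete, here is an added Python model (not from the original post, and not how Netfilter implements it) of what the rule above does to addresses: the mapping keeps the host bits and swaps the network bits, the rule only fires when both the source and the destination condition match, and replies are un-NATed by the connection table rather than by a second rule. It also models the PREROUTING counterpart you would add if hosts in 10.1.1.0/24 must initiate connections to the 192.168.2.x addresses; the three networks are the ones from the post, the host addresses are constructed.

```python
import ipaddress


def netmap(addr, match_net, to_net):
    """Translate one address the way the NETMAP target does: keep the host
    bits of addr, replace the network bits with those of to_net."""
    addr = ipaddress.ip_address(addr)
    match_net, to_net = ipaddress.ip_network(match_net), ipaddress.ip_network(to_net)
    if match_net.prefixlen != to_net.prefixlen:
        raise ValueError("--to prefix length must equal the matched range's")
    if addr not in match_net:
        return str(addr)  # outside the range: untouched
    host_bits = int(addr) & int(to_net.hostmask)
    return str(ipaddress.ip_address(int(to_net.network_address) | host_bits))


class NatBox:
    """Toy model of a Netfilter gateway: a POSTROUTING NETMAP rule for
    inside->peer traffic, its PREROUTING mirror for peer->outside traffic,
    and a connection table that un-NATs replies (what conntrack does)."""

    def __init__(self, inside, outside, peer):
        self.inside = ipaddress.ip_network(inside)    # real range, 192.168.1.0/24 in the post
        self.outside = ipaddress.ip_network(outside)  # how it appears to the peer, 192.168.2.0/24
        self.peer = ipaddress.ip_network(peer)        # the condition: only towards 10.1.1.0/24
        self.conntrack = {}  # original (src, dst) -> translated (src, dst)

    def forward(self, src, dst):
        """Return the (src, dst) pair a packet carries after leaving the box."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # reply to a known connection: reverse the stored translation, no rule lookup
        for (osrc, odst), (nsrc, ndst) in self.conntrack.items():
            if (src, dst) == (ndst, nsrc):
                return str(odst), str(osrc)
        if src in self.inside and dst in self.peer:
            # POSTROUTING -s inside -d peer -j NETMAP --to outside
            new = (ipaddress.ip_address(netmap(src, self.inside, self.outside)), dst)
        elif src in self.peer and dst in self.outside:
            # PREROUTING -s peer -d outside -j NETMAP --to inside
            new = (src, ipaddress.ip_address(netmap(dst, self.outside, self.inside)))
        else:
            new = (src, dst)  # condition not met: no translation at all
        self.conntrack[(src, dst)] = new
        return str(new[0]), str(new[1])


if __name__ == "__main__":
    box = NatBox("192.168.1.0/24", "192.168.2.0/24", "10.1.1.0/24")
    print(box.forward("192.168.1.100", "10.1.1.5"))   # ('192.168.2.100', '10.1.1.5')
    print(box.forward("10.1.1.5", "192.168.2.100"))   # reply: ('10.1.1.5', '192.168.1.100')
    print(box.forward("192.168.1.7", "172.16.0.1"))   # other destination: untouched
    print(box.forward("10.1.1.9", "192.168.2.42"))    # peer initiates: ('10.1.1.9', '192.168.1.42')
```

The PREROUTING branch corresponds to a second rule, `iptables -t nat -A PREROUTING -s 10.1.1.0/24 -d 192.168.2.0/24 -j NETMAP --to 192.168.1.0/24`, which is only needed when the 10.1.1.0/24 side opens connections itself; for replies alone the single POSTROUTING rule from the post is enough because conntrack does the reverse mapping.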
24 March 2009
Netfilter log viewer
I've been using the Netfilter firewall at home for years. To view logs in real time with a nice colored output I use:
tail -f file | lwatch -i-
This is the simplest way.
But if you want, for any reason, to use your favorite browser for the same purpose, you won't have too many choices… My needs are:
- to be able to see real-time, colored logs,
- the application must be simple to use and maintain, with a filter engine.
I searched for this kind of viewer for a while; none fit exactly what I need. So I decided to combine what I found to get what I need,
and the result is: NetfilterEyes
It's a PHP+Ajax web interface which gives a nice and clear view of Netfilter's logs in real time.
Hope this will fit your needs too. Your feedback and suggestions are highly appreciated.
22 March 2009
Xen : NetInstall a PV Debian domU
I got my first domU working…
Here are the steps; please read all of them before proceeding:
- I installed a fresh Lenny (with a VG for VMs) with only xen, ssh and vim
- I created a LV called debianVM
- I downloaded xm-debian.cfg from the Debian site and renamed it to debian.cfg
- I changed the line disk = [ .... ] to
disk = [ 'phy:vg1/debianVM,xvda,w' ]
Note that there is no kernel, no ramdisk and no root option.
- in a terminal, I entered:
xm create debian.cfg install=true
Note that xm-debian.cfg downloads two files, vmlinuz and initrd.gz, which are used at VM creation time.
- I entered:
xm console debian
then I got the Debian ncurses installer, which was great news
- I continued the installation as usual
- once the installation completed, the VM shut down
- I tried to boot it but this failed…
- I edited debian.cfg and commented out the whole "Debian Installer specific variables" section
- I added these lines:
kernel = "/boot/vmlinuz-2.6.26-1-xen-686"
ramdisk = "/boot/initrd.img-2.6.26-1-xen-686"
root = "/dev/xvda1"
The kernel and ramdisk were put in place by the Xen installation on the Lenny dom0. Note that with kernel and ramdisk set this way the domU always boots the dom0's kernel, so a kernel upgrade inside the guest has no effect until you switch the config to booting with pygrub.
- I started the VM:
xm create -c debian
and got the login prompt. Network is OK, I can connect to it over SSH, the VM is stable, a pleasure.
I will now see how to install a domU from an ISO or CD, because I can't have Internet access all the time and I don't have an internal repository…
21 March 2009
Install a Xen PV domU from CD or ISO
I'm trying to get my first domU working…
As a first step, I want to install my PV domU from a CD.
This simple thing is really hard to achieve with a PV Xen system; the lack of documentation about it is impressive.
I had many errors:
Waiting for root file system ... ...
or
no init found
I used this syntax:
disk = [ 'phy:hdc,hdc:cdrom' ]
boot = "d"
root = "/dev/hdc ro"
I know that the root "/dev/hdc ro" is not correct at all, but I tried.
As I don't have full Internet access, asking for help is not simple…
But I found this:
Currently, there's no paravirtual CDROM driver available. So in a PV guest, you can only add an iso image as a disk and cannot change this disk at runtime. But as a workaround, you can detach it and re-attach another iso as the same frontend.
I don't have VT-enabled hardware, so I tried an ISO without success… pffff
I use VMware ESX at work, so I thought it wouldn't be difficult to get a domU working, but sincerely it is.
2 comments, 21 March 2009
Trying Xen with VMKnoppix
About my first experience with a Xen LiveCD on a Dell D610.
14 March 2009
