Tuesday, September 27, 2016

Cisco ACS 5.x and BIG-IQ 5.0 Radius Attributes

In this post I will show you the relevant RADIUS configuration on the Cisco ACS for the F5 attributes, and the matching configuration on the F5 BIG-IQ.


1st, I downloaded the VSA template that we will use for inserting the F5 vendor-specific attributes.

I found it much easier to export the Cisco ACS template, modify it, and re-import it. Trying to download the F5-support template and get a flawless import is very time consuming.





2nd, after a successful import it is wise to click "show vendor attribute" and check things over.

I kept my RADIUS attribute list small and included only the attribute I required, so the full F5 VSA dictionary was not imported.

Now we can define the attribute in our network authorization profiles, mapping the attribute values required for a specific role.


Here's a sample of my F5 authorization profiles. They were defined generically to match an F5 "role". Notice that the attributes are defined along with a generic reply message, which will help with further diagnostics and analysis.



Applying a unique Reply-Message per ACS authorization profile, and then using just that profile in one policy, helps you narrow down which policy and authorization profile is being matched when you look at the client side.


So here are the final policies.


On the BIG-IQ you will need to define the RADIUS settings and the remote-role mapping. It's a good idea to define a default role of guest; if no role matches and no default is set, "no-access" becomes your default role.

( cli cfg BIG-IQ 5.0 ; note that the names listed under system-auth servers must match the radius-server object names )

Sys::Version
Main Package
  Product     BIG-IQ
  Version     5.0.0
  Build       0.0.3026
  Edition     Final

  Date        Tue Jun  7 00:17:51 PDT 2016



admin@(BIGIQCALITECH01)(Active)(/Common)(tmos)# list auth
auth password-policy { }
auth radius system-auth {
    debug enabled
    servers {
        RAD01
        RAD02
        RAD03
    }
    service-type default
}
auth radius-server RAD01 {
    secret test1234567890
    server 10.3.1.11
    timeout 30
}
auth radius-server RAD02 {
    secret test1234567890
    server 10.4.1.11
    timeout 30
}
auth radius-server RAD03 {
    secret test1234567890
    server 10.5.1.11
    timeout 30
}
auth remote-role {
    role-info {
        operator {
            attribute F5-LTM-User-Info-1=operator
            console tmsh
            line-order 2
            role 400
            user-partition All
        }
        resource-admin {
            attribute F5-LTM-User-Info-1=resource
            console tmsh
            line-order 3
            role 20
            user-partition All
        }
    }
}
auth remote-user {
    default-role guest
    remote-console-access tmsh
}
auth source {
    type radius
}
auth user admin {
    description "Predefined Admin User"
    encrypted-password  myencpsssword_admin_user
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell tmsh
}
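To make the remote-role matching above concrete, here is an added example (my own illustration, not F5 or Cisco code) that builds the F5 vendor-specific attribute the way the ACS sends it on the wire, decodes it, and applies the role-info table from the config. Vendor id 3375 and vendor type 12 (F5-LTM-User-Info-1) are F5's published dictionary values; the role numbers 400 and 20 come from the config, 700 is F5's role number for guest, and the Access-Accept attribute bytes are constructed here rather than captured:

```python
"""Encode and decode the F5 vendor-specific RADIUS attribute (VSA) that the
BIG-IQ remote-role table keys on, then apply that table.  Added example, not
F5 or Cisco code.  Vendor id 3375 / vendor type 12 (F5-LTM-User-Info-1) are
F5's published dictionary values; ROLE_TABLE mirrors the tmsh config; the
Access-Accept bytes are constructed, not captured."""
import struct

ATTR_REPLY_MESSAGE = 18      # RFC 2865 section 5.18
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 section 5.26
F5_VENDOR_ID = 3375
F5_LTM_USER_INFO_1 = 12

# auth remote-role role-info from the config: VSA string -> role number.
ROLE_TABLE = {"operator": 400, "resource": 20}
DEFAULT_ROLE = 700           # guest, matching 'default-role guest'


def encode_attr(attr_type, value):
    """RADIUS TLV; Length counts the 2-byte header, so value is capped at 253."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_f5_vsa(vendor_type, value):
    """Vendor-Specific (26) wrapping Vendor-Id | Vendor-Type | Vendor-Length | value."""
    sub = encode_attr(vendor_type, value.encode())
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", F5_VENDOR_ID) + sub)


def decode_attrs(blob):
    """Walk a TLV run into [(type, value), ...]; malformed lengths raise
    instead of being skipped, so a bad packet cannot hide an attribute."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((t, blob[i + 2:i + length]))
        i += length
    return out


def f5_user_info(attrs):
    """Collect F5 sub-attributes (vendor type -> string) from every VSA."""
    info = {}
    for t, v in attrs:
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue                      # not a VSA, or too short to hold one
        if struct.unpack("!I", v[:4])[0] != F5_VENDOR_ID:
            continue                      # some other vendor's VSA
        for vtype, vvalue in decode_attrs(v[4:]):
            info[vtype] = vvalue.decode(errors="replace")
    return info


def remote_role(attrs):
    """Apply the remote-role table the way the config does: match the
    F5-LTM-User-Info-1 string; anything else, or no VSA at all, gets default-role."""
    return ROLE_TABLE.get(f5_user_info(attrs).get(F5_LTM_USER_INFO_1), DEFAULT_ROLE)


def reply_message(attrs):
    """The per-profile Reply-Message the post adds for troubleshooting."""
    for t, v in attrs:
        if t == ATTR_REPLY_MESSAGE:
            return v.decode(errors="replace")
    return None


def access_accept_attrs(profile, info_value):
    """Constructed Access-Accept attribute section, as the ACS profile would send it."""
    return (encode_f5_vsa(F5_LTM_USER_INFO_1, info_value)
            + encode_attr(ATTR_REPLY_MESSAGE, ("ACS profile " + profile).encode()))


if __name__ == "__main__":
    for profile, value in (("F5_OPERATOR", "operator"),
                           ("F5_RESADMIN", "resource"),
                           ("F5_UNKNOWN", "admin")):
        attrs = decode_attrs(access_accept_attrs(profile, value))
        print(reply_message(attrs), "->", f5_user_info(attrs), "-> role", remote_role(attrs))
```

The "admin" case is the one worth noticing: a VSA value that is not in the role-info table falls through to the default role, which is why a missing or misspelled attribute value on the ACS side shows up on the BIG-IQ as a guest login rather than an error.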


While debugging why attributes were not being sent by the Cisco ACS, I found that the RADIUS request differs quite a bit depending on how you access the BIG-IQ.

Check out this WebGUI access and then SSH access, and notice the attributes sent by the RADIUS client (the BIG-IQ):




Also, another finding: the security and audit logs viewed via the CLI never show WebGUI access successes or failures, and there is no audit logging of command executions done via the WebGUI.

(audit logging via cli)


( security logging via cli )



TIP: The F5 security logs typically display either RAW: sshd(pam_audit): for SSH access or RAW: httpd(mod_auth_pam): for WebGUI access.


BTW: 

In the WebGUI it was unclear to me whether you need to define user-groups, but if you do, the group names need to match the F5 attribute values being sent by the Cisco ACS (see above: Vendor-3375-Attr-12, aka F5-LTM-User-Info-1, attribute #12 of the F5 VSA set).


( example radius servers configuration and user-group via the webgui  )



(user-group  and specific RAdius-VSA attribute that's  expected for this role )



(  BIG-IQ roles  numbers-2-names  )

And lastly, I used the wrong browser initially (Safari) and later Firefox release 48, and the same bug corrupted our ACS policy database. So even though the Cisco ACS WebGUI showed the authorization profile and policy correctly configured, the Cisco ACS instance did not send the RADIUS attribute.


So we will look at the next patch (#5) and see what the release notes show.


Tip: if you are trying SSH access and cannot get a shell, the log will show the following:



Tip: use the ACS reporting if you are experiencing authentication issues.





Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 

        /  \

Monday, September 26, 2016

wildfireEU

I happened to log into my Palo Alto account and found that they have an EU portal.

WildFire can be accessed via the following URLs:


https://wildfire.paloaltonetworks.com 
https://wildfire.paloaltonetworks.jp
https://eu.wildfire.paloaltonetworks.com

reference:

https://www.paloaltonetworks.com/company/press/2016/palo-alto-networks-unveils-new-wildfire-european-cloud-hosted-in-the-netherlands






It looks like Palo Alto also redirects ARIN address space to the general WildFire instance, RIPE address space to the EU instance, and Pacific-based users to Japan.

Ken

OPNsense configuration backups

In this post I will demonstrate one of the best new features in the OPNsense firewall. In fact I'm surprised it took this long, and that no commercial firewall vendor has a means for "selective" configuration backup.

In OPNsense, you can now do full backups or back up selected areas only.



Okay, so what this allows:

  •  you can back up specific parts, or all parts, of the firewall configuration
  •  you can restore all of it or a specific part
  •  you still have the option to encrypt the backup
  •  if you have a backup, you can make a change and restore only the area the change was in
  •  it is also great for providing XML configurations to outside third parties for auditing purposes

Here's an interface cfg backup in XML format;





Here's the same configuration, but encrypted;







You have to love  open source networking and firewalls.






It would be nice if the open source dev team would allow:

1: selectable encryption methods
2: "diffs" of the configuration files before restore operations
3: automated, scheduled configuration backups for a particular area

Open source firewalls and firewall managers are a real alternative. A few great solutions exist: iptables, the firewalld iptables manager, m0n0wall, pfSense, OPNsense, the Packet Filter (pf) firewall, Untangle, etc.
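Wish number 2 above, a diff of just one area before you restore it, is easy enough to do yourself on the exported XML. Here is an added example of my own (not OPNsense code) that flattens a chosen top-level area of two config.xml exports and prints a unified diff of it. It assumes only that the export is XML whose top-level children are the areas you can back up selectively (for instance <interfaces>); both documents below are constructed samples, not real exports:

```python
"""Diff one configuration area of two firewall config.xml exports before a
selective restore.  Added example, not OPNsense code; it assumes only that the
export is XML whose top-level children are the selectively restorable areas.
Both sample documents are constructed, not real exports."""
import difflib
import xml.etree.ElementTree as ET

BACKUP_XML = """<opnsense>
  <system><hostname>fw01</hostname></system>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>192.0.2.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
</opnsense>
"""

RUNNING_XML = """<opnsense>
  <system><hostname>fw01</hostname></system>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>192.0.2.1</ipaddr><subnet>23</subnet></lan>
    <opt1><if>em2</if><ipaddr>198.51.100.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
</opnsense>
"""


def leaves(elem, prefix=""):
    """Flatten an element into 'path = value' lines in document order, so
    indentation and whitespace differences between exports never count."""
    path = (prefix + "/" + elem.tag) if prefix else elem.tag
    children = list(elem)
    if not children:
        return [path + " = " + (elem.text or "").strip()]
    lines = []
    for child in children:
        lines.extend(leaves(child, path))
    return lines


def area_lines(xml_text, area):
    """Lines for one top-level area; an absent area yields no lines."""
    node = ET.fromstring(xml_text).find(area)
    return leaves(node) if node is not None else []


def area_diff(backup_xml, running_xml, area):
    """Unified diff of a single area, backup on the left, running on the right."""
    return list(difflib.unified_diff(
        area_lines(backup_xml, area), area_lines(running_xml, area),
        fromfile="backup/" + area, tofile="running/" + area, lineterm=""))


def changed_areas(backup_xml, running_xml):
    """Top-level areas that differ at all: the candidates for a selective restore."""
    b, r = ET.fromstring(backup_xml), ET.fromstring(running_xml)
    areas = sorted({c.tag for c in b} | {c.tag for c in r})
    return [a for a in areas
            if area_lines(backup_xml, a) != area_lines(running_xml, a)]


if __name__ == "__main__":
    for area in changed_areas(BACKUP_XML, RUNNING_XML):
        print("\n".join(area_diff(BACKUP_XML, RUNNING_XML, area)))
```

Run it against a decrypted backup and the current export and you get one diff per changed area, which is exactly what you want to eyeball before restoring only that area; areas that are present in one file and missing in the other show up as well, since a missing area flattens to no lines.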

Ken


Wednesday, September 14, 2016

My PCNSE7 exam review

I finally took and passed the Palo Alto PCNSE7 exam this AM. Like the PCNSE6, it has straightforward questions.




Since I couldn't find any Palo Alto PCNSE7 study materials, I used the following;



  • re-study the PAN-OS 6 and 7 CLI commands
  • review the PCNSE7 blueprint material from Palo Alto
  • look at the various ACC tabs
  • remember the hard-to-forget test commands
  • re-read a lot of Palo Alto Live notes on Panorama


The combination of those and experience with PAN-OS 6 was what let me get a passing score on the PCNSE7. It's a challenging exam but not very hard if you have experience and put a few hours aside to read and study up on PAN-OS.



I used the Pearson VUE test center in NE Austin off Dessau Ridge Road & Howard Lane.


The challenging issues with Palo Alto are;


  •  no press books
  •  very limited study forum or community forum information available (I will start posting PAN-OS information on this blog in the next few months)
  •  very little collaboration among security engineers


The positives;


  •    next-gen firewall with cool application decoders
  •    great videos

PANW
https://www.paloaltonetworks.com/services/live-community





Ken


Friday, September 9, 2016

CRL certificate revocation checks

Here's a quick tutorial on how to manually look up a certificate's revocation status in the issuing CA's CRL.

http://www.entrust.net/customer/crl_form.cfm

If you used Entrust to sign a certificate and you need to check whether it has been revoked, you can retrieve the certificate serial number and the CA details from the certificate, and use the above link to query the certificate status.

Here's a certificate installed on an F5 LTM (take note of the hex serial number and the CA issuer):



Next, we paste the serial number into the query input (after selecting L1K), and if it's revoked you will get the status, which includes the date/time of revocation.







The openssl utility is also a good means of gathering the certificate serial number and issuer,






e.g.

openssl x509 -in certificatename.crt -noout -serial -issuer
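The same lookup can be done offline against a downloaded CRL instead of the CA's web form, which is also what you need for a scripted check. Here is an added example of my own (not Entrust's or F5's tooling) that builds a throwaway CA with the openssl CLI in a temp dir, issues one certificate, publishes a CRL before and after revoking it, reads the serial off the certificate the same way as above, and looks it up in the CRL; for comparison it also lets openssl verify enforce the CRL during chain validation. DemoCA and www.example.test are made-up names; the lookup functions work unchanged against a real certificate and a CRL fetched from its issuer:

```python
"""Manual CRL lookup end to end: read the serial off a certificate, look it up
in a CRL, and let openssl enforce the same CRL during chain verification.
Added example, not Entrust's or F5's tooling.  Builds a throwaway CA with the
openssl CLI in a temp dir; DemoCA and www.example.test are made-up names."""
import os
import shutil
import subprocess
import tempfile

CA_CNF = """\
[ ca ]
default_ca = demo
[ demo ]
dir = {dir}
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
"""


def openssl(*args):
    """Run one openssl command and return its stdout; a failure raises."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def build_demo_ca(d):
    """CA key/cert, one issued leaf, then a CRL before and after revoking it."""
    for name, content in (("index.txt", ""), ("serial", "1000\n"), ("crlnumber", "1000\n")):
        with open(os.path.join(d, name), "w") as f:
            f.write(content)
    cnf = os.path.join(d, "ca.cnf")
    with open(cnf, "w") as f:
        f.write(CA_CNF.format(dir=d))
    p = lambda n: os.path.join(d, n)
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", p("ca.key"),
            "-out", p("ca.crt"), "-subj", "/CN=DemoCA", "-days", "1",
            "-config", cnf, "-extensions", "v3_ca")
    openssl("req", "-newkey", "rsa:2048", "-nodes", "-keyout", p("leaf.key"),
            "-out", p("leaf.csr"), "-subj", "/CN=www.example.test", "-config", cnf)
    openssl("ca", "-batch", "-notext", "-config", cnf, "-in", p("leaf.csr"), "-out", p("leaf.crt"))
    openssl("ca", "-config", cnf, "-gencrl", "-out", p("before.crl"))
    openssl("ca", "-config", cnf, "-revoke", p("leaf.crt"), "-crl_reason", "keyCompromise")
    openssl("ca", "-config", cnf, "-gencrl", "-out", p("after.crl"))


def cert_serial(crt):
    """Hex serial as printed by 'openssl x509 -serial' (the value you paste
    into the CA's lookup form)."""
    return openssl("x509", "-in", crt, "-noout", "-serial").strip().split("=", 1)[1].upper()


def crl_entries(crl):
    """Parse 'openssl crl -text' into {serial: {'date': ..., 'reason': ...}}."""
    lines = openssl("crl", "-in", crl, "-noout", "-text").splitlines()
    entries, cur = {}, None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Serial Number:"):
            cur = s.split(":", 1)[1].strip().upper()
            entries[cur] = {"date": None, "reason": None}
        elif cur and s.startswith("Revocation Date:"):
            entries[cur]["date"] = s.split(":", 1)[1].strip()
        elif cur and s.startswith("X509v3 CRL Reason Code"):
            entries[cur]["reason"] = lines[i + 1].strip()   # reason is on the next line
    return entries


def crl_status(crt, crl):
    """The manual lookup: 'good', or the revocation time and reason if listed."""
    entry = crl_entries(crl).get(cert_serial(crt))
    if entry is None:
        return "good"
    return "revoked on %s (%s)" % (entry["date"], entry["reason"] or "unspecified")


def verify_with_crl(crt, ca_crt, crl):
    """Chain verification with CRL checking enforced; True only if it passes."""
    r = subprocess.run(["openssl", "verify", "-crl_check", "-CAfile", ca_crt,
                        "-CRLfile", crl, crt], capture_output=True, text=True)
    return r.returncode == 0


def run_demo():
    """Results for the demo CA, or None if openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        build_demo_ca(d)
        leaf, ca = os.path.join(d, "leaf.crt"), os.path.join(d, "ca.crt")
        before, after = os.path.join(d, "before.crl"), os.path.join(d, "after.crl")
        return {"serial": cert_serial(leaf),
                "before": crl_status(leaf, before),
                "after": crl_status(leaf, after),
                "verify_before": verify_with_crl(leaf, ca, before),
                "verify_after": verify_with_crl(leaf, ca, after)}


if __name__ == "__main__":
    print(run_demo())
```

Note that a serial lookup is only as good as the CRL you are holding: check the CRL's Next Update and that it is signed by the issuer (openssl verify does both for you) before trusting a "good" answer.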




Ken


Thursday, September 1, 2016

GnuTLS serv for testing certificates and keys

openssl has s_client and s_server for testing certificates. GnuTLS has gnutls-serv, a server option that mimics the s_server function in openssl.

Here's an example of loading a server certificate and key:


You will need sudo if you want to bind to a port below 1024.





Even if we have a bad key or a mismatch between the key and the certificate, gnutls-serv will complain about the certificate and will not launch.




The GnuTLS server is great for SSL/TLS checks pre-launch and gives you great diagnostics. If you use the -d option and specify an integer, you get more verbose output.







Ken


Tuesday, August 30, 2016

SNI checks for F5 VirtualServers

Using SNI (Server Name Indication) for a virtual server in a hosted web environment that requires TLS connections is not an unheard-of feature.


The combined use of the layer-7 Host header and SNI allows one single address to host dozens or hundreds of websites. To learn more about SNI, see here.

https://en.wikipedia.org/wiki/Server_Name_Indication

A quick means of testing for SNI support or no-SNI behaviour is the common GnuTLS utility gnutls-cli, with or without the --disable-extensions option.

Check out a virtual server that was enabled for SNI in the client-side SSL profile;



In this case my wifi provider intercepted my request for www.wwt.com; here's a direct request to the same site without and with SNI in the initial client hello.




If you initiate an SSL session with the SNI extension disabled (so the client sends no server name) against a virtual server whose clientssl profile has its default SNI set to "required", you will get an SSL fatal error.
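To see that "required" failure without a BIG-IP in the loop, here is an added example of my own (not F5 or GnuTLS code) that reproduces it in-process: a TLS server whose SNI callback refuses a ClientHello that carries no server_name, probed by a client that sends SNI and then by one that does not, which is the same with/without test the post does with gnutls-cli. A throwaway self-signed certificate for the made-up name www.example.test is generated with the openssl CLI in a temp dir; a second server with SNI not required shows the non-SNI client falling through to the default certificate:

```python
"""The 'SNI required' failure reproduced in-process: a TLS server whose SNI
callback refuses ClientHellos without server_name, probed by a client with and
without SNI.  Added example, not F5 or GnuTLS code.  A throwaway self-signed
certificate for the made-up name www.example.test is generated with the
openssl CLI in a temp dir."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "www.example.test"   # assumed name; used for the cert CN and the SNI value


def make_selfsigned(workdir):
    """openssl req one-liner; returns (cert_path, key_path)."""
    cnf = os.path.join(workdir, "req.cnf")
    with open(cnf, "w") as f:
        f.write("[req]\ndistinguished_name=dn\n[dn]\n")
    crt, key = os.path.join(workdir, "s.crt"), os.path.join(workdir, "s.key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-subj", "/CN=" + HOST,
                    "-days", "1", "-config", cnf], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return crt, key


def server_context(crt, key, require_sni):
    """require_sni mirrors a clientssl profile whose default SNI is 'required'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)

    def on_sni(sock, name, context):
        # name is None when the ClientHello carries no server_name extension.
        # Returning an alert code aborts the handshake with that fatal alert.
        if name is None and require_sni:
            return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
        return None

    ctx.sni_callback = on_sni
    return ctx


def serve(ctx, lsock, count):
    """Accept `count` connections and attempt a handshake on each."""
    for _ in range(count):
        conn, _ = lsock.accept()
        conn.settimeout(5)
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)             # wait for the client to close
        except OSError:
            pass                        # rejected or aborted handshake; expected


def probe(port, with_sni):
    """Client side: 'handshake ok (<version>)' or 'handshake failed: <reason>'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # self-signed demo cert
    raw = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        # server_hostname=None makes Python omit the SNI extension entirely
        with ctx.wrap_socket(raw, server_hostname=HOST if with_sni else None) as tls:
            return "handshake ok (%s)" % tls.version()
    except OSError as e:
        return "handshake failed: %s" % (getattr(e, "reason", None) or e)
    finally:
        raw.close()


def run_demo():
    """Probe a 'required' and a 'default' server; None if openssl is missing."""
    if shutil.which("openssl") is None:
        return None
    results = {}
    with tempfile.TemporaryDirectory() as d:
        crt, key = make_selfsigned(d)
        for label, require in (("required", True), ("default", False)):
            lsock = socket.socket()
            lsock.bind(("127.0.0.1", 0))
            lsock.listen(2)
            port = lsock.getsockname()[1]
            t = threading.Thread(target=serve, daemon=True,
                                 args=(server_context(crt, key, require), lsock, 2))
            t.start()
            results[label + "/sni"] = probe(port, True)
            results[label + "/no-sni"] = probe(port, False)
            t.join(10)
            lsock.close()
    return results


if __name__ == "__main__":
    for k, v in (run_demo() or {}).items():
        print(k, "->", v)
```

The failure the non-SNI client sees on the "required" server is a fatal unrecognized_name alert straight out of the handshake, before any certificate is presented; that is the same symptom you see from gnutls-cli --disable-extensions against a virtual server with a mis-set clientssl profile, so if a legacy client that cannot send SNI must be supported, the profile's default SNI cannot be set to required.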



Ken
