Category Archives: CCIE Security

Cisco Certified Internetwork Expert – Security concentration

Success!!!!

I’m happy to report that I have passed the CCIE Security in RTP on October 9th 2012. It is a great feeling… reaping the rewards after putting in so much effort.

Now, I will try to relax and enjoy spending time with my family.

Certificate Subject Names

The subjectname argument can be any of the following:
– commonname—Certification common name.
– country—Certificate country.
– email—Certificate e-mail.
– ipaddress—Certificate IP address.
– locality—Certificate locality.
– organization—Certificate organization.
– organizationalunit—Certificate organizational unit.
– postalcode—Certificate postal code.
– serialnumber—Certificate serial number.
– state—Certificate state field.
– streetaddress—Certificate street address.
– title—Certificate title.
– unstructuredname—

VPN Group Lock

The purpose of the Group Lock feature is to make sure a user is only allowed to log in under a certain group. Without this feature, a user who knows another group’s password may use that group’s name to authenticate with the server and gain access to features not allowed for their native group. When the Group Lock feature is enabled for a group, all Xauth usernames must be in one of the formats
– username@GROUP
– username\GROUP
– username/GROUP
– username%GROUP
where GROUP is the ezVPN group name. The server extracts the group name from the Xauth username and compares it with the ezVPN group name. If they don’t match, the connection is rejected.
This automatically means that all names stored in the local database must follow the syntax specified above. Notice that this Group Lock differs from the Group Lock feature found in Cisco VPN 3000 concentrators and ASA firewalls.

IOS Group Lock only works with pre-shared key authentication, not digital signatures.
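As an added illustration (not from the original post), here is a minimal IOS configuration that turns Group Lock on for one ezVPN group, together with the local username entries that must carry the group suffix; the group name, pre-shared key, pool, user names and passwords are made up for the example:

```cisco
! Hypothetical names and secrets, constructed for this example
aaa new-model
aaa authentication login EZVPN_XAUTH local
aaa authorization network EZVPN_AUTHOR local
!
! With group-lock enabled, Xauth names in the local database must carry the
! group: user@GROUP (also \ / % separators). A plain "username alice" entry
! would no longer be accepted for group EZVPN, because the extracted group
! name would not match.
username alice@EZVPN secret 0 Alice-Xauth-Pass
username bob@EZVPN secret 0 Bob-Xauth-Pass
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Pre-shared key group; group-lock only applies to PSK authentication
crypto isakmp client configuration group EZVPN
 key EZVPN-PreShared-Key
 pool EZVPN_POOL
 group-lock
!
crypto isakmp profile EZVPN_PROF
 match identity group EZVPN
 client authentication list EZVPN_XAUTH
 isakmp authorization list EZVPN_AUTHOR
 client configuration address respond
 virtual-template 1
!
ip local pool EZVPN_POOL 10.10.10.1 10.10.10.100
```

Virtual-Template 1 is assumed to be defined elsewhere with the IPsec profile for the clients.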

Certificate Maps in IOS

The ASA firewall allows using certificate maps to translate names found in digital certificates to tunnel group names. IOS has a similar feature called certificate-based access lists. This feature allows a router to additionally check that the names in certificates presented by peers match specific criteria. In order to configure this feature, perform the following steps:
1) Create a certificate map using the command crypto ca certificate map <MAP_NAME> <SEQ#>. Every entry in this map should match either the issuer’s or the subject’s name. You can also match other fields found in digital certificates, such as the expiry date or validity start. The match operators are intuitive; however, unlike the ASA firewall, you cannot explicitly select an attribute of the DN to match. For example, if you need to match the OU field in the DN, you should use the operator co ou=name, meaning “contains” this string.
2) When you’re done with the certificate map configuration, you should apply it under the CA trustpoint used for peer authentication as follows:
crypto ca trustpoint <NAME>
 match certificate <CERT_MAP_NAME>
After this, all certificates validated via this trustpoint are matched against the map. A certificate is accepted only if it can be validated via the trustpoint and it matches the certificate map criteria.
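An added example, not from the post, of a certificate map with two entries applied to a trustpoint. The map name, trustpoint, enrollment URL and DN values are made up, and the entry semantics noted in the comments (all lines within one entry must match, any matching entry passes the map) are my reading of the feature rather than something the post states:

```cisco
! Hypothetical map, trustpoint and DN values, constructed for this example
!
! Entry 10: both lines must be satisfied by the same certificate
crypto pki certificate map PEER_CERT_MAP 10
 subject-name co ou=vpn-routers
 issuer-name co cn=internal-ca
!
! Entry 20: an independent entry; a certificate matching either entry 10 or
! entry 20 passes the map
crypto pki certificate map PEER_CERT_MAP 20
 subject-name co o=example corp
 subject-name co ou=noc
!
! Caveat: "co" is a substring test over the DN string, not an attribute
! selector. "subject-name co ou=vpn" would also match ou=vpn-lab or
! ou=vpn-users, so match on the full attribute value as above.
!
! Bind the map to the trustpoint used to validate peer certificates: a peer
! certificate must chain to this CA AND satisfy PEER_CERT_MAP to be accepted
crypto pki trustpoint INTERNAL_CA
 enrollment url http://ca.example.internal:80
 revocation-check crl
 match certificate PEER_CERT_MAP
```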

AAA

Here are some highlights:

– The default authorization is “none”.
– By default, console line authorization is disabled, regardless of the configured default authorization.
* “privilege level” is used for exec authorization by default.
* To make sure AAA authorization takes effect on the console, use “aaa authorization console”.
* This behavior is different on Catalyst IOS, which has console authorization enabled by default.
– Local authorization is always on by default and works according to the privilege levels assigned to the users and the commands associated with those levels.
– You don’t need to type out the entire command. It is automatically expanded for you.
– Initial components of a compound command are added automatically, e.g. “ip” will be added if “ip address” is authorized.
– Fully expanded commands are sent to the TACACS+ server, including the “Enter”.
– If a command has no arguments, make sure to check “permit unmatched arguments”.
– The interface number is a separate argument. Be aware of this!
– RADIUS doesn’t separate authentication and authorization. When a user logs in, the server returns a set of Cisco AV pairs.
– “Privilege=15” in TACACS+ is equivalent to “Service-Type=Administrative” in RADIUS. You can also send the AV pair “shell:priv-lvl=15”.
– For enable privilege authentication, the username “$enab<N>$” is used, e.g. $enab15$, $enab7$.
– No per-user enable password or per-command authorization in RADIUS. No AAA banners either.
– Downloadable ACLs require the “per-user-override” parameter on the access-group command.
– When there are both “include” and “exclude” statements in cut-through proxy, “exclude” overrides.
– You can’t use the “match” and “include” statements at the same time for cut-through proxy.
– Use “CTRL + V” to insert a “?” in passwords, or else it will be misinterpreted.
– For dot1x and auth-proxy, the “default” method list has to be used. Pay attention to these.
– IETF RADIUS attributes 064, 065 and 081 are needed for dot1x authentication from RADIUS.

RADIUS eZVPN

Couple of pointers:

RADIUS eZVPN:

– Special user as VPN group: the password has to be “cisco” for IOS so that the router can query the ACS server. For the ASA, this could be any password.
– You need a group for the user. The group has the following RADIUS (IETF) settings:
  (006) Service-Type = Outbound
  (064) Tunnel-Type = ESP
  (069) Tunnel-Password = CISCO
– In RADIUS (Cisco IOS/PIX 6.0), you need to define Cisco AV-Pair attributes for this group:
  (00601) cisco-av-pair
    ipsec:addr-pool=EZVPN
    ipsec:inacl=SPLIT_TUNNEL
– The new group name must match the VPN group as well.
– The username/password used for Xauth must be created on the ACS box. The cisco-av-pair “ipsec:user-vpn-group=EZVPN” is needed.

User-VPN-Group for IOS. Tunnel-Group-Lock for ASA.

eZVPN with digital certificates:
– Matches the value of the OU field in the client’s certificate subject name.
– ISAKMP profiles could be used as a second method. The “match” statement references a hostname or domain name.
– You use a certificate map to map fields in a certificate. This is then referenced in an ISAKMP profile.
– The default authentication method is LOCAL for RA VPN.
– When using certificate-based VPN authorization, the username and password should be the same on the ASA. For IOS, the password has to be “cisco”.

ASA between BGP Peers with MD5 Authentication enabled.

This is a new concept for me. Here are the highlights to remember.

-) First, either NAT needs to be disabled (the default on the ASA) or static NAT entries need to be created between the peers.

-) Sequence number randomization needs to be disabled (this can be done on the NAT statement or using MPF/tcp-map). MPF is the preferred method.

-) The ASA’s default clearing of TCP option 19 (the MD5 signature option) needs to be disabled so the option is allowed through. This is done using MPF via a tcp-map.
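Putting the three points together, here is an added ASA MPF example (not from the post). The peer addresses and object names are made up, and it assumes the two peers are not subject to NAT on the ASA:

```cisco
! Hypothetical peer addresses and object names, constructed for this example.
! Assumes no NAT applies to the peers (the ASA default); otherwise add a
! static NAT entry for each peer first.
!
! Allow the MD5 signature option (TCP option 19) through instead of clearing it
tcp-map BGP-MD5
 tcp-options range 19 19 allow
!
! Match only the BGP sessions between the two peers, in both directions
access-list BGP-PEERS extended permit tcp host 192.0.2.1 host 198.51.100.1 eq bgp
access-list BGP-PEERS extended permit tcp host 198.51.100.1 host 192.0.2.1 eq bgp
class-map BGP-PEERS-CLASS
 match access-list BGP-PEERS
!
! The MD5 digest covers the TCP header, so rewriting sequence numbers would
! invalidate it: disable randomization for this class and attach the tcp-map
policy-map global_policy
 class BGP-PEERS-CLASS
  set connection random-sequence-number disable
  set connection advanced-options BGP-MD5
!
service-policy global_policy global
!
! Verify with "show service-policy" (class hit counters) and "show conn"
! for the two peers once the neighbors come up
```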

Exam scheduled! – July 6th.

I still can’t believe I’m doing this. This is crazy! July 6th is the last possible date that I can sit to the exam. It buys me the most time to prepare…..so here you go. It is scheduled and paid for. So, no turning back at this point. I’m all in!

INE CCIE Security ATC – ASA Active/Standby Failover Transparent Firewall Configuration

Completed.

This is a short class that went over the configuration of active/standby for transparent firewalls. The concept is very similar to configuring active/standby for routed mode firewalls. The main difference is that the IP address for management (global IP address) is reconfigured with the “standby” option. Then the failover interface is configured with an IP address just like for routed mode.

INE CCIE Security ATC – ASA Active/Standby Failover Routed Firewall Configuration

Completed

This class went into detail on configuring active/standby failover. I’m very familiar with this configuration (both on the ASA and FWSM).

Couple of tips:

– “write standby” saves the config on the standby unit from the active unit
– graceful restart isn’t supported on the ASA, so the routing protocols will have to re-establish adjacency