TACACS+: Is that a WLC, or are you just happy to see me?

In an earlier post, we got started with a pretty basic TACACS+ configuration on an Ubuntu server. That config works pretty well for most, if not all, IOS devices.

So, what about Cisco WLAN controllers? They’re definitely not IOS, but they do speak TACACS+ for administrative access, as well as RADIUS.

This one was a little more difficult to get working, but not because of the config on the Ubuntu server. The difficulty was in putting three very important configurations together:

  1. You must configure authentication and authorization on the WLC for your login to work. Authentication configured without authorization will appear to log your user in, but will send you quickly back to the login prompt.
  2. You must configure the order for authentication–with TACACS+ at the top of the list. If you don’t, local accounts will be used first.
  3. It doesn’t appear that the service configuration in the TACACS+ user WLC group can coexist with the service configuration for an existing group, so nested groups may be required.


Puppetmaster XCVII: Getting your new server registered

So, this post has nothing to do with low-rent horror movies. Sorry to disappoint.

What it’s really about is the Puppet server management system deployed to keep general Linux server settings synchronized, stuff like NTP servers and user accounts. Puppet is extremely powerful, but this will only be an introduction to what it can do, as I’m learning as I go.

It may seem a little backward to start with the client configuration, but this really seems like the easiest part to me: tell the client who the server is, sign some certificates, and wait for the updates. The puppet master server is where all the heavy lifting is done.

Once the puppet master server is created and configured with manifests and such (take for granted that they exist already), it’s time to configure your client and get it registered.

Cisco ASA: AnyConnect for phone using self-signed certificates for authentication

Yeah, I know the title is pretty boring, but I wanted it to be clear what this one is all about, especially if you’re looking specifically for something like this.

So, here’s the deal: Cisco 99xx and 79xx phones out on the internet somewhere connecting back to an ASA over an SSL tunnel to register with an internal network’s Call Manager, using only self-signed certificates. To me, this is the best option, rather than having users try to type usernames and passwords into the phone interface. For some users, that really is just too much to ask. This method makes it easy on them, and still gives the ASA administrator and Call Manager administrator the ability to prevent a stolen or misused phone from connecting to the network.

I like free, so I like TACACS+

Yes, I still like free stuff, even though I’m turning into a bit of a Mac fanboy. Ubuntu and I remain very close, just not as my daily (desktop) driver.

I am leaning on Ubuntu as my new server platform at work, however, since it’s so much easier to count on than CentOS. And as I wrote last, TACACS+ authentication for network device administration is one of my current projects.

There are several pieces to that project,

  • setting up two servers
  • configuring them the same
  • configuring TACACS+ user accounts that can’t log in to the server
  • syncing the TACACS+ user accounts between servers, with one as primary
  • syncing the TACACS+ config file between servers

but this post is only going to focus on getting TACACS+ installed on Ubuntu 11.10 server (64-bit) and the configuration file. In a later post, we’ll take a look at IOS, ASA, and NX-OS configurations for AAA that I’ve found to work well. As always, “your mileage may vary”, but I’d love to know of any tricks or tips others might have. I’m definitely not claiming to have invented this stuff.

On to the installation!


A tip or two for VMware Fusion (OS X) guest networking

Before I get into this post too far, yes, I’m now a Mac user. Not exactly a fanboy yet, but my new employer let me choose between a Windows laptop and a MacBook for my work computer, so I chose–wisely. I’d been using Ubuntu on an HP laptop (ugh to HP) for a few years, so it seemed like a chance to try something new at no cost to me, which is my favorite cost.

As you can see from my other posts about virtualization, I’m a big fan of Virtualbox, but this post is about VMware Fusion, which was provided to me with my MacBook.

On to the tips…

I’ve been creating a testing environment for TACACS+ servers for a Cisco networking environment as well as Puppet server management, and I’m horrible with remembering IP addresses, unless there’s a very distinct pattern. When you use NAT in Fusion, addresses are assigned to guest VMs via DHCP in an automatically generated scope. The problem is, every time you boot your server you may get a new DHCP address! That sucks.

What to do?


Virtualbox 4.0 = good stuff

Virtualbox is definitely my favorite virtualization tool. Yes, I know there are other, more popular ones, but Virtualbox is free, runs on many platforms, and isn’t clunky to use, like some unnamed others. We all have our preferences, and Virtualbox is definitely mine.

I haven’t had a lot of time to kick the tires yet, but one of the best features I’ve found in the latest, 4.0, version is an easy method to export virtual machines that you’ve built. There were ways to do it before, but now it’s easy.

Once you’ve installed/upgraded to version 4.0, simply choose Export Appliance from the File menu of the Virtualbox Manager. The first one I did took less than 10 minutes from start to finish, all wrapped-up in a single file.

[Image: Virtualbox Manager]

Like I said: good stuff.

Fast Web Installer is…well…fast.

If you like AppBrain as much as I do, you’ll love their new Fast Web Installer. With Fast Web Installer, there are just two steps to super-easy, auto-magic Android app installs:

  1. Use the Fast Web Installer app to register your device with AppBrain.
  2. Log in to the AppBrain website from any computer with internet access, and go shopping for the app(s) you want to install.

In a few moments, you should see a notification on your phone that your app(s) have been installed!


XBMC + Android = superawesome

It’s true that there’ve been XBMC/Boxee remotes available in the Android Market for quite a while, but only recently has there been an “official” one from the XBMC Team…and it blows the others away. I’d share my own screenshots I’ve taken with drocap2, but xbmc.org has plenty, as well as the system requirements and a QR link for the Market.

I’ve used it quite a bit with my HTPC, and frankly prefer it to my Streamzap remote. Another bonus is that now I don’t have to copy my custom Lircmap.xml over every time XBMC is updated.

Ubuntu, Linksys WUSB600N v1, Dish DVR: whose @#$% idea was this?

I love Ubuntu and give myself a little “mental hug” each day for making the switch from Windows to Linux. But, sometimes, the stuff I want/need to do in Linux just isn’t as obvious to me as I’d like; so, I beat my head against a wall trying to figure it out, until my wife gives me that “walk away from it for a while so you can maintain the little bit of sanity you have left” look. This particular situation is one of those.

What I wanted to do: I have a Dish Network DVR in my living room that has an ethernet card in it, but I don’t have any ethernet wiring where it is. What I do have is an Ubuntu XBMC HTPC with an on-board ethernet card and a Linksys WUSB600N v1 (the version number is important here, I think), connected to a Linksys WAP610N AP (configured for 5GHz 802.11n only), so it stands to reason that I should be able to share the HTPC’s internet connection with the Dish DVR, right?

[Image: Network Diagram]

Ok, so it wasn’t. Twice. Once for Ubuntu 9.10 (Karmic) and once for 10.04 (Lucid).

QR Codes +1

Since the last post about those nifty little QR codes was so awesome, I thought I’d add one more: creating QR codes using the goo.gl URL shortener, automatically. Hang on a sec, before you hyperventilate, it is possible.

If you’re a Google Chrome user, there’s a browser extension called goo.gl URL Shortener that will reach out to Google’s URL shortener API to create a short URL for you on the fly. Sadly, I don’t think the web interface for goo.gl is available otherwise. Once you have a goo.gl short URL, all you have to do to get the corresponding QR code for that URL is add .qr to the end of it, like so:

http://goo.gl/EFj6 becomes http://goo.gl/EFj6.qr

When wrapped in image tags, it looks like this:

[Image: QR code for eison.net]

And here’s the HTML:

<img src="http://goo.gl/EFj6.qr" alt="QR code for eison.net" />