Tag Archives: network

Cisco ASA: AnyConnect for phone using self-signed certificates for authentication

Yeah, I know the title is pretty boring, but I wanted it to be clear what this one is all about, especially if you’re looking specifically for something like this.

So, here’s the deal: Cisco 99xx and 79xx phones out on the internet somewhere connecting back to an ASA over an SSL tunnel to register with an internal network’s Call Manager, using only self-signed certificates. To me, this is the best option, rather than having users try to type usernames and passwords into the phone interface. For some users, that really is just too much to ask. This method makes it easy on them, and still gives the ASA administrator and Call Manager administrator the ability to prevent a stolen or misused phone from connecting to the network.


I like free, so I like TACACS+

Yes, I still like free stuff, even though I’m turning into a bit of a Mac fanboy. Ubuntu and I remain very close, just not as my daily (desktop) driver.

I am leaning on Ubuntu as my new server platform at work, however, since it’s so much easier to count on than CentOS. And as I wrote last, TACACS+ authentication for network device administration is one of my current projects.

There are several pieces to that project,

  • setting up two servers
  • configuring them the same
  • configuring TACACS+ user accounts that can’t log in to the server
  • syncing the TACACS+ user accounts between servers, with one as primary
  • syncing the TACACS+ config file between servers

but this post is only going to focus on getting TACACS+ installed on Ubuntu 11.10 server (64-bit) and the configuration file. In a later post, we’ll take a look at IOS, ASA, and NX-OS configurations for AAA that I’ve found to work well. As always, “your mileage may vary”, but I’d love to know of any tricks or tips others might have. I’m definitely not claiming to have invented this stuff.

On to the installation!



Ubuntu, Linksys WUSB600N v1, Dish DVR: whose @#$% idea was this?

I love Ubuntu and give myself a little “mental hug” each day for making the switch from Windows to Linux. But, sometimes, the stuff I want/need to do in Linux just isn’t as obvious to me as I’d like; so, I beat my head against a wall trying to figure it out, until my wife gives me that “walk away from it for a while so you can maintain the little bit of sanity you have left” look. This particular situation is one of those.

What I wanted to do: I have a Dish Network DVR in my living room that has an ethernet card in it, but I don’t have any ethernet wiring where it is. What I do have is an Ubuntu XBMC HTPC with an on-board ethernet card and a Linksys WUSB600N v1 (the version number is important here, I think), connected to a Linksys WAP610N AP (configured for 5GHz 802.11N only), so it stands to reason that I should be able to share the HTPC’s internet connection with the Dish DVR, right?

Network Diagram

Ok, so it wasn’t. Twice. Once for Ubuntu 9.10 (Karmic) and once for 10.04 (Lucid).
