Wednesday, May 8, 2013

How to configure PPP authentication

I would like to explain in this article how to configure PPP authentication between two routers.
First, I would like to invite all job seekers to post their CV at https://www.security-architecture.com/. Our website is free not only for employees but also for employers.

Let's first take a look at our diagram:

As you see in the image, we have 2 routers connected through serial point-to-point interfaces; the subnet is 192.168.13.0/24.
R3 must authenticate R1, meaning that for router R3 to accept the PPP connection from router R1, R1 must prove its identity to R3. Let's say that R3 will authenticate R1 with PAP. Keep in mind that PAP sends the username and password across the link in clear text, so anyone who can capture the serial link reads them; CHAP, which uses a challenge/response and never sends the secret itself, is the better choice when both ends support it.

Let us start with the basic PPP connectivity first.

Router R3
sh run int s0/0/1
interface Serial0/0/1
ip address 192.168.13.3 255.255.255.0
encapsulation ppp
end


router R1
show run int s0/1/0
interface Serial0/1/0
ip address 192.168.13.1 255.255.255.0
encapsulation ppp
clock rate 2000000
end


As we said, the authentication is PAP and it is local, meaning that when R3 authenticates R1 it looks the credentials up in its own local user database. For that purpose we create a local username and password on router R3. We will name the user R1User and the password is password. (On a real network use a long random password: with PAP it crosses the link in clear text, and the username ... password form stores it reversibly in the configuration.)
R3(config)#username R1User privilege 1 password password
Now we need to tell router R3 to use the local database for PPP authentication.
So first we enable AAA:
R3(config)#aaa new-model
Be aware that aaa new-model immediately switches login authentication on the console and vty lines to the local database, so make sure a local user exists (we just created one) before entering it, or you can lock yourself out of the router.
Then we create a method list called R1-PPP-AUTH; this list says that PPP authentication uses the local database:
R3(config)#aaa authentication ppp R1-PPP-AUTH local
Now let us attach this authentication list to the PPP encapsulation on the serial interface facing R1:
R3(config)#interface Serial0/0/1
R3(config-if)#ppp authentication pap R1-PPP-AUTH
R3(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
R3(config-if)#
As you see, as soon as we configure PPP authentication, the line protocol on s0/0/1 goes down: R3 now requires R1 to authenticate, and R1 is not sending any credentials yet.

What we have to do now is move to router R1 and configure it to send the username and password to router R3, so that R3 can verify that the connection comes from R1:
R1(config)#interface Serial0/1/0
R1(config-if)#ppp pap sent-username R1User password password
R1(config-if)#
*Jan 14 10:52:36.919: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0
As you see, once we entered this command on R1, the PPP connection came up. Note that only R3 authenticates R1 here (one-way authentication); if R1 should also authenticate R3, configure ppp authentication on R1 and a matching sent-username on R3 as well.
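To make the clear-text point concrete, here is an added example (not part of the original post, and not Cisco IOS code) that builds the PAP Authenticate-Request R1 sends after the sent-username command, parses it the way R3's authenticator would, checks the peer-id against a constructed local database standing in for the username command, and answers with Authenticate-Ack or Authenticate-Nak. The frame layout follows RFC 1334; the user database and the reply messages are assumptions made for the example.

```python
"""PAP (RFC 1334) exchange between a PPP peer and its authenticator.

Added example: models the R1 -> R3 Authenticate-Request and R3's local lookup.
The local database and reply messages are constructed for the example.
"""
import hmac
import struct
from typing import Dict, Tuple

PAP_PROTOCOL = 0xC023                       # PPP protocol number that precedes a PAP packet
AUTH_REQUEST, AUTH_ACK, AUTH_NAK = 1, 2, 3  # PAP packet codes

# Stand-in for "username R1User privilege 1 password password" on R3 (constructed).
LOCAL_USERS = {"R1User": "password"}


def build_auth_request(identifier: int, peer_id: str, password: str) -> bytes:
    """Authenticate-Request as sent after 'ppp pap sent-username R1User password password'.

    Layout: Code(1) Identifier(1) Length(2) Peer-ID-Length(1) Peer-ID Passwd-Length(1) Password.
    Both strings travel exactly as given, with no hashing: that is the PAP weakness.
    """
    pid, pwd = peer_id.encode(), password.encode()
    if len(pid) > 255 or len(pwd) > 255:
        raise ValueError("peer-id and password are limited to 255 bytes each")
    body = bytes([len(pid)]) + pid + bytes([len(pwd)]) + pwd
    return struct.pack("!BBH", AUTH_REQUEST, identifier, 4 + len(body)) + body


def parse_auth_request(frame: bytes) -> Tuple[int, str, str]:
    """Parse an Authenticate-Request; raise ValueError on anything malformed."""
    if len(frame) < 4:
        raise ValueError("frame shorter than the PAP header")
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    if code != AUTH_REQUEST:
        raise ValueError(f"expected Authenticate-Request, got code {code}")
    if length < 6 or length > len(frame):
        raise ValueError("length field does not fit the frame")
    pos = 4
    pid_len = frame[pos]
    peer_id = frame[pos + 1:pos + 1 + pid_len]
    pos += 1 + pid_len
    if len(peer_id) != pid_len or pos >= length:
        raise ValueError("peer-id field truncated")
    pwd_len = frame[pos]
    password = frame[pos + 1:pos + 1 + pwd_len]
    pos += 1 + pwd_len
    if len(password) != pwd_len or pos != length:
        raise ValueError("password field truncated or trailing bytes")
    return identifier, peer_id.decode(errors="replace"), password.decode(errors="replace")


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_auth_request(frame)
        return True
    except ValueError:
        return False


def authenticate(frame: bytes, users: Dict[str, str] = LOCAL_USERS) -> bytes:
    """What R3 does with 'aaa authentication ppp R1-PPP-AUTH local': look the peer-id up
    in the local list and answer Authenticate-Ack (2) or Authenticate-Nak (3).

    Reply layout: Code(1) Identifier(1) Length(2) Msg-Length(1) Message.
    """
    identifier, peer_id, password = parse_auth_request(frame)
    expected = users.get(peer_id, "")
    ok = peer_id in users and hmac.compare_digest(expected.encode(), password.encode())
    code, msg = (AUTH_ACK, b"Welcome") if ok else (AUTH_NAK, b"Authentication failure")
    return struct.pack("!BBH", code, identifier, 5 + len(msg)) + bytes([len(msg)]) + msg


if __name__ == "__main__":
    req = build_auth_request(1, "R1User", "password")
    print("on the wire:", req.hex())                     # the password is readable in this hex
    print("R3 replies with code", authenticate(req)[0])  # 2 == Authenticate-Ack
```

Run it and look at the hex dump: the username and password are visible byte for byte, which is exactly what a tap on the serial link would see. The receiver uses a constant-time comparison so that the authenticator does not leak how much of the password matched.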
For PPP CHAP authentication, I will explain it in my ne


You can follow our FTP services and solutions blog at https://ftp-services.blogspot.com
You can also follow our DHCP services and IP services solutions at https://dhcpservices.blogspot.com

I hope this was helpful, and I would like to thank you for reading

Saturday, February 16, 2013

5 interview questions for a system administrator

I would like to write a series of questions that can be asked for a sysadmin position.
First, I would like to introduce myself. My name is Anthony, and I am from the team of www.find1job.com. If you are looking for an IT job, don't hesitate to post an ad and submit your CV with us: http://www.find1job.com/postad/employee/postadv.html


Linux Questions:

How do you create a symbolic link?
ln -s target link_name

How do you reset a lost root password on a CentOS system?

Boot from the CentOS CD (rescue mode),
then run ls /dev/sda* to get the list of partitions,
mount them and find which one holds the / filesystem (it should contain the /etc directory), chroot into it, then run the passwd command.
Note that this works for anyone who can boot the machine from their own media, which is why a BIOS/bootloader password and full-disk encryption are the controls against it.

Windows questions:
How do you clean Active Directory after a domain controller had a hardware failure?
First, if it held any of the 5 FSMO roles, I have to seize those roles on another domain controller; then I use ntdsutil (metadata cleanup) to remove the failed domain controller from Active Directory.

How do you use domain local groups and global groups?
Global groups should map to departments or teams. For example, I create a global group for accountants, one for system admins, another for database admins.
Domain local groups are used to assign permissions to resources (files, folders, printers, ...).
So I assign permissions to domain local groups (maybe 1 for read only and 1 for read and write), then I add the global groups that need access to the specific resource into that domain local group. This is the AGDLP model: Accounts go into Global groups, which go into Domain Local groups, which receive the Permissions.

Exchange Server 2010
How do you clear the transaction log files for a specific database?
Back up this database: a successful full backup commits and truncates the transaction logs. Never delete the log files by hand.

If you are looking for a job as a system administrator or a network administrator, or for any job in the IT field, we invite you to post an ad on our recruitment website. It is a totally free website: not only free for employees, but also free for employers. http://www.find1job.com/postannounce.html

I hope this was helpful and I would like to thank you for reading.


Sunday, November 6, 2011

Get Calendar permissions in Exchange 2010

If you need to give a user access to another mailbox, you can grant Full Access through the Exchange Management Console.
What if you need to give only read access to the calendar?
By default everybody in the organization can read the free/busy time of any mailbox's calendar. If a manager needs to see the actual meetings and appointments of their employees, you give the manager Reviewer permission on the calendar of each employee. Reviewer is read-only: the manager can see the items but not change them, which is the least permission that solves the requirement.
You cannot do this in the Exchange Management Console; you need to do it in the Exchange Management Shell:
Add-MailboxFolderPermission -Identity "Employee1:\Calendar" -User Manager1 -AccessRights Reviewer

If you are looking for a job as a System Analyst, I invite you to post your CV on the website below:
https://www.security-architecture.com/add-cv/

Thanks

Monday, August 22, 2011

Get the Mailbox Size for a list of users in Exchange 2010

In the previous post, "Get Mailbox Size for an account in Exchange 2010", we showed how to get the mailbox size for 1 user using the Exchange Management Shell of Exchange 2010.
Now we will explain how to get the mailbox size for a list of users.

It is very simple. Put the list of users, one per line, in a text file.
An example of the text file ITDepartment.txt:

ITServices Montreal
Networking Montreal
Exchange2010 Montreal

where "ITServices Montreal" is the display name of the user. You can also use the email address or the user principal name instead of the display name. We will place the ITDepartment.txt file in the C:\Scripts folder.

First we need to read the list of users from this text file.
Try the command:
Get-Content "C:\Scripts\ITDepartment.txt"

The result will be:
[PS] C:\windows\system32>Get-Content "C:\scripts\ITDepartment.txt"
ITServices Montreal
Networking Montreal
Exchange2010 Montreal

[PS] C:\windows\system32>

Now, for each line returned by the Get-Content command, we need to run Get-MailboxStatistics, so we pipe the output into it with "|".

Now try the whole command:

[PS] C:\windows\system32>Get-Content "C:\Scripts\ITDepartment.txt" | Get-MailboxStatistics | Format-List -property displayName, TotalItemSize



DisplayName : ITServices Montreal
TotalItemSize : 61.18 MB (64,155,174 bytes)

DisplayName : Networking Montreal
TotalItemSize : 163 MB (170,937,036 bytes)

DisplayName : Exchange2010 Montreal
TotalItemSize : 25.03 MB (26,243,124 bytes)

[PS] C:\windows\system32>

I invite you to read another blog about recruitment and how to find a job
 http://findonejob.blogspot.ca/

I hope this blog was helpful, and I would like to thank you for reading.

Get Mailbox Size for an account in Exchange 2010

Let's say we need to get the Mailbox Size of the user: ITServices

[PS] C:\Windows\system32>Get-MailboxStatistics -Identity ITServices  | Format-List -property displayName, TotalItemSize

DisplayName   : ITServices
TotalItemSize : 26.32 MB (27,601,859 bytes)

So in order to get the mailbox size you have to get the mailbox statistics, but if you run only Get-MailboxStatistics -Identity ITServices you will not see the size: the default table view shows the ItemCount and StorageLimitStatus instead:


DisplayName      ItemCount  StorageLimitStatus  LastLogonTime
-----------      ---------  ------------------  -------------
ITServices User  1792       BelowLimit          22/08/2011 5:57:29 PM

To show all values of the Mailbox you need to use the command:
Get-MailboxStatistics -Identity ITServices | Format-List

If you need to show only the display name and the size, then you specify the properties DisplayName and TotalItemSize only:

Get-MailboxStatistics -Identity   ITServices  | Format-List -property displayName, TotalItemSize


If you are looking for a System Administrator position, create a profile on the recruitment website below:
http://www.security-architecture.com/

 I hope this was helpful, and I would like to thank you for reading.

Saturday, May 28, 2011

Configure ASA Failover

I will explain in this article how to configure failover with a Cisco ASA.
The product used in this article is an ASA5520-BUN-K9; the ASA 5520 has a failover license included.

The ASA 5520 has 4 Gigabit interfaces and 1 management interface. The management interface is a Fast Ethernet interface.

Instead of using one of the Gigabit interfaces for the failover link, we will use the management interface. Two things to keep in mind: the failover link carries configuration replication and connection state between the units, so it belongs on a dedicated, physically secure segment between the two ASAs, and you should configure a failover key so that this traffic is encrypted rather than sent in clear text.

The primary unit:



failover lan unit primary
we configured this unit as primary
failover lan interface FAILOVERINT Management0/0
we specified the Management0/0 interface to be used as the failover interface
failover interface ip FAILOVERINT 192.168.1.1 255.255.255.252 standby 192.168.1.2
we assigned active and standby ip address to the failover link
failover link FAILOVERINT Management0/0
Specifies the interface to be used as stateful failover link. If you added this command the Management0/0 interface cannot be use for anything else than failover
failover polltime unit 1 holdtime 5
failover polltime interface 1 holdtime 5
These 2 commands set the poll interval (how often hello messages are sent) and the hold time (how long the unit waits without hearing from the peer unit, or from a monitored interface, before declaring it failed), for the unit and for the monitored interfaces respectively. When the active unit or one of its monitored interfaces fails, the standby unit becomes active; once the failed unit or interface is back, the pair returns to a healthy active/standby state and is ready for a second failure. Lower values detect failures faster at the cost of more sensitivity to short outages; with a dedicated physical failover link, as in our case, they can safely be kept low.

failover
enable the failover

interface Management0/0
description this interface is used for failover
no shut
On the interface dedicated to failover we must not configure anything except bringing it up: no nameif, security level or IP address, since the addresses come from the failover interface ip command.

The secondary unit:

failover lan unit secondary
we configured this unit as secondary
failover lan interface FAILOVERINT Management0/0
we specified the Management0/0 interface to be used as the failover interface
failover interface ip FAILOVERINT 192.168.1.1 255.255.255.252 standby 192.168.1.2
we assigned active and standby ip address to the failover link
failover
we enabled failover

interface Management0/0
description this interface is used for failover
no shut
we brought up the interface Management0/0 that will be used for failover.

I hope this article was helpful and my explanation was clear.


https://www.security-architecture.com

Saturday, May 14, 2011

OSPF Authentication

When we think about OSPF authentication, two things must agree between 2 routers:
  • The authentication type (the AuType field in the OSPF header): it can be null (type 0), clear text (type 1) or MD5 (type 2). If the authentication type differs between 2 routers, the neighbour relationship cannot be formed, even if we set the type without setting any key. The same happens if one router has authentication enabled while the other doesn't.
  • The authentication key. With clear text there is a single key, and it travels in the packet header in the clear. With MD5 each key has an identifier and a value (alphanumeric); the sender puts the key ID in the packet header and appends an MD5 digest computed over the packet and the key, and the receiver looks up that key ID in its own configuration and recomputes the digest. So the same key ID must hold the same value on both routers; one matching key is enough for authentication to succeed. Note that MD5 authentication does not encrypt the routing updates; it only proves that the sender knows the key and that the packet was not modified in transit.
Note that authentication type 0 means no authentication is configured. A type mismatch shows up in the OSPF adjacency debug output like this:
*May 14 10:38:57.843: OSPF: Rcv pkt from 192.168.253.5, FastEthernet1/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
The OSPF authentication type can be configured under interface configuration mode or under router configuration mode. In both cases the authentication check happens per interface.
For example, if I enter the commands:
router ospf 1
area 0 authentication message-digest
the router enables MD5 authentication on all of its interfaces that are in area 0. An ip ospf authentication command on an interface takes precedence over the area setting for that interface.

Here is an example. The network is very simple: 3 routers connected to the same Ethernet segment, network 192.168.253.0/24.

Case1:
We will configure the authentication method on R3 to be type 1, and on R5 & R2 to be type 2

Router R5:
router ospf 1
log-adjacency-changes
network 192.168.253.5 0.0.0.0 area 0
interface FastEthernet0
ip address 192.168.253.5 255.255.255.0
ip ospf authentication message-digest
speed auto
end

Router R2:
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
network 192.168.253.2 0.0.0.0 area 0
interface FastEthernet1/0
ip address 192.168.253.2 255.255.255.0
duplex auto
speed auto
end

Router R3:
router ospf 1
log-adjacency-changes
network 192.168.253.3 0.0.0.0 area 0
interface FastEthernet0
ip address 192.168.253.3 255.255.255.0
ip ospf authentication
speed auto

As you see, on router R2 I configured the authentication type under router configuration mode:
 area 0 authentication message-digest  ; enables authentication type 2 on all interfaces that are in area 0
while on R3 and R5 we configured the authentication type under interface configuration mode:
ip ospf authentication ; enables authentication type 1 (clear text) on interface f0 (R3)
ip ospf authentication message-digest  ; enables authentication type 2 (MD5) on interface f0 (R5)

If we look at the neighbour relationship on R3, there is none:
Router R3:
R3#show ip ospf neigh
R3#

This is the debug output on router R5:
00:25:01: OSPF: Rcv pkt from 192.168.253.3, FastEthernet0 : Mismatch Authentication type. Input packet specified type 1, we use type 2
00:25:05: OSPF: Send with youngest Key 0
00:25:11: OSPF: Rcv pkt from 192.168.253.3, FastEthernet0 : Mismatch Authentication type. Input packet specified type 1, we use type 2

Now if we change the authentication type on router R3 to MD5 as well, the neighbour relationship comes up:
R3:
int f0
ip ospf authentication message-digest



R3#show ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
192.168.253.5 1 FULL/DR 00:00:38 192.168.253.5 FastEthernet0
172.18.20.20 1 FULL/BDR 00:00:31 192.168.253.2 FastEthernet0
R3#
You can see the authentication type, by using the command: show ip ospf int
R2#show ip ospf int f1/0
FastEthernet1/0 is up, line protocol is up
Internet Address 192.168.253.2/24, Area 0
Process ID 1, Router ID 172.18.20.20, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.253.5, Interface address 192.168.253.5
Backup Designated router (ID) 172.18.20.20, Interface address 192.168.253.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.253.5 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
No key configured, using default key id 0

"No key configured, using default key id 0" means the router falls back to key ID 0, which has an empty value. Neighbours still form an adjacency as long as they all use the same empty key 0 (which is why the adjacencies above came up without any key), but that gives no protection at all: configure a real key, as in Case 2.

Case2:
Now that the authentication type matches on all routers, let us configure the keys.
For clear text authentication (type 1) you can configure only 1 key per interface, up to 8 characters:
int f0
ip ospf authentication-key blogkey
where blogkey is the key. This check is simple: the single key must match on both sides. Remember that this key appears in every OSPF packet in the clear.

For MD5 authentication (type 2) you can configure several keys on an interface, each with a key ID. The sender places the ID of the key it used in the packet header and appends the digest; the receiver looks up that key ID in its own configuration and recomputes the digest with the key of that ID, so the same key ID must carry the same key string on both routers:
int f0
ip ospf message-digest-key 30 md5 blogmd5key

If the two routers share no key ID with the same key string, authentication fails and the neighbour relationship will not be established. Having several key IDs is what allows a key rollover without an outage: add the new key on every router first, then remove the old one.
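As an added example (not from the original post, and not IOS code), the following Python models the receiver-side checks described in Case 1 and Case 2: the AuType in the OSPF header must match the interface's configured type, a type 1 packet carries the password in the 8-byte authentication field in the clear, and a type 2 packet carries a key ID plus a trailing MD5 digest computed over the packet and the key (RFC 2328, Appendix D). The router IDs, the hello body and the key table are constructed for the example; the OSPF checksum of type 0/1 packets is left at zero because it plays no part in the authentication decision.

```python
"""OSPFv2 packet authentication checks (RFC 2328, Appendix D).

Added example: a sender that fills the authentication field for type 1 / type 2
and a receiver that applies the same accept/reject rules as the router debug
messages on this page. Router IDs, packet bodies and keys are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Optional, Tuple

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2  # "type 0/1/2" in the IOS debug output
HELLO = 1
HEADER = struct.Struct("!BBHIIHH")  # version, type, length, router id, area id, checksum, AuType
HEADER_LEN = HEADER.size + 8        # plus the 64-bit authentication field


def rid(dotted: str) -> int:
    """Router ID as a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def build_packet(au_type: int, auth_field: bytes, router_id: int, area_id: int, body: bytes) -> bytes:
    """OSPF header + authentication field + body. Checksum left 0 (not part of the auth decision)."""
    assert len(auth_field) == 8
    length = HEADER_LEN + len(body)  # the MD5 trailer is NOT counted in this length
    return HEADER.pack(2, HELLO, length, router_id, area_id, 0, au_type) + auth_field + body


def simple_packet(key: str, router_id: int, area_id: int, body: bytes) -> bytes:
    """Type 1: 'ip ospf authentication-key <key>' puts the key itself in the header, zero padded to 8 bytes."""
    return build_packet(AUTH_SIMPLE, key.encode().ljust(8, b"\0")[:8], router_id, area_id, body)


def md5_packet(key_id: int, key: str, seq: int, router_id: int, area_id: int, body: bytes) -> bytes:
    """Type 2: the header carries (0, key id, 16, sequence number); the key never leaves the router.
    Digest = MD5(packet || key zero padded to 16 bytes), appended after the packet."""
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = build_packet(AUTH_MD5, auth_field, router_id, area_id, body)
    return pkt + hashlib.md5(pkt + key.encode().ljust(16, b"\0")[:16]).digest()


class OspfInterface:
    """Receiving side of one interface, as configured by the commands in Case 1 and Case 2."""

    def __init__(self, au_type: int, simple_key: str = "", md5_keys: Optional[Dict[int, str]] = None):
        self.au_type = au_type
        self.simple_key = simple_key
        self.md5_keys = dict(md5_keys or {})  # key id -> key, one entry per 'ip ospf message-digest-key'
        self.last_seq: Dict[int, int] = {}    # router id -> last accepted sequence number

    def receive(self, pkt: bytes) -> Tuple[bool, str]:
        if len(pkt) < HEADER_LEN:
            return False, "runt packet"
        _ver, _type, length, router_id, _area, _csum, au_type = HEADER.unpack_from(pkt)
        if au_type != self.au_type:  # the Case 1 failure, same wording as the debug
            return False, (f"Mismatch Authentication type. Input packet specified type "
                           f"{au_type}, we use type {self.au_type}")
        auth_field = pkt[HEADER.size:HEADER_LEN]
        if au_type == AUTH_NULL:
            return True, "no authentication"
        if au_type == AUTH_SIMPLE:
            expected = self.simple_key.encode().ljust(8, b"\0")[:8]
            if not hmac.compare_digest(auth_field, expected):
                return False, "clear-text key mismatch"
            return True, "clear-text key accepted"
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", auth_field)
        key = self.md5_keys.get(key_id)
        if key is None:  # the Case 2 failure: no common key id
            return False, f"no key configured for key id {key_id}"
        if auth_len != 16 or len(pkt) < length + 16:
            return False, "missing or malformed MD5 trailer"
        expected = hashlib.md5(pkt[:length] + key.encode().ljust(16, b"\0")[:16]).digest()
        if not hmac.compare_digest(pkt[length:length + 16], expected):
            return False, f"digest mismatch for key id {key_id}"
        if seq < self.last_seq.get(router_id, 0):  # non-decreasing sequence number blocks replay
            return False, "replayed sequence number"
        self.last_seq[router_id] = seq
        return True, f"MD5 digest verified with key id {key_id}"


if __name__ == "__main__":
    body = b"\xff\xff\xff\x00" + b"\x00" * 16  # constructed stand-in for a Hello body
    r5 = OspfInterface(AUTH_MD5, md5_keys={30: "blogmd5key"})
    print(r5.receive(simple_packet("blogkey", rid("192.168.253.3"), 0, body)))      # Case 1 mismatch
    print(r5.receive(md5_packet(30, "blogmd5key", 1, rid("192.168.253.3"), 0, body)))  # accepted
```

The order of the checks mirrors what the debug output on the page shows: the type mismatch is reported before any key is looked at, and with MD5 a packet whose key ID the receiver does not have is rejected before the digest is even computed. The sequence number check is what stops a captured, validly signed packet from being replayed later.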

I hope this was helpful for OSPF authentication. Please don't hesitate to write your comments or questions.
You can follow our FTP services and solutions blog at http://www.ftp.services



