Syed Jahanzaib Personal Blog to Share Knowledge !

December 16, 2019

TACACS+ Cisco centralized authentication server

Filed under: Cisco Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 3:29 PM

tacacs plus server.png

Disclaimer:

My humble request, Kindly donot consider me as an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. When you are enslaved by private job & working as one man army, you have to perform many task in which you are not formally trained for. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others


TACACS+

Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a authentication / authorization related services for cisco switches/routers/firewalls access control through a centralized server. With the help of Tacacs+ you can set up a much more granular level access for the users, groups, subnets or device type etc. Example which user can issue which commands on switches etc.

 

central auth server.jpeg

 

Hardware Software Components used in this guide:

In this post I have used

  • Ubuntu 18 server edition for TACACS+ deployment / IP: 101.11.11.254
  • Cisco WS-C3850-24T switch / IOS Version 16.3.9 [Denali]

Quick Notes:

TACACS Server installation

apt-get -y install tacacs+

Once the installation is done , we will modify or add the tacacs+ server default config file to to suite our needs. On default installation, the configuration file is found here /etc/tacacs+/tac_plus.conf

nano /etc/tacacs+/tac_plus.conf

Remove existing configuration, and use below sample config, make sure to change the KEY, id pass as required

# Key is like password or shared secret, make sure to make it strong

key = testing123
accounting file = /var/log/tacplus.log
#default authentication = file /etc/passwd
group = admins {
default service = permit
service = exec {
priv-lvl = 15
}
}

# For support group, we are allowing only specific sets of CMD only
group = support {
default service = deny
service = shell {
priv-lvl = 15
}
cmd = show {
permit version.*
permit clock.*
permit interface.*
permit running-config.*
permit logging.*
}
cmd = configure {
permit .*
}
cmd = interface {
permit .*
}
cmd = vlan {
permit .*
}
cmd = switchport {
permit .*
}
cmd = write {
permit .*
}
}

#Create local user here
user = admin {
login = cleartext admin123
name = "Admin Group"
member = admins
}
user = support {
login = cleartext support123
name = "Network Support"
member = support
}<span style="color:var(--color-text);">


 

& if all configuration is OK , you should get something like below …

 * Checking TACACS+ authentication daemon configuration files successful tacacs+

Restart tacacs+ service

/etc/init.d/tacacs_plus restart

Next up we will make changes to the Cisco switch ,
in this example am using a Cisco switch WS-C3850-24T and the one working configuration look like this:

Note: This is just basic example. It may be not well tuned insecure too but for test it will work fine.


Switch configuration

enable
conf t

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization commands 1 support group tacacs+ local
aaa authorization commands 15 admins group tacacs+ local
aaa accounting commands 1 support-act1 start-stop group tacacs+
aaa accounting commands 15 admins-act15 start-stop group tacacs+
login on-success log

# change tacacs IP address / KEY as per your local network
tacacs-server host 101.11.11.254
tacacs-server key 0 testing123

!
line con 0
exec-timeout 35791 0
privilege level 15
stopbits 1
line aux 0
no exec
stopbits 1
line vty 0 3
privilege level 15
authorization commands 1 support
authorization commands 15 admins
accounting commands 1 support-act1
accounting commands 15 admins-act15
length 0
transport input ssh
line vty 4
exec-timeout 35791 0
privilege level 15
authorization commands 1 support
authorization commands 15 admins
length 0
transport input ssh
line vty 5 15
length 0
!

do wr

Done.

Now try to login to switch with support account & execute try to permitted / non-permitted commands.

Result for SUPPORT ACCOUNT

login as: support
Using keyboard-interactive authentication.
Password:

spare-sw#ping 101.11.11.254
Command authorization failed.

spare-sw#show clock
*10:24:07.527 UTC Mon Dec 16 2019

spare-sw#sh inter
spare-sw#sh interfaces status

Port Name Status Vlan Duplex Speed Type
Gi1/0/1 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/2 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/3 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/4 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/5 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/6 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/7 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/8 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/9 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/10 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/11 notconnect 1 auto auto 10/100/1000BaseTX

spare-sw#

 



Regard’s
Syed Jahanzaib

December 13, 2019

Mikrotik – Packet Chain Topology

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 9:36 AM

 


Firewall Mangle

Firewall mangle is used to mark IP packet. These marks are used by other router facilities like routing, firewall filter and bandwidth management to identified the packets. Moreover it also used to modify some fields in the IP header, like TOS (DSCP) and TTL fields. There are 5 default chain in firewall mangle.

INPUT

Packet that come into router will check with input chain. It is used to process packets entering the router. For example If we want to filter packet that telnet or ssh to router we need to use input chain in firewall filter.– Used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router addresses. Chain input is useful for limiting the configuration access to Mikrotik Router.
or
– The connection that occurs from local to router and ends in router
example: use of the internal proxy (internal proxy right in the router)

PREROUTING

Prerouting is looked at before the router makes a routing decision. It’s happen before input chain. The packet that forward passthrough the router will match prerouting first.Pre-routing means that the connection will enter the router (no matter from where / depends on the settings mangle in interface later) . this connection will be in the process inside the router, can the process of bending to the external proxy, can filtering port, can anything, anyway there is a process, prerouting it marks the connection before the process occurs.

FORWARD

After prerouting, packet that passthrough router will process by forward chain. Used to process packets passing through the router. Example we want to block users to open facebook. We will use firewall forward chain to do it.– Used to process data packets through routers, connections that occur from the public to local
or
– The connection that occurs from local to public
with the provision that there is no process inside the router, it means that the connection is direct and only passing in the router does not happen a process inside the router.

POSTROUTING

Postrouting is a connection that will exit the router after a process occurs inside the router. It’s happen after forward. Postrouting is looked at after the router makes a routing decision.

OUTPUT

OUTPUT is used to process packets that originated from the router. Normally we rarely use this chain. Example we ping from router to Internet that’s output traffic.

or to process data packets originating from the router and left through one of the interfaces, connections that occur from the router to the public. It is used to process packets that originated from the router

============================================================================

Firewall Filter

Most of the time we use it for filter traffic simply say to protect our network from unauthorized user or bad guy. There are three default chain in firewall filter. It’s input, output and forward.

 

Does it matter where you mark?

Yes, because sometimes you might overmark and sometimes you might undermark. Choose the right place for the right classification/marking

 

December 10, 2019

Short notes for UNBOUND Caching DNS Server under Ubuntu 18

Filed under: Linux Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 12:05 PM

unbound.PNG

Installation of UNBOUND dns server for local network is fairly simple but I encountered some hurdles setting it up with Ubuntu 18 therefore I took notes on how I resolved it in this post for reference purposes.

After fresh installation of Ubuntu 18, It’a a good idea to keep your system TIME with any NTP source.

apt-get -y install ntp ntpdate
# Change timezone as per your local
cp /usr/share/zoneinfo/Asia/Karachi /etc/localtime
sudo /etc/init.d/ntp restart

Install UNBOUND DNS Server

Step#1

apt-get install -y unbound

Step#2

#Additional notes for Ubuntu 18 version

The problem with Ubuntu 18.04 is the systemd-resolved service which is listening on port 53 and therefore conflicts with unbound service

Edit the file /etc/systemd/resolved.conf

nano /etc/systemd/resolved.conf 

& modify this

DNSStubListener=no

Now reboot

shutdown -r now

You can now confirm if 53 port is now free up

netstat -tulpn | grep :53

Step#3

Some housekeeping stuff

sudo service systemd-resolved stop
sudo rm -f /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo service systemd-resolved start

Step#4

Edit the existing UNBOUND configuration file for customization…

nano /etc/unbound/unbound.conf

Example of unbound.conf

# Unbound configuration file for Debian.
server:
# Use the root servers key for DNSSEC
#auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Enable logs
chroot: ""
#verbosity (log level from 0 to 4, 4 is debug)
#verbosity: 1
#logfile: /var/log/unbound/unbound.log
#log-queries: yes
#use-syslog: (do not write logs in syslog file in ubuntu /var/log/syslog -zaib)
use-syslog: no
#interface (interfaces on which Unbound will be launched and requests will be listened to)
# Respond to DNS requests on all interfaces
interface: 0.0.0.0
# DNS request port, IP and protocol
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes

# Authorized IPs to access the DNS Server / access-control (determines whose requests are allowed to be processed)
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/16 allow
access-control: 192.168.0.0/16 allow
access-control: 101.0.0.0/8 allow

# Root servers information (To download here: ftp://ftp.internic.net/domain/named.cache)
#root-hints: "/var/lib/unbound/root.hints"

# Hide DNS Server info
hide-identity: yes
hide-version: yes

# Improve the security of your DNS Server (Limit DNS Fraud and use DNSSEC)
harden-glue: yes
harden-dnssec-stripped: yes

# Rewrite URLs written in CAPS
use-caps-for-id: yes

# TTL Min (Seconds, I set it to 7 days)
cache-min-ttl: 604800
# TTL Max (Seconds, I set it to 14 days)
cache-max-ttl: 1209600
# Enable the prefetch
prefetch: yes

# Number of maximum threads CORES to use / zaib
num-threads: 4

### Tweaks and optimizations
# Number of slabs to use (Must be a multiple of num-threads value)
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# Cache and buffer size (in mb)
rrset-cache-size: 51m
msg-cache-size: 25m
so-rcvbuf: 1m

# Make sure your DNS Server treat your local network requests
#private-address: 101.0.0.0/8

# Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
unwanted-reply-threshold: 10000

# Authorize or not the localhost requests
do-not-query-localhost: no

# Use the root.key file for DNSSEC
#auto-trust-anchor-file: "/var/lib/unbound/root.key"
val-clean-additional: yes
include: "/etc/unbound/unbound.conf.d/*.conf"

Example of /etc/unbound/myrecords.conf

You can use this file to add your custom records as well.

Create new file at

nano /etc/unbound/myrecords.conf
local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net A 127.0.0.1"
local-zone: "googlesyndication.com" redirect
local-data: "googlesyndication.com A 127.0.0.1"
local-zone: "googleadservices.com" redirect
local-data: "googleadservices.com A 127.0.0.1"
local-zone: "google-analytics.com" redirect
local-data: "google-analytics.com A 127.0.0.1"
local-zone: "ads.youtube.com" redirect
local-data: "ads.youtube.com A 127.0.0.1"
local-zone: "adserver.yahoo.com" redirect
local-data: "adserver.yahoo.com A 127.0.0.1"
local-zone: "1.com" redirect
local-data: "1.com A 0.0.0.0"
local-data: "zaib.com A 1.2.3.4"
local-data: "zaib2.com A 1.2.3.4"

Once all done, restart the unbound service by

service unbound restart
OR
service unbound reload

Test if UNBOUND service is started successfully.

service unbound status

Result:

â unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-12-10 12:28:59 PKT; 2s ago
Docs: man:unbound(8)
Process: 1588 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Process: 1576 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
Main PID: 1610 (unbound)
Tasks: 4 (limit: 2290)
CGroup: /system.slice/unbound.service
ââ1610 /usr/sbin/unbound -d

Dec 10 12:28:58 u18 systemd[1]: Starting Unbound DNS server...
Dec 10 12:28:59 u18 package-helper[1588]: /var/lib/unbound/root.key has content
Dec 10 12:28:59 u18 package-helper[1588]: success: the anchor is ok
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 0: subnet
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 1: validator
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 2: iterator
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] info: start of service (unbound 1.6.7).
Dec 10 12:28:59 u18 systemd[1]: Started Unbound DNS server.

Test if DNS server is responding to DNS queries

dig @127.0.0.1 bbc.com

1st Result: [check the Query time]

;  DiG 9.11.3-1ubuntu1.11-Ubuntu  @127.0.0.1 bbc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16313
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.com. IN A

;; ANSWER SECTION:
bbc.com. 86400 IN A 151.101.192.81
bbc.com. 86400 IN A 151.101.128.81
bbc.com. 86400 IN A 151.101.0.81
bbc.com. 86400 IN A 151.101.64.81

;; Query time: 971 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 10 07:04:21 UTC 2019
;; MSG SIZE rcvd: 100

2nd Result: [check the Query time]

root@u18:/etc/unbound/unbound.conf.d# dig @127.0.0.1 bbc.com

;  DiG 9.11.3-1ubuntu1.11-Ubuntu  @127.0.0.1 bbc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14171
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.com. IN A

;; ANSWER SECTION:
bbc.com. 86398 IN A 151.101.192.81
bbc.com. 86398 IN A 151.101.128.81
bbc.com. 86398 IN A 151.101.0.81
bbc.com. 86398 IN A 151.101.64.81

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 10 07:04:23 UTC 2019
;; MSG SIZE rcvd: 100

See the difference between 1st & second response which shows that cache is working

 


Enabling LOG File [recommended for troubleshoot purposes only]

Create a Log file and assign rights to write logs:

mkdir /var/log/unbound
touch /var/log/unbound/unbound.log
chmod -R 777  /var/log/unbound/

Now enable it in the unbound config file. I have commented it in the configuration file.

An example of viewing logs:

sudo tail -f /var/log/unbound/unbound.log
sudo tail -f /var/log/syslog

UNBOUND.LOG

[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: resolving bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: response for bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: reply from  193.0.14.129#53
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:3] info: validate(nxdomain): sec_status_secure
[1575963664] unbound[1962:3] info: validation success bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: resolving bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: response for bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: reply from  199.7.83.42#53
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:3] info: validate(nxdomain): sec_status_secure
[1575963664] unbound[1962:3] info: validation success bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:1] info: 101.11.11.161 bbc.com. A IN
[1575963664] unbound[1962:1] info: resolving bbc.com. A IN
[1575963664] unbound[1962:1] info: resolving bbc.com. DS IN
[1575963664] unbound[1962:1] info: NSEC3s for the referral proved no DS.
[1575963664] unbound[1962:1] info: Verified that unsigned response is INSECURE
[1575963672] unbound[1962:0] info: 101.11.11.161 bbc.com. AAAA IN

Example of cache export and import:

unbound-control dump_cache > backup
unbound-control load_cache < backup

#Clear one site from cache

unbound-control flush_zone google.com

# View cached DNS contents or count

unbound-control dump_cache
unbound-control dump_cache | wc -l

Regard’s
Syed Jahanzaib

December 5, 2019

Intervlan Routing with Mikrotik DHCP Option 121 & 249

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 12:18 PM

network.jpg

Disclaimer! This is important!

My humble request is that kindly donot consider me as an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. When you are enslaved by private job & working as one man army, you have to perform many task in which you are not formally trained for. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others


This post is a sequel of Prevent Mikrotik from Chocking with Cisco Inter-Vlan Routing

If you are running mikrotik DHCP along with VLAN, & you want to get benefits of intervlan routing to avoid local traffic (same network but different subnets/vlans) hitting mikrotik by routing local resource requests through switch level directly. There are 2 options to sort this issue. Either provide the static routes for each vlan which becomes useless if you are using pppoe because as soon as client connected with pppoe, it will get preference over your existing default gateway thus all traffic even the local one will be passing via mikrotik resulting in excessive usage of mikrotik resources. This was discussed in details here.

Far better solution is to avoid providing any default routes to DHCP users but assign them CLASSLESS ROUTES for local resources via your DHCP options, either via Cisco or Mikrotik DHCP server. A classless route adds specified route in clients routing table

In this post we will discuss only about Mikrotik DHCP option 121/249.

  • 121 – Generally used for devices / Linux / Mikrotik etc. Option 121 is a RFC3442 *standard*.However, note that DHCP Option 121 is ignored by DHCP clients prior to Windows Vista. O
  • 249 – It is the pre-standard Microsoft implemented option for Classless Static Routes (CSRs). It was eventually standardized as option 121. I think 249 is for microsoft only.

Personnel Note: Don’t use both.  I think this causes routes to be ignored. If you need to support both older and newer OS, use the option 249.

Scenario:

We assume you have working DHCP for each vlan under Mikrotik.

  • Mikrotik interface VLAN-x IP : 192.168.100.1/24
  • Cisco switch Vlan-x IP : 192.168.100.2/24
  • Mikrotik DHCP assignment for VLAN-x: 192.168.100.10 – 192.168.100.255 [no dns, no gateway]
  • Local sharing servers: We have some sharing servers on different subnet on local switch port: 101.0.0.0/8

Now what we want is that our DHCP LAN client 192.168.100.0/24 can access 101.0.0.0/8 via switch intervlan routing directly [via switch vlan port 192.168.100.2]. To achieve this we will assign stateless routes using DHCP options.

Side Note: It strikes me that you have to use classful routes in the Classless Static Routes DHCP Option for older version of windows like XP/2000.


Step # 1

To transfer classless routes to the Mikrotik DHCP server, the option with code 121/249 is used First we need to convert IP to hexadecimal HEX code. If you are a beginner you can simply get the ready made code using this site.

https://ip-pro.eu/en/mikrotik_dhcp_option_121_generator

Enter the details as per your local network scheme

For single Subnet:

dhcp option hex code via web site.PNG

For multiple Subnet:

You can add ADD NEW ROW to add multiple subnet and gateways to get combined HEX value . Z

multiple subnet routes in single line.PNG

Or try

https://billing-beta.galaxy.net.pk/public/option121/


Step # 2

Now we got the HEX value & we can use it in mikrotik dhcp option 121-249 .

  • Goto IP / DHCP / OPTIONS / + Add new

dhcp options for 121-249.PNG

Note: Make two entries, one for 121 & second for 249. As shown above !

Step # 3

Now we will add the above option in OPTION SETS , we can include multiple options in the OPTION SETS window

  • Goto IP / DHCP / OPTION SETS / + Add new

dhcp options set 2.PNG

Step # 4

Now goto IP / DHCP / Double Click on required DHCP & under DHCP OPTION SETS, select the option set we created in Step # 4


Testing …

At client end, renew the IP and you will get all the routes you configured in above steps.

For single Subnet entry:

===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
101.0.0.0 255.0.0.0 192.168.100.2 192.168.100.254 11 ***************
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.100.0 255.255.255.0 On-link 192.168.100.254 266
192.168.100.254 255.255.255.255 On-link 192.168.100.254 266
192.168.100.255 255.255.255.255 On-link 192.168.100.254 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.100.254 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.100.254 266
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

For Multiple Subnet entry:

===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
10.0.0.0 255.0.0.0 192.168.100.1 192.168.100.254 11 ***************
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.16.10.0 255.255.255.0 192.168.100.1 192.168.100.254 11 ***************
192.168.100.0 255.255.255.0 On-link 192.168.100.254 266
192.168.100.254 255.255.255.255 On-link 192.168.100.254 266
192.168.100.255 255.255.255.255 On-link 192.168.100.254 266
221.132.112.8 255.255.255.255 192.168.100.1 192.168.100.254 11 ***************
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.100.254 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.100.254 266
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

Regard’s
Syed Jahanzaib

December 3, 2019

Cisco Switch: Upgrading Firmwares & Recovering from Failed ones !

Filed under: Cisco Related — Tags: , , , , , , , , — Syed Jahanzaib / Pinochio~:) @ 9:56 AM

If it ain’t broke, don’t fix it ! So true 🙂 Z@ib


advise on upgrade of switch fw.PNG


Quick notes for myself: Disclaimer! This is important!

My humble request is that kindly donot consider me as an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. When you are enslaved by private job & working as one man army, you have to perform many task in which you are not formally trained for. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others

Maybe this post will help some other novice like me

Regard’s
Syed Jahanzaib


WS-C3650-48PD

Fortunately this model have nice GUI which supports easy upgrade of firmwares , therefore I used it to upgrade to latest stable build Fuji-16.9.4

365048pdl fw upgrade.PNG


SG300-28PP/SG500-52PP

This model also have nice GUI which supports easy upgrade of firmwares , therefore I used it to upgrade to latest stable build

https://www.cisco.com/c/en/us/support/switches/sg500-52-52-port-gigabit-stackable-managed-switch/model.html#~tab-downloads

sg300-500.PNG


3750X-48T-S

.

WS-C3750E-24TD

OLD version:

WS-C3750E-24TD     12.2(40)SE

3750 fw old.PNG

Steps for Upgrade:

First setup new or use existing TFTP server, download the new firmware from

https://software.cisco.com/download/home/280831016/type/280805680/release/15.0.2-SE11?i=!pp

& copy the firmware file (.BIN format) in TFTP root folder. Now from switch console , copy the file from TFTp into switch FLASH

copy tftp: flash:

It will ask the tftp server IP, and source/destination file name, fill them up as per your local scenario

>Address or name of remote host? <IP_ADDRESS_OF_TFTP_SERVER>
>source filename? <IMAGE_NAME.bin>
>Destination filename? <IMAGE_NAME.bin>
conf t
boot system flash:<IMAGE_NAME.bin>
exit
wr
reload

after this switch will reboot , and new firmware will be overwritten.

New version:

Release 15.0.2-SE11 MD

3750 fw new.PNG

 


WS-C3850-24T

Notes:

With this model, I encountered few issues in upgrading 3850 switch.

  • Gibralter 16.12.1 ED : 3850 / Switch was doing reboot in loop with following error

Kernel panic – not syncing: VFS: Unable to mount root fs on unknown-block(1,0)

  • Fuji 16.9.4 MD : 3850 / Switch Port Orange Light issue

With this upgrade , switch booted but all ports lights runed to amber.

  • Denali 16.3.9 MD : 3850 / Well tested , worked OK

Therefore I reverted back to to Denali-16.3.9 which worked fine & stable.

Steps for Upgrade:

First setup new or use existing TFTP server, download the new firmware from

https://www.cisco.com/c/en/us/support/switches/catalyst-3850-24t-s-switch/model.html#~tab-downloads

>Address or name of remote host? <IP_ADDRESS_OF_TFTP_SERVER>
>source filename? <IMAGE_NAME.bin>
>Destination filename? <IMAGE_NAME.bin>
conf t
software install file flash:cat3k_caa-universalk9.16.03.09.SPA.bin new force verbose

after this switch will ask to reload , do so to apply changes

New version:

16.3.9

3850 new ver.PNG


Recovering from IOS FAILED upgrade on 3850 Switch

after the Gibralter firmware upgrade , 3850 switch wen into reboot loop.

Kernel panic – not syncing: VFS: Unable to mount root fs on unknown-block(1,0)

More infor on this issue mentioned here @ https://community.cisco.com/t5/switching/catalyst-c3850-gibraltar-16-12-1-ed/td-p/3907723

After entering recovery mode , I made the situation worsen by deleting some flash files. This is how I recovered from this situation.

from the switch Management port, connect a cable directly to your laptop/desktop & assign any private IP on the system like 192.168.99.1/24. Install any free TFTP server like SOLARWINDS TFTP Server. copy the stable firmware like DENALI 16.0.3.09 in the tftp root folder.

cat3k_caa-universalk9.16.03.09.SPA.bin

Now using any terminal tool like putty, connected to switch via CONSOLE port, press MODE button while booting & entered RECOVERY mode. & issued following CMD’s

  • flash_init
  • mgmt_init
  • set IP_ADDR 192.168.99.2/255.255.255.0
  • set default_router 192.168.99.1
  • emergency-install tftp://192.168.99.1/cat3k_caa-universalk9.16.03.09.SPA.bin

There was another easy method by connecting USB into usb port of switch, but since switch may not recognize most modern usb’s , therefore I had to take a long route of TFTP.

To read in more details , refere following post

http://blog.unolution.com/networking/how-to-recover-a-cisco-switch-3560x-3750x-from-boot-loader/


Regard’s
Syed Jahanzaib

 

November 28, 2019

Virtualization: Quick Notes for myself

Filed under: VMware Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 10:20 AM

vmware esxi



ESXI Server: ‘SEL Fullness’ message

Recently after upgrading ESXI from 6.5 to 6.7u3 on Lenovo (IBM) x3650 M5 machine, I received following error on vsphere web client

System Management Software 1 SEL Fullness: Log almost full

In vSphere 6.7 , Navigate to following and reset event log

Monitor > Tasks and Events > Hardware Health > SYSTEM EVENT LOG > RESET EVENT LOG


Updating ESXI 6.5 to 6.7u3 from the CLI

Recently I did some major updates in our virtual infrastructure including ESXi (ver 6.5.0, 10719125) ,  Vcenter & Veeam (9.5.4.2866) . Things were updated in following order

  • Veeam B&R upgraded to ver 9.5.4.2866
  • Vcenter upgraded to ver 6.7.0.40000
  • ESXI hosts upgraded to ver 6.5.0, 10719125

For ESXI update from 6.5 to 6.7u3. In the past I always use Installer CD/USB to upgrade from older esxi to new version, but for this approach, I have to compromise on my holidays or sit very late in office. This time time I took another approach and upgraded all the esxi hosts one by one on sundays remotely from the home using offline bundle installer & esxi CLI method. This is how I accomplished it.

I first downloaded the 6.7 update offline bundle from the Lenovo site (since we have all the IBM/Lenovo brand servers therefore I selected this option to avoid any hardware driver issue).

https://vmware.lenovo.com/content/custom_iso/6.7/6.7u3/

Afterwards I uploaded this offline bundle zip file to Esxi datastore, then logged in to esxi host via SSH, and issued

esxcli software vib install -d /vmfs/volumes/5d0cf64f-a83e7c86-6a4d-40f2e922c64a/Lenovo_Offline_Bundle_VMware_ESXi_6.7.0.update03_14320388_LNV_20190920.zip

Note: make sure to change datastore and filename as required.

It took few minutes, once I saw SUCCESS message, I completed the process by simply rebooted the ESXI host by cmd

reboot

Better approach is to update rather than install

esxcli software vib update -d /vmfs/volumes/5d0cf64f-a83e7c86-6a4d-40f2e922c64a/Lenovo_Offline_Bundle_VMware_ESXi_6.7.0.update03_14320388_LNV_20190920.zip

Difference between VIB update and VIB install

Excerpt from “https://communities.vmware.com/thread/435959&#8221;

To install or update a .zip file, use the -d option. To install or update a .vib file use the -v option.

Using the update command is the recommended method for patch application. Using this command applies all of the newer contents in a patch, including all security fixes. Contents of the patch that are a lower revision than the existing packages on the system are not applied.

Using the install command overwrites the existing packages in the system with contents of the patch you are installing, including installing new packages and removing old packages. The install command may downgrade packages on the system and should be used with caution. If required, the install command can be used to downgrade a system (only for image profiles) when the –allow-downgrade flag is set.

The install method has the possibility of overwriting existing drivers. If you are using 3rd party ESXi images, VMware recommends using the update method to prevent an unbootable state.

Check esxi version from CLI

esxcli system version get
Product : VMware ESXi
Version : 6.7.0
Build : Releasebuild-14320388
Update : 3
Patch : 73<span style="color:var(--color-text);">


Will update more

Regards
Syed Jahanzaib

November 26, 2019

Assigning friendly/fix name to USB device

Filed under: Linux Related — Tags: , , , , , , — Syed Jahanzaib / Pinochio~:) @ 9:34 AM

depositphotos_86584980-stock-photo-select-confusion-sign

Teltonika Usb Modem

Teltonika Usb Modem


Scenario:

We have Teltonika USB modem connected to our Linux box (Ubuntu) & Kannel is configured as SMS gateway for our network devices so that they can send Info/Alert SMS incase of any failure via HTTP method.

/dev/ttyACM0 is default port name on which this modem is detected by default BUT it happens Often that when the Linux box reboots, modem is detected on different port name like ttyACM1 which result in failure of kannel modem detection as the name is hardcoded in /etc/kannel/kannel.conf

To settle this issue, we fixed the USB device with our customized name , and in kannel we used this fixed name which sorted the modem port name change issue.

Step#1

Run following CMD

udevadm info -a -p $(udevadm info -q path -n /dev/ttyACM1)

& look for following attributes & note down both

  • idVendor
  • idProduct

Step#2

now Edit or create new file in /etc/udev by

nano /etc/udev/rules.d/99-usb-serial.rules

& paste following

SUBSYSTEM=="tty", ATTRS{idVendor}=="1d12", ATTRS{idProduct}=="3e11", SYMLINK+="gsm"

Make sure to change the idVendor & idProduct numbers that you noted in step #1.

Save & Exit.

Now issue below CMD to reload udev rules

sudo udevadm trigger

if all goes well, then look for your new device name gsm in /dev folder

ls -l /dev/gsm

Ok result would be similar to this

lrwxrwxrwx 1 root root 7 Nov 26 09:04 /dev/gsm -> ttyACM1

Regard’s
Syed Jahanzaib

 

November 23, 2019

DMASOFTLAB Radius Manager – Adding custom attribute to facilitate Dynamic address list on Mikrotik

Filed under: Mikrotik Related, Radius Manager — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 3:04 PM

Quick Recipe: If you are using DMA Radius Manager & want to assign Dynamic Address list to a service so that user can automatically be added to dynamic address list under NAS, you can do so by using custom RADIUS attributesunder services section

  • Login to Admin Panel
  • Goto Services
  • Click on your desired service example 4mb
  • Under `Custom RADIUS attributes` , add below attribute
Mikrotik-Address-List := 4mb

adding attribute in radius manager service

Save , & test any user authentication by CMD,

rmauth 127.0.0.1 test 1

freeradius attribute for dma radius manager test via cmd

 

on NAS dynamic address list will be created for each user of this service group. Late ryou can use this address list to mark connections / packets/ routing/queue etc.

4mb pppoe.PNG

Happy Attributing 😉


Regard’s
Jz.

November 8, 2019

Freeradius 3 with Mikrotik – Part-1 # Time to upgrade


freeradius-ldaps-e1380323478337

fr logo



Disclaimer! This is important!

Every Network is different , so one solution cannot be applied to all. Therefore try to understand logics & create or modify the solutions as per your network scenario. Never follow copy paste blindly, [unfortunately this has become our national culture]

My humble request is that kindly donot consider me as an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others

Regard's
Syed Jahanzaib~

This is another post about installation & configuration of ISP related billing system called Freeradius version 3.0.19. My aim is to let people know that creating your own Radius Billing system is not a ROCKET SCIENCE.

The only thing required is your ultimate passion to achieve the goal & with the right search, reading, understanding logic’s, you can do all on your own. I strongly encourage all to read the FR mailing list and Google search

For older version of Freeradius ver 2.x series, you may read below

https://aacable.wordpress.com/2016/03/11/mikrotik-with-freeradiusmysql-part-1/


Make your own Billing system in Linux with Latest version of Freeradius 3.0.19 / MySQL 5.7.27

by Syed Jahanzaib / aacable[at]hotmail[dot]com

[This Guide will be updated with many further supporting posts)

The aim of writing this post was that there are number of radius products available on the internet with lots of features, each have some unique features. But this is also true that none of them is 100% perfect for every type of ISP. The reason is that every ISP/Network have different sort of local requirements and billing mode. If you have searched on google you will find that there are tons of guides for freeradius implementation, but most of them have either incomplete data , or difficult explanation, or does not meet the practical requirements of Desi ISP. That’s why I started this guide so that info that is not common on the net can be shared here. plus most important you can learn on your own using this baby step.

In this post I have made some quick guide to install a very basic level of billing system by using Freeradius/mysql on UBUNTU 18.4 [64bit]. Mikrotik routerboard with firmware version 6.45.7 is being used as NAS to connect user and freeradius will be used for authentication/accounting billing system.

Let’s Rock …

blog-header-collaboration-between-hardware-software-teams_0

Hardware Software components used in this post

Hardware:

  • Xeon 2Ghz CPU x 2
  • 64 GB RAM
  • 480GB SSD x 8 disks in RAID-10
  • Vmware ESXI 6.5 installed on bare metal hardware
  • VM guest created for Radius role with following config
    40 GB RAM / 12 CORES VCPU / 300 GB Disk Space

Software:

  • OS: Ubuntu 18.04.3 LTS Server Edition [Click here for Download Link]
  • FreeRADIUS: Version 3.0.19 [using apt-get with custom repository]
  • Mysql Version: mysql Ver 14.14 Distrib 5.7.27, for Linux (x86_64) using EditLine wrapper [using apt-get]
  • IP scheme

    Radius IP = 101.11.11.254
    Mikrotik IP = 101.11.11.255

 


 

Quick Tips for Ubuntu OS before rolling out FR

helpful_tips1

Network address configuration

18.04_beaver_wp_8192x4608_AW

In Ubuntu 18, network addresses are configured slightly differently as compared to earlier version of ubuntu series. To add / modify IP addresses, edit 50-cloud-init.yaml file

nano /etc/netplan/50-cloud-init.yaml

A working configuration file is attached as below. Make sure to follow syntaxes as defined. U18 is quite sensitive regarding this section.

# Ubuntu 18 Network Config file # Syed Jahanzaib
network:
ethernets:
# Interface Name
ens33:
# Interface IP Address
addresses:
- 101.11.11.254/24
gateway4: 101.11.11.1
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
version: 2
<span style="color:var(--color-text);">


 

ROOT Login Access on local machine is not Allowed by Default on Fresh installation of Ubuntu 18

After fresh installation of Ubuntu 18 server edition, you cannot login with root ID by default. & to perform various functions, you may need ROOT access.

Therefore using your normal user account , issue below cmd’s to change root password in order to enable root login access

sudo passwd root

it will ask you to enter current user password, then it will ask to enter new root password two times. Do so and then you can change to use root user by using

# su

and it will ask you to enter root password, Enter the password that you setup in above steps. and you will be switched to ROOT.

Allow SSH Login for remote access using PUTTY or any other tool

permit-ssh-root-login-ubuntu

By default, Ubuntu 18 will not allow you to remotely login via SSH.

Edit file

nano /etc/ssh/sshd_config

now search for

PermitRootLogin prohibit-password

Change it to

PermitRootLogin yes

Save & Exit , Restart ssh service

service ssh restart

Another quick copy paste method to enable root ssh access

sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
service ssh restart

NTP configuration for timezone configuration &

Automatic time update from the internet [for KHI/PK]

apt-get -y install ntp ntpdate
cp /usr/share/zoneinfo/Asia/Karachi /etc/localtime
sudo /etc/init.d/ntp restart

Disable iPV6

disable-ipv6-on-ubuntu

if ipv6 not required, its a good idea to disable it from beginning.

Use below CMD

echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6=1" /etc/sysctl.conf
sysctl -p

for further ensurity, now edit

nano /etc/default/grub

& change

FROM:
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX=""
TO:
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"
GRUB_CMDLINE_LINUX="ipv6.disable=1"

Save & exit & run below cmd to update GRUB

sudo update-grub



Installing components required for general operations including MYSQL as well

Install supporting tools like mysql / phpmyadmin etc [make sure you enter mysql password when it asks ]

#During installation, it will ask you to enter PASSWORD, dont let it skip, be vigilant 

apt-get -y install apache2 mc wget make gcc mysql-server mysql-client curl
apt-get -y install phpmyadmin

NOTE# mySQL Empty Root Password 

Try to login to mysql with your defined password. In case if mysql is letting you in with any random or empty password, use this CMD to change mysql root password

Use these steps only if you have mysql login issue with empty/any password

mysql -uroot -pANYPASS
UPDATE mysql.user SET authentication_string= '' WHERE User='root';
UPDATE mysql.user SET plugin = '' WHERE user = 'root';
UPDATE mysql.user SET authentication_string=PASSWORD('zaib1234') WHERE User='root';
UPDATE mysql.user SET plugin = 'mysql_native_password' WHERE user = 'root';
exit

Don’t forget to restart mySQL service, this part wasted some time of mine

service mysql restart

fr logo with hatFR logo new .png

~ Installation & Configuration part ~
~ Freeradius version 3.0.19 ~

To install freeradius 3.0.19 via apt-get on ubuntu 18.4 server, first update the repository by using following

echo "deb http://packages.networkradius.com/releases/ubuntu-bionic bionic main" >> /etc/apt/sources.list

Save and exit, and issue below cmd

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x41382202
sudo apt-get update

~

Now using apt-get install method , we will install FR ver 3.0.19

apt-get -y install freeradius freeradius-mysql freeradius-utils

Once installed, check the FR version, & it should be similar to this

freeradius -v

radiusd: FreeRADIUS Version 3.0.19 (git #ab4c76709), for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.19
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

SQL Section:

Create DB in mysql

# Make sure to change password which you setup while installing mySQL

mysql -uroot -pzaib1234
create database radius;
grant all on radius.* to radius@localhost identified by "zaib1234";
exit

Now import sql schema file into the mysql

mysql -u root -pzaib1234 radius < /etc/freeradius/mods-config/sql/main/mysql/schema.sql

Now create SQL link

ln -s /etc/freeradius/mods-available/sql /etc/freeradius/mods-enabled/

FREERADIUS CONFIG Section

now edit /etc/freeradius/mods-enabled/sql

nano /etc/freeradius/mods-enabled/sql

& make modification like in SQL { section

change to below

sql {
dialect = "mysql"
driver = "rlm_sql_${dialect}"
mysql {
# there are few lines related to certs, delete them as we donot require them
warnings = auto
}

# Connection info:
server = "localhost"
port = 3306
login = "radius"
password = "zaib1234"
# Change password as you configured in initial steps/zaib
# Database table configuration for everything except Oracle
radius_db = "radius"

Save & exit.

Adding your NAS in mysql NAS table

TIP: Quick CMD to add NAS in table,

mysql -uroot -pzaib1234 -e "use radius; INSERT INTO nas (id, nasname, shortname, type, ports, secret, server, community, description) VALUES (NULL, '101.11.11.255', NULL, 'other', NULL, '123456', NULL, NULL, 'RADIUS Client');"

OUTPUT:

mysql> select * from nas;
+----+---------------+-----------------+-------+-------+--------+--------+-----------+---------------+
| id | nasname | shortname | type | ports | secret | server | community | description |
+----+---------------+-----------------+-------+-------+--------+--------+-----------+---------------+
| 1 | 101.11.11.255 | NULL  | other | 3799 | 123456 | | NULL | RADIUS Client |
+----+---------------+-----------------+-------+-------+--------+--------+-----------+---------------+
1 row in set (0.00 sec)


Create TEST USER for validating freeradius & mysql installation

We will now create a simple Test USER in mySQL RADIUS DB for verification / test purposes. It will have

  1. Username Password
  2. Mikrotik Rate Limit for Bandwidth Limitation, example 1mb/1mb
  3. Expiration date time
  4. Simultaneous Use set to 1 , to prevent Multiple login of same ID (it requires further modifications in DEFAULT section of sites enabled)
mysql -uroot -pzaib1234
use radius;
INSERT INTO radcheck ( id , UserName , Attribute , op , Value ) VALUES ( NULL , 'zaib', 'Cleartext-Password', ':=', 'zaib');
INSERT INTO radreply (username, attribute, op, value) VALUES ('zaib', 'Mikrotik-Rate-Limit', '==', '1024k/1024k');
INSERT INTO radcheck ( id , UserName , Attribute , op , Value ) VALUES (NULL , 'zaib', 'Expiration', ':=', '13 Jan 2029 11:00');
INSERT INTO radcheck (username,attribute,op,value) VALUES ('zaib', 'Simultaneous-Use', ':=', '1');
exit

effective-software-testing-tips-testers-on-the-go

Testing FREERADIUS connection using FR built-in tools

It’s time that we should test freeradius connectivity. in first Terminal, issue below cmd to start freeradius in DEBUG mode

service freeradius stop
freeradius -X

If FR configurall are configured correctly, then you will see something like below

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 48178
Listening on proxy address :: port 38713
Ready to process requests

If you see Ready to process requests  , than all good to Go, Else it will show you the particular errors and lines that you must FIX in order to proceed further.

Moving forward, Open second Terminal window, & try below cmd’s to test the user credentials/authentication

Test#1 using RADCLIENT tool with particular calling MAC address

echo "User-Name=zaib,User-Password=zaib,Calling-Station-Id=00:0C:29:71:60:DA" | radclient -s localhost:1812 auth testing123

Result:

Sent Access-Request Id 38 from 0.0.0.0:37282 to 127.0.0.1:1812 length 63
Received Access-Accept Id 38 from 127.0.0.1:1812 to 127.0.0.1:37282 length 26
Packet summary:
Accepted : 1
Rejected : 0
Lost : 0
Passed filter : 1
Failed filter : 0

Test#2 using RADTEST tool

radtest zaib zaib localhost 1812 testing123

Result:

Sent Access-Request Id 26 from 0.0.0.0:53486 to 127.0.0.1:1812 length 74
User-Name = "zaib"
User-Password = "zaib"
NAS-IP-Address = 101.11.11.254
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "zaib"
Received Access-Accept Id 26 from 127.0.0.1:1812 to 127.0.0.1:53486 length 26
Session-Timeout = 289854175

Freeradius Debug Window:

Ready to process requests
(0) Received Access-Request Id 57 from 127.0.0.1:56913 to 127.0.0.1:1812 length 63
(0) User-Name = "zaib"
(0) User-Password = "zaib"
(0) Calling-Station-Id = "00:0C:29:71:60:DA"
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "zaib", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) [files] = noop
(0) sql: EXPAND %{User-Name}
(0) sql: --> zaib
(0) sql: SQL-User-Name set to 'zaib'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'zaib' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'zaib' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "zaib"
(0) sql: Expiration := "Jan 13 2029 11:00:00 PKT"
(0) sql: Simultaneous-Use := 1
(0) sql: Calling-Station-Id := "00:0C:29:71:60:DA"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'zaib' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'zaib' ORDER BY id
(0) sql: User found in radreply table, merging reply items
(0) sql: Mikrotik-Rate-Limit == "1024k/1024k"
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.27-0ubuntu0.18.04.1, protocol version 10
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'zaib' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'zaib' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
(0) [sql] = ok
(0) if (notfound){
(0) if (notfound) -> FALSE
(0) expiration: Account will expire at 'Jan 13 2029 11:00:00 PKT'
(0) [expiration] = ok
(0) if (userlock){
(0) if (userlock) -> FALSE
(0) [pap] = updated
(0) if (&request:Calling-Station-Id != &control:Calling-Station-Id) {
(0) if (&request:Calling-Station-Id != &control:Calling-Station-Id) -> FALSE
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section session from file /etc/freeradius/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> zaib
(0) sql: SQL-User-Name set to 'zaib'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'zaib' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'zaib' AND acctstoptime IS NULL
rlm_sql (sql): Released connection (3)
(0) [sql] = ok
(0) } # session = ok
(0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(0) sql: EXPAND %{User-Name}
(0) sql: --> zaib
(0) sql: SQL-User-Name set to 'zaib'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, reply_msg, authdate, nasipaddress, mac) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%{reply:Reply-Message}', '%S', '%{NAS-IP-Address}', '%{Calling-Station-Id}')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, reply_msg, authdate, nasipaddress, mac) VALUES ( 'zaib', 'zaib', 'Access-Accept', '', '2019-11-07 15:58:05', '127.0.0.1', '00:0C:29:71:60:DA')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, reply_msg, authdate, nasipaddress, mac) VALUES ( 'zaib', 'zaib', 'Access-Accept', '', '2019-11-07 15:58:05', '127.0.0.1', '00:0C:29:71:60:DA')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(0) [sql] = ok
(0) [exec] = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 57 from 127.0.0.1:1812 to 127.0.0.1:56913 length 0
(0) Session-Timeout = 289854115
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 57 with timestamp +2
Ready to process requests

Above output shows OK status. You can inspect any errors in the freeradius config or with the user credentials here like, invalid mac, expiratione etc


Workaround to open existing session in RADACCT

welcoem_back_500x143

When there is an disconnection between NAS & RADIUS, following situation will be observed

NAS:

User session will be online on NAS, but NAS will not send interim updates to the Radius because communication between NAS/Radius is lost

RADIUS:

Radius will not receive any interim updates from the NAS & his session will keep alive (acctstoptime IS NULL), But for some local requirements we scheduled a bash script which checks stale session checking last acct update time . Example if the radius doesn’t receives interim update for 10 minutes, it will close this user session in radacct table by setting acctstoptime to current date/time.

Now when the connectivity restore between the NAS & Radius, and since NAS has this user online, it will send Interim Update to the radius, BUT our radius have closed this session already earlier (via bash script), therefore this update packet will only update the old entry using unique acct ID, but acctstoptime will not be set to NULL.

This will create confusion for frontend, because when you will search online users by searching entries whose acctstoptime is NULL. this session will not appear which will create FALSE assumption on your frontend that this user is offline whereas this user is actually online in NAS.

To settle this , I made some dirty workaround by poking in freeradius SQL queries.conf  file. I am not aware if this trick is is already being used or not,but its working fine on my end.

Add below code

acctstoptime = NULL, \

in queries.conf

Edit file by

nano /etc/freeradius/mods-config/sql/main/mysql/queries.conf
interim-update {
#
# Update an existing session and calculate the interval
# between the last data we received for the session and this
# update. This can be used to find stale sessions.
#
query = "\
UPDATE ${....acct_table1} \
SET \
acctupdatetime = (@acctupdatetime_old:=acctupdatetime), \
acctupdatetime = FROM_UNIXTIME(\
%{integer:Event-Timestamp}), \
acctinterval = %{integer:Event-Timestamp} - \
UNIX_TIMESTAMP(@acctupdatetime_old), \
acctstoptime = NULL, \
framedipaddress = '%{Framed-IP-Address}', \
framedipv6address = '%{Framed-IPv6-Address}', \
framedipv6prefix = '%{Framed-IPv6-Prefix}', \
framedinterfaceid = '%{Framed-Interface-Id}', \
delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \
acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \
<< 32 | '%{%{Acct-Input-Octets}:-0}', \
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \
<< 32 | '%{%{Acct-Output-Octets}:-0}' \
WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"

& as always reload freeradius

service freeradius reload


Prevent Multiple User login [ Simultaneous Login :=1 ]

To prevent multiple login for same user , we have to first enable SQL base session logging , so that our control can check the session details for already logged in user

Edit file

nano /etc/freeradius/sites-enabled/default

& then uncomment sql under session { section

# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
sql

Now we need to add UNLAG query in DEFAULT config to check for MAC address if control is defined in RADCHECK table

edit file

nano /etc/freeradius/sites-enabled/default

Under authorize { section, add below code

if (&request:Calling-Station-Id != &control:Calling-Station-Id) {
update reply {
Reply-Message := "Incorrect Mac"
}
reject
}

 

 

After every change in config files, reload freeradius by

service freeradius reload

Now you can simulate test using below CMD

RADCLIENT test with particular calling MAC address

echo "User-Name=zaib,User-Password=zaib,Calling-Station-Id=00:0C:29:71:60:DA" | radclient -s localhost:1812 auth testing123

Note: If there is no Calling-Station-ID defined in RADCHECK , test will success and in FREERADIUS Debug log, you will see line that failed to evaluate control. but user will be able to connect if no mac defined in radcheck.


Modifying RADPOSTAUTH section for recording user login attempts in sql table

To record all users login attempts with our customized RADPOSTAUTH table, we can following

First edit queries.conf in /etc/freeradius/mods-config/sql/main/mysql

nano /etc/freeradius/mods-config/sql/main/mysql/queries.conf

Goto End & search for section (usually its in the last)

#######################################################################
# Authentication Logging Queries
#######################################################################
# postauth_query - Insert some info after authentication
#######################################################################

Delete existing query & use this one


query = "\
INSERT INTO ${..postauth_table} \
(username, pass, reply, reply_msg, authdate, nasipaddress, mac) \
VALUES ( \
'%{SQL-User-Name}', \
'%{%{User-Password}:-%{Chap-Password}}', \
'%{reply:Packet-Type}', \
'%{reply:Reply-Message}', \
'%S', \
'%{NAS-IP-Address}', \
'%{Calling-Station-Id}')"
}

Save and Exit.

Modify RADPOSTAUTH table

Now modify the RADPOSTAUTH table in radius DB so that reply messages can be stored here in the way want it to be

mysql -uroot -pzaib1234
use radius;
SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
DROP TABLE IF EXISTS `radpostauth`;
CREATE TABLE `radpostauth` ( `id` int(11) NOT NULL, `username` varchar(64) NOT NULL DEFAULT '', `pass` varchar(64) NOT NULL DEFAULT '', `reply` varchar(256) NOT NULL DEFAULT '', `reply_msg` varchar(256) DEFAULT NULL, `authdate` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, `nasipaddress` varchar(100) DEFAULT NULL, `mac` text ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
ALTER TABLE `radpostauth` ADD PRIMARY KEY (`id`), ADD KEY `username` (`username`(32));
ALTER TABLE `radpostauth` MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=12;
exit

As always reload freeradius service after any modification in the configuration files using

service freeradius reload

Try to auth any user and then look into RADPOSTAUTH table & you will see entries like


mysql> select * from radpostauth;
+----+-----------+-------+---------------+-------------------------------------------+---------------------+---------------+-------------------+
| id | username | pass | reply | reply_msg | authdate | nasipaddress | mac |
+----+-----------+-------+---------------+-------------------------------------------+---------------------+---------------+-------------------+
| 14 | zaib | zaib | Access-Accept | | 2019-11-05 19:21:37 | 127.0.0.1 | 00:0C:29:35:F8:2F |
| 15 | zaib | zaib | Access-Accept | | 2019-11-05 19:21:50 | 127.0.0.1 | 00:0C:29:35:F8:21 |
| 16 | zaib | zaib | Access-Reject | | 2019-11-05 19:22:12 | 127.0.0.1 | 00:0C:29:35:F8:21 |
| 17 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-05 19:23:51 | 127.0.0.1 | 00:0C:29:35:F8:21 |
| 18 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-05 19:23:57 | 127.0.0.1 | 00:0C:29:35:F8:2F |
| 19 | zaib | zaib | Access-Accept | | 2019-11-05 19:24:14 | 127.0.0.1 | 11:11:11:11:11:11 |
| 20 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-05 19:24:21 | 127.0.0.1 | 00:0C:29:35:F8:2F |
| 21 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-05 19:25:23 | 127.0.0.1 | 00:0C:29:35:F8:2F |
| 22 | zaib | zaib | Access-Accept | | 2019-11-05 19:25:29 | 127.0.0.1 | 11:11:11:11:11:11 |
| 23 | zaib | zaib | Access-Reject | Your account has expired=2C zaib | 2019-11-05 19:25:44 | 127.0.0.1 | 11:11:11:11:11:11 |
| 24 | zaib | zaib | Access-Accept | Account Expired | 2019-11-05 19:26:16 | 127.0.0.1 | 11:11:11:11:11:11 |
| 25 | zaib | zaib | Access-Accept | Account Expired | 2019-11-05 19:26:25 | 101.11.11.254 | |
| 26 | zaib | zaib | Access-Accept | Account Expired | 2019-11-05 19:27:22 | 101.11.11.254 | |
| 27 | zaib | zaib1 | Access-Reject | Account Expired | 2019-11-05 19:27:41 | 101.11.11.254 | |
| 28 | zaib1 | zaib | Access-Reject | | 2019-11-05 19:27:55 | 101.11.11.254 | |
| 29 | zaib1 | zaib | Access-Reject | Username not found | 2019-11-05 19:29:04 | 101.11.11.254 | |
| 30 | zaib | zaib1 | Access-Reject | Account Expired | 2019-11-05 19:29:12 | 101.11.11.254 | |
| 31 | zaib | zaib1 | Access-Reject | Account Expired | 2019-11-05 19:30:28 | 101.11.11.254 | |
| 32 | zaib | zaib1 | Access-Reject | Wrong Password | 2019-11-05 19:30:46 | 101.11.11.254 | |
| 33 | zaib1 | zaib | Access-Reject | Username not found | 2019-11-05 19:30:54 | 101.11.11.254 | |
| 34 | zaib1 | zaib | Access-Reject | Username not found | 2019-11-05 19:32:45 | 101.11.11.254 | |
| 35 | zaib | zaib | Access-Accept | | 2019-11-05 19:32:51 | 101.11.11.254 | |
| 36 | zaib | zaib | Access-Accept | | 2019-11-05 19:33:01 | 101.11.11.254 | |
| 37 | zaib | zaib | Access-Reject | You are already logged in - access denied | 2019-11-05 19:33:57 | 101.11.11.254 | |
| 38 | zaib | zaib | Access-Accept | | 2019-11-05 19:35:21 | 101.11.11.254 | |
| 39 | zaib | zaib | Access-Accept | | 2019-11-05 19:35:28 | 127.0.0.1 | 11:11:11:11:11:11 |
| 40 | zaib | zaib | Access-Accept | | 2019-11-05 19:35:51 | 127.0.0.1 | |
| 41 | zaib | | Access-Reject | Incorrect Mac | 2019-11-05 19:37:23 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 42 | zaib | | Access-Accept | | 2019-11-05 19:37:38 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 43 | zaib | | Access-Reject | Incorrect Mac | 2019-11-05 19:39:13 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 44 | zaib | zaib | Access-Reject | You are already logged in - access denied | 2019-11-06 08:37:04 | 101.11.11.254 | |
| 45 | zaib | zaib | Access-Accept | | 2019-11-06 08:37:24 | 101.11.11.254 | |
| 46 | zaib | | Access-Reject | Incorrect Mac | 2019-11-07 07:56:07 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 47 | zaib | | Access-Reject | You are already logged in - access denied | 2019-11-07 07:57:03 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 48 | zaib | | Access-Accept | | 2019-11-07 07:57:18 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 49 | zaib@zaib | | Access-Reject | Wrong Password | 2019-11-07 07:57:23 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 50 | zaib@zaib | | Access-Accept | | 2019-11-07 08:00:37 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 51 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-07 15:54:53 | 127.0.0.1 | 11:11:11:11:11:11 |
| 52 | zaib | zaib | Access-Accept | | 2019-11-07 15:56:12 | 127.0.0.1 | 00:0C:29:71:60:DA |
| 53 | zaib | zaib | Access-Accept | | 2019-11-07 15:57:05 | 101.11.11.254 | |
| 54 | zaib | zaib | Access-Accept | | 2019-11-07 15:58:05 | 127.0.0.1 | 00:0C:29:71:60:DA |
+----+-----------+-------+---------------+-------------------------------------------+---------------------+---------------+-------------------+

Unable to login with username like zaib@zaib

If you are unable to login with username like z@ib@zaib , then disable the filter_username module under authorize { section

edit file

nano /etc/freeradius/sites-enabled/default

Navigate to authorize { section, & comment the filter_username

authorize {
#
# Take a User-Name, and perform some checks on it, for spaces and other
# invalid characters. If the User-Name appears invalid, reject the
# request.
# See policy.d/filter for the definition of the filter_username policy.

# filter_username

Mikrotik-Rate-Limit not working with FR 3
(Updated on 9-NOV-2019)

Today I encountered issue at local network, where radius was not sending the Mikrotik-Rate-Limit syntax to the NAS. After doing some troubleshooting it came to my knowledge that you have to change op value from == to := , Example

Mikrotik-Rate-Limit := 1024k/1024k

Trimming RADACCT table to make it SLIM & blazing Responsive

greensboro-tree-solutions-tree-trimming-1-1024x683

Over the period of time, radacct table will grow enormously. This can slow down many queries , therefore its a good idea to move all closed session entries (NOT NULL) to another table like radacct_archive. I created following bash script which helped me to sort many issues.

Note: Make sure to change credentials section

mkdir /temp
touch /temp/radacct_trim.sh
chmod +x /temp/radacct_trim.sh
nano /temp/radacct_trim.sh

& copy paste following

#!/usr/bin/env bash
####!/bin/sh
#set -x
#MYSQL DETAILS
DATE=`date`
logger radacct_trim script started $DATE
SQLUSER="root"
SQLPASS="YOUR_PASSWORD"
DB="radius"
TBL_ARCH="radacct_archive"
TBL_ARCH_EXISTS=$(printf 'SHOW TABLES LIKE "%s"' "$TBL_ARCH")
MONTHS="12"
export MYSQL_PWD=$SQLPASS
CMD="mysql -u$SQLUSER --skip-column-names -s -e"
# This is one time step.
echo "
Script Started @ $DATE
"
echo "- Step 1 : Checking for DB: $DB / TABLE: $TBL_ARCH ..."
DBCHK=`mysqlshow --user=$SQLUSER $DB | grep -v Wildcard | grep -o $DB`
if [ "$DBCHK" == "$DB" ]; then
echo " > $DB DB found"
else
echo " > $DB not found. Creating now ..."
$CMD "create database if not exists $DB;"
fi
if [[ $(mysql -u$SQLUSER -e "$TBL_ARCH_EXISTS" $DB) ]]
then
echo " > $TBL_ARCH TABLE found IN DB: $DB"
else
echo " > $TBL_ARCH TABLE not found IN DB: $DB / Creating now ..."
$CMD "use $DB; create table if not exists $TBL_ARCH LIKE radacct;"
fi

# Start Action: copy data from radacct to new db/archive table
NOTULL_COUNT=`$CMD "use $DB; select count(*) from radacct WHERE acctstoptime is not null;"`
echo "- Step 2 : Found $NOTULL_COUNT records in radacct table , Now copying $NOTULL_COUNT records to $TBL_ARCH table ..."
$CMD "use $DB; INSERT IGNORE INTO $TBL_ARCH SELECT * FROM radacct WHERE acctstoptime is not null;"
echo "- Step 3 : Deleting $NOTULL_COUNT records old data from radacct table (which have acctstoptime NOT NULL) ..."
# --- Now Delete data from CURRENT RADACCT table so that it should remain fit and smart ins size
$CMD "use $DB; DELETE FROM radacct WHERE acctstoptime is not null;"
echo "- Step 4 : Copying old data from $TBL_ARCH older then $MONTHS months ..."
# --- Now Delete data from RADACCT_ARCHIVE table so that it should not grow either more than we required i.e 1 Year - one year archived data is enough IMO
$CMD "use $DB; DELETE FROM $TBL_ARCH WHERE date(acctstarttime) < (CURDATE() - INTERVAL $MONTHS MONTH);"
DATE=`date`
logger radacct_trim script ended with $NOTULL_COUNT records processed for trimming @ $DATE
echo "
radacct_trim script ended with $NOTULL_COUNT records processed for trimming @ $DATE"

Schedule this BASH script to run every minute (or as per required)

1 * * * * /temp/radacct_trim.sh

Check for STALE Sessions in RADACCT [for FR ver3 in particular]

This bash script will close sessions in RADACCT whose interim updates have not received in last XX minutes. You can schedule it to run every minute or as required

#!/usr/bin/env bash
###!/bin/sh
#set -x
#trap "set +x; set -x" DEBUG
# BASH base script to close STALE sessions from freeradius, whose accounting is not updated in last X minutes in RADACCT table
# By Syed Jahanzaib
# CREATED on : 25-July-2018
# Local Variables

# Mysql credentials
SQLID="root"
SQLPASS="YOUR_PASSWORD"
export MYSQL_PWD=$SQLPASS
CMD="mysql -u$SQLID --skip-column-names -s -e"
DB="radius"
INTERVAL="11"
DB="radius"
#Table which contain main users information
TBL="users"
#Rad user group in which we will update user profile like from 1mb to expired or likewise
TBL_LOG="log"
STALE_USR_LIST="/tmp/stale_sessions.txt"
# Date Time Variables
DATE=$(date +%d-%m-%Y)
DT_HMS=$(date +'%H:%M:%S')
FULL_DATE=`date`
CURR_HOUR=$(date +%H)
TODAY=$(date +"%Y-%m-%d")
WEEK=`date -d "-1000 days" '+%Y-%m-%d'`
BEGIN="1970-01-01"
H=$(date +'%-H')

#Check and close session for staleness
$CMD "use $DB; select username,radacctid,nasipaddress from radacct WHERE acctstoptime IS NULL AND acctupdatetime  $STALE_USR_LIST
# IF no user found , show error and exit - zaib
CHK=`wc -m $STALE_USR_LIST | awk {'print $1}'`
if [ "$CHK" -eq 0 ]
then
echo "No stall sesion found (which accounting session have not updated in last $INTERVAL minutes) , exiting ..."
exit 1
fi
$CMD "use $DB; UPDATE radacct SET acctstoptime = NOW(), acctterminatecause = 'Clear-Stale-Session' WHERE acctstoptime IS NULL AND acctupdatetime /dev/null 2>&1

WordPress is not letting pasting of code. look for this line

wp post problem.PNG


TIPS for MYSQL:

following are some mySQL tuning made according to the hardware. These are just my assumptions that this setting will work fine. However you may tune your setup according to your hardware. Install & run MYSQLTUNER tool which will better guide you as per the actual hardware/software scneario.

/etc/mysql/mysql.conf.d/mysqld.cnf

[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
bind-address = 127.0.0.1
skip_name_resolve
key_buffer_size = 4G
thread_stack = 192K
thread_cache_size = 8
myisam-recover-options = BACKUP
max_connections = 2000
table_open_cache = 15000
query_cache_limit = 200M
query_cache_size = 0
query_cache_type = 0
#log_error = /var/log/mysql/error.log
expire_logs_days = 10
max_binlog_size = 100M
innodb_buffer_pool_size = 22G
innodb_log_file_size = 11G
innodb_buffer_pool_instances = 22

MYSQLTUNER to see mySQL performance

It is good idea to install mysqltuner

apt-get install mysqltuner

Let your mysql Run for 1-2 days, then run this tool

mysqltuner

MYSQL FIND ENGINE TYPE FOR DB

mysql -uroot -pzaib1234
use radius;
SHOW TABLE STATUS\G

OUTPUT:

mysql> SHOW TABLE STATUS\G
*************************** 2. row ***************************
Name: radacct
Engine: InnoDB
Version: 10
Row_format: Dynamic
Rows: 1
Avg_row_length: 16384
Data_length: 16384
Max_data_length: 0
Index_length: 212992
Data_free: 0
Auto_increment: 2323234
Create_time: 2019-11-05 19:06:21
Update_time: 2019-11-07 10:27:08
Check_time: NULL
Collation: latin1_swedish_ci
Checksum: NULL
Create_options:
Comment:

In above OUTPUT, You can see the type, with 5.5+ its generally innodb

 


Monitor Disk Read Write

To monitor all disks read/write speed install this tool

apt-get install -y iotop

Run it using below cmd

iotop -o

HTOP – Monitor ALL Processes / CPU Cores Usage Monitor

install this

apt-get install -y htop
htop

Additional:

Doing Stress Test on Radius using BASH scripts

stress test on fr 3

FREERADIUS Stress Test Using BASH script – Zaib


TIP:

Installing Freeradius latest version 3.0.21 on Ubuntu 16.4 Server

echo "deb http://packages.networkradius.com/releases/ubuntu-xenial xenial

main" >> /etc/apt/sources.list

apt-get update

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x41382202

sudo apt-get update

apt-get -y install freeradius freeradius-mysql freeradius-utils

Regard’s
Syed Jahanzaib

August 7, 2019

Exploiting Mikrotik for Good ?

Filed under: Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 11:30 AM

mikrotik exploit logo.png

Last updated: 7-AUGUST-2019 / 1400 hours

Note: Lot have been written on this vulnerability & this is not something NEW, but this vulnerability helped us in accessing one of our remote site old router with forgotten credentials.


In our remote branch network , we had installed one Mikrotik small box RB750 for branch to HO connectivity. This small unit was installed few years back & we never looked into it again. Recently we needed to make some configuration changes but following some bad practices we didn’t added this particular mikrotik in our centralized automated backup system & we didn’t noted down the credentials & IP configurations of its VPN settings after its deployment considering it less important.

Luckily it was running old firmware which was exploitable dueto to its critical WinBox vulnerability (CVE-2018-14847) which allows for arbitrary file read of plain text passwords.


Index of this post

  1. Vulnerable Versions
  2. Requirements
  3. Executing scripts in linux
  4. Results
  5. Securing older version with firewalling
  6. Securing the Mikrotik Router at basics

Vulnerable Versions

Versions affected:

  • Affected all bugfix releases from 6.30.1 to 6.40.7, fixed in 6.40.8 on 2018-Apr-23
  • Affected all current releases from 6.29 to 6.42, fixed in 6.42.1 on 2018-Apr-23
  • Affected all RC releases from 6.29rc1 to 6.43rc3, fixed in 6.43rc4 on on 2018-Apr-23

For more information see: https://blog.mikrotik.com/security/winbox-vulnerability.html

Using this exploit we were able to recover the password and after changes we upgraded it immediately.

We can use Windows or Linux to remotely exploit the older mikrotik firmware to query for all user accounts.


Requirements:

The scripts can be run using PYTHON version 3+ & I have uploaded the scripts @ my Google Drive.


Driving in Linux !

  • I have tested it with Ubuntu ver 12 & 16
sudo apt-get update
sudo apt-get install python3

Now extract scripts in any temp folder.

Executing the scripts …

Extract users details using the Remote Mikrotik IP address [default 8291 port]

python3 WinboxExploit.py 10.0.0.1

Extract users details using the Remote Mikrotik IP address [custom port]

python3 WinboxExploit.py 10.0.0.1 1122

Discover Mikrotik on the network

(it will scan the network for Mikrotik, may take some time, or you can press CTRL+C to exit)

python3 MACServerDiscover.py

 

Extract users details using the Remote Mikrotik MAC Address

python3 MACServerExploit.py e4:8d:8c:9a:ed:11

Results:

mikrotik winbox exploit results.PNG

 

If the firmware is latest or not exploitable, it will give error “Exploit failed


# Securing older version with firewalling

If you dont want to upgrade, than at least use firewall filter to secure older versions……

/ip firewall filter
add action=reject chain=input comment="block CVE-2018-14847 exploit by z@ib" content=user.dat
add action=drop chain=input content="user.dat"

# Securing the Mikrotik Router at basics

  • TOP OF THE LINE THING TO DO : apply port scanning filtering !
  • Remotely Accessible Router Services should be limited to few addresses/interfaces
  • Never use default ports for Winbox / SSH & other services
  • Change there ports number to preferably higher unused ports like 50000 or above or likewise
  • If not in use, Disable all services like FTP / SSH & others
  • Never use default usernames like ADMIN , disable or delete them, and make alternate admin accounts with difficult passwords

Disable following

  • MAC-telnet services
    /tool mac-server set allowed-interface-list=none
  • MAC-Winbox
    /tool mac-server mac-winbox set allowed-interface-list=none
  • MAC-Ping service
    /tool mac-server ping set enabled=no
  • MikroTik Neighbor discovery protocol
    /ip neighbor discovery-settings set discover-interface-list=none
    /ipv6 nd set [find] disabled=yes
  • DNS cache
    /ip dns set allow-remote-requests=no
  • Socks proxy
    /ip proxy set enabled=no
    /ip socks set enabled=no
  • UPNP service
    /ip upnp set enabled=no
  • MikroTik dynamic name service or ip cloud
    /ip cloud set ddns-enabled=no update-time=no
  • Enable More Secure SSH access
    /ip ssh set strong-crypto=yes

Regard’s
Syed Jahanzaib

« Newer PostsOlder Posts »

%d bloggers like this: