Default IP address and enable password of a Cisco 887V-W ISR router

This will probably be the case for other Cisco routers as well, but for reasons unknown Cisco has decided to set an enable password on this router. The usual guessing (cisco, Cisco etc.) didn’t work out, so I had to break out the console cable and recover it, as it didn’t seem to be documented anywhere.

It is c. Yes, that’s just that one letter. The IP address was 10.1.1.34.


Tele2 Fiberspeed VDSL with a Cisco modem

I have ordered Fiberspeed from Tele2, an affordable 50/5 VDSL connection. The modem is in, but I’d like to hook it up to a Cisco router. I’ve ordered an 887VW that should do the job and used this hint to gain access to the setup of the Comtrend modem that Tele2 ships. The setup backup file reveals your PPPoE username and password, although I suspect that they’re the same for everyone (username Comtrend, password Q29xxxxxxxxx). If this is indeed the case I’ll post them here later.

Update: Those settings indeed apply to every new modem shipped to a customer. However, once connected it will download a new connection profile with your own PPPoE username and password in it, which you’ll need to set up your Cisco router (or any other router for that matter). As of today the Tele2 Comtrend modem is still vulnerable to the hack listed in the link above, so you should have no problem extracting the username and password. The username ends in @3p.versatel.nl and the password is encoded with base64, which you can safely decode here. Once you have this information it’s time to set up your Cisco router; I posted the required config lines here.

Setting up a Cisco aironet bridge

Setting up a Cisco Aironet bridge should be simple, but the web interface is slow and can issue commands that cannot be processed (like changing the priority for processing EAP requests). I gave up on the Cisco supplied tutorial (can be found here) and set it up through the CLI myself. A good FAQ concerning the Aironet hardware and setup can be found here.

I configured 2 Aironet 1310 outdoor antennas to act as a wireless bridge between 2 LANs. In Europe the allowed transmit power is far more strict than in the USA, so any other antenna than the integrated antenna (like the parabolic dish) will output too much power. I therefore used the (AIR-BR1310G-E-K9) model with the integrated antenna in an autonomous setup (required for bridge functions) to replace the current EnGenius EOC-5610 (discontinued, succeeded by the 5611) antenna that I found to be unreliable. The mounting kit (AIR-ACCRMK1300=) is advised if you plan on using it outdoors; the mounting materials are made out of aluminum and it comes with clear instructions and enough cabling to get you started.

Some stuff you want to know. While most cheap wireless antennas use a proprietary PoE standard over Ethernet, the Aironet uses a proprietary PoE injector over coax. The advantage is that you can mount the power injector inside while placing only the antenna itself outside. The power injector is included with the antenna.

Onwards with the configuration. I used the example from Cisco (mentioned before) to set up simple WEP encryption with Cisco’s LEAP authentication. I configured one AP as a root bridge and used the built-in RADIUS server for LEAP authentication (why oh why isn’t this part of the default IOS?). The non-root bridge connects to the AP and authenticates itself with LEAP, after which the connection is made. I didn’t use VLANs to keep things simple (there’s only 1 subnet to bridge anyway).


Using the Radius server in Mac OS X Server 10.6 for Cisco IOS WebVPN user and group authentication

One of my customers was looking for a simple Cisco WebVPN solution to replace his older EasyVPN. The goals were to increase security (by defining user groups and IP access lists) and to ease deployment for external parties that needed to log onto the VPN. This posed the following problems:

– The Cisco router that was used (a 1921) only supports local users; in order to apply different group policies there had to be group authentication as well.
– Mac OS X 10.6 uses a RADIUS server only to authenticate users on AirPort base stations. Authorization for other devices is not enabled by default and groups are not pushed to other devices.

So… let’s get started! For this to work you’ll need to have your Cisco router connected to your Mac OS X server in some way. I won’t go into the basics of setting up your router, your WebVPN or your Mac OS X server here; there are plenty of tutorials on that on the web already.

First of all we’ll have to alter the configuration of the excellent FreeRADIUS server that Apple ships with Mac OS X Server 10.6. This is easier than it seems. Stop the RADIUS server in the Server Admin utility and browse to the /etc/raddb/ directory. We’ll make changes to 2 files here.

In clients.conf we’ll have to instruct the RADIUS server to accept incoming connections from the Cisco router. This is done by adding the following lines just above the “client localhost {” part:

client 192.168.9.1/32 {
        secret = somesecretyoucameupwith
        shortname = vpn
        nastype = cisco
}

The shortname is the hostname of the router; the IP address is the IP address of the router. Save the file (you’ll need administrator access to do this) but don’t start the RADIUS server just yet. We have to edit the users file (in the same directory) as well in order to push group information to the router.

In the users file you can specify the return values that should be pushed back to the router upon a successful authentication. I looked into the possibility of making the RADIUS server push the default user group to the router, but deemed that far too difficult to make work. Instead I opted to make separate entries for all my users and specify their policy group explicitly. At the bottom of the users file you can add entries like this:

user1   Cleartext-Password := "password"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "webvpn:user-vpn-group=management"

When user1 tries to log in to the WebVPN, the RADIUS server will (upon a successful authentication) push the webvpn:user-vpn-group attribute to the router. This attribute (in this case the group name management) will select the correct policy for the user. Now the RADIUS part is done; start the RADIUS server and see if it runs. If it doesn’t start you probably made a typo somewhere, see below on how to debug it.

Now it’s time to implement RADIUS authentication in the router. First we’ll add the RADIUS server to the config:

radius-server host 192.168.9.12 auth-port 1812 acct-port 1813 key 7 <somesecretyoucameupwith>

The secret needs to be the same as the secret you entered in the clients.conf file.

These are the AAA settings that I used. I first want the router to check for a local account so I can always access it in case the RADIUS server stops working. After that the router will query the RADIUS server to look for valid accounts.

aaa authentication login default local group radius
aaa authorization exec default local
aaa authorization network default local group radius
aaa authorization auth-proxy default group radius cache radius local
aaa accounting auth-proxy default start-stop group radius

From here it’s easy: you can create different policy groups in your webvpn context. In this case I would create a policy group called management for user1 that will allow him to reach certain hosts and see a specific URL list.

policy group management
  url-list "URLs"
  functions svc-enabled
  svc address-pool "sslvpn-pool"
  svc keep-client-installed
  svc split include 192.168.43.0 255.255.255.0
  svc split include 192.168.9.0 255.255.255.0
  svc dns-server primary 8.8.8.8
  svc dns-server secondary 8.8.4.4

Also add the following line to your webvpn context to make sure the RADIUS server is queried for valid accounts:

aaa authentication auto

Now your Cisco will pass on logins to the RADIUS server and receive the correct attribute to select the right group policy for the WebVPN. Nice!

Notes:

– In order for this to work the users specified have to exist both in Open Directory and in the users file.
– I have used ports 1812 and 1813. In older RADIUS implementations ports in the 1600 range were used. Cisco Configuration Professional still suggests these ports, but they don’t work with FreeRADIUS.
– I included the DNS servers as there is a bug in the current version of the AnyConnect client where DNS requests are not correctly forwarded in case of a split tunnel (CSCtf20226).
– If this doesn’t work, first launch the RADIUS server in debug mode on the Mac OS X server to see if the authentication runs well. This can be done by starting a terminal session and launching radiusd -X as root.
– Secondly, use the RADIUS debug feature of the Cisco router to see if the authentication packets that are returned contain the avpair attribute. If the attribute is not included the router will assign the default policy. In my case I removed the default policy as it poses a security risk.
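To catch the last note’s failure mode before a login ever reaches the router, here is a small checker (an added example, not code from the original post) that parses users-file entries in the layout used above and lists every user whose reply items carry no webvpn:user-vpn-group avpair; the sample entries are constructed.

```python
import re

# Constructed sample in the layout used above; user3 deliberately lacks the
# cisco-avpair reply item and would therefore land in the default policy group.
SAMPLE_USERS = """\
# site users
user1   Cleartext-Password := "password"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "webvpn:user-vpn-group=management"

user2   Cleartext-Password := "password2"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "webvpn:user-vpn-group=contractors"

user3   Cleartext-Password := "password3"
        Service-Type = NAS-Prompt-User
"""

GROUP_RE = re.compile(r'cisco-avpair\s*=\s*"webvpn:user-vpn-group=([^"]+)"')


def parse_users(text):
    """Return {username: group_or_None} from users-file text.

    An entry starts at a non-indented line (username plus check items);
    the indented lines that follow are that entry's reply items.
    """
    groups = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or whole-line comment
        if not line[0].isspace():
            current = line.split()[0]
            groups[current] = None
            continue
        if current is None:
            continue  # indented line before any entry; ignore
        m = GROUP_RE.search(line)
        if m:
            groups[current] = m.group(1)
    return groups


def users_without_group(text):
    """Users that would fall through to the WebVPN default policy group."""
    return sorted(u for u, g in parse_users(text).items() if g is None)


if __name__ == "__main__":
    for user, group in parse_users(SAMPLE_USERS).items():
        print(f"{user}: {group or 'NO GROUP (default policy)'}")
```

Run it against /etc/raddb/users before starting radiusd; any name it lists will authenticate but get whatever the default policy group allows.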

A big thanks to the folks on the FreeRADIUS mailing list for their assistance!

SSID with a space in your Cisco config

Everybody says you shouldn’t do it, but no one tells you why, so I will.

You can create a new SSID with a space character in the config like this:

dot11 ssid My Network
  vlan 75
  authentication open
  authentication key-management wpa
  wpa-psk ascii 0 your_great_password

And this seems to be working fine. Since this network isn’t configured as guest-mode you’ll have to manually add it to your client configuration, and this is where the problems arise. Windows Vista, for example, will not log in to this network, not even when the ‘join network when name is not being broadcasted’ check box is selected. So it doesn’t work and you want to change the SSID (and because Cisco tells you to).

And you can’t! Because of the extra space in the SSID there’s no way you can edit this SSID configuration again. When you try to remove it you’re stuck with the same problem. Fortunately there’s a trick: when configuring the dot11radio interface, type the SSID name with square brackets surrounding it to remove it:

no ssid [My Network]

It will disable the SSID from the dot11radio configuration, but it will not remove the entry itself from the configuration (if that were possible you could also edit the entry ;). However, since it’s no longer applied to the interface you can create a new SSID for that VLAN and be home free.

If you want to reload the entire config, be my guest, but I’ve yet to see a customer worry about the way his config looks.

Making your iPhone voicemail key work

If you happen to walk around with an unlocked iPhone, you might want to use the voicemail button in the bottom right corner of your screen to dial your voicemail box with your provider.

To do so, just dial **5005*86*#

Apple Diagnostic Error Messages for MacBooks

A while ago I encountered a MacBook that was prone to random crashes. The log files listed some weird I/O problems in relation to the SMC chip, so I decided to take out the battery. This did resolve the issue. To confirm my suspicions I ran the Apple supplied diagnostics CD and got the following error message:

4SNS/1/40000000:TBOT

After some testing this turns out to be a temperature sensor that is actually embedded in the battery itself. Not having the battery inserted resulted in this error; with the battery everything seems to test OK, so I still don’t know whether the battery is indeed at fault or something else is troubling the MacBook.