By using this icon on my website I am stating…

1. That I am opposed to the use of corporate advertising on blogs.

2. That I feel the use of corporate advertising on blogs devalues the medium.

3. That I do not accept money in return for advertising space on my blog.

Signed,

Robert Juric

I did some more research and discovered the use of a library called SharpSSH in Powershell. Now this is what I was looking for. In his post, Joel wrote a few Powershell functions using the SharpSSH library. All I have to do is store the DLLs some place and update the script with their location. The Invoke-SSH function he wrote closely mimics Expect scripts. You run a command and then ‘expect’ the prompt. This allows the function to know when the command is complete, something I was seriously hurting for using PLink.

I’m a firm believer in not re-inventing the wheel, so what I did was take Joel’s functions and use them in a manner that would benefit myself and maybe other network admins. Let me walk you through a quick script I wrote utilizing Joel’s functions:

First I want to create my SSH session:

New-SshSession root 192.168.1.1 ## Will be prompted for password
if (Receive-SSH '%')
{
#root prompt
Write-Host "Logged in as root. Starting CLI."
$a = Invoke-SSH "cli" '>'
$rootlogin = 'true'
}

Now you may ask why I created the if statement to check if I received the % prompt. If you’re a Juniper engineer then you would know that % is the shell prompt you receive if you log in as root. I know I hard-coded sending the root username, but in future posts I will share a snippet that will allow for more dynamic entry of username/password combos, and if it happens to be the root user, then we would like to send CLI to start the CLI and enter operational mode. The Invoke-SSH function sends command ‘cli’ and expects the operational prompt >. I used the variable to call the function because I didn’t want it to write any output at this time so I capture it in the variable and sit on it. I also set a variable to true if logged in as root, for use later in the script.

Next I want to download the entire config for my backup folder:

#Invoke-SSH outputs the command(first line), the output, and the expected string line(EOF)
$a = Invoke-SSH "show config | no-more" '>'
$a|out-file showconfig.txt
Write-Host "Config Backup Complete."

Here I use a variable to call the Invoke-SSH function and send the command “show config | no-more”. Once the command is done executing we should be back at the operational mode prompt, therefore I expect >. I then use out-file to write the variable to a text file, and write-host to display a little status message.

I then want to cleanly close out the session:

#Extra exit when logged in as root.
if ($rootlogin='true')
{
Write-Host "Exiting CLI."
Send-SSH exit
}
Write-Host "Terminating Session."
Remove-SshSession #Will send exit.

If I previously set the variable of rootlogin to ‘true’, then my I need an extra exit to get back to the shell prompt before my final exit closing the session.

This post is not intended to be an introduction to Powershell or scripting in general. There are better places for that. I just wanted to share an example of how you can use Powershell + SharpSSH to make your life a little easier. This script was written for Junos devices, however it could easily be modified for IOS devices, or any device for that matter.This example was a basic, single device, config backup script. I have some great snippets I will be sharing in future posts that can bolt on to make a more powerful script.

If you want the entire script, including Joel’s functions:

## USING the binaries from:
## http://downloads.sourceforge.net/sharpssh/SharpSSH-1.1.1.13.bin.zip
[void][reflection.assembly]::LoadFrom( (Resolve-Path "D:\Scripts\Libraries\Tamir.SharpSSH.dll") )

## NOTE: These are bare minimum functions, and only cover ssh, not scp or sftp
##       also, if you "expect" something that doesn't get output, you'll be completely stuck.
##
## As a suggestion, the best way to handle the output is to "expect" your prompt,  and then do
## select-string matching on the output that was captured before the prompt.

function New-SshSession {
Param(
[string]$UserName
,  [string]$HostName
,  [string]$RSAKeyFile
,  [switch]$Passthru
)
if($RSAKeyFile -and (Test-Path $RSAKeyFile)){
$global:LastSshSession = new-object Tamir.SharpSsh.SshShell `
$cred.GetNetworkCredential().Domain,
$cred.GetNetworkCredential().UserName
$global:LastSshSession.AddIdentityFile( (Resolve-Path $RSAKeyFile) )
}
else {
$cred = $host.UI.PromptForCredential("SSH Login Credentials",
"Please specify credentials in user@host format",
"$UserName@$HostName","")
$global:LastSshSession = new-object Tamir.SharpSsh.SshShell `
$cred.GetNetworkCredential().Domain,
$cred.GetNetworkCredential().UserName,
$cred.GetNetworkCredential().Password
}

$global:LastSshSession.Connect()
$global:LastSshSession.RemoveTerminalEmulationCharacters = $true
if($Passthru) {
return $global:LastSshSession
}
}

function Remove-SshSession {
Param([Tamir.SharpSsh.SshShell]$SshShell=$global:LastSshSession)
$SshShell.WriteLine( "exit" )
sleep -milli 500
if($SshShell.ShellOpened) { Write-Warning "Shell didn't exit cleanly, closing anyway." }
$SshShell.Close()
$SshShell = $null
}

function Invoke-Ssh {
Param(
[string]$command
,  [regex]$expect ## there ought to be a non-regex parameter set...
,  [Tamir.SharpSsh.SshShell]$SshShell=$global:LastSshSession
)

if($SshShell.ShellOpened) {
$SshShell.WriteLine( $command )
if($expect) {
$SshShell.Expect( $expect ).Split("`n")
}
else {
sleep -milli 500
$SshShell.Expect().Split("`n")
}
}
else { throw "The ssh shell isn't open!" }
}

function Send-Ssh {
Param(
[string]$command
,  [Tamir.SharpSsh.SshShell]$SshShell=$global:LastSshSession
)

if($SshShell.ShellOpened) {
$SshShell.WriteLine( $command )
}
else { throw "The ssh shell isn't open!" }
}

function Receive-Ssh {
Param(
[RegEx]$expect  ## there ought to be a non-regex parameter set...
,  [Tamir.SharpSsh.SshShell]$SshShell=$global:LastSshSession
)
if($SshShell.ShellOpened) {
if($expect) {
$SshShell.Expect( $expect ).Split("`n")
}
else {
sleep -milli 500
$SshShell.Expect().Split("`n")
}
}
else { throw "The ssh shell isn't open!" }
}

#Script Start
New-SshSession root 192.168.1.1 ## Will be prompted for password
if (Receive-SSH '%')
{
#root prompt
Write-Host "Logged in as root. Starting CLI."
$a = Invoke-SSH "cli" '>'
$rootlogin = 'true'
}
#Invoke-SSH outputs the command(first line) and the expected string line(EOF)
$a = Invoke-SSH "show config | no-more" '>'
$a|out-file showconfig.txt
Write-Host "Config Backup Complete."
$b = Invoke-SSH "show version" ">"
$b|out-file showversion.txt
Write-Host "Show Version Complete."

#Extra exit when logged in as root.
if ($rootlogin='true')
{
Write-Host "Exiting CLI."
Send-SSH exit
}
Write-Host "Terminating Session."
Remove-SshSession #Will send exit.

First in Windows Server 2008, Microsoft removed support for EAP-MD5 authentication. However you can re-add this support to NPS by modifying the registry according to Microsoft KB922574.

Because phones are the exception to my normal radius policies, I used a separate Connection Request Policy for VOIP phones. I created one with the condition to match UserName = “CP-*”. This should ensure that this policy only applies to Cisco phones(because all their usernames start with CP-*).

Next we need to shorten the username which the phone sends so that we can match it to a valid Windows Domain Account. To do this we use the separate VOIP Connection Request Policy. Under Settings > Attributes we need to override the Username attribute using a match and replace. For example we find “CP-7975G-” and replace with “”. This will essentially remove the first part of the username and leave us with the “SEP…” username. A separate match will have to be configured for every model of Cisco phone which needs to be authenticated.

Finally we need to configure the authentication methods. Under Settings > Authentication Methods we want to Override Network Policy Authentication Settings. We add the EAP Type “MD5-Challenge” and then check Encrypted Authentication (CHAP). This allows us to use a single Network Policy and override it when necessary using our VOIP Connection Request Policy.

The only thing left to do is ensure that a Windows Domain Account is created and the Account Password is Stored using Reversible Encryption. Then enter the account password as the MD5 shared secret on the phone, turn Dot1x on the port and you’re good to go. If you’re using a Cisco switch, ensure you have dual-host authentication enabled so you can also authenticate a computer hanging off the phone.

If you need a little help troubleshooting NPS and can’t find events in MS Event Viewer from CMD Prompt, Run As Admin, type: “auditpol /set /subcategory:”Network Policy Server” /success:enable /failure:enable”. NPS logs are in Event Viewer/CustomViews/Server Roles/Network Policy Server

Here’s an excerpt:

The concert hall at the Syndey Opera House holds 2,700 people. This blog was viewed about 21,000 times in 2011. If it were a concert at Sydney Opera House, it would take about 8 sold-out performances for that many people to see it.

Click here to see the complete report.

Here is the script I ended up with:

use Net::Ping;
use strict;
open(MYINPUTFILE, "hosts.txt");
my(@hosts) = <MYINPUTFILE>;
my($host);
foreach $host (@hosts) {
	$host =~ s/s+$//; #strip newline character from variable
	my $pingobj = Net::Ping->new('icmp');
	my ($status,$time,$ip) = $pingobj->ping($host);
	if ($status) {
		print "Host $host ($ip) responded in $time secondsn";
	} else {
		print "Host $host ($ip) unreachablen";
	}
}
close(MYINPUTFILE);

And the results:

I created a hosts.txt file and put it alongside the script and for testing purposes I tried a few different formats for host entries as well as a “null” value to make sure the script was working as designed. I hope you can pick up where I am headed with this building block. This script will be the basis for more advanced scripts such as automating changes to multiple devices.

For my scripting setup I will be focusing on a Windows perspective. Instead of using ActivePerl I decided to use Cygwin and the Perl modules, so hopefully most of what I write will also apply to *nix users. I’m also using Notepad++ for my editing/coding, but you could also use the default Windows Notepad or if you want to be hardcore, Cygwin and VIM. I may include some VIM tips/shortcuts in future posts.

My first Perl script is not “Hello, World”, but instead a simple Ping script. I used Net::Ping to conduct a simple ICMP Ping and then output the results. The example I first used had a hard-coded variable for the host, which I left commented out for reference purposes. Instead, I added a line to receive a command line argument for the host variable.

use Net::Ping;
use strict;

#Setting a variable
#my $host = "www.google.com";

#Using an arguement
my $host = "$ARGV[$0]";
my $pingobj = Net::Ping->new('icmp');
my ($status,$time,$ip) = $pingobj->ping($host);

if ($status) {
print "Host $host ($ip) responded in $time secondsn";
} else {
print "Host $host ($ip) unreachablen";
}

Voila!

I plan on using this script as a building block to test connectivity before performing more complex tasks in the future. Hopefully this will motivate somebody to get their hands dirty and add another tool to their skill set.

Enter Hurricane Electric and their free IPv6 tunnel broker service at http://tunnelbroker.net/. This is a free service that allows you to build a 6to4 tunnel to their network which then acts as your IPv6 gateway. 6to4 tunneling (RFC 3056 http://tools.ietf.org/html/rfc3056) is an IPv6 transition mechanism which allows IPv6 packets to be encapsulated (aka tunneled) within IPv4 packets to a 6to4 gateway router which is then de-encapsulated and sent on to IPv6 networks. So I registered with HE using my external IPv4 address as the tunnel end-point and was assigned my tunnel endpoints as well as my very own routed /64 block of IPv6 addresses. I was also given an IPv6 DNS server to point to. It was finally time to get IPv6 up and running.

The first thing I needed to do was get my tunnel up and running. On my SRX100 this involved creating an IP tunnel interface, adding an IPv6 static route, and putting the SRX in packet-mode for IPv6 traffic.

interfaces {
   ip-0/0/0 {
      unit 0 {
         tunnel {
            source 99.111.88.228;
            destination 216.66.22.2;
         }
         family inet6 {
            address 2001:470:7:e9e::2/64;
         }
      }
   }
}
routing-options {
   rib inet6.0 {
      static {
         route ::/0 next-hop 2001:470:7:e9e::1;
      }
   }
}
security {
   forwarding-options {
      family {
         inet6 {
            mode packet-based;
         }
      }
   }
}

At that point I could see my tunnel was operational and I was able to ping the remote end of the tunnel. Next I needed to get IPv6 running internally. I decided to use Stateless Address Auto Configuration (SLAAC) for address configuration. Devices running IPv6 will automatically configure for themselves a link-local address. This address is created using the FE80::/64 block + the EIU64 Interface ID. The EIU64 Interface ID is dynamically created using the Ethernet MAC address. The link-local address is required for basic IPv6 operations such as Neighbor Discovery Protocol (NDP) which is used for SLAAC. Basically the link-local address allows for local communication of hosts without configuration in order to facilitate higher-level communications. One thing about link-local address are that they are not globally routable, which means that my computers with only a link-local IPv6 address would not be able to communicate with other IPv6 devices such as web servers.

I needed to use my /64 block of globally routable IPv6 addresses I was given and assign them to my hosts. To do this I needed to configure IPv6 Router Advertisements (RAs) to allow my hosts to use SLAAC and auto-configure themselves an IPv6 address.

interfaces {
   vlan {
      unit 0 {
         family inet {
            address 192.168.1.1/24;
         }
         family inet6 {
            address 2001:470:8:e9e::1/64;
         }
      }
   }
}
protocols {
   router-advertisement {
      interface vlan.0 {
         max-advertisement-interval 20;
         min-advertisement-interval 15;
         prefix 2001:470:8:e9e::/64;
      }
   }
}

Now my hosts have both a link-local and a global IPv6 address and are able to ping through my tunnel. So far I haven’t done enough experimenting to get DHCPv6 working for DNS server assignment so I currently have my hosts DNS servers statically configured. I was then able to go online and check my IPv6 connectivity via http://test-ipv6.com/.

Caveats:
Packet-based forwarding of IPv6 – Still researching the implications of this in regards to security
Had to use Junos 10.4R7.5 to assign family inet6 on vlan interfaces
Still have to experiment with DNS server assignment either through DHCPv6 or some other means
Lack of IPv6 websites/stuff to do
Security Considerations for 6to4 RFC 3964 http://tools.ietf.org/html/rfc3964

Move to Begining of Line
Ctrl+a

Move to End of Line
Ctrl+e

Move Forward a Word
Alt+f

Move Backward a Word
Alt+B

Delete a Line (On Cisco, Only Worked From End of Line)
Ctrl+x or Ctrl+u

Delete a Character (Under Cursor)
Ctrl+d

Delete Word Forward (In Front of Cursor)
Alt+d or Esc+d

Delete Word Backwards (Behind Cursor)
Ctrl+w or Alt+Backspace

Clear Line From Cursor Forward
Ctrl+k

Pass-Through Authentication is limited to Telnet, FTP, and HTTP traffic only(notice these are plain-text protocols). Pass-through auth works by interjecting a login challenge into the original protocol login challenge. For example a user would initiate a telnet connection, the FUA would interject and prompt the security challenge. Once authenticated, traffic from the same source IP is automatically allowed to pass through the SRX(could be dangerous with source NAT). This would allow the telnet connection to continue and the user can authenticate to the telnet host. Once the user has authenticated via FUA the IP address becomes exempt from further FUA requirements. This means that you can create a security policy that matches on ANY traffic type and require FUA; Pass-through authentication only works with Telnet, FTP, or HTTP, however once the IP/user has authenticated then it is exempt from further FUA, and it is then only bound by security policy. I said that to say this: you can use a telnet session to authenticate a user via FUA who, once authenticated, can pass any type of traffic which is allowed by the security policy.

Web Authentication operates in two sub-modes, standard web authentication, and web redirect. Standard web auth first requires you enable the HTTP system service, and also allow http in host-inbound-traffic. With standard web auth, you would direct your users to a secondary IP address of an interface on the SRX. Users would be prompted with an HTTP login form for the FUA. Once authenticated the IP address is added to the exempt list and is able to pass through the firewall as much as security policy allows. The web redirect operates like standard web auth, but you don’t have to hand out an IP address of your firewall or direct users to a separate login page. Web redirect works much like what you’re used to in a hotel room; You open your browser and head to Google.com, and you are automagically redirected to a login page. Once you authenticate you are able to pass through the firewall as much as security policy allows.

With all the authentication methods you are also able to configure a default timeout for inactivity and login/success/failure banners. Web redirect + a login banner would be a great poor-man option for a Guest Wireless NAC. You could hand out the username and password to guests, and they would be prompted with the Acceptable Use Policy before logging in.

All FUA configuration follows the same basic principles: configure an access profile, configure the firewall authentication options, and finally call on the firewall authentication from security policy. (Good to know on an exam).

Configure the access profile (local user database):

set access profile *profile-name* client *name* firewall-user password *pwd*

or (external authentication):

set access profile *profile-name* authentication-order [radius password]
set access profile *profile-name* radius-server *ip-address* secret *radius-secret*

Then configure the authentication type and options:

set access firewall-authentication pass-through default-profile *profile-name*
set access firewall-authentication pass-through [telnet/ftp/http] banner login "You must login"

or

set interface *name* unit 0 family inet address *ip/mask* web-authentication http
set access firewall-authentication web-authentication default-profile *profile-name*
set access firewall-authentication web-authentication banner success "Login successful"

Finally set a permit action of firewall-authentication in the security policy. For pass-through use: “Permit firewall-authentication pass-through client-match *client-name*”. For web auth use: “Permit firewall-authentication web-authentication client-match *client-name*”. For web redirect use the same as pass-through but add a web-redirect argument: “Permit firewall-authentication pass-through web-redirect”.

And finally to verify:

show security firewall-authentication users
show security firewall-authentication history

Junos

We first need to create our address objects:

set security zones security-zone *ZoneName* address-book *AddressName* x.x.x.x/y

Then we need to create our address-set:

set security zones security-zone *ZoneName* address-book address-set *SetName* address *AddressName*

A few caveats, an address-set can only exist when there multiple addresses in the address-book. An address-set can only contain addresses from the same security zone, and also the address-set name cannot be the same as an existing address name.

ScreenOS

First create the address objects:

set address *ZoneName* *AddressName* x.x.x.x/y *Comment*

Then create the address group:

set group address *ZoneName* *GroupName* *Comment*
set group address *ZoneName* *GroupName* add *AddressName*

One thing I noticed in the Junos TechPubs was that when you reference an address-set in policy Junos creates an internal rule for each member, as well as each service. So if you create a policy which references an address-set for both source and destination and also a service group, Junos actually creates multiple internal rules. If you don’t pay attention to the size of your groups you could exceed policy resources even though it appears you have a relatively small number of configured policies.

The main point I want to convey isn’t necessarily how to configure address sets/groups, but to motivate you to use them. It’s standard practice in the Windows AD realm where you rarely want to give an individual user rights to a server, it’s much cleaner to give a security group rights to the server and then manage the membership of that group. This is particularly helpful if the same group will be referenced on multiple servers. The same concept applies to our firewall security policies.

So go forth and simplify your firewall rules…