Using an NMS app that insists on a Context ID (such as PRTG) but not sure what to use?
Huawei VRP uses a dash or space to refer to the global VPN table’s context. (Tested on an S5720 running V200R011C10SPC600.)
Grace period licensing for extra features such as MPLS or VDC on the Nexus 7000/7700 is uptime based, not calendar based. So cable your lab equipment to a remotely controllable power distribution board and turn it off overnight and at weekends to triple the 120-day grace period. Unsure if this applies to other Nexus or IOS licensing.
Note this doesn’t apply to temporary licences issued by Cisco – they are calendar based.
SSH key authentication is awesome.
If you don’t already have a key, generate one using ‘ssh-keygen’. These details are for OpenSSH on OSX; search for PuTTYgen if you’re on Windows.
You must protect the key with a passphrase. If you don’t want to enter this passphrase every time you connect, you can use an SSH agent. That’s another post.
ianh@bloodshot:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/ianh/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/ianh/.ssh/id_rsa.
Your public key has been saved in /Users/ianh/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ClvUzv0VhbNifvVO4J+yC9/teCTJ7W2z8LIANFaRoTM ianh@bloodshot.ianh.net.au
The key's randomart image is:
+---[RSA 2048]----+
|            ++ ..|
| . o. o.         |
| . .E .o         |
| . oo.+ o o..    |
| . . S..o +.=.   |
|  + . ....* =    |
|   . . o.o Bo    |
|            +o++O|
|             =BB=|
+----[SHA256]-----+
ianh@bloodshot:~$
Once you’ve generated your key, you need to add the public side to the router. To paste the public key in, you need it wrapped onto shorter lines, otherwise IOS will truncate the end. Use ‘fold’ for this (its default width is 80 columns).
ianh@bloodshot:~$ cat .ssh/id_rsa.pub | fold
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgctwEQjbFfIQ0W0F7f2e/zPo8Xkd5++Jol6RTFLQM
wlaCDJFCrQoMjmkNvPzdjIKD63DjQSoM6W6y7OuFV9g6BiXaRgWATLPbxa3mXHLNee06ZesOQblscmxC
tUZMfCwLlRtYYQXEmBximtxk4b5rHKpTS6ft2aUiQbDtDMak1phRdkYI2RtHAZpJ6f+L0a65vEY1nRdz
VRw7VA2WWdBTOXPJrUeLVx9O/rYkKS25o7v4YuNVK3t3PIgysVX12rppq5t9m1VH+/zd1thozr0gR84U
lzCeZ32jvqPeN0/eW0Y8ChkN7d6w+hoeU5ix4okD6oozLH5ltIT9ijY9htCH ianh@bloodshot.ianh
.net.au
ianh@bloodshot:~$
Now add it to the router, pasting in the folded public key from above. Note that the prompt doesn’t make it very clear that this is multi-line data (as it does for a switchport macro or the MOTD banner).
rt1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
rt1(config)#ip ssh pubkey-chain
rt1(conf-ssh-pubkey)#username ianh
rt1(conf-ssh-pubkey-user)#key-string
rt1(conf-ssh-pubkey-data)#ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgctwEQjbFfIQ0W0F7f2e/zPo8Xkd5++Jol6RTFLQM
rt1(conf-ssh-pubkey-data)#wlaCDJFCrQoMjmkNvPzdjIKD63DjQSoM6W6y7OuFV9g6BiXaRgWATLPbxa3mXHLNee06ZesOQblscmxC
rt1(conf-ssh-pubkey-data)#tUZMfCwLlRtYYQXEmBximtxk4b5rHKpTS6ft2aUiQbDtDMak1phRdkYI2RtHAZpJ6f+L0a65vEY1nRdz
rt1(conf-ssh-pubkey-data)#VRw7VA2WWdBTOXPJrUeLVx9O/rYkKS25o7v4YuNVK3t3PIgysVX12rppq5t9m1VH+/zd1thozr0gR84U
rt1(conf-ssh-pubkey-data)#lzCeZ32jvqPeN0/eW0Y8ChkN7d6w+hoeU5ix4okD6oozLH5ltIT9ijY9htCH ianh@bloodshot.ianh
rt1(conf-ssh-pubkey-data)#.net.au
rt1(conf-ssh-pubkey-data)#exit
rt1(conf-ssh-pubkey-user)#exit
rt1(conf-ssh-pubkey)#exit
rt1(config)#exit
rt1#
Now let’s test! Because I’m using OSX, I get asked for the passphrase in a GUI window. Other OSes will ask on the CLI.
ianh@bloodshot:~$ ssh rt1
rt1#
Warning! If you are creating a user that will only ever authenticate with a public key, you still need to configure a password on the IOS device. Otherwise a client can simply skip public-key authentication and log in with an empty password, as shown next. i.e. don’t use ‘username ianh privilege 15’ on its own; you must use ‘username ianh privilege 15 secret stuff’. On IOS/IOS-XE releases that support it, ‘ip ssh server algorithm authentication publickey’ takes the password and keyboard-interactive methods out of the SSH server altogether; on those releases ‘show ip ssh’ lists the authentication methods in effect.
ianh@bloodshot:~$ ssh -o pubkeyauthentication=no rt1
Password: <press enter>
rt1#
Unfortunately you can’t store the public key in TACACS+ or RADIUS; it has to live in the device’s local pubkey-chain. You can still use them to decide whether the account exists or not.
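As an added example (not from the original post), here is a small POSIX shell helper that automates the fold-and-paste step above: it reads an OpenSSH public key file and prints a complete ‘ip ssh pubkey-chain’ stanza for the given user, folded to a width that IOS will not truncate, and refuses anything that is not an ssh-rsa key (the only type shown in the post). The function names, the 72-column default and the single-key-per-file rule are this example’s own assumptions, not IOS requirements documented on this page.

```shell
#!/bin/sh
# Added example, not from the original post: build a ready-to-paste IOS
# 'ip ssh pubkey-chain' stanza from an OpenSSH public key file.
# Assumptions (this example's own): the key is ssh-rsa, as in the post; the
# user already exists on the router with a secret; 72 columns is a safe width.

# ios_pubkey_stanza USER KEYFILE [WIDTH]
# Print the stanza on stdout. The key line is folded with fold(1) so that no
# pasted line exceeds WIDTH columns, because IOS truncates over-long key-string
# lines. Returns 1 (and prints nothing) for input it will not handle.
ios_pubkey_stanza() {
  user="$1"; keyfile="$2"; width="${3:-72}"
  [ -n "$user" ] && [ -r "$keyfile" ] || { echo "usage: ios_pubkey_stanza USER KEYFILE [WIDTH]" >&2; return 1; }
  # One key per file: an authorized_keys-style file with several keys needs one stanza each.
  [ "$(wc -l < "$keyfile" | tr -d ' ')" -le 1 ] || { echo "$keyfile: expected a single public key" >&2; return 1; }
  keytype=$(awk 'NR == 1 { print $1 }' "$keyfile")
  [ "$keytype" = "ssh-rsa" ] || { echo "$keyfile: expected an ssh-rsa key, got '$keytype'" >&2; return 1; }
  printf 'ip ssh pubkey-chain\nusername %s\nkey-string\n' "$user"
  fold -w "$width" "$keyfile"
  printf 'exit\nexit\nexit\n'
}

# check_stanza_width WIDTH
# Read a stanza on stdin and return 1 if any line is wider than WIDTH; a last
# guard for stanzas that were assembled or edited by hand before pasting.
check_stanza_width() {
  awk -v w="$1" 'length($0) > w { bad = 1 } END { exit bad + 0 }'
}

# Run as a script: ios_pubkey_stanza.sh USER KEYFILE [WIDTH]
if [ "$#" -ge 2 ]; then
  ios_pubkey_stanza "$@"
fi
```

Paste the output at the ‘rt1(config)#’ prompt exactly as printed; the three trailing ‘exit’ lines bring you back to config mode. The confirmation is the same as in the post: a login with the key should succeed, and ‘ssh -o pubkeyauthentication=no’ should be met by a password prompt that an empty password does not get past.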
How do you set up a Cisco ASA SSL VPN using a CA-supplied cert?
You need three things here: the server certificate, its private key, and the CA bundle (the issuing chain) that came with it.
First we combine the certificate and key into a PKCS12 file and base64-encode it, using an export password of ‘areallystrongpassword’. This password is only needed during the import; we delete the files once the import is complete.
ianh@linux:~/cert$ openssl pkcs12 -CAfile vpn.ianh.net.au.ca-bundle -in vpn.ianh.net.au.crt -inkey vpn.ianh.net.au.key -nodes -export -out vpn.ianh.net.au.p12
Enter Export Password: areallystrongpassword
Verifying - Enter Export Password: areallystrongpassword
ianh@linux:~/cert$ openssl base64 -in vpn.ianh.net.au.p12 -out vpn.ianh.net.au.b64p12
ianh@linux:~/cert$ cat vpn.ianh.net.au.b64p12
***lots of cert, copy this output to clipboard for next step***
Then we create a new trust point on the ASA pasting in the base 64 armoured PKCS12 certificate file.
asa(config)# cry ca trustpoint VPN
asa(config-ca-trustpoint)# en term
asa(config-ca-trustpoint)# cry ca import VPN pass areallystrongpassword
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
***paste cert here***
quit
INFO: Import PKCS12 operation completed successfully
Then we add the CA bundle (yes, you do have to do ‘en term’ again). Before answering ‘yes’, compare the fingerprint the ASA prints with the one your CA publishes for that intermediate certificate:
asa(config)# cry ca trustpoint VPN
asa(config-ca-trustpoint)# en term
asa(config-ca-trustpoint)# cry ca authenticate VPN
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
***Paste CA bundle here***
quit
INFO: Certificate has the following attributes:
Fingerprint:     83ea0465 b722ed33 ff0b4f53 5e1d396b
Do you accept this certificate? [yes/no]: yes
Trustpoint 'VPN' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported
asa(config)# exit
asa#
If this is a replacement certificate, you may need to point WebVPN/DTLS at the new trust point.
asa(config-webvpn)#no ssl trust-point VPN outside
asa(config-webvpn)#ssl trust-point VPN outside
Then you need to save the config to force the DTLS process to look at the new certificate.
asa# wr
Building configuration...
Cryptochecksum: 1c43aaba fbb00b48 2b771bef e5a3598d
154662 bytes copied in 0.890 secs
[OK]
asa#
Don’t forget to delete the certificate files from your workspace to keep the private key secure. Note that ‘rm’ only unlinks the files; if the workstation disk isn’t encrypted, use a tool that overwrites them (‘shred -u’ from GNU coreutils) instead.
ianh@linux:~/cert$ rm vpn.ianh.net.au.crt vpn.ianh.net.au.key vpn.ianh.net.au.ca-bundle vpn.ianh.net.au.p12 vpn.ianh.net.au.b64p12
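As an added example (not from the original post), the following POSIX shell helper front-loads the two checks you want before anything is pasted into the ASA: that the certificate really belongs to the private key, and that it verifies against the bundle you are about to load with ‘crypto ca authenticate’. Only then does it build the PKCS12 and base64-armour it the same way as above. The function names, the one-time password handling and the assumption of an unencrypted PEM key are this example’s own; openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: pre-import checks and PKCS12 build
# for the ASA trustpoint procedure above. Function names are this example's own.
# Assumptions: openssl is on PATH, and the three CA-supplied files are PEM:
# the server certificate, its unencrypted private key, and the CA bundle.

# cert_key_match CERT KEY
# Return 0 if the public key in CERT is the one derived from KEY. Both sides are
# compared as PEM SubjectPublicKeyInfo, so an unreadable file can never "match".
cert_key_match() {
  cpub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  kpub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ -n "$cpub" ] && [ -n "$kpub" ] && [ "$cpub" = "$kpub" ]
}

# cert_chains_to CERT BUNDLE
# Return 0 if CERT verifies using only the certificates in BUNDLE, the file that
# will be pasted at 'crypto ca authenticate'. The host's own trust store is
# excluded so a bundle from the wrong CA cannot pass on the strength of the
# system roots. (-no-CAstore exists only in OpenSSL 3, hence the probe.)
cert_chains_to() {
  nostore=""
  if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then nostore="-no-CAstore"; fi
  openssl verify -no-CAfile -no-CApath $nostore -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_b64_p12 CERT KEY OUT PASS
# Bundle CERT and KEY into a PKCS12 protected by PASS and write it base64-armoured
# to OUT: that text is what gets pasted at 'crypto ca import <trustpoint> pkcs12'.
# Runs in a subshell so the restrictive umask does not leak to the caller. The
# binary .p12 is removed here; OUT must be removed once the ASA reports success.
make_b64_p12() (
  umask 077                                   # both files contain the private key
  p12="$3.p12"
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$p12" -passout "pass:$4" || exit 1
  if openssl base64 -in "$p12" -out "$3"; then rc=0; else rc=1; fi
  rm -f "$p12"
  exit "$rc"
)

# prepare_asa_pkcs12 CERT KEY BUNDLE OUT PASS
# Run both checks, then build. Produces nothing if the inputs do not belong together.
prepare_asa_pkcs12() {
  cert_key_match "$1" "$2" || { echo "certificate and private key do not match" >&2; return 1; }
  cert_chains_to "$1" "$3" || { echo "certificate does not verify against the supplied CA bundle" >&2; return 1; }
  make_b64_p12 "$1" "$2" "$4" "$5"
}

# Run as a script with a one-time export password to type at the ASA prompt:
#   pass=$(openssl rand -base64 18)
#   prepare_asa_pkcs12.sh vpn.ianh.net.au.crt vpn.ianh.net.au.key \
#       vpn.ianh.net.au.ca-bundle vpn.ianh.net.au.b64p12 "$pass" && echo "export password: $pass"
if [ "$#" -eq 5 ]; then
  prepare_asa_pkcs12 "$@"
fi
```

Two notes on the original command. ‘-CAfile’ only has an effect on ‘openssl pkcs12 -export’ together with ‘-chain’, so in the command above it does nothing; that is harmless here because the chain is loaded separately with ‘crypto ca authenticate’, which is why this example leaves it out. And if you build the file with OpenSSL 3.x and the ASA refuses it, re-export with ‘-legacy’: OpenSSL 3 defaults to AES/PBKDF2 inside the PKCS12, while older devices only understand the legacy 3DES/SHA-1 encoding. On a shared host, prefer ‘-passout env:VAR’ or ‘-passout file:…’ over ‘pass:’ so the password does not appear in the process list.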
Hi folks,
First blog post, please be kind. My aim for this blog is to post neat things I’ve found in the networking universe. My current focus is on the Cisco datacentre ecosystem (Nexus, UCS and friends), with a smattering of VMware, NetApp and Linux.