Wednesday, June 20, 2012

Implementing NAP with 802.1x enforcement

In my earlier post, I configured 802.1x with EAP-TLS. Now I'm expanding the effort to Network Access Protection (NAP) with 802.1x enforcement. Machines that are validated as compliant with the health policy are placed on the authorized network or VLAN; non-compliant machines are placed in a restricted (guest) VLAN for remediation. In NAP with 802.1x enforcement, on top of 802.1x authentication, the client sends a Statement of Health (SoH) to the Windows NPS server, whose System Health Validator evaluates it against the configured Health Policies. The SoH carries the state reported by Security Center on the Windows client (firewall, antivirus, automatic updates and so on).

In this example, I only configure the Health Policies to check the status of Windows Firewall. The Windows 7 client and the NPS (Windows Server 2008 R2) have been set up in a full AD environment with AD Certificate Services. All certificates have been issued and the network switch is configured with 802.1x settings.

On the NPS server, click "Configure NAP" to start the wizard and follow its instructions carefully. After the wizard completes, go to "Connection Request Policies", right-click the NAP policy and click "Properties". On the "Settings" tab, edit "Microsoft Protected EAP (PEAP)". The dialog points out that the authentication settings here override those of the network policy, so the PEAP properties must be configured in this connection request policy.

Choose the server certificate issued from the "RAS and IAS Server" template, as described in my previous post. Also make sure the EAP type your clients will use is added and that "Enforce Network Access Protection" is enabled; without it NPS authenticates the client but never evaluates its Statement of Health. If you use certificate authentication, edit "Smart Card or other certificate" and select the correct certificate and trusted CA.

On the client side, it is more efficient to use Group Policy to configure and enable the NAP settings. Under Computer Configuration, create a "Wired Network (IEEE 802.3) Policies" policy.

Make sure the clients' PEAP authentication settings match the NPS server's (same EAP type and the same trusted root CA, with server certificate validation enabled so that a client cannot be tricked into talking to a rogue RADIUS server). In addition, under "Security Settings", set the startup type of the "Wired AutoConfig" and "Network Access Protection Agent" services to "Automatic". Next, go to "Network Access Protection" and enable the "EAP Quarantine Enforcement Client". You may also want to configure optional settings such as "User Interface Settings".

Once the GPO is created, link it to the client OUs and run "gpupdate" on the Windows 7 client, then check the event viewer for errors. If everything works, try disabling Windows Firewall: the client is held in the restricted VLAN while it is non-compliant, and auto-remediation turns the firewall back on to return it to compliance. For more details and troubleshooting, refer to Microsoft's NAP with 802.1x enforcement step-by-step guide.

Tuesday, June 12, 2012

A certificate could not be found that can be used with this EAP when configuring 802.1x on NPS

I was running the default 802.1x wizard to configure a new RADIUS server on Windows Server 2008 R2 and got the error "A certificate could not be found that can be used with this Extensible Authentication Protocol".

But when I ran the certificate manager, I saw a computer certificate! So what's wrong?! It's the template. Most of the time, we configure auto-enrollment for machines based on the Computer template. This time, you need the "RAS and IAS Server" template. Rather than auto-enrollment, you may want to perform a manual certificate enrollment for the NPS server. Hence, I duplicated a new NPS server template from "RAS and IAS Server". And yes, you also need to register the NPS server in AD using the "netsh ras add registeredserver" command. Ensure that the NPS server is a member of the "RAS and IAS Servers" security group in AD.

To further ensure that the NPS server is using the correct certificate, click "Edit" on the PEAP or EAP-TLS authentication method and verify which certificate is selected.


In summary:
  1. Register the NPS server in AD
  2. Enroll a new certificate based on the "RAS and IAS Server" template
  3. For NAP with 802.1x troubleshooting, see Microsoft's step-by-step guide
  4. Set up and verify the NAP CA that issues health certificates

Saturday, June 9, 2012

Re-Learning the Basics of Relational Databases - Normalization, Primary Key and Foreign Key

The last time I worked on a SQL-based relational database was more than 10 years ago, when I started my first job as a C/C++ and Java programmer. It's time for me to revise that knowledge. Recently, I picked up a book called "Microsoft SQL Server 2012: A Beginner's Guide" by Dusan Petkovic, a German professor. I've started chapter 1, which covers the basics of relational databases: the normalization process and the various key concepts. How I wish the author had explained it in even simpler language.

Normal Forms
Normalization is the process of organizing data in a database to reduce redundancy while keeping the dependencies between data items intact. Normal forms describe the stages of normalization. In theory, they run from the first normal form (1NF, the weakest) through the fifth normal form (5NF). In practice, you'll mostly see the first three (1NF, 2NF and 3NF); 4NF and 5NF are seldom used.

First Normal Form (1NF)
1NF means that every column value in a row must be single-valued (i.e. atomic). Imagine a table with the fields Employee No (emp_no) and Project No (project_no), where the relationship is one-to-many, i.e. one employee may work on multiple projects. The table may look like this:
emp_no         project_no
10102           (p1, p3)    


The table is not in 1NF, as project_no contains more than one value. Once every cell holds a single value, the table is in 1NF:
emp_no         project_no
10102               p1         
10102               p3         


Second Normal Form (2NF)
A primary key is the column (or set of columns) that identifies each row uniquely. In the table above, emp_no and project_no together form a composite primary key (a primary key with more than one column). Now expand the example with columns describing the department each employee belongs to: department id (dept_id), department name (dept_name) and department location (dept_loc). The table may look like this:
emp_no         project_no       dept_id      dept_name       dept_loc
10102               p1                 d1             Sales                  L1    
10102               p3                 d1             Sales                  L1    
25348               p1                 d2             Marketing           L2     


Here there is redundancy in dept_name and dept_loc. Not only does the redundant information take up more storage, there is also a chance of update anomalies whenever an employee changes department or a department relocates. The root cause is a partial dependency: dept_id, dept_name and dept_loc depend on emp_no alone, not on the whole (emp_no, project_no) key, which 2NF forbids. To reach 2NF, move the columns that depend on only part of the key into a separate table, and relate the tables through a foreign key (a column that references the primary key of another table). The resulting tables may look like this:
emp_no         project_no  
10102               p1           
10102               p3           
25348               p1           


emp_no           dept_id        dept_name       dept_loc
10102                  d1                Sales                  L1  
25348                  d2                Marketing           L2  

In the new table, emp_no is the primary key, and emp_no in the project table is a foreign key referencing it. Note: a 1NF table with a single-column primary key is always in 2NF, since nothing can depend on only part of a one-column key.


Third Normal Form (3NF)
To be in 3NF, the table must first satisfy 1NF and 2NF. In addition, there must be no functional dependencies between non-key columns (transitive dependencies). The employee table above is not in 3NF because dept_name and dept_loc depend on dept_id, which is itself a non-key column. To reach 3NF, split the department columns out into yet another table; the final result may look like this:
emp_no         project_no  
10102               p1           
10102               p3           
25348               p1           


emp_no           dept_id 
10102                  d1   
25348                  d2   


dept_id        dept_name       dept_loc
d1                   Sales                  L1   
d2                   Marketing           L2   


In the last table, dept_id becomes the primary key and all the three tables are now in 3NF.
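As an added example (not from the book or the post), the walk-through above in Python: it checks the sample rows for 1NF, verifies the functional dependencies the text states against the data, classifies each one as a partial (2NF) or transitive (3NF) dependency, and performs the decomposition that yields the three final tables. The dependencies are declared as design knowledge rather than mined from the data, because on three rows coincidental dependencies (dept_loc determining dept_id, for instance) would also appear to hold.

```python
"""Normalization checks on the employee/project/department example (added example)."""

# Constructed sample data: the denormalized table from the 2NF section.
COLUMNS = ("emp_no", "project_no", "dept_id", "dept_name", "dept_loc")
KEY = ("emp_no", "project_no")            # composite primary key
ROWS = [
    (10102, "p1", "d1", "Sales", "L1"),
    (10102, "p3", "d1", "Sales", "L1"),
    (25348, "p1", "d2", "Marketing", "L2"),
]

# Functional dependencies as stated in the text (business rules, not mined from data).
FDS = [
    (("emp_no",), ("dept_id",)),                # an employee belongs to one department
    (("dept_id",), ("dept_name", "dept_loc")),  # a department has one name and one location
]


def is_1nf(rows):
    """1NF: every cell is atomic. A list/tuple cell such as (p1, p3) is not."""
    return all(not isinstance(v, (list, tuple)) for row in rows for v in row)


def to_1nf(rows, col):
    """Expand a multi-valued cell in column index `col` into one row per value."""
    out = []
    for row in rows:
        values = row[col] if isinstance(row[col], (list, tuple)) else (row[col],)
        out.extend(row[:col] + (v,) + row[col + 1:] for v in values)
    return out


def fd_holds(rows, columns, lhs, rhs):
    """lhs -> rhs holds if equal lhs values always come with equal rhs values."""
    idx = {c: i for i, c in enumerate(columns)}
    seen = {}
    for row in rows:
        left = tuple(row[idx[c]] for c in lhs)
        right = tuple(row[idx[c]] for c in rhs)
        if seen.setdefault(left, right) != right:
            return False
    return True


def classify_fd(key, lhs):
    """'partial' (proper subset of the key) breaks 2NF; 'transitive' (a non-key
    determinant) breaks 3NF; 'full' (the whole key) is what 3NF requires."""
    lhs, key = set(lhs), set(key)
    if lhs < key:
        return "partial"
    if not lhs <= key:
        return "transitive"
    return "full"


def project(rows, columns, keep):
    """Relational projection: keep only the `keep` columns and drop duplicate rows."""
    idx = [columns.index(c) for c in keep]
    out, seen = [], set()
    for row in rows:
        t = tuple(row[i] for i in idx)
        if t not in seen:
            seen.add(t)
            out.append(t)
    return out


def normalize(rows, columns, key, fds):
    """Move every partial or transitive FD into its own table (lhs + rhs); the base
    table keeps the key plus any attribute not moved out. Returns {name: (cols, rows)}."""
    for lhs, rhs in fds:
        if not fd_holds(rows, columns, lhs, rhs):
            raise ValueError(f"sample data contradicts {lhs} -> {rhs}")
    tables, remaining = {}, list(columns)
    for lhs, rhs in fds:
        if classify_fd(key, lhs) == "full":
            continue
        cols = tuple(lhs) + tuple(rhs)
        tables["_".join(lhs)] = (cols, project(rows, columns, cols))
        remaining = [c for c in remaining if c not in rhs]
    tables["base"] = (tuple(remaining), project(rows, columns, tuple(remaining)))
    return tables


if __name__ == "__main__":
    print("1NF:", is_1nf(ROWS), "| fixed:", to_1nf([(10102, ("p1", "p3"))], 1))
    for name, (cols, data) in normalize(ROWS, COLUMNS, KEY, FDS).items():
        print(name, cols, data)
```

Running it reproduces the three tables shown above: the base (emp_no, project_no) table, the (emp_no, dept_id) table from the partial dependency, and the (dept_id, dept_name, dept_loc) table from the transitive one.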

Sunday, June 3, 2012

BIOS upgrade using bootable USB to DOS

Recently, I bought a new Acer Aspire 5560G notebook. It came with Win7 Home Premium. I wanted to start installing the new MS SQL 2012 on a virtual machine. Since VMware is no longer giving away VMware Workstation for free, the natural choice for me was to install Windows Server 2008 R2, which comes with Hyper-V.

Upon successful installation of the new OS, I noticed that rebooting and shutting down the new notebook were not seamless: I had to hold down the power button for it to shut down completely. I thought it was a BIOS error and downloaded the latest BIOS update. Only then did I realise that the update can only be run in DOS mode. Hey, it's not Win98, and newer MS OSes no longer come with DOS! (MS now has something called WinPE, but it's still not DOS.)

After searching the Internet high and low, I came across a good article that explained how to boot the machine into DOS from a USB stick. It requires a free, simple HP utility called "HP USB Disk Storage Format Tool". After formatting the USB stick with MS-DOS system files, I copied the BIOS update DOS utilities onto it.

Rebooting the notebook from the USB stick, I finally managed to upgrade the BIOS firmware. It still couldn't solve the shutdown problem, but at least I now know an easy method to boot any machine into DOS quickly.

Thursday, May 10, 2012

Making Changes to MST Config with Care

Multiple Spanning Tree (MST) is great for VLAN spanning tree management and load balancing. In concept, you map many VLANs onto a small number of MST instances (two, say) and manage a spanning tree per instance rather than per VLAN, regardless of the number of VLANs. Switches that share the same MST configuration form an MST region.

However, for two or more switches to be in the same MST region, they must have an identical MST name, VLAN-to-instance mapping and MST revision number. A change applied to the MST configuration on one switch but not on the others splits the region and causes network disruption. To minimize such disruption, stage the MST changes on every switch and commit them only once all switches carry the same new configuration. Compare "show spanning-tree mst configuration" (name, revision and the configuration digest) across the switches to confirm they match.

This is how to enter MST configuration sub-mode on the switch:
switch# configure terminal
switch(config)# spanning-tree mst configuration

This shows how to leave MST configuration sub-mode on the switch without committing the changes:
switch(config-mst)# abort

This shows how to commit the changes and leave MST configuration sub-mode on the switch:
switch(config-mst)# exit

For more information, see Cisco's "Configuring MST" documentation.
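As an added example (not from the Cisco document), the check described above in Python: it recomputes the MST configuration digest that "show spanning-tree mst configuration" displays (an HMAC-MD5 over the 4096-entry VLAN-to-instance table with the fixed key from IEEE 802.1s) and groups switches by (name, revision, digest), the three values that must agree before a change is committed everywhere. The switch names and mappings are constructed for the example.

```python
"""Group switches into MST regions from their staged configuration (added example)."""
import hashlib
import hmac
from collections import defaultdict

# Fixed HMAC-MD5 key defined by IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_configuration_digest(vlan_to_instance):
    """Digest of the 4096-entry table of 2-byte MSTIDs indexed by VLAN ID.
    VLANs not listed map to instance 0 (the IST), as on an unconfigured switch."""
    table = bytearray(4096 * 2)
    for vlan, inst in vlan_to_instance.items():
        if not (1 <= vlan <= 4094 and 0 <= inst <= 4094):
            raise ValueError(f"invalid mapping: vlan {vlan} -> instance {inst}")
        table[2 * vlan:2 * vlan + 2] = inst.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def region_id(cfg):
    """Switches form one region only if name, revision and digest all match.
    The revision is not part of the digest, so it is compared separately."""
    return (cfg["name"], cfg["revision"], mst_configuration_digest(cfg["mapping"]))


def group_regions(switches):
    """Map each distinct region id to the switches that hold it."""
    regions = defaultdict(list)
    for name, cfg in switches.items():
        regions[region_id(cfg)].append(name)
    return dict(regions)


def ready_to_commit(switches):
    """True only when every switch holds the same staged configuration."""
    return len(group_regions(switches)) == 1


# Constructed scenario: the change moves VLAN 30 to instance 2 and bumps the
# revision. Two switches have it staged; access1 still has the old configuration,
# so committing now would split the region into two.
NEW = {"name": "CAMPUS", "revision": 2, "mapping": {10: 1, 20: 1, 30: 2}}
OLD = {"name": "CAMPUS", "revision": 1, "mapping": {10: 1, 20: 1, 30: 1}}
SWITCHES = {"core1": NEW, "core2": NEW, "access1": OLD}

if __name__ == "__main__":
    for region, members in group_regions(SWITCHES).items():
        print(region, "->", members)
    print("safe to commit:", ready_to_commit(SWITCHES))
```

Feed it the name, revision and VLAN-to-instance mapping collected from each switch (the same values the MST sub-mode "show" displays before you "exit") and commit only when a single region comes back.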

Tuesday, May 8, 2012

How to add new interfaces on Juniper SRX chassis cluster

There are many good JUNOS articles on setting up a Juniper SRX chassis cluster. Here I just want to summarize the steps for adding new interfaces to an existing chassis cluster, assuming the following prerequisites are already complete:
  1. Configuring the chassis cluster ID and node ID on both nodes, e.g. set chassis cluster cluster-id 1 node 0
  2. Configuring Redundancy Groups (RG) and specifying which node should be primary for each RG, e.g. set chassis cluster redundancy-group 1 node 0 priority 200. This is also where you decide between an Active/Passive and an Active/Active setup
  3. Configuring the out-of-band management interface fxp0 - optional
  4. Configuring virtual routing instances (a.k.a. VRF-lite in Cisco networking) - optional
  5. Configuring the number of redundant Ethernet interfaces with "set chassis cluster reth-count n", where n is the number of reth interfaces
  6. Configuring each redundant Ethernet interface (reth) from at least one physical interface on each node
  7. Configuring the control link (fxp1), over which the two nodes synchronize their configuration
  8. Configuring the fabric interfaces (fabn, where n is the node ID), each consisting of at least one Ethernet interface from each node
  9. Successful cluster setup!
Once the cluster is up, you may wish to add more interfaces to it. The additional steps are as follows:

Step 1: Increase the reth count:
  • set chassis cluster reth-count n, where n is the new number of reth interfaces (indices run from reth0 to reth(n-1), so reth2 needs a count of at least 3)
Step 2: Identify two matching interfaces, one on each node (e.g. ge-0/0/2 and ge-8/0/2), to form the new reth:
  • set interfaces ge-0/0/2 gigether-options redundant-parent reth2
  • set interfaces ge-8/0/2 gigether-options redundant-parent reth2
Step 3: Configure the new reth2 under "edit interfaces reth2":
  • Bind the reth to a redundancy group: "set redundant-ether-options redundancy-group 1"
  • Enable VLAN tagging if you intend to use VLANs: "set vlan-tagging"
  • Create a new sub-interface: "set unit nnn vlan-id <vlan-id>", where nnn is any sub-interface number
  • Assign an IP address to the sub-interface: "set unit nnn family inet address 1.1.1.1/24"
  • Return to the top level: "top"
Step 4: Assign the sub-interface to the virtual routing instance:
  • set routing-instances <instance-name> interface reth2.nnn
Step 5: Assign the sub-interface to the appropriate security zone:
  • set security zones security-zone <zone-name> interfaces reth2.nnn
Step 6: Check the new configuration and commit:
  • top
  • show | compare rollback 0
  • commit
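As an added example (not from Juniper's documentation), the procedure above as a small Python generator that refuses to emit anything Junos would reject at commit or that would leave the reth down: a reth index at or above reth-count, or two member interfaces on the same node. The routing-instance and zone names are parameters, and the FPC offset at which node 1's slots begin is platform-specific (the post's ge-8/0/2 implies node 1 starts at slot 8), so it is passed in rather than assumed.

```python
"""Generate and sanity-check the set commands for a new reth (added example)."""
import re

IFACE_RE = re.compile(r"^[a-z]+-(\d+)/\d+/\d+$")   # e.g. ge-0/0/2 -> FPC slot 0


def node_of(ifname, node1_fpc_offset):
    """Cluster node from the FPC slot: node 1 slots start at node1_fpc_offset."""
    m = IFACE_RE.match(ifname)
    if not m:
        raise ValueError(f"not a physical interface name: {ifname}")
    return 0 if int(m.group(1)) < node1_fpc_offset else 1


def validate_reth(reth, members, reth_count, node1_fpc_offset):
    """Return a list of problems (empty means the reth definition is consistent)."""
    problems = []
    m = re.fullmatch(r"reth(\d+)", reth)
    if not m:
        return [f"{reth}: expected a name like reth2"]
    if int(m.group(1)) >= reth_count:
        problems.append(f"{reth}: index must be below reth-count {reth_count}; raise reth-count first")
    nodes = sorted(node_of(i, node1_fpc_offset) for i in members)
    if nodes != [0, 1]:
        problems.append(f"{reth}: members {members} must be exactly one interface on each node")
    return problems


def reth_commands(reth, members, reth_count, redundancy_group, vlan_id,
                  address, routing_instance, zone, node1_fpc_offset):
    """Emit the set commands in the order of the steps above; the VLAN ID doubles
    as the unit number so reth2.100 carries VLAN 100."""
    problems = validate_reth(reth, members, reth_count, node1_fpc_offset)
    if problems:
        raise ValueError("; ".join(problems))
    unit = f"{reth}.{vlan_id}"
    cmds = [f"set chassis cluster reth-count {reth_count}"]
    cmds += [f"set interfaces {m} gigether-options redundant-parent {reth}" for m in members]
    cmds += [
        f"set interfaces {reth} vlan-tagging",
        f"set interfaces {reth} redundant-ether-options redundancy-group {redundancy_group}",
        f"set interfaces {reth} unit {vlan_id} vlan-id {vlan_id}",
        f"set interfaces {reth} unit {vlan_id} family inet address {address}",
        f"set routing-instances {routing_instance} interface {unit}",
        f"set security zones security-zone {zone} interfaces {unit}",
    ]
    return cmds


if __name__ == "__main__":
    # Constructed values: VR1 and trust are placeholder instance/zone names.
    for cmd in reth_commands("reth2", ("ge-0/0/2", "ge-8/0/2"), 3, 1, 100,
                             "1.1.1.1/24", "VR1", "trust", node1_fpc_offset=8):
        print(cmd)
    print(validate_reth("reth3", ("ge-0/0/2", "ge-8/0/2"), 3, 8))
```

Paste the output in configuration mode, then run "show | compare rollback 0" before committing, exactly as in Step 6.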

Monday, May 7, 2012

Ethernet over MPLS (EoMPLS) Cisco Configuration Made Simple

Ethernet over MPLS (EoMPLS) is part of Cisco's Any Transport over MPLS (AToM) and provides L2 connectivity (a pseudowire) across an MPLS cloud. If you wish to run EoMPLS on an L3 VLAN interface (SVI-based EoMPLS or SwEoMPLS), you need an OSM or an Enhanced FlexWAN module on the MPLS core-facing interface. Otherwise, you can configure PFC-based EoMPLS on a physical interface or sub-interface. In this example, we use PFC-based EoMPLS on Cisco IOS 15.x, as most of us won't have any special interface cards. Consider a topology with two PE routers, PE1 and PE2, connected across the MPLS cloud, each with a CE switch (CE1 and CE2) and a server behind it. We'll extend L2 connectivity on VLAN 10 so that both servers share one broadcast domain across the MPLS cloud.



Here, we assume that basic MPLS configuration has been put in place. Configuring EoMPLS would be pretty straightforward.

On both PE1 and PE2 routers:
!

interface GigabitEthernet0/1.10
encapsulation dot1Q 10
xconnect 10.1.1.x 10 encapsulation mpls
no shut

!
Replace 'x' above with the last octet of the peer PE's LDP router ID, i.e. x = 2 on PE1 and x = 1 on PE2. The xconnect peer address must be the remote PE's LDP router ID, which is set with "mpls ldp router-id" (normally pointing at a loopback interface), and the VC ID (10 here) must be identical on both ends or the pseudowire will never come up.

On both CE1 and CE2 switches, assume Gi0/1 is the interface toward the respective PE router and Gi0/2 is the host port.
!
vlan 10
  name EoMPLS
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
description Host port
switchport mode access
switchport access vlan 10
!

To verify EoMPLS connectivity, enter "show mpls l2transport vc" on both PE routers; the VC status should be UP. You can also run "show spanning-tree vlan 10" on both CE switches to check the sanity of spanning tree: BPDUs are carried transparently over the pseudowire, so the two switches form a single spanning tree and only one of them should be root. Finally, both hosts should be able to ping each other on the same IP subnet. For further details, refer to Cisco's EoMPLS documentation.