Cisco FirePOWER (On-Box / ASDM) Change the Time Zone

KB ID 0001363

Problem

At first this was just a bug; now it’s annoying. I don’t know why Cisco have not got round to fixing this; it’s still a problem in the latest version (6.2.2 at time of writing).

Solution

Configuration > ASA FirePOWER Configuration > Local > System Policy > Time > Synchronisation > Manually > Save Policy and Exit.

Deploy > Deploy FirePOWER Changes > Deploy.

To View Task Progress: Monitoring > ASA FirePOWER Monitoring > Ensure the policy has applied successfully, (go and have a coffee).

Configuration > ASA FirePOWER Configuration > Local > Configuration > Time > Select the time zone ‘Hyperlink’ > Set the correct zone > Save > Done.

Configuration > ASA FirePOWER Configuration > Local > System Policy > Time > Synchronisation > Via NTP From… > Type in a public NTP Server > Save Policy and Exit.

or use;

[box]

0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, 3.sourcefire.pool.ntp.org

[/box]

Deploy > Deploy FirePOWER Changes > Deploy.

Related Articles, References, Credits, or External Links

Special Thanks to Craig Paolozzi for this article, because he asks me how to do it, every 27 days.

VMware ESXi 6.5 – Setting up ESX Time Sync via Web Client

KB ID 0001274 

Another guest post from Daniel Newton

Problem

Now that ESXi ships with the web console instead of the VI client, and we no longer have a Windows machine, it makes sense to do this from the web console.

Also, having your ESXi server running the correct time and date is very important. Before you follow this article I should suggest making sure the time is set in the ESX server’s BIOS, i.e. that the internal clock is set correctly first!!! The number of times Windows domains fail because the time had not been set up properly on the hosts and DC is more than you think! The last thing you want is a massive pain in the arse from your boss!

Note: Due to the privacy of the customer, I have blurred out their information.

Solution

Note: For this to work the hosts need to be able to communicate with public time servers over NTP (UDP Port 123), ensure your firewall has this port open or time sync will fail.

Firstly, log in to the ESX host itself and click on Manage on the left-hand side.

Secondly, click on “Time and Date” and edit the settings.

Now, edit the boxes and dropdowns to look like the screenshot below (I am from the UK and typed in the NTP servers for my country; they will be different in other parts of the world) and then click Save.

Now that we have completed that, we have to start the service. So, go to Actions > NTP Service > Start.

After 30 seconds, you will have this message saying it has completed successfully.


Related Articles, References, Credits, or External Links

NA

Windows – Setting Domain Time

KB ID 0000112

Problem

If you have arrived here, you have either noticed that the time is wrong on your server(s) or client PC(s), or you have looked in the event viewer and seen one of the following events being logged: Event IDs 12, 22, 29, 36, 38, 47, and 50.

Time Problem Events – On the PDC Emulator

Event ID 12 (W32 Time Time Provider NtpClient: This machine is configured to use {text omitted}, but it is the PDC emulator…).

Event ID 29 (The time provider NtpClient is configured to acquire time from one or more time sources…).

Event ID 36 (The time service has not synchronized the system time for 86400 seconds…).

Event ID 38 (The time provider NtpClient cannot reach or is currently receiving invalid time data from…).

Event ID 47 (Time Provider NtpClient: No valid response has been received from manually configured peer…).

Time Problem Events – On Domain Members

Event ID 50 (The time service detected a time difference of greater than 5000 milliseconds for 900 seconds…).

Event ID 22 (The time provider NtpServer encountered an error while digitally signing the NTP response for peer…).

Solution

Setting domain time is a TWO-STEP process, set the time correctly on the PDC emulator, then let the clients take their time from the PDC emulator.

Locate the PDC Emulator

1. On a domain controller, Windows Key+R > netdom query fsmo {Enter}.

2. Take note of the PDC name and go to that server.

NTP Firewall config

1. Ensure UDP Port 123 is open outbound from the PDC Emulator. How this is done will vary depending on your firewall vendor. If you have a Cisco ASA or a Cisco PIX see my article here.

To Test Use NTPTool

Below either the port is blocked (or the hostname/IP of the external NTP server is incorrect);

This is how it should look: every time you press Query you should get a response; now you know the correct port is open.

Configure the PDC Emulator to collect Reliable Time

There are two ways to do this: 1. use Group Policy, or 2. use the command line.

Setting PDC Emulator Time With Group Policy

Of course our PDC Emulator is also a domain controller, so we need to link a GPO to the Domain Controllers OU. But we don’t want all DCs getting their time from an external source, so we will create a WMI filter to ensure the policy will only apply to the PDC emulator server.

Administrative tools > Group Policy Management > WMI Filter > New > PDC-Emulator-Only > Add > Select * from Win32_ComputerSystem where DomainRole = 5 > OK.

Don’t panic if you see this error > OK > Save.

Create a new GPO linked to the Domain Controllers OU.

Change the policy so it uses your WMI filter;

Edit The Policy, and navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers[/box]

Configure Windows NTP Client

Enable the policy > set the NtpServer setting to server-name(comma)stratum-type(space). If you get this wrong you won’t sync, and you will see this error.

Enable Windows NTP Client

Enable the Policy (The server still needs to get its time from the external source!)

Enable Windows NTP Server

Enable the policy (The server also needs to provide time to the domain clients).

Save and exit the policy editor, then on the PDC emulator force a policy update and resync the time. Finally run rsop to make sure the settings have applied.

Setting PDC Emulator Time From Command Line


1. On the PDC emulator Windows Key+R > cmd {Enter}.

2. At command line execute the following four commands;

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update

net stop "windows time"

net start "windows time"

w32tm /resync 

[/box]

Note: If you are NOT in the UK or simply want to use a different NTP time server go here for alternatives.

3. Look in the server’s Event log > System Log for Event ID 37.

---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 37
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time provider NtpClient is currently receiving valid time 
data from ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------

4. You will also see Event ID 35.

---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time service is now synchronizing the system time with the time source 
ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------

Step 2 Check the domain clients

This is all you should need to do, because, (by default) all Domain clients get their time from the PDC when they log on, but to check;

1. Windows Key+R > cmd {enter}.

2. Execute the following command;

[box] w32tm /monitor [/box]

3. You will see the time this client can see, on all the domain controllers.

[box]

C:\Documents and Settings\Administrator.yourdomain>w32tm /monitor
server-dc.yourdomain.co.uk [192.168.1.1]:
ICMP: 0ms delay.
NTP: +363.2032725s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.69.6]
site2-dc.yourdomain.co.uk [192.168.2.1]:
ICMP: 70ms delay.
NTP: +0.0470237s offset from server-pdc.yourdomain.co.uk
RefID: dc.yourdomain.co.uk [192.168.69.4]
serverdc2.yourdomain.co.uk [192.168.1.4]:
ICMP: 0ms delay.
NTP: +0.0000553s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.1.6]
server-pdc.yourdomain.co.uk *** PDC *** [192.168.1.6]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from server-pdc.yourdomain.co.uk
RefID: scarp.mc.man.ac.uk [130.88.203.64]

[/box]

(In the case above the time on server-dc is way out; address that first. It was an old Windows 2000 server, and running “net time server-pdc” {enter} fixed it.)

4. Once all the domain controllers have a time that’s accurate (like the last three in the example above), then proceed.

5. Execute the following commands on a client machine;

[box]

net stop "windows time"

net start "windows time"

w32tm /resync 

[/box]

6. The machine’s event log should show the following successful events;

Event ID 37 (The time provider NtpClient is currently receiving valid time data from…).

Event ID 35 (The time service is now synchronizing the system time with the time source…).
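The step 3 check above is only useful if you actually read the offsets. As an added example (not code from the article), this Python script parses w32tm /monitor output and flags any domain controller whose offset from the reference is beyond the 5 s threshold that Event ID 50 uses (the 5000 ms figure from the Problem section). The sample output is constructed from the listing above; the function and threshold names are mine.

```python
"""Parse 'w32tm /monitor' output and flag domain controllers whose clock offset
from the reference is too large. Added example, not from the article; the
sample below is constructed from the listing in the article."""
import re

# Constructed sample, built from the w32tm /monitor listing in the article.
SAMPLE_MONITOR = """\
C:\\Documents and Settings\\Administrator.yourdomain>w32tm /monitor
server-dc.yourdomain.co.uk [192.168.1.1]:
    ICMP: 0ms delay.
    NTP: +363.2032725s offset from server-pdc.yourdomain.co.uk
        RefID: server-pdc.yourdomain.co.uk [192.168.69.6]
site2-dc.yourdomain.co.uk [192.168.2.1]:
    ICMP: 70ms delay.
    NTP: +0.0470237s offset from server-pdc.yourdomain.co.uk
        RefID: dc.yourdomain.co.uk [192.168.69.4]
serverdc2.yourdomain.co.uk [192.168.1.4]:
    ICMP: 0ms delay.
    NTP: +0.0000553s offset from server-pdc.yourdomain.co.uk
        RefID: server-pdc.yourdomain.co.uk [192.168.1.6]
server-pdc.yourdomain.co.uk *** PDC *** [192.168.1.6]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from server-pdc.yourdomain.co.uk
        RefID: scarp.mc.man.ac.uk [130.88.203.64]
"""

# Event ID 50 is raised for a difference above 5000 ms; use the same 5 s here.
MAX_OFFSET_SECONDS = 5.0

# "host [ip]:" header, optionally carrying the "*** PDC ***" marker.
HOST_RE = re.compile(r"^(\S+?)(?:\s+\*\*\* PDC \*\*\*)?\s+\[([\d.]+)\]:$")
NTP_RE = re.compile(r"^NTP:\s+([+-]?[\d.]+)s offset from (\S+)$")
REFID_RE = re.compile(r"^RefID:\s+(\S+)(?:\s+\[([\d.]+)\])?$")


def parse_monitor(text):
    """Return one dict per domain controller: host, ip, pdc flag, offset (s),
    the server the offset is measured against, and the DC's own RefID."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = {"host": m.group(1), "ip": m.group(2),
                       "pdc": "*** PDC ***" in line,
                       "offset": None, "measured_against": None, "refid": None}
            hosts.append(current)
            continue
        if current is None:           # prompt line or other noise before the first host
            continue
        m = NTP_RE.match(line)
        if m:
            current["offset"] = float(m.group(1))
            current["measured_against"] = m.group(2)
            continue
        m = REFID_RE.match(line)
        if m:
            current["refid"] = m.group(1)
    return hosts


def out_of_tolerance(hosts, max_offset=MAX_OFFSET_SECONDS):
    """Names of DCs whose absolute offset exceeds max_offset (or that gave no NTP line)."""
    return [h["host"] for h in hosts
            if h["offset"] is None or abs(h["offset"]) > max_offset]


def find_pdc(hosts):
    """The entry w32tm marked as the PDC emulator, or None if it was not listed."""
    for h in hosts:
        if h["pdc"]:
            return h
    return None


if __name__ == "__main__":
    dcs = parse_monitor(SAMPLE_MONITOR)
    for dc in dcs:
        print("%-32s %+12.6fs  RefID: %s" % (dc["host"], dc["offset"], dc["refid"]))
    print("Fix first:", out_of_tolerance(dcs))
    pdc = find_pdc(dcs)
    print("PDC emulator %s takes its time from %s" % (pdc["host"], pdc["refid"]))
```

Run it against a saved copy of your own w32tm /monitor output (paste it in place of the constructed sample); the PDC's RefID should be the external NTP source you configured, and every other DC should be within tolerance before you move on to the clients.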

Setting Domain Clients Time via GPO

As already outlined you should not need to do this, (as it’s the default setting,) but if there’s a problem you can force domain clients to look at your PDC emulator for reliable time.

Create a GPO, and link it to the OU containing the computers you want to sync.

Edit the policy and navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers[/box]

Configure Windows NTP Client

Enable the policy > Set the NtpServer to {Your-PDC-Name},0x9  > Set the Type to NT5DS.

Enable Windows NTP Client

Enable this policy.

Testing Client NTP Settings

Either run;

[box]w32tm /query /status[/box]

Or run RSOP.


Related Articles, References, Credits, or External Links

PDC Emulator – Cannot Sync Time From External NTP Server

Cisco ASA – Configuring for NTP 


Windows – Error ‘A Good Time server could not be located’

KB ID 0000705

Problem

Seen when running dcdiag,

Error(s):

Starting test: Advertising
Warning: Server-Name is not advertising as a time server.
......................... Server-Name failed test Advertising


Running enterprise tests on : PeteNetLive.com
   Starting test: Intersite
      ......................... PeteNetLive.com passed test Intersite
   Starting test: FsmoCheck
      Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
      A Time Server could not be located.
      The server holding the PDC role is down.
      Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
      A Good Time Server could not be located.
      ......................... PeteNetLive.com failed test FsmoCheck

Solution

Note: Any one of the things below can cause this problem, I suggest you retry running dcdiag after each step until it runs without error.

1. In a Windows domain, clients normally get their time from the domain controller that holds the PDC Emulator role. Locate that server and log on.

Locate your FSMO Role Servers

2. Now configure your PDC emulator to get its time from a reliable external source.

Windows – Setting Domain Time

3. If you have got this far, then you should already have the Windows Time service running; check!

4. From command line, remove and reinstall the Windows time service with the following two commands.

[box]
w32tm /unregister
w32tm /register
[/box]

Note: It’s not unusual to see the following error after you issue a ‘w32tm /unregister’ command,

Error
The following error occurred: Access is denied (0x80070005)

If this happens don’t panic, open the services console (Press F5) and the Windows Time Service may have disappeared (if so re-register it). If not manually stop the Windows Time service and try to unregister again, then re-register.

WARNING: After doing this, you will need to set the time service to get reliable time from an NTP External Server again.

5. Press Windows Key+R > regedit {enter} > Navigate to the following registry key;

[box]HKLM > System > CurrentControlSet > services > W32Time > Parameters[/box]

Ensure the Type value is set to NTP, then restart the Windows Time service and check again.

5. Whilst still in the registry editor navigate to;

[box]HKLM > System > CurrentControlSet > services > W32Time > Config[/box]
Set the AnnounceFlags value to 5.

6. Whilst still in the registry editor navigate to;

[box]HKLM > System > CurrentControlSet > services > W32Time > Time Providers > NtpServer[/box]

Make sure the Enabled value is set to 1 (one).

7. If the problem persists, on the PDC Emulator run gpedit.msc > Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]

Make sure ‘Global Configuration Settings’ is set to ‘Not Configured’.

Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]

Make sure ALL the settings are set to ‘Not Configured’.

If you changed anything, run ‘gpupdate /force’ and try again.

8. On the PDC Emulator, Open a command window (Note: You must Run as Administrator!) > In the Computer Settings section locate all the policies that are applying to the server.

Note: As a shortcut to find the offending policy, you could run ‘gpresult /v > c:\gpresult.txt’ then search that text file for any instance of w32tm (here’s an example).

As above navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]

Make sure Global Configuration Settings is set to ‘Not Configured’.

Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]

Make sure ALL the settings are set to ‘Not Configured’.

If you changed anything, run ‘gpupdate /force’ and try again.
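Steps 5 and 6 above name three registry values to check on the PDC emulator (Parameters\Type, Config\AnnounceFlags and TimeProviders\NtpServer\Enabled). As an added example, not from the article, this Python script audits those values from a .reg export of the W32Time key (regedit > Export, or reg export, run on the server), so the check can be done offline or repeated across several DCs. The sample export is constructed; its AnnounceFlags of 0xa and Type of NT5DS are deliberately wrong so the audit has something to report. The EXPECTED table and function names are mine.

```python
"""Audit the W32Time registry values named in the article's steps 5 and 6,
read from a .reg export. Added example; the sample export is constructed."""
import re

# The values the article tells you to check, keyed by subkey under W32Time.
EXPECTED = {
    ("Parameters", "Type"): "NTP",
    ("Config", "AnnounceFlags"): 5,
    ("TimeProviders\\NtpServer", "Enabled"): 1,
}

W32TIME_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time"

# Constructed export: Type and AnnounceFlags are wrong on purpose, Enabled is fine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"AnnounceFlags"=dword:0000000a
"MaxPosPhaseCorrection"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"Type"="NT5DS"
"NtpServer"="time.windows.com,0x9"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"=dword:xxxxxxxx  or  "Name"="string"; other value types are ignored.
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: int_or_str}} for a .reg export.
    Registry paths are case-insensitive, so keys are lower-cased for lookup."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def audit_w32time(text):
    """List (subkey, value_name, found, expected) for each value that deviates
    from EXPECTED; a missing key or value is reported with found=None."""
    keys = parse_reg(text)
    problems = []
    for (subkey, name), want in EXPECTED.items():
        path = (W32TIME_PREFIX + "\\" + subkey).lower()
        found = keys.get(path, {}).get(name)
        if found != want:
            problems.append((subkey, name, found, want))
    return problems


if __name__ == "__main__":
    for subkey, name, found, want in audit_w32time(SAMPLE_REG):
        print("W32Time\\%s\\%s is %r, expected %r" % (subkey, name, found, want))
```

Any line it prints maps straight back to a step above; an empty result means the registry side is as the article expects and the remaining suspects are the Group Policy settings in steps 7 and 8.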

Related Articles, References, Credits, or External Links

NA

Securing Network Device Access With Cisco ACS (and Active Directory)

KB ID 0000942

Problem

For network identification I have tended to use RADIUS (in a Windows NPS or IAS flavour), in the past. I turned my back on Cisco TACACS+ back in my ‘Studying for CCNA’ days, because back then it was clunky and awful. I have a client that will be installing ACS in the near future, so I thought I would take a look at it again, and was surprised at how much more polished it is. As Cisco plans to roll ACS into Cisco ISE in the future, I’m not sure if it will remain as a separate product. So we may find people using version 5 for a long time yet.

Solution

I’m deploying ACS version 5.5 as a virtual appliance, remember to give it at least 60GB of hard drive or the install will fail. If you are installing on VMware workstation, choose the ‘I will install the operating system later’ option and manually present the CD image or it will also fail.

When you have run through the initial setup on the appliance it will set;

  • Hostname.
  • IP Address.
  • Subnet Mask.
  • Default Gateway.
  • DNS Domain Name.
  • DNS IP Address.
  • Secondary DNS (if required).
  • NTP Server IP address. (Ensure UDP port 123 is open or this will fail).
  • Secondary NTP (if required).
  • Timezone.
  • Username.
  • Password.

Then connect via a web browser (https);

  • Username: ACSAdmin
  • Password: default

1. Join the ACS appliance to your domain. Users and Identity Stores > External Identity Stores > Active Directory > Join/Test Connection > Enter Domain Credentials > Join.

2. Be patient it can take a couple of minutes, wait till it says ‘Joined and Connected’.

3. Make sure you already have some groups in active directory that you want to grant access to, here I’ve got a full-access group and a read-only access group.

Note: I’m going to grant privilege level 15 to full-access, and privilege level 1 to read-only, (yes I know they can still escalate to configure terminal mode, but you can always restrict level 1 so it can only use the show command if you like).

4. Back in ACS > Directory Groups > Add > Add in your Groups > OK.

5. Create a Shell Policy: Policy Elements > Authorization and Permissions > Shell Profiles > Create > First create one for level 15 (full-access).

6. Common Tasks tab > Default Privilege > Static > 15 > Submit.

7. Then repeat to create a profile for read-only (level 1) access.

8. Common Tasks tab > Default Privilege > Static > 1 > Submit.

9. Access Policies > Access Services > Default Device Admin > Identity >Select > AD1 (this got created when you joined the domain earlier) > OK.

10. Access Policies > Access Services > Default Device Admin > Authorisation > Customise > Add ‘Compound Condition’ > OK.

11. Create > Tick ‘Compound Condition’ > Select > ExternalGroups > Select your full-access group.

12. Add > Shell Profile > Select > Select the full-access profile > OK.

13. Repeat for the read-only group.

14. Set the shell profile to read-only access > OK.

15. Access Policies > Service Selection Rules > Create > Set to Match Protocol TACACS > Set the service to Default Device Admin > OK.

16. Network Resources > Network Devices and AAA Clients > Enter the details of your Cisco device and set a shared key, (here I’m using 666999) > Submit.

17. Make the necessary changes on your Cisco devices, like so;

Cisco IOS TACACS+ Config

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default group tacacs+ local
Petes-Router(config)#aaa authorization exec default group tacacs+ local
Petes-Router(config)#aaa authorization console
Petes-Router(config)#tacacs-server host 10.254.254.22
Petes-Router(config)#tacacs-server key 666999
Petes-Router(config)#end
Petes-Router#
*Mar 1 00:10:24.691: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router# 

[/box]

Cisco ASA 5500 (and Next Generation) TACACS+ Config

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server PNL-AAA-TACACS protocol tacacs+
Petes-ASA(config-aaa-server-group)# aaa-server PNL-AAA-TACACS (inside) host 10.254.254.22
Petes-ASA(config-aaa-server-host)# key 666999
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)#

-=-=-=-=-Authentication-=-=-=-=-
ASDM Authentication

Petes-ASA(config)# aaa authentication http console PNL-AAA-TACACS LOCAL 
Console Authentication

Petes-ASA(config)# aaa authentication serial console PNL-AAA-TACACS LOCAL
SSH Authentication

Petes-ASA(config)# aaa authentication ssh console PNL-AAA-TACACS LOCAL
Telnet Authentication

Petes-ASA(config)# aaa authentication telnet console PNL-AAA-TACACS LOCAL

Enable Mode Command Protection Authentication

Petes-ASA(config)# aaa authentication enable console PNL-AAA-TACACS LOCAL
-=-=-=-=-Authorisation-=-=-=-=-

Petes-ASA(config)# aaa authorization command PNL-AAA-TACACS LOCAL
Petes-ASA(config)# privilege show level 5 mode configure configure command aaa

<repeat as necessary - Note: Turn it on with the ASDM with command preview enabled and you can copy paste all the commands out and edit them accordingly>
-=-=-=-=-Accounting-=-=-=-=-

Petes-ASA(config)# aaa accounting command PNL-AAA-TACACS

[/box]

18. Now you can test, here I connect as a user with read-only access (Note: I have a greater than prompt, I’m in user EXEC mode). Then when I connect as a full-access user (Note: I have a hash prompt. I’m in privileged EXEC mode).

19. The results are the same if I connect via SSH.

Enabling TACACS+ Through a Firewall

Sometimes you have, e.g., a switch in a DMZ or a router outside your firewall that you want to secure with TACACS+. To enable this you simply need to open TCP port 49 from the device you are securing with TACACS+ to the ACS server.

Related Articles, References, Credits, or External Links

JunOS – Using TACACS+ With Cisco ACS

Cisco IOS – Enrolling for Certificates with NDES

KB ID 0000948

Problem

To get your Cisco Router or Switch to enroll, and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow.

Solution

When dealing with certificates, it’s important that your device is maintaining the correct time. You can set this manually, but I’d recommend setting up NTP.

Setting IOS Time (Manually and via NTP)

1. Choose either of the options below, (as applicable). Note: I’m in the UK so my time is GMT, and I need to allow for daylight saving time, (so your settings may vary depending on your locale).

[box]

Setting Time Manually

Petes-RTR(config)#clock timezone GMT 0
Petes-RTR(config)#clock summer-time BST recurring last Sunday March 01:00 last Sunday October 01:00
Petes-RTR(config)#exit
Petes-RTR#clock set 10:47:00 Apr 30 2014
Petes-RTR#show clock
10:47:05.499 BST Wed Apr 30 2014
Petes-RTR#

Setting Time via NTP

Petes-RTR#show clock
*15:36:38.383 PCTime Mon Feb 16 2009
Petes-RTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-RTR(config)#ntp server 87.124.126.49
APPLY THE 'CUP Of COFFEE RULE'

Petes-RTR#show clock
10:09:52.437 PCTime Wed Apr 30 2014
Petes-RTR#

[/box]

Enrolling via NDES

1. Make sure the device can contact the NDES server, (simply pinging it should suffice). Then set a hostname and domain name. These are required to generate an RSA Key-pair on the device before we start.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#hostname RTR-1
RTR-1(config)#ip domain-name testbench.local
RTR-1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: RTR-1.testbench.local

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

RTR-1(config)#
*Mar 1 01:01:47.491: %SSH-5-ENABLED: SSH 1.99 has been enabled

[/box]

2. Create a set of CA settings (a trustpoint), then authenticate to it.

[box]

RTR-1(config)#crypto pki trustpoint PNL-TRUSTPOINT
RTR-1(ca-trustpoint)#enrollment url http://192.168.80.130/CertSrv/mscep/mscep.dll
RTR-1(ca-trustpoint)#enrollment mode ra
RTR-1(ca-trustpoint)#revocation-check crl
RTR-1(ca-trustpoint)#enrollment retry count 3
RTR-1(ca-trustpoint)#enrollment retry period 5
RTR-1(ca-trustpoint)#fqdn RTR-1.testbench.local

RTR-1(ca-trustpoint)#exit
RTR-1(config)#crypto pki authenticate PNL-TRUSTPOINT
Certificate has the following attributes:
Fingerprint MD5: 0454B8F4 73374DE8 2FB034CB B887B1D4
Fingerprint SHA1: 2A542238 0CF3856B D0EF3E1A CBB57003 21C114F5

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
RTR-1(config)#
[/box]

3. If your NDES Server requires a password you can embed that.

NDES Server Removing or Enforcing Passwords

If you require a password you can obtain it from the NDES Server using the following URL.

http://{IP-or-name-of-NDES-server}/CertSrv/mscep_admin

This is the password you need to enter.

If it looks like (below), then password enforcement has been disabled, and you can skip the next step.

[box]

Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# password 24033E4BFF217D60

[/box]

4. Enroll for a certificate.

[box]

RTR-1(config)#crypto pki enroll PNL-TRUSTPOINT
%
% Start certificate enrollment ..

% The subject name in the certificate will include: RTR-1.testbench.local
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FTX0945W0MY
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate PNL-TRUSTPOINT verbose' command will show the fingerprint.

RTR-1(config)#
May 14 10:46:46.479: CRYPTO_PKI: Certificate Request Fingerprint MD5: 25E06B18 2BF6E2B7 780AA427 89AB9A15
May 14 10:46:46.483: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 044725E7 B34F6AF8 EFB4C28B 8E7CE192 230BDC9E
RTR-1(config)#
May 14 10:46:47.875: %PKI-6-CERTRET: Certificate received from Certificate Authority
RTR-1(config)#

[/box]

5. If you have a look on the Certificate Server you will also see that the certificate has been issued.

Oh Crap! It went wrong?

Possible errors you might see;

Error 1

[box]

RTR-1(config)#crypto key generate rsa modulus 2048
% Please define a domain-name first.

[/box]

To be honest, it couldn’t be more descriptive! You can’t generate an RSA key-pair without a hostname, and a domain name.

[box]

R1(config)#hostname RTR-1
RTR-1(config)#ip domain-name testbench.local

[/box]

Error 2

[box]

RTR-1(config)#crypto pki authenticate PNL-TRUSTPOINT
% Error in saving certificate: status = FAIL

RTR-1(config)#%CRYPTO_PKI: Cert not yet valid or is expired -
start date: 13:18:46 UTC May 12 2014
end date: 13:28:46 UTC May 12 2019

[/box]

Certificates are time specific, make sure the device has its clock set correctly, (preferably via NTP). And the time on the Certificate Services Server is set correctly.

Windows – Setting Domain Time

Remember: We set the device to check the Certificate Server’s CRL; make sure that’s set up properly, and that the device can resolve its name.

Windows Certificate Services – Setting up a CRL

Related Articles, References, Credits, or External Links

Windows Server 2012 – Install and Configure NDES


Sync Microsoft Domain Time To A Cisco NTP Device

KB ID 0001038

Problem

I’ve been posting domain time articles for a long time, and on more than one occasion I’ve really needed to take my Windows time from a Cisco Device and failed miserably. I’ve even used third party NTP software to solve this problem on my own test network.

On a client network, my colleague deployed ACS5 this week, I secured the ASA5585-X for AAA and it failed authentication. Logging revealed a clock skew error, so we manually set the time on the domain PDC. Within half an hour it was failing. The network topology prevented me syncing to a public NTP server from the domain PDC.

We did however have all the network devices syncing from a public time source, if only we could use one of those?

Solution

Step 1 Configure NTP on your Cisco Device.

Here I’m using a 7200 Router in GNS3, the NTP IP addresses I use are UK based NTP servers, I suggest you replace them with some public NTP servers on your own continent. I’m using two for redundancy.

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ntp server 130.88.202.49 prefer
Petes-Router(config)#ntp server 194.35.252.7

[/box]

NOTE: You need to force the Cisco device to advertise itself with a low stratum; typically the lower the stratum, the closer to atomic time you are supposed to be (so we are actually forcing the device to lie, but if we don’t, Windows won’t trust it!).

[box]

Petes-Router(config)#ntp master 5

[/box]

It can take a while for NTP, (go and have a coffee), then check it’s synchronised, DO NOT proceed until the Cisco device has synchronised.

[box]

R1#show ntp status
Clock is synchronized, stratum 5, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19
ntp uptime is 364600 (1/100 of seconds), resolution is 4000
reference time is D898D3A0.319A96D4 (23:05:04.193 GMT Wed Feb 25 2015)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.26 msec, peer dispersion is 0.23 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000000 s/s
system poll interval is 16, last update was 3 sec ago.

[/box]

Step 2 Configure Windows to use Cisco NTP Time

In the past I’ve said “Windows does not use NTP, it uses Win32 Time”. This is not strictly true: it does use NTP, but by default it uses ‘Symmetric Active Mode NTP’, and your Cisco device expects its NTP requests to be submitted via ‘Client Mode NTP’. (See MS KB 875424 for more info).

Note: By default Windows Domains take their time from the PDC emulator, carry this procedure out on that server!

Locate your FSMO Role Servers

Open an elevated command prompt and execute the following commands (the Cisco device IP is 123.123.123.148 in this example; change it accordingly);

[box]

w32tm /config /manualpeerlist:"123.123.123.148",0x8 /syncfromflags:MANUAL
net stop "windows time"
net start "windows time"
w32tm /resync

Note: If you want to specify TWO Cisco devices, use the following syntax

w32tm /config /manualpeerlist:"123.123.123.148,123.123.123.149",0x8 /syncfromflags:MANUAL

[/box]

Now in the Servers System log, you should see the following two events logged.

Event ID 37

Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:33:19
Event ID: 37
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
The time provider NtpClient is currently receiving valid time data from 123.123.123.148,
0x8 (ntp.m|0x8|0.0.0.0:123->123.123.123.148:123).

Event ID 35

Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:21:17
Event ID: 35
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
The time service is now synchronizing the system time with the time source 123.123.123.148,
0x8 (ntp.m|0x8|0.0.0.0:123->123.123.123.148:123).


Windows and Cisco NTP Problems and Errors

Event ID 47

Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:11:07
Event ID: 47
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
Time Provider NtpClient: No valid response has been received from manually configured 
peer 123.123.123.148 after 8 attempts to contact it. This peer will be discarded as a 
time source and NtpClient will attempt to discover a new peer with this DNS name. The 
error was: The peer is unreachable.

On your Cisco Device you will see debug output like so, (it will repeat 8 times);

[box]

Petes-Router#debug ntp all
NTP events debugging is on
NTP core messages debugging is on
NTP clock adjustments debugging is on
NTP reference clocks debugging is on
NTP packets debugging is on
Petes-Router#
000031: Feb 25 22:07:45.831: NTP message received from 123.123.123.151 on interface 'GigabitEthernet0/0' (123.123.123.148).
000032: Feb 25 22:07:45.835: NTP Core(DEBUG): ntp_receive: message received
000033: Feb 25 22:07:45.835: NTP Core(DEBUG): ntp_receive: peer is 0x67A57898, next action is 1.
Petes-Router#
000034: Feb 25 22:07:54.967: NTP message received from 123.123.123.151 on interface 'GigabitEthernet0/0' (123.123.123.148).
000035: Feb 25 22:07:54.967: NTP Core(DEBUG): ntp_receive: message received
000036: Feb 25 22:07:54.971: NTP Core(DEBUG): ntp_receive: peer is 0x67A57898, next action is 1.
Petes-Router#

[/box]

Causes:

This is a pretty generic error, but in this case, one of the following situations can cause this;

1. UDP Port 123 is blocked between Windows and the Cisco NTP device.

2. The Cisco NTP device has not synchronised from a reliable NTP source.

3. The stratum of the Cisco NTP device is too high.

4. Windows is attempting to sync time using ‘Symmetric Active Mode NTP’. See my comments above.
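The Step 2 explanation and causes 2 to 4 above all come down to what is in the first two bytes of the NTP packet: the mode bits (which the 0x8 flag on the Windows peer switches from symmetric active to client) and the stratum the Cisco device advertises. As an added example, not code from the article, the Python below builds a client-mode request, evaluates two constructed replies from a router (one synchronised at stratum 5 as set by ntp master 5, one unsynchronised reporting stratum 16 with the leap-indicator alarm set) and computes the clock offset from the four NTP timestamps. The usability test applies the NTP protocol's own rules (server mode reply, no alarm, stratum 1 to 15); the exact stratum threshold Windows applies is not stated in the article, so it is not encoded here. All packets and timestamps are constructed, and the function names are mine.

```python
"""Minimal NTP client-mode exchange, evaluated offline against constructed
server replies. Added example; not code from the original article."""
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MODE_SYMMETRIC_ACTIVE = 1      # what Windows sends by default (no 0x8 flag)
MODE_CLIENT = 3                # what a Cisco 'ntp server' / 'ntp master' expects
MODE_SERVER = 4                # the reply to a client-mode request
LI_ALARM = 3                   # leap indicator 3 = clock not synchronised


def to_ntp(unix_ts):
    """Unix float seconds -> (seconds, fraction) halves of a 64-bit NTP timestamp."""
    secs = int(unix_ts)
    frac = int((unix_ts - secs) * (1 << 32))
    return secs + NTP_EPOCH_OFFSET, frac


def from_ntp(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(transmit_ts, mode=MODE_CLIENT, version=4):
    """48-byte NTP packet; only the LI/VN/Mode byte and Transmit Timestamp are set."""
    pkt = bytearray(48)
    pkt[0] = (version << 3) | mode            # LI=0, version, mode
    struct.pack_into("!II", pkt, 40, *to_ntp(transmit_ts))
    return bytes(pkt)


def build_response(request, stratum, recv_ts, xmt_ts, li=0, mode=MODE_SERVER):
    """Constructed server reply: echoes the request's Transmit Timestamp as Originate."""
    pkt = bytearray(48)
    pkt[0] = (li << 6) | (4 << 3) | mode
    pkt[1] = stratum
    pkt[12:16] = b"LOCL"                      # reference ID, constructed
    pkt[24:32] = request[40:48]               # Originate (T1) = client's Transmit
    struct.pack_into("!II", pkt, 32, *to_ntp(recv_ts))   # Receive (T2)
    struct.pack_into("!II", pkt, 40, *to_ntp(xmt_ts))    # Transmit (T3)
    return bytes(pkt)


def evaluate(response, t4):
    """Parse a reply received at client time t4. Returns offset/delay plus whether
    a client should trust it: server mode, no alarm, stratum in 1..15."""
    if len(response) < 48:
        raise ValueError("short NTP packet")
    li, mode, stratum = response[0] >> 6, response[0] & 7, response[1]
    ts = struct.unpack("!8I", response[16:48])
    t1 = from_ntp(ts[2], ts[3])   # Originate: when the client sent the request
    t2 = from_ntp(ts[4], ts[5])   # Receive:   when the server got it
    t3 = from_ntp(ts[6], ts[7])   # Transmit:  when the server replied
    offset = ((t2 - t1) + (t3 - t4)) / 2      # standard NTP clock offset
    delay = (t4 - t1) - (t3 - t2)             # round-trip minus server processing
    if mode != MODE_SERVER:
        reason = "reply is not server mode (mode %d)" % mode
    elif li == LI_ALARM:
        reason = "server reports it is not synchronised"
    elif stratum == 0 or stratum >= 16:
        reason = "stratum %d is not usable" % stratum
    else:
        reason = "ok"
    return {"mode": mode, "stratum": stratum, "offset": offset,
            "delay": delay, "usable": reason == "ok", "reason": reason}


def demo():
    """Constructed exchange: router clock 2 s ahead of the client, 0.1 s each way."""
    t1 = 1000.0                               # client transmit time (client clock)
    req = build_request(t1)
    synced = build_response(req, stratum=5, recv_ts=1002.1, xmt_ts=1002.1)
    unsynced = build_response(req, stratum=16, recv_ts=1002.1, xmt_ts=1002.1,
                              li=LI_ALARM)
    return evaluate(synced, t4=1000.2), evaluate(unsynced, t4=1000.2)


if __name__ == "__main__":
    good, bad = demo()
    print("client request first byte: 0x%02x (mode %d)" % (build_request(0.0)[0], MODE_CLIENT))
    print("synchronised router  :", good)
    print("unsynchronised router:", bad)
```

The two first bytes the script can produce, 0x23 for client mode and 0x21 for symmetric active, are the difference the ,0x8 suffix makes on the manualpeerlist entry; the second reply shows why the router must be synchronised (the show ntp status check above) before Windows will accept it, whatever stratum ntp master was given.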

Related Articles, References, Credits, or External Links

Windows – Setting Domain Time

Cisco ASA – Configuring for NTP

VMware – Setting up ESX NTP Time Sync

Cisco ISE NFR Appliance Setup

KB ID 0001066

Problem

The Cisco ISE NFR appliance is for demos and test bench use, I’m currently building a test lab for ISE so I spun a copy up. I looked at the associated ReadMe.pdf for instructions on the basic setup, and found a hyper-link to the instructions, that didn’t work! bah.

Solution

The appliance comes as an OVA file for importation into vSphere/ESX, I’m assuming you have already imported the appliance.

VMware vSphere – How to Import and Export OVF and OVA Files

1. Default username and Password: Username admin Password ISEc0ld

Cisco ISE NFR Setup Basic IP Addressing.

2. By default the appliance has an IP address of 10.1.100.21; you can see that at the CLI.

[box]ise/admin# show interface[/box]

3. Or here you can see the IP address in the vSphere console.

4. To change the IP (Note: The ISE appliance has two virtual NICs, I'm just changing the default one's IP address).

[box]
ise/admin# configure
ise/admin(config)# interface GigabitEthernet 0
ise/admin(config-GigabitEthernet)# ip address 192.168.200.12 255.255.255.0

Enter ‘Y’ to restart the services.

[/box]

5. To set the default gateway;

[box]
ise/admin(config-GigabitEthernet)# exit
ise/admin(config)# ip default-gateway 192.168.200.1
[/box]

Cisco ISE NFR Set Hostname and DNS Information

6. To change the appliances default domain;

[box]
ise/admin(config)# ip domain-name pnltest1.com

Enter ‘Y’ to restart the services.

[/box]

7. To set the DNS server to use for local lookups;

[box]ise/admin(config)# ip name-server 192.168.200.10

Enter ‘yes’ to restart the services.

[/box]

8. To set the Hostname, simply use the following syntax;

[box]ise/admin(config)# hostname ISE-01 [/box]

Cisco ISE NFR Set NTP Information

9. To set the timezone;

[box]ise/admin(config)# clock timezone GB [/box]

10. To set the NTP servers it's a little more convoluted: you can have up to three, and two are already configured. If you try to delete the pre-configured ones before adding one of your own it will error. So add one, then delete the two factory ones, then you can add up to another two.

[box]

To Add an NTP Server

ise/admin(config)# ntp server 123.123.123.123
To Remove an NTP Server

ise/admin(config)# no ntp server 123.123.123.123

[/box]

11. As usual NTP can take a while to synchronise, I'd go and have a coffee at this point. To test;

[box]ise/admin(config)# show ntp [/box]

12. Save your changes.

13. At this point you should be able to get to the web console.

14. Logged in successfully.

 

Related Articles, References, Credits, or External Links

NA

Set Cisco ASA for Kerberos Authentication

KB ID 0000039

Problem

You want to set up a Cisco ASA to authenticate users (VPN access for example).

Solution

Kerberos can only be used as an authentication protocol on the ASA, so it's fine for allowing VPN connections but not for assigning policies etc. For it to work, both the ASA and the domain need to be showing accurate time (by default Kerberos rejects anything more than 5 minutes out).

Step 1: Set the ASA to get time from an External NTP Server

1. Log onto the ASA > Go to “Enable Mode” > Issue the following command;

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ntp server 130.88.212.143 source outside

[/box]

Note: that's a public time server in the UK (Manchester University) that I use; you may want to use another.

2. To check the ASA has synchronised, issue a 'show ntp status' command.

If you see a message like the following, go and have a coffee.

[box]

Petes-ASA(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec

[/box]

What you are looking for is "Clock is synchronized";

[box]

Petes-ASA(config)# show ntp status
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cdd7b741.119bcc72 (16:13:53.068 UTC Mon Jun 8 2009)
clock offset is 15.0836 msec, root delay is 56.50 msec
root dispersion is 15931.63 msec, peer dispersion is 15890.63 msec

[/box]

3. Save the update to your firewall with a “write mem” command.

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

Step 2 – Set the server(s) you are going to authenticate against to a public NTP Server.

Note: UDP port 123 needs to be open outbound for this to work 🙂

1. Log into the Server > Start > run > cmd {enter}

2. Issue the following four commands;

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update {enter}
net stop "windows time" {enter}
net start "windows time" {enter}
W32TM /resync {enter}

[/box]

Step 3 – Set up the AAA Kerberos in ASDM

1. Log into the ASDM.

2. Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups (top Section) > Add

3. Give the Server group a name i.e. KerberosGroup > Change the protocol to “Kerberos” > OK.

4. Move to the bottom section of the page (Servers In the Selected Group) > Add.

5. Enter the IP Address of the Domain Controller providing Authentication > In the Realm section enter the “Domain Realm.”

Note: To Find out the REALM, on the domain controller issue the following command; [box] set USERDNSDOMAIN [/box]

Note: enter the Realm "IN CAPITALS".

6. Click Apply  > File > “Save running configuration to flash”.

Step 4 – Set up Kerberos AAA from the command line (alternative to Step 3)

[box]

Petes-ASA>
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server KerberosGroup protocol kerberos
Petes-ASA(config-aaa-server-group)# aaa-server KerberosGroup (inside) host 192.1.2.10
Petes-ASA(config-aaa-server-host)# kerberos-realm PETENETLIVE.COM
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)#

[/box]

Step 5 – Test Kerberos Authentication

1. Log into the ASDM.

2. Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups (top Section) > Select the Kerberos Group.

3. In the bottom section click Test.

4. Enter the username and password > OK.

5. It should say that the test was successful.

If it says "Error: Authentication Rejected: Clock skew greater than 300 Seconds" then steps 1 and 2 did not work.

Kerberos Pre-Authentication

Also note: you may need to turn off "Require pre-authentication" on a user by user basis. If so, log onto the domain controller > Start > Run > dsa.msc > Locate the user > Right Click > Properties > Account > Account options (scroll down) > Select "Do not require Kerberos preauthentication".

Caveat: an account with pre-authentication disabled will hand an AS-REP encrypted under its password-derived key to anyone who asks the KDC for one, and that blob can be cracked offline (AS-REP roasting). Only do this for the few accounts that genuinely need it, give them long passwords, and audit which accounts have the flag set.

Related Articles, References, Credits, or External Links

Thanks to Zsolt Horvath at Cisco TAC

Cisco ASA – Configuring for NTP

Cisco ASA – Configuring for NTP

KB ID 0000608

Problem

With NTP there will be two things you want to do: 1) Allow a device behind the ASA to take its time from a public NTP server, and 2) Set the ASA to take its system time from a public NTP server (for accurate date stamps on the logs, and for time-critical things like Kerberos authentication).

Solution

Allow internal host(s) to get system time through the firewall.

1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)# 

[/box]

2. To see which rules are being applied to traffic going OUT through the firewall, run a "show run access-group" command.

[box]

PetesASA(config)# show run access-group

Sample Output

access-group outbound in interface inside
access-group inbound in interface outside

[/box]

Note: If it returns nothing then outbound traffic is NOT being filtered, and NTP should work anyway. In the example above I can see that traffic going IN the inside interface (that's traffic going out, if you think about it!) is being filtered by an access list called 'outbound' (because I give my ACLs sensible names; yours could be called anything!)

3. To allow ALL hosts use the word any, for a specific host use the keyword host. A new access-list line is appended to the end of the ACL and the ASA stops at the first match, so if your ACL already ends with an explicit deny ip any any the new permit will sit below it and never be hit; insert it higher up with the line keyword, or check the order with show access-list.

[box]

Allow all hosts access to NTP

PetesASA(config)# access-list outbound permit udp any any eq 123

Allow one host (10.254.254.1) to NTP

PetesASA(config)# access-list outbound permit udp host 10.254.254.1 any eq 123

[/box]

4.  Finally save the updated config.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
  PetesASA#

[/box]
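As an added example (my own code, not from the article) of why the position of that permit matters, here is a small first-match evaluator in Python for the access-list syntax used above. It takes running-config style lines, orders them the way the ASA does (appended, unless the line carries 'line N'), and reports which line a given packet hits, so you can see that a permit appended below an explicit 'deny ip any any' is never reached, while the same line inserted at the top is. The sample ACL, the host addresses and the tiny port-name map are constructed for the example; the evaluator only understands the any / host / network-mask address forms and 'eq' ports shown on this page, not object-groups or the other ASA keywords.

```python
"""First-match evaluator for the ASA access-list lines shown above.
Added example; not part of the original article."""
import ipaddress

PORT_NAMES = {"ntp": 123}   # the ASA displays well-known ports by name; only ntp is needed here


def _take_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network("%s/%s" % (tok, tokens[i + 1]), strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME [line N] [extended] permit|deny PROTO SRC DST [eq PORT]'.
    Returns None for lines that are not ACEs (remarks, other config)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        return None
    i = 2
    if tokens[i] == "line":
        i += 2
    if tokens[i] == "extended":
        i += 1
    if tokens[i] == "remark":
        return None
    action, proto = tokens[i], tokens[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError("unsupported ACE: " + line)
    src, i = _take_addr(tokens, i + 2)
    dst, i = _take_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return {"name": tokens[1], "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def build_acl(lines):
    """Order the ACEs the way the ASA does: each new line is appended, unless it
    carries 'line N', in which case it is inserted at position N."""
    acl = []
    for line in lines:
        ace = parse_ace(line)
        if ace is None:
            continue
        tokens = line.split()
        if tokens[2] == "line":
            acl.insert(int(tokens[3]) - 1, ace)
        else:
            acl.append(ace)
    return acl


def match(acl, proto, src, dst, dport):
    """First matching ACE wins; falling off the end hits the implicit deny.
    Returns (action, 1-based line number, or None for the implicit deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None


if __name__ == "__main__":
    # Constructed sample: an ACL that already ends in an explicit deny.
    existing = [
        "access-list outbound extended permit tcp any any eq 443",
        "access-list outbound extended deny ip any any",
    ]
    appended = build_acl(existing + ["access-list outbound permit udp host 10.254.254.1 any eq 123"])
    inserted = build_acl(existing + ["access-list outbound line 1 permit udp host 10.254.254.1 any eq 123"])
    for label, acl in (("appended", appended), ("inserted at line 1", inserted)):
        print(label, "->", match(acl, "udp", "10.254.254.1", "130.88.212.143", 123))
```

The same evaluator will tell you whether a host's NTP traffic is caught by an earlier, broader deny, which is quicker than reading hit counters after the fact.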

Set the ASA to get its System Time from an External NTP Source

1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)# 

[/box]

2. The IP address I'm using is in the UK; if you want one more local, look here.

[box]

PetesASA(config)#  ntp server 130.88.212.143 source outside

[/box]

3. To check on its status, execute a "show ntp status" command. BUT it will take a few minutes to synchronise; until it does you will see;

[box]

PetesASA(config)#  show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a01de.60ad92ea (13:04:30.377 UTC Fri May 25 2012)
clock offset is 3414265.0854 msec, root delay is 26.09 msec
root dispersion is 3430186.81 msec, peer dispersion is 16000.00 msec
PetesASA(config)#

[/box]

When it is finally synchronised it will say;

[box]

PetesASA(config)#   show ntp status
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a0f74.a34d5dde (14:02:28.637 UTC Fri May 25 2012)
clock offset is -9.1688 msec, root delay is 25.91 msec
root dispersion is 15915.95 msec, peer dispersion is 15890.63 msec 
PetesASA(config)#

[/box]

4.  Finally save the updated config.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

[/box]

Related Articles, References, Credits, or External Links

Set Cisco ASA for Kerberos Authentication