In past articles I’ve got my F5 BIG-IP appliance up and running, and I’ve built some web servers to test load balancing. Now to actually connect things together and start testing. Below is my lab setup; I will be deploying simple web load balancing (Static: Round Robin) between three web servers, each serving a simple HTTP web site.
Test F5 to Web Server Connectivity
For obvious reasons the F5 needs to be able to speak to the web servers, so it needs connectivity to them (in my lab it sits on the same network/VLAN). To test that, we can log onto the F5 console directly and ‘ping’ the web servers.
So connectivity is good; let’s make sure we can actually see the web content on those boxes. The best tool for that is curl, which will make a web request, and the web server ‘should’ return some HTML.
[box]curl http://10.2.0.11[/box]
F5 BIG-IP Load Balancing Terminology
Yeah, I said ‘load balancing‘ and not ADC, sue me! There are a number of building blocks that F5 uses, and you need to understand the terminology to put things together. Firstly, let’s look at things BEHIND the F5 appliance;
Node: An actual machine/appliance (be that physical or virtual) that provides some sort of service or collection of services, e.g. a web server, telnet server, FTP site etc.
Pool Member: A combination of a Node AND a Port/Service, e.g. 192.168.1.100:80 (IP address and TCP port 80, i.e. HTTP).
Pool: A logical collection of Pool Members that provide the same service, e.g. a collection of pool members offering a website on TCP port 80.
F5 BIG-IP Adding Nodes
While connected to the web management portal > Local Traffic > Nodes > Create (Note: You can also press the green ‘add’ button on the Node pop-out on newer versions).
Specify a name > Description (optional) > IP address (or FQDN) > ‘Repeat‘ > Continue to add Nodes as required, then click ‘Finished‘.
F5 BIG-IP Adding Pools
Now we have our Nodes, we need to create a Pool. Local Traffic > Pools > Create, (again, on newer versions there’s a green add button on the pop-out).
Add a Name > Description (Optional) > Add an applicable Health Monitor (in our case http) > Select the ‘Node List’ radio button > Select your first Node > Set the Port/Service > Add > Continue to Add the remaining Nodes.
Note: This is where you add the Port/Service to the Node IPs and create the Pool Members.
When all the Nodes are added > ‘Finished‘.
Your web pool ‘should‘ show healthy. Note: that does not mean ALL the nodes are online! The pool status goes green as soon as at least one member passes its health monitor.
To make sure ‘all’ the Nodes are healthy > Go to the Members tab and check each member individually.
F5 BIG-IP Virtual Servers
I’m not a fan of the term ‘Virtual Server‘, I prefer Virtual IP (or VIP), but we are where we are! Above we’ve looked at things BEHIND the F5; now we need to present those services IN FRONT of the F5 (Note: I don’t say publicly, because we deploy plenty of BIG-IP solutions inside networks). So a Virtual Server is the outside IP address or FQDN that a ‘consumer’ will connect to;
Local Traffic > Virtual Servers > Create.
Supply a name > Description (optional) > Destination Address (the ‘available outside’ IP address) > Set the service/port > Scroll down to the bottom.
Set the ‘Default Pool’ to the pool you created (above) > ‘Finished‘.
For a brief overview, or to check what you have created, click Local Traffic > Network Map. Note: This will look different on older versions of the F5.
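As an added example (this is not from the original article), here is the same Node / Pool / Virtual Server build done against the BIG-IP iControl REST API instead of the GUI, followed by the per-member health check you would otherwise do on the Members tab. The management address, the admin credentials, the two extra web server addresses and the VIP 10.1.0.100 are assumptions for this lab; only 10.2.0.11 comes from the article.

```python
"""
Added example, not part of the original article: create the Nodes, the Pool
(with the http monitor, round-robin) and the Virtual Server through the
BIG-IP iControl REST API, then check every pool member instead of trusting
the green pool summary. Addresses other than 10.2.0.11, the credentials and
the VIP are lab assumptions.
"""
import base64
import json
import ssl
import urllib.request

BIGIP = "https://10.2.0.1"          # assumed management address of the BIG-IP
USER, PASSWORD = "admin", "admin"   # assumed lab credentials; change them
WEB_SERVERS = ["10.2.0.11", "10.2.0.12", "10.2.0.13"]  # 10.2.0.11 is the one curl'd above
VIP = "10.1.0.100"                  # assumed 'outside' address for the Virtual Server


def node_name(address):
    """Node names cannot contain dots in this naming scheme, so 10.2.0.11 -> web-10-2-0-11."""
    return "web-" + address.replace(".", "-")


def node_payload(address):
    """ltm node: one per web server (the 'Node' object in the GUI)."""
    return {"name": node_name(address), "address": address}


def pool_payload(name, addresses, port=80, monitor="http"):
    """ltm pool: members are nodename:port, health-checked by the http monitor."""
    return {
        "name": name,
        "monitor": monitor,
        "loadBalancingMode": "round-robin",   # the 'Static: Round Robin' used in this article
        "members": [{"name": f"{node_name(a)}:{port}", "address": a} for a in addresses],
    }


def virtual_payload(name, vip, pool, port=80):
    """ltm virtual: the listener in front of the F5 that hands connections to the pool."""
    return {
        "name": name,
        "destination": f"{vip}:{port}",
        "ipProtocol": "tcp",
        "pool": pool,
        "profiles": [{"name": "http"}],
        # SNAT automap makes the web servers answer back to the BIG-IP's own address,
        # so return traffic works even if the F5 is not their default gateway.
        "sourceAddressTranslation": {"type": "automap"},
    }


def _request(method, path, body=None):
    """Minimal basic-auth JSON call to iControl REST (lab cert is self-signed)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # pin the management certificate in production
    token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    req = urllib.request.Request(
        BIGIP + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())


def member_states(members_json):
    """Reduce a GET .../pool/~Common~NAME/members reply to {member: state}."""
    return {m["name"]: m.get("state", "unknown") for m in members_json.get("items", [])}


def unhealthy(members_json):
    """Members whose monitor state is not 'up'. The pool summary can be green while these exist."""
    return sorted(m for m, s in member_states(members_json).items() if s != "up")


def deploy():
    for address in WEB_SERVERS:
        _request("POST", "/mgmt/tm/ltm/node", node_payload(address))
    _request("POST", "/mgmt/tm/ltm/pool", pool_payload("web-pool", WEB_SERVERS))
    _request("POST", "/mgmt/tm/ltm/virtual", virtual_payload("web-vs", VIP, "web-pool"))
    members = _request("GET", "/mgmt/tm/ltm/pool/~Common~web-pool/members")
    bad = unhealthy(members)
    print("all pool members up" if not bad else f"members not up: {bad}")


if __name__ == "__main__":
    deploy()
```

Run it from a machine that can reach the management interface. The point of the last step is the one made above about the pool status: the summary shows green as soon as a single member passes the http monitor, so `unhealthy()` lists every member whose state is anything other than up, which is what you would otherwise read off the Members tab.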
Then test the service from the outside; here each web server serves a different colour page so I can test it’s working properly.
My Web Page Does Not Change? If you keep seeing the same colour/page, it’s probably because your chosen browser is ‘caching’ web content on your test machine; you may need to disable caching on the browser (or test with curl, which does not cache) for an accurate test. Also bear in mind that round robin picks a pool member per TCP connection, not per page request, so a browser holding a keep-alive connection open will keep landing on the same server until that connection closes.
So that’s Static Round Robin (Equal Ratio) based load balancing. In the next article I’ll look at how you can manipulate the ratios to better suit your hardware and requirements.
Related Articles, References, Credits, or External Links
This was asked as a question on Experts Exchange this week, and it got my interest. A quick search turned up a bunch of posts that said, yes this is possible, and you deploy it with FreeRADIUS and it works great. The problem was, a lot of the information is a little out of date, and some of it is ‘wrong enough’ to make the non-technical types give up. But I persevered, and got it to work.
Disclaimer: This is not an exercise in deploying AnyConnect, I’ve got that covered to death all over the website, use the search function above, or simply go to the following article;
So before proceeding I’ll assume you have AnyConnect setup, and you can connect with a local username.
Disclaimer 2: Please don’t email me with questions like, “Can I take this and integrate it with Active Directory, eDirectory” etc. Or “I’m trying to get this to work with ‘insert name of some Linux distro” and I’m getting an error.
Prerequisite: You will need to have the Google Authenticator app on a device (probably an iOS or Android phone), and have that running and ready to accept a new identity/account.
Solution
Setup FreeRADIUS
I’m not a Linux guru, I just downloaded the latest version of Ubuntu Server (16.04.1 at time of writing) and deployed it as a VM on my ESX host.
Non Linux Types Note: A lot of the commands below require you to either be logged on as root, or ‘su‘ to root (if that’s not an option, you will need to prefix the commands with ‘sudo‘).
Ubuntu Enable Root Account: I quickly learned that these days the root account is disabled by default (for sensible reasons). Strictly it is not FreeRADIUS that needs root, it’s the PAM modules it will call: pam_unix has to read /etc/shadow, and pam_google_authenticator has to read each user’s ~/.google_authenticator file, so in this setup the daemon is run as root (the Google Authenticator module can also keep the secrets in a root-owned location and drop to another user, if you want to avoid that). Running the daemon as root does not actually require the root account to have a password; enabling it here just gives us the root shell used for the commands below, and you can lock it again afterwards.
[box]
sudo passwd root
ENTER AND CONFIRM PASSWORD
sudo passwd -u root
[/box]
Ubuntu: Install Prerequisites: We need to get all current updates, then install NTP (because the authenticator codes are time-based, so the server clock must be right). Then there are some tools that we will need to build the Google Authenticator PAM module (typically git, make, a C compiler, autoconf/automake/libtool and the PAM development headers), plus FreeRADIUS itself.
Install Google Authenticator: This is quite cool (if like me you don’t do a lot of Linux). We clone the source from GitHub, move into the PAM module’s directory, and build and install it. Note: the PAM module has since been moved out of this repository into its own (google/google-authenticator-libpam), so on a current system clone that one instead.
[box]
cd ~
git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
./bootstrap.sh
./configure
make
make install
[/box]
Configuring FreeRADIUS and Google-Authenticator
Ubuntu has nano installed by default, so that’s what I’m going to use; if you’re a sandal-wearing ‘vi’ user, then feel free to use that instead.
First we are going to change FreeRADIUS, so it runs under the ‘root’ account.
[box]nano /etc/freeradius/radiusd.conf[/box]
At the bottom of the file, change the user and group from freerad to root, save the file and exit.
Next we are going to create a group called radius-disabled; then if you need to deny a user access, you can simply make them a member of this group.
[box]addgroup radius-disabled[/box]
Then configure FreeRADIUS to reject members of that group.
[box]nano /etc/freeradius/users[/box]
Locate the commented-out DEFAULT entries, change and un-comment them so they read as follows;
[box]
DEFAULT Group == "radius-disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."

DEFAULT Auth-Type := PAM
[/box]
Then save and exit the file.
Enable PAM (Pluggable Authentication Modules): Edit the following file;
Locate the line with ‘pam’ in it and uncomment it (remove the hash/pound sign).
Exit and save the changes.
Configure FreeRADIUS to use Google Authenticator: Edit the following file;
[box]nano /etc/pam.d/radiusd[/box]
Locate all the lines that start with an ‘@’ symbol and comment them out (prefix them with a “#”), then paste the following text onto the end of the file;
The easiest way to test this is to set up a test user, create a password for them, then assign a Google Authenticator secret to that user on your Linux server;
[box]
adduser tommytester
ENTER AND CONFIRM PASSWORD
su tommytester
ENTER THE PASSWORD
google-authenticator
[/box]
Now you can either scan the QR code into the Google Authenticator app on your phone, or type in the ‘secret-key‘.
Once done, you should be looking at a 6 digit number, that changes every 30 seconds;
Test Authentication on the FreeRADIUS Server first! To do that issue the following command;
Note: the password for tommytester is ‘password‘ and the 6 digit code is appended to the end of it. The testing123 value is the shared secret for the localhost client, set within FreeRADIUS in the /etc/freeradius/clients.conf file. The 18120 is radtest’s NAS-Port argument, not the port the server listens on; as the output shows, the request goes to UDP 1812.
Successful Authentication
[box]
tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302971 localhost 18120 testing123
Sending Access-Request of id 165 to 127.0.0.1 port 1812
User-Name = "tommytester"
User-Password = "password302971"
NAS-IP-Address = 192.168.110.85
NAS-Port = 18120
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=165, length=20
tommytester@RADIUS-HOST:/home/petelong$
[/box]
Unsuccessful Authentication
[box]
tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302973 localhost 18120 testing123
Sending Access-Request of id 36 to 127.0.0.1 port 1812
User-Name = "tommytester"
User-Password = "password302973"
NAS-IP-Address = 192.168.110.85
NAS-Port = 18120
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=36, length=20
tommytester@RADIUS-HOST:/home/petelong$
[/box]
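As an added example, not part of the original article, here is what radtest is doing on the wire, written out in Python: an RFC 2865 Access-Request with the password+OTP string hidden using the shared secret, and verification of the Response Authenticator on the reply. It uses the article’s values (tommytester, password302971, testing123, NAS 192.168.110.85, NAS-Port 18120); the Access-Accept it checks is constructed inside the block rather than received from FreeRADIUS.

```python
"""
Added example, not from the original article: the RADIUS exchange behind
'radtest tommytester password302971 localhost 18120 testing123'.
User-Password hiding per RFC 2865 section 5.2, Message-Authenticator per
RFC 2869 section 5.14, Response Authenticator check per RFC 2865 section 3.
The server reply used in demo() is constructed here, not captured.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to 16-byte blocks; each block is XOR-ed with MD5(secret + previous block),
    where the 'previous block' for the first one is the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: what the server, or anyone holding the secret, does."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, otp, secret, nas_ip, nas_port, request_auth=None):
    """radtest-style request: the OTP is simply appended to the password, as in the article."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password((password + otp).encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # HMAC-MD5 keyed with the shared secret
    return pkt[:-16] + mac, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) from RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Server side; used here only to construct a sample Access-Accept / Access-Reject."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(reply: bytes, request_auth: bytes, secret: bytes):
    """Return the reply code if its Response Authenticator checks out, else None.
    A client that skips this check will accept a forged Access-Accept from anyone
    who can get a UDP packet to it."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return None
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def demo():
    """The successful exchange from the article, id 165, with a constructed 20-byte Access-Accept."""
    secret = b"testing123"   # FreeRADIUS' default localhost secret; change it for real clients
    request, ra = build_access_request(165, "tommytester", "password", "302971",
                                       secret, "192.168.110.85", 18120)
    accept = build_response(ACCESS_ACCEPT, 165, b"", ra, secret)   # constructed server reply
    return verify_response(accept, ra, secret)


if __name__ == "__main__":
    print("Access-Accept verified" if demo() == ACCESS_ACCEPT else "reply rejected")
```

Two things are worth seeing in the code. The User-Password attribute is only XOR-ed with MD5(secret + previous block), so anyone who can capture the RADIUS traffic and knows or guesses a weak shared secret like testing123 recovers both the password and the one-time code. And the only thing standing between a forged Access-Accept and the ASA is the Response Authenticator, an MD5 over the packet and that same secret. Use a long random secret in clients.conf for each client, and keep RADIUS off untrusted networks.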
Troubleshooting: If there’s a problem, make sure that the time on the FreeRADIUS server is correct (is NTP being blocked at the firewall?). Then what I do is SSH into the server from another session and enable debugging, then back at the console test authentication again; you can then see the debugging output on the other screen, which will point you in the right direction.
To enable debugging;
[box]
service freeradius stop
freeradius -XXX
[/box]
Add the Cisco ASA Firewall as a RADIUS Client: You need to add the firewall as a ‘client’ before it can authenticate. Edit the following file;
[box]nano /etc/freeradius/clients.conf[/box]
Add the following text to the end of the file (cisco123 is the shared secret we will enter on the ASA later; for anything other than a lab use a long random secret, because RADIUS hides the password and authenticates the server’s replies using only MD5 and this secret);
On the ASA you create an AAA group, set its authentication type to RADIUS, then add the FreeRADIUS server as a host and specify the secret key you used above. REMEMBER you need to specify the ports (FreeRADIUS listens on 1812/1813, while the ASA defaults to the legacy 1645/1646) or authentication will fail (you get a ‘no response’ error).
Change AnyConnect AAA Authentication Method: With nothing set, your AnyConnect is probably using its LOCAL database of usernames and passwords; we now need to change it to use the RADIUS group we just set up. You do that in the tunnel group’s ‘general-attributes’ section. Issue a show run tun command to see the tunnel groups listed.
[box]
Petes-ASA# show run tun
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
[/box]
Then, under general-attributes, add your RADIUS group as the authentication server group.
Why would you want to do this? Well, what if you want to test slow-link Group Policy processing, or you are testing BranchCache? Using Group Policy you can ‘throttle’ traffic to and from a particular IP address. Below I will pick a domain client on 192.168.110.120 and throttle all traffic between that client and the domain controller to 100 Kbps.
Solution
As I said above, I’m throttling traffic to my domain controller, so I’ll create a GPO and link it to the Domain Controllers OU. Call it something sensible. Note: the Policy-based QoS throttle rate applies to outbound traffic from the machines the policy applies to, so linking it to the Domain Controllers OU throttles the DC-to-client direction; if you want the client-to-DC direction throttled as well, apply a matching policy to the client.
Edit the policy
Navigate to;
Computer Configuration > Policies > Windows Settings > Policy-based QoS > Create new policy.
Give the policy a name and set the throttle rate > Next.
All Applications > Next.
Specify the IP you are throttling traffic to and from > Next.
TCP and UDP > Finish.
Then wait for the policy to apply, or run gpupdate /force on the DC.
Kiosk mode is quite useful if you have some machines that you want to put in a public area for visitors to use, or for machines that are used in displays etc. Or if you have some older PCs that you just want to repurpose as internet terminals or ‘point of sale’ boxes.
Essentially it’s a system that delivers a VMware View virtual desktop to a PC or thin client without the need to authenticate to the Connection Server. Kiosk authentication is disabled by default, so you need to run a few commands to enable it.
Solution
Before starting you will need a Virtual Machine ready to be used for the Kiosk machine. You might want to create this machine with a “nonpersistent” disk.
Note: Alternatively you can create a user whose name matches the MAC address of the client machine and auto-generate a password like so (this assumes the thin client or PC’s MAC address is 3C:4A:92:D3:12:1C).
4. Then allow this connection server to accept kiosk connections with the following command;
[box]vdmadmin -Q -enable -s PNL-CS[/box]
Note: Where PNL-CS is the name of my VMware Connection Server.
5. You can view the settings configured on this connection server with the following command;
[box]vdmadmin -Q -clientauth -list[/box]
6. While still on your connection server open VMware View Administrator, and create a ‘Pool’ for your Kiosk machine.
7. Manual Pool > Next.
8. Dedicated > Next.
9. vCenter virtual machines > Next.
10. Next.
11. Give the pool an ID and Display name > Next.
12. Select the machine you are using as the source for the Kiosk machine > Next.
13. When the pool is created > Entitlements.
14. Add in the group that you created in step 1 > OK.
15. Just check on the ‘desktops’ tab and make sure the machine is listed as ‘available’.
Step 3: Connect to the Kiosk Machine
16. Now from your client machine or thin client, you can execute the following command to open the kiosk session.
Note: In a live environment you may want to make the host machine or thin client automatically log on, and put this command in the ‘Startup’ folder or call it from a startup/logon script, so the machine boots straight into the kiosk virtual machine.
17. All being well, you should be presented with the kiosk VM; note you no longer get the normal VMware View toolbar etc., it will behave as if the machine is in front of you.
I cringed this morning when I was asked about this; last time I had to get a client to authenticate to a domain through a firewall, it was ‘entertaining’. The problem is Windows loves to use RPC, which likes to use random ports, so to make it work you either had to open TCP ports 49152 to 65535 (Yes, I’m Serious). Or you had to registry hack all your domain controllers and specify individual ports for RPC as per MS KB 224196, then allow those ports. I have a client that’s got a separate domain in their DMZ and I need to set up a trust with their internal domain, so I started writing the firewall config. Then when I asked the ‘Do you want to open all these ports, or simply lock RPC down on all the domain controllers?’ question, my colleague found ‘dcerpc’ inspection.
Dcerpc inspection has been available since at least ASA version 7.2; I had never heard of it! Cisco says;
DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
DCERPC inspection maps inspection for native TCP communication between a server called the Endpoint Mapper (EPM) and client on the well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are received from the applicable EPM response messages. Because a client can attempt multiple connections to the server port returned by EPM, creation of multiple pinholes is allowed.
Here’s how to do it with the following topology;
Note: Setting up a ‘Trust’ or allowing a client to ‘Authenticate’ requires the same configuration, but below I will use the IP of the domain controller rather than the IP of the client.
Solution
I’m assuming you ALREADY have access-lists applied to your internal and DMZ interfaces; you may need to replace the names of the ACLs I use below with your own (‘show run access-group’ will tell you).
1. There are a myriad of ports (both TCP and UDP) that you are required to open, those being;
So connect to the ASA, go to enable mode, then global configuration mode, and add the ACLs to open the ports above. BE AWARE the last line enables ICMP/ping (just for testing; you can remove it later, and you will need to have ICMP inspection on for it to work).
6. Give it a test: make sure the machines can ping each other, and you may at this point want to remove the ICMP lines from the ACL. Once you are happy, save the changes.
[box]PetesASA# write mem
Building configuration…
Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7
[OK]
PetesASA#[/box]