Monday 30 March 2015

How to configure FreeRADIUS server as RADIUS Proxy/Relay

Setup:

FreeRADIUS Server (Linux PC1) ------------ Linux PC2 (router/relay) ------------ AP ---------- Users
10.1.1.1/24                    10.1.1.2/24          10.2.1.2/24            10.2.1.1/24

Details:

1) The users are authenticated by the FreeRADIUS server (Linux PC1).

2) Linux PC2 acts as a router with IP forwarding enabled.

3) On Linux PC2, the RADIUS proxy (relay) must be enabled so that it forwards requests and replies between the users' AP and the FreeRADIUS server.

4) FreeRADIUS is installed on both Linux PCs, one acting as relay and the other as server.

Configuration on the FreeRADIUS server (Linux PC1)

1) Define the users in users.conf
2) Define Linux PC2 as a RADIUS client in clients.conf (with the same shared secret the relay uses, see step 4 of the relay configuration)
3) Start the RADIUS server in debug mode:

radiusd -X


Configuration on Linux PC2 (relay):

Modify the lines below in proxy.conf

1)    # virtual_server = foo   --> change to -->   virtual_server = 10.1.1.1

2) Comment out the lines below

realm LOCAL {
    #  If we do not specify a server pool, the realm is LOCAL, and
    #  requests are not proxied to it.
}

to

#realm LOCAL {
    #  If we do not specify a server pool, the realm is LOCAL, and
    #  requests are not proxied to it.
#}

3) Uncomment the lines below and give the IP address of the RADIUS server

#realm DEFAULT {
#    authhost    = radius.company.com:1600
#    accthost    = radius.company.com:1601
#    secret        = testing123
#}

to

realm DEFAULT {
    authhost    = 10.1.1.1
    accthost    = 10.1.1.1
    secret        = testing123
}

4) The shared secret between the RADIUS server and this relay is "testing123". It must match the secret configured for this relay in the server's clients.conf, otherwise the server silently drops the proxied requests.

5) Start the server which should act as relay, also in debug mode:

radiusd -X


Configuration on the AP

For the AP, the RADIUS server is the immediate server, i.e. here the relay at 10.2.1.2.

Users

Once the users are defined properly on Linux PC1 and the setup is done, the users should get authenticated.
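The shared secret from step 4 is what lets the relay tell a genuine server reply from a forged one: the server's Access-Accept carries a Response Authenticator computed over the packet and the secret. The Python example below is added here (it is not from the post or from FreeRADIUS) and shows that check on constructed packets; the user name, attributes and request authenticator are made up for the demonstration.

```python
# Added example (not from the post): how the relay can check that an Access-Accept
# really came from a server holding the same shared secret (RFC 2865 section 3).
import hashlib
import hmac
import struct

SECRET = b"testing123"          # the relay <-> server secret from proxy.conf above
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def build_packet(code, ident, authenticator, attrs=b""):
    """RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(reply, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()


def verify_reply(reply, request_auth, secret):
    """True only if the reply is well-formed and was produced with our secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = response_authenticator(reply, request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def demo():
    """Constructed exchange: relay sends Access-Request, server answers Access-Accept."""
    request_auth = bytes(range(16))  # constructed; a real client uses 16 random bytes
    user_name = bytes([1, 2 + 5]) + b"alice"            # attribute 1 = User-Name
    request = build_packet(ACCESS_REQUEST, 7, request_auth, user_name)
    # Server side: build the reply, then fill in the Response Authenticator.
    reply_msg = bytes([18, 2 + 5]) + b"Hello"            # attribute 18 = Reply-Message
    draft = build_packet(ACCESS_ACCEPT, request[1], b"\x00" * 16, reply_msg)
    reply = draft[:4] + response_authenticator(draft, request_auth, SECRET) + draft[20:]
    tampered = reply[:-1] + b"X"                          # one attribute byte changed
    return (verify_reply(reply, request_auth, SECRET),
            verify_reply(reply, request_auth, b"wrong-secret"),
            verify_reply(tampered, request_auth, SECRET))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```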

Saturday 28 March 2015

Creating Custom Attributes/Roles in Microsoft LDAP server

Configuring Custom Attributes/Roles on the external LDAP server

  • Open the Management console on the server where Active Directory is installed and complete the following steps.
  • Select Start > Run.
  • Type mmc and press Enter.
  • Select File > Add/Remove Snap-in.
  • Click Add.
  • Select Active Directory Schema from the Available standalone snap-ins list and click Add.
  • Click Close.
  • Right-click the Attributes folder (Console Root/Active Directory Schema/Attributes) and select New > Attribute.

Create the new custom attribute by completing the following steps.
  • Enter TestNew in the Common Name field.
  • Enter TestNew in the LDAP Display Name field.
  • Enter a unique object identifier in the Unique X500 Object ID field.
  • Enter a description of the attribute in the Description field.
  • Select Case Insensitive String in the Syntax list.
  • Click OK.

Close the Management console.


Configuring authorization details on the external LDAP server
  • Open the ADSI Edit dialog box on the server where Active Directory is installed.
  • Select Start > Run.
  • Type adsiedit.msc and press Enter.
  • Right-click CN=User_Name in the CN=Users directory and select Properties, where User_Name is the name of the user you created in "Creating an AD user account".
  • Select TestNew in the Attributes list and click Edit.
  • Add the desired values (the roles) for this user.

Close the ADSI Edit dialog box.

Note: The Unique X500 Object ID can be generated using the Microsoft OID generator script explained in the previous post.

Generate OID for Windows Server Custom Class and Attributes

Generate the OID using the oidgen.vbs script:

1) Copy the script into Notepad and save it as oidgen.vbs
2) Open a command prompt in Windows 7 or 8 and run the command below
cscript oidgen.vbs

3) Copy the generated OID and use it as the prefix for your custom class and attribute OIDs.
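As an added illustration (this is not the oidgen.vbs script itself), the Python below produces a base OID in the same Microsoft format: the GUID-derived arc 1.2.840.113556.1.8000.2554 followed by the GUID split into decimal parts. The exact 4+4+4+4+4+6+6 split and the class/attribute branch convention are assumptions of this example.

```python
# Added example (not the oidgen.vbs script itself): generate a base OID for custom schema
# objects from a fresh GUID, in the format Microsoft's generator uses.
import uuid

# Assumption: Microsoft's arc for GUID-derived customer OIDs, as used by oidgen.vbs.
MS_GUID_ARC = "1.2.840.113556.1.8000.2554"
# Assumption: the 32 hex digits of the GUID are split 4+4+4+4+4+6+6 and written in decimal.
GUID_SLICES = (4, 4, 4, 4, 4, 6, 6)


def oid_from_guid(guid):
    """Turn a GUID into a globally unique base OID under the Microsoft arc."""
    digits = uuid.UUID(str(guid)).hex           # 32 hex digits, no braces or dashes
    parts, pos = [], 0
    for width in GUID_SLICES:
        parts.append(str(int(digits[pos:pos + width], 16)))
        pos += width
    return MS_GUID_ARC + "." + ".".join(parts)


def new_base_oid():
    """Fresh base OID; generate it once and keep it for all your schema extensions."""
    return oid_from_guid(uuid.uuid4())


def schema_oid(base_oid, kind, index):
    """Common convention (assumption): classes under base.1.N, attributes under base.2.N."""
    branch = {"class": 1, "attribute": 2}[kind]
    return f"{base_oid}.{branch}.{index}"


def is_valid_oid(oid):
    """Sanity check before pasting into the 'Unique X500 Object ID' field: numeric arcs, no leading zeros."""
    parts = oid.split(".")
    return len(parts) >= 3 and all(p.isdigit() and (p == "0" or p[0] != "0") for p in parts)


if __name__ == "__main__":
    base = new_base_oid()
    print(base, schema_oid(base, "attribute", 1))  # e.g. the OID for the TestNew attribute
```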


Ref:
http://security.stackexchange.com/questions/26516/what-oid-issuance-policies-are-appropriate-for-smartcard-and-browser-certificate/26518#26518


Friday 27 March 2015

How to Run iperf Traffic on the Same Computer with Two Interfaces


Setup:

           Linux PC/Device ----------- eth1 -------|
                                                   | Ethernet (loopback) cable
                           ----------- eth2 -------|

Requirements:

The iperf traffic should pass externally through the two Ethernet interfaces, which are connected to each other with an Ethernet cable.

Problem:

Linux has a loopback interface (lo). When we ping or send traffic to one of our own interface addresses, it is the loopback interface that replies.

Let's say we have three interfaces on the Linux PC: eth1, eth2 and lo (the loopback interface).

Commands:

ifconfig eth1 10.1.1.1 netmask 255.255.255.0 up
ifconfig eth2 10.2.1.1 netmask 255.255.255.0 up

ifconfig -> verify that the loopback interface is up

ping 10.1.1.1 -> Reply will come

ping 10.2.1.1 -> Reply will come

Now disable loopback interface

ifconfig lo down

ping 10.1.1.1 -> Reply will not come

ping 10.2.1.1 -> Reply will not come

So the problem is that as long as the loopback interface is present, it replies and the packets never leave through the cable. In other words, the kernel detects that the destination is a local address, so the traffic is looped back to the machine itself without going through eth1 or eth2.


Solution

The solution uses iptables NAT rules, as described in the referenced link. The commands below use eth0/eth1 with the real addresses 10.50.0.1/10.50.1.1 and the fake addresses 10.60.0.1/10.60.1.1; substitute eth1/eth2 and your own addresses for the setup above.


ifconfig eth0 10.50.0.1 netmask 255.255.255.0
ifconfig eth1 10.50.1.1 netmask 255.255.255.0
iptables -t nat -L
iptables -t nat -A POSTROUTING -s 10.50.0.1 -d 10.60.1.1 -j SNAT --to-source 10.60.0.1
iptables -t nat -A PREROUTING -d 10.60.0.1 -j DNAT --to-destination 10.50.0.1
iptables -t nat -A POSTROUTING -s 10.50.1.1 -d 10.60.0.1 -j SNAT --to-source 10.60.1.1
iptables -t nat -A PREROUTING -d 10.60.1.1 -j DNAT --to-destination 10.50.1.1
ip route add 10.60.1.1 dev eth0
arp -i eth0 -s 10.60.1.1 00:22:45:f1:18:53 # eth1's mac address
ip route add 10.60.0.1 dev eth1
arp -i eth1 -s 10.60.0.1 02:22:23:f1:18:52 # eth0's mac address
ping 10.60.1.1

Using the above commands it was possible to force the traffic out through the cable. The fake 10.60.x.x destinations are not local addresses, so the kernel sends them out of the interface named in the ip route entry, addressed to the other interface's MAC from the static ARP entry; on arrival the PREROUTING DNAT rule rewrites the destination back to the real address, and the POSTROUTING SNAT rule rewrites the source to the fake address so that the replies take the same path in reverse.

Once the setup is ready, run the iperf server and client on the PC.

# server
iperf -B 10.50.0.1 -s -u -w 256k -l 1KB &
# client
iperf -B 10.50.1.1 -c 10.60.0.1 -u -b 600M -w 256k -l 1KB -P 10 -t 60

Sunday 15 March 2015

Steps for Installing Hyper-V on Windows Server 2012

Prerequisite

In the BIOS settings -> Performance -> Virtualization -> On

Step 1 - Add Hyper-V
  1. In Server Manager, on the Manage menu, click Add Roles and Features.

  2. On the Before you begin page, verify that your destination server and network environment are prepared for the role and feature you want to install. Click Next.

  3. On the Select installation type page, select Role-based or feature-based installation and then click Next.

  4. On the Select destination server page, select a server from the server pool and then click Next.

  5. On the Select server roles page, select Hyper-V.

  6. To add the tools that you use to create and manage virtual machines, click Add Features. On the Features page, click Next.

  7. On the Create Virtual Switches page, Virtual Machine Migration page, and Default Stores page, select the appropriate options.

  8. On the Confirm installation selections page, select Restart the destination server automatically if required, and then click Install.

  9. When installation is finished, verify the installation by opening the All Servers page in Server Manager, selecting a server on which you installed Hyper-V, and viewing the Roles and Features tile on the page for the selected server.

Step 2 - Install the guest operating system

  1. From Hyper-V Manager, in the Virtual Machines section of the results pane, right-click the name of the virtual machine and click Connect.

  2. The Virtual Machine Connection tool opens.

  3. From the Action menu in the Virtual Machine Connection window, click Start.

  4. The virtual machine starts, searches the startup devices, and loads the installation package.

  5. Proceed through the installation.


How to change the Postgres Admin Password?

Reference: http://www.homebrewandtechnology.com/blog/graphicallychangepostgresadminpassword


===========================================================

To do this using the command prompt, it is good to know that on Windows there are two accounts. One is the postgres Windows user account. The other is the database admin account, which is also called postgres.

  • Edit E:\PostgreSQL\9.1\pg_hba.conf and set the localhost method to trust instead of md5. Do not forget to save.
  • Use the usual Windows way to reset the password of the Windows user account.
  • Open a command prompt and use runas to open another command prompt as the postgres user.
  • Open the Services manager and restart the postgresql service. The postgres user account password in the service properties may need to be updated at this step.
  • Now running psql will not ask for any password.
  • Use the following SQL to set the user password:

ALTER USER postgres WITH PASSWORD '<newpassword>';

  • Revert the pg_hba.conf localhost method back to md5.
  • Restart the postgresql service in the Services manager.
======================================================

Batch File for Remote Shutdown and Wake on Demand using Wake-on-LAN

For long weekends or public holidays it is good that all the desktops are shut down. The method below uses the Windows remote shutdown feature and Wake-on-LAN to remotely shut down the desktops and power them on whenever required.


Settings to do on the Target PC

1. Turn on the target PC.
2. Open Run -> secpol.msc
3. In Security Settings, expand "Local Policies -> User Rights Assignment".
4. Double-click "Force shutdown from a remote system".
5. Click "Add User or Group" to add the user (e.g. test).
6. Click "Object Types", select "Built-in security principals" and "Users", and click OK.
7. Go to Advanced -> Find Now, select Administrator, Everyone and the required user (e.g. test), and click OK.
8. Click Apply and then OK.
9. Close the window.

Note: adding Everyone grants this right to every account on the machine; the administrator and the required user (test) are enough for the batch files below.

Open port 445: open TCP port 445 on the target computer

1. Go to Start -> Settings -> Control Panel -> Security Center.
2. Open Windows Firewall -> Exceptions tab.
3. Select the line "File and Printer Sharing" and press OK.
4. If this line is missing, click "Add port" and choose TCP port 445.
5. Then go to Start -> Settings -> Control Panel -> System.
6. Select the Remote tab and check "Allow users to connect remotely to this computer".

Settings to do on the Control PC

1. Turn on the main PC.
2. Open cmd.
3. Use the command: net use \\<Target PC IP> <password> /user:<username> and press Enter.

Example: net use \\10.10.1.10 test /user:test

Note: The IP address used in the net use command should be reachable from the main PC. If it is not reachable, the net use command prints the following error:

 "System error 53 has occurred. The network path was not found".

4. Check that the message "The command completed successfully" is shown.
5. Similarly add the other Target PC IPs.
6. The command "net use" shows a table containing the Target PC entries.
7. Type "shutdown -i"; a Remote Shutdown Dialog box opens.
8. Click Add and enter the target IP address. Repeat the same for all IPs.
9. Select the operation "Shutdown" or "Restart".
10. Configure the warning display time (in seconds) before the shutdown/restart.
11. Give a comment on the task and click OK.

Wake On LAN

WakeOnLan, as the name already suggests, is a tool that can boot or wake a computer (on the same local network) by sending a magic packet to the network adapter of the target computer.

Prerequisites

1. All network cards and BIOSes are compatible with or support the Magic Packet.

2. All PCs should be reachable from the main PC, i.e. from where we are sending the magic packet.

3. The MAC addresses and IP addresses of all PCs.

4. A tool to send the magic packet should be installed on the main PC. You can download wolcmd from http://www.depicus.com/wake-on-lan/wake-on-lan-cmd.aspx


To check if your network card is compatible with magic packets:

  • Right-click My Computer and click Manage.
  • Go to Device Manager / Network Cards.
  • Right-click your network card, then Properties.
  • Search for the following words: "Magic Packet", "Wake On Magic Packet", "Wake On Lan" or "Wake", and verify that all options related to these words are enabled.
  • If you find nothing, you may need to update the drivers of your network card.

BIOS

To check if your BIOS is compatible, follow these steps:

  • Enter the BIOS when you start the computer by pressing ESC, F2, F5, F12 or DEL, depending on your system.
  • Once in the BIOS, go to Power options and enable Wake-On-LAN, or any similar option.

Wake on LAN GUI tool:

  • Launch the Wake on LAN GUI tool.
  • Provide the MAC address, IP address, subnet mask and port of the target PC.
  • Click "Wake me UP".

Wake on LAN command line tool:

  • Open a command prompt and go to the directory where the command line tool is present.
  • Issue the following command:

            wolcmd [mac address] [ipaddress] [subnet mask] [port number]

Batch file wakenow.bat

wolcmd.exe 0007E90E7A66 10.10.10.10 255.0.0.0 9
wolcmd.exe 50E549467AAD 10.10.10.11 255.0.0.0 9
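The Python example below is added here (it is neither wolcmd nor code from the post) to show what the four batch-file arguments become on the wire: the 102-byte magic packet, and a directed broadcast address computed from the IP address and subnet mask, sent over UDP to the given port. The two desktops in the usage block are the ones listed in wakenow.bat.

```python
# Added example (not wolcmd, not from the post): build and send a Wake-on-LAN magic packet
# from the same arguments wolcmd takes: MAC, IP address, subnet mask, port.
import ipaddress
import socket


def parse_mac(mac):
    """Accept '0007E90E7A66', '00:07:E9:0E:7A:66' or '00-07-E9-0E-7A-66'; return 6 bytes."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"MAC address must have 12 hex digits: {mac!r}")
    return bytes.fromhex(digits)


def magic_packet(mac):
    """Six 0xFF bytes followed by the target MAC repeated 16 times (102 bytes in total)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def broadcast_address(ip, mask):
    """Directed broadcast of the target's subnet, e.g. 10.10.10.10/255.0.0.0 -> 10.255.255.255."""
    return str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False).broadcast_address)


def wake(mac, ip, mask, port=9):
    """Send the magic packet as a UDP broadcast (port 9 as in wakenow.bat); returns the destination."""
    dest = (broadcast_address(ip, mask), port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(magic_packet(mac), dest)
    return dest


if __name__ == "__main__":
    # The two desktops from wakenow.bat above.
    for mac, ip in (("0007E90E7A66", "10.10.10.10"), ("50E549467AAD", "10.10.10.11")):
        print("magic packet sent to", wake(mac, ip, "255.0.0.0", 9))
```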


Batch file Sleepnow.bat (the account password is stored in clear text here, so restrict who can read this file)

net use \\10.10.10.10 test /user:test
shutdown -m \\10.10.10.10 -s -t 1 -c "Going to shutdown.... "
net use \\10.10.10.11 test /user:test
shutdown -m \\10.10.10.11 -s -t 1 -c "Going to shutdown.."