The Unspoken Truth About Managing Geeks

Must read, spot-on: http://www.computerworld.com/article/2527153/it-management/opinion–the-unspoken-truth-about-managing-geeks.html


CUCM IM change postgres external database

If you need to change the postgres external database for CUCM, there are a few steps to follow:

  1. Change database server name
    1. External server setup -> External databases
  2. Unassign servers and disable persistent chat
    1. Messaging -> Group Chat and Persistent Chat
    2. Change “Persistent Chat Database Assignment” to Unassigned
    3. Uncheck “Enable Persistent Chat” and Save
  3. Assign servers and enable persistent chat
    1. Messaging -> Group Chat and Persistent Chat
    2. Change “Persistent Chat Database Assignment” to Assigned
    3. Check “Enable Persistent Chat” and Save
  4. Restart Cisco XCP Router
  5. Start XCP Text Conference Manager


This blog post helped figure out the process: http://collabtechnotes.blogspot.com/2015/07/postgre-sql-cisco-xcp-message-archiver.html

ADFS MFA with Office 365

We wanted to implement MFA (multi-factor authentication) for our ADFS servers when authenticating to Office 365.  If you just want basic “MFA for all users” then the AD FS GUI will allow you to select your MFA provider and enable it.  I needed a more granular policy:

Only enable MFA if the user is a member of a specific security group AND the user is coming from outside the corporate network AND it is a browser-based authentication request.

The third part of that policy is in place so that users can still use ActiveSync or Skype for Business, since they do not support MFA right now.

Granular ADFS policies are set using “claims”, which can be combined together with “and” statements.  Here are the three claims I needed enabled:

Only enables MFA for a particular security group (uses the group SID; note that the claims language needs straight ASCII quotes):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-2-46-1537777264-XXXXXXXXXXXXX"] &&

Only enables MFA for users outside the corporate network (auth requests that go through the AD FS proxy servers):
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&

Only enables MFA for browser-based requests:
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
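The three conditions are ANDed, so a request only receives the multipleauthn claim (and therefore an MFA prompt) when all three hold. The script below is an added example, not code from the post or from Microsoft: it is a simplified model of how AD FS evaluates this rule against a request's claim set (each condition must be satisfied by some claim of that type; == is an exact match and =~ a regular-expression match), run over constructed claim sets for the cases the post cares about. The WS-Trust endpoint path used for the ActiveSync-style case is an assumption made for the example; it is there to show that a request on an endpoint outside the regex is not challenged, which is exactly why the third clause keeps those clients working.

```python
import re

# Claim types used by the post's rule (the real AD FS claim type URIs).
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
INSIDE_NET = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
ENDPOINT = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
AUTHN_METHOD = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
MULTIPLE_AUTHN = "http://schemas.microsoft.com/claims/multipleauthn"

# The post's masked group SID; substitute the real SID of your MFA group.
MFA_GROUP = "S-1-2-46-1537777264-XXXXXXXXXXXXX"

# The post's rule, with straight ASCII quotes (curly quotes break the claims language).
MFA_RULE = (
    f'c:[Type == "{GROUP_SID}", Value == "{MFA_GROUP}"] && '
    f'c1:[Type == "{INSIDE_NET}", Value == "false"] && '
    f'c2:[Type == "{ENDPOINT}", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] '
    f'=> issue(Type = "{AUTHN_METHOD}", Value = "{MULTIPLE_AUTHN}");'
)

# Simplified parser: handles only the subset of the claim rule language used above,
# i.e. [Type == "...", Value ==|=~ "..."] conditions joined by && and a single issue().
COND_RE = re.compile(r'\[Type == "([^"]+)", Value (==|=~) "([^"]+)"\]')
ISSUE_RE = re.compile(r'issue\(Type = "([^"]+)", Value = "([^"]+)"\)')


def parse_rule(rule):
    """Return ([(claim_type, operator, expected), ...], (issued_type, issued_value))."""
    conditions = COND_RE.findall(rule)
    issue = ISSUE_RE.search(rule)
    if not conditions or issue is None:
        raise ValueError("rule uses syntax this simplified parser does not handle")
    return conditions, (issue.group(1), issue.group(2))


def condition_holds(condition, claims):
    """A condition holds if any claim of that type matches (== exact, =~ regex search)."""
    claim_type, operator, expected = condition
    for ctype, value in claims:
        if ctype != claim_type:
            continue
        if operator == "==" and value == expected:
            return True
        if operator == "=~" and re.search(expected, value):
            return True
    return False


def evaluate(rule, claims):
    """Return the issued (type, value) claim if every condition holds, else None."""
    conditions, issued = parse_rule(rule)
    return issued if all(condition_holds(c, claims) for c in conditions) else None


def requires_mfa(claims, rule=MFA_RULE):
    return evaluate(rule, claims) is not None


def scenarios():
    """Constructed claim sets for the cases the post cares about (not real traffic)."""
    other_group = "S-1-5-21-1111111111-2222222222-3333333333-513"  # constructed SID
    member = [(GROUP_SID, other_group), (GROUP_SID, MFA_GROUP)]  # users carry many group SIDs
    non_member = [(GROUP_SID, other_group)]
    external, internal = (INSIDE_NET, "false"), (INSIDE_NET, "true")
    browser = (ENDPOINT, "/adfs/ls/")
    oauth = (ENDPOINT, "/adfs/oauth2/authorize")
    # Assumed path for a legacy (ActiveSync-style) WS-Trust request; not matched by the regex.
    ws_trust = (ENDPOINT, "/adfs/services/trust/2005/usernamemixed")
    return {
        "member, external, browser": requires_mfa(member + [external, browser]),
        "member, external, oauth2": requires_mfa(member + [external, oauth]),
        "member, external, ws-trust": requires_mfa(member + [external, ws_trust]),
        "member, internal, browser": requires_mfa(member + [internal, browser]),
        "non-member, external, browser": requires_mfa(non_member + [external, browser]),
    }


if __name__ == "__main__":
    for name, mfa in scenarios().items():
        print(f"{name:32} -> {'MFA required' if mfa else 'no MFA'}")
```

The "member, external, ws-trust" case is the one to keep in mind when reviewing this policy: those legacy endpoints are deliberately exempt, so sign-ins through them from outside the network are password-only and worth watching in the AD FS audit logs until the clients can move to MFA-capable authentication.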

To apply these claims, first enable the MFA provider using the GUI.  Open the AD FS management console, click on “Authentication Policies” and then click “Edit Global Multi-Factor Authentication” on the left-hand side.  From there you can select your MFA provider and click “Apply”.  After this, you must use PowerShell.  I also used PowerShell variables to make the process a little cleaner.

PS C:\windows\system32> $mfarule='c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-2-46-1537777264-XXXXXXXXXXXXX"] && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
PS C:\windows\system32> $rpt = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
PS C:\windows\system32> Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules $mfarule

And now you are done!  The following command reverts the changes made back to default:

PS C:\windows\system32> Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules ''

These commands enable MFA just for the Office 365 relying party (so I can have different policies per party).  If you would like to enable these settings on a global scale, use this:

Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfarule

And finally, to see all your changes made:

Get-AdfsRelyingPartyTrust -Name DisplayNameofTrust

———————————————————————————————————————

These blogs were extremely helpful throughout this process:

https://doubledit.co.uk/2015/10/21/adfs-multi-factor-authentication-force-mfa-for-browser-based-access-to-office-365/

http://blog.auth360.net/2014/10/23/mfa-conditional-access-policies-in-ad-fs-2012-r2/

http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx

https://technet.microsoft.com/en-us/library/dn479343(v=wps.630).aspx


ASR 1001-X Show Transceiver

On our new ASR I was looking for a command similar to “show interface XXX transceiver”, but that didn’t exist.  Here are the equivalent commands for the ASR:

To show transceiver hardware details:
#show hw-module interface g0/0/1 transceiver idprom

To show transceiver temp and light levels:
#show hw-module interface g0/0/1 transceiver status