ADFS MFA with Office 365

We wanted to implement MFA (multi-factor authentication) for our ADFS servers when authenticating to Office 365.  If you just want basic “MFA for all users” then the AD FS GUI will allow you to select your MFA provider and enable.  I needed a more granular policy:

Only enable MFA if the user is a member of a specific security group AND the user is coming from outside the corporate network AND it is a browser based authentication request

The third part of that policy is in place so that user’s can still use activesync or skype for business, since they do not support MFA right now.

Granular ADFS policies are set using “claims”, which can be combined together with “and” statements.  Here are the three claims I needed enabled:

Only enables MFA for a particular security group (uses the group SID)
c:[Type == “”, Value == “S-1-2-46-1537777264-XXXXXXXXXXXXX”] &&

Only enables MFA for users outside the corporate network (auth requests that go through the AD FS proxy servers)
c1:[Type == “”, Value == “false”] &&

Only enables MFA for browser based requests
c2:[Type == “”, Value =~ “(/adfs/ls)|(/adfs/oauth2)”]

To apply these claims, first enable the MFA provider using the GUI.  Open AD FS, click on “Authentication Policies” and then click “Edit Global Multi-Factor Authentication” on the left-hand side.  From there you can select your MFA provider and click “Apply”.  After this, you must use powershell.  I also used powershell variables to make the process a little cleaner.

PS C:\windows\system32> $mfarule='c:[Type == "", Value == "S-1-2-46-1537777264-XXXXXXXXXXXXX"] && c1:[Type == "", Value == "false"] && c2:[Type == "", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "", Value = "");'
PS C:\windows\system32> $rpt = Get-AdfsRelyingPartyTrust –Name "Microsoft Office 365 Identity Platform"
PS C:\windows\system32> Set-AdfsRelyingPartyTrust –TargetRelyingParty $rpt –AdditionalAuthenticationRules $mfarule

And now you are done!  The following command reverts the changes made back to default:

PS C:\windows\system32> Set-AdfsRelyingPartyTrust –TargetRelyingParty $rpt –AdditionalAuthenticationRules ''

These commands enable MFA just for Office 365 relying party (so I can have different policies per party).  If you would like to enable these settings on a global scale, use this:

Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfarule

And finally, to see all your changes made:

Get-AdfsRelyingPartyTrust -Name DisplayNameofTrust


These blogs were extremely helpful throughout this process:


ASR 1001-X Show Transceiver

On our new ASR I was looking for a command similar to “show interface XXX transceiver”, but that didn’t exist.  Here is the command for the ASR:

To show transceiver hardware details:
#show hw-module interface g0/0/1 transceiver idprom

To show transceiver temp and light levels:
#show hw-module interface g0/0/1 transceiver status

Duo Security – HA Radius Servers

If you are using Duo Security MFA (great solution btw), you may want high-availability for your Duo Radius servers.  Duo doesn’t currently have a “supported” solution for this, but keepalived worked great after a quick call to support.  This is also assuming you have followed Duo’s instructions to install their radius server (found HERE)

Using Ubuntu 14.04, install keepalived (basic instructions:

Radius server #1 config:

vrrp_instance VIP_1 {
 state MASTER
 interface eth0
 virtual_router_id 100
 priority 101
 preempt_delay 30
 advert_int 1
authentication {
 auth_type PASS
  auth_pass password
virtual_ipaddress  { dev eth0

Radius server #2 config:

vrrp_instance VIP_1 {
 state BACKUP
 interface eth0
 virtual_router_id 100
 priority 100
 preempt_delay 30
 advert_int 1
authentication {
 auth_type PASS
  auth_pass password
virtual_ipaddress  { dev eth0

After this was completed, keepalived was up and running, and I could ping/ssh to the VIP. BUT, Duo was not responding to radius requests on the VIP!?  After trying several different options, I called into Duo Support to see if anything could be done.  The support engineer and I discovered that the “interface=” command in authproxy.cfg could be used to bind to an IP address other than the default eth0 address.  This is what I added to the top of the authproxy.cfg:



After I restarted the duoauthproxy service, radius requests completed successfully using the VIP and my HA solution is complete!  Testing shows 1-second failover times between both servers with keepalived.

View the VIP assigned to eth0:

ip addr show eth0

Active Directory Health Check

Migrated a DC and wanted to do some basic AD health checks.

From the cmd prompt (domain joined pc with sufficient privileges or on the DC):

Replication Info:

repadmin /replsummary
repadmin /showrepl

Query FSMO role holders, which should confirm that they are online:

netdom query fsmo

General Server Diagnosis:

dcdiag /a /s:<DC server name>

If you want the DC’s to force sync and see if there are any issues:

repadmin /syncall

Cisco Router Packet Capture and Export

I’ve recently had to troubleshoot some SIP calls going through a Cisco router (CUBE) and needed a way to capture the stream and view it easily.

To do this, you will need:

  1. CLI access to the router
  2. Wireshark installed on your PC
  3. tftp server installed on your PC (I used tftpd found here: LINK)

Here are the steps required:

Log into your router and create the capture policy:

ip traffic-export profile <name> mode capture

Assign the capture profile to the interface:

interface <interface>
ip traffic-export apply <name> size 20000000

Clear any data and start the export:

traffic-export interface <interface> clear
traffic-export interface <interface> start

Test your application (or in my case, a SIP call)

Once the test is complete, stop the export:

traffic-export interface <interface> stop

Export the captured traffic to your PC via tftp:

traffic-export interface <interface> copy tftp:

Use Wireshark to open the file, then click “Telephony” at the top and then “VoIP Calls” to analyze the SIP traffic

Also, if you want to send your logs (in case of a debug) to your PC via tftp, the command is:

show logging | redirect tftp://tftpserver/destinationfilename


Cisco CUCM/CUBE SIP Troubleshooting

Some quick notes on troubleshooting tools in a Cisco SIP Call Manager environment:

Commands on the CUBE router:
show call active voice compact
debug ccsip messages
debug voip ccapi inout

Article on understanding SIP traces:

SIP call flows and troubleshooting:

Using CUCM RTMT Session Trace:

Using TranslaterX as an additional tool to Session Trace:

2 Hour Cisco Live breakout on SIP troubleshooting with CUCM and CUBE:

Nexus C9372PX NX-OS Upgrade

Recently upgraded a pair of C9372PX switches with the following commands:

  1. Copy new .bin file over to switch
    copy scp://username@scpserverIPaddress//n9000-dk9.7.0.3.I1.2.bin bootflash:n9000-dk9.7.0.3.I1.2.bin
  2. Show the impact of installing the new version
    show install all impact nxos bootflash:n9000-dk9.7.0.3.I1.2.bin
  3. Install the new version
    install all nxos bootflash:n9000-dk9.7.0.3.I1.2.bin
  4. After you run the install, it will do the impact evaluation again and ask you to confirm installation
  5. Install took less than 5 minutes and then rebooted

The official Cisco install guide can be found HERE