ADFS MFA with Office 365

We wanted to implement MFA (multi-factor authentication) for our ADFS servers when authenticating to Office 365.  If you just want basic "MFA for all users" then the AD FS GUI will allow you to select your MFA provider and enable it.  I needed a more granular policy:

Only enable MFA if the user is a member of a specific security group AND the user is coming from outside the corporate network AND it is a browser based authentication request

The third part of that policy is in place so that users can still use ActiveSync or Skype for Business, since they do not support MFA right now.

Granular ADFS policies are set using "claims", which can be combined with "and" (&&) operators.  Here are the three claims I needed enabled (straight quotes are required; curly quotes will break the rule):

Only enables MFA for a particular security group (uses the group SID):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-2-46-1537777264-XXXXXXXXXXXXX"] &&

Only enables MFA for users outside the corporate network (auth requests that go through the AD FS proxy servers):
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&

Only enables MFA for browser based requests:
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]

To apply these claims, first enable the MFA provider using the GUI.  Open AD FS, click on "Authentication Policies" and then click "Edit Global Multi-Factor Authentication" on the left-hand side.  From there you can select your MFA provider and click "Apply".  After this, you must use PowerShell.  I also used PowerShell variables to make the process a little cleaner.

PS C:\windows\system32> $mfarule='c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-2-46-1537777264-XXXXXXXXXXXXX"] && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
PS C:\windows\system32> $rpt = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
PS C:\windows\system32> Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules $mfarule

And now you are done!  The following command reverts the changes made back to default:

PS C:\windows\system32> Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules ''

These commands enable MFA just for the Office 365 relying party (so I can have different policies per party).  If you would like to enable these settings on a global scale, use this:

Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfarule

And finally, to see all your changes made:

Get-AdfsRelyingPartyTrust -Name DisplayNameofTrust
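The same three-condition rule as a script, added here as an example and not part of the original post: it resolves the group SID from a group name instead of hand-typing it, applies the rule to the Office 365 relying party, and then reads the rule back to confirm it was stored. The group name 'O365-MFA-Users' is an assumed value; the ActiveDirectory and ADFS modules are assumed to be available on the primary AD FS server.

```powershell
# Added example (not from the original post). Assumes: ActiveDirectory and ADFS
# PowerShell modules present, run as an AD FS admin on the primary server, and
# a group named 'O365-MFA-Users' (assumed name; replace with yours).
Import-Module ActiveDirectory
Import-Module ADFS

$groupName = 'O365-MFA-Users'
$rptName   = 'Microsoft Office 365 Identity Platform'

# Resolve the SID so the rule never carries a hand-typed (and easily mistyped) SID.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# Same three conditions as the post: group member AND outside the corporate
# network (request arrived via the AD FS proxy) AND browser/OAuth endpoint.
# The claim rule language ignores line breaks, so the rule can be split for readability.
$mfaRule = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

$rpt = Get-AdfsRelyingPartyTrust -Name $rptName
if (-not $rpt) { throw "Relying party trust '$rptName' not found" }

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules $mfaRule

# Read the trust back and check the stored rule contains the SID we resolved.
$applied = (Get-AdfsRelyingPartyTrust -Name $rptName).AdditionalAuthenticationRules
if ($applied -notlike "*$groupSid*") {
    throw "MFA rule was not applied to '$rptName'"
}
Write-Host "MFA rule applied to '$rptName' for group $groupName ($groupSid)"
```

The read-back at the end is the part worth keeping in any change script: Set-AdfsRelyingPartyTrust returns nothing on success, so without it a typo in the rule text can go unnoticed until a user outside the network is not prompted for MFA.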

———————————————————————————————————————

These blogs were extremely helpful throughout this process:

https://doubledit.co.uk/2015/10/21/adfs-multi-factor-authentication-force-mfa-for-browser-based-access-to-office-365/

http://blog.auth360.net/2014/10/23/mfa-conditional-access-policies-in-ad-fs-2012-r2/

http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx

https://technet.microsoft.com/en-us/library/dn479343(v=wps.630).aspx


ASR 1001-X Show Transceiver

On our new ASR I was looking for a command similar to “show interface XXX transceiver”, but that didn’t exist.  Here is the command for the ASR:

To show transceiver hardware details:
#show hw-module interface g0/0/1 transceiver idprom

To show transceiver temp and light levels:
#show hw-module interface g0/0/1 transceiver status

Duo Security – HA Radius Servers

If you are using Duo Security MFA (great solution btw), you may want high-availability for your Duo Radius servers.  Duo doesn't currently have a "supported" solution for this, but keepalived worked great after a quick call to support.  This also assumes you have followed Duo's instructions to install their radius server (found HERE).

Using Ubuntu 14.04, install keepalived (basic instructions: https://raymii.org/s/tutorials/Keepalived-Simple-IP-failover-on-Ubuntu.html)

Radius server #1 config:

vrrp_instance VIP_1 {
    state MASTER
    interface eth0
    virtual_router_id 100
    priority 101
    preempt_delay 30
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass password
    }
    virtual_ipaddress {
        10.0.0.1 dev eth0
    }
}

Radius server #2 config:

vrrp_instance VIP_1 {
    state BACKUP
    interface eth0
    virtual_router_id 100
    priority 100
    preempt_delay 30
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass password
    }
    virtual_ipaddress {
        10.0.0.1 dev eth0
    }
}

After this was completed, keepalived was up and running, and I could ping/ssh to the VIP. BUT, Duo was not responding to radius requests on the VIP!?  After trying several different options, I called into Duo Support to see if anything could be done.  The support engineer and I discovered that the “interface=” command in authproxy.cfg could be used to bind to an IP address other than the default eth0 address.  This is what I added to the top of the authproxy.cfg:

[main]
interface=10.0.0.1

[ad_client]
...etc

After I restarted the duoauthproxy service, radius requests completed successfully using the VIP and my HA solution is complete!  Testing shows 1-second failover times between both servers with keepalived.

View the VIP assigned to eth0:

ip addr show eth0

Active Directory Health Check

Migrated a DC and wanted to do some basic AD health checks.

From the cmd prompt (domain joined pc with sufficient privileges or on the DC):

Replication Info:

repadmin /replsummary
repadmin /showrepl

Query FSMO role holders, which should confirm that they are online:

netdom query fsmo

General Server Diagnosis:

dcdiag /a /s:<DC server name>

If you want the DCs to force a sync and see if there are any issues:

repadmin /syncall
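The replication check above, parsed instead of read by eye, as an added example that is not part of the original post: repadmin can emit its /showrepl output as CSV, which PowerShell can filter for partners reporting failures. It assumes repadmin.exe is on the PATH (a DC or a machine with RSAT) and that the account can query every DC; the column names are the ones repadmin emits with /csv.

```powershell
# Added example (not from the original post). Assumes repadmin.exe is available
# and the caller has rights to query all DCs in the forest.
function Get-ReplicationFailures {
    # '*' asks every DC in the forest for its inbound replication status;
    # /csv gives one row per naming-context/partner pair.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv

    # Keep only partners with at least one failure and the columns that
    # explain it (an empty 'Number of Failures' casts to 0).
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

$failures = Get-ReplicationFailures
if ($failures) {
    Write-Warning "Inbound replication failures found:"
    $failures | Format-Table -AutoSize
    exit 1
} else {
    Write-Host "No inbound replication failures reported by any DC"
}
```

Because the script exits non-zero when any partner reports failures, it can be dropped into a scheduled task or monitoring check after a migration rather than run by hand once.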

Cisco Router Packet Capture and Export

I’ve recently had to troubleshoot some SIP calls going through a Cisco router (CUBE) and needed a way to capture the stream and view it easily.

To do this, you will need:

  1. CLI access to the router
  2. Wireshark installed on your PC
  3. tftp server installed on your PC (I used tftpd found here: LINK)

Here are the steps required:

Log into your router and create the capture policy:

ip traffic-export profile <name> mode capture
 bidirectional

Assign the capture profile to the interface:

interface <interface>
ip traffic-export apply <name> size 20000000

Clear any data and start the export:

traffic-export interface <interface> clear
traffic-export interface <interface> start

Test your application (or in my case, a SIP call)

Once the test is complete, stop the export:

traffic-export interface <interface> stop

Export the captured traffic to your PC via tftp:

traffic-export interface <interface> copy tftp:

Use Wireshark to open the file, then click “Telephony” at the top and then “VoIP Calls” to analyze the SIP traffic

Also, if you want to send your logs (in case of a debug) to your PC via tftp, the command is:

show logging | redirect tftp://tftpserver/destinationfilename

Source: https://thevoiceman.wordpress.com/2014/11/28/ip-traffic-exporting-cube/

Cisco CUCM/CUBE SIP Troubleshooting

Some quick notes on troubleshooting tools in a Cisco SIP Call Manager environment:

Commands on the CUBE router:
show call active voice compact
debug ccsip messages
debug voip ccapi inout

Article on understanding SIP traces:
https://supportforums.cisco.com/document/113271/understanding-sip-traces

SIP call flows and troubleshooting:
https://supportforums.cisco.com/document/71131/basic-sip-call-flows-troubleshooting-commands

Using CUCM RTMT Session Trace:
http://www.ucguerrilla.com/2012/03/cisco-cucm-rtmt-session-trace.html

Using TranslatorX as an additional tool to Session Trace:
https://wiklunds.wordpress.com/2013/06/09/sip-traces-from-cucm-in-transla/

2 Hour Cisco Live breakout on SIP troubleshooting with CUCM and CUBE:
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=6098&tclass=popup

Nexus C9372PX NX-OS Upgrade

Recently upgraded a pair of C9372PX switches with the following commands:

  1. Copy new .bin file over to switch
    copy scp://username@scpserverIPaddress//n9000-dk9.7.0.3.I1.2.bin bootflash:n9000-dk9.7.0.3.I1.2.bin
  2. Show the impact of installing the new version
    show install all impact nxos bootflash:n9000-dk9.7.0.3.I1.2.bin
  3. Install the new version
    install all nxos bootflash:n9000-dk9.7.0.3.I1.2.bin
  4. After you run the install, it will do the impact evaluation again and ask you to confirm installation
  5. Install took less than 5 minutes and then rebooted

The official Cisco install guide can be found HERE