Wednesday, March 30, 2016

Configure Freeradius on Centos6.7

Need a quick freeradius server up and running on a 64bit CentOS 6.7 VM?


In a previous post I installed freeradius on a 32bit platform and it went very smooth.

Recently I needed to add freeradius service on a X86_64 machine and I noticed there are some differences in the install process.

If you need to stand up freeradius on a 32 bit machine use the instructions from my previous blog: http://thgtn.blogspot.com/2015/06/junos-space-and-free-radius.html

If you need to stand up radius on a X86_64 machine keep reading.

The process is pretty much the same from and I am currently using a CentOS 6.7 VM.

First, we need to grab the freeradius server and the freeradius-utils using the yum repositories.

[root@localhost user]# yum install freeradius
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
base                                                     | 3.7 kB     00:00     
base/primary_db                                          | 4.6 MB     00:01     
extras                                                   | 3.7 kB     00:00     
extras/primary_db                                        | 4.6 MB     00:01     
scl                                                      | 2.9 kB     00:00     
scl/primary_db                                           | 366 kB     00:00     
updates                                                  | 3.7 kB     00:00     
updates/primary_db                                       | 4.6 MB     00:01     
Resolving Dependencies
--> Running transaction check
---> Package freeradius.x86_64 0:2.2.6-4.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch            Version                Repository     Size
================================================================================
Installing:
 freeradius          x86_64          2.2.6-4.el6            base          1.5 M

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 1.5 M
Installed size: 6.3 M
Is this ok [y/N]: y
Downloading Packages:
freeradius-2.2.6-4.el6.x86_64.rpm                        | 1.5 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : freeradius-2.2.6-4.el6.x86_64                                1/1 
  Verifying  : freeradius-2.2.6-4.el6.x86_64                                1/1 

Installed:
  freeradius.x86_64 0:2.2.6-4.el6                                               

Complete!
[root@localhost user]# yum install freeradius-utils
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package freeradius-utils.x86_64 0:2.2.6-4.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch           Version             Repository    Size
================================================================================
Installing:
 freeradius-utils         x86_64         2.2.6-4.el6         base         126 k

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 126 k
Installed size: 243 k
Is this ok [y/N]: y
Downloading Packages:
freeradius-utils-2.2.6-4.el6.x86_64.rpm                  | 126 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : freeradius-utils-2.2.6-4.el6.x86_64                          1/1 
  Verifying  : freeradius-utils-2.2.6-4.el6.x86_64                          1/1 

Installed:
  freeradius-utils.x86_64 0:2.2.6-4.el6                                         

Complete!
[root@localhost user]# 

[root@localhost user]# cd /etc/raddb/
[root@localhost raddb]# ls
acct_users                 eap.conf           proxy.conf
attrs                      example.pl         radiusd.conf
attrs.access_challenge     hints              sites-available
attrs.access_reject        huntgroups         sites-enabled
attrs.accounting_response  modules            sql
attrs.pre-proxy              sql.conf
certs                              sqlippool.conf
clients.conf               panic.gdb          templates.conf
clients.conf.rpmsave       policy.conf        users
dictionary                 policy.txt         users.rpmsave
dictionary.rpmsave         preproxy_users

[root@localhost raddb]# cp clients.conf orig.clients.conf

[root@localhost raddb]# cp clients.conf orig.clients.conf

[root@localhost raddb]# cp users orig.users

ADD THE FOLLOWING STANZA TO THE CLIENTS.CONF FILE

[root@localhost raddb]# vi clients.conf

client 0/0 {
        secret = Test123
        shortname = labuser
        ipv4addr = * #any
        127.0.0.1 == localhost
}

ADD YOUR USERS TO THE USERS FILE

[root@localhost raddb]# vi users

labuser Cleartext-Password := "Test123"

ADD THE ATTRIBUTE TO THE DICTIONARY FILE

[root@localhost raddb]# vi dictionary

ATTRIBUTE       Juniper-Profile         3003    string

EDIT THE INNER-EAP FILE INT THE MODULES DIRECTORY

[root@localhost raddb]# cd modules/
[root@localhost modules]# vi inner-eap

eap inner-eap {
        # This is the best choice for PEAP.
       #default_eap_type = mschapv2
       default_eap_type = peap
        timer_expire     = 60

        #  This should be the same as the outer eap "max sessions"
        max_sessions = 2048

        # Supported EAP-types
        md5 {
        }

START RADIUSD WITH DEBUGGING

[root@localhost raddb]# radiusd -X
radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built on Jul 23 2015 at 20:25:51
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/radrelay
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/dhcp_sqlippool
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/cache
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
  stripped_names = no
  auth = no
  auth_badpass = no
  auth_goodpass = no
 }
 security {
  max_attributes = 200
  reject_delay = 1
  status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
 }
 home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = "auth"
  secret = "testing123"
response_window = 20.000000
  response_timeouts = 1
  max_outstanding = 65536
  require_message_authenticator = yes
  zombie_period = 40
  status_check = "status-server"
  ping_interval = 30
  check_interval = 30
  num_answers_to_alive = 3
  num_pings_to_alive = 3
  revive_interval = 120
  status_check_timeout = 4
  coa {
  irt = 2
  mrt = 16
  mrc = 5
  mrd = 30
  }
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = "testing123"
  nastype = "other"
 }
 client 0/0 {
  require_message_authenticator = no
  secret = "Test123"
  shortname = "labuser"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/raddb/modules/exec
  exec {
  wait = no
  input_pairs = "request"
  shell_escape = yes
  timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
  expiration {
  reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
  logintime {
  reply-message = "You are calling outside your allowed timespan  "
  minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file 
 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/raddb/modules/pap
  pap {
  encryption_scheme = "auto"
  auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
  mschap {
  use_mppe = yes
  require_encryption = no
  require_strong = no
  with_ntdomain_hack = no
  allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/raddb/modules/unix
  unix {
  radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf
  eap {
  default_eap_type = "md5"
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 1024
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
   challenge = "Password: "
   auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
   rsa_key_exchange = no
   dh_key_exchange = yes
   rsa_key_length = 512
   dh_key_length = 512
   verify_depth = 0
   CA_path = "/etc/raddb/certs"
   pem_file_type = yes
   private_key_file = "/etc/raddb/certs/server.pem"
   certificate_file = "/etc/raddb/certs/server.pem"
   CA_file = "/etc/raddb/certs/ca.pem"
   private_key_password = "whatever"
   dh_file = "/etc/raddb/certs/dh"
   fragment_size = 1024
   include_length = yes
   check_crl = no
   cipher_list = "DEFAULT"
   ecdh_curve = "prime256v1"
    cache {
    enable = no
    lifetime = 24
    max_entries = 255
    }
    verify {
    }
    ocsp {
    enable = no
    override_cert_url = yes
    url = "http://127.0.0.1/ocsp/"
    use_nonce = yes
    timeout = 0
    softfail = no
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
   default_eap_type = "md5"
   copy_request_to_tunnel = no
   use_tunneled_reply = no
   virtual_server = "inner-tunnel"
   include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
   default_eap_type = "mschapv2"
   copy_request_to_tunnel = no
   use_tunneled_reply = no
   proxy_tunneled_request_as_eap = yes
   virtual_server = "inner-tunnel"
   soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
   with_ntdomain_hack = no
   send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess
  preprocess {
  huntgroups = "/etc/raddb/huntgroups"
  hints = "/etc/raddb/hints"
  with_ascend_hack = no
  ascend_channels_per_line = 23
  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
  with_alvarion_vsa_hack = no
  }
reading pairlist file /etc/raddb/huntgroups
reading pairlist file /etc/raddb/hints
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
  realm suffix {
  format = "suffix"
  delimiter = "@"
  ignore_default = no
  ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/raddb/modules/files
  files {
  usersfile = "/etc/raddb/users"
  acctusersfile = "/etc/raddb/acct_users"
  preproxy_usersfile = "/etc/raddb/preproxy_users"
  compat = "no"
  }
reading pairlist file /etc/raddb/users
reading pairlist file /etc/raddb/acct_users
reading pairlist file /etc/raddb/preproxy_users
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
  acct_unique {
  key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail
  detail {
  detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  header = "%t"
  detailperm = 384
  dirperm = 493
  locking = no
  log_packet_header = no
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
  attrsfile = "/etc/raddb/attrs.accounting_response"
  key = "%{User-Name}"
  relaxed = no
  }
reading pairlist file /etc/raddb/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
  radutmp {
  filename = "/var/log/radius/radutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  perm = 384
  callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
  attrsfile = "/etc/raddb/attrs.access_reject"
  key = "%{User-Name}"
  relaxed = no
  }
reading pairlist file /etc/raddb/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = *
  port = 0
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
}
listen {
  type = "control"
 listen {
  socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
}
 ... adding new socket proxy address * port 39995
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.


OPEN ANOTHER TERMINAL WINDOW AND RUN A TEST FROM CLI

[user@localhost ~]$ radtest labuser Test123 localhost 0 testing123
Sending Access-Request of id 220 to 127.0.0.1 port 1812
User-Name = "labuser"
User-Password = "Test123"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=220, length=20

WATCH ON THE radiusd -X window and you should see something like the following

rad_recv: Access-Request packet from host 127.0.0.1 port 54612, id=220, length=78
User-Name = "labuser"
User-Password = "Test123"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x173cb7d2ac15e1640a4892f7198a5d24
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "labuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry labuser at line 204
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "Test123"
[pap] Using clear text password "Test123"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 220 to 127.0.0.1 port 54612
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 220 with timestamp +140

Ready to process requests.

SUMMARY

As you can see the radtest worked and the password was accepted by radiusd so we should now be able to start pointing network devices to the radius server.

Posted by at No comments:

Tuesday, March 29, 2016

2-Step Authentication for GMAIL

Secure your GMAIL accounts


If you own a gmail account you need to do this now!

Don't wait! Go to https://www.google.com/landing/2step/ and follow the instructions.

This is probably the ONLY thing that will protect your account.

Posted by at No comments:

Tuesday, March 22, 2016

VoIP using ZoiPer and Asterisk

ZoiPer and Asterisk 



After playing around with different softphones for use with Asterisk in the lab I have stumbled across what I believe to be the best softphone yet! ZoiPer is cross platform (platform independent) and for lab purposes I can download a free copy.

I can't say enough about how easy it is to get ZoiPer up and running on your system compared to any other softphone I have tried on Linux. It is a super clean install, intuitive and simple.

Asterisk has been around for a long time and the ease of installation is just amazingly simple for my lab purposes.

For the lab i'm going to pull down asterisk-1.8 form the asterisk download site and load it on my CentOS VM. My CentOS build is:

[root@localhost asterisk]# uname -a
Linux localhost.localdomain 2.6.32-573.el6.x86_64 #1 SMP Thu Jul 23 15:44:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

INSTALL ASTERISK:

Step 1:
$ sudo su
[sudo] password for junspace:

Make sure we have C Compiler installed:

Step 2:
[root@localhost junspace]# yum install gcc
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirror.rackspace.com
 * extras: cosmos.illinois.edu
 * updates: mirrors.gigenet.com
Package gcc-4.4.7-16.el6.x86_64 already installed and latest version
Nothing to do

Step 3:
[root@localhost home]# wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.8-current.tar.gz

 --2016-03-22 06:29:24--  http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.8-current.tar.gz
Resolving downloads.asterisk.org... 76.164.171.238, 2001:470:e0d4::ee
Connecting to downloads.asterisk.org|76.164.171.238|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29637478 (28M) [application/x-gzip]
Saving to: “asterisk-1.8-current.tar.gz”

 100%[====================================================================================================================================================================>] 29,637,478  4.12M/s   in 7.8s    

 2016-03-22 06:29:32 (3.64 MB/s) - “asterisk-1.8-current.tar.gz” saved [29637478/29637478]

Step 4:
[root@localhost home]# file asterisk-1.8-current.tar.gz 
asterisk-1.8-current.tar.gz: gzip compressed data, from Unix, last modified: Wed Apr  8 12:01:26 2015

 [root@localhost home]# tar zxvf asterisk-1.8-current.tar.gz
asterisk-1.8.32.3/
asterisk-1.8.32.3/Makefile.moddir_rules
asterisk-1.8.32.3/missing
asterisk-1.8.32.3/CREDITS
...

 Step 5:
[root@localhost home]# cd asterisk-1.8.32.3/

 Step 6:
[root@localhost asterisk-1.8.32.3]# ./configure
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
...
configure: Menuselect build configuration successfully completed

               .$$$$$$$$$$$$$$$=..      
            .$7$7..          .7$$7:.    
          .$$:.                 ,$7.7   
        .$7.     7$$$$           .$$77  
     ..$$.       $$$$$            .$$$7 
    ..7$   .?.   $$$$$   .?.       7$$$.
   $.$.   .$$$7. $$$$7 .7$$$.      .$$$.
 .777.   .$$$$$$77$$$77$$$$$7.      $$$,
 $$$~      .7$$$$$$$$$$$$$7.       .$$$.
.$$7          .7$$$$$$$7:          ?$$$.
$$$          ?7$$$$$$$$$$I        .$$$7 
$$$       .7$$$$$$$$$$$$$$$$      :$$$. 
$$$       $$$$$$7$$$$$$$$$$$$    .$$$.  
$$$        $$$   7$$$7  .$$$    .$$$.   
$$$$             $$$$7         .$$$.    
7$$$7            7$$$$        7$$$      
 $$$$$                        $$$       
  $$$$7.                       $$  (TM)     
   $$$$$$$.           .7$$$$$$  $$      
     $$$$$$$$$$$$7$$$$$$$$$.$$$$$$      
       $$$$$$$$$$$$$$$$.                

configure: Package configured for: 
configure: OS type  : linux-gnu
configure: Host CPU : x86_64
configure: build-cpu:vendor:os: x86_64 : unknown : linux-gnu :
configure: host-cpu:vendor:os: x86_64 : unknown : linux-gnu :

Step 7:
[root@localhost asterisk-1.8.32.3]# make && make install && make samples CC="cc" CXX="" LD="" AR="" RANLIB="" CFLAGS="" make -C menuselect CONFIGURE_SILENT="--silent" menuselect make[1]: Entering directory `/home/asterisk-1.8.32.3/menuselect' gcc -g -D_GNU_SOURCE -Wall -c -o menuselect.o menuselect.c gcc -g -D_GNU_SOURCE -Wall -c -o strcompat.o strcompat.c gcc -g -D_GNU_SOURCE -Wall -c -o menuselect_stub.o menuselect_stub.cCREATE SIP USERS/LINES:
...
Config file phoneprov/polycom.xml is unchanged Config file phoneprov/snom-mac.xml is unchanged [root@localhost asterisk-1.8.32.3]# 


Step 8:




[root@localhost yum.repos.d]# cd /etc/asterisk/



[root@localhost asterisk]# 








Step 9:




[root@localhost asterisk]# mv sip.conf orig.sip.conf



[root@localhost asterisk]# mv extensions.conf orig.extensions.conf








Step 10:




[root@localhost asterisk]# vi sip.conf



[general]



port=5060



bindaddr=192.168.2.252








[51000]



type=friend



host=dynamic



secret=51000








[51001]



type=friend



host=dynamic



secret=51001








[51002]



type=friend



host=dynamic



secret=51002





Step 11:





[root@localhost asterisk]# vi extensions.conf



[general]



static=yes



wrtiteprotect=no



priorityjumping=no



autofallthrough=yes



clearglobalvars=no







[default]



exten => 51000,1,Dial(SIP/51000,10)



exten => 51001,1,Dial(SIP/51001,10)



exten => 51002,1,Dial(SIP/51002,10)
















RUN ASTERISK:











[root@localhost asterisk]# asterisk -vvvvc
Privilege escalation protection disabled!
See https://wiki.asterisk.org/wiki/x/1gKfAQ for more details.
Asterisk 1.8.32.3, Copyright (C) 1999 - 2013 Digium, Inc. and others.
Created by Mark Spencer 
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'core show license' for details.
=========================================================================
  == Parsing '/etc/asterisk/extconfig.conf':   == Found
  == Parsing '/etc/asterisk/logger.conf':   == Found









...





Asterisk Ready.
  == Parsing '/etc/asterisk/cli.conf':   == Found
*CLI>  








*CLI> sip show peers
Name/username             Host                                    Dyn Forcerport ACL Port     Status     
51000/51000                 192.168.2.50                             D   N             55929    Unmonitored 
51001/51001                 192.168.2.252                            D   N             45921    Unmonitored 
51002/51002                 192.168.2.254                            D   N             62379    Unmonitored 
3 sip peers [Monitored: 0 online, 0 offline Unmonitored: 3 online, 0 offline]
*CLI> 








INSTALL ZoiPer:











For my lab I used both the Linux and MAC files.







They have excellent install instructions for linux: http://www.zoiper.com/en/voip-softphone/download/zoiper3#linux/step3









Using the SIP account setup on ZoiPer I used the following:







user / user@host: 51000



Password: 51000



Domain / Outbound Proxy: 192.168.2.252:5060







The user is the information we created in the sip.conf file and the domain is the IP address of my CentOS VM running Asterisk: 192.168.2.252:5060 







5060 is the default SIP port.







NOTE: It may be required to open IPTABLES on LINUX to allow udp port 5060 to communicate.







[root@localhost junspace]# iptables -I INPUT -i eth0 -p udp --dport 5060 -j ACCEPT



[root@localhost junspace]# iptables -L | grep sip
ACCEPT     udp  --  anywhere             anywhere            udp dpt:sip 







MAKE A CALL:



I'm going to make a call from 51002 to 51001 and not answer:







    -- Executing [51001@default:1] Dial("SIP/51002-00000006", "SIP/51001,10") in new stack
  == Using SIP RTP CoS mark 5
    -- Called SIP/51001
    -- SIP/51001-00000007 is ringing
    -- Nobody picked up in 10000 ms
    -- Auto fallthrough, channel 'SIP/51002-00000006' status is 'NOANSWER'
  == Using SIP RTP CoS mark 5





Then I make a call from 51002 to 51001 and pick up:



    -- Executing [51001@default:1] Dial("SIP/51002-00000008", "SIP/51001,10") in new stack
  == Using SIP RTP CoS mark 5
    -- Called SIP/51001
    -- SIP/51001-00000009 is ringing
    -- SIP/51001-00000009 answered SIP/51002-00000008
    -- Remotely bridging SIP/51002-00000008 and SIP/51001-00000009



HELLO WATSON _ COME HERE!!!!



SUMMARY:



As you can see all of the ZoiPer clients are working now across 2 different Linux machines and a MAC and communicating to a CentOS VM running Asterisk.








Very simple and clean!
Posted by at No comments:

Monday, March 21, 2016

Link Aggregation Juniper EX-Series Switches

Link Aggregation (LAG)Aggregate Ethernet (AE)Link Aggregation Control Protocol (LACP)


Link Aggregation Group (LAG) is a method to bundle multiple physical interfaces into a single logical interface using IEEE 802.3ad.

There are a couple of advantages to using LAG over a single physical interface.

One advantage is the survivability of the point-to-point link or trunk. If one of the physical interfaces or paths supporting an Aggregate Ethernet (AE) interface is lost the interface will survive (assuming that the AE interface has multiple physical interfaces associated).

Another advantage of an AE is to provided additional bandwidth over a single interface. An EX4300 can support up to a maximum of 16 physical interfaces in a LAG and up to 112 total LAG's per Virtual Chassis (VC).

Configuring LAG is really very simple but first let me discuss some of the guidelines before jumping into actual configuration:
  • LAG must be configured on both sides of the link
  • The interface speed must be the same on both sides of the link
  • Firewall filters can be applied to AE/LAG interfaces
  • When utilizing VC different Line Cards/member interfaces can be used to create the LAG bundle
Link Aggregation Control Protocol (LACP) is used to detect and report configuration errors between the LAG endpoints.
  • Link Aggregation Control Protocol (LACP) can be configured for link protection and negotiation
  • If LACP is not enabled on a LAG bundle the AE could attempt to send all packets to a single remote interface in the LAG.
  • IF LACP is enables the remote end must be configured for LACP as well
  • LACP can be implemented as active or passive but at least one endpoint must be active
  • LACP can utilize slow or fast timers.
Now that we have some of the details lets press on with the configuration.



You'll notice in the diagram that there are two physical interfaces ge-0/0/0 and ge-0/0/2, between ACCESS-1 and AGG-1 that will be used to create our AE interface. Remember that we can have up to 16 physical interfaces in an AE on EX4300 and up to 112 total AE's per VC.

Now lets jump onto the ACCESS-1 switch and configure the LAG Bundle or AE0.

ACCESS-1:

First, tell the device how many AE interfaces will be instantiated on the device. 

NOTE: This is the total AE interfaces being utilized on the device.


junspace@ACCESS-1# set chassis aggregated-devices ethernet device-count 1  

Next, configure the physical interfaces that will be utilized for the AE interface.


junspace@ACCESS-1# delete interfaces ge-0/0/0 unit 0 
junspace@ACCESS-1# delete interfaces ge-0/0/2 unit 0 

NOTE: logical units cannot be assigned to physical interfaces when assigned to an AE.


Configure the physical interface ether-options for 802.3ad and assign it to the logical AE interface.

junspace@ACCESS-1# set interfaces ge-0/0/0 ether-options 802.3ad ae0
junspace@ACCESS-1# set interfaces ge-0/0/2 ether-options 802.3ad ae0

Since the AE interface is a trunk we need to configure it as such.


junspace@ACCESS-1# set interfaces ae0 unit 0 family ethernet-switching port-mode trunk vlan members all

Now we can commit this and take a look at the interfaces:

junspace@ACCESS-1# run show interfaces terse | match ae0 
ge-0/0/0.0              up    up   aenet    --> ae0.0
ge-0/0/2.0              up    up   aenet    --> ae0.0
ae0                     up    up
ae0.0                   up    up   eth-switch

Before we jump to the AGG-1 switch let's configure LACP on the AE interfaces as well.

junspace@ACCESS-1# set interfaces ae0 aggregated-ether-options lacp active
junspace@ACCESS-1# set interfaces ae0 aggregated-ether-options minimum-links 1 

                                         NOTE: the minimum-links 1 knob can be used to make sure that the bandwidth is sufficient at all times. If for example you had 8 physical ge interfaces in a single link and you always wanted to have at least 4 gig available then you would set the minimum-links to 4. For this example we are only using two physical links so I am setting it to 1.

Now commit the configuration and move on to AGG-1.

AGG-1:

junspace@AGG-1# set chassis aggregated-devices ethernet device-count 1

junspace@AGG-1# delete interfaces ge-0/0/0 

junspace@AGG-1# set interfaces ge-0/0/0 ether-options 802.3ad ae0 

junspace@AGG-1# delete interfaces ge-0/0/2

junspace@AGG-1# set interfaces ge-0/0/2 ether-options 802.3ad ae0 

junspace@AGG-1# set interfaces ae0 unit 0 family ethernet-switching port-mode trunk vlan members V100 

junspace@AGG-1# set interfaces ae0 aggregated-ether-options minimum-links 1 

junspace@AGG-1# set interfaces ae0 aggregated-ether-options lacp active

junspace@AGG-1# commit 
configuration check succeeds
commit complete

junspace@AGG-1# run show interfaces terse | match ae0 
ge-0/0/0.0              up    up   aenet    --> ae0.0
ge-0/0/2.0              up    up   aenet    --> ae0.0
ae0                     up    up
ae0.0                   up    up   eth-switch


LACP CHECK:

Now let's check LACP over the AE interface.

junspace@AGG-1# run show lacp statistics interfaces ae0 
Aggregated interface: ae0
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx 
      ge-0/0/0                9932        9966            0            0
      ge-0/0/2                9932        9966            0            0

junspace@AGG-1# run show lacp interfaces    
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/2       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/2     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State 
      ge-0/0/0                  Current   Fast periodic Collecting distributing
      ge-0/0/2                  Current   Fast periodic Collecting distributing

So there are a few things in this output that should be discussed. First, the LACP State table shows our two physical interfaces listed as actor and partner. Next we see Timeout is Fast and that they are both active. In the LACP Protocol table we see that mux state is distributing, and the periodic rate is fast. This periodic rate can be set to slow (every 30 seconds) but this can cause issues with other vendors and its best practice to leave the periodic rate to fast.

We can also see the LACP interaction across the physical links utilizing the monitor traffic command:

junspace@AGG-1# run monitor traffic interface ge-0/0/0 no-resolve detail       
Address resolution is OFF.
Listening on ge-0/0/0, capture size 1514 bytes

22:21:42.651691 Out LACPv1, length 110
Actor Information TLV (0x01), length 20
  System cc:e1:7f:8f:7a:c0, System Priority 127, Key 1, Port 1, Port Priority 127
  State Flags [Activity, Timeout, Aggregation, Synchronization, Collecting, Distributing]
Partner Information TLV (0x02), length 20
  System 78:fe:3d:e4:01:80, System Priority 127, Key 1, Port 1, Port Priority 127
  State Flags [Activity, Timeout, Aggregation, Synchronization, Collecting, Distributing]
Collector Information TLV (0x03), length 16
  Max Delay 0
Terminator TLV (0x00), length 0
22:21:43.120588  In LACPv1, length 110
Actor Information TLV (0x01), length 20
  System 78:fe:3d:e4:01:80, System Priority 127, Key 1, Port 1, Port Priority 127
  State Flags [Activity, Timeout, Aggregation, Synchronization, Collecting, Distributing]
Partner Information TLV (0x02), length 20
  System cc:e1:7f:8f:7a:c0, System Priority 127, Key 1, Port 1, Port Priority 127
  State Flags [Activity, Timeout, Aggregation, Synchronization, Collecting, Distributing]
Collector Information TLV (0x03), length 16
  Max Delay 0
Terminator TLV (0x00), length 0
22:21:43.653671 Out LACPv1, length 110
Actor Information TLV (0x01), length 20
  System cc:e1:7f:8f:7a:c0, System Priority 127, Key 1, Port 1, Port Priority 127
  State Flags [Activity, Timeout, Aggregation, Synchronization, Collecting, Distributing]
Partner Information TLV (0x02), length 20
  System 78:fe:3d:e4:01:80, System Priority 127, Key 1, Port 1, Port Priority 127
  State Flags [Activity, Timeout, Aggregation, Synchronization, Collecting, Distributing]
Collector Information TLV (0x03), length 16
  Max Delay 0
Terminator TLV (0x00), length 0

MAXIMUM-LINKS CHECK:

Now that we have an operational LAG Bundle using ge-0/0/0 and ge-0/0/2 across ae0.0 let's make sure I can ping the host hanging off of ACCESS-1.

junspace@AGG-1# run ping 172.16.100.2 routing-instance VIN 
PING 172.16.100.2 (172.16.100.2): 56 data bytes
64 bytes from 172.16.100.2: icmp_seq=0 ttl=64 time=3.101 ms
64 bytes from 172.16.100.2: icmp_seq=1 ttl=64 time=2.417 ms
64 bytes from 172.16.100.2: icmp_seq=2 ttl=64 time=2.282 ms
^C
--- 172.16.100.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.282/2.600/3.101/0.359 ms

NOTE: I referenced a routing-instance here as my vlan.100 interface was used in a previous lab configuration where i have routing-instances supporting PIM

Now let me disable one of the physical interfaces supporting the LAG bundle and check again.

junspace@AGG-1# set interfaces ge-0/0/2 disable 

{master:0}[edit]
junspace@AGG-1# commit 
configuration check succeeds
commit complete

{master:0}[edit]
junspace@AGG-1# run show interfaces terse | match ae0 
ge-0/0/0.0              up    up   aenet    --> ae0.0
ge-0/0/2.0              up    down aenet    --> ae0.0
ae0                     up    up
ae0.0                   up    up   eth-switch

{master:0}[edit]
junspace@AGG-1# run ping 172.16.100.2 routing-instance VIN    
PING 172.16.100.2 (172.16.100.2): 56 data bytes
64 bytes from 172.16.100.2: icmp_seq=0 ttl=64 time=4.100 ms
64 bytes from 172.16.100.2: icmp_seq=1 ttl=64 time=3.452 ms
^C
--- 172.16.100.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.452/3.776/4.100/0.324 ms

{master:0}[edit]
junspace@AGG-1# run show lacp interfaces 
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/2       Actor    No   Yes    No   No   No   Yes     Fast    Active
      ge-0/0/2     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State 
      ge-0/0/0                  Current   Fast periodic Collecting distributing
      ge-0/0/2            Port disabled     No periodic           Detached


OK so several things here. First I disabled the ge-0/0/2 interface simulating a link break or optic issue (and then committed). Next I checked the interfaces supporting ae0 and see that ge-0/0/2 is indeed down but that ae0.0 is still up. Then I issued a ping to the  host over the LAG and it still works! (Because we have multiple interfaces supporting the logical AE interface).

Then I checked LACP which has discovered that the ge-0/0/2 interfaces is disabled and is no longer distributing or collecting across that interface.

SUMMARY:

Pretty simple and easy to utilize Aggregate Ethernet across a LAN/CAN or WAN to improve the bandwidth available and survivability of connections where required. Just remember to set the chassis aggregated-devices to the number you need and supported on the device and you will be good to go.
Posted by at No comments:
Subscribe to: Posts (Atom)