Friday, June 26, 2015

Pushing CLI Configlets with JUNOS SPACE

CLI (Command Line Interface) Configlets are an exceptional little tool for managing enterprise-wide changes that are the same across multiple platforms.

For example, you can push the same login message/banner to all of your devices with a few clicks.

If you only have one device it may not be such a big deal, but if you have hundreds or thousands of switches, routers or security devices, doing it by hand is time consuming.
                         ....Ain't nobody got time for that!!!!...

If you've worked in the CLI on network devices, you start to notice that large chunks of the configuration are the same across every platform. There may be some deltas between your EX devices and your SRX devices, but CLI Configlets help there as well by letting you set the device family. Categorizing by family lets you pick and choose the groups to push the configlet to.

OK, enough about how cool configlets are. Let's get in the Space GUI and get some!

1.  Open your favorite browser and point it at Space: https://[space-ip]/mainui

2.  Enter your login credentials. Default user = super, password = juniper123


3.  You should now be at the main dashboard


4.  Navigate to CLI Configlets > Configlets


5.  Click the green (+) icon and then fill in the information for your configlet. It is pretty straightforward and user friendly. Unless you are updating physical or logical interfaces with this configlet, choose /device for the context.




6.  Click Next and then click the green (+) icon to add a configlet. Again, this is pretty self-explanatory. My context is device; I give it a parameter name, description, etc. and then click the Add button to add it. You should then see something similar to:



7.  Click the Create button and you wind up with your very own CLI Configlet! It will take you back to the configlet screen and you will see the entry with Name, Domain, Category, etc. To modify, view or even clone that specific configlet, first highlight it and then right-click on it. You will see a menu pop up where you can do all that self-explanatory fun stuff. We are going to skip that to cut down on the length of this post. The REAL purpose of this is to PUSH the configlet to the network device! So let's do that!

First, let's make an observation. When I log into the device now, it has a PRE-configlet message that I put there manually:

                                 ssh space@192.168.1.140
                                 BEFORE THE CONFIGLET!
                                 Password:
                                  --- JUNOS 13.2X50-D19.2 built 2014-05-20 02:56:07 UTC
                                 {master:0}

                                 space@ex2200-1> 

8.  So now let's select the device, an ex2200 that is under the device section. Highlight and right-click on the ex2200 and then navigate to Device Operations > Apply CLI Configlet



9.  Now locate our DEMO configlet and highlight it. The device we selected from the device field should appear below. Click Next and you should see the preview configlet area that we created a few steps ago.





10.  Next you can click Apply. You can also validate the configlet, but let's go ahead and Apply this puppy!



11.  BAM! As you can see, the CLI configlet was applied successfully! Now let's check the SSH login just to verify:


                                 $ ssh space@192.168.1.140
                                 THIS IS THE DEMO MESSAGE. WHEN WE PUSH THIS USING SPACE IT
                                 WILL AUTO MAGICALLY SHOW UP ON THE SWITCH!
                                 SEVERAL CARRIAGE RETURN LINE FEEDS
                                 Password:
                                 --- JUNOS 13.2X50-D19.2 built 2014-05-20 02:56:07 UTC
                                 {master:0}

                                 space@ex2200-1>

12.  Now you have the knowledge on how to create and apply a CLI configlet to not just one device but your entire enterprise if needed.

NOW THAT'S POWERFUL! Not to mention efficient!

Imagine having to log into 100 or 1000 devices and do that by hand. Sure, you could script it, but you would be the only one who really knew how to run it. Now that it is a CLI configlet, you have empowered your entire team to make minor changes to it and push it to the network.

The login message was pretty basic. Think of it in terms of large firewall policies, policers, SNMP client updates, NTP or DNS updates. With a couple of clicks you can update your entire network!

I hope this provides some insight into the power and maturity of JUNOS Space and how you can use this utility to improve your network.

For more information go to: https://www.juniper.net/documentation/en_US/junos-space13.1/platform/information-products/pathway-pages/junos-space-cli-configlets-pwp.html


Tuesday, June 23, 2015

Enabling and utilizing cu for USB to console connections


cu - Call up another system

I know I am upgrading my MBA with a MacBook Pro soon so I wanted to post these instructions before I forget how to get cu to work again :)

First, to get the usbserial ports to work on the Mac, we have to download PL2303_MacOSX_v1.5.1.pkg and install it. (Update 26 Jan 2016: If you have upgraded to El Capitan then refer to these links: http://plugable.com/2011/07/12/installing-a-usb-serial-adapter-on-mac-os-x AND http://plugable.com/drivers/prolific/ )

NOTE: If your Mac complains about the security you'll have to go into System Preferences - Security & Privacy and tell it to install anyway.

Once it does install you have to reboot the laptop.

Upon reboot:

        $ ls /dev/cu.*
        /dev/cu.usbserial

        $ sudo cu -l /dev/cu.usbserial -s 9600
        Connected

        Login: 

To end this session, type ~. (tilde dot) to close it out.


JUNOS SPACE and FreeRADIUS Authentication


Today I had the pleasure of setting up freeradius in my lab and having JUNOS Space authenticate to it.

For those of you running 14.1R2.9 be aware of TSB16642

JUNOS Space 14.1R2.9 has issue with some RADIUS/TACACS authentication configuration  

This was just a quick lab test and I used the following:


  • JUNOS SPACE 14.1R3.4
  • Acer Aspire with fresh load of Fedora
    • Linux acer 4.0.4-301.fc22.i686 #1 SMP Thu May 21 13:43:18 UTC 2015 i686 i686 i386 GNU/Linux
    • dnf install freeradius freeradius-utils

        [root@acer raddb]# dnf search freeradius
        ========================================================
        freeradius.i686 : High-performance and highly configurable free RADIUS server
        freeradius-utils.i686 : FreeRADIUS utilities

Once the package is downloaded, navigate to /etc/raddb

# cp clients.conf orig.clients.conf
# vi clients.conf

  • add the following:

        client 0/0 {
                # This is the shared secret between the Authenticator (the
                # access point) and the Authentication Server (RADIUS).
                secret          = somePassword
                shortname       = junosspace
                ipv4addr        = * # any.  127.0.0.1 == localhost
        }

# cp users orig.users
# vi users

  • add the following:

        edward Cleartext-Password := "spaceRocks"

# vi dictionary

  • add the following to the bottom of the file:

        ATTRIBUTE Juniper-Junosspace-Profiles 3003 String

# cd /etc/raddb/mods-available
# cp eap orig.eap
# vi eap

  • change the default EAP type to peap:

        default_eap_type = peap

# service radiusd restart

Everything should be good to go at this point!
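
A check to run against the clients.conf edited above, as an added example (not from the original post or from FreeRADIUS): it flags client blocks whose address setting matches every source, as `ipv4addr = *` does here, and shared secrets under an assumed 16-character policy minimum. The `space-lab` block, its address 192.0.2.10 and its secret are constructed for contrast.

```python
import ipaddress
import re

# Constructed input: the post's client block plus a scoped one (placeholder IP and secret).
SAMPLE = """
client 0/0 {
        secret          = somePassword
        shortname       = junosspace
        ipv4addr = * # any.  127.0.0.1 == localhost
}
client space-lab {
        secret          = constructed-Long-Secret-41xQz
        shortname       = junosspace
        ipv4addr        = 192.0.2.10
}
"""
CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
MIN_SECRET_LEN = 16  # assumed local policy, not a FreeRADIUS limit


def parse_clients(text):
    """Return {client_name: {key: value}} for every client block."""
    clients = {}
    for name, body in CLIENT_RE.findall(text):
        lines = (ln.split("#", 1)[0] for ln in body.splitlines())  # drop comments
        pairs = (ln.split("=", 1) for ln in lines if "=" in ln)
        clients[name] = {k.strip(): v.strip().strip('"') for k, v in pairs}
    return clients


def is_any_source(value):
    """True when the address setting matches every possible NAS."""
    try:
        return value == "*" or ipaddress.ip_network(value, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname or unparsable value, not a wildcard


def audit(text):
    """Return (client, issue) pairs for over-broad or weakly keyed clients."""
    findings = []
    for name, cfg in parse_clients(text).items():
        for key in ("ipaddr", "ipv4addr", "ipv6addr"):
            if key in cfg and is_any_source(cfg[key]):
                findings.append((name, f"{key} = {cfg[key]} accepts any source"))
        if len(cfg.get("secret", "")) < MIN_SECRET_LEN:
            findings.append((name, f"secret under {MIN_SECRET_LEN} characters"))
    return findings

print(*audit(SAMPLE), sep="\n")
```

Pointing `audit()` at the real file contents (for example `open("/etc/raddb/clients.conf").read()`) gives the same report for a live server; the parser assumes no `#` or braces inside secrets.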

Now let's go to Space and configure our remote user:

  • Log into Space as super (default password is juniper123)
  • Navigate to Administration -> Authentication Servers
    • Check the Use Remote Authentication box
    • Select the Remote-Local Authentication radio button
    • Click the green + icon to add your server
    • Click OK
    • Highlight your server and click Test Connection



  • This shows you have a good connection to the RADIUS server and that the passwords are good
  • Next, navigate to Role Based Access Control -> User Accounts
    • Click User Accounts
    • Click the green Add button
    • Fill in the user information
    • Click Next
    • Check the GUI Access box and then select a role for the user
    • Click Next
    • Select Global domain
    • Click Finish


  • Now, without a password assigned to this user, you should be able to authenticate against the FreeRADIUS server and gain access.
  • First you have to restart radiusd on the server:

        # service radiusd restart

  • Then go to https://[space-address]/mainui and enter your credentials
  • You should now be logged in using remote authentication!!