Martijn's public notebook

Friday, July 3, 2015

Solving Cisco Universal access point provisioning

We are currently working with Cisco universal access points. In our case, we are using AIR-AP2702I-UXK9 with a 2504 wireless controller. I have used the Cisco guide to set it up:
http://www.cisco.com/c/en/us/td/docs/wireless/access_point/ux-ap/guide/uxap-mobapp-g.html#81980

The process is pretty simple. Create an SSID with Universal AP Admin Support turned on, put it in an AP group and you're set. This works... once. Once I've closed the Cisco AirProvision app and restarted it, the following error occurs:

Not a universal AP
Please connect to a Universal AP to use the application

Resetting, reloading, switching the AP on and off does NOT remove this error. The only way to reset this state is by switching Universal AP Admin Support off (and apply) and then on (and apply) on the provisioning WLAN:

I've seen the error on Software Version 8.0 and 8.1.102.0 of the controller software.

Sunday, January 5, 2014

Basic certificate usage on a Cisco IOS web server - Part 2

In this part, we will address the two errors we’ve encountered in the first example:

- The self-signed certificate

- The signature algorithm

I’ve made a basic set up in GNS3:

R1 will be the CA root; R2 becomes the client.

After basic interface and hostname config, we will set the clock. This is one of the most important things to do, since the certificate validity is based on time/date!

R1(config)#clock timezone AMS 1

R1(config)#exi

R1#clock set 12:57:00 january 5 2014

We will do the same on R2:

R2(config)#clock timezone AMS 1

R2#clock set 12:57:00 january 5 2014

*Jan 5 11:57:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 02:19:01 AMS Fri Mar 1 2002 to 12:57:00 AMS Sun Jan 5 2014, configured from console by console.

Basic root CA config:

R1(config)#crypto pki server R1-root

R1(cs-server)#grant auto

we will automatically assign a certificate after a request.

Jan 4 10:44:00.267: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.

R1(cs-server)#hash sha256

This will address the signature algorithm issue. Cisco IOS will always use MD5 as a default.

R1(cs-server)#issuer-name cn=R1

We will give de CA a really basic name, in a real environment this will be much more descriptive.

R1(cs-server)#no shut

%Some server settings cannot be changed after CA certificate generation.

% Please enter a passphrase to protect the private key

% or type Return to exit

Password:

Re-enter password:

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

% Exporting Certificate Server signing certificate and keys...

Result config:

crypto pki server R1-root

issuer-name cn=R1

grant auto

hash sha256

crypto pki trustpoint R1-root

revocation-check crl

rsakeypair R1-root

crypto pki certificate chain R1-root

certificate ca 01

308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 0B050030

Our very, very basic root CA is now running. Note that a trustpoint is created. This trustpoint contains the public/private key pair of the root CA.

As you will see, a root certificate and RSA keys are generated, but with some default settings. Of course, you can customize this, but you need to make all these decisions beforehand.

Now we will set up a trustpoint on our client router. A trustpoint may be seen as a configuration anchor for certificates. If a new certificate chain is configured, you will make a new trustpoint. It’s as simple as that.

R2 trustpoint configuration:

R2(config)#crypto pki trustpoint R2

R2(ca-trustpoint)#subject-name cn=R2

Again, a basic name

R2(ca-trustpoint)#enrollment terminal

We will do a manual enrollment, for clarity

R2(ca-trustpoint)#hash sha256

Again, sha256 hash.

R2(ca-trustpoint)#exi

Since this is the most basic configuration, we will not do more than this.

We need to give the public key of R1 to R2. This is needed because R2 needs to be sure the certificate received from R1, truly is from R1.

R1(config)#crypto pki export R1-root pem terminal

% The specified trustpoint is not enrolled (R1-root).

% Only export the CA certificate in PEM format.

% CA certificate:

-----BEGIN CERTIFICATE-----

MIIB8zCCAVygAwIBAgIBATANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJSMTAe

-----END CERTIFICATE-----

Now, we will import the CA certificate on R2.

R2(config)#crypto pki authenticate R2

Enter the base 64 encoded CA certificate.

End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----

MIIB8zCCAVygAwIBAgIBATANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJSMTAe

-----END CERTIFICATE-----

Certificate has the following attributes:

Fingerprint MD5: 261B0F52 062F0310 B1459331 D287142C

Fingerprint SHA1: 601F179A 158A2F4B EEDA6CC1 19368902 19B71B29

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported

Now, we will create the certificate for R2:

R2(config)#crypto pki enroll R2

% Start certificate enrollment ..

% The subject name in the certificate will include: cn=R2

% The subject name in the certificate will include: R2

% Include the router serial number in the subject name? [yes/no]: no

Jan 5 12:26:43.311: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair

Since we did not specify the key length, the router assumes the default, 512 bit..

% Include an IP address in the subject name? [no]: no

Display Certificate Request to terminal? [yes/no]: yes

Certificate Request follows:

MIH7MIGmAgEAMCAxCzAJBgNVBAMTAlIyMREwDwYJKoZIhvcNAQkCFgJSMjBcMA0G

---End - This line not part of the certificate request---

Now, on R1 we will request and receive the certificate:

R1#crypto pki server R1-root request pkcs10 terminal

% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.

% End with a blank line or "quit" on a line by itself.

MIH7MIGmAgEAMCAxCzAJBgNVBAMTAlIyMREwDwYJKoZIhvcNAQkCFgJSMjBcMA0G

% Granted certificate:

MIIBsTCCARqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJSMTAe

Here comes the more tricky part. We will import the granted certificate on the trustpoint on R2:

R2(config)#crypto pki import R2 certificate

Enter the base 64 encoded certificate.

End with a blank line or the word "quit" on a line by itself

MIIBsTCCARqgAwIBAgIBAjANBgkqhkiG9w0BAQQFADANMQswCQYDVQQDEwJSMTAe

% Router Certificate successfully imported

This completes the certificate configuration of the R2 router. Now we will tell the R2 HTTPS server that it must use the trustpoint:

R2(config)#ip http secure-trustpoint R2

We will now open the webpage in the Firefox browser:

We’ve solved the first two errors, but received a new issue. As Firefox does not have the R1 root certificate and public key, it implicitly does not trust R2’s certificate (as it is signed by R1). In order to solve this, we need to import R1’s certificate into the trusted root store, containing R1’s signature and public key.

Note the ‘issued by’ field.

Remember the certificate export on R1? We will re-use this information on our Client PC with Firefox browser.

Copy the

-----BEGIN CERTIFICATE-----

MIIB8zCCAVygAwIBAgIBATANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJSMTAe

-----END CERTIFICATE-----

Information to a basic text editor (IE: notepad), and save it as a .cer file and import it into the Firefox (root) authorities certificate store.

Now the certificate chain is complete. We will receive another error, though:

This is because we have entered https://<ip address> instead of https://<host name>, as the certificate was made for R2.

Of course, this can be solved to adding R2 to your local DNS or host file.

After adding R2 to the local hostfile, the browser finally continues without errors.

Basic certificate usage on a Cisco IOS web server - Part 1

Using a Public Key Infrastructure (PKI) on Cisco routers is something that I do not encounter in the field. The only PKI usage I’ve seen is the absolute necessity on DMZ servers (I.E: Netscaler, Citrix AG, TMG, etcetera). It is used more and more frequently in a private organizations, mainly for wireless and in some cases Microsoft Direct Access.

In this entry, I will do a very basic certificate use case on two Cisco routers.

For this example, we will use the Cisco IOS secure HTTP server. Enabling the IOS secure HTTP server without further configuration will automatically generate a self-signed certificate:

R2(config)#ip http secure-server

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

*Mar 1 00:00:43.647: %SSH-5-ENABLED: SSH 1.99 has been enabled

*Mar 1 00:00:43.787: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate

A show run will now show the following:

crypto pki trustpoint TP-self-signed-4279256517

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4279256517

revocation-check none

rsakeypair TP-self-signed-4279256517

crypto pki certificate chain TP-self-signed-4279256517

certificate self-signed 01

3082023A <output omitted for clarity>

quit

More info about the self signed certificate is displayed with the following show commands:

show crypto pki certificates verbose

Router Self-Signed Certificate

Status: Available

Version: 3

Certificate Serial Number: 0x1

Certificate Usage: General Purpose

Issuer:

cn=IOS-Self-Signed-Certificate-4279256517

Subject:

Name: IOS-Self-Signed-Certificate-4279256517

cn=IOS-Self-Signed-Certificate-4279256517

Validity Date:

start date: 00:00:43 UTC Mar 1 2002

end date: 00:00:00 UTC Jan 1 2020

Subject Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (1024 bit)

Signature Algorithm: MD5 with RSA Encryption

Fingerprint MD5: 591700B0 1D5D98A5 AF9C18DD C3595BAB

Fingerprint SHA1: AD09EEAB A9F6A921 F2CBFC00 4797268F 697CE734

X509v3 extensions:

X509v3 Subject Key ID: E3DA9D5B 909C9FFA 6831BE80 F01FCCD6 32D60E10

X509v3 Basic Constraints:

CA: TRUE

X509v3 Subject Alternative Name:

X509v3 Authority Key ID: E3DA9D5B 909C9FFA 6831BE80 F01FCCD6 32D60E10

Authority Info Access:

Associated Trustpoints: TP-self-signed-4279256517

show crypto key mypubkey rsa

% Key pair was generated at: 00:00:43 UTC Mar 1 2002

Key name: TP-self-signed-4279256517

Storage Device: not specified

Usage: General Purpose Key

Key is not exportable.

Key Data:

30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A755F1

BBC33C21 C6784EF2 842876E5 A938574C 325FF0D8 F2421350 FCFB597B B1BB5138

2E56FDAC D55B467C 3507545A 482A5DCD 70DC580F 7F03BA70 ADF750BF 605EC370

DF277E4A F39732B7 9DC6A001 E32541CD 6681B230 7E286450 D0CE9FFF 8038A582

6E47C2D9 9330A0E1 2712840D 85645F36 69036FE7 0DFE6997 FB0D8F61 0F020301 0001

% Key pair was generated at: 00:00:44 UTC Mar 1 2002

Key name: TP-self-signed-4279256517.server

Temporary key

Usage: Encryption Key

Key is not exportable.

Key Data:

307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AF71B8 4ADF80AA

5E542982 7C086554 14FD5E4D F6BDCA14 4E5C5491 3CA562B6 B75E83FA 9EFD5CE8

9CF2AAC5 4338AF70 93852486 52E9A4C1 1B097714 58BFC098 2FCDA1E3 929002BC

2281F739 69EFF9B0 FFF5E17D 1F10B908 40396FAF 18563D0D 59020301 0001

Opening the IOS web page in a Firefox browser will show the following:

As a sidenote, Firefox serves as a great troubleshooting tool, as it generates verbose information about your certificate. In this case, it shows two problems with this certificate:

a) It is self-signed

b) It’s signature algorithm is disabled in this browser (and, most likely, all other browsers)

If you’ve clicked through, viewing the certificate details again shows verbose information:

The router output ( Signature Algorithm: MD5 with RSA Encryption) matches the detailed output:

In the next part, we will address the first two issues with self-signed certificates.