Open MMC
Add the Certificates snap-in twice: once for My user account and once for Computer account
Check Certificates > Personal in both stores
Export the user cert from the user store (export wizard: PKCS #12 (.PFX) if the private key has to move with it; DER or Base-64 encoded X.509 (.CER) carries the public certificate only)
Import the user cert into the machine's Personal store
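The same export/import done from PowerShell, as an added example (not part of the original notes). It assumes the certificate is found by its subject name (placeholder 'CN=user01'), that its private key was marked exportable when issued, and that the import runs in an elevated session; it also shows the difference between the PKCS #12 path (key travels with the cert) and the DER/Base-64 path (public certificate only).

```powershell
# Added example, not from the original notes. Assumptions: the user cert is
# identified by subject 'CN=user01' (placeholder), its private key is exportable,
# and this runs elevated so the LocalMachine store is writable.
$subject  = 'CN=user01'                        # assumption: replace with the real subject
$pfxPath  = Join-Path $env:TEMP 'user01.pfx'
$cerPath  = Join-Path $env:TEMP 'user01.cer'
$password = Read-Host -AsSecureString 'PFX export password'

# 1. Locate the certificate in the current user's Personal store (MMC: Certificates > Personal)
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in Cert:\CurrentUser\My" }
if (-not $cert.HasPrivateKey) { Write-Warning 'No private key: only a DER/Base-64 export is possible' }

# 2a. PKCS #12 export: certificate plus private key. Fails if the key is non-exportable.
if ($cert.HasPrivateKey) {
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password -ChainOption BuildChain | Out-Null
}
# 2b. DER export: public certificate only (enough to trust the cert, not to authenticate as it)
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
# Base-64 encoded X.509 variant of the same DER file, if a text form is wanted
certutil -encode $cerPath ($cerPath -replace '\.cer$', '.b64.cer') | Out-Null

# 3. Import into the Local Machine Personal store
if ($cert.HasPrivateKey) {
    Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $password | Out-Null
} else {
    Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\My | Out-Null
}

# 4. Verify: same thumbprint now in LocalMachine\My, with a private key when one was exported
$check = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $check) { throw 'Import failed: thumbprint not found in Cert:\LocalMachine\My' }
if ($cert.HasPrivateKey -and -not $check.HasPrivateKey) { throw 'Imported cert lost its private key' }
'{0}  private key present: {1}' -f $check.Thumbprint, $check.HasPrivateKey

# 5. The PFX on disk contains the private key; remove it once the import is verified
Remove-Item $pfxPath -ErrorAction SilentlyContinue
```

If the machine-side consumer is a service account rather than SYSTEM/administrators, the private key's ACL still has to be granted after the import (MMC: Manage Private Keys); the thumbprint check above does not cover that.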
! RADIUS server group pointing at the Duo Authentication Proxy
aaa group server radius DUO-AUTH
 server name DUO-AUTH-PROXY
 ip radius source-interface Vlan2
!
! Default logins try Duo first; "local" is only consulted if the RADIUS
! group returns an error (proxy unreachable), not on an access-reject.
! CON-LOCAL is a local-only list, presumably for line con 0.
aaa authentication login default group DUO-AUTH local
aaa authentication login CON-LOCAL local
!
! Auth and acct both on the proxy's non-standard port 18122.
! Type 7 is reversible obfuscation, not encryption; treat the running config as sensitive.
radius server DUO-AUTH-PROXY
 address ipv4 192.168.1.1 auth-port 18122 acct-port 18122
 pac key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Move away from DH groups 2, 5 and 24.
DH groups 2 (1024-bit MODP), 5 (1536-bit MODP) and 24 (2048-bit MODP with a 256-bit subgroup) are considered insecure. They are deprecated on FTDs running 6.5/6.6 and will be removed in a later version, so every IKEv1 and IPsec/PFS proposal still using them must be moved to group 14 or higher before that upgrade, or the tunnel will fail to negotiate.
Check the 6.7 and 7.1 release notes and search for "group 5".
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-s2s.html?
IKEv1
Find which peers still negotiate a deprecated group:
show vpn-sessiondb detail l2l filter ipaddress x.x.x.x
Look for "D/H Group" in the IKEv1 section
sh crypto isakmp sa detail | i Grp:
sh crypto isakmp sa | i PFS Group 2,
Looking for groups 2 and 5:
sh crypto isakmp sa detail | i Grp:2,
sh crypto isakmp sa detail | i Grp:5,
The "| i" match is a plain substring match, so keep the trailing comma ("Grp:2,") or group 20/21/24 will also match.
Alternatively, copy the full output of "sh crypto isakmp sa detail" to a text file and search it.
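A script version of the "copy the output to a text file and search" step, as an added example (not part of the original notes). It reads saved show output, extracts the group from either a "D/H Group : N" line (vpn-sessiondb) or a "Grp:N," field (isakmp sa detail), and reports each peer against the deprecated list. The $sample text is constructed for the demo; its layout only approximates the real ASA/FTD output, and the assumption that a session block starts with a "Connection :" line is mine.

```powershell
# Added example, not from the original notes. Assumes each session block in the
# saved output starts with "Connection : <peer>" (vpn-sessiondb layout); the
# $sample below is constructed, not a captured transcript.
$deprecatedGroups = 2, 5, 24

function Find-DeprecatedDhGroups {
    param([Parameter(Mandatory)][string[]]$Lines)

    $peer = $null
    foreach ($line in $Lines) {
        # New session block: remember which peer the following fields belong to
        if ($line -match '^\s*Connection\s*:\s*(\S+)') { $peer = $Matches[1]; continue }

        # "D/H Group : 2" (vpn-sessiondb) or "Grp:2," (isakmp sa detail).
        # Anchoring on the digits avoids the substring problem of "| i Grp:2".
        if ($line -match 'D/H Group\s*:\s*(\d+)|Grp:(\d+)') {
            $group = [int]$(if ($Matches[1]) { $Matches[1] } else { $Matches[2] })
            [pscustomobject]@{
                Peer       = $peer
                DhGroup    = $group
                Deprecated = $deprecatedGroups -contains $group
            }
        }
    }
}

# Constructed sample of "show vpn-sessiondb detail l2l" output (layout approximate)
$sample = @'
Session Type: LAN-to-LAN Detailed

Connection   : 203.0.113.10
Protocol     : IKEv1 IPsec
IKEv1:
  Tunnel ID    : 4.1
  D/H Group    : 2

Connection   : 203.0.113.20
Protocol     : IKEv1 IPsec
IKEv1:
  Tunnel ID    : 5.1
  D/H Group    : 14

Connection   : 203.0.113.30
Protocol     : IKEv1 IPsec
IKEv1:
  Tunnel ID    : 6.1
  D/H Group    : 24
'@ -split "`r?`n"

# Real use: $lines = Get-Content .\vpn-sessiondb.txt ; Find-DeprecatedDhGroups -Lines $lines
$results = Find-DeprecatedDhGroups -Lines $sample
$results | Format-Table -AutoSize

$weak = @($results | Where-Object Deprecated)
if ($weak.Count) {
    'Peers to move to group 14 or higher before upgrading: ' + (($weak.Peer | Sort-Object -Unique) -join ', ')
}
```

Run it against the saved output of each firewall before the upgrade window; a peer listed here needs its IKEv1 policy and, where PFS is enabled, its IPsec proposal changed on both ends, since the group must match.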
QoS (PAN-OS), three steps:
Create QoS policy rules that assign matching traffic to a class:
Policies > QoS
Define QoS profiles that give each class its guaranteed and maximum bandwidth:
Network > Network Profiles > QoS Profile
Apply a profile to the egress interface (QoS is enforced on egress):
Network > QoS