Other firewall vendors have been lacking in this area, with functions supporting syslog, NTP, RADIUS, TACACS, etc. and their support of IPv6. These local services have, for the most part, been ignored with regard to IPv6. In this post, I will demo most of these services being deployed on a branch-model SRX.
First, here's the JunOS version deployed and used in these examples.
For IPv6 to work, you need to check and possibly enable IPv6 flow mode, and yes, a reboot is required after committing.
NTP configuration and an IPv6 tcpdump for proof.
Syslog and an IPv6 tcpdump capture of our syslog messages.
RADIUS and IPv6
Take heed to change the authentication order and select RADIUS.
Here are the FreeRADIUS config details for RADIUS: the user is steve and the radius_client NAS is 2001:DB8:199::1.
NOTE ALL RADIUS ACCEPT/REJECT MESSAGES ARE SENT UNENCRYPTED
( TCPDUMP for various radius messages between NAS and RADIUS-Server )
NOTE: Between the NAS client and FreeRADIUS, PAP is the default. You can change this behavior within the JunOS RADIUS options and use CHAP for more security. Ideally, RADIUS+DTLS will encrypt the full transmission, which offers greater security.
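The steps above, gathered into one set-command sequence as an added example; this is not the configuration captured in the original post. The server address 2001:db8:199::10, the shared secret and the login class are placeholders chosen for illustration; only the NAS address 2001:db8:199::1 comes from the post.

```junos
# Added example (not the post's own configuration). Enter from configuration mode.
# 2001:db8:199::10 is a placeholder for the NTP / syslog / RADIUS server.

# 1. IPv6 flow mode on a branch SRX; takes effect only after commit and reboot
set security forwarding-options family inet6 mode flow-based

# 2. NTP over IPv6
set system ntp server 2001:db8:199::10

# 3. Syslog to an IPv6 collector (all facilities, all severities)
set system syslog host 2001:db8:199::10 any any

# 4. RADIUS over IPv6; source-address pins the NAS address the server expects
set system radius-server 2001:db8:199::10 secret "REPLACE-WITH-SHARED-SECRET"
set system radius-server 2001:db8:199::10 source-address 2001:db8:199::1

# Try RADIUS first; local passwords remain listed as the second method
set system authentication-order [ radius password ]

# RADIUS-only users without a local account map to the "remote" template user;
# read-only is an assumed class, pick the least privilege that fits
set system login user remote class read-only

# Operational-mode checks after commit and reboot:
#   show security flow status     (inet6 should report flow based)
#   show ntp associations
```

Using the same source address for RADIUS as the client entry on the FreeRADIUS side matters because the server matches the NAS by source address before it checks the shared secret.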
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \