Monday 19 November 2012

Cisco WLC cli ACL creation


Here is a simple example of creating ACLs on a 5500 series wireless controller:

Creating the ACL
config acl create Guest_Acl_10/8 

Adding the rules

config acl rule add Guest_Acl_10/8 1 
config acl rule destination port range Guest_Acl_10/8 1 53 53 
config acl rule destination address Guest_Acl_10/8 1 10.2.249.14 255.255.255.255 
config acl rule protocol Guest_Acl_10/8 1 17 
config acl rule action Guest_Acl_10/8 1 permit 
config acl rule direction Guest_Acl_10/8 1 in 
config acl rule add Guest_Acl_10/8 2 
config acl rule protocol Guest_Acl_10/8 2 17 
config acl rule action Guest_Acl_10/8 2 permit 
config acl rule direction Guest_Acl_10/8 2 out 
config acl rule source port range Guest_Acl_10/8 2 53 53 
config acl rule source address Guest_Acl_10/8 2 10.2.249.14 255.255.255.255 
config acl rule add Guest_Acl_10/8 3 
config acl rule destination port range Guest_Acl_10/8 3 53 53 
config acl rule destination address Guest_Acl_10/8 3 10.2.249.14 255.255.255.255 
config acl rule protocol Guest_Acl_10/8 3 6 
config acl rule action Guest_Acl_10/8 3 permit 
config acl rule direction Guest_Acl_10/8 3 in 
config acl rule add Guest_Acl_10/8 4 
config acl rule protocol Guest_Acl_10/8 4 6 
config acl rule action Guest_Acl_10/8 4 permit 
config acl rule direction Guest_Acl_10/8 4 out 
config acl rule source port range Guest_Acl_10/8 4 53 53 
config acl rule source address Guest_Acl_10/8 4 10.2.249.14 255.255.255.255 
config acl rule add Guest_Acl_10/8 5 
config acl rule destination address Guest_Acl_10/8 5 10.0.0.0 255.0.0.0 
config acl rule direction Guest_Acl_10/8 5 in 
config acl rule add Guest_Acl_10/8 6 
config acl rule direction Guest_Acl_10/8 6 out 
config acl rule source address Guest_Acl_10/8 6 10.0.0.0 255.0.0.0 
config acl rule add Guest_Acl_10/8 7 
config acl rule action Guest_Acl_10/8 7 permit 
config acl rule add Guest_Acl_10/8 65 
config acl apply Guest_Acl_10/8 

Apply the ACL to the guest2 interface

config interface acl guest2 Guest_Acl_10/8 

How it all looks

(Cisco Controller) >show acl detailed Guest_Acl_10/8  

                       Source                        Destination                Source Port  Dest Port
Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter 
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1  In         0.0.0.0/0.0.0.0             10.2.249.14/255.255.255.255   17     0-65535    53-53     Any Permit           0 
     2 Out     10.2.249.14/255.255.255.255         0.0.0.0/0.0.0.0           17    53-53        0-65535  Any Permit           0 
     3  In         0.0.0.0/0.0.0.0             10.2.249.14/255.255.255.255    6     0-65535    53-53     Any Permit           0 
     4 Out     10.2.249.14/255.255.255.255         0.0.0.0/0.0.0.0            6    53-53        0-65535  Any Permit           0 
     5  In         0.0.0.0/0.0.0.0                10.0.0.0/255.0.0.0        Any     0-65535     0-65535  Any   Deny           0 
     6 Out        10.0.0.0/255.0.0.0               0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any   Deny           0 
     7 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit           0 

 DenyCounter : 0 
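To check what this ACL actually allows before applying it to an interface, here is an added example (not from the post) that parses the rule rows of the show output above and evaluates a flow against them with first-match semantics. It assumes the implicit deny at the end of a WLC ACL, and reads In as client-to-wired and Out as wired-to-client, which is how the post's rules use the two directions.

```python
import ipaddress
from collections import namedtuple

# Constructed copy of the rule rows from the post's `show acl detailed Guest_Acl_10/8` output.
SHOW_ACL = """\
     1  In         0.0.0.0/0.0.0.0             10.2.249.14/255.255.255.255   17     0-65535    53-53     Any Permit           0
     2 Out     10.2.249.14/255.255.255.255         0.0.0.0/0.0.0.0           17    53-53        0-65535  Any Permit           0
     3  In         0.0.0.0/0.0.0.0             10.2.249.14/255.255.255.255    6     0-65535    53-53     Any Permit           0
     4 Out     10.2.249.14/255.255.255.255         0.0.0.0/0.0.0.0            6    53-53        0-65535  Any Permit           0
     5  In         0.0.0.0/0.0.0.0                10.0.0.0/255.0.0.0        Any     0-65535     0-65535  Any   Deny           0
     6 Out        10.0.0.0/255.0.0.0               0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any   Deny           0
     7 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit           0
"""

# direction is "In" (client to wired), "Out" (wired to client) or "Any"; proto None means Any;
# sport/dport are inclusive (low, high) tuples; action is "permit" or "deny".
Rule = namedtuple("Rule", "index direction src dst proto sport dport action")

def _range(text):
    low, high = text.split("-")
    return int(low), int(high)

def parse_show_acl(text):
    """Parse the ten-column rule rows; header, separator and counter lines are skipped."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 10 or not f[0].isdigit():
            continue
        rules.append(Rule(int(f[0]), f[1],
                          ipaddress.ip_network(f[2], strict=False),   # "a.b.c.d/mask" form
                          ipaddress.ip_network(f[3], strict=False),
                          None if f[4] == "Any" else int(f[4]),
                          _range(f[5]), _range(f[6]), f[8].lower()))
    return rules

def evaluate(rules, direction, src, dst, proto, sport, dport):
    """Return (action, rule index) for the first matching rule. A flow that matches
    nothing falls to the implicit deny this example assumes at the end of the ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.direction in ("Any", direction) and s in r.src and d in r.dst
                and r.proto in (None, proto)
                and r.sport[0] <= sport <= r.sport[1]
                and r.dport[0] <= dport <= r.dport[1]):
            return r.action, r.index
    return "deny", None
```

Running a few guest flows through it shows the intent of the rule set: DNS (UDP or TCP port 53) to 10.2.249.14 is permitted, everything else into 10/8 hits rule 5 or 6 and is denied, and traffic to addresses outside 10/8 falls through to rule 7.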

Tuesday 23 October 2012

Cisco WLC timeout Values


Here are a couple of settings I recommend having a look at when configuring a WLAN on your Cisco WLC.

The first setting to have a look at is the re-authentication timeout for users that are not currently active on the network, e.g. the device has powered off or gone off site.

config network usertimeout <seconds> 

The second recommended setting is the session-timeout. The session-timeout value affects all users, whether they are active on the network or not, and will force the client to re-authenticate. This setting is applied per WLAN ID. It becomes especially important when your users connect via a captive portal network.

config wlan session-timeout <WLAN ID> <seconds>

Wednesday 8 February 2012

Creating Hidden OSX Users


Create a normal admin account via System Preferences > Users & Groups.
Right-click on the account and go to Advanced Options (shown below).
Run the following command to check the user IDs currently in use:


dscl . list /Users UniqueID    (lists all user IDs in use)
or
dscl . list /Users UniqueID | grep XXX    (returns an account name and ID if it is in use)


where XXX is the ID you wish to use.


Now set the User ID of the account you wish to hide to a unique ID under 500.


Change the home directory to a new location as well, e.g. /var/.macadmin


You now need to move the folder and set permissions for the user:
sudo mv /Users/macadmin /var/.macadmin
sudo chown -R macadmin /var/.macadmin


We also want to remove the Public and Sites folders for this user:
sudo rm -R /var/.macadmin/Public /var/.macadmin/Sites


And finally, hide user IDs below 500:
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
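As an added example (not part of the post), here is a small script that works on saved dscl output: it does the UID check above with an exact match on the UID column (a substring grep such as `grep 50` also matches 501, 450 or 250), finds a free UID below 500, and, going a step beyond the post, lists the accounts that Hide500Users would conceal so an administrator can review them. The dscl output is constructed, and the set of Apple service accounts it filters out is an assumption made for this example.

```python
# Constructed samples of `dscl . list /Users UniqueID` and
# `dscl . list /Users NFSHomeDirectory` output; not captured from a real Mac.
DSCL_UNIQUEID = """\
_www        70
daemon      1
macadmin    450
nobody      -2
root        0
alice       501
"""
DSCL_HOMES = """\
_www        /Library/WebServer
daemon      /var/root
macadmin    /var/.macadmin
nobody      /var/empty
root        /var/root
alice       /Users/alice
"""

# Apple service accounts: underscore-prefixed names plus these three (assumption for this example).
SYSTEM_ACCOUNTS = {"root", "daemon", "nobody"}

def parse_listing(text):
    """Turn dscl's two-column `list /Users <attribute>` output into {name: value}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            entries[parts[0]] = parts[1]
    return entries

def uid_in_use(uniqueid_text, uid):
    """Exact match on the UID column; `grep 50` would also hit 501, 450 or 250."""
    return str(uid) in parse_listing(uniqueid_text).values()

def first_free_uid(uniqueid_text, low=400, high=499):
    """Lowest unused UID in [low, high]; None if the range is exhausted."""
    used = {int(v) for v in parse_listing(uniqueid_text).values()}
    return next((u for u in range(low, high + 1) if u not in used), None)

def hidden_accounts(uniqueid_text, homes_text):
    """Accounts Hide500Users would conceal that are not Apple service accounts,
    with their home directory so an auditor can spot ones kept outside /Users."""
    homes = parse_listing(homes_text)
    found = []
    for name, uid in parse_listing(uniqueid_text).items():
        if int(uid) < 500 and not name.startswith("_") and name not in SYSTEM_ACCOUNTS:
            found.append((name, int(uid), homes.get(name)))
    return found
```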