Extract private key from Cisco private-config

This blog post discusses extracting a private key from Cisco IOS’s private-config file. I recently generated a key-pair on an IOS router and had forgotten to flag it as “exportable”, making it difficult to back up. As the key-pair was used for IPsec authentication it was an important key to back up.

The first step is to recover private-config from the device, which I’m not going to cover in this post. Open the file in a text editor, locate the section that begins “crypto RSA-key-pair” and save the hexadecimal values to a text file. The section will look like this:

crypto RSA-key-pair MyKey 0 1440004978
308204BC 02010030 0D06092A 864886F7 0D010101 05000482 04A63082 04A20201
00028201 0100DE8D 63241465 57356A77 57FC2C3D BBDD8454 F25B6B1A DB487C6D
AA0C1157 F665AF18 08EFC785 C23D3185 06F3D51A 42C94F06 5A97756A C83693C6
...

When saving to a text file, omit the header line beginning “crypto RSA-key-pair”; only the hexadecimal values are required.
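As an added example (not the blog’s own code): the hex block above is a DER-encoded PKCS#8 PrivateKeyInfo, and the Python below walks its tag/length headers over the three truncated sample lines quoted above (constructed input), confirming the rsaEncryption OID and the modulus size without needing the full key material.

```python
# Added example (not the blog's own code): walk the DER headers of the
# "crypto RSA-key-pair" hex block. The bytes are a PKCS#8 PrivateKeyInfo.
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"

# Constructed from the three (truncated) hex lines quoted in the post.
SAMPLE_DUMP = """
308204BC 02010030 0D06092A 864886F7 0D010101 05000482 04A63082 04A20201
00028201 0100DE8D 63241465 57356A77 57FC2C3D BBDD8454 F25B6B1A DB487C6D
AA0C1157 F665AF18 08EFC785 C23D3185 06F3D51A 42C94F06 5A97756A C83693C6
"""

def dump_to_bytes(text: str) -> bytes:
    """Strip whitespace from the IOS hex dump and decode it to raw DER."""
    return bytes.fromhex("".join(text.split()))

def read_header(buf: bytes, pos: int):
    """Return (tag, length, offset of the value) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos

def decode_oid(raw: bytes) -> str:
    """Decode DER OID content bytes (base-128 arcs) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def describe_key_dump(text: str) -> dict:
    """Read the PKCS#8 wrapper and RSA modulus size from the headers only."""
    buf = dump_to_bytes(text)
    tag, outer_len, pos = read_header(buf, 0)       # PrivateKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("dump does not start with a DER SEQUENCE")
    _, n, pos = read_header(buf, pos)               # version INTEGER
    version, pos = buf[pos], pos + n
    _, alg_len, pos = read_header(buf, pos)         # AlgorithmIdentifier
    _, oid_len, oid_pos = read_header(buf, pos)     # its OID
    oid, pos = decode_oid(buf[oid_pos:oid_pos + oid_len]), pos + alg_len
    _, key_len, pos = read_header(buf, pos)         # OCTET STRING (RSAPrivateKey)
    _, _, pos = read_header(buf, pos)               # RSAPrivateKey SEQUENCE
    _, n, pos = read_header(buf, pos)               # its version INTEGER
    _, mod_len, pos = read_header(buf, pos + n)     # modulus INTEGER
    sign_pad = 1 if buf[pos] == 0 else 0            # leading 0x00 keeps it positive
    return {"outer_len": outer_len, "version": version, "algorithm": oid,
            "rsa_key_len": key_len, "modulus_bits": (mod_len - sign_pad) * 8}
```

With a complete dump, dump_to_bytes() yields the DER that `openssl pkey -inform DER` reads directly, which is all a backup copy of the key needs.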

Configure Cisco IOS DHCP to use vendor class IDs

The IOS DHCP server can be configured to provide different address information to clients based on information they provide via DHCP option 60.

DHCP Option 60 is the “vendor class identifier option” that allows the DHCP client to identify its type so that custom configuration can be applied.

Configuring the DHCP Client

For custom address configuration to be applied the client must specify option 60. This is configured with the “ip dhcp client class-id XXX” command, where XXX is an ASCII label to use. For example:

interface Vlan10
  description ** Corporate LAN - Management Address **
  ip dhcp client class-id CUSTOM_CLASS
  ip address dhcp
  end

Configuring the DHCP Server

To configure the IOS DHCP server you must specify a default class and then a class that will match against DHCP option 60. When matching against option 60 you must convert the ASCII string the client sends (e.g. “CUSTOM_CLASS”) to hexadecimal.

ip dhcp class DEFAULT
  remark IP addresses for devices not providing a class-id
!
ip dhcp class CUSTOM_CLASS
  remark IP addresses for devices providing "CUSTOM_CLASS"
  option 60 hex 435553544f4d5f434c415353

With the classes defined, the DHCP pool configuration can be split into the custom class and a default:

ip dhcp pool LAN
  network 192.168.0.0 255.255.255.0
  default-router 192.168.0.254
  class CUSTOM_CLASS
    address range 192.168.0.210 192.168.0.220
  class DEFAULT
    address range 192.168.0.0 192.168.0.200

If this doesn’t work the following debug commands may be helpful in identifying the cause of the problem:

debug ip dhcp server class
debug ip dhcp server packet detail

Public Key authentication on Cisco IOS

I rely on SSH pretty heavily, be it for remotely managing a handful of Linux systems or connecting to Cisco routers. I do this from my laptop and more recently – my phone. Rather than type passwords all the time (which can be tricky on on-screen keyboards) I decided to set up public key authentication for the Cisco routers I use.

Cisco IOS has supported public key authentication (for RSA keys only) since IOS 15. If you don’t already have a public/private RSA key-pair you can use PuTTYgen (free, open-source) to generate them. If you’re a Linux user you can use the “ssh-keygen” command.

To set up RSA public key authentication, enter global configuration mode and issue the “ip ssh pubkey-chain” command. Then specify the username you want to provide a key for:

Router(config)#ip ssh pubkey-chain
Router(conf-ssh-pubkey)#username admin
Router(conf-ssh-pubkey-user)#key-string

Now, paste the data part of your public key: the base64 block between “ssh-rsa” and the trailing comment in the line below.

ssh-rsa AAAAB.....aaa== rsa-key-20130820
