Downloading the software

As you know, you have to have a Cisco maintenance agreement as well as an online account linked to that agreement so you can legally download the new IOS. So assuming you meet that criteria and have already downloaded your desired IOS, let’s get started on the upgrade process. If you haven’t downloaded the IOS yet, you can do so at http://support.cisco.com

Prepare for disaster

Ok, maybe that title was a little strong. But you need to backup your existing IOS image as well as your current configuration. If something goes wrong during the upgrade, you’ll want to bring things back as quickly as possible.

• So first, let’s run the TFTP server software. I’m using Tftpd32 available for free at http://tftpd32.jounin.net
• Now from the switch CLI determine your current IOS version by typing:

Router# show version

On my switch the version, as mentioned before, is 12.2(25) SEE3.

• Now locate the current IOS image using the dir command as shown:

Router# dir

From here I can see a directory named c3560-ipbasek9-mz.122-25.SEE3 which matches my version number above. Obviously depending on the version of IOS you’re running, this directory name will be different.

• So we now see the directory that contains the current IOS. Change to that directory and issue the dir command again to view the image file name.

Router# cd c3560-ipbasek9-mz.122-25.SEE3

Router# dir

• I can now see the image file c3560-ipbasek9-mz.122-25.SEE3.bin and that’s the file that we want to backup. So with our TFTP program running we have what we need to back up the current IOS. From the switch CLI type the following to start the IOS backup:

Router# copy flash:c3560-ipbasek9-mz.122-25.SEE3.bin tftp

Address or name of remote host []? 192.168.28.1

Destination filename [c3560-ipbasek9-mz.122-25.SEE3.bin]?

The remote host IP address is the IP displayed in the Server Interface field of the Tftpd32 program. After a little time, the download will finish and you should see a copy of the IOS in the directory shown in the Current Directory field of Tftpd32 as shown in Figure A.

Figure A: You’ll need TFTP software to be able to upgrade and backup your switch.

• Next you need to back up your current configuration as follows:

Router# cd ..

Router# copy flash:config.text tftp

Address or name of remote host []? 192.168.28.1

Destination filename [config.txt]?

Upgrading the switch

So now that we have a good copy of both the current IOS and configuration, we’re ready to upload the new image. I’ve downloaded the tar package named c3560-ipbasek9-tar.122-44.SE6.tar form Cisco and placed it in my Tftpd32 Current Directory location. Also, on my switch I have enough room in flash to leave the current IOS and still be able to upload the newer image. This allows me to specify which image to boot from and test the upgrade before actually removing the older version. If you have the space, I suggest you do the same. It’s just another safety net in case something goes awry. If you don’t have the space, then you’ll have to delete the existing image first before performing the upgrade.

• To start the upgrade, from the switch CLI type the following:

Router# archive tar /xtract tftp://192.168.28.1/c3560-ipbasek9-tar.122-44.SE6.tar flash:

After a few minutes the tar file will complete the upload and extraction and you’ll receive an OK when it has finished. Since I left the original IOS in place, I need to specify which IOS I want the switch to load at boot up. I did so with this command and then saved and reloaded the switch.

Router(config)# boot system flash:c3560-ipbasek9-mz.122-44.SE6/c3560-ipbasek9-mz.122-44.SE6.bin

Router# write memory

Router# reload

Proceed with reload? [confirm]

• Once the switch loads, login and confirm the new IOS version is running.

Router# show version

• Now that the new image loaded successfully, I can delete the older version and remove the boot system command.

Router# delete /force /recursive flash:c3560-ipbasek9-mz.122-25.SEE3

Router# no boot system

And that’s it. The switch has been upgraded, tested, and the older version removed.

Setting up the Internet Authentication Service

Windows Server 2003 ships with IAS so all you need to do is install it from the Add/Remove Programs. Make sure to login to the server with administrator privileges and follow these steps:

• Open the Add or Remove Programs applet from the Control Panel.
• Click Add/Remove Windows Components, select Networking Services, and click Details.
• Place a check mark at Internet Authentication Service and click OK, Next, and then Finish.

Now that you have IAS installed, let’s take a look at how to configure it.

Configuring IAS

For my configuration, since I only have two in house people that would require access to the Cisco equipment, I’ve created an AD security group named CiscoAdmin. Any members of this group are granted access to the Cisco devices as well as level 15 privileges. So let’s first start with setting up the Remote Access Policy on the IAS.

• Launch the Internet Authentication Service from the Administrative Tools applet in the Control Panel.
• Select Remote Access Policies from the left pane and right-click the Default policy in the right pane and select Delete.
• In the right pane, right-click select New Remote Access Policy to invoke the Remote Access Policy Wizard.
• Click Next, select Set up a custom policy,  type a name for your new policy in the Policy name text field and click Next. I used CiscoAuthentication for my policy name as seen in Figure A:

Figure A: Creating a custom remote access policy.

• In the resulting dialog box click Add, select the Windows-Groups attribute type, and click Add as shown in Figure B:

Figure B: Specify that Windows groups will be used for authentication.

• Next, click Add in the resulting Groups dialog box and select the AD group that will contain the members who will be granted access to your Cisco equipment and Click OK. As mentioned previously, I created a group named CiscoAdmin so that will be the group I’m adding here. Once the group is selected, you’ll see the dialog shown in Figure C:

Figure C: Specify the condition to meet to be granted access.

• Now click Next, select ‘Grant remote access permission’, and click Next. On the Profile dialog, click Edit Profile and click the Authentication tab. Now deselect all of the options and select ‘Unencrypted Authentication (PAP, SPAP)’. The Authentication tab should now look like the one shown in Figure D:

Figure D: Set the Authentication type to only what’s shown in this figure.

• Now click the Advanced tab, highlight the Service-Type attribute and click Edit. Set the Attribute value to Administrative and click OK. Next, select the Framed-Protocol attribute and click Remove. The Advanced tab now looks like the one shown in Figure E: Click Ok.

Figure E: Configuring the service type as a RADIUS server.

At this point the system will warn about the authentication method that you’ve selected and ask if you’d like to view the help files for configuration. Click No and continue with the following steps.

• Now click Next and then Finish to complete the new Remote Access Policy.

Adding a RADIUS client

Now that you’ve setup the IAS, you ready to start adding clients. These clients are your Cisco routers, switches, etc that will use the RADIUS box for authentication. In this example we’ll be adding a router with the IP address of 192.168.1.1.

• In the Internet Authentication Service window, right-click on the RADIUS Clients folder and select New Radius Client form the resulting menu.
• In the Friendly name field enter a name to identify your client by. This name can be whatever you want, I’ve chosen to use the host name of the router so I typed CLE_ROUTER.
• Enter the IP address of the router in the Client address (IP or DNS) field. As mentioned previously the IP of my router is 192.168.1.1 so that’s what is entered here. Figure F shows this information entered as described. Click Next to contiue.

Figure F: Specify a name and the IP of the client.

• In the Client-Vendor pulldown menu, select Cisco.
• In the Shared/Confirm secret fields enter a secret word or phrase using a combination of letters, numbers, upper & lower case, etc and then click Finish. Remember what you type here. This shared secret needs to also be entered into your routers configuration which I’ll cover later in this article.  If they don’t match, authentication will fail. For simplicity, I’ve neglected my own advice and just entered ‘stevenson’ as my shared secret. Figure G shows the dialog completed with the vendor and shared secret.

Figure G: Your shared secret must match the shared secret that you’ll enter into your router for authentication to succeed.

That completes the IAS configuration part of the article. Next I’ll show you how to configure the router to authenticate against the IAS server.

Configuring the router for authentication

Before we forge forward, you should make sure that you have a secret password enabled on the router.  You should also maintain a local user account on the router itself. That way, you still have a way back into the router if it loses connectivity to the IAS server. Once you have these two items in place, you’re ready for the next step. Enter the following commands into the router configuration:

CLE_Router(config)# aaa new-model

In this line, the IP address is the IP of your IAS server that you configured in the last section. Where you see ‘stevenson’, that’s the same shared secret that we entered when creating the RADIUS client on the IAS server.

CLE_Router(config)# radius-server host 192.168.1.100 auth-port 1645 acct-port 1646 key stevenson

These lines setup the authentication & authorization using the list ‘StevensonList’ which obviously can be named whatever you choose. Notice where you see ‘radius local’. This means access the RADIUS server for authentication but if the server cannot be reached, then use the routers local database for authentication.

CLE_Router(config)#aaa authentication login StevensonList group radius local
CLE_Router(config)# aaa authorization console
CLE_Router(config)# aaa authorization exec  StevensonList group radius local

If you’re using the web interface for managing your router, add these commands.

CLE_Router(config)# ip http authentication aaa login-authentication StevensonList
CLE_Router(config)# ip http authentication aaa exec-authorization  StevensonList

And add these lines for console port access and terminal access.

CLE_Router(config)# line con 0
CLE_Router(config)# authorization exec StevensonList
CLE_Router(config)# login authentication StevensonList
CLE_Router(config)# line vty 0 4
CLE_Router(config)# authorization exec StevensonList
CLE_Router(config)# login authentication StevensonList
CLE_Router(config)# line vty 5 15
CLE_Router(config)# authorization exec StevensonList
CLE_Router(config)# login authentication  StevensonList

And that completes the router side configuration. I’d leave your current telnet/ssh session open and test logging in from a new telnet/ssh using the AD credentials. Once everything seems to be working as expected, save the changes.

If you have over 50 pieces of equipment that you want to authenticate against the IAS server you’ll have to be running Windows 2003 Enterprise Edition or higher. The Standard Edition tops out at 50 RADIUS clients.

Of course this can be avoided by manually copying the running configuration for safe keeping, but we like automatic. The kind of automatic that we don’t have to worry about. The kind of automatic that Cisco provided to us with the ‘archive’ command starting with the IOS versions shown in Table A.

Table A: Archive command release history from Cisco.

The archive command allows you to create a copy of your configuration manually, periodically, or when the configuration is stored in NVRAM via FTP, TFTP, HTTP, or RCP.

In this example, I’ll being configuring the router to copy the configuration to a Windows 2003 FTP server  every time the ‘write memory’ command is issued. The file name is built on the routers host name, appended with “-x”, where “x” is an incremental number.  I’m also using the credentials of an Active Directory user, that I created for this purpose,  to allow the router to connect to the FTP server.

The FTP server address is: 192.168.1.50
Username: stevenson\netadmin
Password: n3t4dm1n

First we’ll configure the router with the FTP username and password.

Router(config)# ip ftp username stevenson\netadmin
Router(config)# ip ftp password n3t4dm1n

Now execute the ‘archive’ command.

Router(config)# archive

Now specify the path for the configuration archives

Router(config-archive)# path ftp://192.168.1.50/$h
Router(config-archive)# write-memory


The &h in the path instructs the system to use the hostname of the router when naming the archived configuration. And write-memory causes the configuration to be archived each time the write memory command is issued.

That’s it! You now have your router setup to automatically archive/copy your most recent configuration file to an FTP server for safe keeping. To test it out either enter:

Router# write memory

or

Router# archive config

Now check your FTP server and you should find the archived copy of your routers configuration.

If you want the router to archive your configuration at a desired interval, you can do that too by using the time-period command followed by the number of minutes that you want the archiving to wait between archive creation.

Router(config-archive)# time-period 10080

If you want to see a list of archives with the most recent highlighted, simply use this command:

Router# show archive

Now that you have the configuration backed up and can see the listed archives, lets look at restoring from one of the archived configuration files. Decide which archive file that you want to restore, from the list you saw when you issued the show archive command and enter that name as shown:

Router# configure replace ftp://192.168.1.50/Router-1

This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]:y
Total number of passes: 1
Rollback Done

After you see “Rollback Done”, your selected archived configuration is now back in place on your router.

I’ve deployed this solution to a mix of Cisco routers, switches, and voice gateways and let me tell ya, it’s a nice feeling to know that all of those configs are being backed up automatically. Now if I have a failure or issue a bad command I can quickly and easily get things back to the way they were previously.