4215 EoS and cisco general EoS policy
Hello,
Can anybody help me on this matter:
I'm finding a discrepancy between Cisco general EoS policy and the 4215 EoS announcement.
As per Cisco general EoS policy:
http://www.cisco.com/en/US/products/products_end-of-life_policy.html
Software support will be as follows:
⢠For the first year following the end-of-sale date, we will provide bug fixes, maintenance releases, work arounds, or patches for critical bugs reported via the TAC or Cisco.com Web site.
⢠After the first year and for Operating System SW -where available- we will provide bug fixes, maintenance releases, workarounds or patches for a period of 4 years for operating system software. Bear in mind that it may be necessary to use software upgrade release to correct a reported problem.
⢠After the first year and for Application SW -where available - we will provide bug fixes, maintenance releases, workarounds or patches for a period of 2 years for application software. Bear in mind that it may be necessary to use software upgrade release to correct a reported problem.
So as a result, Cisco will provide bug fixes, maintenance releases, workarounds or patches for:
⢠A total period of 5 years (from EoS announcement) for Operating System SW
⢠A total period of 3 years (from EoS announcement) for Application SW.
Now, on the other hand, if we look specifically to the 4215 end of life announcement:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps5367/end_of_life_notice_for_cisco_ids_4215_sensor.html
It's clear that:
End of SW Maintenance Releases Date: HW The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software. July 29, 2009
Which is only one year aver the EoS announcement, and it's said regardless of the support contract.
We can see that there is discrepancy between the general EoS policy and the 4215 EoS announcement.
My questions are:
⢠is the IPS4215 considered as an âOperating System SWâ or âApplication SWâ?
⢠Can anybody please explain this discrepancy between the general EoS policy and the 4215 EoS announcement? It is not stated at all in the 4215 announcement that Cisco will provide bug fixes, maintenance releases, workarounds or patches for:
- A total period of 5 years (from EoS announcement) for Operating System SW
- A total period of 3 years (from EoS announcement) for Application SW.
Thank you
Hello,
Can anybody help me on this matter:
I'm finding a discrepancy between Cisco general EoS policy and the 4215 EoS announcement.
As per Cisco general EoS policy:
http://www.cisco.com/en/US/products/products_end-of-life_policy.html
Software support will be as follows:
⢠For the first year following the end-of-sale date, we will provide bug fixes, maintenance releases, work arounds, or patches for critical bugs reported via the TAC or Cisco.com Web site.
⢠After the first year and for Operating System SW -where available- we will provide bug fixes, maintenance releases, workarounds or patches for a period of 4 years for operating system software. Bear in mind that it may be necessary to use software upgrade release to correct a reported problem.
⢠After the first year and for Application SW -where available - we will provide bug fixes, maintenance releases, workarounds or patches for a period of 2 years for application software. Bear in mind that it may be necessary to use software upgrade release to correct a reported problem.
So as a result, Cisco will provide bug fixes, maintenance releases, workarounds or patches for:
⢠A total period of 5 years (from EoS announcement) for Operating System SW
⢠A total period of 3 years (from EoS announcement) for Application SW.
Now, on the other hand, if we look specifically to the 4215 end of life announcement:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps5367/end_of_life_notice_for_cisco_ids_4215_sensor.html
It's clear that:
End of SW Maintenance Releases Date: HW The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software. July 29, 2009
Which is only one year aver the EoS announcement, and it's said regardless of the support contract.
We can see that there is discrepancy between the general EoS policy and the 4215 EoS announcement.
My questions are:
⢠is the IPS4215 considered as an âOperating System SWâ or âApplication SWâ?
⢠Can anybody please explain this discrepancy between the general EoS policy and the 4215 EoS announcement? It is not stated at all in the 4215 announcement that Cisco will provide bug fixes, maintenance releases, workarounds or patches for:
- A total period of 5 years (from EoS announcement) for Operating System SW
- A total period of 3 years (from EoS announcement) for Application SW.
Thank you
Similar Messages
-
Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
Please help me to find where is the issue.
I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
Here is my current configuration.
Thanks for your help.
IOS Configuration
version 15.2
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 198.0.183.225
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
mode transport
crypto map static-map 1 ipsec-isakmp
set peer S2.S2.S2.S2
set transform-set AES-SET
set pfs group2
match address 100
interface GigabitEthernet0/0
ip address S1.S1.S1.S1 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map static-map
interface GigabitEthernet0/1
ip address 192.168.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
ASA Configuration
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.83.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address S2.S2.S2.S2 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network inside-network
subnet 192.168.83.0 255.255.255.0
object network datacenter
host S1.S1.S1.S1
object network datacenter-network
subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.83.0_24
subnet 192.168.83.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside-network interface
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-transform-set mode transport
crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2L_SET mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
crypto map vpn 1 match address outside_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer S1.S1.S1.S1
crypto map vpn 1 set ikev1 transform-set L2L_SET
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_S1.S1.S1.S1 internal
group-policy GroupPolicy_S1.S1.S1.S1 attributes
vpn-tunnel-protocol ikev1
group-policy remote_vpn_policy internal
group-policy remote_vpn_policy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
username admin password rqiFSVJFung3fvFZ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
default-group-policy remote_vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group S1.S1.S1.S1 type ipsec-l2l
tunnel-group S1.S1.S1.S1 general-attributes
default-group-policy GroupPolicy_S1.S1.S1.S1
tunnel-group S1.S1.S1.S1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f55f10c19a0848edd2466d08744556eb
: endThanks for helping me again. I really appreciate.
I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
Because on Cisco ASA I guess I have everything.
Here is show crypto session detail
router(config)#do show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Should I see something in crypto isakmp sa?
pp-border#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Thanks again for your help. -
Juniper SSG and Cisco ACS v5.x Configuration
I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma. I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
Configure the Juniper (CLI)
1. Add the Cisco ACS and TACACS+ configuration
set auth-server CiscoACSv5 id 1
set auth-server CiscoACSv5 server-name 192.168.1.100
set auth-server CiscoACSv5 account-type admin
set auth-server CiscoACSv5 type tacacs
set auth-server CiscoACSv5 tacacs secret CiscoACSv5
set auth-server CiscoACSv5 tacacs port 49
set admin auth server CiscoACSv5
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
Configure the Cisco ACS v5.x (GUI)
1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
Create the Juniper Shell Profile.
Click the [Create] button at the bottom of the page
Select the General tab
Name: Juniper
Description: Custom Attributes for Juniper SSG320M
Select the Custom Attributes tab
Add the vsys attribute:
Attribute: vsys
Requirement: Manadatory
Value: root
Click the [Add^] button above the Attribute field
Add the privilege attribute:
Attribute: privilege
Requirement: Manadatory
Value: root
Note: you can also use 'read-write' but then local admin doesn't work correctly
Click the [Add^] button above the Attribute field
Click the [Submit] button at the bottom of the page
2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
Create the Juniper Authorization Policy and filter by Device IP Address.
Click the [Customize] button at the bottom Right of the page
Under Customize Conditions, select Device IP Address from the left window
Click the [>] button to add it
Click the [OK] button to close the window
Click the [Create] button at the bottom of the page to create a new rule
Under General, name the new rule Juniper, and ensure it is Enabled
Under Conditions, check the box next to Device IP Address
Enter the ip address of the Juniper (192.168.1.100)
Under Results, click the [Select] button next to the Shell Profile field
Select 'Juniper' and click the [OK] button
Under Results, click the [Select] button below the Command Sets (if used) field
Select 'Permit All' and ensure all other boxes are UNCHECKED
Click the [OK] button to close the window
Click the [OK] button at the bottom of the page to close the window
Check the box next to the Juniper policy, then move the policy to the top of the list
Click the [Save Changes] button at the bottom of the page
3. Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list and I would doubt that it would be as LMS's functions are mostly not applicable to the appliance or software running on it.
You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server. -
IPSEC between Fortinet and Cisco SA540
Hi,
We have done the site to site VPN between Fortinet and Cisco SA540. Everything is configured at both ends but the tunnel is not establised. Can you help me out to resolve the issue.
Regards,
Satish.Hello Venkatasatish,
I gonna send you an example of VPN between Cisco ASA 8.2 version and Fortigate mr4.
In my example i gonna use the following environments:
Cisco ASA "Zones"
Inside: 192.168.1.0/24 "Asa inside interface Ip address 192.168.1.1"
Outside: 200.200.200.0/29 "Asa outside interface Ip address 200.200.200.1"
Fortigate "Zones"
inside: 172.16.1.0/24 "Asa inside interface Ip address 172.16.1.1"
outside: 201.201.201.0/29 "Asa outside interface Ip address 201.201.201.1"
=================================> VPN Script of ASA <=================================
access-list inside_access_in remark Firewall rule from ASA to Fortigate
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 log notifications
access-group inside_access_in in interface inside
access-list VPN_NONAT remark Nonat to VPN traffic over VPN
access-list VPN_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list CryptoMap_ASA_to_Fortigate remark VPN Site-to-Site to Fortigate Site
access-list CryptoMap_ASA_to_Fortigate extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list VPN_NONAT
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_map 1 match address CryptoMap_ASA_to_Fortigate
crypto map OUTSIDE_map 1 set peer 201.201.201.1
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
crypto map OUTSIDE_map interface outside
group-policy GP_TO_FORTIGATE internal
group-policy GP_TO_FORTIGATE attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
tunnel-group 201.201.201.1 type ipsec-l2l
tunnel-group 201.201.201.1 general-attributes
default-group-policy GP_TO_FORTIGATE
tunnel-group 201.201.201.1 ipsec-attributes
pre-shared-key cisco123
=================================> VPN Script for Fortigate ==============================
Phase 1:
FORTIGATE# config vpn ipsec phase1-interface "enter"
FORTIGATE (phase1-interface) # edit 200.200.200.1 "enter"
set interface "outside"
set keylife 86400
set mode main
set dhgrp 2
set proposal 3des-sha1
set remote-gw 200.200.200.1
set psksecret ENC cisco123
next "to apply the configuration"
Phase 2
FORTIGATE# config vpn ipsec phase2-interface
edit 200.200.200.1
set keepalive enable
set pfs disable
set phase1name "200.200.200.1"
set proposal 3des-sha1
set dst-subnet 192.168.1.0 255.255.255.0
set keylifeseconds 3600
set src-subnet 172.16.1.0 255.255.255.0
next "to apply the configuration"
Config route to VPN: I am using 100 entry, you need to take a look at your firewall.
FORTIGATE# config router static "enter"
FORTIGATE (static) # edit 100 "enter"
FORTIGATE (100) # set device "200.200.200.1"
set distance 1
set dst 192.168.1.0 255.255.255.0
Create a Rule: in my example I´m using any to any over VPN, but you can to filter based on network environments.
FORTIGATE # config firewall policy "enter"
FORTIGATE (policy) # edit 100 "enter"
config firewall policy
edit 100
set srcintf "200.200.200.1"
set dstintf "inside"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set logtraffic enable
set comments "Access from VPN ASA site"
FORTIGATE (policy) # edit 101 "enter"
config firewall policy
edit 101
set srcintf "inside"
set dstintf "200.200.200.1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set logtraffic enable
set comments "Access to VPN ASA Site"
After that, please start a traffic between private network, 192.168.1.0 and 172.16.1.0/24.
Please let me know about it!
Good luck.
Fabio Jorge Amorim -
Communication problem between Cisco 3560 and Cisco SG300.
Dear Support,
I have a Cisco SG300 and Cisco 3560 switches.
3560 is my Core Switch and SG300 is access switch.
From 3560 VLAN information is not passed to SG300.
3560 Configuration:
interface GigabitEthernet0/23
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,10,11
switchport mode trunk
SG300 Configuration:
interface gigabitethernet49
spanning-tree link-type point-to-point
switchport mode general
switchport general allowed vlan add 2,10-11 tagged
macro description switch
Please suggest how this issue is resolve.
Regards,
JItesh Mahajan.Dear Aleksandra,
Below Configuration is right or wrong for 3560 and SG300.
3560 Configuration:
interface GigabitEthernet0/23
switchport trunk encapsulation dot1q
switchport trunk allowed vlan remove VLAN 1
switchport native vlan 1
switchport trunk allowed vlan 1,2,10,11
switchport mode trunk
SG300 Configuration:
interface gigabitethernet49
spanning-tree link-type point-to-point
switchport mode general
switchport general allowed vlan add 2,10-11 tagged
macro description switch
Regards,
JItesh Mahajan. -
Dears,
Please i need to know what is the difference in the features between Cisco prime infrastructure 1.2 and Cisco prime 1.4.
Already i see the release note for each one but the release indicate only the New feature for every one. so i need to know the difference between them not new features.
Wait your kind feedback plz
Regards,Hi,
New Features and Enhancements
The following topics describe new features and enhancements in Cisco Prime Infrastructure 1.4.
Management Support for WLC Release 7.5
Support for 802.11ac Module
Support for Cisco AP 700
Policy Classification Engine
FlexConnect Audit Support
Autonomous AP Support
Client Stateful Switchover
Cable Modem Monitoring
Support for Secure File Transfer Protocol
and please go through the link and check the data sheet for further clearance.
http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-infrastructure/datasheet-c78-729879.html -
DAP using LDAP and Cisco Attributes
I would like to be able to set up a Dynamic Access Policy with the criteria that if all of the following:
cisco.grouppolicy=Sales
ldap.memberOf=Remote_Access
can have specific set of access. My Connection profile is using a Radius server to authenticate and assign the Group Policy.
Is it possible to accomplish this? since it doesn't seem to work for me.Hi Luis,
if you want to use LDAP attributes in your DAP policy, then you have to use LDAP for authentication or authorization in your tunnel-group.
So you will either have to replace radius with ldap for authentication, OR keep radius for authentication and add ldap for authorization on top.
hth
Herbert -
FreeRadius and Cisco 2600 Terminal Server [IOS 12.1(3)T]
Hi Cisco People
I'm using FreeRadius 2 and Cisco 2600 Terminal server to coordinate access to cisco routers based on time ranges.
Basically we are an education/training environment where we have some students accessing the routers and switches for practise, terminal server are used to consolidate the console access, and these terminal servers authenticate the users through a Radius server (as shown in the following figure). Additionally, the students are categorized into few groups. We want to implement policy on the radius server so that only a certain group can access the resources in a given duration of time (the user should be dropped from the terminal when the subscribed time is reached and cannot access thereafter .)
+++++++++++++++ +++++++++++++++++ +++++++++++++
+ User +++++++++++++++++++++++ Cisco 2600 +++++++++++++++++++++ Network +
+ + + Terminal Serv + + Devices +
+++++++++++++++ +++++++++++++++++ +++++++++++++
(NAS)
+
+
+++++++++++++++
+ FreeRadius +
+++++++++++++++
Right now I'm able to do the "hello-world" setup with the following users and clients.conf. On the terminal server side, aaa new-model is enabled on the cisco terminal server to communicate with this radius server.
users
=============
cisco Auth-Type := System
Service-Type = NAS-Prompt-User,
cisco-avpair = "shell:priv-lvl=15"
clients.conf
==============
client 192.168.1.1 {
secret = SECRET_KEY
shortname = termserver
nastype = cisco
A typical transaction would be :
Access-Request
=======
NAS-IP-Address = 192.168.1.1
NAS-Port = 35
NAS-Port-Type = Async
User-Name = "cisco"
Calling-Station-Id = "1.1.1.1"
User-Password = "cisco"
Access-Accept
=======
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
This works fine but doesn't provide any timing limitations. So I have modified the FreeRadius config to be :
users
=============
cisco Auth-Type := System
Service-Type = NAS-Prompt-User,
cisco-avpair = "shell:priv-lvl=15",
Session-Timeout = 20
Cisco Terminal Server
==============
aaa new-model
aaa authentication login default group radius local none
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
After this, I am able to see that the terminal server actually receives an Access-Accept including the Session-Timeout attributes like the following :
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
Session-Timeout = 20
But the problem is that it doesn't really terminate the session after the 20 seconds are reached . My questions is that :
1. Is the terminal server really able to enforce such time limit after receiving the attribute ?
2. Is the 2600 terminal server with [IOS 12.1(3)T] compliant with RFC 2865?
3. What can I do so that the terminal server forces the user to be logged out after the session time limit is reached ?
Thanks
FrankFrank,
I think you should use the login time s well:
Login-Time
Login-Time is a very powerful internal check AVP. It allows flexible authorization and its value is used by the logintime (rlm_logintime) module to determine if a person is allowed to authenticate to the FreeRADIUS server or not. This value is also used to calculate the Session-Timeout reply value. Session-Timeout is subsequently used by the NAS to limit access time.
The following line will grant Alice access only between 08:00 and 18:00 each day.
"alice" Cleartext-Password := "passme", Login-Time := 'Al0800-1800'
The logintime module will calculate the reply value of Session-Timeout if Alice has logged in within the permitted timeslots to inform the NAS how long she is allowed to stay connected. If Alice tries to access the network when she is not permitted, the request will be rejected.
http://www.packtpub.com/article/getting-started-with-freeradius
http://wiki.freeradius.org/config/Users
yes, the terminal server is RFC 2865 compliant.
Rate if Useful :)
Sharing knowledge makes you Immortal.
Regards,
Ed -
IPSec ikev2 between ASA and Cisco Router
Hi,
i try to do IPSec with ikev2 (SHA2) between ASA and Cisco Router, without success. Any one can help me ?
- Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
- Authentication with Certificats
- integrity sha2
I try a lot of configurations without success.
Thanks for your help.
MicThe more secure ike policy should have the higher priority which is a smaller number. So I would configure there the following way (policy 30 only if really needed):
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
There are two (three) better options:
Best option with very little needed configuration:
Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
Best option with a little stronger crypto but more configuration:
Move to AnyConnect with IPsec/IKEv2.
Move to a third-party client like shrew.net. I didn't use that client since a couple of years any more, but it's quite flexible and also has a config for a better DH-group.
For option 1) and 2) there is an extra license needed, but thats not very expensive. -
VPN between RV042 and Cisco 2801
HI
Kindly help me out. I'm configuring a p2p vpn between a cisco 2801 with IOS 12.3 and a linksys RV042. I'm getting following error on Linksys and Cisco respectively.
[Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Dec 19 02:40:42 2011
VPN Log
Received informational payload, type NO_PROPOSAL_CHOSEN
dst src state conn-id slot status
x.x.x.x x.x.x.x MM_NO_STATE 0 0 ACTIVE
Below are my config:
Linksys RV042:
Keying Mode: IKE with Preshared Key
Phase1 DH Group: Group2
Phase1 Encryption: 3DES
Phase1 Authentication: MD5
Phase1 SA Life Time: 28800
Perfect forward secrecy : enabled
Phase2 DH Group: Group2
Phase2 Encryption: 3DES
Phase2 Authentication: MD5
Phase2 SA Life Time: 28800
Preshared Key: xxxxxx
Cisco 2801:
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxx address xxxxxx
no crypto isakmp ccm
crypto ipsec transform-set STRONGER esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
set peer xxxxxx
set transform-set STRONGER
set pfs group2
match address 103
interface FastEthernet0/0
ip address 10.0.0.56 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
ip address xxxx xxxx
ip nat outside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
crypto map myvpn
ip nat pool branch xxxxxx xxxxx netmask 255.255.255.240
ip nat inside source route-map nonat pool branch overload
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
snmp-server community public RO
route-map nonat permit 10
match ip address 110
Rgards
SAMHi,
It looks like you are using the default hash for the crypto isakmp policy and that your connection is failing on the phase 1 negotiation. The default hash on the crypto isakmp policy is sha. On the 2801 try adding hash md5.
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
Let me know if that helps.
Thank you,
Jason NIckle -
Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis
We have configured Cisco Nexus 7K9 as core and Cisco 4510 R+E as access switches for Server connectivity.
We are experiencing problem in terms of ARP learning and Ping issues between Cisco Nexus and end hosts.Hi,
So you have N7k acting as L3 with servers connected to 4510?.
Do you see the MAC associated with failing ARP in 4510?. Is it happening with all or few servers?. Just to verify if it is connectivity issue between N7k and 4510, you can configure an SVI on 4510 and assign address from same raneg (server/core range) and perform a ping.
This will help narrow down if issue is between server to 4510 or 4510 to N7k.
Thanks,
Nagendra -
Mavericks VPN dropouts with native VPN client and Cisco IPSec
Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
I am connecting via a WIFI router to a remote VPN server
The conenction is good for a while but eventually it drops out.
I had Zero issues in mountain lion and only have issues since the update to 10.9
I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
My thoughts are:
1 -issue with mavericks ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
2- Issue with cisco router compaitibility or timing with Cisco IPSEC
3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
Any thousuggestions?Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
I am connecting via a WIFI router to a remote VPN server
The conenction is good for a while but eventually it drops out.
I had Zero issues in mountain lion and only have issues since the update to 10.9
I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
My thoughts are:
1 -issue with mavericks ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
2- Issue with cisco router compaitibility or timing with Cisco IPSEC
3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
Any thousuggestions? -
fire fox opens with tabs from preveous session not home page in tools under options and tab general I have start up with home page but all tabs from previous session open instead
It is possible that there is a problem with the files [http://kb.mozillazine.org/sessionstore.js sessionstore.js] and sessionstore.bak in the [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile Folder]
Delete [http://kb.mozillazine.org/sessionstore.js sessionstore.js] and sessionstore.bak in the [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile Folder]
* Help > Troubleshooting Information > Profile Directory: Open Containing Folder
If you see files sessionstore-##.js with a number in the left part of the name like sessionstore-1.js then delete those as well.
Deleting sessionstore.js will cause App Tabs and Tab Groups to get lost, so you will have to create them again (make a note).
See:
* http://kb.mozillazine.org/Session_Restore -
I have a Gen 4 Ipod Touch, it is still running with IOS 4. When i go to my settings and select <General> there is no <Software Update> button to choose from. How do i update my Ipod to the new IOS system?
You have to hook it up to a computer and update it to ios 5 and then there will be a "software update" button.
-
Transfer VOIP Calls Between Cisco Desk Phone and Cisco Jabber For IPhone 9.5
Does anyone know how to transfer an active voip call from a Cisco IP Desk Phone to Cisco Jabber for IPhone? I can transfer a call from Cisco Jabber for IPhone to my Cisco IP Desk Phone no problem. I put the call on hold and then click "Resume" on my Cisco IP Desk Phone. However I cannot do the same but the other way around. If I put the call on hold on my Cisco IP Desk Phone, I see "no active call" on my Jabber client. The only information I could find slighlty relevant was using the Mobility Key/Remote Destination Profile feature however this defeats the object as this will forward to an external number, e.g. mobile and I just want to transfer the call within the VOIP environment between the two devices that are using the same directory number.
I am using Cisco Call Manager 9.1(2), Cisco Presence 9.1 and Cisco Jabber for IPhone 9.5.
Any help would be greatly appreciated.
Kind Regards,
Paul Parker.Did you ever find an answer to this ?
I am seeing the same behavior and trying so see if I can put calls on hold and pick them up both ways also.
The only answer I seem to have found is to use park instead
That would/should work but I would just prefer to hold/unhold
Just not sure why we would not be able to hold/unhold on what is essentially a "shared" line
Does anyone have this working for them ?
Maybe you are looking for
-
Unable to generate spool for two tables in report output
Hi, I created report with two custom containers displaying two tables in output. When I execute the report in background spool is created only for one table in top custom container. What should be done to generate spool for both the tables in two dif
-
Podcasts no longer downloading overseas
I am writing with a question about iTunes use in Turkey. I am an American living abroad in Turkey and before December 2010 was downloading several US-based podcasts via iTunes to listen to on my iPod touch. Since December, however, many of the podcas
-
Logic 9.0.0 is not workig on OS 10.8 what to do?
Hi! I just upgraded my OS to 10.8 and somehow logic 9.0.0 stop working on my mac it seems to be a problem with PowerPC. When I want to run logic it says that I can't use this version of logic with OS 10.8 what to do I need your help guys.
-
Pixma MX 882 in if there is an answer machine on the line I can only receive faxes manually
I have a Pixma MX 882. I was told a while back by Canon Support that if there is an answer machine on the same line as the Canon that I can only receive faxes manually. Has Canon solved the problem.? HP can do it, Brothers can do it, old Fax only mac
-
Hi, We are trying to do this: - precompile foo.jsp to foo.class offline; - copy foo.class and foo.jsp into a machine weblogic is running, maintain their timestamp when they are compiled and generated; - when accessing foo.jsp, we hope weblogic will l