AAA on 4503

Similar Messages

• Desktop and windows have all capital A's (AAAA...) instead of normal labels

  Hi, folks.
  While having trouble getting my AC power supply cord to power up the 'book (the cord wires were broken and the power would only flow if the cord were held in one position) the battery eventually was
  exhausted and the 'book shut down.
  This interruption caused the desktop menu, labels, and submenus, to all be labeled AAAAAAAAA....etc.
  The A's appear within box (square) shapes. For example the word 'view' looks like this AAAA but in boxes.
  I tried to rebuild the desktop but that didn't help. I wanted to trash the desktop preferences, but since everything is labeled AAAAAAA I can't find them! Even the master OS disk (Tiger) is littered with AAAAAA's! I can read the internet ok, however.
  What's going on?

  Hi Ddale53, and a warm welcome to the forums!
  http://discussions.apple.com/thread.jspa?messageID=7629337&#7629337
  http://discussions.apple.com/thread.jspa?threadID=856498&tstart=195

• Server 2012 R2 - The system failed to register host (A or AAAA) resource records (RRs) for network adapter

  We seem to be having an issue recently after introducing new Windows Server 2012 R2 servers where they fail to register DNS correctly. The Windows Firewall is off and the servers are on the same VLAN with no firewalls between them.
  When I do an ipconfig /registerdns or wait 24 hours for the system to try we get the following error:
  The system failed to register host (A or AAAA) resource records (RRs) for network adapter
  with settings:
             Adapter Name : {4A0ECF05-193F-4BEA-AA46-BEC593BA752B}
             Host Name : SRV-DATA
             Primary Domain Suffix : internal.local
             DNS server list :
  192.168.0.50, 192.168.0.42
             Sent update to server : <?>
             IP Address(es) :
               192.168.0.99
  The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative
  for this name does not support the DNS dynamic update protocol.
  To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.
  On our DNS server we have set for the internal.local zone Secure Updates only so that looks good because it is Active Directory that should be handling this authentication to update the record I assume. Just to mention that when also doing an ipconfig /regsiterdns
  the update fails within a few seconds. 
  Source: DNS Clients Events
  Event ID: 8018
  User: NETWORK SERVICE
  This issue is only affecting Windows Server 2012 R2 clients and testing with Windows Server 2008 R2 clients works no issues. So is this a mis-configuration or a bug with Windows 2012 R2? I have checked all DNS settings on client / server which all look good
  to me so reaching out now to see if anyone has any ideas?
  Environment:
  - Windows Server 2012 R2 Domain Controllers (Forest/Domain Levels 2012 R2)
  - Windows Server 2012 R2 Client machines (Physical and Virtual)
  - Windows Server 2008 R2 Client machines (Physical and Virtual)

  The zone is configured as "Secure Only"
  The PDC is the SOA for the zone
  I dont have a packet capture from the DC, only the client. 
  The query you asked me to run is too long to paste in here, however this is the DNS zone it cannot update:
  NotifyServers                     : 
  SecondaryServers                  : {10.2.0.3, 10.2.0.5}
  AllowedDcForNsRecordsAutoCreation : 
  DistinguishedName                 : DC=internal.local,cn=MicrosoftDNS,DC=ForestDnsZones,DC=internal,DC=local
  IsAutoCreated                     : False
  IsDsIntegrated                    : True
  IsPaused                          : False
  IsReadOnly                        : False
  IsReverseLookupZone               : False
  IsShutdown                        : False
  ZoneName                          : internal.local
  ZoneType                          : Primary
  DirectoryPartitionName            : ForestDnsZones.internal.local
  DynamicUpdate                     : Secure
  IsPluginEnabled                   : False
  IsSigned                          : False
  IsWinsEnabled                     : False
  Notify                            : NoNotify
  ReplicationScope                  : Forest
  SecureSecondaries                 : TransferToSecureServers
  ZoneFile                          : 
  PSComputerName                    : 
  CimClass                          : root/Microsoft/Windows/DNS:DnsServerPrimaryZone
  CimInstanceProperties             : {DistinguishedName, IsAutoCreated, IsDsIntegrated, IsPaused...}
  CimSystemProperties               : Microsoft.Management.Infrastructure.CimSystemProperties

• Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

• VPN Client and AAA services on a Cisco ISR Router

  Hi, my name is Jim, and I was just promoted as a trainer for the company I work for.  Part of my new challenge is understanding how the configuration files in both my Terminal Services/VPN Router and Core Router work, so for many of you, these questions are going to seem very fundamental, but please help, I am an instructor in training.  I hold a CCNA, CCNA-Wireless, and a CCSI cert, but I have little working experience in building and maintaining a lab....hence the need for this inquiry.
  So to my questions. In our lab environment, we have a router that acts as our terminal services router and VPN router.  Each laptop that connects to the lab has the Cisco VPN client loaded onto it, as well as my laptop that I teach from.  My questions are these:
  1.  What parts of the AAA output of the running configuration tell me how to configure the VPN clients on my laptops?
  2.  I am using crypto key generate RSA at 1024 bits on the VPN/TS router, so does that tell me how to configure some part of the client?
  3.  In our lab, we are going to use a direct connection to an AP to get connected to the network, and how will the absence of an Internet connection affect the settings on the VPN client, or will they?
  4.  Are there helpful articles I can read that will answer some or all of these questions? 
  Thanks in advance,
  Jim

  Hi Jim,
  congratulations
  Assuming a basic setup, your router will have something like this:
  crypto isakmp client configuration group MyGroup
    key cisco123
  So on the client, you configure it to use MyGroup as the group name, and cisco123 as the (group) password.
  I'm not sure I understand your question #3 and what you mean by "AP" (Access Point? So WiFi?). In any case you don't need Internet access per se, as long as you have network (IP) connectivity between the host running the vpnclient and the VPN router.
  Does this help?
  Herbert

• How to survive an ACS audit with aaa-reports!

  For many organisations the Cisco Secure ACS server is the guardian of the network - controlling administrative access to routers and switches plus overseeing end network users over VPN, wireless and firewall.
  Its no surprise therefore that it should come under intense scrutiny during an audit. Perhaps what is surprising is the lack on awareness over best practice for running ACS in a secure way. We'd like to help in our small way and below is a list of tips we've picked up over the years of providing reporting services for ACS.
  Buy aaa-reports! Of course we would say that... But without the ability to aggregate the logs from all your ACS servers and report on the data, or use our query builder for forensic analysis, or import the ACS database to document the policy features enabled.... you'll have a hard time getting the evidence that an auditor might ask for.
  Make sure ACS is logging the appropriate attributes for the reports you need to create. For example if you need to document who did what to devices in specific Network Device Groups (NDG) you must ensure this value actually gets logged. Performing ACS upgrades often sets logging configs back to their defaults.
  Create a build specification for your ACS. Detail the "meta config" of your ACS so that after an emergency hardware swap-out or software upgrade you can quickly check that the ACS has the correct configuration. The build spec document should be under version control and is a useful item in itself to convince an auditor your system is well controlled.
  Create a Change Control system for config changes on the ACS. Since its ACS that decides who gets access and what commands they run on your network its vital you report on the Administration Audit logs. During an audit you can then correlate entries in your change control system with actual edits recorded in the Admin Audit logs. aaa-reports! can document what all or individual ACS admins did in detail.
  Retain 2 years of actual CSV log data on your reporting server. For general day-to-day reporting you dont need this amount, but during an audit you may be required to show what happened on a specific historic date. aaa-reports! multi-db feature will allow you to create a specific back-end database just for this task and import logs from the required time period. Alternatively use the aaa-reports! snapshot feature to regularly save its database state, for example quarterly. You may then connect aaa-reports! to any of the historic snapshot databases to report on the data from that quarter.
  Regularly export the ACS database into aaa-reports! If you are running reports against log data from 2 years ago you also need to know what was in the ACS database at the same time - using a more recent ACS database might yield unexpected results because the configuration is likely to changed in the meantime. Usecsvsync to regularly grab the ACS database and keep them alongside the retained CSV logs for future reference.
  Review the quality of ACS log data. From time to time its worth taking a look at the quality of the data getting logged. We often find customers with rogue scripts being automated on devices that cause the ACS Failed Attempts logs to become full of many MBs of "junk data" - essentially one failed attempt for each line of the script. If left to continue for months the real data starts to become more difficult to find.
  In terms of specific questions that an audit will concentrate on, typically it will revolve around demonstrating that not only is there specific and adequate policy to control access to those parts of the network require it, but also to seek evidence that those policies are in fact working. In aaa-reports! we added a whole set of reports for TACACS+ Device Administration (TDA) that attempt to document the ACS policy configuration, answer questions such as "who can/cannot access devices and once connected what can they do?" and finally report on what did actually happen.
  Below are some additional TDA specific tips:
  Ensure services such as shell/exec are only enabled for ACS groups that really need it. The aaa-reports! TDA Group Summary report will list every ACS group and what TDA features are enabled. The TDA Group Detailreport can be used to inspect the policy in detail.
  Check for user-level ovverides. In general users should always inherit policy from their group unless there is good reason. The aaa-reports! TDA User Summary report list users with group overriden configuration. The TDA User Detail report can be used to inspect what policy items are specific to the user.
  Use Network Access Restrictions (NAR) to prevent login by unauthorised personnel. The first line of defence is to only allow device admin users access to routers and switches. We find some customers rely purely on command authorisation - this potentially lets anyone access the device who can authenticate. Imagine the scenario where ACS has "unknown authentication" enabled pointing at your Windows AD then answer "Who has access?". aaa-reports! can report group-by-group on device access controlled by NARs and therefore answer "Who has access to device XYZ?"
  Use Device Command Sets (DCS) for command authorisation. Create a set of re-usable DCSs with meaningful names in preference to simple group-level command authorisations. ACS administration is simplified and the auditor should understand what the intent of the policy is by its name. aaa-reports! can document the both the content of each DCS and the group assignments, thereby answering the question "What commands can user X execute on device XYZ?"
  Seek out and remove old ACS user accounts. aaa-reports! can report on inactive users both from examination of accounting logs and (if password aging is enabled) from the imported ACS database itself.
  Learn how to use the aaa-reports! Query Builder. Despite the comprehensive set of pre-built canned reports, during an audit you are likely to be asked questions about a specific date, user or device. Knowing how to use the QB to build filter/sort and group/totalling queries will get the answers quickly. Take the random question "How many sessions did user X have on devices A, B and C on this date?" The aaa-reports! QB can easily create custom reports that filter on any number of attribute values, group by multiple columns and have calculated fields such as sum, count, average etc. If you have a working knowledge of Visual Basic 6 (VB6) its also possible to use a rich array of formatting and other VB6 functions to create additional fields.
  The above list is of course by no means definitive as every customer will have their own specific needs from ACS and face different levels of compliance. Undergoing an audit is never easy, but at least with the right tools it doesnt have to be awful!
  For more infomation on extraxi aaa-reports! or to download our free 60 day trial version please visit http://www.extraxi.com/audit.htm

  .

• Acs 4.2 :- router# test aaa group tacacs+ uid pwd .... works but not when authenticating

  I have setup ACS 4.2 and when I run
  router# test aaa group tacacs+ myuser mypasswd [ legacy | new-code]
                 Both options work fine
  But when I try and login, over telnet, the request reaches the aaa server, but returns fail !
  My commands are :-
  tacacs-server host xx.xx.xx.xx single-connection port 49
  tacacs-server key xxxxxxxxxxx
  aaa authentication banner ^CUnauthorized access forbidden^C
  aaa authentication username-prompt "Enter Username: "
  aaa authentication login default group tacacs+ local
  aaa authorization exec default group tacacs+ local
  I dont see the banner NOR the "Enter Username:" prompt.
  Also a debug aaa authentication and debug aaa subsys show that the request reaches AAA, but it simply returns fail
  I had the same issue in 5.1, but that was due to the tacacs+ single-connection not being set or something similar, and the error
  there was "shared secret does not match", on the AAA server logs
  I am still new to 4.2, so am still trying to determine where the log files are etc, but since it works with the test command, I cant
  seem to understand why it fails with telnet
  Any idea why this may be happning ?
  Thanks

  I tried both the sugestion.. no luck
  Below are th eoutput of debug, with some lines in BOLD to help you
  find interesting lines in the log output.
  Thanks
  fixeddemo#sh run | inc tacacs
  aaa authentication login default group tacacs+ local
  aaa authorization exec default group tacacs+ local
  ip tacacs source-interface FastEthernet0/1
  tacacs-server host 10.1.7.15
  tacacs-server key xxxxxxxxxx
  fixeddemo#sh debugging
  General OS:
    TACACS+ events debugging is on
    TACACS+ authentication debugging is on
    TACACS+ packets debugging is on
    AAA Authentication debugging is on
    AAA Subsystem debugs debugging is on
  fixeddemo#
  Jun 17 14:15:54.666: AAA/BIND(00000072): Bind i/f
  Jun 17 14:15:54.666: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
  Jun 17 14:15:54.666: AAA SRV(00000072): process authen req
  Jun 17 14:15:54.670: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
  Jun 17 14:15:54.670: TPLUS: Queuing AAA Authentication request 114 for processin
  g
  Jun 17 14:15:54.670: TPLUS: processing authentication start request id 114
  Jun 17 14:15:54.670: TPLUS: Authentication start packet created for 114()
  Jun 17 14:15:54.670: TPLUS: Using server 10.1.7.15
  Jun 17 14:15:54.670: TPLUS(00000072)/0/NB_WAIT/45585278: Started 5 sec timeout
  Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: socket event 2
  Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 24 (0x18)
  Jun 17 14:15:54.674: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
  Jun 17 14:15:54.674: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA
  ) data_len:0
  Jun 17 14:15:54.674: T+: user:
  Jun 17 14:15:54.674: T+: port:  tty515
  Jun 17 14:15:54.674: T+: rem_addr:  10.1.1.216
  Jun 17 14:15:54.674: T+: data:
  Jun 17 14:15:54.674: T+: End Packet
  Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
  Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
  Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: Would block while reading
  Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
  Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect
  16 bytes data)
  Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
  Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 28 bytes response
  Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
  Jun 17 14:15:54.674: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
  fixeddemo#
  Jun 17 14:15:54.674: T+: msg:  Username:
  Jun 17 14:15:54.674: T+: data:
  Jun 17 14:15:54.678: T+: End Packet
  Jun 17 14:15:54.678: TPLUS(00000072)/0/45585278: Processing the reply packet
  Jun 17 14:15:54.678: TPLUS: Received authen response status GET_USER (7)
  Jun 17 14:15:54.678: AAA SRV(00000072): protocol reply GET_USER for Authenticati
  on
  Jun 17 14:15:54.678: AAA SRV(00000072): Return Authentication status=GET_USER
  fixeddemo#
  Jun 17 14:15:58.794: AAA SRV(00000072): process authen req
  Jun 17 14:15:58.794: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
  Jun 17 14:15:58.794: TPLUS: Queuing AAA Authentication request 114 for processin
  g
  Jun 17 14:15:58.794: TPLUS: processing authentication continue request id 114
  Jun 17 14:15:58.794: TPLUS: Authentication continue packet generated for 114
  Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
  Jun 17 14:15:58.794: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
  Jun 17 14:15:58.794: T+: session_id 3123693045 (0xBA2FC5F5), dlen 10 (0xA)
  Jun 17 14:15:58.794: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
  Jun 17 14:15:58.794: T+: User msg:
  Jun 17 14:15:58.794: T+: User data:
  Jun 17 14:15:58.794: T+: End Packet
  Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE: wrote entire 22 bytes request
  Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
  Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect
  16 bytes data)
  Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
  Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 28 bytes response
  Jun 17 14:15:58.798: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
  Jun 17 14:15:58.798: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
  fixeddemo#
  Jun 17 14:15:58.798: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  Jun 17 14:15:58.798: T+: msg:  Password:
  Jun 17 14:15:58.798: T+: data:
  Jun 17 14:15:58.798: T+: End Packet
  Jun 17 14:15:58.798: TPLUS(00000072)/0/47194394: Processing the reply packet
  Jun 17 14:15:58.798: TPLUS: Received authen response status GET_PASSWORD (8)
  Jun 17 14:15:58.798: AAA SRV(00000072): protocol reply GET_PASSWORD for Authenti
  cation
  Jun 17 14:15:58.798: AAA SRV(00000072): Return Authentication status=GET_PASSWOR
  D
  fixeddemo#
  Jun 17 14:16:02.502: AAA SRV(00000072): process authen req
  Jun 17 14:16:02.502: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
  Jun 17 14:16:02.502: TPLUS: Queuing AAA Authentication request 114 for processin
  g
  Jun 17 14:16:02.502: TPLUS: processing authentication continue request id 114
  Jun 17 14:16:02.502: TPLUS: Authentication continue packet generated for 114
  Jun 17 14:16:02.502: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
  Jun 17 14:16:02.502: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
  Jun 17 14:16:02.502: T+: session_id 3123693045 (0xBA2FC5F5), dlen 14 (0xE)
  Jun 17 14:16:02.502: T+: AUTHEN/CONT msg_len:9 (0x9), data_len:0 (0x0) flags:0x0
  Jun 17 14:16:02.502: T+: User msg:
  Jun 17 14:16:02.502: T+: User data:
  Jun 17 14:16:02.502: T+: End Packet
  Jun 17 14:16:02.506: TPLUS(00000072)/0/WRITE: wrote entire 26 bytes request
  Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
  Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect
  6 bytes data)
  Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
  Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 18 bytes response
  Jun 17 14:16:02.550: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
  Jun 17 14:16:02.554: T+: session_id 3123693045 (0xBA2FC5F5), dlen 6 (0x6)
  fixeddemo#
  Jun 17 14:16:02.554: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
  Jun 17 14:16:02.554: T+: msg:
  Jun 17 14:16:02.554: T+: data:
  Jun 17 14:16:02.554: T+: End Packet
  Jun 17 14:16:02.554: TPLUS(00000072)/0/47194394: Processing the reply packet
  Jun 17 14:16:02.554: TPLUS: Received authen response status FAIL (3)
  Jun 17 14:16:02.554: AAA SRV(00000072): protocol reply FAIL for Authentication
  Jun 17 14:16:02.554: AAA SRV(00000072): Return Authentication status=FAIL
  fixeddemo#
  [ The output below is for the next Username: prompt I believe]Jun 17 14:16:04.554: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
  Jun 17 14:16:04.554: AAA SRV(00000072): process authen req
  Jun 17 14:16:04.554: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
  Jun 17 14:16:04.554: TPLUS: Queuing AAA Authentication request 114 for processin
  g
  Jun 17 14:16:04.554: TPLUS: processing authentication start request id 114
  Jun 17 14:16:04.554: TPLUS: Authentication start packet created for 114()
  Jun 17 14:16:04.554: TPLUS: Using server 10.1.7.15
  Jun 17 14:16:04.554: TPLUS(00000072)/0/NB_WAIT/47194394: Started 5 sec timeout
  Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: socket event 2
  Jun 17 14:16:04.558: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Jun 17 14:16:04.558: T+: session_id 2365877689 (0x8D046DB9), dlen 24 (0x18)
  Jun 17 14:16:04.558: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
  Jun 17 14:16:04.558: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA
  ) data_len:0
  Jun 17 14:16:04.558: T+: user:
  Jun 17 14:16:04.558: T+: port:  tty515
  Jun 17 14:16:04.558: T+: rem_addr:  10.1.1.216
  Jun 17 14:16:04.558: T+: data:
  Jun 17 14:16:04.558: T+: End Packet
  Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
  Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: socket event 1
  Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: Would block while reading
  Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
  Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect
  43 bytes data)
  Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
  Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 55 bytes response
  Jun 17 14:16:04.562: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Jun 17 14:16:04.562: T+: session_id 2365877689 (0x8D046DB9), dlen 43 (0x2B)
  Jun 17 14:16:04.562: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
  Jun 17 14:16:04.562: T+: msg:   0x0A User Access Verification 0x0A  0x0A Usernam
  e:
  fixeddemo#
  Jun 17 14:16:04.562: T+: data:
  Jun 17 14:16:04.562: T+: End Packet
  Jun 17 14:16:04.562: TPLUS(00000072)/0/47194394: Processing the reply packet
  Jun 17 14:16:04.562: TPLUS: Received authen response status GET_USER (7)
  Jun 17 14:16:04.562: AAA SRV(00000072): protocol reply GET_USER for Authenticati
  on
  Jun 17 14:16:04.562: AAA SRV(00000072): Return Authentication status=GET_USER
  fixeddemo#

• How to use 2 AAA server for different login purpose

  Hello, could you help me?
  This is a part of my configuration; I would like to add another TACACS server, witch should take care of the telnet at vty 0 4.
  The Tacacs server 10.20.30.40 takes care of the virtual access, and I have another Tacacs server who takes care of login on our network equipment.
  ! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
  aaa new-model
  aaa authentication login default group tacacs+
  aaa authentication login no_tacacs enable
  aaa authentication ppp default group tacacs+
  aaa authorization exec default group tacacs+
  aaa authorization network default group tacacs+
  aaa accounting exec default start-stop group tacacs+
  aaa accounting network default start-stop group tacacs+
  aaa accounting connection default start-stop group tacacs+
  virtual-profile virtual-template 1
  virtual-profile aaa
  interface Serial2/0:15
  description ISDN30
  no ip address
  encapsulation ppp
  no ip route-cache
  no keepalive
  dialer pool-member 10
  isdn switch-type primary-net5
  isdn tei-negotiation first-call
  isdn caller xxxxxxx
  no fair-queue
  compress stac
  no cdp enable
  ppp authentication chap
  ppp multilink
  interface Virtual-Template1
  ip unnumbered FastEthernet1/0
  ip nat outside
  ppp authentication chap
  tacacs-server host 10.20.30.40 key ********
  line con 0
  exec-timeout 20 0
  password ************
  login authentication no_tacacs
  transport input none
  flowcontrol hardware
  line aux 0
  line vty 0 4
  access-class 1 in
  exec-timeout 60 0
  password *************
  login authentication no_tacacs
  transport input telnet
  transport output telnet
  If I just add
  aaa authentication login vtymethod group tacacs+ enable
  tacacs-server host 10.50.60.70 key ********
  line vty 0 4
  login authentication vtymethod
  My telnet request ask 10.20.30.40 and I have a deny! Could you help to make a secure solution?
  Thanks

  Jens
  I believe that your solution would be to configure a different tacacs server group with the new server in the new group and to use the new group to authenticate for your vty. The config might look something like this:
  aaa group server tacacs+ vty_TAC
  server 10.50.60.70
  aaa authentication login vtymethod group vty_TAC enable
  tacacs-server host 10.50.60.70 key ********
  I have configured this type of thing and it worked well. When I configured it I explicitly configured (and named) two different TACACS server groups and referenced specific server groups for each authentication method. I am not clear whether it works to keep the default group tacacs+ and use it for your normal authentication or whether you may need to configure a non-default group for it.
  Give it a try and let us know what happens.
  HTH
  Rick

• While running dcdiag /test:dns getting Warning: The AAAA record for this DC was not found

  DCDIAG /test:dns result is pested here.
  C:\Users\administrator.SUD>dcdiag /test:dns
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
     Home Server = MUM-ADS-01
     * Identified AD Forest.
     Done gathering initial info.
  Doing initial required tests
     Testing server: Default-First-Site-Name\MUM-ADS-01
        Starting test: Connectivity
           ......................... MUM-ADS-01 passed test Connectivity
  Doing primary tests
     Testing server: Default-First-Site-Name\MUM-ADS-01
        Starting test: DNS
           DNS Tests are running and not hung. Please wait a few minutes...
           ......................... MUM-ADS-01 passed test DNS
     Running partition tests on : ForestDnsZones
     Running partition tests on : DomainDnsZones
     Running partition tests on : Schema
     Running partition tests on : Configuration
     Running partition tests on : sud
     Running enterprise tests on : sud.in
        Starting test: DNS
           Test results for domain controllers:
              DC: MUM-ADS-01.sud.in
              Domain: sud.in
                 TEST: Basic (Basc)
                    Warning: The AAAA record for this DC was not found
                 TEST: Forwarders/Root hints (Forw)
                    Error: Root hints list has invalid root hint server:
                    a.root-servers.net. (198.41.0.4)
                    Error: Root hints list has invalid root hint server:
                    b.root-servers.net. (128.9.0.107)
                    Error: Root hints list has invalid root hint server:
                    c.root-servers.net. (192.33.4.12)
                    Error: Root hints list has invalid root hint server:
                    d.root-servers.net. (128.8.10.90)
                    Error: Root hints list has invalid root hint server:
                    e.root-servers.net. (192.203.230.10)
                    Error: Root hints list has invalid root hint server:
                    f.root-servers.net. (192.5.5.241)
                    Error: Root hints list has invalid root hint server:
                    g.root-servers.net. (192.112.36.4)
                    Error: Root hints list has invalid root hint server:
                    h.root-servers.net. (128.63.2.53)
                    Error: Root hints list has invalid root hint server:
                    i.root-servers.net. (192.36.148.17)
                    Error: Root hints list has invalid root hint server:
                    j.root-servers.net. (192.58.128.30)
                    Error: Root hints list has invalid root hint server:
                    k.root-servers.net. (193.0.14.129)
                    Error: Root hints list has invalid root hint server:
                    l.root-servers.net. (198.32.64.12)
                    Error: Root hints list has invalid root hint server:
                    m.root-servers.net. (202.12.27.33)
                 TEST: Delegations (Del)
                    Error: DNS server: sud-ad.sud.in. IP:<Unavailable>
                    [Missing glue A record]
                 TEST: Records registration (RReg)
                    Network Adapter
                    [00000006] Intel(R) PRO/1000 MT Network Connection:
                       Warning:
                       Missing AAAA record at DNS server 10.1.6.132:
                       MUM-ADS-01.sud.in
                       Warning:
                       Missing AAAA record at DNS server 10.1.6.132:
                       gc._msdcs.sud.in
                       Warning:
                       Missing AAAA record at DNS server 10.1.6.133:
                       MUM-ADS-01.sud.in
                       Warning:
                       Missing AAAA record at DNS server 10.1.6.133:
                       gc._msdcs.sud.in
                 Warning: Record Registrations not found in some network adapters
           Summary of test results for DNS servers used by the above domain
           controllers:
              DNS server: 128.63.2.53 (h.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 128.63.2.53
              DNS server: 128.8.10.90 (d.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 128.8.10.90
              DNS server: 128.9.0.107 (b.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 128.9.0.107
              DNS server: 192.112.36.4 (g.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 192.112.36.4
              DNS server: 192.203.230.10 (e.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 192.203.230.10
              DNS server: 192.33.4.12 (c.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 192.33.4.12
              DNS server: 192.36.148.17 (i.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 192.36.148.17
              DNS server: 192.5.5.241 (f.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 192.5.5.241
              DNS server: 192.58.128.30 (j.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 192.58.128.30
              DNS server: 193.0.14.129 (k.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 193.0.14.129
              DNS server: 198.32.64.12 (l.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 198.32.64.12
              DNS server: 198.41.0.4 (a.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 198.41.0.4
              DNS server: 202.12.27.33 (m.root-servers.net.)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
  S server 202.12.27.33
           Summary of DNS test results:
  Auth Basc Forw Del  Dyn  RReg Ext
              Domain: sud.in
                 MUM-ADS-01                   PASS WARN FAIL FAIL PASS WARN n/a
           ......................... sud.in failed test DNS

  Hi Meinolf,
  Please find the IP Details as well as DNS test results.
  C:\Users\Administrator.SCI>dcdiag /test:dns
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
     Home Server = MDCDCDNS
     * Identified AD Forest.
     Done gathering initial info.
  Doing initial required tests
     Testing server: MDC-Powai\MDCDCDNS
        Starting test: Connectivity
           ......................... MDCDCDNS passed test Connectivity
  Doing primary tests
     Testing server: MDC-Powai\MDCDCDNS
        Starting test: DNS
           DNS Tests are running and not hung. Please wait a few minutes...
   ERROR: NO DNS servers for IPV6 stack was found
           ......................... MDCDCDNS passed test DNS
     Running partition tests on : ForestDnsZones
     Running partition tests on : DomainDnsZones
     Running partition tests on : Schema
     Running partition tests on : Configuration
     Running partition tests on : sci
     Running enterprise tests on : sci.com
        Starting test: DNS
           Test results for domain controllers:
              DC: MDCDCDNS.sci.com
              Domain: sci.com
                 TEST: Basic (Basc)
                    Warning: The AAAA record for this DC was not found
                 TEST: Records registration (RReg)
                    Network Adapter
                    [00000009] Microsoft Virtual Network Switch Adapter:
                       Warning:
                       Missing AAAA record at DNS server 10.64.7.32:
                       MDCDCDNS.sci.com
                       Warning:
                       Missing AAAA record at DNS server 10.64.7.32:
                       gc._msdcs.sci.com
                       Warning:
                       Missing AAAA record at DNS server 10.64.7.35:
                       MDCDCDNS.sci.com
                       Warning:
                       Missing AAAA record at DNS server 10.64.7.35:
                       gc._msdcs.sci.com
                       Warning:
                       Missing AAAA record at DNS server 10.20.33.72:
                       MDCDCDNS.sci.com
                       Warning:
                       Missing AAAA record at DNS server 10.20.33.72:
                       gc._msdcs.sci.com
                       Warning:
                       Missing AAAA record at DNS server 10.20.33.71:
                       MDCDCDNS.sci.com
                       Warning:
                       Missing AAAA record at DNS server 10.20.33.71:
                       gc._msdcs.sci.com
                 Warning: Record Registrations not found in some network adapters
                 MDCDCDNS                     PASS WARN PASS PASS PASS WARN n/a
           ......................... sci.com passed test DNS
  C:\Users\Administrator.SCI>ipconfig /all
  Windows IP Configuration
     Host Name . . . . . . . . . . . . : MDCDCDNS
     Primary Dns Suffix  . . . . . . . : sci.com
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : sci.com
  Ethernet adapter Local Area Connection 7:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : External Internal Virtual Network
     Physical Address. . . . . . . . . : 00-14-4F-CA-83-AC
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv4 Address. . . . . . . . . . . : 10.64.7.32(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : 10.64.7.1
     DNS Servers . . . . . . . . . . . : 10.64.7.32
                                         10.64.7.35
                                         10.20.33.72
                                         10.20.33.71
     NetBIOS over Tcpip. . . . . . . . : Disabled
  Ethernet adapter Local Area Connection 6:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : TEAM : Team #1
     Physical Address. . . . . . . . . : 00-14-4F-CA-83-AC
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     Autoconfiguration IPv4 Address. . : 169.254.105.163(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.0.0
     Default Gateway . . . . . . . . . :
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Tunnel adapter Local Area Connection* 8:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : isatap.{2D5A4A27-298F-48E5-A376-EA886EF1E
  42A}
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter Local Area Connection* 9:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : isatap.{14FA7CD4-8B69-4C86-A58B-056793B7D
  901}
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Please check and revert back for any queries..
  Thanks...
  Deva Self-trust is the first secret of success.

• How to set the Context path to AAA/BBB in Weblogic 5.1?

  Hi folks,
            I want to deploy a web application and set the servlet context as:
            AAA/BBB. Put more simply, my application should be accessible via the
            following:
            http:localhost:7001/AAA/BBB/main.jsp
            where http://localhost:7001/AAA/BBB maps to my document root.
            One work around is to set the context to AAA:
            weblogic.httpd.webApp.AAA=WebAppLocation
            And in the deployment descriptor (web.xml) to register all servlets
            with a BBB/ prepended to the desired alias:
            <servlet-mapping>
            <servlet-name>main</servlet-name>
            <url-pattern>BBB/main.jsp</url-pattern>
            </servlet-mapping>
            But this solution does not work for me. Parts of the application refer
            the context root (AAA) and create URLs relative to that. These URLs
            will not have the BBB part. Searching for it in the code and replacing
            it is not desirable (we do not own the code). Does anyone have any
            suggestions?
            Thanks in advance,
            Musafir
            

  What you have done for changing the context root to "/" is all fine but it is important to know that there is a ROOT.war in the deploy folder of JBoss which by default gets bound to "/" context. You must be getting the error message like "Web mapping already exists for deployment" when you would be starting your JBoss server after changing your context root to "/". So either you can completely remove the ROOT.war from the deploy folder or change the context-root of ROOT.war by updating its web.xml like:
  <web-app>
  <display-name>Welcome to JBoss</display-name>
  <description>
  Welcome to JBoss
  </description>
  *<context-param>*
  *<param-name>context-root</param-name>*
  *<param-value>/jboss-root</param-value>*
  *</context-param>*
  <servlet>
  <servlet-name>Status Servlet</servlet-name>
  <servlet-class>org.jboss.web.tomcat.service.StatusServlet</servlet-class>
  </servlet>
  </web-app>
  and also update the jboss-web.xml of ROOT.war:
  <jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
  *<context-root>/jboss-root</context-root>*
  </jboss-web>
  I hope this serves your purpose.
  There can be a workaround also by modifying the index.html of ROOT.war in the deploy folder of your server and redirect request to your web application using meta refresh like:
  <meta http-equiv="refresh" content="0;URL='/store'">

• Aaa New format configuation on IOS and Nexus-OS based devices ?

  Dear all,
  I have been working on an assignment to get our TACACs servers  standardized and to change the old format  aaa configs to the new  standard before the old format gets deprecated.
  I have many multiple IOS based model devices such as 2350, 2821,  3650,   Firewalls, Nexus based 3048s 3064s  and 7010s
  However,   I have tried the new format on both the IOS based 2350s and also on  the Nexus based 3048s which has error on both cases
  our plan is to move to the new style of aaa configuration and at  least to have one standard format configuration for IOS based devices  and one other standard format for Nexus based devices.
  •Our tacacs appliances are crashing on AD authentication on a fairly  regular basis. And I was wondering as to where to get resource on  Cisco.com to see if we are on the latest version. Can you point me  resource where I can find the latest version so that I will be able to  compare it with what we have
  Also if you have a forum recommendation for me to get help on this and other related staff that will be a huge help.
  probably we might need to upgrade our IOS for example the below new  aaa config format didn’t work?  when I tried it on 2350 based on  flash:/c2350-lanlite-mz.122-46.EY/c2350-lanlite-mz.122-46 version any  suggestion here?
  I have attached the sample config I have been trying to use-- If you have a better configuration suggestion let me know? Thanks a million for the help!
  Abe
  With Regards,
  Abe

  Yes, the focus with ML is certainly on trying to get people who have iOS devices to switch to using Apple computers.
  For long-time devotees of OS X like us, there's not much in it. Snow Leopard was still a far more versatile and more widely compatible OS than either 10.7 or 10.8. If you're on 10.6.8. I would think twice about upgrading.
  However, I think if you're on 10.7 already, it's worth upgrading to 10.8, simply because ML seems to be more stable and more refined. They have fixed some of the annoying things in Lion (like you can now put Devices back to the top of the Finder sidebar, Resume is turned off by default, 'Save As' has been resurrected, Launchpad actually has a filter bar etc etc.). Some of the apps are better too - some nice new features in Preview for editing and Safari has an all-in-one address/search bar).
  More features are advertised explained here: http://www.apple.com/osx/whats-new/features.html

• Read-only aaa statements

  I've setup the TACACS server with two groups
  -FULL admin rights
  -READ only rights
  Two users have been created
  -admin_test
  -read_test
  The admin_test config works fine on AAA but i keep getting stuck with read_test configs. I can never get to enable mode eventhough i've defined it on the group policy. Is there something wrong with my aaa statements below?
  aaa authentication login default group tacacs+ line enable
  aaa authentication enable default group tacacs+ enable line
  aaa authorization exec default if-authenticated
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+

  Privilege is not scalable in a big environment.
  What you need is authorization on the ACS
  server. In Cisco Freeware TACACS+ I defined
  the following groups: readonly, advanced and
  admin:
  group = readonly {
  default service = deny
  cmd = show { deny .* }
  cmd = show { permit .* }
  cmd = copy { permit .* }
  cmd = ping { permit .* }
  cmd = enable { permit .* }
  cmd = configure { deny .* }
  cmd = disable { permit .* }
  cmd = telnet { permit .* }
  cmd = disconnect { permit .* }
  cmd = where { permit .* }
  cmd = set { permit .* }
  cmd = clear { permit line }
  cmd = exit { permit .* }
  cmd = debug { permit .* }
  group = advanced {
  default service = deny
  cmd = show { permit .* }
  cmd = copy { permit flash }
  cmd = copy { permit running }
  cmd = ping { permit .* }
  cmd = configure { permit .* }
  cmd = enable { permit .* }
  cmd = disable { permit .* }
  cmd = telnet { permit .* }
  cmd = disconnect { permit .* }
  cmd = where { permit .* }
  cmd = set { permit .* }
  cmd = clear { permit line }
  cmd = exit { permit .* }
  cmd = interface { permit .* }
  group = admin {
  default service = permit
  As you can see, admin can access everything,
  readonly can only read. Advanced can make
  limited changes and admin can do everything.
  On the Cisco router, I have the following
  configuration:
  aaa authentication login notac none
  aaa authentication login VTY group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization console
  aaa authorization config-commands
  aaa authorization exec notac none
  aaa authorization exec VTY group tacacs+ if-authenticated none
  aaa authorization commands 0 VTY group tacacs+ if-authenticated none
  aaa authorization commands 1 VTY group tacacs+ if-authenticated none
  aaa authorization commands 15 VTY group tacacs+ if-authenticated none
  aaa authorization network VTY group tacacs+ if-authenticated none
  aaa accounting exec VTY start-stop group tacacs+
  aaa accounting commands 0 VTY start-stop group tacacs+
  aaa accounting commands 1 VTY start-stop group tacacs+
  aaa accounting commands 15 VTY start-stop group tacacs+
  aaa accounting network VTY start-stop group tacacs+
  aaa accounting connection VTY start-stop group tacacs+
  I find that by doing it this way, it is much
  more scalable than using privilege commands
  on the router itself.
  David
  CCIE Security

• How to stop ACS intergated AD users to login in AAA clients(network device)

  I have ACS 4.2 Appliance which is integrated with Active directory.
  AD users are able to login in network devices. Is there any so that I can stop AD user and other local users to login in AAA clinets (network devices).

  These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.
  What kind of AAA clients are we talking about? Cisco switches, Cisco WLC's? Swicthing gear from other companies?
  For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS ro TACACS+, respectively):
  aaa group server radius rad_admin
  server xxx.xxx.xxx.xxx
  aaa group server tacacs+ tac_admin
  server xxx.xxx.xxx.xxx
  If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).

• ISE - AAA radius authentication for NAD access

  Hi ,
  I have configured the switches to use the ISE as the Radius server to authenticate with , on the ISE i've configured an authentication policy
  for the "NADs" using the "Wired Devices" group which points to the AD indentity source to authenticate against .
  While testing the login access to the switches we've come up with 2 results :
  1.A domain user can indeed login to the switch as intended.
  2.Every domain user which exists in the AD indentity source can login , this is an undesired result .
  So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD , for example the group/ou
  of the IT_department only .
  I haven't been successfull , would appreciate any ideas on how to accomplish this .
  Switch configurations :
  =================
  aaa new-model
  aaa authentication login default group radius local
  ISE Authentication policy
  ==================
  Policy Name : NADs Authentication
  Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
  Allowed Protocol : Default Network Access
  use identity source : AD1

  Thank you for the quick replys , and now  ok , I've configured the following authorization policy :
  Rule Name : Nad Auth
  Conditions
  if: Any
  AND : AD1:ExternalGroups EQUALS IT_Departments
  Permissions , then PermitAccess
  What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group" , I am limited with the if statement and cannot chose the same device group a choose before .
  How can i do that , i am thinking ahead an asking myself if in other cases a user might match this policy rule and can interfer ?

• Cisco 4503 "1000BaseLH" SFP light is not coming ---- Urgent

  Dear Team,
  I have Cisco 4503 and I have inserted 1000BaseLH and light is not coming up but for 1000BaseSX its fine.
  Please suggest.
  CORE#show int GigabitEthernet1/18
  GigabitEthernet1/18 is down, line protocol is down (notconnect)
    Hardware is Gigabit Ethernet Port, address is 001e.4aa6.b891 (bia 001e.4aa6.b891)
    MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Full-duplex, Auto-speed, link type is auto, media type is 1000BaseLH
    input flow-control is off, output flow-control is off
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input never, output never, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
       0 packets input, 0 bytes, 0 no buffer
       Received 0 broadcasts (0 multicast)
       0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
       0 input packets with dribble condition detected
       0 packets output, 0 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 babbles, 0 late collision, 0 deferred
       0 lost carrier, 0 no carrier
       0 output buffer failures, 0 output buffers swapped out
  CORE#show inventory
  NAME: "GigabitEthernet1/18", DESCR: "1000BaseLH"
  PID: TRF5735AALB202    , VID: A1 , SN: OPA11241478
  Thank You,
  Abhisar.

  Dear Reza,
  we connected cable and it came up. The conclusion is single m9de sfps does not show light where multimode sfp shows light when sfp is connected on switch port.
  Thank you for your suggesion.
  Thank You,
  Abhisar.