AAA on 4503
Hi,
I have a curious problem about radius authentication. I have a 4503 with radius enabled authenticating on ACS 4.0. For now I haven't enabled dot1x. I'm testing authentication through telnet. I have an ACS 3.3 and a 4.0 and the problem happens with both.
My config is:
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa accounting exec default start-stop group radius
radius-server host 192.168.1.13 auth-port 1812 acct-port 1813 key 7 141F1E0C2C052938
I configured ACS correctly as described at the following URL: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d11a4.shtml
I tried changing the radius ports to 1645 and 1646 and the problem remained.
When I put the 3550 with the same config, it works fine with the two ACS servers.
The connectivity between the ACSs and the 4503 is perfect; they are on the same network.
See the results of debug radius and debug aaa authentication in the attached file.
Thanks a lot.
Hello,
Based on the debug output, it sounds like a connectivity problem to 192.168.1.13. Can the 4506s ping 192.168.1.13? Do you see failed attempts in the ACSs' logs coming from the 4503s (if not, that means that the access-request packet is not getting to ACS)?
Hope this helps! If so, please rate.
Thanks
*Jul 12 14:52:16: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:16: RADIUS: acct-delay-time for 17B1C9CC (at 17B1CA33) now 10
HT4503#
*Jul 12 14:52:19: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
HT4503#
*Jul 12 14:52:21: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:21: RADIUS: acct-delay-time for 17B1C9CC (at 17B1CA33) now 15
HT4503#
*Jul 12 14:52:25: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
HT4503#
*Jul 12 14:52:27: RADIUS: Tried all servers.
*Jul 12 14:52:27: RADIUS: No valid server found. Trying any viable server
*Jul 12 14:52:27: RADIUS: Tried all servers.
*Jul 12 14:52:27: RADIUS: No response from (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:27: AAA/MEMORY: free_user (0x175ABDD8) user='halogica' ruser='NULL' port='tty2' rem_addr='192.168.1.194' authen_type=ASCII service=LOGIN priv=1
HT4503#
*Jul 12 14:52:31: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
HT4503#
*Jul 12 14:52:36: RADIUS: Tried all servers.
*Jul 12 14:52:36: RADIUS: No valid server found. Trying any viable server
*Jul 12 14:52:36: RADIUS: Tried all servers.
*Jul 12 14:52:36: RADIUS: No response from (192.168.1.13:1812,1813) for id 21645/79
*Jul 12 14:52:36: RADIUS: No response from server
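The check the reply asks for, whether the server ever answers at all, can be read straight out of the debug output. The following Python sketch is an added example, not part of the original thread: it groups the `debug radius` lines per request id and separates a server that stays silent from one that answers. The function names are hypothetical, and the `Received from id` line format used for the contrast case is an assumption, since the thread shows no answered request.

```python
import re

# Debug lines copied from the thread above (prompt-only lines omitted).
THREAD_DEBUG = """\
*Jul 12 14:52:16: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:19: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
*Jul 12 14:52:21: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:25: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
*Jul 12 14:52:27: RADIUS: Tried all servers.
*Jul 12 14:52:27: RADIUS: No response from (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:31: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
*Jul 12 14:52:36: RADIUS: Tried all servers.
*Jul 12 14:52:36: RADIUS: No response from (192.168.1.13:1812,1813) for id 21645/79
*Jul 12 14:52:36: RADIUS: No response from server
"""

# Constructed contrast case: the server is reachable and rejects the login.
# This line format is an assumption; it does not appear in the thread.
CONSTRUCTED_REJECT = """\
*Jul 12 15:00:01: RADIUS: Received from id 21645/80 192.168.1.13:1812, Access-Reject, len 20
"""

SERVER = r"\((?P<host>[\d.]+):(?P<auth>\d+),(?P<acct>\d+)\)"
REQ_ID = r"(?P<id>\d+/\d+)"
RETRANSMIT = re.compile(r"RADIUS: Retransmit to " + SERVER + r" for id " + REQ_ID)
NO_RESPONSE = re.compile(r"RADIUS: No response from " + SERVER + r" for id " + REQ_ID)
RECEIVED = re.compile(
    r"RADIUS: Received from id " + REQ_ID + r" (?P<host>[\d.]+):\d+, (?P<code>[A-Za-z-]+)"
)


def analyze(debug_text):
    """Return {request_id: {"server", "retransmits", "outcome"}} in first-seen order."""
    requests = {}

    def entry(req_id, server):
        return requests.setdefault(
            req_id, {"server": server, "retransmits": 0, "outcome": "pending"}
        )

    for line in debug_text.splitlines():
        m = RETRANSMIT.search(line)
        if m:
            entry(m["id"], m["host"])["retransmits"] += 1
            continue
        m = NO_RESPONSE.search(line)
        if m:
            # The switch gave up on this request: nothing came back at all.
            entry(m["id"], m["host"])["outcome"] = "no_response"
            continue
        m = RECEIVED.search(line)
        if m:
            # Any reply, even a reject, proves the request reached the server.
            entry(m["id"], m["host"])["outcome"] = m["code"].lower()
    return requests


def diagnose(requests):
    """Per server: 'silent' if every finished request timed out, else 'answering'."""
    per_server = {}
    for req in requests.values():
        stats = per_server.setdefault(req["server"], {"timeouts": 0, "answers": 0})
        if req["outcome"] == "no_response":
            stats["timeouts"] += 1
        elif req["outcome"] != "pending":
            stats["answers"] += 1
    verdicts = {}
    for server, stats in per_server.items():
        if stats["answers"]:
            verdicts[server] = "answering"
        elif stats["timeouts"]:
            verdicts[server] = "silent"  # check reachability and the server's failed-attempts log
        else:
            verdicts[server] = "unknown"
    return verdicts


if __name__ == "__main__":
    result = analyze(THREAD_DEBUG)
    for req_id, info in result.items():
        print(req_id, info)
    print(diagnose(result))
```

On the thread's own lines both request ids end as `no_response` and the server is reported as silent, which matches the reply's reading of the debug output.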
Similar Messages
-
Hi, folks.
While having trouble getting my AC power supply cord to power up the 'book (the cord wires were broken and the power would only flow if the cord were held in one position) the battery eventually was exhausted and the 'book shut down.
This interruption caused the desktop menu, labels, and submenus, to all be labeled AAAAAAAAA....etc.
The A's appear within box (square) shapes. For example the word 'view' looks like this AAAA but in boxes.
I tried to rebuild the desktop but that didn't help. I wanted to trash the desktop preferences, but since everything is labeled AAAAAAA I can't find them! Even the master OS disk (Tiger) is littered with AAAAAA's! I can read the internet ok, however.
What's going on?
Hi Ddale53, and a warm welcome to the forums!
http://discussions.apple.com/thread.jspa?messageID=7629337
http://discussions.apple.com/thread.jspa?threadID=856498&tstart=195 -
We seem to be having an issue recently after introducing new Windows Server 2012 R2 servers where they fail to register DNS correctly. The Windows Firewall is off and the servers are on the same VLAN with no firewalls between them.
When I do an ipconfig /registerdns or wait 24 hours for the system to try we get the following error:
The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:
Adapter Name : {4A0ECF05-193F-4BEA-AA46-BEC593BA752B}
Host Name : SRV-DATA
Primary Domain Suffix : internal.local
DNS server list :
192.168.0.50, 192.168.0.42
Sent update to server : <?>
IP Address(es) :
192.168.0.99
The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol.
To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.
On our DNS server we have set for the internal.local zone Secure Updates only so that looks good because it is Active Directory that should be handling this authentication to update the record I assume. Just to mention that when also doing an ipconfig /registerdns the update fails within a few seconds.
Source: DNS Clients Events
Event ID: 8018
User: NETWORK SERVICE
This issue is only affecting Windows Server 2012 R2 clients and testing with Windows Server 2008 R2 clients works no issues. So is this a mis-configuration or a bug with Windows 2012 R2? I have checked all DNS settings on client / server which all look good to me so reaching out now to see if anyone has any ideas?
Environment:
- Windows Server 2012 R2 Domain Controllers (Forest/Domain Levels 2012 R2)
- Windows Server 2012 R2 Client machines (Physical and Virtual)
- Windows Server 2008 R2 Client machines (Physical and Virtual)
The zone is configured as "Secure Only"
The PDC is the SOA for the zone
I don't have a packet capture from the DC, only the client.
The query you asked me to run is too long to paste in here, however this is the DNS zone it cannot update:
NotifyServers :
SecondaryServers : {10.2.0.3, 10.2.0.5}
AllowedDcForNsRecordsAutoCreation :
DistinguishedName : DC=internal.local,cn=MicrosoftDNS,DC=ForestDnsZones,DC=internal,DC=local
IsAutoCreated : False
IsDsIntegrated : True
IsPaused : False
IsReadOnly : False
IsReverseLookupZone : False
IsShutdown : False
ZoneName : internal.local
ZoneType : Primary
DirectoryPartitionName : ForestDnsZones.internal.local
DynamicUpdate : Secure
IsPluginEnabled : False
IsSigned : False
IsWinsEnabled : False
Notify : NoNotify
ReplicationScope : Forest
SecureSecondaries : TransferToSecureServers
ZoneFile :
PSComputerName :
CimClass : root/Microsoft/Windows/DNS:DnsServerPrimaryZone
CimInstanceProperties : {DistinguishedName, IsAutoCreated, IsDsIntegrated, IsPaused...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties -
issue with cisco acs 4.2. Users unable to login aaa client but after restarting group policy able to login
-
VPN Client and AAA services on a Cisco ISR Router
Hi, my name is Jim, and I was just promoted as a trainer for the company I work for. Part of my new challenge is understanding how the configuration files in both my Terminal Services/VPN Router and Core Router work, so for many of you, these questions are going to seem very fundamental, but please help, I am an instructor in training. I hold a CCNA, CCNA-Wireless, and a CCSI cert, but I have little working experience in building and maintaining a lab....hence the need for this inquiry.
So to my questions. In our lab environment, we have a router that acts as our terminal services router and VPN router. Each laptop that connects to the lab has the Cisco VPN client loaded onto it, as well as my laptop that I teach from. My questions are these:
1. What parts of the AAA output of the running configuration tell me how to configure the VPN clients on my laptops?
2. I am using crypto key generate RSA at 1024 bits on the VPN/TS router, so does that tell me how to configure some part of the client?
3. In our lab, we are going to use a direct connection to an AP to get connected to the network, and how will the absence of an Internet connection affect the settings on the VPN client, or will they?
4. Are there helpful articles I can read that will answer some or all of these questions?
Thanks in advance,
Jim
Hi Jim,
congratulations
Assuming a basic setup, your router will have something like this:
crypto isakmp client configuration group MyGroup
key cisco123
So on the client, you configure it to use MyGroup as the group name, and cisco123 as the (group) password.
I'm not sure I understand your question #3 and what you mean by "AP" (Access Point? So WiFi?). In any case you don't need Internet access per se, as long as you have network (IP) connectivity between the host running the vpnclient and the VPN router.
Does this help?
Herbert -
How to survive an ACS audit with aaa-reports!
For many organisations the Cisco Secure ACS server is the guardian of the network - controlling administrative access to routers and switches plus overseeing end network users over VPN, wireless and firewall.
It's no surprise therefore that it should come under intense scrutiny during an audit. Perhaps what is surprising is the lack of awareness over best practice for running ACS in a secure way. We'd like to help in our small way and below is a list of tips we've picked up over the years of providing reporting services for ACS.
Buy aaa-reports! Of course we would say that... But without the ability to aggregate the logs from all your ACS servers and report on the data, or use our query builder for forensic analysis, or import the ACS database to document the policy features enabled.... you'll have a hard time getting the evidence that an auditor might ask for.
Make sure ACS is logging the appropriate attributes for the reports you need to create. For example if you need to document who did what to devices in specific Network Device Groups (NDG) you must ensure this value actually gets logged. Performing ACS upgrades often sets logging configs back to their defaults.
Create a build specification for your ACS. Detail the "meta config" of your ACS so that after an emergency hardware swap-out or software upgrade you can quickly check that the ACS has the correct configuration. The build spec document should be under version control and is a useful item in itself to convince an auditor your system is well controlled.
Create a Change Control system for config changes on the ACS. Since it's ACS that decides who gets access and what commands they run on your network, it's vital you report on the Administration Audit logs. During an audit you can then correlate entries in your change control system with actual edits recorded in the Admin Audit logs. aaa-reports! can document what all or individual ACS admins did in detail.
Retain 2 years of actual CSV log data on your reporting server. For general day-to-day reporting you don't need this amount, but during an audit you may be required to show what happened on a specific historic date. aaa-reports! multi-db feature will allow you to create a specific back-end database just for this task and import logs from the required time period. Alternatively use the aaa-reports! snapshot feature to regularly save its database state, for example quarterly. You may then connect aaa-reports! to any of the historic snapshot databases to report on the data from that quarter.
Regularly export the ACS database into aaa-reports! If you are running reports against log data from 2 years ago you also need to know what was in the ACS database at the same time - using a more recent ACS database might yield unexpected results because the configuration is likely to have changed in the meantime. Use csvsync to regularly grab the ACS database and keep them alongside the retained CSV logs for future reference.
Review the quality of ACS log data. From time to time it's worth taking a look at the quality of the data getting logged. We often find customers with rogue scripts being automated on devices that cause the ACS Failed Attempts logs to become full of many MBs of "junk data" - essentially one failed attempt for each line of the script. If left to continue for months the real data starts to become more difficult to find.
In terms of specific questions that an audit will concentrate on, typically it will revolve around demonstrating that not only is there specific and adequate policy to control access to those parts of the network that require it, but also to seek evidence that those policies are in fact working. In aaa-reports! we added a whole set of reports for TACACS+ Device Administration (TDA) that attempt to document the ACS policy configuration, answer questions such as "who can/cannot access devices and once connected what can they do?" and finally report on what did actually happen.
Below are some additional TDA specific tips:
Ensure services such as shell/exec are only enabled for ACS groups that really need it. The aaa-reports! TDA Group Summary report will list every ACS group and what TDA features are enabled. The TDA Group Detail report can be used to inspect the policy in detail.
Check for user-level overrides. In general users should always inherit policy from their group unless there is good reason. The aaa-reports! TDA User Summary report lists users with group overridden configuration. The TDA User Detail report can be used to inspect what policy items are specific to the user.
Use Network Access Restrictions (NAR) to prevent login by unauthorised personnel. The first line of defence is to only allow device admin users access to routers and switches. We find some customers rely purely on command authorisation - this potentially lets anyone access the device who can authenticate. Imagine the scenario where ACS has "unknown authentication" enabled pointing at your Windows AD then answer "Who has access?". aaa-reports! can report group-by-group on device access controlled by NARs and therefore answer "Who has access to device XYZ?"
Use Device Command Sets (DCS) for command authorisation. Create a set of re-usable DCSs with meaningful names in preference to simple group-level command authorisations. ACS administration is simplified and the auditor should understand what the intent of the policy is by its name. aaa-reports! can document both the content of each DCS and the group assignments, thereby answering the question "What commands can user X execute on device XYZ?"
Seek out and remove old ACS user accounts. aaa-reports! can report on inactive users both from examination of accounting logs and (if password aging is enabled) from the imported ACS database itself.
Learn how to use the aaa-reports! Query Builder. Despite the comprehensive set of pre-built canned reports, during an audit you are likely to be asked questions about a specific date, user or device. Knowing how to use the QB to build filter/sort and group/totalling queries will get the answers quickly. Take the random question "How many sessions did user X have on devices A, B and C on this date?" The aaa-reports! QB can easily create custom reports that filter on any number of attribute values, group by multiple columns and have calculated fields such as sum, count, average etc. If you have a working knowledge of Visual Basic 6 (VB6) it's also possible to use a rich array of formatting and other VB6 functions to create additional fields.
The above list is of course by no means definitive as every customer will have their own specific needs from ACS and face different levels of compliance. Undergoing an audit is never easy, but at least with the right tools it doesn't have to be awful!
For more information on extraxi aaa-reports! or to download our free 60 day trial version please visit http://www.extraxi.com/audit.htm.
-
I have setup ACS 4.2 and when I run
router# test aaa group tacacs+ myuser mypasswd [ legacy | new-code]
Both options work fine
But when I try and login, over telnet, the request reaches the aaa server, but returns fail !
My commands are :-
tacacs-server host xx.xx.xx.xx single-connection port 49
tacacs-server key xxxxxxxxxxx
aaa authentication banner ^CUnauthorized access forbidden^C
aaa authentication username-prompt "Enter Username: "
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
I don't see the banner NOR the "Enter Username:" prompt.
Also a debug aaa authentication and debug aaa subsys show that the request reaches AAA, but it simply returns fail
I had the same issue in 5.1, but that was due to the tacacs+ single-connection not being set or something similar, and the error there was "shared secret does not match", on the AAA server logs
I am still new to 4.2, so am still trying to determine where the log files are etc, but since it works with the test command, I can't seem to understand why it fails with telnet
Any idea why this may be happening?
Thanks
I tried both the suggestions.. no luck
Below is the output of debug, with some lines in BOLD to help you find interesting lines in the log output.
Thanks
fixeddemo#sh run | inc tacacs
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
ip tacacs source-interface FastEthernet0/1
tacacs-server host 10.1.7.15
tacacs-server key xxxxxxxxxx
fixeddemo#sh debugging
General OS:
TACACS+ events debugging is on
TACACS+ authentication debugging is on
TACACS+ packets debugging is on
AAA Authentication debugging is on
AAA Subsystem debugs debugging is on
fixeddemo#
Jun 17 14:15:54.666: AAA/BIND(00000072): Bind i/f
Jun 17 14:15:54.666: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
Jun 17 14:15:54.666: AAA SRV(00000072): process authen req
Jun 17 14:15:54.670: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:15:54.670: TPLUS: Queuing AAA Authentication request 114 for processing
Jun 17 14:15:54.670: TPLUS: processing authentication start request id 114
Jun 17 14:15:54.670: TPLUS: Authentication start packet created for 114()
Jun 17 14:15:54.670: TPLUS: Using server 10.1.7.15
Jun 17 14:15:54.670: TPLUS(00000072)/0/NB_WAIT/45585278: Started 5 sec timeout
Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: socket event 2
Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 24 (0x18)
Jun 17 14:15:54.674: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jun 17 14:15:54.674: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA) data_len:0
Jun 17 14:15:54.674: T+: user:
Jun 17 14:15:54.674: T+: port: tty515
Jun 17 14:15:54.674: T+: rem_addr: 10.1.1.216
Jun 17 14:15:54.674: T+: data:
Jun 17 14:15:54.674: T+: End Packet
Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: Would block while reading
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 28 bytes response
Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
Jun 17 14:15:54.674: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
fixeddemo#
Jun 17 14:15:54.674: T+: msg: Username:
Jun 17 14:15:54.674: T+: data:
Jun 17 14:15:54.678: T+: End Packet
Jun 17 14:15:54.678: TPLUS(00000072)/0/45585278: Processing the reply packet
Jun 17 14:15:54.678: TPLUS: Received authen response status GET_USER (7)
Jun 17 14:15:54.678: AAA SRV(00000072): protocol reply GET_USER for Authentication
Jun 17 14:15:54.678: AAA SRV(00000072): Return Authentication status=GET_USER
fixeddemo#
Jun 17 14:15:58.794: AAA SRV(00000072): process authen req
Jun 17 14:15:58.794: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:15:58.794: TPLUS: Queuing AAA Authentication request 114 for processing
Jun 17 14:15:58.794: TPLUS: processing authentication continue request id 114
Jun 17 14:15:58.794: TPLUS: Authentication continue packet generated for 114
Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
Jun 17 14:15:58.794: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Jun 17 14:15:58.794: T+: session_id 3123693045 (0xBA2FC5F5), dlen 10 (0xA)
Jun 17 14:15:58.794: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
Jun 17 14:15:58.794: T+: User msg:
Jun 17 14:15:58.794: T+: User data:
Jun 17 14:15:58.794: T+: End Packet
Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE: wrote entire 22 bytes request
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 28 bytes response
Jun 17 14:15:58.798: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Jun 17 14:15:58.798: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
fixeddemo#
Jun 17 14:15:58.798: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Jun 17 14:15:58.798: T+: msg: Password:
Jun 17 14:15:58.798: T+: data:
Jun 17 14:15:58.798: T+: End Packet
Jun 17 14:15:58.798: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:15:58.798: TPLUS: Received authen response status GET_PASSWORD (8)
Jun 17 14:15:58.798: AAA SRV(00000072): protocol reply GET_PASSWORD for Authentication
Jun 17 14:15:58.798: AAA SRV(00000072): Return Authentication status=GET_PASSWORD
fixeddemo#
Jun 17 14:16:02.502: AAA SRV(00000072): process authen req
Jun 17 14:16:02.502: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:16:02.502: TPLUS: Queuing AAA Authentication request 114 for processing
Jun 17 14:16:02.502: TPLUS: processing authentication continue request id 114
Jun 17 14:16:02.502: TPLUS: Authentication continue packet generated for 114
Jun 17 14:16:02.502: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
Jun 17 14:16:02.502: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Jun 17 14:16:02.502: T+: session_id 3123693045 (0xBA2FC5F5), dlen 14 (0xE)
Jun 17 14:16:02.502: T+: AUTHEN/CONT msg_len:9 (0x9), data_len:0 (0x0) flags:0x0
Jun 17 14:16:02.502: T+: User msg:
Jun 17 14:16:02.502: T+: User data:
Jun 17 14:16:02.502: T+: End Packet
Jun 17 14:16:02.506: TPLUS(00000072)/0/WRITE: wrote entire 26 bytes request
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 18 bytes response
Jun 17 14:16:02.550: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Jun 17 14:16:02.554: T+: session_id 3123693045 (0xBA2FC5F5), dlen 6 (0x6)
fixeddemo#
Jun 17 14:16:02.554: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
Jun 17 14:16:02.554: T+: msg:
Jun 17 14:16:02.554: T+: data:
Jun 17 14:16:02.554: T+: End Packet
Jun 17 14:16:02.554: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:16:02.554: TPLUS: Received authen response status FAIL (3)
Jun 17 14:16:02.554: AAA SRV(00000072): protocol reply FAIL for Authentication
Jun 17 14:16:02.554: AAA SRV(00000072): Return Authentication status=FAIL
fixeddemo#
[ The output below is for the next Username: prompt I believe]
Jun 17 14:16:04.554: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
Jun 17 14:16:04.554: AAA SRV(00000072): process authen req
Jun 17 14:16:04.554: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:16:04.554: TPLUS: Queuing AAA Authentication request 114 for processing
Jun 17 14:16:04.554: TPLUS: processing authentication start request id 114
Jun 17 14:16:04.554: TPLUS: Authentication start packet created for 114()
Jun 17 14:16:04.554: TPLUS: Using server 10.1.7.15
Jun 17 14:16:04.554: TPLUS(00000072)/0/NB_WAIT/47194394: Started 5 sec timeout
Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: socket event 2
Jun 17 14:16:04.558: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jun 17 14:16:04.558: T+: session_id 2365877689 (0x8D046DB9), dlen 24 (0x18)
Jun 17 14:16:04.558: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jun 17 14:16:04.558: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA) data_len:0
Jun 17 14:16:04.558: T+: user:
Jun 17 14:16:04.558: T+: port: tty515
Jun 17 14:16:04.558: T+: rem_addr: 10.1.1.216
Jun 17 14:16:04.558: T+: data:
Jun 17 14:16:04.558: T+: End Packet
Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: Would block while reading
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 43 bytes data)
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 55 bytes response
Jun 17 14:16:04.562: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jun 17 14:16:04.562: T+: session_id 2365877689 (0x8D046DB9), dlen 43 (0x2B)
Jun 17 14:16:04.562: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
Jun 17 14:16:04.562: T+: msg: 0x0A User Access Verification 0x0A 0x0A Username:
fixeddemo#
Jun 17 14:16:04.562: T+: data:
Jun 17 14:16:04.562: T+: End Packet
Jun 17 14:16:04.562: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:16:04.562: TPLUS: Received authen response status GET_USER (7)
Jun 17 14:16:04.562: AAA SRV(00000072): protocol reply GET_USER for Authentication
Jun 17 14:16:04.562: AAA SRV(00000072): Return Authentication status=GET_USER
fixeddemo# -
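The `T+:` lines in the debug output above print three lines per packet (header, session id, body), which makes the exchange hard to follow by eye. The following Python sketch is an added example, not part of the original post: it folds those lines into one record per packet, maps the wire `status:` value to its RFC 8907 name, and reports how each session ended. Function names are hypothetical. In this log the bracketed number IOS prints after the decoded name, as in `FAIL (3)`, differs from the wire value in `status:2`, so the sketch keys on the wire value.

```python
import re

# RFC 8907 authentication REPLY status values, as printed after "status:".
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                 5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}
REPLY_FLAG_NOECHO = 0x01  # server asks the client not to echo the next input

# T+ packet lines copied from the debug output in the post above.
POSTED_DEBUG = """\
Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 24 (0x18)
Jun 17 14:15:54.674: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
Jun 17 14:15:54.674: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
Jun 17 14:15:58.794: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Jun 17 14:15:58.794: T+: session_id 3123693045 (0xBA2FC5F5), dlen 10 (0xA)
Jun 17 14:15:58.794: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
Jun 17 14:15:58.798: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Jun 17 14:15:58.798: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
Jun 17 14:15:58.798: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Jun 17 14:16:02.502: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Jun 17 14:16:02.502: T+: session_id 3123693045 (0xBA2FC5F5), dlen 14 (0xE)
Jun 17 14:16:02.502: T+: AUTHEN/CONT msg_len:9 (0x9), data_len:0 (0x0) flags:0x0
Jun 17 14:16:02.550: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Jun 17 14:16:02.554: T+: session_id 3123693045 (0xBA2FC5F5), dlen 6 (0x6)
Jun 17 14:16:02.554: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
Jun 17 14:16:04.558: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jun 17 14:16:04.558: T+: session_id 2365877689 (0x8D046DB9), dlen 24 (0x18)
Jun 17 14:16:04.558: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jun 17 14:16:04.562: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jun 17 14:16:04.562: T+: session_id 2365877689 (0x8D046DB9), dlen 43 (0x2B)
Jun 17 14:16:04.562: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
"""

HEADER = re.compile(r"T\+: Version \d+ \(0x[0-9A-Fa-f]+\), type \d+, seq (\d+)")
SESSION = re.compile(r"T\+: session_id \d+ \((0x[0-9A-Fa-f]+)\)")
START = re.compile(r"T\+: type:AUTHEN/START")
REPLY = re.compile(r"T\+: AUTHEN/REPLY status:(\d+) flags:(0x[0-9A-Fa-f]+)")
CONT = re.compile(r"T\+: AUTHEN/CONT msg_len:(\d+)")


def parse_packets(text):
    """Fold the header, session and body lines into one dict per packet."""
    packets, seq, session = [], None, None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            seq, session = int(m.group(1)), None
            continue
        m = SESSION.search(line)
        if m:
            session = m.group(1)
            continue
        pkt = None
        m = REPLY.search(line)
        if m:
            pkt = {"kind": "REPLY",
                   "status": AUTHEN_STATUS.get(int(m.group(1)), "UNKNOWN"),
                   "noecho": bool(int(m.group(2), 16) & REPLY_FLAG_NOECHO)}
        elif START.search(line):
            pkt = {"kind": "START"}
        else:
            m = CONT.search(line)
            if m:
                pkt = {"kind": "CONT", "msg_len": int(m.group(1))}
        if pkt:
            pkt.update(session=session, seq=seq)
            packets.append(pkt)
    return packets


def by_session(packets):
    """Group packets by session id, keeping first-seen order."""
    grouped = {}
    for pkt in packets:
        grouped.setdefault(pkt["session"], []).append(pkt)
    return grouped


def outcome(pkts):
    """Last REPLY status of one session, after sequence sanity checks."""
    for expected, pkt in enumerate(pkts, start=1):
        if pkt["seq"] != expected:
            return "GAP"      # a packet is missing from the captured debug
        if (pkt["kind"] == "REPLY") != (pkt["seq"] % 2 == 0):
            return "BAD_SEQ"  # RFC 8907: client packets odd, server replies even
    replies = [p for p in pkts if p["kind"] == "REPLY"]
    return replies[-1]["status"] if replies else "NO_REPLY"


if __name__ == "__main__":
    for sid, pkts in by_session(parse_packets(POSTED_DEBUG)).items():
        print(sid, [(p["seq"], p["kind"], p.get("status")) for p in pkts], outcome(pkts))
```

For the posted log the first session runs START, GETUSER, CONT, GETPASS, CONT and ends in a FAIL reply from the server, and the second session is the fresh login attempt waiting at GETUSER.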
How to use 2 AAA server for different login purpose
Hello, could you help me?
This is a part of my configuration; I would like to add another TACACS server, which should take care of the telnet at vty 0 4.
The Tacacs server 10.20.30.40 takes care of the virtual access, and I have another Tacacs server who takes care of login on our network equipment.
! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login no_tacacs enable
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
virtual-profile virtual-template 1
virtual-profile aaa
interface Serial2/0:15
description ISDN30
no ip address
encapsulation ppp
no ip route-cache
no keepalive
dialer pool-member 10
isdn switch-type primary-net5
isdn tei-negotiation first-call
isdn caller xxxxxxx
no fair-queue
compress stac
no cdp enable
ppp authentication chap
ppp multilink
interface Virtual-Template1
ip unnumbered FastEthernet1/0
ip nat outside
ppp authentication chap
tacacs-server host 10.20.30.40 key ********
line con 0
exec-timeout 20 0
password ************
login authentication no_tacacs
transport input none
flowcontrol hardware
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 60 0
password *************
login authentication no_tacacs
transport input telnet
transport output telnet
If I just add
aaa authentication login vtymethod group tacacs+ enable
tacacs-server host 10.50.60.70 key ********
line vty 0 4
login authentication vtymethod
My telnet request asks 10.20.30.40 and I get a deny! Could you help to make a secure solution?
Thanks
Jens
I believe that your solution would be to configure a different tacacs server group with the new server in the new group and to use the new group to authenticate for your vty. The config might look something like this:
aaa group server tacacs+ vty_TAC
server 10.50.60.70
aaa authentication login vtymethod group vty_TAC enable
tacacs-server host 10.50.60.70 key ********
I have configured this type of thing and it worked well. When I configured it I explicitly configured (and named) two different TACACS server groups and referenced specific server groups for each authentication method. I am not clear whether it works to keep the default group tacacs+ and use it for your normal authentication or whether you may need to configure a non-default group for it.
Give it a try and let us know what happens.
HTH
Rick -
DCDIAG /test:dns result is pasted here.
C:\Users\administrator.SUD>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = MUM-ADS-01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\MUM-ADS-01
Starting test: Connectivity
......................... MUM-ADS-01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\MUM-ADS-01
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... MUM-ADS-01 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : sud
Running enterprise tests on : sud.in
Starting test: DNS
Test results for domain controllers:
DC: MUM-ADS-01.sud.in
Domain: sud.in
TEST: Basic (Basc)
Warning: The AAAA record for this DC was not found
TEST: Forwarders/Root hints (Forw)
Error: Root hints list has invalid root hint server:
a.root-servers.net. (198.41.0.4)
Error: Root hints list has invalid root hint server:
b.root-servers.net. (128.9.0.107)
Error: Root hints list has invalid root hint server:
c.root-servers.net. (192.33.4.12)
Error: Root hints list has invalid root hint server:
d.root-servers.net. (128.8.10.90)
Error: Root hints list has invalid root hint server:
e.root-servers.net. (192.203.230.10)
Error: Root hints list has invalid root hint server:
f.root-servers.net. (192.5.5.241)
Error: Root hints list has invalid root hint server:
g.root-servers.net. (192.112.36.4)
Error: Root hints list has invalid root hint server:
h.root-servers.net. (128.63.2.53)
Error: Root hints list has invalid root hint server:
i.root-servers.net. (192.36.148.17)
Error: Root hints list has invalid root hint server:
j.root-servers.net. (192.58.128.30)
Error: Root hints list has invalid root hint server:
k.root-servers.net. (193.0.14.129)
Error: Root hints list has invalid root hint server:
l.root-servers.net. (198.32.64.12)
Error: Root hints list has invalid root hint server:
m.root-servers.net. (202.12.27.33)
TEST: Delegations (Del)
Error: DNS server: sud-ad.sud.in. IP:<Unavailable>
[Missing glue A record]
TEST: Records registration (RReg)
Network Adapter
[00000006] Intel(R) PRO/1000 MT Network Connection:
Warning:
Missing AAAA record at DNS server 10.1.6.132:
MUM-ADS-01.sud.in
Warning:
Missing AAAA record at DNS server 10.1.6.132:
gc._msdcs.sud.in
Warning:
Missing AAAA record at DNS server 10.1.6.133:
MUM-ADS-01.sud.in
Warning:
Missing AAAA record at DNS server 10.1.6.133:
gc._msdcs.sud.in
Warning: Record Registrations not found in some network adapters
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
DNS server: 128.9.0.107 (b.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
DNS server: 192.112.36.4 (g.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
DNS server: 192.203.230.10 (e.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
DNS server: 192.33.4.12 (c.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
DNS server: 192.36.148.17 (i.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
DNS server: 192.5.5.241 (f.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
DNS server: 192.58.128.30 (j.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
DNS server: 193.0.14.129 (k.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
DNS server: 198.32.64.12 (l.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
DNS server: 198.41.0.4 (a.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
DNS server: 202.12.27.33 (m.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: sud.in
MUM-ADS-01 PASS WARN FAIL FAIL PASS WARN n/a
......................... sud.in failed test DNS
Hi Meinolf,
Please find the IP Details as well as DNS test results.
C:\Users\Administrator.SCI>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = MDCDCDNS
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: MDC-Powai\MDCDCDNS
Starting test: Connectivity
......................... MDCDCDNS passed test Connectivity
Doing primary tests
Testing server: MDC-Powai\MDCDCDNS
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
ERROR: NO DNS servers for IPV6 stack was found
......................... MDCDCDNS passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : sci
Running enterprise tests on : sci.com
Starting test: DNS
Test results for domain controllers:
DC: MDCDCDNS.sci.com
Domain: sci.com
TEST: Basic (Basc)
Warning: The AAAA record for this DC was not found
TEST: Records registration (RReg)
Network Adapter
[00000009] Microsoft Virtual Network Switch Adapter:
Warning:
Missing AAAA record at DNS server 10.64.7.32:
MDCDCDNS.sci.com
Warning:
Missing AAAA record at DNS server 10.64.7.32:
gc._msdcs.sci.com
Warning:
Missing AAAA record at DNS server 10.64.7.35:
MDCDCDNS.sci.com
Warning:
Missing AAAA record at DNS server 10.64.7.35:
gc._msdcs.sci.com
Warning:
Missing AAAA record at DNS server 10.20.33.72:
MDCDCDNS.sci.com
Warning:
Missing AAAA record at DNS server 10.20.33.72:
gc._msdcs.sci.com
Warning:
Missing AAAA record at DNS server 10.20.33.71:
MDCDCDNS.sci.com
Warning:
Missing AAAA record at DNS server 10.20.33.71:
gc._msdcs.sci.com
Warning: Record Registrations not found in some network adapters
MDCDCDNS PASS WARN PASS PASS PASS WARN n/a
......................... sci.com passed test DNS
C:\Users\Administrator.SCI>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : MDCDCDNS
Primary Dns Suffix . . . . . . . : sci.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sci.com
Ethernet adapter Local Area Connection 7:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : External Internal Virtual Network
Physical Address. . . . . . . . . : 00-14-4F-CA-83-AC
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.64.7.32(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.64.7.1
DNS Servers . . . . . . . . . . . : 10.64.7.32
10.64.7.35
10.20.33.72
10.20.33.71
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Local Area Connection 6:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TEAM : Team #1
Physical Address. . . . . . . . . : 00-14-4F-CA-83-AC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IPv4 Address. . : 169.254.105.163(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{2D5A4A27-298F-48E5-A376-EA886EF1E
42A}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{14FA7CD4-8B69-4C86-A58B-056793B7D
901}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Please check and revert back for any queries..
Thanks...
Deva
Self-trust is the first secret of success.
How to set the Context path to AAA/BBB in Weblogic 5.1?
Hi folks,
I want to deploy a web application and set the servlet context as:
AAA/BBB. Put more simply, my application should be accessible via the
following:
http://localhost:7001/AAA/BBB/main.jsp
where http://localhost:7001/AAA/BBB maps to my document root.
One work around is to set the context to AAA:
weblogic.httpd.webApp.AAA=WebAppLocation
And in the deployment descriptor (web.xml) to register all servlets
with a BBB/ prepended to the desired alias:
<servlet-mapping>
<servlet-name>main</servlet-name>
<url-pattern>BBB/main.jsp</url-pattern>
</servlet-mapping>
But this solution does not work for me. Parts of the application refer
the context root (AAA) and create URLs relative to that. These URLs
will not have the BBB part. Searching for it in the code and replacing
it is not desirable (we do not own the code). Does anyone have any
suggestions?
Thanks in advance,
Musafir
What you have done for changing the context root to "/" is all fine but it is important to know that there is a ROOT.war in the deploy folder of JBoss which by default gets bound to "/" context. You must be getting the error message like "Web mapping already exists for deployment" when you would be starting your JBoss server after changing your context root to "/". So either you can completely remove the ROOT.war from the deploy folder or change the context-root of ROOT.war by updating its web.xml like:
<web-app>
<display-name>Welcome to JBoss</display-name>
<description>
Welcome to JBoss
</description>
<context-param>
<param-name>context-root</param-name>
<param-value>/jboss-root</param-value>
</context-param>
<servlet>
<servlet-name>Status Servlet</servlet-name>
<servlet-class>org.jboss.web.tomcat.service.StatusServlet</servlet-class>
</servlet>
</web-app>
and also update the jboss-web.xml of ROOT.war:
<jboss-web>
<security-domain>java:/jaas/jmx-console</security-domain>
<context-root>/jboss-root</context-root>
</jboss-web>
I hope this serves your purpose.
There can be a workaround also by modifying the index.html of ROOT.war in the deploy folder of your server and redirect request to your web application using meta refresh like:
<meta http-equiv="refresh" content="0;URL='/store'">
Aaa New format configuration on IOS and Nexus-OS based devices?
Dear all,
I have been working on an assignment to get our TACACS servers standardized and to change the old format aaa configs to the new standard before the old format gets deprecated.
I have multiple IOS-based device models such as 2350, 2821, 3650, firewalls, and Nexus-based 3048s, 3064s and 7010s.
However, I have tried the new format on both the IOS-based 2350s and the Nexus-based 3048s, and it gave errors in both cases.
Our plan is to move to the new style of aaa configuration and at least to have one standard format configuration for IOS-based devices and one other standard format for Nexus-based devices.
Our TACACS appliances are crashing on AD authentication on a fairly regular basis, and I was wondering where to find a resource on Cisco.com to see if we are on the latest version. Can you point me to a resource where I can find the latest version so that I will be able to compare it with what we have?
Also, if you have a forum recommendation for me to get help on this and other related stuff, that will be a huge help.
Probably we might need to upgrade our IOS; for example, the new aaa config format below didn't work when I tried it on a 2350 based on the flash:/c2350-lanlite-mz.122-46.EY/c2350-lanlite-mz.122-46 version. Any suggestion here?
I have attached the sample config I have been trying to use. If you have a better configuration suggestion, let me know. Thanks a million for the help!
Abe
With Regards,
Abe
Yes, the focus with ML is certainly on trying to get people who have iOS devices to switch to using Apple computers.
For long-time devotees of OS X like us, there's not much in it. Snow Leopard was still a far more versatile and more widely compatible OS than either 10.7 or 10.8. If you're on 10.6.8. I would think twice about upgrading.
However, I think if you're on 10.7 already, it's worth upgrading to 10.8, simply because ML seems to be more stable and more refined. They have fixed some of the annoying things in Lion (like you can now put Devices back to the top of the Finder sidebar, Resume is turned off by default, 'Save As' has been resurrected, Launchpad actually has a filter bar etc etc.). Some of the apps are better too - some nice new features in Preview for editing and Safari has an all-in-one address/search bar).
More features are advertised and explained here: http://www.apple.com/osx/whats-new/features.html
I've set up the TACACS server with two groups
-FULL admin rights
-READ only rights
Two users have been created
-admin_test
-read_test
The admin_test config works fine on AAA but I keep getting stuck with read_test configs. I can never get to enable mode even though I've defined it on the group policy. Is there something wrong with my aaa statements below?
aaa authentication login default group tacacs+ line enable
aaa authentication enable default group tacacs+ enable line
aaa authorization exec default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Privilege is not scalable in a big environment.
What you need is authorization on the ACS
server. In Cisco Freeware TACACS+ I defined
the following groups: readonly, advanced and
admin:
group = readonly {
default service = deny
cmd = show { deny .* }
cmd = show { permit .* }
cmd = copy { permit .* }
cmd = ping { permit .* }
cmd = enable { permit .* }
cmd = configure { deny .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
cmd = debug { permit .* }
}
group = advanced {
default service = deny
cmd = show { permit .* }
cmd = copy { permit flash }
cmd = copy { permit running }
cmd = ping { permit .* }
cmd = configure { permit .* }
cmd = enable { permit .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
cmd = interface { permit .* }
}
group = admin {
default service = permit
}
As you can see, admin can access everything,
readonly can only read. Advanced can make
limited changes and admin can do everything.
On the Cisco router, I have the following
configuration:
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
I find that by doing it this way, it is much
more scalable than using privilege commands
on the router itself.
David
CCIE Security
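The per-group command authorization described in the reply above, modelled as an added Python example (not code from the post or from the TACACS+ daemon). It assumes first-match-wins inside a cmd block, that "default service" decides commands with no cmd block, and that repeated blocks for one command are read in file order; parse_policy, authorize and shadowed_rules are hypothetical helper names.

```python
import re

# Excerpt of the groups posted above, closing braces added (constructed input).
POLICY = """
group = readonly {
    default service = deny
    cmd = show { deny .* }
    cmd = show { permit .* }
    cmd = ping { permit .* }
    cmd = configure { deny .* }
    cmd = clear { permit line }
}
group = admin {
    default service = permit
}
"""

GROUP_RE = re.compile(r"group\s*=\s*(\S+)\s*\{(.*?)\n\}", re.S)
DEFAULT_RE = re.compile(r"default service\s*=\s*(permit|deny)")
CMD_RE = re.compile(r"cmd\s*=\s*(\S+)\s*\{\s*(permit|deny)\s+(.*?)\s*\}")

def parse_policy(text):
    """Return {group: {"default": action, "cmds": {name: [(action, regex)]}}}."""
    groups = {}
    for name, body in GROUP_RE.findall(text):
        default = DEFAULT_RE.search(body)
        cmds = {}
        for cmd, action, pattern in CMD_RE.findall(body):
            # Assumption: repeated blocks for one command are kept in file order.
            cmds.setdefault(cmd, []).append((action, re.compile(pattern)))
        groups[name] = {"default": default.group(1) if default else "deny",
                        "cmds": cmds}
    return groups

def authorize(groups, group, command_line):
    """Decide one command line for a group; returns "permit" or "deny"."""
    policy = groups[group]
    name, _, args = command_line.strip().partition(" ")
    rules = policy["cmds"].get(name)
    if rules is None:
        return policy["default"]   # no cmd block: the group default decides
    for action, regex in rules:
        if regex.search(args):     # assumption: unanchored, first match wins
            return action
    return "deny"                  # cmd block exists but nothing matched

def shadowed_rules(groups):
    """Report rules that sit behind an earlier catch-all and can never fire."""
    findings = []
    for gname, policy in groups.items():
        for cmd, rules in policy["cmds"].items():
            for i, (action, regex) in enumerate(rules[:-1]):
                if regex.pattern == ".*":
                    later = [(a, r.pattern) for a, r in rules[i + 1:]]
                    findings.append((gname, cmd, action, later))
                    break
    return findings

if __name__ == "__main__":
    groups = parse_policy(POLICY)
    for line in ("show running-config", "ping 10.0.0.1", "clear line 5", "reload"):
        print("readonly", line, "->", authorize(groups, "readonly", line))
    print(shadowed_rules(groups))
```

Under these assumptions the model reports the second show rule of the readonly group as unreachable, so rule order is worth checking on a test device before relying on a group definition.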
How to stop ACS integrated AD users to login in AAA clients (network device)
I have ACS 4.2 Appliance which is integrated with Active Directory.
AD users are able to log in to network devices. Is there any way so that I can stop AD users and other local users from logging in to AAA clients (network devices)?
These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.
What kind of AAA clients are we talking about? Cisco switches, Cisco WLCs? Switching gear from other companies?
For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS or TACACS+, respectively):
aaa group server radius rad_admin
server xxx.xxx.xxx.xxx
aaa group server tacacs+ tac_admin
server xxx.xxx.xxx.xxx
If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).
ISE - AAA radius authentication for NAD access
Hi ,
I have configured the switches to use the ISE as the RADIUS server to authenticate with. On the ISE I've configured an authentication policy
for the "NADs" using the "Wired Devices" group, which points to the AD identity source to authenticate against.
While testing the login access to the switches we've come up with 2 results:
1. A domain user can indeed log in to the switch as intended.
2. Every domain user which exists in the AD identity source can log in; this is an undesired result.
So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU
of the IT_department only.
I haven't been successful; I would appreciate any ideas on how to accomplish this.
Switch configurations :
=================
aaa new-model
aaa authentication login default group radius local
ISE Authentication policy
==================
Policy Name : NADs Authentication
Condition: "DEVICE:Device Type Equals :All Device Types#Wired"
Allowed Protocol : Default Network Access
use identity source : AD1
Thank you for the quick replies, and now OK, I've configured the following authorization policy:
Rule Name : Nad Auth
Conditions
if: Any
AND : AD1:ExternalGroups EQUALS IT_Departments
Permissions , then PermitAccess
What I don't understand is that it needs to match an "identity group", which can be either "Endpoint Identity group" or "Users Identity group". I am limited with the if statement and cannot choose the same device group I chose before.
How can I do that? I am thinking ahead and asking myself whether in other cases a user might match this policy rule and interfere.
Cisco 4503 "1000BaseLH" SFP light is not coming ---- Urgent
Dear Team,
I have Cisco 4503 and I have inserted 1000BaseLH and light is not coming up but for 1000BaseSX its fine.
Please suggest.
CORE#show int GigabitEthernet1/18
GigabitEthernet1/18 is down, line protocol is down (notconnect)
Hardware is Gigabit Ethernet Port, address is 001e.4aa6.b891 (bia 001e.4aa6.b891)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, Auto-speed, link type is auto, media type is 1000BaseLH
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
CORE#show inventory
NAME: "GigabitEthernet1/18", DESCR: "1000BaseLH"
PID: TRF5735AALB202 , VID: A1 , SN: OPA11241478
Thank You,
Abhisar.
Dear Reza,
We connected the cable and it came up. The conclusion is that single-mode SFPs do not show light, whereas a multimode SFP shows light when the SFP is connected on the switch port.
Thank you for your suggestion.
Thank You,
Abhisar.