AD authentication for routed local subnet

Similar Messages

• IPV6 DHCP stateful doesn't insert local subnet in route table

  I am setting up IPV6 on a LAN using satic IPs for Win2008 servers and DHCP stateful mode for Win7 clients.  All static assigned servers can ping each other and if I setup a static on the Win7 clients they can also ping the servers.  However when I assign DHCP stateful mode IP to the clients they lose the ability to ping the servers.  I think that was is going on is that when the Win7 machines get IP via DHCP they do not get a route in the routing table for the local subnet.  I have included IP info for static and DHCP clients in attachments.
  I figure if I could add the fd:0:0:1::/64 subnet to the DHCP client it would work but I haven't been able to find the correct syntax to add an "on-link" router.  Furthermore, this would kind of defeat the purpose of DHCP if I had to manually add routes to clients.
  I have a UC520 that is the default gateway on the LAN and seems to support IPV6.  Maybe this guy can help me out?
  Thanks in advance.

  Alain,
  I disagree about the /128.  If you look at the static host it also has a /128 route pointing to itself.  Also the IPV4 also shows /32 routes pointing to the local IP.  The static host has one additional route not found on the DHCP client which is the /64 route to the local subnet pointing to "on-link". It is not clear how to add an "on-link" route using netsh but my point is that DHCP should provide all info and relying on manually adding routes is not the optimal solution.
  The UC520 does not have any IPV6 on it.  I only mentioned it because usually I use Windows for DHCP but in this case Windows is giving me this weird behaviour.  I would rather get Windows DHCP to solve the problem but if it can't I would use the UC520 as a backup option.
  Thanks for your input.
  Rgds,
  Diego

• Help with configuring AP-1240AG as local authenticator for EAP-FAST client

  Hi,
  I am trying to configure an AP-1240AG as a local authenticator for a Windows XP client with no success. Here is a part of the AP configuration:
  dot11 lab_test
     authentication open eap eap_methods
     authentication network-eap eap_methods
     guest-mode
     infrastructure-ssid
  radius-server local
    eapfast authority id 0102030405060708090A0B0C0D0E0F10
    eapfast authority info lab
    eapfast server-key primary 7 211C7F85F2A6056FB6DC70BE66090DE351
    user georges nthash 7 115C41544E4A535E2072797D096466723124425253707D0901755A5B3A370F7A05
  Here is the Windows XP client configuration:
  Authentication: Open
  Encrpytion WEP
  Disable Cisco ccxV4 improvements
  username: georges
  password: georges
  Results: The show radius local-server statistics does not show any activity for the user georges and the debug messages are showing the following:
  *Mar  4 01:15:58.887: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
  *Mar  4 01:16:28.914: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
  *Mar  4 01:16:56.700: RADIUS/ENCODE(00001F5C):Orig. component type = DOT11
  *Mar  4 01:16:56.701: RADIUS:  AAA Unsupported Attr: ssid              [263] 19
  *Mar  4 01:16:56.701: RADIUS:    [lab_test]
  *Mar  4 01:16:56.701: RADIUS:   65                                               [e]
  *Mar  4 01:16:56.701: RADIUS:  AAA Unsupported Attr: interface         [156] 4
  *Mar  4 01:16:56.701: RADIUS:   38 32                                            [82]
  *Mar  4 01:16:56.701: RADIUS(00001F5C): Storing nasport 8275 in rad_db
  *Mar  4 01:16:56.702: RADIUS(00001F5C): Config NAS IP: 10.5.104.22
  *Mar  4 01:16:56.702: RADIUS/ENCODE(00001F5C): acct_session_id: 8026
  *Mar  4 01:16:56.702: RADIUS(00001F5C): sending
  *Mar  4 01:16:56.702: RADIUS/DECODE: parse response no app start; FAIL
  *Mar  4 01:16:56.702: RADIUS/DECODE: parse response; FAIL
  It seems that the radius packet that the AP receive is not what is expected. Do not know if the problem is with the client or with the AP configuration. Try many things but running out of ideas. Any suggestions would be welcome
  Thanks

  Hi Stephen,
  I do not want to create a workgroup bridge, just want to have the wireless radio bridge with the Ethernet port. I will remove the infrastructure command.
  Thanks for your help
  Stephane
  Here is the complete configuration:
  version 12.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname Lab
  ip subnet-zero
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 lab_test
     authentication open eap eap_methods
     authentication network-eap eap_methods
     guest-mode
     infrastructure-ssid
  power inline negotiation prestandard source
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  ssid lab_test
  traffic-metrics aggregate-report
  speed basic-54.0
  no power client local
  channel 2462
  station-role root
  antenna receive right
  antenna transmit right
  no dot11 extension aironet
  bridge-group 1
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  shutdown
  dfs band 3 block
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
  channel dfs
  station-role root
  no dot11 extension aironet
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  hold-queue 160 in
  interface BVI1
  ip address 10.5.104.22 255.255.255.0
  ip default-gateway 10.5.104.254
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  radius-server local
    eapfast authority id 000102030405060708090A0B0C0D0E0F
    eapfast authority info LAB
    eapfast server-key primary 7 C7AC67E296DF3437EB018F73BE00D822B8
    user georges nthash 7 14424A5A555C72790070616C03445446212202080A75705F513942017A76057007
  control-plane
  bridge 1 route ip
  line con 0
  line vty 0 4
  end

• PBR for a locally configured router IP address

  Hello community !
  I am trying to perform a very specific thing.
  I would like to perform a PBR for a subnet range located remotely. However one of the IP of this subnet is configured locally on the router (interface IP @) !
  I know that PBR takes precedence on a directly connected subnet, but what about if I want to perform PBR redirection for one of the IP directly configured on the router ?
  If you take a look on the network diagram, I can perform PBR and reach the IP 10.10.10.2 and 10.10.10.3, but the PbR does not work for 10.10.10.1 (loal IP @).
  I tried with 'set ip next-hop' and 'set interface' but no luck => The router (C881-K9 - 15.2.4M6a) handles the packet and answers anyway.
  If you have any idea or suggestion feel free to answer !
  Thanks in advance.
  Oliv.

  John, thanks for your inputs.
  Indeed I understand what you say. In fact the reason is simple : An error occured on subnets allocation.
  An already used range (subnets used to address some specific GRE tunnel interfaces on multiple routers [subnet in Orange on the diagram]) has been implemented elsewhere in a DC.
  PBR works well and overrides the routing table for this directly connected subnet except for the locally configured IP @ (and I perfectly understand why the router answers on its IP).
  This is problematic when a station from the LAN wants to communicate with a resource in the DC which is already used (interface detail).
  I understand the simplest solution would be to re-address but it is too much heavy at the time being.
  Any suggestion regarding this local host route overriding would be appricated !
  Thanks !

• "Sharepoint 2013" is giving error that prevents local domain users authentication for "Team Foundation Server"

  I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
  1st Error (from administrative events):
  The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception. More information is included below.
  Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
  Tried so far:-
  - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
  2nd Error (from application server):
  DistributedCOM error
  The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
  {000C101C-0000-0000-C000-000000000046}
   and APPID 
  {000C101C-0000-0000-C000-000000000046}
   to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
  Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
  https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
  Other Fixes I tried
  - Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
  loading up using w3wp.exe from processes. 
  Concern
  - by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

  Hi Kpdn, 
  Thanks for your post.
  All your participation and support are very important to build such harmonious/ pleasant / learning environment for MSDN community.
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Is it possible in IOS to have two static routes for the same subnet, one a higher priority and "failover" between the 2?

  Hi All
  Is it possible in IOS to have for a particular subnet:
  a) Two static routes?
  b) Make one static route a higher priority than the other?
  c) If one static router "goes down", failover to the lower priority static route?
  We have a l2tp/vpdn connection to a supplier which can be accessed via two vlans/routes. I would like to make one route the preferred one but the "route" to failover if the preferred route goes down.
  Again, many thanks in advance for all responses!
  Thanks
  John

  Hi John,
  Hope the below explaination will help you...
  R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2
  R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
  If you notice the Administrative Distance for the secondary route pointing to ISP2 is increased to 10 so that it becomes the backup link.
  The above configuration with just two floating static routes partially accomplishes our requirement as it will work only in the scenario where the routers interfaces connected to the WAN link are in up/down or down/down status. But in a lot of situations we see that even though the links remain up but we are not able to reach the gateway, this usually happens when the issue is at the ISP side.
  In such scenarios, IP SLAs becomes an engineer's best friend. With around six additional IOS commands we can have a more reliable automatic failover environment.
  Using IP SLA the Cisco IOS gets the ability to use Internet Control Message Protocol (ICMP) pings to identify when a WAN link goes down at the remote end and hence allows the initiation of a backup connection from an alternative port. The Reliable Static Routing Backup using Object Tracking feature can ensure reliable backup in the case of several catastrophic events, such as Internet circuit failure or peer device failure.
  IP SLA is configured to ping a target, such as a publicly routable IP address or a target inside the corporate network or your next-hop IP on the ISP's router. The pings are routed from the primary interface only. Following a sample configuration of IP SLA to generate icmp ping targeted at the ISP1s next-hop IP.
  R1(config)# ip sla 1
  R1(config)# icmp-echo 2.2.2.2 source-interface FastEthernet0/0
  R1(config)# timeout 1000
  R1(config)# threshold 2
  R1(config)# frequency 3
  R1(config)# ip sla schedule 1 life forever start-time now
  The above configuration defines and starts an IP SLA probe.
  The ICMP Echo probe sends an ICMP Echo packet to next-hop IP 2.2.2.2 every 3 seconds, as defined by the “frequency” parameter.
  Timeout sets the amount of time (in milliseconds) for which the Cisco IOS IP SLAs operation waits for a response from its request packet.
  Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.
  After defining the IP SLA operation our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:
  R1(config)# track 1 ip sla 1 reachability
  The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP the track will go down and it will come up when the ip sla operation starts receiving ping response.
  To verify the track status use the use the “show track” command as shown below:
  R1# show track
  Track 1
  IP SLA 1 reachability
  Reachability is Down
  1 change, last change 00:03:19
  Latest operation return code: Unknown
  The above output shows that the track status is down. Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by the tracking process. The return code may return OK, OverThreshold, and several other return codes.
  Different operations may have different return-code values, so only values common to all operation types are used. The below table shows the track states as per the IP SLA return code.
  Tracking
  Return Code
  Track State
  Reachability
  OK or over threshold
  (all other return codes)
  Up
  Down
  The Last step in the IP SLA Reliable Static Route configuration is to add the “track” statement to the default routes pointing to the ISP routers as shown below:
  R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
  R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
  The track number keyword and argument combination specifies that the static route will be installed only if the state of the configured track object is up. Hence if the track status is down the secondary route will be used to forward all the traffic.
  Please rate the helpfull posts.
  Regards,
  Naidu.

• I have a WiFi home connection. It works on my laptop but has stopped working on my iPad, which I tried resetting but it didn't help. It recognises the SSID but then asks for IP Address, Subnet Mask, Router etc. Any ideas on what to do?.

  I have a WiFi home connection. It works on my laptop but has stopped working on my iPad, which I tried resetting but it didn't help. It recognises the SSID but then asks for IP Address, Subnet Mask, Router etc. Any ideas on what to do?.

  1. Turn router off for 30 seconds and on again
  2. Settings>General>Reset>Reset Network Settings

• Connecting Outlook 2013 for a local user

  We’re having trouble connecting a users connecting a domain user’s Outlook 2013 to our Exchange 2013 server. The user has a domain user account, and an Exchange mailbox.
  However;
   The user in question uses a PC that is physically connected to the network, but isn’t a domain-joined machine. The user is using a locally-provisioned account on the PC.
  The machine can query internal DNS servers, and has network connectivity through to the Exchange server.
  The user can successfully log in to OWA, where everything functions as normal. The user wishes to use Outlook 2013 for archiving of PST files.
  We are having issues creating a mail profile for the user, whether manually configuring or utilising autodiscover.
  With autodiscover, the user enters her name, email address and password in the initial wizard in Outlook 2013. 2 of the 3 steps succeed, before ‘The action cannot be completed. The name cannot be matched to a name in the address list’ error window is displayed.
  Is this because Exchange is having issues with the account being used to create the profile (the local user account on the PC)?
  Now what’s really odd, is that when using Outlook 2013 away from the network (at home), with any PC, the autodiscover method succeeds. What is causing it to fail internally?
  So, with the autodiscover method out of the window, we turned to manually configuring the profile.
  The local name of the Exchange server is entered for the server name, with the user’s email address for the username.
  In ‘More Settings’, the connection tab is configured to ‘Connect to Microsoft Exchange using HTTP’.
  The URL used to connect the proxy server for Exchange, is the external name used for OWA. This is the same address used when the user is using OWA internally/externally, which works without issue.
  Options ‘Connect using SSL only’, along with ‘Only connect to proxy servers that have this principal name in their certificate’ are selected with
  msstd:<external FQDN name> being entered.
  Basic Authentication is selected for the proxy authentication settings section.
  The user is then prompted for credentials. The following formats have been attempted;
  Domain.local\username
  Email Address
  [email protected]
  The correct password is used, but nothing is accepted.
  How can we get Outlook 2013 configured for this non-domain joined PC?
  Many thanks.

  We’re having trouble connecting a users connecting a domain user’s Outlook 2013 to our Exchange 2013 server. The user has a domain user account, and an Exchange mailbox.
  However;
   The user in question uses a PC that is physically connected to the network, but isn’t a domain-joined machine. The user is using a locally-provisioned account on the PC.
  The machine can query internal DNS servers, and has network connectivity through to the Exchange server.
  The user can successfully log in to OWA, where everything functions as normal. The user wishes to use Outlook 2013 for archiving of PST files.
  We are having issues creating a mail profile for the user, whether manually configuring or utilising autodiscover.
  With autodiscover, the user enters her name, email address and password in the initial wizard in Outlook 2013. 2 of the 3 steps succeed, before ‘The action cannot be completed. The name cannot be matched to a name in the address list’ error window is displayed.
  Is this because Exchange is having issues with the account being used to create the profile (the local user account on the PC)?
  Now what’s really odd, is that when using Outlook 2013 away from the network (at home), with any PC, the autodiscover method succeeds. What is causing it to fail internally?
  So, with the autodiscover method out of the window, we turned to manually configuring the profile.
  The local name of the Exchange server is entered for the server name, with the user’s email address for the username.
  In ‘More Settings’, the connection tab is configured to ‘Connect to Microsoft Exchange using HTTP’.
  The URL used to connect the proxy server for Exchange, is the external name used for OWA. This is the same address used when the user is using OWA internally/externally, which works without issue.
  Options ‘Connect using SSL only’, along with ‘Only connect to proxy servers that have this principal name in their certificate’ are selected with
  msstd:<external FQDN name> being entered.
  Basic Authentication is selected for the proxy authentication settings section.
  The user is then prompted for credentials. The following formats have been attempted;
  Domain.local\username
  Email Address
  [email protected]
  The correct password is used, but nothing is accepted.
  How can we get Outlook 2013 configured for this non-domain joined PC?
  Many thanks.
  The first problem is, if this Exchange 2013 then the server name in Outlook isn't really a server name, it is in actuality the ExchangeGUID of the mailbox.  
  Since you are trying to access the mailbox from a machine that is not on the domain you will need to make sure the externalURLs resolve properly internally.  Meaning either the user can access them by going out to the internet and getting routed back
  in (not ideal) or you configure them to resolve to the internal IPs on your internal DNS servers.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread
  Thank you for your reply.
  As I mentioned, this machine can query internal DNS servers without issue. Autodiscover is working in a fashion, as the name of the mail server is hashed. 
  In an update to the post, I have exported a working profile from the registry of the machine for a domain user, and have imported for a local user. This actually works, but I'd still like to know the reason for not being able to configure it in the first
  instance.

• ASA - cut through proxy authentication for RDP?

  I know how to set this up on a router (dynamic access-list - lock and key)... But, I'm having trouble understanding how to setup OUTSIDE to INSIDE cut through proxy authentication for RDP.
  OUTSIDE to INSIDE RDP is currently working.
  I have 2 servers I want RDP open for..
  [*]OUTSIDE 1.1.1.1 to INSIDE 10.10.70.100
  [*]OUTSIDE 1.1.1.2 to INSIDE 10.10.50.200
  What's required for OUTSIDE users  to authenticate on the ASA before allowing port 3389 opens? I was hoping for is a way to SSH into this ASA, login with a special user, then have the ASA add a dynamic ACE on the OUTSISE interface to open 3389 for a designated time limit. Is this possible?
  Here is my current config.
  [code]
  ASA Version 8.2(5)
  hostname ASA5505
  names
  name 10.10.0.0 LANTraffic
  name 10.10.30.0 SALES
  name 10.10.40.0 FoodServices
  name 10.10.99.0 Management
  name 10.10.20.0 Office
  name 10.10.80.0 Printshop
  name 10.10.60.0 Regional
  name 10.10.70.0 Servers
  name 10.10.50.0 ShoreTel
  name 10.10.100.0 Surveillance
  name 10.10.90.0 Wireless
  interface Ethernet0/0
  description TO INTERNET
  switchport access vlan 11
  interface Ethernet0/1
  description TO INSIDE 3560X
  switchport access vlan 10
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  shutdown
  interface Vlan1
  no nameif
  security-level 50
  no ip address
  interface Vlan10
  description Cisco 3560x
  nameif INSIDE
  security-level 100
  ip address 10.10.1.1 255.255.255.252
  interface Vlan11
  description Internet Interface
  nameif OUTSIDE
  security-level 0
  ip address 1.1.1.1 255.255.255.224
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns domain-lookup OUTSIDE
  dns server-group DefaultDNS
  name-server 8.8.8.8
  name-server 4.2.2.2
  domain-name test.local
  access-list RDP-INBOUND extended permit tcp any host 1.1.1.1 eq 3389
  access-list RDP-INBOUND extended permit tcp any host 1.1.1.2 eq 3389
  pager lines 24
  logging enable
  logging timestamp
  logging trap warnings
  logging device-id hostname
  logging host INSIDE 10.10.70.100
  mtu INSIDE 1500
  mtu OUTSIDE 1500
  ip verify reverse-path interface OUTSIDE
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  no asdm history enable
  arp timeout 14400
  global (OUTSIDE) 1 interface
  nat (INSIDE) 1 LANTraffic 255.255.0.0
  static (INSIDE,OUTSIDE) tcp interface 3389 10.10.70.100 3389 netmask 255.255.255.255
  static (INSIDE,OUTSIDE) tcp 1.1.1.2 3389 10.10.50.200 3389 netmask 255.255.255.255
  access-group RDP-INBOUND in interface OUTSIDE
  route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
  route INSIDE LANTraffic 255.255.0.0 10.10.1.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http Management 255.255.255.0 INSIDE
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet timeout 5
  ssh 10.10.70.100 255.255.255.255 INSIDE
  ssh Management 255.255.255.0 INSIDE
  ssh 0.0.0.0 0.0.0.0 OUTSIDE
  ssh timeout 5
  ssh version 2
  console timeout 0
  threat-detection basic-threat
  threat-detection scanning-threat shun
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  username scott password CNjeKgq88PLZXETE encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:1e9d278ce656f22829809f4c46b04a07
  : end
  [/code]

  You're running ASA 8.2(5). In 8.4(2) Cisco added support for what they call Identity Firewall rules. That is, you can make access-lists entries specific to users (or object groups containing users).
  There's an overview document on this posted here. It's a bit dated but I believe the only change is that Cisco is now preferring use of the more current Context Directory Agent (CDA) - a free VM they provide - vs. the deprecated AD agent (software service that runs on your DC).

• Radius or LDAP (not Oracle LDAP) authentication for GridControl

  I'm running GC 10.2.0.3.0 on Oracle Linux, and I'd like to be able to open up GridControl to other users without setting up accounts/passwords for them. Accounts I can handle, passwords, I don't want to handle.
  I see that if I create a new GC user via enterprise manager, a new database accout is also created in the EMREP database. I've configured our EMREP database to use radius authentication and it works when I connect via sqlplus to the EMREP database. The user is set to authenticate "externally" and os_authent_prefix is set to ''.
  However, after I set up external authentication for a given user, they are no longer able to login to enterprise manager using their radius authenticated password. So something about EM is not capable of radius authentication with the local EMREP database?
  Questions for all:
  Is it possible to authenticate users of enterprise manager GridControl against an external password store? I have at my disposal: radius (works great for several of our databases), ActiveDirectory (without oracle schema extensions), LDAP (active directory), proxying the EM server with another Apache server.
  I do not have a license for OID and the "free use" license for OID does not allow for user management. We cannot we purchase OID for this purpose.
  Our GC environment is Linux so Windows OS authentication against AD isn't going to work and we need to support Firefox/IE/Other browsers on various OS's.
  I've seen hints that "external authentication" is possible with "generic" sources, but nothing concrete. Anyone doing this?

  <QUOTE>All I want now is the capability to perform my own method of LDAP BIND to AD to be used as a security plugin to the database authentication piece</QUOTE>
  Amen.
  Right now, I've got an SR open on the radius authentication issue in GC. It took me a two weeks to convince the Oracle tech that I wasn't talking about getting Oracle to use OS authentication where OS users were authenticated by radius.
  I've put about 40 actual work hours in on this issue, going so far as to deconstruct the EM install .jar files and trying to replace the JDBC drivers.
  At this point I believe that it would be relatively easy for Oracle to add Radius authentication support to Grid control in their next big release (11g).
  Doing so would involve replacing the 10g JDBC thin drivers with 11g JDBC thin drivers. The 10g thin jdbc drivers support advanced security encryption and checksums, but not the radius authentication. The 11g thin drivers DO implement the radius option as well as a full complement of encryption checksum types not supported in 10g. From there it should be a simple matter of the EM java login procedure/bean/servlet/jsp being able to set the thin driver to use the radius code in the jdbc layer.
  The other option, which I haven't yet given up on would be to hack the EM code so that instead of using 10g thin drivers it uses 10g OCI jdbc (thick) drivers. The thick drivers support the radius authentication and encryption/checksum features natively, and the settings are controled by the sqlnet.ora file. I've got java code using those just fine. If only I could hack EM to use them.
  In short, if I had access to the source, I could probably code this up in a week. Very frustrating.
  I thought about trying the OID route, but as I said in my original post, we don't have a license. Even if I got it working, and it sounds like it doesn't really work, I can't justify spending $x00,000 for 10-15 dbas not to have to use dedicated accounts and passwords.
  Normal user login to our 9i and 10g databases we have working with radius (backed by Active Directory). All we do is "create user xxxxxx identified externally;" and the user is good to go.
  In short, I think EM GridControl is awesome. I manage 36 databases with it and I've solved problems in minutes that used to take hours or days. When I show it to some of our oracle "power users" they all want it, but they're all radius authenticated.
  I'll keep the thread updated if I see results from our SR.

• ASA enable authentication for AD user by ACS TACACS fails

  In order to authorize command on ASA8.x for different users, I have to put 'aaa authentication enable console TACACS' into ASA configuration, and in ACS - user setup - TACACS+ enable password - Use separate password, I set an enable password.
  It works fine for ACS local users, they are able to get into priv EXEC mode by entering 'enable' command and use my pre-set password, however, the password doesn't work for AD user.
  So, how to setup enable authorization for AD user?
  Or is there a way to drop a user directly into level 15 on ASA just like it on router?
  below is the debug info.(I'm sure the password is the one I set in ACS)
  LABASA1(config)# AAA API: In aaa_open
  AAA session opened: handle = 884
  AAA API: In aaa_process_async
  aaa_process_async: sending AAA_MSG_PROCESS
  AAA task: aaa_process_msg(d45bd5c8) received message type 0
  AAA FSM: In AAA_StartAAATransaction
  AAA FSM: In AAA_InitTransaction
  Initiating authentication to primary server (Svr Grp: TACACS)
  AAA FSM: In AAA_BindServer
  AAA_BindServer: Using server: 192.168.1.221
  AAA FSM: In AAA_SendMsg
  User: fostco\user1
  Resp:
  callback_aaa_task: status = -1, msg =
  AAA FSM: In aaa_backend_callback
  aaa_backend_callback: Handle = 884, pAcb = d5b193e0
  aaa_backend_callback: Error:
  Incorrect password.
  AAA task: aaa_process_msg(d45bd5c8) received message type 1
  AAA FSM: In AAA_ProcSvrResp
  Back End response:
  Authentication Status: -1 (REJECT)
  AAA FSM: In AAA_NextFunction
  AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
  AAA_NextFunction: authen svr = TACACS, author svr = <none>, user pol = , tunn pol =
  AAA_NextFunction: New i_fsm_state = IFSM_DONE,
  AAA FSM: In AAA_ProcessFinal
  AAA FSM: In AAA_Callback
  user attributes:
  None
  user policy attributes:
  None
  tunnel policy attributes:
  None
  Auth Status = REJECT
  aaai_internal_cb: handle is 884, pAcb is d5b193e0, pAcb->tq.tqh_first is d441d1d8
  AAA API: In aaa_close
  AAA task: aaa_process_msg(d45bd5c8) received message type 3
  In aaai_close_session (884)

  I have run into a similar situation. I just want to authenticate via TACACS to enable mode in an ssh session. After using the "aaa authentication enable console TACACS LOCAL" command on the ASA, the ACS server rejects the password.
  I have tried everything I can think of on the ACS as far as "TACACS+ enable password" using both a windows database or a separate password, and PIX/ASA command sets. I cannot go into enable mode unless I set the ASA to LOCAL authentication, which just uses the globally defined enable password.

• "Team Foundation Server" is preventing authentication for whole team !!

  I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
  1st
  Error (from administrative events):
  The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception.
  More information is included below.
  Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
  Tried so far:-
  - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
  2nd
  Error (from application server):
  DistributedCOM error
  The application-specific permission settings do not grant
  Local Activation permission for the COM Server application with CLSID 
  {000C101C-0000-0000-C000-000000000046}
   and APPID 
  {000C101C-0000-0000-C000-000000000046}
   to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20)
  from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
  Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
  https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
  Other
  Fixes I tried
  - Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
  loading up using w3wp.exe from processes. 
  Concern
  - by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

  Hi Amr,
  For your first error, you can change the "Diagnostic Logging" path, aslo change the path of the usage and health data connection the same with your ULS log location. Check this
  blog for more detils and make sure you follow the instructions. Restart SharePoint tracing service after the operations. You can also check this
  thread for more references. If you still have any other concerns about SharePoint, you can open a new thread in SharePoint forum for a better response.
  About the second error, seems it's not related to TFS. You can also run TFS best practice analyzer to check if there any configuation issues on your application tier server. However, you can also refer to this
  blog
  to get this issue resolved. If the problem persists, you can elaborate more details about your scenario and the reproduce steps or open a new thread related forum.
  Best regards,

• Open Authentication for Wireless Access

  Hello,
  The standalone implementation of an existing wireless network is configured as Open Authentication with a TKIP Cipher. The client key management is set to WPA PSK.
  What exacly is the authentication for? I see that MAC and EAP are available options. Would these options be used to block or authorize the actual wireless devices that connect to the AP?
  The next thing I see is Client Authenticated Key management and I am using WPA PSK. What exactly happens once I enter thsi PSK from the client? Is it only used to encrypt the data?
  Thanks,
  Kevin

  Hi Kevin,
  Using WPA we can configure  either Enterprise or pre shared key.. Enterprise comprises of EAP and pre shared key is just the PSK..
  if we are using EAP then auth will be done by the RADIUS and the encryotion will still be TKIP.. now coming back to PSK, this is shared key which will authenticate the users locally...
  EAP is more secured auth compared to PSK..
  Now regarding the "auth open" line.. see there are 2 kinds of auth in 802.11.. here while using wireless we need to auth twice, dot11 authentication and followed by the psk or EAP auth.. the auth open statement will force us to get the dot11 auth successful and then we move towards needed auth like PSK or EAP.. and another is Shared auth is very similar to WEP using open auth!!
  in the nut shel we have 3 kinds of auth..
  1> open - Dot11 auth
  2> Shared - Nothing but WEP
  3> 802.1X suite - EAP
  again, the below link may give you some insights as well!!
  http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035025
  Lemme know if this answered ur question and please dont forget to rate the usefull posts!!
  Regards
  Surendra

• Sharing sites in home folder beyond 'local subnet'

  Essentially I would like to make my computer a web server. But, I can't get past the local subnet option in the Sharing Preferences.
  How do I set up my web sharing preferences so sites in my home sites folder be visible by anyone?
  933 MHZ Quicksilver   Mac OS X (10.4.5)
  933 MHZ Quicksilver   Mac OS X (10.4.2)  

  Hey Michael.
  this CAN be done, but I'd need more info before I can help you.
  Generally speaking, when you connect to the internet(either dial up or modem) you computer as an IP address. If you use dial up, that IP address most likely changes everytime you dial in. If you have DSL or Cable, your IP address may change every few days or so. Just be aware that your IP address is the location of your computer on the internet.
  But basically speaking, if you don't have a router, and you know your IP address, then they correct URL is this:
  http://xxx.xxx.xxx.xxx/~username/ where xxx.xxx.xxx.xxx is the IP address of your computer, and ~username is obviously your user name(be sure to include the "~", or it won't work.
  This will allow access to your Sites folder in your home folder.
  Now a list of exceptions:
  1. your computer must be connected directly to the internet.. no router
  2. your ISP doesn't block Port 80, which is the port web services are hosted on. (most home ISP's DO block port 80, to cut down on the upstream data flow)
  There are ways around both of those exceptions... but you'd need to tell me more about how your computer is connected to the internet before I can tell you exactly how to get it to work.
  Now as to the subnet, that shouldn't make any difference. Generally speaking you won't be able to enter the URL isted above on the computer that is hosting your web site and have it appear.
  Quad 2.5   Mac OS X (10.4.3)  

• Radius authentication for the browser-based webtop

  Hiya all,
  With help of the radius-authentication module for apache (http://www.freeradius.org/mod_auth_radius/) and web-authentication it is possible to use radius-authentication for the classic-webtop. Has anyone got Radius authentication working for the browser-basedwebtop?
  SSGD version:
  Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
  Architecture code: i3so0510
  This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
  I have the radius-module running for authentication of a single directory with the apache-config-lines:
  SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
  <LocationMatch "/secure">
  Order Allow,Deny
  Allow from env=sgd_noauth_ok
  AuthName "Radius authentication for SGD"
  Authtype Basic
  AuthRadiusAuthoritative on
  AuthRadiusCookieValid 540
  AuthRadiusActive On
  Require valid-user
  Satisfy any
  </LocationMatch>
  When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd"> the browser asks for a authentication and then a 'Not Found' page is being displayed.
  When using the config-lines from http://docs.sun.com/source/819-6255/webauth_config_browser.html the login-page is being displayed normally and SSGD works.
  The main difference I can find between the location /secure and /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
  Changing the JkLogLevel to debug gives the following info in the JkLogFile:
  Radius authentication:
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
  With the password-authentication file:
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
  It seems that the JkMount is not being evaluated correctly after using the radius-authentication.
  Any help will be usefull since I am allready stuck on this problem for a couple of days :(
  Thanks,
  Remold | Everett

  I got response from the Fat Bloke on the mailing list.
  Adding the following line in the apache httpd.conf seams to help and resolved my problem:
  Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
  Thanks The Fat Bloke !!
  - Remold
  These instructions are for a 4.2 SGD installation using SGD's third
  party web authentication with mod_auth_radius.so (www.freeradius.org).
  With 4.2 Sun didn't distribute enough of the Apache configured tree
  to enable the use of axps to build the mod_auth_radius module, 4.3 is
  better - Sun now install a modified axps and include files, I haven't
  tried this with 4.3 yet though.
  I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2)
  So, this is how we got this working with Radius (tested with SBR
  server and freeradius.org server.)
  Install SGD in the usual way.
  Enable 3rd party authentication:
  According to:
  http://docs.sun.com/source/819-4309-10/en-us/base/standard/
  webauth_config_browser.html
  Configure the Tomcat component of the Secure Global Desktop Web
  Server to
  trust the web server authentication. On each array member, edit the
  /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the
  following attribute to the connector element (<Connector>) for the
  Coyote/JK2 AJP 1.3 Connector:
  tomcatAuthentication="false"
  # cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/
  conf/server.xml
  <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" minProcessors="5" maxProcessors="75"
  tomcatAuthentication="false"
  enableLookups="true" redirectPort="8443"
  acceptCount="10" debug="0" connectionTimeout="0"
  useURIValidationHack="false"
  protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
  "By default, for security reasons, Secure Global Desktop
  Administrators can't
  log in to the browser-based webtop with web server authentication.
  The standard
  login page always displays for these users even if they have been
  authenticated
  by the web server. To change this behavior, run the following command:"
  # tarantella config edit --tarantella-config-login-thirdparty-
  allowadmins 1
  Without this, after authenticating via webauth, the user will be
  prompted for a
  second username and password combination.
  # /opt/tarantella/bin/tarantella objectmanager &
  # /opt/tarantella/bin/tarantella arraymanager &
  In Array Manager:
  Select "Secure Global Desktop Login" on left side and click
  "Properites" at bottom
  Under "Secure Global Desktop Login Properties"
  cd /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
  edit httpd.conf:
  ### For SGD Apache based authentication
  Include conf/httpd4radius.conf
  at the end of httpd.conf add:
  Alias /sgd "/opt/tarantella/webserver/tomcat/
  5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
  # cat httpd4radius.conf
  LoadModule radius_auth_module libexec/mod_auth_radius.so
  AddModule mod_auth_radius.c
  # Add to the BOTTOM of httpd.conf
  # If we're using mod_auth_radius, then add it's specific
  # configuration options.
  <IfModule mod_auth_radius.c>
  # AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
  # Use localhost, the old RADIUS port, secret 'testing123',
  # time out after 5 seconds, and retry 3 times.
  AddRadiusAuth radiusserver:1812 testing123 5:3
  # AuthRadiusBindAddress <hostname/ip-address>
  # Bind client (local) socket to this local IP address.
  # The server will then see RADIUS client requests will come from
  # the given IP address.
  # By default, the module does not bind to any particular address,
  # and the operating system chooses the address to use.
  # AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
  # the special value of 0 (zero) means the cookie is valid forever.
  AddRadiusCookieValid 5
  </IfModule>
  <LocationMatch /radius >
  Order Allow,Deny
  AuthType Basic
  AuthName "RADIUS Authentication"
  AuthAuthoritative off
  AuthRadiusAuthoritative on
  AuthRadiusCookieValid 5
  AuthRadiusActive On
  Require valid-user
  Satisfy any
  </LocationMatch>
  SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
  <LocationMatch /sgd >
  Order Allow,Deny
  Allow from env=sgd_noauth_ok
  AuthType Basic
  AuthName "RADIUS Authentication"
  AuthAuthoritative off
  AuthRadiusAuthoritative on
  AuthRadiusCookieValid 5
  AuthRadiusActive On
  Require valid-user
  Satisfy any
  </LocationMatch>
  Put appropriate mod_auth_radius.so into
  /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
  # mkdir /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
  # cat /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
  <HTML>
  <HEAD>
  <TITLE> Test Page for RADIUS authentication </TITLE>
  </HEAD>
  <BODY>
  <B> You have reached the test page for RADIUS authentication.
  </BODY>
  </HTML>
  I hope this helps!
  -FB