Authentication Configuration Help

All,
Can anyone help me configure user authentication for my WAP? I have an Aironet 1242 and all the documentation I come across is showing me how to configure it for administration purposes. I have a RADIUS server up and running but I can't get the config right to have users authenticate to it when they access the WAP.
Below is my config.
version 12.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname 4TH_FLOOR_CONF
enable secret xxx
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
ip domain name sba.gov
ip dhcp excluded-address 165.110.30.1 165.110.30.229
ip dhcp excluded-address 165.110.30.240 165.110.30.254
ip dhcp pool atlantis
network 105.120.35.0 255.255.255.0
ip dhcp-server 105.120.35.252
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 ssid airbender
dot11 ssid avatar
authentication open
guest-mode
power inline negotiation prestandard source
username Cisco password xxx
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
ssid airbender
ssid avatar
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
ssid avatar
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface BVI1
ip address 105.120.35.219 255.255.255.0
no ip route-cache
ip default-gateway 105.120.35.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
nas 105.120.35.12 key xxx
radius-server attribute 32 include-in-access-req format %h
radius-server host 165.110.30.215 auth-port 1812 acct-port 1646 key xxx
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
line vty 0 4
sntp server 105.120.35.253
end

You are missing half of the config for security:
you still need to set up the SSID
read here:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
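
An added example, not part of the original thread: a small Python check that reads an autonomous-AP running config and reports SSIDs that never hand clients to an EAP method list, plus login method lists that point at a RADIUS group with no server. Both sample configs are constructed from the names in the post above; the `server`, `authentication open eap` and `authentication network-eap` lines in the corrected sample are assumed from standard Aironet IOS syntax, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the posted config, indented as `show run` prints it.
POSTED = """\
aaa new-model
aaa group server radius rad_eap
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid airbender
!
dot11 ssid avatar
   authentication open
   guest-mode
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip
 ssid airbender
 ssid avatar
!
radius-server host 165.110.30.215 auth-port 1812 acct-port 1646 key xxx
"""

# Constructed corrected variant (an assumption, not taken from the thread):
# the group lists its server and the SSID is bound to the EAP method list.
CORRECTED = """\
aaa new-model
aaa group server radius rad_eap
 server 165.110.30.215 auth-port 1812 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid avatar
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   guest-mode
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip
 ssid avatar
!
radius-server host 165.110.30.215 auth-port 1812 acct-port 1646 key xxx
"""


def parse_sections(text):
    """Group an indented running config into {top-level line: [child lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                      # '!' closes the open section
        elif raw[0].isspace():
            if current is not None:
                sections[current].append(line)  # indented line belongs to the section
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def audit(text):
    """Return sorted (subject, issue) findings for the 802.1X/EAP wiring."""
    sections = parse_sections(text)
    groups, method_lists, findings = {}, {}, []
    for header, children in sections.items():
        m = re.match(r"aaa group server radius (\S+)$", header)
        if m:
            groups[m.group(1)] = [c for c in children if c.startswith("server ")]
        m = re.match(r"aaa authentication login (\S+) (.+)$", header)
        if m:
            words = m.group(2).split()
            method_lists[m.group(1)] = [
                words[i + 1] for i, w in enumerate(words[:-1]) if w == "group"
            ]
    # A method list that names a group with no server can never reach RADIUS.
    for name, used in method_lists.items():
        for grp in used:
            if not groups.get(grp):
                findings.append((name, "empty-group:" + grp))
    for header, children in sections.items():
        m = re.match(r"dot11 ssid (\S+)$", header)
        if not m:
            continue
        ssid = m.group(1)
        auth = [c for c in children if c.startswith("authentication ")]
        eap_lists = [
            name for c in auth
            for name in re.findall(r"^authentication (?:open eap|network-eap) (\S+)", c)
        ]
        if not auth:
            findings.append((ssid, "no-authentication"))
        elif not eap_lists:
            findings.append((ssid, "open-only"))  # clients are admitted without RADIUS
        for lst in eap_lists:
            if lst not in method_lists:
                findings.append((ssid, "undefined-list:" + lst))
    return sorted(set(findings))


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, audit(cfg))
```

The parser relies on the indentation that `show running-config` prints, so a config pasted with its indentation stripped has to be re-indented before it is checked.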

Similar Messages

  • SOAP Web Service Authentication configuration

    Hello,
    I've got a little problem with Web Service authentication configuration.
    I'm working on SAP NetWeaver CE EHP1 7.11. I also have an XMII application deployed on the server, and there are some SOAP Web Services (over XMII Transactions) that require basic authentication.
    I use all Web Services in the EJB layer. So, I've generated a proxy using SAP NetWeaver as the Web Service Runtime for generation, and I use an injection mechanism to get a service implementation:
    @WebServiceRef(name="GetBatchListService")
    private XacuteWS batchListWS;
    In this case I could use Single Service Administration application in the NetWeaver Administrator@SOA Management@Application and Scenario Communication to configure basic authentication for EVERY Web Service. And this configuration disappears after every redeploy.
    The question is how and where could I configure authentication for all web services?
    I've read a lot of documentation, but, unfortunately, I haven't found the one I need. I can see 2 directions to search in now; it might help:
    1) Destination: Configure HTTP Destination or Web Service Template Destination and use it in all Web Services proxies somehow.
    2) Find Configuration way: Create a configuration group or anything else to configure all services from one screen.
    Best Regards,
    Dmitry

    Dmitry,
    If your WSDL URL is pointing to the URL of the Adapter Engine as shown in the How to Use the SOAP Adapter guide, there is no option. You cannot add it to the SOAP URL.
    But if you change the SOAP URL to the URL shown in this blog by Stefan Grube, then you can add the user ID and password to the URL by adding sap-user=userid and sap-password=password.
    The option shown in the blog by Grube can be used as long as you do not have to use SOAP attachments, and in this case you would not need both a sender SOAP adapter and a sender agreement.
    /people/stefan.grube/blog/2006/09/21/using-the-soap-inbound-channel-of-the-integration-engine
    Regards
    Bhavesh

  • Open LDAP Authenticator Configuration on WLSSP5

    I have problems in the open LDAP authenticator configuration on Weblogic Server with Service Pack 5. I have users on OpenLDAP Server that do not belong to any group. My LDIF file contents are as given below.
    dn: dc=my-domain,dc=com
    dc: my-domain
    objectClass: dcObject
    objectClass: organization
    o: MYABC, Inc
    dn: cn=Manager, dc=my-domain,dc=com
    userPassword:: c2VjcmV0
    objectClass: person
    sn: Manager
    cn: Manager
    dn: cn=myabcsystem, dc=my-domain,dc=com
    userPassword:: dmVuZGF2b3N5c3RlbQ==
    objectClass: person
    sn: myabcsystem
    cn: myabcsystem
    dn: cn=Philippe, dc=my-domain,dc=com
    userPassword:: UGhpbGlwcGU=
    objectClass: person
    sn: Philippe
    cn: Philippe
    dn: cn=mlrick, dc=my-domain,dc=com
    userPassword:: bWxyaWNr
    objectClass: person
    sn: mlrick
    cn: mlrick
    All these users appear in the Users tab after configuration on the console only if the LDAP server is up. When I select the Groups tab, I get errors indicating BAD SEARCH Filter.
    In spite of my not having any groups in the LDAP, as indicated in the LDIF contents.
    When I try to log in to the application with this LDAP configuration, I do not get any errors. LDAP authentication is not happening with just the LDAP authenticator in place. Even if I stop the LDAP server, I do not get any exceptions while trying to log in. The config params for OpenLDAP are as given below.
    <weblogic.security.providers.authentication.OpenLDAPAuthenticator
    AllGroupsFilter="objectclass=*"
    Credential="{3DES}rGCpYmhaIorI99BjZ2u6Fg=="
    GroupBaseDN="dc=my-domain,dc=com"
    GroupFromNameFilter="(cn=%u)"
    Name="Security:Name=MYABCAuthenticationOpenLDAPAuthenticator"
    Principal="cn=myabcsystem,dc=my-domain,dc=com"
    Realm="Security:Name=MYABCAuthentication"
    StaticGroupDNsfromMemberDNFilter=""
    StaticGroupNameAttribute="" StaticGroupObjectClass=""
    StaticMemberDNAttribute="" UserBaseDN="dc=my-domain, dc=com"/>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP ATN LoginModule initialized>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login username: bob>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <authenticate user:bob>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getDNForUser search("ou=people,ou=MYABCAuthentication,dc=myabc", "(&(uid=bob)(objectclass=person))", base DN & below)>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
    CAN ANYONE HELP ME IDENTIFY WHAT IS THE ISSUE. Why is the authentication not happening?

    Hi Amol,
    I've seen this happen at least two times in 11.1.1.1 installs. You can safely restart and then add the service back again. Suggest you reboot after you re-add the service back or cycle all the Hyperion services.
    I was not aware you could install the service with that command.
    I used the below command instead:
    sc create OpenLDAP-slapd start= auto binPath= "D:\Hyperion\...\slapd.exe service" DisplayName= "Hyperion Shared Services OpenLAP"
    Regards,
    -John

  • 1941W configuration help needed

    Our Deployment Scenario:-
    1941W Gigabit Ethernet 0/0 is connected to the PPPoE connection of the ISP.
    Gigabit Ethernet 0/1 is connected to the wired LAN.
    I have created 2 wireless radios: Cisco_Kamran_BGN, which is operating for 2.4 GHz devices, and Cisco_Kamran_A, which is operating for 5 GHz devices.
    I have created 2 VLANs for the wireless.
    Vlan 10 for Cisco_Kamran_A        192.168.10.x
    Vlan 11 for Cisco_Kamran_BGN      192.168.11.x
    The problem is that the wireless users are not getting an IP address from the respective DHCP server which has been configured on the router.
    Can anyone from the community please help me and show me where I am missing the configuration?
    Please find my router  & ap configuration below.
    Router Configuration
    Router#
    sh run
    Building configuration...
    Current configuration : 3022 bytes
    ! No configuration change since last restart
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$TdQt$npYeaf/W0kRElcfMggzJ31
    no aaa new-model
    service-module wlan-ap 0 bootimage autonomous
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 192.168.1.1 192.168.1.50
    ip dhcp excluded-address 192.168.10.1 192.168.10.10
    ip dhcp excluded-address 192.168.11.1 192.168.11.10
    ip dhcp pool DHCP
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 195.229.241.222 213.42.20.20
    ip dhcp pool Cisco_Kamran_A
    network 192.168.11.0 255.255.255.0
    default-router 192.168.11.1
    dns-server 195.229.241.222 213.42.20.20
    ip dhcp pool Cisco_Kamran_BGN
    network 192.168.10.0 255.255.255.0
    default-router 192.168.10.1
    dns-server 195.225.241.222 213.42.20.20
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    license udi pid CISCO1941W-E/K9 sn FCZ1553C1VK
    hw-module ism 0
    redundancy
    bridge irb
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered GigabitEthernet0/0
    arp timeout 0
    no mop enabled
    no mop sysid
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface Wlan-GigabitEthernet0/0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    no ip address
    interface Vlan1
    no ip address
    interface Vlan10
    ip address 192.168.10.1 255.255.255.0
    ip access-group DSL_ACCESSLIST in
    ip nat inside
    ip virtual-reassembly in
    interface Vlan11
    ip address 192.168.11.1 255.255.255.0
    ip access-group DSL_ACCESSLIST in
    ip nat inside
    ip virtual-reassembly in
    interface Dialer1
    ip address negotiated
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    ppp authentication pap callin
    ppp pap sent-username xxxxxx password 0 xxxxxx
    ppp ipcp route default
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
    ip access-list extended DSL_ACCESSLIST
    permit ip 192.168.0.0 0.0.255.255 any
    control-plane
    line con 0
    password xxxxxx
    login
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line 67
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    line vty 0 4
    password xxxxxx
    login
    transport input all
    scheduler allocate 20000 1000
    end
    Router#
    Router#
    Router#
    Access Point Configuration
    ap#
    ap#
    ap#
    sh run
    Building configuration...
    Current configuration : 2603 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    enable secret 5 $1$JxdQ$a2/00bWJuhUKP9QLC94YD/
    no aaa new-model
    dot11 syslog
    dot11 ssid Cisco_Kamran_A
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 1045081417161C5A555C7A7B
    dot11 ssid Cisco_Kamran_BGN
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 020D05561907017015165949
    username Cisco password 7 14341B180F0B
    bridge irb
    interface Dot11Radio0
    description 802.11bgn radio
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    broadcast-key change 3600
    ssid Cisco_Kamran_BGN
    antenna gain 0
    station-role root
    bridge-group 11
    bridge-group 11 subscriber-loop-control
    bridge-group 11 block-unknown-source
    no bridge-group 11 source-learning
    no bridge-group 11 unicast-flooding
    bridge-group 11 spanning-disabled
    interface Dot11Radio1
    description 802.11a radio
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid Cisco_Kamran_A
    antenna gain 0
    no dfs band block
    channel dfs
    station-role root
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface GigabitEthernet0
    description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
    no ip address
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0.10
    description 802.11a bridge
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface GigabitEthernet0.11
    description 802.11bgn bridge
    encapsulation dot1Q 11
    no ip route-cache
    bridge-group 11
    bridge-group 11 subscriber-loop-control
    bridge-group 11 block-unknown-source
    no bridge-group 11 source-learning
    no bridge-group 11 unicast-flooding
    bridge-group 11 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    no activation-character
    line vty 0 4
    login local
    end
    ap#
    ap#
    ap#

    Hi Stephen,
    I did the configuration as per your advice, but I am getting the below-mentioned error, which I have highlighted in red. Please advise what needs to be done.
    Re: 1941W configuration help needed
    created by Stephen Rodriguez in Getting Started with Wireless
    conf t
    interface Dot11Radio0
    no ssid Cisco_Kamran_BGN
    no encryption mode ciphers aes-ccm
    exit
    interface Dot11Radio1
    no encryption mode ciphers aes-ccm
    no ssid Cisco_Kamran_A
    exit
    dot11 ssid Cisco_Kamran_A
    vlan 10
    dot11 ssid Cisco_Kamran_BGN
    vlan 11
    exit
    interface Dot11Radio0
    encryption vlan 11 mode ciphers aes
    ssid Cisco_Kamran_BGN
    exit
    interface dot11radio0.1
    encapsulation dot1q 1 native
    bridge-group 1
    interface dot11radio 0.11
    encapsulation dot1q 11
    bridge-group 11
    Configuration of subinterfaces and main interface
    within the same bridge group is not permitted
    exit
    interface Dot11Radio1
    encryption vlan 10 mode ciphers aes-ccm
    ssid Cisco_Kamran_A
    interface dot11radio1.1
    encapsulation dot1q 1 native
    bridge-group 1
    interface dot11radio1.10
    encapsulation dot1q 10
    bridge-group 10
    Configuration of subinterfaces and main interface
    within the same bridge group is not permitted
    end
    wr

  • ACS Server: External Authentication configuration error

    Hi ALL
    I have installed the ACS server and configured it properly, and it works fine.
    But whenever I restart the machine, the following error message appears on the external database configuration wizard.
    External Authentication Configuration Error
    ACS has encountered a problem while attempting to process your request. This could be due to one of the following:
    An incorrect installation or configuration of the third-party DLLs required to support this External Database
    A corrupt ACS configuration
    So after I found this error, I just restart all the seven services and everything works fine.
    I always encounter the same error message after restarting the machine each time.
    Can anybody recommend a solution or help me resolve the issue?
    Thanks

    Hi,
    Please try the following workaround.
    1. Go to Start > Programs > Administrative Tools > Services.
    2. Stop the following services in the following order.
    CSAuth
    CSDbSync
    CSLog
    CSMon
    CSRadius
    CSTacacs
    CSAdmin
    3. After stopping the following services, start them all again in the following order.
    CSAdmin
    CSAuth
    CSDbSync
    CSLog
    CSMon
    CSRadius
    CSTacacs
    Please let me know if this was able to help.
    If the above doesn't help, please reinstall the ACS as the dll files that are being used
    by the ACS have been corrupted, before uninstalling and reinstalling, do take a
    backup of ACS server database from System Configuration > ACS backup > Backup Now.
    Also make sure that the ACS is installed on the default drive.
    tnx
    somishra

  • Cisco 3650 Converged LAN/WLAN Design: Radius Authentication configuration example needed

    Hello Cisco-Experts,
    one of our customers would like to deploy Cisco3650-switches with integrated WLC-functionality.
    The platform is new to me and I have started to configure some basic settings.
    Unfortunately I cannot find information on how to implement 802.1x Radius authentication.
    Do you know where I can find detailed information or an example of how to implement this?
    Thank You
    Wini

    Hello Rasika,
    thank you very much for the link to your 802.1x authentication configuration
    on the similar 3850 platform.
    Very useful stuff.
    Is it possible to set up the RADIUS server function on the switch itself?
    I'm asking because I would like to test the setup in our office before rollout to customer.
    Kind regards
    Wini

  • Need configuration help on producing dial tone

    Hello Experts,
    I have a Cisco 2921 router with a VWIC3-2MFT-T1/E1 card. On this card we have a T1-CAS digital line connected. We have been provided with a set of DID numbers. We have a requirement where, when we dial a DID, the router should provide a dial tone and should allow the user to dial extension numbers. Not sure if this is feasible. If at all possible, I will need some configuration help.
    Thanks
    Arabinda

    Sure it's possible. What's the T1 connected to? The router will offer two-stage dialing (aka dial tone) when the incoming POTS dial-peer does not have the 'direct-inward-dial' command on it. The router will accept any input and search for an outbound dial-peer (or ephone-dn for locally registered DNs) to match. Be careful if the T1 is connected to the PSTN as this is a toll fraud risk. You need to use CoR to rein in what outbound dial-peers are available to it.
    Dial Peer Basics:
    http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a008010ae1c.shtml
    Class of Restrictions:
    http://www.cisco.com/en/US/tech/tk652/tk90/technologies_configuration_example09186a008019d649.shtml
    Please remember to rate helpful responses and identify helpful or correct answers.
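
An added example, not part of the original answer: a Python model of the Class of Restrictions check described above, showing which outbound dial-peers a two-stage caller on the inbound T1 dial-peer can reach with and without corlists. The dial-peer tags, patterns, corlist names and dialed numbers are constructed; the rule modelled is Cisco's documented one (a call is allowed when either side has no corlist, otherwise the incoming corlist must contain every member of the outgoing corlist), and only the `.` and trailing `T` parts of destination-pattern syntax are handled.

```python
import re


def pattern_to_regex(destination_pattern):
    """Translate a subset of IOS destination-pattern syntax.

    '.' matches one digit; a trailing 'T' matches any further digits.
    """
    variable = destination_pattern.endswith("T")
    body = destination_pattern[:-1] if variable else destination_pattern
    rx = "".join("[0-9]" if ch == "." else re.escape(ch) for ch in body)
    return re.compile("^" + rx + ("[0-9]*" if variable else "") + "$")


def cor_permits(incoming_corlist, outgoing_corlist):
    """COR rule: no corlist on either side means no restriction at all."""
    if incoming_corlist is None or outgoing_corlist is None:
        return True
    return set(outgoing_corlist) <= set(incoming_corlist)


def callable_peers(dialed, incoming_corlist, outbound_peers):
    """Tags of outbound dial-peers that match the digits and pass the COR check."""
    return [
        peer["tag"]
        for peer in outbound_peers
        if pattern_to_regex(peer["pattern"]).match(dialed)
        and cor_permits(incoming_corlist, peer["corlist"])
    ]


# Constructed outbound dial-peers: 100 = internal extensions, 900 = PSTN access.
OPEN_PEERS = [
    {"tag": 100, "pattern": "2...", "corlist": None},
    {"tag": 900, "pattern": "9T", "corlist": None},
]
COR_PEERS = [
    {"tag": 100, "pattern": "2...", "corlist": ["internal"]},
    {"tag": 900, "pattern": "9T", "corlist": ["pstn"]},
]

if __name__ == "__main__":
    extension, outside = "2001", "95550100"  # constructed dialed digits
    # No COR anywhere: the second-stage caller reaches the PSTN peer.
    print(callable_peers(outside, None, OPEN_PEERS))
    # Inbound corlist alone is not enough: peers without a corlist stay reachable.
    print(callable_peers(outside, ["internal"], OPEN_PEERS))
    # Corlists on both sides: extensions work, PSTN access is refused.
    print(callable_peers(extension, ["internal"], COR_PEERS))
    print(callable_peers(outside, ["internal"], COR_PEERS))
```

The middle case is the one to check in a real config: an incoming corlist restricts nothing until the outbound PSTN dial-peers carry an outgoing corlist of their own.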

  • Multiple ethernet network adaptors + MySQL/php5: configuration help needed

    I would be grateful if someone could give me some advice on how to configure multiple ethernet adapters under OS X 10.5.6
    I have set up my system to work nicely with two ethernet network adapters, each with its own fixed IP. This bit works just fine. The machine supports two separate servers - a mail server and the OS X Apache2 server. I have configured the mail server to only listen to one of the IPs, and the Apache2 server to listen to the other (via httpd.conf). The system also has MySQL and php5 installed / enabled, and these services are only used by the Apache2 server.
    The problem I have is that when I start the machine, initially the php5 system cannot connect reliably to the MySQL database system. The fix I have found is to temporarily make the ethernet adapter connected to the mail server 'inactive'. While this is so, the php5/MySQL connection to Apache2 works. Curiously, once an initial connection between php5 and MySQL has been made, subsequently I can make the mail server's ethernet adapter active again without further problems.
    I initially thought this might be due to 'service order' issues - but changing the service order (e.g. putting the Apache adapter 'above' the mail adapter in the service order) does not help. The fix only works by making the mail adapter inactive temporarily.
    I suspect that there is some configuration change I can make to clarify the setup I have. The MySQL and Apache installations only need to talk to the Apache server - but I am not sure how to record this configuration in the OS X system.
    Thanks in advance for any assistance that you can provide.
    Message was edited by: Gavin Lawrie

  • Quick upload not configured Help

    Quick upload not configured. Help! Why and how do I configure? Host? Username? Password?

    I have exactly the same question, using almost the same system: MacBook Pro, OS X Mountain Lion (10.8.3).
    What to do? I cannot find an answer for how do I configure? Host, Username? Password?

  • SFTP adapter Configuration help:

    Dear All,
    I am trying to configure SFTP (Seeburger) in SAP PI.
    I want to know how to connect the SFTP adapter of Seeburger with an SSH server. (I have installed a free SSH server on my laptop.)
    How do I connect using the SFTP setting
    AUTHENTICATION Method: Private Key authorisation
    How do I generate/use a private key?
    Please advise,
    Prakash
    Edited by: senthilprakash selvaraj on Jan 20, 2010 6:42 AM

    Dear All,
    I have installed the SSH server and generated the RSA key in Visual Admin, and I have configured the SFTP adapter properly.
    Now I have a different issue.
    In Communication Channel Monitoring, once I start the channel (SFTP) I am not getting any message. It just says "Channel started" and that's it. Nothing else is coming, not even an error. What should I do? Why is it happening like that?
    I tried with Authentication mode as Private Key as well as Password. In both, the configurations are proper.
    I also tried refreshing the cache; no use.
    Please help,
    Senthilprakash

  • Basic Internet Routing Configuration Help -- Cisco 2811

    Hi everyone,
    I want to start by saying that I brought a Cisco 2811 Router to use at home and to practice advanced networking with. So far, I believe I've configured everything as it should be, however, I am not getting any internet connection.
    DHCP is set up and working properly, I can lease addresses without issue.
    Both interfaces are configured, fe0/1 with a static IP, and fe0/0 as a DHCP client.
    I have connected fe0/0 directly to the Cable modem and it acquires an IP without issue. Connecting my laptop directly into fe0/1 allows my laptop to lease an IP from the router's DHCP server. So I know everything up to there is working properly. I've set up NAT as best I can with what I know, but I am still not getting the router to provide internet access. 
    The following is my Router's Configuration. Does anything seem to be missing? I used Configuration Professional to set it up.
    ------------Begin Configuration-------------
    Building configuration...
    Current configuration : 2570 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname Network
    boot-start-marker
    boot-end-marker
    security authentication failure rate 10 log
    security passwords min-length 6
    no logging buffered
    logging console critical
    enable secret 5 $1$4FJS$RQUEiWuTaMOAGhVx1O1Du0
    enable password 7 046F03070C291D175F40
    aaa new-model
    aaa authentication login local_auth local
    aaa session-id common
    dot11 syslog
    no ip source-route
    no ip routing
    no ip gratuitous-arps
    no ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.100.1
    ip dhcp pool Network
       import all
       network 192.168.100.0 255.255.255.0
       dns-server 4.2.2.2 4.2.2.1 
       lease 7
    no ip bootp server
    ip domain name Network
    ip name-server 4.2.2.2
    ip name-server 4.2.2.1
    login block-for 5 attempts 5 within 1
    multilink bundle-name authenticated
    voice-card 0
     no dspfarm
    username Admin password 7 1526035D5D7C72252B3B
    archive
     log config
      hidekeys
    interface FastEthernet0/0
     description $ETH-WAN$
     ip address dhcp client-id FastEthernet0/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     no ip route-cache
     duplex full
     speed auto
     no mop enabled
    interface FastEthernet0/1
     ip address 192.168.100.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     no ip route-cache
     duplex full
     speed auto
     no mop enabled
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip nat pool Network 192.168.100.1 192.168.100.254 netmask 255.255.255.0
    ip nat inside source list 101 interface FastEthernet0/0 overload
    logging trap debugging
    logging facility local2
    access-list 100 permit udp any any eq bootpc
    access-list 101 remark INTERNET ACCESS THROUGH NAT
    access-list 101 remark CCP_ACL Category=2
    access-list 101 permit ip 192.168.100.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    snmp-server community public RO
    no cdp run
    control-plane
    banner motd ^C Welcome! ^C
    line con 0
     login authentication local_auth
     transport output telnet
    line aux 0
     exec-timeout 15 0
     login authentication local_auth
     transport output telnet
    line vty 0 4
     password 7 107D0C1A10051B1F15
     login authentication local_auth
     transport input telnet
    scheduler allocate 20000 1000
    end
    ------------------End Configuration-------------------
    Does anything seem amiss? Thank you all in advance for your help!
    John

    Hi Again,
    I sent
    dhcp pool Network
    default-router 192.168.100.1
    to the router and wrote it to config. I still didn't have internet access at first, so I followed John's tip and hooked up my machine to an old Catalyst 2849G switch I had laying around. The switch has no settings, just gets an ip from the router and does its own thing. After doing so, I do now have internet access. I'm using it to post this reply in fact.
    Here are the results of ipconfig /all on my Ethernet NIC on my machine before even having the switch:
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : hsd1.ut.comcast.net.
       Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
       Physical Address. . . . . . . . . : 54-EE-75-27-6F-06
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::7cdd:83b5:e603:127e%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.100.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Thursday, October 02, 2014 7:57:10 AM
       Lease Expires . . . . . . . . . . : Thursday, October 09, 2014 7:57:10 AM
       Default Gateway . . . . . . . . . :
       DHCP Server . . . . . . . . . . . : 192.168.100.1
       DHCPv6 IAID . . . . . . . . . . . : 290778741
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-B2-3D-AF-54-EE-75-27-6F-06
       DNS Servers . . . . . . . . . . . : 75.75.76.76
                                           75.75.75.75
       NetBIOS over Tcpip. . . . . . . . : Enabled
    It seems everything was working as it should, but I didn't have internet access and windows still reported it as an unknown network.
    After hooking up my Switch, Windows reported seeing 'Network' (From my router's host name, I presume?) and once I reset the modem, I had internet access. 
    This was a huge learning experience and I am glad to have help from all of you. Is there anything else I can do to optimize my configurations? Also, why didn't I have internet access when directly hooked up to FastEthernet0/1 even though my machine acquired IPs and DNS info?
    Here is another copy of the running config with today's changes:
    ---------------------Begin Configuration------------------------
    Building configuration...
    Current configuration : 2401 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname Network
    boot-start-marker
    boot-end-marker
    security authentication failure rate 10 log
    security passwords min-length 6
    logging buffered 4096
    logging console critical
    enable secret 5 $1$4FJS$RQUEiWuTaMOAGhVx1O1Du0
    enable password 7 046F03070C291D175F40
    aaa new-model
    aaa authentication login local_auth local
    aaa session-id common
    dot11 syslog
    no ip source-route
    no ip gratuitous-arps
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.100.1
    ip dhcp pool Network
       import all
       network 192.168.100.0 255.255.255.0
       default-router 192.168.100.1 
       lease 7
    no ip bootp server
    ip domain name Network
    login block-for 5 attempts 5 within 1
    multilink bundle-name authenticated
    voice-card 0
     no dspfarm
    username Admin password 7 1526035D5D7C72252B3B
    archive
     log config
      hidekeys
    interface FastEthernet0/0
     description $ETH-WAN$
     ip address dhcp client-id FastEthernet0/0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     duplex full
     speed auto
     no mop enabled
    interface FastEthernet0/1
     ip address 192.168.100.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     duplex full
     speed auto
     no mop enabled
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 dhcp
    ip http server
    no ip http secure-server
    ip nat pool Network 192.168.100.1 192.168.100.254 netmask 255.255.255.0
    ip nat inside source list 10 interface FastEthernet0/0 overload
    logging trap debugging
    logging facility local2
    access-list 10 permit 192.168.100.0 0.0.0.255
    access-list 100 permit udp any any eq bootpc
    dialer-list 1 protocol ip permit
    snmp-server community public RO
    no cdp run
    control-plane
    banner motd ^C Welcome! ^C
    line con 0
     login authentication local_auth
     transport output telnet
    line aux 0
     exec-timeout 15 0
     login authentication local_auth
     transport output telnet
    line vty 0 4
     password 7 107D0C1A10051B1F15
     login authentication local_auth
     transport input telnet
    scheduler allocate 20000 1000
    end
    --------------------------End Configuration-------------------------
    Let me know if there is anything else you guys need or I should do, I'll be back after classes today. Thanks again!
    -John
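
The running-config above carries several management-plane settings that are easy to miss in a long listing: a type 7 `enable password` alongside `enable secret`, `ip http server` without HTTPS, the `public` SNMP community, and Telnet-only vty lines with no `access-class`. The audit below is an added example, not part of the original thread; the sample config is constructed in the shape of the posted one with placeholder credentials, and the check names are hypothetical.

```python
import re

# Constructed sample in the shape of the running-config posted above;
# hashes and passwords are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
service password-encryption
security passwords min-length 6
enable secret 5 <hash-placeholder>
enable password 7 <type7-placeholder>
username Admin password 7 <type7-placeholder>
ip http server
no ip http secure-server
snmp-server community public RO
line con 0
 login authentication local_auth
line vty 0 4
 password 7 <type7-placeholder>
 login authentication local_auth
 transport input telnet
end
"""


def split_sections(text):
    """Yield (header, [child lines]). Assumes IOS indentation is intact:
    sub-commands start with a space, top-level commands do not."""
    header, children = None, []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and header is not None:
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def audit(text):
    """Return a sorted list of (check_id, detail) findings."""
    findings = []
    sections = list(split_sections(text))
    top = [h for h, _ in sections]

    has_secret = any(h.startswith("enable secret ") for h in top)
    for h in top:
        if h.startswith("enable password "):
            detail = "legacy enable password present"
            if has_secret:
                detail += "; enable secret is set and takes precedence, remove this line"
            findings.append(("enable-password", detail))
        m = re.match(r"username (\S+) password ", h)
        if m:
            findings.append(("user-password",
                             f"user {m.group(1)}: stored as 'password', use 'secret'"))
        m = re.match(r"snmp-server community (\S+)", h)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("snmp-default-community", f"community '{m.group(1)}'"))

    # Exact match, so "no ip http secure-server" does not count as HTTPS enabled.
    if "ip http server" in top and "ip http secure-server" not in top:
        findings.append(("http-cleartext", "HTTP management enabled without HTTPS"))

    for h, kids in sections:
        if not h.startswith("line vty"):
            continue
        for k in kids:
            if k.startswith("transport input ") and "telnet" in k.split()[2:]:
                findings.append(("vty-telnet", f"{h}: {k}"))
        if not any(k.startswith("access-class ") for k in kids):
            findings.append(("vty-no-access-class",
                             f"{h}: no access-class restricting source addresses"))
    return sorted(findings)


if __name__ == "__main__":
    for check_id, detail in audit(SAMPLE_CONFIG):
        print(f"{check_id:24} {detail}")
```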

  • WDS - Client Configuration Help

    Hi All,
    I have many ap1252ap's, I have configured WDS on the one ap and it authenticates to itself OK - to the locally configured radius server.
    state = wlccp_ap_st_registered
    The problem is that I do not know where to go from here.
    I have followed the docs (Fast Roaming, WDS) but I cannot get very far, in fact I do not think that my clients are even attempting to authenticate with my AP. I have modified the following taken from the sraom doc,
    AP# configure terminal
    AP(config)# dot11 ssid fastroam
    AP(config-ssid)# authentication network-eap eap_methods
    SSID CONFIG WARNING: [fastroam]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.
    AP(config-ssid)# authentication key-management cckm
    AP(config-ssid)# exit
    AP(config)# interface dot11radio0
    AP(config-if)# encryption mode ciphers ckip-cmic
    AP(config-if)# ssid fastroam
    AP(config-if)# exit
    AP(config)# end
    But something is still not right or missing. I have added users (or at least I think I have from an authentication point of view) with the username and password as the MAC of the clients to the local radius server, using command
    ap(config-radsrv)#user xxx password xxx
    But I do not understand how this links in with the client, basically how do I configure a client to attach using cckm, where do I put in a username and password for the network profile, if I pick leap, then I am prompted for the username/password, but what username/password is this, is it the username/password entered with
    ap(config-radsrv)#user xxx password xxx
    Any help would be much appreciated.
    Regards

    Hi,
    Thank you for reading my post. I have managed to work out how to configure my WDS with usernames and passwords; if anybody else is interested, this is what I did.
    dot11 ssid fastroam
    authentication open eap method_clients
    authentication network-eap method_clients
    authentication key-management wpa
    (method_client is basically a list pointing with IP of server providing WDS/Radius)
    Interface dot11radio 0
    ssid fastroam
    encryption mode ciphers tkip
    no shut
    To configure user/passwords
    conf t
    radius local-server
    user testing password testing123
    then on client
    authentication:
    configure LEAP
    user: testing
    password: testing123
    encryption:
    tkip
    the client should now authenticate to AP/WDS.
    The only thing I have not worked out yet is how to configure a backup WDS, nor do I quite understand which of the authentication methods the client is using when it successfully connects.
    Please can you advise: when you have a username/password on the radius server, does it mean that any or all clients can use the same username/password,
    or will the radius server detect that the login is already in use and prevent another attempt? The reason behind my question is that the username/password might get into the wrong hands.
    Thanks and Regards

  • WRT400N Network Configuration Help

    I need some help. I have a little above average knowledge about networking. I was asked by a friend to help her set up a wireless network in a low income senior housing building. This building has three floors. The person who asked me to help had purchased a WRT400N and two Wireless-G Range Expanders (WRE54G). I have tried several times to configure both of the expanders and can only get one connected and working. Even though the one is working it does not really do the job, plus as I have read using two expanders greatly reduces your signal strength. I am looking here for some input on setting this up with the right equipment, using the WRT400N, but not the two expanders. What equipment and how should I set this up? Thanks in advance for your time.

    A couple of things to know first off.  The Range expanders only work with "G" routers - they will not work with "N" routers. WPA security must be used (not WPA2).  Additionally, you'll need to ensure encryption is set to TKIP not AES.  All settings on the extender must match the router exactly (SSID, Channel, WPA Key, TKIP, gateway of extender = router IP address).
    Also, the extenders are super flakey during setup, especially if you have one of the old ones that can only be setup wirelessly and does not have the ethernet port.  Follow these directions exactly.  When and how you turn off/on the router and extender makes a difference because of the initial authentication methods when using encryption.
    1) Usually to get it to connect you first need to turn off your router (make sure you know all of the settings you'll need for your extender before you do this....SSID, Channel, WPA key, TKIP, gateway of extender = IP address). 
    2) Then plug in your extender and follow these directions to set it up. 
    Click Here
    3) Then turn off the extender once it has been setup and the configurations have been saved. 
    4) Then turn the router back on... wait for it to fully boot up (about 2 minutes). 
    5) Then turn your extender on while it is close to the router (at least the first time). 
    If you have everything configured exactly the same, they should synch up.  You can now unplug the extender and move it wherever you want (so long as it is still in range of the router).  Test connectivity by pinging 192.168.1.240.  If the extender light is blue and you can ping it you are in business.
    Message Edited by bobbodavis on 06-17-2009 05:14 AM

  • 857W - Configuration Help

    Hi All,
    I have managed to configure a 857W - it connects to the internet and everything is good - except that I can't ping the ethernet group or make any connection from either the WAN -> inside or Inside -> WAN.
    I think I have mis-configured the ethernet side.  Can anyone spot my obvious mistakes or please help point me in the right direction please?  I'm starting to struggle and not getting anywhere fast.
    Thanks.
    Current configuration : 6485 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service sequence-numbers
    no service dhcp
    hostname router
    boot-start-marker
    boot-end-marker
    logging buffered 51200 debugging
    no aaa new-model
    resource policy
    clock timezone AEST 10
    clock summer-time DST recurring 1 Sun Oct 2:00 last Sun Mar 2:00
    no ip source-route
    ip cef
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall cuseeme
    ip inspect name firewall h323
    ip inspect name firewall rcmd
    ip inspect name firewall realaudio
    ip inspect name firewall streamworks
    ip inspect name firewall vdolive
    ip inspect name firewall sqlnet
    ip inspect name firewall tftp
    ip inspect name firewall ftp
    ip inspect name firewall icmp
    ip inspect name firewall sip
    ip inspect name firewall esmtp max-data 52428800
    ip inspect name firewall fragment maximum 256 timeout 1
    ip inspect name firewall rtsp
    ip inspect name firewall pptp
    ip tcp selective-ack
    ip tcp timestamp
    no ip bootp server
    no ip domain lookup
    ip domain name local
    crypto pki trustpoint TP-self-signed-3456743647
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3456743647
    revocation-check none
    rsakeypair TP-self-signed-3456743647
    crypto pki certificate chain TP-self-signed-3456743647
    certificate self-signed 01
      quit
    file verify auto
    username admin privilege 15 secret 5 blah.
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache policy
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    interface ATM0.1 point-to-point
    description $ES_WAN$
    no snmp trap link-status
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Dot11Radio0
    no ip address
    shutdown
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    interface Vlan1
    ip address 192.168.10.251 255.255.255.0
    ip access-group 102 in
    ip nat inside
    ip virtual-reassembly
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface Dialer0
    ip address negotiated
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    ip inspect firewall out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp pap sent-username blah blah
    ppp ipcp dns request
    ppp ipcp route default
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 192.168.10.31 3389 interface Dialer0 3389
    access-list 1 remark The local LAN.
    access-list 1 permit 192.168.10.0 0.0.0.255
    access-list 2 remark Where management can be done from.
    access-list 2 permit 192.168.10.0 0.0.0.255
    access-list 101 remark Traffic allowed to enter the router from the Internet
    access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
    access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
    access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
    access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
    access-list 101 deny   ip any host 255.255.255.255
    access-list 101 permit tcp any any eq 1723
    access-list 101 permit gre any any
    access-list 101 deny   icmp any any echo
    access-list 101 deny   ip any any log
    access-list 102 remark Traffic allowed to enter the router from the Ethernet
    access-list 102 permit ip any host 192.168.10.251
    access-list 102 deny   ip any host 192.168.10.255
    access-list 102 deny   udp any any eq tftp log
    access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log
    access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
    access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
    access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
    access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
    access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
    access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
    access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
    access-list 102 deny   udp any any eq 135 log
    access-list 102 deny   tcp any any eq 135 log
    access-list 102 deny   udp any any eq netbios-ns log
    access-list 102 deny   udp any any eq netbios-dgm log
    access-list 102 permit ip 192.168.10.0 0.0.0.255 any
    access-list 102 permit ip any host 255.255.255.255
    access-list 102 deny   ip any any log
    access-list 102 deny   tcp any any eq 445 log
    dialer-list 1 protocol ip permit
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    access-class 2 in
    privilege level 15
    login local
    transport input telnet ssh
    scheduler max-task-time 5000
    end

    Thanks John,
    Thanks for your reply I saw the gateway problem earlier but it didn't help much- here is my current config.  Still can't seem to connect to things. 
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service sequence-numbers
    no service dhcp
    hostname router
    boot-start-marker
    boot-end-marker
    logging buffered 51200 debugging
    no aaa new-model
    resource policy
    clock timezone AEST 10
    clock summer-time DST recurring 1 Sun Oct 2:00 last Sun Mar 2:00
    no ip source-route
    ip cef
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall cuseeme
    ip inspect name firewall h323
    ip inspect name firewall rcmd
    ip inspect name firewall realaudio
    ip inspect name firewall streamworks
    ip inspect name firewall vdolive
    ip inspect name firewall sqlnet
    ip inspect name firewall tftp
    ip inspect name firewall ftp
    ip inspect name firewall icmp
    ip inspect name firewall sip
    ip inspect name firewall esmtp max-data 52428800
    ip inspect name firewall fragment maximum 256 timeout 1
    ip inspect name firewall rtsp
    ip inspect name firewall pptp
    ip tcp selective-ack
    ip tcp timestamp
    no ip bootp server
    no ip domain lookup
    ip domain name local
    crypto pki trustpoint TP-self-signed-3456743647
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3456743647
    revocation-check none
    rsakeypair TP-self-signed-3456743647
    crypto pki certificate chain TP-self-signed-3456743647
    certificate self-signed 01
      quit
    file verify auto
    username admin privilege 15 secret 5 blah
    bridge irb
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache policy
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    interface ATM0.1 point-to-point
    description $ES_WAN$
    no snmp trap link-status
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Dot11Radio0
    no ip address
    encryption mode ciphers tkip
    ssid
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Vlan1
    no ip address
    ip nat inside
    ip virtual-reassembly
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface Dialer0
    ip address negotiated
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    ip inspect firewall out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp pap sent-username blah
    ppp ipcp dns request
    ppp ipcp route default
    interface BVI1
    ip address 192.168.10.251 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 192.168.10.31 3389 interface Dialer0 3389
    access-list 1 remark The local LAN.
    access-list 1 permit 192.168.10.0 0.0.0.255
    access-list 2 remark Where management can be done from.
    access-list 2 permit 192.168.10.0 0.0.0.255
    access-list 101 remark Traffic allowed to enter the router from the Internet
    access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
    access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
    access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
    access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
    access-list 101 deny   ip any host 255.255.255.255
    access-list 101 permit tcp any any eq 1723
    access-list 101 permit gre any any
    access-list 101 deny   icmp any any echo
    access-list 101 deny   ip any any log
    access-list 102 remark Traffic allowed to enter the router from the Ethernet
    access-list 102 permit ip any host 192.168.10.251
    access-list 102 deny   ip any host 192.168.10.255
    access-list 102 deny   udp any any eq tftp log
    access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log
    access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
    access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
    access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
    access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
    access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
    access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
    access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
    access-list 102 deny   udp any any eq 135 log
    access-list 102 deny   tcp any any eq 135 log
    access-list 102 deny   udp any any eq netbios-ns log
    access-list 102 deny   udp any any eq netbios-dgm log
    access-list 102 permit ip 192.168.10.0 0.0.0.255 any
    access-list 102 permit ip any host 255.255.255.255
    access-list 102 deny   ip any any log
    access-list 102 deny   tcp any any eq 445 log
    dialer-list 1 protocol ip permit
    control-plane
    bridge 1 route ip
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    access-class 2 in
    privilege level 15
    login local
    transport input telnet ssh
    scheduler max-task-time 5000
    end
    router#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 0.0.0.0 to network 0.0.0.0
    C    192.168.10.0/24 is directly connected, BVI1
    S*   0.0.0.0/0 is directly connected, Dialer0
    router#
    Murray
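
In ACL 102 as posted above, `deny tcp any any eq 445 log` comes after `deny ip any any log`, so it can never match and its log counter will stay at zero. The checker below is an added example, not part of the original thread: it finds extended ACL entries fully covered by an earlier entry, using an excerpt of the posted ACL 102 as input; the function names are hypothetical and only destination-side qualifiers (such as `eq 445`) are handled.

```python
import ipaddress

# Excerpt of ACL 102 from the config posted above (some entries omitted).
SAMPLE_ACL = """\
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.10.251
access-list 102 deny   udp any any eq tftp log
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny   ip any any log
access-list 102 deny   tcp any any eq 445 log
"""


def _addr(tokens):
    """Consume one address spec from the token list; return (addr, wildcard) ints."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_acl(text):
    """Parse numbered extended ACL entries (100-199) into dicts, grouped by ACL number."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue
        if not 100 <= int(tok[1]) <= 199:
            continue
        rest = tok[4:]
        src = _addr(rest)
        dst = _addr(rest)
        # Whatever follows the destination (port or ICMP type), ignoring 'log'.
        qual = tuple(t for t in rest if t != "log")
        acls.setdefault(tok[1], []).append({
            "text": " ".join(tok), "action": tok[2], "proto": tok[3],
            "src": src, "dst": dst, "qual": qual})
    return acls


def _covers(a, b):
    """True if address spec a matches every address that spec b matches."""
    (a_addr, a_wild), (b_addr, b_wild) = a, b
    care = ~a_wild & 0xFFFFFFFF          # bits that a actually compares
    return (b_wild & care) == 0 and ((a_addr ^ b_addr) & care) == 0


def entry_covers(e1, e2):
    """True if every packet matching e2 would already match e1."""
    return (e1["proto"] in ("ip", e2["proto"])
            and _covers(e1["src"], e2["src"])
            and _covers(e1["dst"], e2["dst"])
            and e1["qual"] in ((), e2["qual"]))


def find_shadowed(text):
    """Return (acl, shadowed_entry, covering_entry, actions_conflict) tuples."""
    out = []
    for num, entries in parse_acl(text).items():
        for j, later in enumerate(entries):
            for earlier in entries[:j]:
                if entry_covers(earlier, later):
                    out.append((num, later["text"], earlier["text"],
                                earlier["action"] != later["action"]))
                    break
    return out


if __name__ == "__main__":
    for num, dead, by, conflict in find_shadowed(SAMPLE_ACL):
        kind = "CONFLICT" if conflict else "redundant"
        print(f"ACL {num} [{kind}]: '{dead}' is never reached (covered by '{by}')")
```

A shadowed entry whose action differs from the covering entry is the case to look at first, since the rule the author intended is silently not applied.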

  • ADFS Claims Authentication, Configuring UPA and People Picker

    Hi,
    I am just trying to get my head around setting up ADFS to authenticate users along with allowing UPA (My Sites) and People Picker to work.
    So, my environment is a WFE and an SQL Server offsite and my AD and ADFS 2.0 server onsite.  We have configured SharePoint as below and applied the Claims Provider to my Intranet web app and My Sites web app and I can log in with my account as [email protected] (UPN)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("E:\ADFS_SelfSigned.cer")
    New-SPTrustedRootAuthority -Name "ADFS Self Signed" -Certificate $cert
    $map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "Account ID" -SameAsIncoming
    $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
    $map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
    $realm = "https://intranet.domain.com.au/_trust/"
    $signinurl = "https://adfs01.domain.com.au/adfs/ls/"
    $ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "My Custom Identity Provider" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
    $uri = new-object System.Uri("https://adfs01.domain.com.au/adfs/ls/")
    $ap.ProviderRealms.Add($uri, " https://mysites.domain.com.au/_trust/")
    $ap.Update()
    iisreset
    When trying to configure a new synchronisation connection > Active Directory Import under the User Profile Service Application, I get an error saying it can't connect to the Domain Controller which would make sense as they are not on the same domain.
    I believe that MS have a sync utility that works with Office365/MS Cloud - is there a similar solution available for my configuration? 

    AD import still uses LDAP/ADSI... ADFS cannot be used DIRECTLY as a sync source, since it is NOT a QUERYABLE technology. It is an AUTHENTICATION technology. UPS syncs to a QUERYABLE data source like LDAP/ADSI, and maps one of the properties to the ADFS login (most people choose email or UPN, though I tend to recommend SID for various reasons).
    Also, since people picker displays a SEARCH window, and since ADFS is not a QUERYABLE technology, the people picker (by default) ASSUMES that whatever you type in will be VALID. You can SEARCH the UPS, but if you type an email address or something of that nature, it is NOT going to SEARCH your directory! To address this, you need to install a custom Identity Provider... one is available on CodePlex, which performs an LDAP search against the domain controller... if that's not an option, you need a custom coded solution.
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs
