Authentication Configuration Help
All,
Can anyone help me configure user authentication for my WAP? I have an Aironet 1242, and all the documentation I come across shows me how to configure it for administration purposes. I have a RADIUS server up and running, but I can't get the config right to have users authenticate to it when they access the WAP.
Below is my config.
version 12.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname 4TH_FLOOR_CONF
enable secret xxx
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
ip domain name sba.gov
ip dhcp excluded-address 165.110.30.1 165.110.30.229
ip dhcp excluded-address 165.110.30.240 165.110.30.254
ip dhcp pool atlantis
network 105.120.35.0 255.255.255.0
ip dhcp-server 105.120.35.252
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 ssid airbender
dot11 ssid avatar
authentication open
guest-mode
power inline negotiation prestandard source
username Cisco password xxx
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
ssid airbender
ssid avatar
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
ssid avatar
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface BVI1
ip address 105.120.35.219 255.255.255.0
no ip route-cache
ip default-gateway 105.120.35.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
nas 105.120.35.12 key xxx
radius-server attribute 32 include-in-access-req format %h
radius-server host 165.110.30.215 auth-port 1812 acct-port 1646 key xxx
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
line vty 0 4
sntp server 105.120.35.253
end
You are missing half of the config for security:
You still need to set up the SSID.
Read here:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
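The SSID side that the reply points at, as an added example; this is not the poster's or the reply's configuration. It reuses the `rad_eap` server group, the `eap_methods` login list, the `rad_acct`/`acct_methods` accounting pair and the RADIUS host 165.110.30.215 from the posted config. Two things in that config keep RADIUS from ever being consulted for a wireless user: `dot11 ssid avatar` has `authentication open` with no EAP list and no `authentication key-management`, so clients are never challenged, and `aaa group server radius rad_eap` has no `server` member, so `eap_methods` has nothing to query (a named group does not fall back to the global `radius-server host` list; `group radius` would). The assumptions here are mine: the server accepts EAP (PEAP or EAP-TLS) on UDP 1812 and accounting on 1813 (the posted line pairs 1812 with 1646; standard pairs are 1812/1813 or 1645/1646), and the server's client list contains the AP's BVI1 address 105.120.35.219 with the same shared secret, since `ip radius source-interface BVI1` is already set.

```cisco
! Added example, not from the original post: 802.1X/EAP for wireless users on an
! autonomous Aironet 1242. Group, list and SSID names are the ones in the posted config.
!
aaa new-model
!
! Give the posted (empty) groups a member; the port pairing is an assumption.
aaa group server radius rad_eap
 server 165.110.30.215 auth-port 1812 acct-port 1813
aaa group server radius rad_acct
 server 165.110.30.215 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa accounting network acct_methods start-stop group rad_acct
!
radius-server host 165.110.30.215 auth-port 1812 acct-port 1813 key xxx
ip radius source-interface BVI1
!
dot11 ssid avatar
 ! "open eap" serves standard supplicants (PEAP, EAP-TLS); "network-eap" is only
 ! needed for Cisco LEAP clients. Both hand the EAP exchange to eap_methods.
 authentication open eap eap_methods
 authentication network-eap eap_methods
 ! WPA key management: the session key is derived from the EAP result, so a
 ! client that fails RADIUS never gets a key. On images that accept it,
 ! "authentication key-management wpa version 2" restricts this to WPA2.
 authentication key-management wpa
 accounting acct_methods
 guest-mode
!
interface Dot11Radio0
 ! tkip is kept only for legacy clients; drop it once none remain.
 encryption mode ciphers aes-ccm tkip
 ssid avatar
```

After applying this, `show dot11 associations` lists clients with their key-management state, and `debug radius authentication` shows the Access-Request leaving BVI1 and the Access-Accept or Access-Reject coming back. No debug output at all means the SSID is still not pointing at `eap_methods` or the group still has no server; an Access-Reject with nothing logged on the server side usually means the shared secret or the client address on the server does not match.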
Similar Messages
-
SOAP Web Service Authentication configuration
Hello,
I've got a little problem with Web Service authentication configuration.
I'm working on SAP NetWeaver CE EHP1 7.11. I also have an XMII application deployed on the server, and there are some SOAP Web Services (over XMII Transactions) that require basic authentication.
I use all Web Services in the EJB layer. So I've generated a proxy using SAP NetWeaver as the Web Service runtime for generation, and I use an injection mechanism to get a service implementation:
@WebServiceRef(name="GetBatchListService")
private XacuteWS batchListWS;
In this case I could use the Single Service Administration application in the NetWeaver Administrator > SOA Management > Application and Scenario Communication to configure basic authentication for EVERY Web Service. And this configuration disappears after every redeploy.
The question is: how and where can I configure authentication for all web services at once?
I've read a lot of documentation, but, unfortunately, I haven't found the one I need. I can see two directions to search now; it might help:
1) Destination: configure an HTTP Destination or Web Service Template Destination and use it in all Web Service proxies somehow.
2) Find a configuration way: create a configuration group or anything else to configure all services from one screen.
Best Regards,
Dmitry
Dimtris,
If your WSDL URL is pointing to the URL of the Adapter Engine as shown in the "How to Use the SOAP Adapter" guide, there is no option; you cannot add it to the SOAP URL.
But if you change the SOAP URL to the URL shown in this blog by Stefan Grube, then you can add the user ID and password to the URL by adding sap-user=userid and sap-password=password.
The option shown in the blog by Grube can be used as long as you do not have to use SOAP attachments, and in this case you would not need both a sender SOAP adapter and a sender agreement.
/people/stefan.grube/blog/2006/09/21/using-the-soap-inbound-channel-of-the-integration-engine
Regards
Bhavesh -
Open LDAP Authenticator Configuration on WLSSP5
I have problems in the open LDAP authenticator configuration on Weblogic Server with Service Pack 5. I have users on OpenLDAP Server that do not belong to any group. My LDIF file contents are as given below.
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organization
o: MYABC, Inc
dn: cn=Manager, dc=my-domain,dc=com
userPassword:: c2VjcmV0
objectClass: person
sn: Manager
cn: Manager
dn: cn=myabcsystem, dc=my-domain,dc=com
userPassword:: dmVuZGF2b3N5c3RlbQ==
objectClass: person
sn: myabcsystem
cn: myabcsystem
dn: cn=Philippe, dc=my-domain,dc=com
userPassword:: UGhpbGlwcGU=
objectClass: person
sn: Philippe
cn: Philippe
dn: cn=mlrick, dc=my-domain,dc=com
userPassword:: bWxyaWNr
objectClass: person
sn: mlrick
cn: mlrick
All these users appear in the Users tab after configuration on the console, but only if the LDAP server is up. When I select the Groups tab, I get errors indicating BAD SEARCH FILTER,
in spite of my not having any groups in the LDAP, as indicated by the LDIF contents.
When I try to log in to the application with this LDAP configuration, I do not get any errors. LDAP authentication is not happening with just the LDAP authenticator in place. Even if I stop the LDAP server, I do not get any exceptions while trying to log in. The config params for the OpenLDAP authenticator are as given below:
<weblogic.security.providers.authentication.OpenLDAPAuthenticator
AllGroupsFilter="objectclass=*"
Credential="{3DES}rGCpYmhaIorI99BjZ2u6Fg=="
GroupBaseDN="dc=my-domain,dc=com"
GroupFromNameFilter="(cn=%u)"
Name="Security:Name=MYABCAuthenticationOpenLDAPAuthenticator"
Principal="cn=myabcsystem,dc=my-domain,dc=com"
Realm="Security:Name=MYABCAuthentication"
StaticGroupDNsfromMemberDNFilter=""
StaticGroupNameAttribute="" StaticGroupObjectClass=""
StaticMemberDNAttribute="" UserBaseDN="dc=my-domain, dc=com"/>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP ATN LoginModule initialized>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login username: bob>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <authenticate user:bob>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getDNForUser search("ou=people,ou=MYABCAuthentication,dc=myabc", "(&(uid=bob)(objectclass=person))", base DN & below)>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
Can anyone help me identify what the issue is? Why is the authentication not happening?
Hi Amol,
I've seen this happen at least two times in 11.1.1.1 installs. You can safely restart and then add the service back again. Suggest you reboot after you re-add the service back or cycle all the Hyperion services.
I was not aware you could install the service with that command.
I used the below command instead:
sc create OpenLDAP-slapd start= auto binPath= "D:\Hyperion\...\slapd.exe service" DisplayName= "Hyperion Shared Services OpenLAP"
Regards,
-John -
1941W configuration help needed
Our Deployment Scenario:-
1941W Gigabit Ethernet 0/0 is connected to the PPOE connection of the ISP.
Gigabit Ethernet 0/1 is connected to the wired LAN
I have created two wireless radios: Cisco_Kamran_BGN, which serves 2.4 GHz devices, and Cisco_Kamran_A, which serves 5 GHz devices.
I have created two VLANs for the wireless:
VLAN 10 for Cisco_Kamran_A, 192.168.10.x
VLAN 11 for Cisco_Kamran_BGN, 192.168.11.x
The problem is that the wireless users are not getting an IP address from the respective DHCP server that has been configured on the router.
Can anyone from the community please help me and show me where I am missing the configuration?
Please find my router and AP configuration below.
Router Configuration
Router# sh run
Building configuration...
Current configuration : 3022 bytes
! No configuration change since last restart
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
enable secret 5 $1$TdQt$npYeaf/W0kRElcfMggzJ31
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.11.1 192.168.11.10
ip dhcp pool DHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 195.229.241.222 213.42.20.20
ip dhcp pool Cisco_Kamran_A
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server 195.229.241.222 213.42.20.20
ip dhcp pool Cisco_Kamran_BGN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 195.225.241.222 213.42.20.20
multilink bundle-name authenticated
crypto pki token default removal timeout 0
license udi pid CISCO1941W-E/K9 sn FCZ1553C1VK
hw-module ism 0
redundancy
bridge irb
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered GigabitEthernet0/0
arp timeout 0
no mop enabled
no mop sysid
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
no ip address
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group DSL_ACCESSLIST in
ip nat inside
ip virtual-reassembly in
interface Vlan11
ip address 192.168.11.1 255.255.255.0
ip access-group DSL_ACCESSLIST in
ip nat inside
ip virtual-reassembly in
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username xxxxxx password 0 xxxxxx
ppp ipcp route default
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
ip access-list extended DSL_ACCESSLIST
permit ip 192.168.0.0 0.0.255.255 any
control-plane
line con 0
password xxxxxx
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
password xxxxxx
login
transport input all
scheduler allocate 20000 1000
end
Access Point Configuration
ap# sh run
Building configuration...
Current configuration : 2603 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
enable secret 5 $1$JxdQ$a2/00bWJuhUKP9QLC94YD/
no aaa new-model
dot11 syslog
dot11 ssid Cisco_Kamran_A
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 1045081417161C5A555C7A7B
dot11 ssid Cisco_Kamran_BGN
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 020D05561907017015165949
username Cisco password 7 14341B180F0B
bridge irb
interface Dot11Radio0
description 802.11bgn radio
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
broadcast-key change 3600
ssid Cisco_Kamran_BGN
antenna gain 0
station-role root
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
interface Dot11Radio1
description 802.11a radio
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid Cisco_Kamran_A
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.10
description 802.11a bridge
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface GigabitEthernet0.11
description 802.11bgn bridge
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
no activation-character
line vty 0 4
login local
end
Hi Stephen,
I did the configuration as per your advice, but I am getting the error mentioned below, which I have highlighted in red. Please advise what needs to be done.
Re: 1941W configuration help needed
created by Stephen Rodriguez in Getting Started with Wireless
conf t
interface Dot11Radio0
no ssid Cisco_Kamran_BGN
no encryption mode ciphers aes-ccm
exit
interface Dot11Radio1
no encryption mode ciphers aes-ccm
no ssid Cisco_Kamran_A
exit
dot11 ssid Cisco_Kamran_A
vlan 10
dot11 ssid Cisco_Kamran_BGN
vlan 11
exit
interface Dot11Radio0
encryption vlan 11 mode ciphers aes
ssid Cisco_Kamran_BGN
exit
interface dot11radio0.1
encapsulation dot1q 1 native
bridge-group 1
interface dot11radio 0.11
encapsulation dot1q 11
bridge-group 11
Configuration of subinterfaces and main interface within the same bridge group is not permitted
exit
interface Dot11Radio1
encryption vlan 10 mode ciphers aes-ccm
ssid Cisco_Kamran_A
interface dot11radio1.1
encapsulation dot1q 1 native
bridge-group 1
interface dot11radio1.10
encapsulation dot1q 10
bridge-group 10
Configuration of subinterfaces and main interface within the same bridge group is not permitted
end
wr
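The SSID-to-VLAN mapping that the quoted commands were aiming for, as an added example; it is not Stephen's or the poster's configuration. The error in the session above appears because, in the posted AP config, the main interfaces Dot11Radio0 and Dot11Radio1 still carry `bridge-group 11` and `bridge-group 10`; IOS will not put a subinterface into a bridge group its parent interface already belongs to, so the main interface has to leave that bridge group before `Dot11Radio0.11` and `Dot11Radio1.10` can join it. Without the `vlan` statements on the SSIDs, client frames are bridged untagged into bridge group 1 with the AP's management traffic and never reach the router's Vlan10/Vlan11 SVIs, which is why the DHCP pools on the router never see a request. SSID names, VLAN numbers and bridge groups are from the posted configs; the PSKs are placeholders, and since the posted `wpa-psk ascii 7` strings are type-7 encoded, which is reversible, those keys should be treated as disclosed and replaced.

```cisco
! Added example, not from the original thread: VLAN-mapped SSIDs on the 1941W
! embedded AP so that wireless clients land in VLAN 10 / VLAN 11 and obtain
! addresses from the router's DHCP pools.
!
dot11 ssid Cisco_Kamran_A
 vlan 10
 authentication open
 authentication key-management wpa
 wpa-psk ascii <new-key-for-A>
 guest-mode
!
dot11 ssid Cisco_Kamran_BGN
 vlan 11
 authentication open
 authentication key-management wpa
 wpa-psk ascii <new-key-for-BGN>
 guest-mode
!
! The step missing from the quoted session: take the main radio interfaces out
! of their bridge groups and move encryption from the interface to the VLAN.
interface Dot11Radio0
 no bridge-group 11
 no encryption mode ciphers aes-ccm
 encryption vlan 11 mode ciphers aes-ccm
 ssid Cisco_Kamran_BGN
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface Dot11Radio0.11
 encapsulation dot1Q 11
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
 bridge-group 11 spanning-disabled
!
interface Dot11Radio1
 no bridge-group 10
 no encryption mode ciphers aes-ccm
 encryption vlan 10 mode ciphers aes-ccm
 ssid Cisco_Kamran_A
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
! GigabitEthernet0.10 and GigabitEthernet0.11 in the posted config already carry
! "encapsulation dot1Q 10 / 11" with bridge-group 10 / 11, and GigabitEthernet0
! stays in bridge-group 1 for the untagged management VLAN, so the wired side
! of the AP and the trunk on Wlan-GigabitEthernet0/0 need no change.
```

To verify: on the AP, `show bridge` should show client MACs learned on Dot11Radio0.11 / Dot11Radio1.10 and forwarded to GigabitEthernet0.11 / GigabitEthernet0.10; on the router, `show ip interface brief` should show Vlan10 and Vlan11 up/up, and `show ip dhcp binding` should list the wireless clients once they associate.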
-
ACS Server: External Authentication configuration error
Hi ALL
I have installed the ACS server and configured it properly, and it works fine.
But whenever I restart the machine, the following error message appears in the external database configuration wizard.
External Authentication Configuration Error
ACS has encountered a problem while attempting to process your request. This could be due to one of the following:
An incorrect installation or configuration of the third-party DLLs required to support this External Database
A corrupt ACS configuration
After I found this error, I just restarted all seven services, and everything works fine.
I encounter the same error message every time I restart the machine.
Can anybody recommend a solution or help me resolve the issue?
Thanks
Hi,
Please try the following workaround.
1. Go to Start > Programs > Administrative Tools > Services.
2. Stop the following services in this order.
CSAuth
CSDbSync
CSLog
CSMon
CSRadius
CSTacacs
CSAdmin
3. After stopping those services, start them all again in the following order.
CSAdmin
CSAuth
CSDbSync
CSLog
CSMon
CSRadius
CSTacacs
Please let me know if this was able to help.
If the above doesn't help, please reinstall ACS, as the DLL files used by ACS have been corrupted. Before uninstalling and reinstalling, take a backup of the ACS server database from System Configuration > ACS Backup > Backup Now.
Also make sure that ACS is installed on the default drive.
Thanks
somishra -
Cisco 3650 Converged LAN/WLAN Design: Radius Authentication configuration example needed
Hello Cisco-Experts,
One of our customers would like to deploy Cisco 3650 switches with integrated WLC functionality.
The platform is new to me, and I have started to configure some basic settings.
Unfortunately, I cannot find information on how to implement 802.1X RADIUS authentication.
Do You know, where I can find detail information or an example how to implement this ?
Thank You
Wini
Hello Rasika,
Thank you very much for the link to your 802.1X authentication configuration
on the similar 3850 platform.
Very useful stuff.
Is it possible to set up the RADIUS server function on the switch itself?
I'm asking because I would like to test the setup in our office before rollout to customer.
Kind regards
Wini -
Need configuration help on producing dial tone
Hello Experts,
I have a Cisco 2921 router with a VWIC3-2MFT-T1/E1 card. On this card we have a T1-CAS digital line connected. We have been provided with a set of DID numbers. We have a requirement where, when we dial a DID, the router should provide a dial tone and should allow the user to dial extension numbers. I am not sure if this is feasible. If it is possible, I will need some configuration help.
Thanks
Arabinda
Sure it's possible. What's the T1 connected to? The router will offer two-stage dialing (aka dial tone) when the incoming POTS dial-peer does not have the 'direct-inward-dial' command on it. The router will accept any input and search for an outbound dial-peer (or ephone-dn for locally registered DNs) to match. Be careful if the T1 is connected to the PSTN, as this is a toll fraud risk. You need to use CoR to rein in what outbound dial-peers are available to it.
Dial Peer Basics:
http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a008010ae1c.shtml
Class of Restrictions:
http://www.cisco.com/en/US/tech/tk652/tk90/technologies_configuration_example09186a008019d649.shtml
Please remember to rate helpful responses and identify helpful or correct answers. -
Multiple ethernet network adaptors + MySQL/php5: configuration help needed
I would be grateful if someone could give me some advice on how to configure multiple ethernet adapters under OS X 10.5.6
I have set up my system to work nicely with two ethernet network adapters, each with its own fixed IP. This bit works just fine. The machine supports two separate servers - a mail server and the OS X Apache2 server. I have configured the mail server to only listen to one of the IPs, and the Apache2 server to listen to the other (via httpd.conf). The system also has MySQL and php5 installed / enabled, and these services are only used by the Apache2 server.
The problem I have is that when I start the machine, initially the php5 system cannot connect reliably to the MySQL database system. The fix I have found is to temporarily make the ethernet adapter connected to the mail server 'inactive'. While this is so, the php5/MySQL connection to Apache2 works. Curiously, once an initial connection between php5 and MySQL has been made, subsequently I can make the mail server's ethernet adapter active again without further problems.
I initially thought this might be due to 'service order' issues, but changing the service order (e.g. putting the Apache adapter 'above' the mail adapter in the service order) does not help. The fix only works by making the mail adapter inactive temporarily.
I suspect that there is some configuration change I can make to clarify the setup I have. The MySQL and Apache installations only need to talk to the Apache server - but I am not sure how to record this configuration in the OS X system.
Thanks in advance for any assistance that you can provide.
Message was edited by: Gavin Lawrie -
Quick upload not configured Help
Quick upload not configured. Help: why, and how do I configure it? Host? Username? Password?
I have exactly the same question, using almost the same system: MacBook Pro, OS X Mountain Lion (10.8.3).
What to do? I cannot find an answer for how do I configure? Host, Username? Password? -
SFTP adapter Configuration help:
Dear All,
I am trying to configure SFTP (Seeburger) in SAP PI.
I want to know how to connect the Seeburger SFTP adapter to an SSH server. (I have installed a free SSH server on my laptop.)
How do I connect using the SFTP setting
Authentication Method: Private Key authorisation,
and how do I generate/use the private key?
Please Advice,
Prakash
Edited by: senthilprakash selvaraj on Jan 20, 2010 6:42 AM
Dear All,
I have installed the SSH server and generated the RSA key in Visual Admin, and I have configured the SFTP adapter properly.
Now I have a different issue.
In Communication Channel Monitoring, once I start the channel (SFTP), I am not getting any message. It just says "Channel started" and that's it; nothing else is coming, not even an error. What should I do? Why is it happening like that?
I tried with the authentication mode as Private Key as well as Password; in both cases the configurations are proper.
I also tried refreshing the cache, with no use.
Please help,
Senthilprakash -
Basic Internet Routing Configuration Help -- Cisco 2811
Hi everyone,
I want to start by saying that I brought a Cisco 2811 Router to use at home and to practice advanced networking with. So far, I believe I've configured everything as it should be, however, I am not getting any internet connection.
DHCP is set up and working properly, I can lease addresses without issue.
Both interfaces are configured, fe0/1 with a static IP, and fe0/0 as a DHCP client.
I have connected fe0/0 directly to the Cable modem and it acquires an IP without issue. Connecting my laptop directly into fe0/1 allows my laptop to lease an IP from the router's DHCP server. So I know everything up to there is working properly. I've set up NAT as best I can with what I know, but I am still not getting the router to provide internet access.
The following is my Router's Configuration. Does anything seem to be missing? I used Configuration Professional to set it up.
------------Begin Configuration-------------
Building configuration...
Current configuration : 2570 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Network
boot-start-marker
boot-end-marker
security authentication failure rate 10 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5 $1$4FJS$RQUEiWuTaMOAGhVx1O1Du0
enable password 7 046F03070C291D175F40
aaa new-model
aaa authentication login local_auth local
aaa session-id common
dot11 syslog
no ip source-route
no ip routing
no ip gratuitous-arps
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1
ip dhcp pool Network
import all
network 192.168.100.0 255.255.255.0
dns-server 4.2.2.2 4.2.2.1
lease 7
no ip bootp server
ip domain name Network
ip name-server 4.2.2.2
ip name-server 4.2.2.1
login block-for 5 attempts 5 within 1
multilink bundle-name authenticated
voice-card 0
no dspfarm
username Admin password 7 1526035D5D7C72252B3B
archive
log config
hidekeys
interface FastEthernet0/0
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache
duplex full
speed auto
no mop enabled
interface FastEthernet0/1
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex full
speed auto
no mop enabled
ip forward-protocol nd
ip http server
no ip http secure-server
ip nat pool Network 192.168.100.1 192.168.100.254 netmask 255.255.255.0
ip nat inside source list 101 interface FastEthernet0/0 overload
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list 101 remark INTERNET ACCESS THROUGH NAT
access-list 101 remark CCP_ACL Category=2
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
control-plane
banner motd ^C Welcome! ^C
line con 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
password 7 107D0C1A10051B1F15
login authentication local_auth
transport input telnet
scheduler allocate 20000 1000
end
------------------End Configuration-------------------
Does anything seem amiss? Thank you all in advance for your help!
John
Hi Again,
I sent
dhcp pool Network
default-router 192.168.100.1
to the router and wrote it to config. I still didn't have internet access at first, so I followed John's tip and hooked up my machine to an old Catalyst 2849G switch I had laying around. The switch has no settings, just gets an ip from the router and does its own thing. After doing so, I do now have internet access. I'm using it to post this reply in fact.
Here are the results of ipconfig /all on my Ethernet NIC on my machine before even having the switch:
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : hsd1.ut.comcast.net.
Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
Physical Address. . . . . . . . . : 54-EE-75-27-6F-06
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7cdd:83b5:e603:127e%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.100.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, October 02, 2014 7:57:10 AM
Lease Expires . . . . . . . . . . : Thursday, October 09, 2014 7:57:10 AM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.100.1
DHCPv6 IAID . . . . . . . . . . . : 290778741
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-B2-3D-AF-54-EE-75-27-6F-06
DNS Servers . . . . . . . . . . . : 75.75.76.76
75.75.75.75
NetBIOS over Tcpip. . . . . . . . : Enabled
It seems everything was working as it should, but I didn't have internet access and windows still reported it as an unknown network.
After hooking up my Switch, Windows reported seeing 'Network' (From my router's host name, I presume?) and once I reset the modem, I had internet access.
This was a huge learning experience, and I am glad to have help from all of you. Is there anything else I can do to optimize my configuration? Also, why didn't I have internet access when directly hooked up to FastEthernet0/1, even though my machine acquired an IP and DNS info?
Here is another copy of the running config with today's changes:
---------------------Begin Configuration------------------------
Building configuration...
Current configuration : 2401 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Network
boot-start-marker
boot-end-marker
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$4FJS$RQUEiWuTaMOAGhVx1O1Du0
enable password 7 046F03070C291D175F40
aaa new-model
aaa authentication login local_auth local
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1
ip dhcp pool Network
import all
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
lease 7
no ip bootp server
ip domain name Network
login block-for 5 attempts 5 within 1
multilink bundle-name authenticated
voice-card 0
no dspfarm
username Admin password 7 1526035D5D7C72252B3B
archive
log config
hidekeys
interface FastEthernet0/0
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex full
speed auto
no mop enabled
interface FastEthernet0/1
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex full
speed auto
no mop enabled
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip http server
no ip http secure-server
ip nat pool Network 192.168.100.1 192.168.100.254 netmask 255.255.255.0
ip nat inside source list 10 interface FastEthernet0/0 overload
logging trap debugging
logging facility local2
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
control-plane
banner motd ^C Welcome! ^C
line con 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
password 7 107D0C1A10051B1F15
login authentication local_auth
transport input telnet
scheduler allocate 20000 1000
end
--------------------------End Configuration-------------------------
Let me know if there is anything else you guys need or I should do, I'll be back after classes today. Thanks again!
-John -
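A check worth running on the config above before anything else: `service password-encryption` stores the `enable password`, the `username Admin password` and the vty `password` as type 7 strings, and type 7 is a fixed-key XOR, not a hash. Anyone who can read the running-config (or this post) recovers those passwords in milliseconds; only the `enable secret 5` line is a one-way salted MD5 hash. The Python below is an added example, not part of John's post or of anything Cisco ships. The running-config excerpt embedded in it is constructed for the example in the shape of his config; it is not his config and his strings are not decoded here.

```python
"""Reverse Cisco IOS 'type 7' strings. Added example for the thread above; the
config excerpt below is constructed for it and is not John's running-config.
`service password-encryption` stores passwords with this scheme, which is a
fixed-key XOR, not a hash; only 'enable secret 5' (salted MD5) is one-way."""
import re

# The fixed key IOS uses for type 7. It has been public for decades, which is
# why type 7 protects nothing against anyone who can read the config.
_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
_T7_LINE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)\s*$")


def type7_decode(encoded: str) -> str:
    """'0822455D0A16' -> 'cisco'. The first two digits are a decimal seed (00-15)
    into the key; each following hex pair is one plaintext byte XORed with key[seed+i]."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)
    if not 0 <= seed <= 15:
        raise ValueError("type 7 seed must be 00-15")
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(_XLAT[(seed + i) % len(_XLAT)])) for i, b in enumerate(body))


def type7_encode(plain: str, seed: int = 0) -> str:
    """Inverse of type7_decode. IOS picks the seed itself; here the caller chooses it."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    xored = (c ^ ord(_XLAT[(seed + i) % len(_XLAT)]) for i, c in enumerate(plain.encode("ascii")))
    return f"{seed:02d}" + "".join(f"{x:02X}" for x in xored)


def audit_type7(config_text: str) -> list:
    """Return (config line, recovered plaintext) for every 'password 7' line.
    'enable secret 5' and 'username ... secret' lines are hashes and are skipped."""
    findings = []
    for line in config_text.splitlines():
        m = _T7_LINE.search(line)
        if m:
            findings.append((line.strip(), type7_decode(m.group(1))))
    return findings


# Constructed excerpt in the shape of the config above; every value is made up.
SAMPLE_CONFIG = """\
enable secret 5 <salted MD5 hash, not reversible by this tool>
enable password 7 0822455D0A16
username Admin password 7 03085E1F0B0A2842
line vty 0 4
 password 7 120F110E020A1F17
 transport input telnet
"""

if __name__ == "__main__":
    for line, plaintext in audit_type7(SAMPLE_CONFIG):
        print(f"{line:45} -> {plaintext}")
```

Every line the audit returns is a credential that anyone with a copy of the config now holds. The fix is to drop the type 7 lines rather than re-encode them: `no enable password` (when both exist, `enable secret` already takes precedence, so the type 7 line only leaks), `username Admin secret ...` in place of `password`, and `transport input ssh` on the vty lines, since Telnet sends whatever the vty password is in clear text on every login.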
WDS - Client Configuration Help
Hi All,
I have many AP1252 APs. I have configured WDS on one AP and it authenticates to itself OK, to the locally configured RADIUS server.
state = wlccp_ap_st_registered
The problem is that I do not know where to go from here.
I have followed the docs (Fast Roaming, WDS) but I cannot get very far; in fact I do not think that my clients are even attempting to authenticate with my AP. I have modified the following, taken from the roaming doc:
AP# configure terminal
AP(config)# dot11 ssid fastroam
AP(config-ssid)# authentication network-eap eap_methods
SSID CONFIG WARNING: [fastroam]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.
AP(config-ssid)# authentication key-management cckm
AP(config-ssid)# exit
AP(config)# interface dot11radio0
AP(config-if)# encryption mode ciphers ckip-cmic
AP(config-if)# ssid fastroam
AP(config-if)# exit
AP(config)# end
But something is still not right or missing. I have added users (or at least I think I have, from an authentication point of view) with the username and password set to the MAC of the clients on the local RADIUS server, using the command
ap(config-radsrv)#user xxx password xxx
But I do not understand how this links in with the client. Basically, how do I configure a client to attach using CCKM? Where do I put in a username and password for the network profile? If I pick LEAP, then I am prompted for the username/password, but what username/password is this? Is it the username/password entered with
ap(config-radsrv)#user xxx password xxx
Any help would be much appreciated.
Regards
Hi,
Thank you for reading my post. I have managed to work out how to configure my WDS with usernames and passwords; if anybody else is interested, this is what I did.
dot11 ssid fastroam
authentication open eap method_clients
authentication network-eap method_clients
authentication key-management wpa
(method_clients is basically a method list pointing at the IP of the server providing WDS/RADIUS)
Interface dot11radio 0
ssid fastroam
encryption mode ciphers tkip
no shut
To configure users/passwords
conf t
radius local-server
user testing password testing123
then on client
authentication:
configure LEAP
user: testing
password: testing123
encryption:
tkip
the client should now authenticate to AP/WDS.
The only thing I have not worked out yet is how to configure a backup WDS, nor do I quite understand which of the authentication methods the client is using when it successfully connects.
Please can you advise: when you have a username/password on the RADIUS server, does it mean that any or all clients can use the same username/password, or will the RADIUS server detect that the login is already in use and prevent another attempt? The reason behind my question is what happens if the username/password gets into the wrong hands.
Thanks and Regards -
WRT400N Network Configuration Help
I need some help. I have a little above average knowledge about networking. I was asked by a friend to help her set up a wireless network in a low income senior housing building. This building has three floors. The person who asked me to help had purchased a WRT400N and two Wireless-G Range Expanders (WRE54G). I have tried several times to configure both of the expanders and can only get one connected and working. Even though the one is working it does not really do the job, plus as I have read, using two expanders greatly reduces your signal strength. I am looking here for some input on setting this up with the right equipment, using the WRT400N but not the two expanders. What equipment do I need and how should I set this up? Thanks in advance for your time.
A couple of things to know first off. The Range expanders only work with "G" routers - they will not work with "N" routers. WPA security must be used (not WPA2). Additionally, you'll need to ensure encryption is set to TKIP not AES. All settings on the extender must match the router exactly (SSID, Channel, WPA Key, TKIP, gateway of extender = router IP address).
Also, the extenders are super flaky during setup, especially if you have one of the old ones that can only be set up wirelessly and does not have the ethernet port. Follow these directions exactly. When and how you turn off/on the router and extender makes a difference because of the initial authentication methods when using encryption.
1) Usually to get it to connect you first need to turn off your router (make sure you know all of the settings you'll need for your extender before you do this....SSID, Channel, WPA key, TKIP, gateway of extender = IP address).
2) Then plug in your extender and follow these directions to set it up.
Click Here
3) Then turn off the extender once it has been setup and the configurations have been saved.
4) Then turn the router back on... wait for it to fully boot up (about 2 minutes).
5) Then turn your extender on while it is close to the router (at least the first time).
If you have everything configured exactly the same, they should sync up. You can now unplug the extender and move it wherever you want (so long as it is still in range of the router). Test connectivity by pinging 192.168.1.240. If the extender light is blue and you can ping it you are in business.
Message Edited by bobbodavis on 06-17-2009 05:14 AM -
Hi All,
I have managed to configure an 857W; it connects to the internet and everything is good, except that I can't ping the ethernet group or make any connection from either WAN -> inside or inside -> WAN.
I think I have misconfigured the ethernet side. Can anyone spot my obvious mistakes or help point me in the right direction please? I'm starting to struggle and not getting anywhere fast.
Thanks.
Current configuration : 6485 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
no service dhcp
hostname router
boot-start-marker
boot-end-marker
logging buffered 51200 debugging
no aaa new-model
resource policy
clock timezone AEST 10
clock summer-time DST recurring 1 Sun Oct 2:00 last Sun Mar 2:00
no ip source-route
ip cef
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip tcp selective-ack
ip tcp timestamp
no ip bootp server
no ip domain lookup
ip domain name local
crypto pki trustpoint TP-self-signed-3456743647
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3456743647
revocation-check none
rsakeypair TP-self-signed-3456743647
crypto pki certificate chain TP-self-signed-3456743647
certificate self-signed 01
30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343536 37343336 3437301E 170D3032 30333031 30343135
35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34353637
34333634 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C8C0 2F0C226E A39016D8 181C8C7C 1C09F3DE 66966027 145CE938 87817DF4
FD578BB8 6C1C119A B59DC9B8 EBA15A77 04112226 CC9AFBEE D14769A2 C298709F
613B3A81 666F9C33 65C29F18 90DB8438 D7BE7747 0551B783 2DC7440F CD0F3C02
D9F3A660 EC5F348C 85124AF4 8847B5CA E1173318 902C4AD3 A368E8DD 0B14AF26
AA2B0203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603
551D1104 10300E82 0C726F75 7465722E 6C6F6361 6C301F06 03551D23 04183016
801414F2 F8EA9260 969F01A7 6D984B07 025A3EB8 BE0E301D 0603551D 0E041604
1414F2F8 EA926096 9F01A76D 984B0702 5A3EB8BE 0E300D06 092A8648 86F70D01
01040500 03818100 99BAF8D2 E94CAEF5 3DF534DF 18693926 4C66C54E 93CD2394
F4028A65 8F310381 0A0429C6 137E5D4A CFC8E3C1 97B5C0AA 7F7016F7 1A4EFE6F
9CE37C5D 90CAB283 CDE109C0 60642357 E9E8C181 F85EE9C3 9E34E854 81889917
1E9E92F1 DFA840A2 5A7E287C 1595B5CB EF20CB63 EC4462C4 EDADDA56 9028C8E8
AE81924B D967A5C1
quit
file verify auto
username admin privilege 15 secret 5 blah.
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache policy
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
description $ES_WAN$
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Vlan1
ip address 192.168.10.251 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface Dialer0
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
ip inspect firewall out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username blah blah
ppp ipcp dns request
ppp ipcp route default
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.10.31 3389 interface Dialer0 3389
access-list 1 remark The local LAN.
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.10.251
access-list 102 deny ip any host 192.168.10.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
access-list 102 deny tcp any any eq 445 log
dialer-list 1 protocol ip permit
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 2 in
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
end
Thanks John,
Thanks for your reply. I saw the gateway problem earlier but it didn't help much; here is my current config. Still can't seem to connect to things.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
no service dhcp
hostname router
boot-start-marker
boot-end-marker
logging buffered 51200 debugging
no aaa new-model
resource policy
clock timezone AEST 10
clock summer-time DST recurring 1 Sun Oct 2:00 last Sun Mar 2:00
no ip source-route
ip cef
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip tcp selective-ack
ip tcp timestamp
no ip bootp server
no ip domain lookup
ip domain name local
crypto pki trustpoint TP-self-signed-3456743647
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3456743647
revocation-check none
rsakeypair TP-self-signed-3456743647
crypto pki certificate chain TP-self-signed-3456743647
certificate self-signed 01
30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343536 37343336 3437301E 170D3032 30333031 30343135
35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34353637
34333634 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C8C0 2F0C226E A39016D8 181C8C7C 1C09F3DE 66966027 145CE938 87817DF4
FD578BB8 6C1C119A B59DC9B8 EBA15A77 04112226 CC9AFBEE D14769A2 C298709F
613B3A81 666F9C33 65C29F18 90DB8438 D7BE7747 0551B783 2DC7440F CD0F3C02
D9F3A660 EC5F348C 85124AF4 8847B5CA E1173318 902C4AD3 A368E8DD 0B14AF26
AA2B0203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603
551D1104 10300E82 0C726F75 7465722E 6C6F6361 6C301F06 03551D23 04183016
801414F2 F8EA9260 969F01A7 6D984B07 025A3EB8 BE0E301D 0603551D 0E041604
1414F2F8 EA926096 9F01A76D 984B0702 5A3EB8BE 0E300D06 092A8648 86F70D01
01040500 03818100 99BAF8D2 E94CAEF5 3DF534DF 18693926 4C66C54E 93CD2394
F4028A65 8F310381 0A0429C6 137E5D4A CFC8E3C1 97B5C0AA 7F7016F7 1A4EFE6F
9CE37C5D 90CAB283 CDE109C0 60642357 E9E8C181 F85EE9C3 9E34E854 81889917
1E9E92F1 DFA840A2 5A7E287C 1595B5CB EF20CB63 EC4462C4 EDADDA56 9028C8E8
AE81924B D967A5C1
quit
file verify auto
username admin privilege 15 secret 5 blah
bridge irb
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache policy
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
description $ES_WAN$
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Dot11Radio0
no ip address
encryption mode ciphers tkip
ssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface Dialer0
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
ip inspect firewall out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username blah
ppp ipcp dns request
ppp ipcp route default
interface BVI1
ip address 192.168.10.251 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.10.31 3389 interface Dialer0 3389
access-list 1 remark The local LAN.
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.10.251
access-list 102 deny ip any host 192.168.10.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
access-list 102 deny tcp any any eq 445 log
dialer-list 1 protocol ip permit
control-plane
bridge 1 route ip
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 2 in
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
end
router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C 192.168.10.0/24 is directly connected, BVI1
S* 0.0.0.0/0 is directly connected, Dialer0
router#
Murray -
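Both configs in this thread lean on ACL 101 inbound on Dialer0 plus CBAC (`ip inspect firewall out`) to let return traffic back in, and the first config also applies ACL 102 inbound on Vlan1. A first-match walk of those lists is the check I would make before touching the bridging, because two things fall out of the lines as posted: the static NAT for RDP (`ip nat inside source static tcp 192.168.10.31 3389 interface Dialer0 3389`) can never be reached from the Internet, since an inbound packet is checked against ACL 101 before it is translated and nothing in that list permits port 3389 (CBAC only opens holes for the return half of sessions started from inside); and the last entry of ACL 102, `deny tcp any any eq 445 log`, sits behind `deny ip any any log` and can never match. The Python below is an added example, not part of either poster's config. The ACL entries it embeds are copied from the thread but abridged to the ones exercised; the addresses 203.0.113.5 and 198.51.100.7 are stand-ins for an Internet host and the negotiated Dialer0 address, which the thread never shows.

```python
"""First-match simulator for the numbered IOS access lists in the 857W thread.
Added example, not part of either poster's config. It supports only the syntax
those ACLs use (ip/tcp/udp/gre/icmp, any, host, wildcard masks, eq PORT, the
icmp 'echo' keyword, log) with IOS semantics: first match wins, no match denies."""
import ipaddress
import re
from collections import namedtuple

PORT_NAMES = {"tftp": 69, "netbios-ns": 137, "netbios-dgm": 138}
Entry = namedtuple("Entry", "action proto src dst dport icmp text")
_LINE = re.compile(r"^access-list \d+ (permit|deny) (ip|tcp|udp|gre|icmp) (.+)$")

# Entries copied from the thread's ACL 101 (inbound on Dialer0) and ACL 102
# (inbound on Vlan1 in the first config), abridged to the ones exercised below.
ACL_101 = """\
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
"""
ACL_102 = """\
access-list 102 permit ip any host 192.168.10.251
access-list 102 deny ip any host 192.168.10.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny tcp any any eq 135 log
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny ip any any log
access-list 102 deny tcp any any eq 445 log
"""


def _net(toks):
    """Consume one address spec. Wildcards are inverted by hand: ipaddress reads 0.0.0.0 as /0."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    wc = int(ipaddress.IPv4Address(toks.pop(0)))
    if wc & (wc + 1):  # the one bits must be contiguous from the low end
        raise ValueError("non-contiguous wildcard masks are not supported")
    return ipaddress.ip_network(f"{t}/{32 - wc.bit_length()}", strict=False)


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported line: {line}")
        action, proto, rest = m.groups()
        toks = rest.split()
        src, dst = _net(toks), _net(toks)
        dport = icmp = None
        while toks:
            t = toks.pop(0)
            if t == "eq":
                p = toks.pop(0)
                dport = PORT_NAMES.get(p) or int(p)
            elif t != "log":  # 'log' never changes the match decision
                if proto != "icmp":
                    raise ValueError(f"unsupported keyword {t!r}: {line}")
                icmp = t  # ICMP type keyword such as 'echo'
        entries.append(Entry(action, proto, src, dst, dport, icmp, line.strip()))
    return entries


def evaluate(entries, proto, src, dst, dport=None, icmp_type=None):
    """Return (action, Entry or None) for one packet; None is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto not in ("ip", proto) or s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.icmp is not None and e.icmp != icmp_type:
            continue
        return e.action, e
    return "deny", None


def shadowed(entries):
    """Entries that can never match because an earlier entry covers every packet they would."""
    hits = []
    for i, e in enumerate(entries):
        for prior in entries[:i]:
            if (prior.proto in ("ip", e.proto) and e.src.subnet_of(prior.src)
                    and e.dst.subnet_of(prior.dst)
                    and prior.dport in (None, e.dport) and prior.icmp in (None, e.icmp)):
                hits.append((e, prior))
                break
    return hits


if __name__ == "__main__":
    acl101, acl102 = parse_acl(ACL_101), parse_acl(ACL_102)
    act, hit = evaluate(acl101, "tcp", "203.0.113.5", "198.51.100.7", 3389)
    print(f"Internet -> Dialer0 tcp/3389 (the RDP static NAT): {act} by '{hit.text}'")
    for e, by in shadowed(acl102):
        print(f"unreachable: '{e.text}' is shadowed by '{by.text}'")
```

If the RDP forward is meant to stay, the entry ACL 101 needs is a `permit tcp <known-source> <wildcard> any eq 3389` placed before the final deny, restricted to the addresses that should reach it; an unrestricted `permit tcp any any eq 3389` exposes RDP to the whole Internet. The shadowed-entry check is cheap to run on any numbered ACL before applying it, since IOS gives no warning when a later entry can never match.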
ADFS Claims Authentication, Configuring UPA and People Picker
Hi,
I am just trying to get my head around setting up ADFS to authenticate users along with allowing UPA (My Sites) and People Picker to work.
So, my environment is a WFE and an SQL Server offsite and my AD and ADFS 2.0 server onsite. We have configured SharePoint as below and applied the Claims Provider to my Intranet web app and My Sites web app, and I can log in with my account as [email protected] (UPN).
# Trust the ADFS token-signing certificate (exported public key only)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("E:\ADFS_SelfSigned.cer")
New-SPTrustedRootAuthority -Name "ADFS Self Signed" -Certificate $cert
# Map the incoming claims; UPN is used as the identifier claim
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "Account ID" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$realm = "https://intranet.domain.com.au/_trust/"
$signinurl = "https://adfs01.domain.com.au/adfs/ls/"
$ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "My Custom Identity Provider" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
# ProviderRealms is keyed by the web application URL, and the realm string must not carry a leading space
$uri = New-Object System.Uri("https://mysites.domain.com.au")
$ap.ProviderRealms.Add($uri, "https://mysites.domain.com.au/_trust/")
$ap.Update()
iisreset
When trying to configure a new synchronisation connection > Active Directory Import under the User Profile Service Application, I get an error saying it can't connect to the Domain Controller, which would make sense as they are not on the same domain.
I believe that MS have a sync utility that works with Office365/MS Cloud - is there a similar solution available for my configuration?
AD import still uses LDAP/ADSI... ADFS cannot be used DIRECTLY as a sync source, since it is NOT a QUERYABLE technology. It is an AUTHENTICATION technology. UPS syncs to a QUERYABLE data source like LDAP/ADSI, and maps one of the properties to the ADFS login (most people choose email or UPN, though I tend to recommend SID for various reasons).
Also, since people picker displays a SEARCH window, and since ADFS is not a QUERYABLE technology, the people picker (by default) ASSUMES that whatever you type in will be VALID. You can SEARCH the UPS, but if you type an email address or something of that nature, it is NOT going to SEARCH your directory! To address this, you need to install a custom Identity Provider... one is available on CodePlex, which performs an LDAP search against the domain controller... if that's not an option, you need a custom coded solution.
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Strategic Data Systems - for all your SharePoint needs