Basic Administration Radius configuration on the PIX using 6.2
I am looking for a real basic Radius login configuration for the PIX running 6.2. I just want to be able to have the Radius Server (Steel-Belted) authenticate and account for administrators that access the PIX for doing changes.
Thanks for any help in this issue.
Scott
Here is how I did it in our Cisco 520 PIX firewalls:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 0
aaa-server RADIUS (inside) host radius_server_ip radius_secret_key timeout 5
aaa-server LOCAL protocol local
aaa authentication enable console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
username admin password very_secret_password encrypted privilege 15
Of course, replace radius_server_ip with your own and radius_secret_key with a real one.
In the RADIUS server (I'm using the IAS built into Windows 2000/2003 servers) I just defined a policy to allow only the group "Domain Admins" and added the firewalls as clients, each with its own IP address and secret key.
Don't forget to add a local username and password; should your RADIUS server become unavailable, that will be your last resort to get into the PIX.
Catalin.
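The configuration above makes the PIX send a RADIUS Access-Request from its inside interface and accept the server's answer only if it carries the shared secret. The block below, an added example that is not part of the original post or of any Cisco or Steel-Belted code, simulates both sides of that exchange in-process: the PAP password hiding of RFC 2865 section 5.2, the Service-Type Administrative-User attribute an enable-level login carries, and the Response Authenticator check that makes the NAS drop an Access-Accept forged by someone who does not know the secret. The secret and the username/password are the placeholders from the post; the NAS address 10.0.0.1 and the in-memory user table are assumptions.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_ADMINISTRATIVE = 6          # Service-Type value for admin (enable-level) logins

# Assumed values: the placeholders from the post plus an invented NAS address.
SECRET = b"radius_secret_key"
USERS = {b"admin": b"very_secret_password"}   # constructed user database
NAS_IP = "10.0.0.1"


def _attr(code, value):
    """One type-length-value attribute."""
    return struct.pack("!BB", code, 2 + len(value)) + value


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR the zero-padded password with an MD5(secret + previous block)
    keystream.  This hides the password from a passive observer but is not a MAC: whoever
    captures the request can brute-force the secret offline, so the secret must be strong."""
    n_blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * n_blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, run by the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def parse_attrs(packet):
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        code, length = packet[i], packet[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[code] = packet[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip):
    """NAS (PIX) side: random Request Authenticator, hidden PAP password, admin Service-Type."""
    req_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_ADMINISTRATIVE)))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_respond(request, secret, users):
    """RADIUS server side: check the password, answer Accept or Reject.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[:length])
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, 20) + req_auth + secret).digest()
    return _packet(code, ident, resp_auth, b"")


def client_verify(request, reply, secret):
    """NAS side: accept a reply only if its identifier matches the request and its
    Response Authenticator was computed with the shared secret; otherwise None."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code


def login(username, password, nas_secret=SECRET, server_secret=SECRET, users=USERS):
    """One exchange in-process; nas_secret != server_secret models a misconfigured
    or impersonated RADIUS server."""
    req = build_access_request(7, username, password, nas_secret, NAS_IP)
    rep = server_respond(req, server_secret, users)
    return client_verify(req, rep, nas_secret)


if __name__ == "__main__":
    print("correct password:", login(b"admin", b"very_secret_password"))
    print("wrong password  :", login(b"admin", b"wrong"))
    print("secret mismatch :", login(b"admin", b"very_secret_password", server_secret=b"other"))
```

The third case is the one the LOCAL fallback in the config is for: a reply computed with the wrong secret is discarded, the server counts as failed, and after `max-failed-attempts` the PIX falls through to the local user. Note that the exchange protects the password only with an MD5 keystream, so keep the server on the inside interface as the config does and choose a long secret.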
Similar Messages
-
Hotmail Security, the default configuration through the wizard uses SSL?
I was wondering if there is a way to check the server settings used by the default wizard when you add a Hotmail account to your device (iPad, iPhone or others). The main concern is whether it actually uses SSL encryption or not. I think so and I hope so, but I'm not 100% sure. If you go to check, there's no Advanced tab under Mail/Account/nameofaccount/, so you can't see that. Thanks to everyone!
Should this be a security concern, that I am using the default keystore that comes with the JVM? Is my data still encrypted?
When you say "default keystore", I assume that you mean the "cacerts" file. If so, you're OK. "cacerts" identifies root CAs that your client is willing to trust. Web sites whose site certs are signed by one of the root CAs in cacerts (i.e., Verisign, Thawte, et al.) will be trusted by JSSE.
SSL generates shared-keys anew for each new session. The data used to generate this "shared secret" is protected; unless the Bad Boy between you and the server has access to the SERVER's private key, that info is safe. Your data is encrypted over the wire, and only the destination web-server will be able to decrypt it.
Grant -
Problem in Configuring Dynamic VPN in the pix
Hi All,
I am having a problem configuring a dynamic VPN on my PIX which has the 7.2 version of IOS, but I am able to get the same configuration to work on the PIX which has version 6.3. I just want a user from outside my network, using the VPN client, to access resources inside my network. Below is my configuration. Is it OK, or do I need to do anything more? Please advise me.
ip local pool vpnpool1 192.168.170.1-192.168.170.254
crypto dynamic-map map2 20 set transform-set guatemala1
crypto map map1 20 ipsec-isakmp dynamic map2
crypto ipsec transform-set guatemala1 esp-aes-256 esp-sha-hmac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Guatemalavpn address-pool vpnpool1
vpngroup Guatemalavpn split-tunnel inside_nat0_outbound
vpngroup Guatemalavpn idle-time 36000
vpngroup Guatemalavpn password xxxxxxx
access-list outside_acl permit tcp 192.168.170.0 255.255.255.0 172.19.10.0 255.255.255.0
route outside 192.168.170.0 255.255.255.0 200.30.222.65
access-list inside_nat0_outbound extended permit ip any 192.168.170.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list 102 permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
Try it and tell me if it works:
ip local pool vpnpool1 192.168.170.1-192.168.170.254
access-list inside_nat0_outbound extended permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list acl-inside extended permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
access-group acl-inside in interface inside
nat (inside) 0 access-list inside_nat0_outbound
group-policy Guatemalavpn internal
group-policy Guatemalavpn attributes
wins-server value xx.xx.xx.xx
dns-server value xx.xx.xx.xx
default-domain value mydomain.com
crypto ipsec transform-set guatemala1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 20 set transform-set guatemala1
crypto map map1 20 ipsec-isakmp dynamic map2
crypto map map1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group Guatemalavpn type ipsec-ra
tunnel-group Guatemalavpn general-attributes
address-pool vpnpool1
default-group-policy Guatemalavpn
tunnel-group Guatemalavpn ipsec-attributes
pre-shared-key *
route outside 192.168.170.0 255.255.255.0 200.30.222.65 -
NFS protocol across the Pix firewall
I have a Pix 515E running PixOS version 8.0.4 with two interfaces, inside and outside.
On the inside interface, I have a Redhat Enterprise Linux 5.4 64 bits machine as an NFS server version 4 (NFSv4).
On the outside interface, I have three (3) Redhat Enterprise Linux 5.4 64 bits as NFS clients.
I have the following configuration on the Pix:
static (inside,outside) 4.2.2.2 192.168.1.1 netmask 255.255.255.255
access-list external permit icmp any any log
access-group external in interface outside
At the moment, none of the Linux client machines can mount a share on the NFS server because
my ACL is too restrictive. I would like to be able to open the firewall so that Linux client
machines can mount the NFS server using NFS over UDP or NFS over TCP.
I am looking for the exact UDP and TCP ports to be added to the ACL in order to accomplish
this, from someone who have done this before.
Anyone know how to do this?
Thanks,
I think I just answered my own post. I just need to add about three lines to the configuration:
access-list external permit tcp any host 4.2.2.2 eq 111 log
access-list external permit udp any host 4.2.2.2 eq 111 log
fixup protocol sunrpc 111
Now I can mount the NFS server from my linux machines -
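Why port 111 plus `fixup protocol sunrpc 111` was enough: a v3 mount (the default `mount -t nfs` on RHEL 5) first asks the portmapper on UDP/TCP 111 where nfsd, mountd and the lock manager live, and mountd and lockd usually sit on ports chosen at boot; the PIX reads the GETPORT replies and opens those ports. The block below is an added example, not code from the original thread, that builds the RFC 1833 v2 GETPORT call and parses the reply exactly as they appear on the wire, answered by a constructed in-process portmapper whose registrations (the 20048, 32803 and 32769 ports) are assumptions. Caveat for the poster's NFSv4 server: an NFSv4 mount uses TCP 2049 only and touches neither the portmapper nor the fixup, so for v4 clients a plain `permit tcp any host 4.2.2.2 eq 2049` is the whole rule.

```python
import struct

# SunRPC (RFC 5531) and portmapper v2 (RFC 1833) constants.
CALL, REPLY = 0, 1
RPC_VERSION = 2
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
AUTH_NONE = 0
MSG_ACCEPTED, SUCCESS = 0, 0
IPPROTO_TCP, IPPROTO_UDP = 6, 17
NFS_PROG, MOUNT_PROG, NLM_PROG = 100003, 100005, 100021

# Constructed registration table standing in for the NFS server's portmapper:
# (program, version, protocol) -> port.  Only 2049 is a fixed, well-known port;
# the mountd and lockd ports are assumptions that change from boot to boot.
SAMPLE_PORTMAP = {
    (NFS_PROG, 3, IPPROTO_TCP): 2049, (NFS_PROG, 3, IPPROTO_UDP): 2049,
    (NFS_PROG, 4, IPPROTO_TCP): 2049,
    (MOUNT_PROG, 3, IPPROTO_TCP): 20048, (MOUNT_PROG, 3, IPPROTO_UDP): 20048,
    (NLM_PROG, 4, IPPROTO_TCP): 32803, (NLM_PROG, 4, IPPROTO_UDP): 32769,
}


def build_getport_call(xid, prog, vers, proto):
    """Client -> portmapper on port 111: which port serves prog/vers over proto?"""
    header = struct.pack("!6I", xid, CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack("!4I", AUTH_NONE, 0, AUTH_NONE, 0)   # empty credential and verifier
    args = struct.pack("!4I", prog, vers, proto, 0)          # port field is ignored by GETPORT
    return header + auth + args


def parse_getport_call(msg):
    if len(msg) < 56:
        raise ValueError("short RPC call")
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", msg[:24])
    if (mtype, rpcvers, prog, vers, proc) != (CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
        raise ValueError("not a portmap GETPORT call")
    t_prog, t_vers, t_proto, _port = struct.unpack("!4I", msg[40:56])
    return xid, t_prog, t_vers, t_proto


def portmapper_reply(call, table):
    """Portmapper -> client: the registered port, or 0 when nothing is registered."""
    xid, prog, vers, proto = parse_getport_call(call)
    port = table.get((prog, vers, proto), 0)
    return struct.pack("!7I", xid, REPLY, MSG_ACCEPTED, AUTH_NONE, 0, SUCCESS, port)


def parse_getport_reply(reply, expected_xid):
    """What the sunrpc inspection reads out of the reply: the port to pinhole."""
    if len(reply) < 28:
        raise ValueError("short RPC reply")
    xid, mtype, rstat, _vflavor, _vlen, astat, port = struct.unpack("!7I", reply[:28])
    if xid != expected_xid or mtype != REPLY or rstat != MSG_ACCEPTED or astat != SUCCESS:
        raise ValueError("portmap call not accepted")
    return port


def learn_pinholes(table, xid0=0x1000):
    """The (protocol, port) pairs a v3 mount needs opened besides 111 itself:
    nfsd, mountd and the lock manager, over TCP and UDP."""
    wanted = [(NFS_PROG, 3, IPPROTO_TCP), (NFS_PROG, 3, IPPROTO_UDP),
              (MOUNT_PROG, 3, IPPROTO_TCP), (MOUNT_PROG, 3, IPPROTO_UDP),
              (NLM_PROG, 4, IPPROTO_TCP), (NLM_PROG, 4, IPPROTO_UDP)]
    holes = []
    for i, (prog, vers, proto) in enumerate(wanted):
        xid = xid0 + i
        call = build_getport_call(xid, prog, vers, proto)
        port = parse_getport_reply(portmapper_reply(call, table), xid)
        if port and (proto, port) not in holes:
            holes.append((proto, port))
    return holes


if __name__ == "__main__":
    for proto, port in learn_pinholes(SAMPLE_PORTMAP):
        print("tcp" if proto == IPPROTO_TCP else "udp", port)
```

The inspection opens whatever port the server's reply names, which is why the ACL in the post restricts port 111 to the single host 4.2.2.2 rather than `any`: only that server's portmapper gets to tell the firewall what to open.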
I purchased a 3TB Airport Time Capsule to use with my Mac running the latest Mavericks. After 8 hours I have been able to configure the box using an Ethernet connection, but now I want to move my current backups from my small drive and it wants authentication, but no box is available to provide my administrator name. Can anyone help?
I overcame the permissions by allowing both paths to have read and write access to anyone, but that didn't solve it until I copied it into the DATA directory which I created on the Airport Time Capsule.
I had already discovered the TIME MACHINE "How to transfer backups", but I am still struggling with the item and cannot currently get it to work. My setup seems to have created a wireless link to my router, which is what I wanted, and in that setup there are three options. I have simply gone for the extension of my network. I ignored the other option there which I cannot remember, something like DNS? That may be the problem, because when I remove the Ethernet connector it just doesn't go anywhere.
I have also found I cannot update my TIME MACHINE software (currently 1.3), as although Apple tell me I should be able to set backups hourly, daily or weekly, I have only ever been able to run it hourly, when I would prefer longer intervals, so I thought an update might be necessary.
Also tried to get an update for my Airport Utility (currently 6.3.2) but cannot find one, even though I have read there might be one available, and again this might be the problem.
Have reset the Time Capsule now about a dozen times.
Following the instructions and trying to copy my existing backup, it suggests you need to copy it to the root directory, but that is when I get some sort of security issue, and I found I could only get it to accept if I dragged my .backupdb to the DATA directory on the Time Capsule. I don't even know, if I do this, whether it will work when I come to use it.
I therefore found your reply of no more help than what I had discovered, but I hope you return to read this note because I really do need some help.
I am intending to start again in the next couple of days and fully document what I do and what I see, and then, as I suspect it will be no different, I will seek an appointment at the Apple Store in the Trafford Centre, and if that proves unsuccessful then I still have time to return and become a dissatisfied customer with Apple for the first time in a long experience with Apple. I have noticed frightening notes in the conversations which point to problems of Mavericks working with Airport Time Machine!! So in the end it might not be me doing anything wrong. Unfortunately you do feel left out in the dark sometimes; that is why I hope you can respond with a solution? -
Hi
Here is the situation:
I have a farm with 3 servers (W2012R2) in a domain:
Server1: RD Session Host, Connection Broker, RD Web Access
Server 2: RD Session Host, Connection Broker (Passive)
Server3: RD Session Host
2 DNS aliases:
- poc.mydomain.local (used for the RD Web Access and points to Server1)
- poccb.mydomain.local (used for the Connection Broker and points to Server1)
I have set up the Connection Broker in HA with Server2 as passive server: DNS round robin poccb.mydomain.local (Server1)
The Certificate Manager has generated 2 CA certificates:
- 1 for the RD Web Access (poc.mydomain.local)
- 1 for Connection Broker SSO and for publishing
I have created 1 Group Policy for these 3 servers and 1 GP for my client Windows 7 SP1.
Server GPO :
Computer/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
Always prompt for password upon connection=Disabled
Require use of specific security layer for remote (RDP) connections : SSL (TLS 1.0)
Set client connection encryption level : High Level
Client GPO
Computer/Administrative Templates/System/Credentials Delegation = Allow delegating default credentials (Concatenate OS defaults with input above)
TERMSRV/POCCB.mydomain.local
I use no Gateway and in my collection,I have activated SSL (Like in my Server GPO)
I have now problem with SSO.
Connection with remote desktop client with server name = poccb.mydomain.local
Your system administrator does not allow you the use of default credentials to log on to the remote computer poccb.mydomain.local because its identity is not fully verified
If in my client GPO I add the physical name of the 3 servers, it works :
TERMSRV/Server1
TERMSRV/Server2
TERMSRV/Server3
Open RDP Files with server name = poccb.mydomain.local
if my connection broker connects me on Server1 , no problem
But If I arrive on Server2 & Server 3=
Your system administrator does not allow the use of default credentials to log on to Work Resources
I have searched on internet. No result for " to log on to Work Resources"
Any idea? Thanks for your help
Hi,
Thank you for posting in Windows Server Forum.
First, check that your user is using domain\username to enter the credentials in the dialog box.
Now, for a try, you can edit the .rdp file with Notepad and just place the line “enablecredsspsupport:i:0” in it, save it and launch it to check whether you are facing the same issue.
As you are using Windows 7, upgrade to RDP 8.1. Also, you have already entered the FQDN of the server under “Allow delegating default credentials”; for a try, please enable and configure all the remaining settings as follows and check the result.
Start / Run / gpedit.msc / Computer Configuration / Administrative Templates / System / Credentials Delegation, and make sure you have the following four options enabled and configured:
Allow Delegating Default Credentials with NTLM-only Server Authentication
Allow Delegating Default Credentials
Allow Delegating Saved Credentials
Allow Delegating Saved Credentials with NTLM-only Server Authentication
Finally, open a command prompt and use “gpupdate /force” command to apply the policy directly.
More information:
Remote desktop credentials did not work
Hope it helps!
Thanks.
Dharmesh Solanki -
I am trying to install the OS X Mavericks upgrade on my Mac and it requests that I enter an administrator password. I do not use an administrator password on the machine. Any ideas how to resolve this?
If you bought the machine new yourself, and did not enter a password when configuring it, leave the field blank.
If you bought it used, then you need to reset the password, as described here:
Apple Article to reset the password -
Use case of FQDN parameter in CPPM -- Administration -- Server Configuration
Q: What is the difference between 'FQDN' & 'Hostname' parameter available in the ClearPass Server configuration?
A: The FQDN parameter is primarily used for SSO functionality with any external IDP servers. We can configure the VIP hostname of a ClearPass cluster to be the FQDN.
The 'Hostname' parameter in Administration --> Server Configuration does not need to be an FQDN; we can specify any user-defined name. If we need to join the ClearPass cluster members to the same Active Directory domain, then the hostnames should be different. Otherwise, it will create duplicate computer/machine accounts for the ClearPass servers in the Domain Controller and may lead to PEAP-EAP-MSCHAPv2 authentication issues/failures for the clients against Active Directory.
-
You could use regular expressions to try to strip the "+" from your form variables, but wouldn't it be easier to just have the select field display +5 and then just pass "5", and not use the plus character in your database or in your passed variables? Special characters in your passed variables are always a potential headache.
Lawrence *Adobe Community Expert*
www.Cartweaver.com
Complete Shopping Cart Application for
Dreamweaver, available in ASP, PHP and CF
www.twitter.com/LawrenceCramer -
Hi
In BO 4.0 SP 9 when a administrator tries to schedule a report via CMC there is no error
But when a user schedules a report and the destination is FTP location -> Use default settings he gets following error
Destination disabled. []: [CrystalEnterprise.Ftp]. Please note the name of the job server used for your request and contact your system administrator to make sure the specified destination is enabled. (FWB 00031)
There is only one Job Server and the destinations are enabled in it
There is no Job server for Crystal Reports Job Server
Do I need to create it, and how?
Please check if you have the proper rights to schedule to FTP. You can create a new job server; whenever you schedule, if there are multiple job servers, it will handle based on the load. But it is not mandatory; it depends on the load.
-
I have SLS 10.6 running on my local network with DNS configured.
I can access the server from a client on the lan using server.local or server.domain where domain name is my publically registered domain,
From the internet I can access my server using the registered domain name i.e. www.domain.com.
Is it possible to set my server up so that www.domain.com also reaches the server when used by a client locally? At present I get a page not found error.
The configuration you're aiming for is called split-horizon or split-brain DNS, and it's quite possible. It can get slightly hairy when you have different stuff using the same host name for different purposes, for instance, and you'll need to track all external DNS entries in your internal DNS server when you're running "split".
Here is how to set up DNS services. Split-horizon is one of the options listed there.
My preference is to use a different domain or subdomain within the network, and to avoid using split-horizon where I can reasonably manage it. One domain name is configured for and reachable outside and is effectively public, and the other domain (or a subdomain) is inside and private and only reachable directly or via VPN, for instance. -
Revision: 3519
Author: [email protected]
Date: 2008-10-08 04:17:40 -0700 (Wed, 08 Oct 2008)
Log Message:
Fix typo in error string for situations where there are advanced messaging configuration settings from LCDS used in the configuration files but no AdvancedMessagingSupport service. The error string said that there was no flex.messaging.services.AdvancedMessagingService registered but it is the flex.messaging.services.AdvancedMessagingSupport service that needs to be registered.
Add configuration test that starts the server with a destination that has the reliable property set which is an advanced messaging feature but there is no AdvancedMessagingSupport service registered.
Modified Paths:
blazeds/trunk/modules/common/src/flex/messaging/errors.properties
Added Paths:
blazeds/trunk/qa/apps/qa-regress/testsuites/config/tests/messagingService/ReliableDestinationWithNoAdvancedMessagingSupport/
blazeds/trunk/qa/apps/qa-regress/testsuites/config/tests/messagingService/ReliableDestinationWithNoAdvancedMessagingSupport/error.txt
blazeds/trunk/qa/apps/qa-regress/testsuites/config/tests/messagingService/ReliableDestinationWithNoAdvancedMessagingSupport/services-config.xml
-
Hi,
Unfortunately I already tried all kinds of re-installs (the full list is in my original message). The only one remaining is the reinstall of Windows 8 itself, which I would really like to avoid.
What I find really strange is the time it takes for the above error message to appear. It's like one hour or even more (never measured exactly, I left the computer running).
What kind of a timeout is that? I would expect that, if ports are really used by some other application, I get the message in less than a minute (seconds, actually). To me this looks like the emulator itself for some reason believes there's a problem with
some port while in reality there isn't.
I'll eventually contact Microsoft Support, thanks for the suggestion.
-
Anyone succesfully configured a LinkSys WRT54G using a G5 tower for the IPh
Hi,
Anyone succesfully configured a LinkSys WRT54G using a G5 tower for the IPhone?
If so, could you please give me the router configuration?
As my Wi-Fi network won't even show up on the iPhone.
Thanks
SvK
I have that same router and the iPhone found it with no problem.
I wish I could be more of a help. Try accessing your router's settings. -
If iPad mini has the basic iPad 2 hardware, why can't use Siri on iPad 2?
Wrong on all counts. Well except for the A5 post.
The 3rd Generation iPad and iPhone 4s both have an Audience chipset for noise suppression/voice recognition that the iPad 2 et. al. do not have. The iPhone 5, 5th Generation iPod Touch, 4th Generation iPad and iPad Mini are using a different type of hardware based noise suppression/voice recognition that is an improvement over the Audience chipset (hope you didn't have Audience stock). -
How can I configure Mac Mail to use the correct SMTP server?
I have successfully set up Mac Mail to use a new e-mail account. Inbound and outbound mail is working just fine. However, I am seeing something odd when I create a new message or reply to an existing message. The outbound account that shows is not that which has been configured for the account. I can manually select the correct outbound account.
What are my troubleshooting steps?
One of the first things to check is in Mail Preferences, Composing:
-
Is it possible to delete message in the server using Mail configured using IMAP?
Currently when I delete the message in Mail, the server still keep a copy of it, which means it is not deleted on the server. I know that POP can do this but I still want the option of being able to access it from other computers.
My server has only a small size, so I hope that I can just delete it from my Mail instead of having to log in to the server and delete it again.
Thank you.
yxchng wrote:
Is it possible to delete message in the server using Mail configured using IMAP?
Yes, but doing so will remove it from everything else.