Client AAA Authentication Failure
Hi, I have configured a WLAN for AAA authentication and have configured AAA/Radius authentication on the WLC, however the clients don't get authenticated when they try to join. I have run a debug and I am getting an authentication rejected message from the radius server. Below is the output.
Access-Challenge received from RADIUS server 10.24.12.32 for mobile x.x.x.x receiveId = 5
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Processing Access-Challenge for mobile x.x.x.x
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x WARNING: updated EAP-Identifier 1 ===> 27 for STA x.x.x.x
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Sending EAP Request from AAA to mobile x.x.x.x (EAP Id 27)
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAPOL EAPPKT from mobile x.x.x.x
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAP Response from mobile x.x.x.x (EAP Id 27, EAP Type 3)
*aaaQueueReader: Nov 18 15:52:47.935: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Nov 18 15:52:47.935: x.x.x.x Successful transmission of Authentication Packet (id 76) to 10.24.12.32:1812, proxy state x.x.x.x-00:00
*radiusTransportThread: Nov 18 15:52:47.938: ****Enter processIncomingMessages: response code=3
****Enter processRadiusResponse: response code=3
*radiusTransportThread: Nov 18 15:52:47.938: x.x.x.x Access-Reject received from RADIUS server 10.24.12.32 for mobile x.x.x.x receiveId = 5
Thanks for the reply, I checked the logs and it shows the correct username who has attempted to login and then for the same user it shows the machine name trying to login. Could it be something to do with the client's configuration?
Are there any specific configs that need to be made on the clients, which are mostly Windows-based devices? The user doesn't get prompted to enter a username or password even when 802.1X is selected for the authentication.
Similar Messages
-
I just moved from a Windows 2003 IAS server over to Windows 2008 NPS and I am getting this message on the WLC: AAA Authentication Failure for UserName:VESLABCT10_15DO\Administrator User Type: WLAN USER. This is a test user. I double checked the password both for NPS and WLC. It worked great under Windows 2003 IAS. I installed certificate services on the Windows 2008 and exported the certificate and installed the certificate on the client. Any suggestions?
Maybe check in the NPS logs for the reason for the failure? WLC is just a forwarder in this case :-)
-
Annoying 'fake' aaa authentication failure
Hi
Got some new 3750x running c3750e-universalk9-mz.150-2.SE5.bin. They have identical aaa configs to other switches running 15 code (4948e) doing LOCAL device user authentication for VTY SSH access.
Relevant bits are:
username xxx privilege NN secret yyy
aaa new-model
aaa authentication login VTY local
aaa authorization config-commands
aaa authorization exec VTY local
aaa authorization commands 15 VTY local
aaa session-id common
line vty 0 4
session-timeout 10
access-class 23 in
authorization commands 15 VTY
authorization exec VTY
login authentication VTY
transport input ssh
For some reason, on SSH to the device, the login banner comes up but the password: prompt takes a few seconds. At the same time some authfail logs are seen even though I haven't yet had a chance to login/enter the password. Once the correct password is entered, authentication is always (correctly) successful.
This does not occur on the older code (12.2) or on the 4948e with 15.0 code.
It is annoying as we collect audit syslogs and every login where local is used generates one or more fails before a success.
Is there something obscure in 15.0+ code that changes LOCAL aaa behaviour?
Telnet works differently anyway in that you login with a username/password. With ssh, I am passing the username.
I did enable telnet anyway and this works without failure
Log I get is a straightforward fail. The issue must be to do with the ssh handshake and passing of username and the behaviour has changed on some code bases. I've noticed the ASR1000 with 15.0 do the same. It is annoying due to filling up audit logs with 'rubbish'
May 13 09:58:52.926: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 09:58:52 UTC Tue May 13 2014 -
Web Auth with AAA (RADIUS) Failure
Hi Guys,
We are having an issue with our Web Auth using AAA servers. We get the following error: AAA Authentication Failure for UserName:14t.park User Type: WLAN USER. This error is from the web interface. I have been looking at the debug settings to see if there is anything that might give me more detail of what is going on, but I can't see anything under the Web-Auth debug for AAA authentication.
I have checked on our RADIUS servers and I can't find any errors relating to authentication with the NPS.
Does anyone have any suggestions?
Machine credentials require a lookup on the computer OU and that has to be defined on the client side.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered" -
Aaa authentication enable default group tacacs+ enable
I am implementing CSACS 4.0. First on the client, I will apply aaa authentication/authorization under vty. The issue is, if I use the following command
aaa authentication enable default group tacacs+ enable
what will happen if I login via console? Will I be required to enter any username/password?
Below is my configuration
aaa new-model
aaa authentication login authvty group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 authvty group tacacs+ local
tacacs-server host IP
tacacs-server key key
ip tacacs source-interface Vlan3
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting exec authvty start-stop group tacacs+
aaa accounting commands 15 authvty start-stop group tacacs+
aaa accounting connection authvty start-stop group tacacs+
line vty 0 15
login authentication authvty
authorization commands 15 authvty
accounting connection authvty
accounting commands 15 authvty
accounting exec authvty
Any suggestion will be appreciated!
It should work because this is a message/banner prompt every time you try to login (console/vty). I have it configured on my router.
If you have a banner motd, it will be displayed as well (see below). So I have to remove it to get only the aaa banner & prompt displayed:
*** Username: cisco, Password: cisco (priv 15f - local) ****
Unauthorized use is prohibited.
Enter your name here: user1
Enter your password now:
Router#
The config more or less looks like:
aaa new-model
aaa authentication banner ^CUnauthorized use is prohibited.^C
aaa authentication password-prompt "Enter your password now:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default group radius
aaa authentication login CONSOLE local
HTH
AK -
Hi.
I'm using SCOM 2012 R2 and have imported the Exchange server 2010 MP.
I have run the TestCasConnectivityUser.ps1 script and almost everything is okay except for the OWA test login.
The OWA rule is working for some time until (I think) SCOM does an automatic password reset of the extest_ account. Then I get the OWA error below. The other connectivity tests are working. Any suggestions?
One or more of the Outlook Web App connectivity tests had warnings. Detailed information:
Target: xxx|xxx
Error: The test couldn't sign in to Outlook Web App due to an authentication failure.
URL: https://xxx.com/OWA/
Mailbox: xxxx
User: extest_xxx
Details:
[22:50:08.936] : The TrustAnySSLCertificate flag was specified, so any certificate will be trusted.
[22:50:08.936] : Sending the HTTP GET logon request without credentials for authentication type verification.
[22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
[22:50:09.154] : The sign-in page is from ISA Server, not Outlook Web App.
[22:50:09.154] : The server reported that it supports authentication method FBA.
[22:50:09.154] : This virtual directory URL type is External or Unknown, so the authentication type won't be checked.
[22:50:09.154] : Trying to sign in with method 'Fba'.
[22:50:09.154] : Sending HTTP request for logon page 'https://xxx.com/CookieAuth.dll?Logon'.
[22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
[22:50:09.373] : The test couldn't sign in to Outlook Web App due to an authentication failure.
URL: https://xxx.com/OWA/
Mailbox: xxx
User: extest_xxx
[22:50:09.373] : Test failed for URL 'https://xxx/OWA/'.
Authentication Method: FBA
Mailbox Server: xxx
Client Access Server Name: xxx
Scenario: Logon
Scenario Description: Sign in to Outlook Web App and verify the response page.
User Name: extest_xxx
Performance Counter Name: Logon Latency
Result: Skipped
Site: xxx
Latency: -00:00:00.0010000
Secure Access: True
ConnectionType: Plaintext
Port: 0
Latency (ms): -1
Virtual Directory Name: owa (Default Web Site)
URL: https://xxx.com/OWA/
URL Type: External
Error:
The test couldn't sign in to Outlook Web App due to an authentication failure.
URL: https://xxx.com/OWA/
Mailbox: xxx
User: extest_xxx
Diagnostic command: "Test-OwaConnectivity -TestType:External -MonitoringContext:$true -TrustAnySSLCertificate:$true -LightMode:$true"
EventSourceName: MSExchange Monitoring OWAConnectivity External
Knowledge:
http://go.microsoft.com/fwlink/?LinkID=67336&id=CB86B85A-AF81-43FC-9B07-3C6FC00D3D42
Computer: xxx
Impacted Entities (3):
OWA Service - xxx, xxx - xxx, Exchange
Knowledge: View additional knowledge...
External Knowledge Sources
For more information, see the respective topic at the Microsoft Exchange Server TechCenter
Thanks
MHem
Hi,
Based on the error, it looks like an OWA authentication failure.
Have you tried posting this to the Lync forums?
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
CLIENT-CERT authentication in WL7
Hi,
I'm trying to enforce two-way authentication for clients (java applications) accessing a web service running on WL7.
Web service is configured to accept requests over https only. With BASIC authentication it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure the server doesn't produce client certificate request. May it be the cause of the problem? If so, how can I make the server to generate client cert request?
Exactly, it was the reason. Thanks.
Marcin
On 14 Nov 2003 10:29:39 -0700, Pavel <[email protected]> wrote:
You must have been accessing the server over one-way SSL. Make sure the two-way ssl server attribute is set to: Client Certificate Enforced, or Client Certificate Requested But Not Enforced.
This should be all that is needed to make the server send the certificate request.
With Client Certificate Enforced option you should be getting ssl handshake failure unless the client sends its certificate.
Pavel.
yazzva <[email protected]> wrote:
Yes, I have. If I had not done it, I couldn't have accessed the service via https using basic authentication, and of course ssl debugging information and server configuration show that ssl is configured properly.
The problem is that WL7 doesn't generate client cert request. Thanks for an attempt to help.
Have you configured the server for two way ssl?
See
http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1029705
http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1168174
for information on this.
Pavel.
"yazzva" <[email protected]> wrote:
Hi,
I'm trying to enforce two-way authentication for clients (java applications) accessing a web service running on WL7.
Web service is configured to accept requests over https only. With BASIC authentication it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure the server doesn't produce client certificate request. May it be the cause of the problem? If so, how can I make the server to generate client cert request?
--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/ -
Authentication Failure (Password Mismatch)
Hi there.
I am having a nightmare trying to get my web server working under Snow Leopard. To cut a long story short the server died and I had to restore it using a disk image before I migrate it to a new mavericks server. For obvious reasons I'd like to get everything working before I migrate.
Whenever a users tries to access a secure page (mainly for svn access) they get rejected. If I try to access the page via safari/chrome I get a pop up window asking for a username and password. If the user enters their correct name and password it is constantly rejected (the name and password work elsewhere for email etc).
In the logs on the server I get:
[Wed Feb 05 16:34:33 2014] [error] [client 192.168.0.56] mod_auth_apple: User XXX authentication failure for "/xxx/xxxxxx": Password mismatch according to checkpw
[Wed Feb 05 16:34:33 2014] [notice] [client 192.168.0.56] mod_auth_apple: Authenticating using lookupd or checkpw failed, and no configured htaccess file (AuthUserFile)
If in Versions I try to refresh the svn repository I get:
OPTIONS of 'https://[email protected]/svn/project'://[email protected]/svn/project': authorization failed: Could not authenticate to server: rejected Basic challenge (https://server.name.com)
I am also having issues with iCal Server and AFP which makes me think there is some authorisation service which is corrupt/broken?
Any help MOST appreciated as I am tearing my hair out here!
Yours,
Nic
Ok, something I have worked out by a bit of trial and error.
NEVER run a server with two HDDs both with clones/installs of Mac OS.
My server had the internal (faulty HDD) with the original server install called Macintosh HD. The clone was on a USB drive called SnowLeopardServer_Backup.
Now for the most part the server worked (because most stuff uses Unix and proper paths). However it looks like all of Apple's stuff (Web services, iCal server and AFP) use the full path, or at least components of them do. So because the server was originally set up on an HDD called Macintosh HD I can only suspect that it was freaking out by 1) now being on an HDD called something else and 2) that there was another HDD there called Macintosh HD.
I have now renamed my old HDD to something else and renamed all the OS folders in it to something different too. I also renamed the clone drive to Macintosh HD.
So far I turned on Web services and AFP and they work perfectly I have not turned on iCal yet as I want to ensure each service is working before turning on another.
Also finally got the holy grail of the Kerberos and Open Directory triangle working. I thought that the iCal/Web/AFP not working with accounts was Open Directory related so I backed it up (and WGM), changed to standalone and then tried to go back to a Master. It complained about the DNS not being set up and I finally found a post saying that you need to have your DNS set to point at 127.0.0.1 in the System Preferences > Network settings. I changed that and boom, no more complaints about bad DNS.
Nic. -
NAS configure with 2 ip address failed on AAA authentication
I have routers configured with 2 bvi interfaces for dlsw.
When I configure NAS setting with 2 ip address, sometime the AAA authentication failed to prompt for user authentication.
Should I used ip tacacs source-interface?
If I configure only one, and that interface is down, then I will not be authenticated using AAA even if the second bvi interface is up.
Chee
The AAA server identifies the client by a single IP address and the client always needs to use that address as the source address. If you have 2 BVI interfaces it may be that sometimes the source address is one and sometimes the source address may be the other. That would account for the fact that sometimes it prompts for user authentication and sometimes it does not prompt.
If using 1 BVI as the source address creates the potential that sometimes it might not work because that interface was down but the other BVI was up, then perhaps you should consider configuring a loopback address and using the loopback address as the source address. If the loopback was the source address then it would not matter which BVI might be up and which might be down.
HTH
Rick -
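Rick's point, that the AAA server knows the NAS only by one source address, is easy to see in a small model of the RADIUS exchange (RFC 2865). The following is an added example written for this page, not code from the thread, from Cisco, or from any RADIUS implementation: the shared secret, the user store, the NAS addresses and the fixed Request Authenticator are all constructed, and the same lookup-by-source-address applies to a TACACS+ server even though the packet format modelled here is RADIUS.

```python
import hashlib
import struct

# RADIUS codes and attribute types from RFC 2865 (only the ones this model needs).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _attr(atype, value):
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block          # chaining uses the hidden block
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth):
    """NAS side. request_auth is the 16-byte Request Authenticator (random on a real NAS)."""
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet, src_ip, nas_clients, users):
    """Server side. The shared secret is looked up by the packet's source IP; a request from an
    unknown NAS is silently discarded (returns None), otherwise (code, reply_packet) is returned."""
    secret = nas_clients.get(src_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME)
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    reply_code = ACCESS_ACCEPT if user in users and users[user] == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)          # reply carries no attributes
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return reply_code, header + response_auth


def nas_verify_reply(reply, request_auth, secret):
    """NAS side: a reply whose Response Authenticator does not verify is discarded."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return reply[4:20] == expected


def demo():
    """The two-BVI scenario: only one address (say, a loopback) is registered on the server."""
    secret = b"example-shared-secret"                 # constructed
    nas_clients = {"10.0.0.1": secret}                # constructed NAS table, keyed by source IP
    users = {b"alice": b"correct horse"}              # constructed user store
    req_auth = bytes(range(16))                       # fixed for reproducibility
    good = build_access_request(42, b"alice", b"correct horse", secret, req_auth)
    bad_secret = build_access_request(43, b"alice", b"correct horse", b"other-secret", req_auth)
    return {
        "from_registered_source": server_handle(good, "10.0.0.1", nas_clients, users),
        "from_unregistered_bvi": server_handle(good, "10.0.0.2", nas_clients, users),
        "secret_mismatch": server_handle(bad_secret, "10.0.0.1", nas_clients, users),
        "request_auth": req_auth,
        "secret": secret,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A request arriving from the unregistered BVI address is dropped before any reply is built, which on the router shows up as a timeout with no prompt rather than a reject; pinning the source to a registered loopback removes the dependence on which BVI happened to carry the packet. The secret-mismatch case is included because it produces the other common symptom, a reject for a valid password, since the server decrypts User-Password with the wrong key.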
AAA authentication for networking devices using ACS 4.1 SE
Hi!!!
I want to perform AAA authentication for networking devices using ACS 4.1 SE.
I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
I want telnet, SSH and console attempts to be verified by the RADIUS server, and if ACS goes down then via the local enable password.
For all users i need to have different privilege levels based upon which access will be granted.
Could you please send me the config that is required on the active devices as well as ACS!!!!
Pradeep,
Are you planning MAC authentication for some users while using EAP for others?
For MAC authentication, just use the following in your AP.
aaa authentication login mac_methods group radius
In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
In your SSID configuration, under client authentication settings,
check "open authentication" and also select "MAC Authentication" from the drop-down list.
If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
You will not need to change anything in XP.
NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
HTH -
AAA Authentication for Traffic Passing through ASA
I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled, access functions as expected. When I enable it, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificate. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
Am I missing something?
firewall# show run aaa
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication match guestnetwork_access guestnetwork RADIUS
aaa authentication secure-http-client
firewall# show access-li guestnetwork_access
access-list guestnetwork_access; 2 elements
access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
firewall# show run aaa-s
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.250.14
key xxxxx
firewall# show run http
http server enable
Your definition for the aaa-server is different to the aaa authentication server-group.
try
aaa authentication http console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL -
Mails need to be triggered when clients fail authentication
CISCO 4404 ALERTS TO BE GENERATED (mail has to be triggered) WHEN WLAN CLIENT AUTHENTICATION FAILS.
Are there any options on WCS to enable alerts on Authentication Failure?
I have already Enabled
1.Client authentication failure Alarm and Authentication failure reported by controller & configured both severity to Critical.
We are currently using Wireless Control System Version 5.1.64.0
I assume you mean you changed the severity for "Client authentication failure" to Critical under Administration > Settings > Severity Configuration?
Did you also go to Monitor Alarms > pulldown and choose Email Notification and enable the Clients category with the checkbox and then click the Clients category and check the critical box and add your email address?
Have you verified that a test mail works from Administration > Settings > Mail server? -
Rman tivoli failure: create sequential file, Authentication Failure
New db instance, not writing to tape.
DB is 10.2.0.4
run {
allocate channel sbt_backup1 type 'SBT_TAPE' format '%U' parms 'ENV=(TDPO_OPTFILE=/usr/tivoli/tsm/client/oracle/bin64/tdpo_mydb.opt)';
backup tablespace users;
release channel sbt_backup1;
}
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on sbt_backup1 channel at 10/02/2009 11:17:42
ORA-19506: failed to create sequential file, name="0tkqpi6l_1_1", parms=""
ORA-27028: skgfqcre: sbtbackup returned error
ORA-19511: Error received from media manager layer, error text:
ANS1025E (RC137) Session rejected: Authentication failure
Settings
/usr/tivoli/tsm/client/oracle/bin64
dsm_mydb.opt
SErver_name MYDBPRD
tdpo_mydb.opt
DSMI_ORC_CONFIG /usr/tivoli/tsm/client/oracle/bin64/dsm_mydb.opt
TDPO_NODE MYDBPRD
/usr/tivoli/tsm/client/api/bin64
dsm.sys
NODENAME MYDBPRD
ERRORLOGNAME /usr/local/tsm/logs/IFSDBS_MYDBPRD_error.log
SCHEDLOGNAME /usr/local/tsm/logs/IFSDBS_MYDBPRD_sched.log
Note: Several db/clients are working on this server. This is a new setup and not working.
This is not an Oracle/RMAN problem, contact your TSM administrator:
http://www-01.ibm.com/support/docview.wss?uid=swg21216057
Werner -
WAP321 Authentication failure log codes
Devices that have previously connected to the WAP are still able to connect but any new device to the environment is not. If I delete the network from an existing device that device is no longer able to authenticate and connect to the WAP. Log entries below show the following errors for a single MAC. This happened once before and to solve the issue I reentered the key into the SSID setup on the WAP. All devices had to delete the existing SSID from their list of networks but then they were able to rejoin. I don't want to ask users to do that again. Any help on the log entries below is greatly appreciated!
Jul 19 2013 01:42:34 info hostapd[1078] wlan0: IEEE 802.11 STA 90:18:7c:b1:79:ea deauthed from BSSID c4:64:13:0c:e3:00 reason 1
Jul 19 2013 01:42:34 info hostapd[1078] Station 90:18:7c:b1:79:ea had an authentication failure, reason 16
Jul 19 2013 01:42:32 warn hostapd[1078] Received invalid EAPOL-Key MIC (msg 2/4)
Jul 19 2013 01:42:32 info hostapd[1078] Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
Jul 19 2013 01:42:31 info hostapd[1078] Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
Jul 19 2013 01:42:30 warn hostapd[1078] Received invalid EAPOL-Key MIC (msg 2/4)
Jul 19 2013 01:42:30 info hostapd[1078] Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
Jul 19 2013 01:42:30 info hostapd[1078] wlan0: IEEE 802.11 STA 90:18:7c:b1:79:ea associated with BSSID c4:64:13:0c:e3:00
Jul 19 2013 01:42:30 info hostapd[1078] wlan0: IEEE 802.11 Assoc request from 90:18:7c:b1:79:ea BSSID c4:64:13:0c:e3:00 SSID KnightIns1
Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.
Reason Code 16: Authentication failed due to a user credentials mismatch.
Reason-Code 22: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
I am not sure what is causing this. However I would ask that you do two things. While everything is working normally go to Administration/Support Information and download a diagnostic file. Label it with a date WAP321 and the word "good". Save it somewhere. When this happens again, before doing anything go back in and get another diagnostic file label it the same except with the word "bad".
Call in and open a support case and have the engineer notify me that you have opened one and also give them a reference to this community support thread.
I will work with your engineer to see what is happening.
Thanks
Eric Moyers .:|:.:|:.
Cisco Small Business US STAC Advanced Support Engineer
CCNA, CCNA-Wireless
866-606-1866
Mon - Fri 09:00 - 18:00 (UTC - 05:00)
*Please rate the Post so other will know when an answer has been found. -
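To turn entries like the ones in this thread into something a log pipeline can act on, here is an added example that is not code from the thread, from the WAP321 or from Cisco. It assumes each hostapd entry has been joined onto one line (timestamp, level, process, message), groups the entries per station, counts reason codes, and flags the pattern seen here: repeated "invalid EAPOL-Key MIC (msg 2/4)" warnings. Reading that warning as a passphrase mismatch is the example's own inference (message 2 of the 4-way handshake carries a MIC keyed from the PMK, so it fails when the station holds a different PSK), consistent with the fix that worked in this thread. The sample log is the thread's own entries, constructed into the one-line form.

```python
import re
from collections import defaultdict
from datetime import datetime

# Meaning of the two hostapd reason codes quoted in the reply above.
REASON_TEXT = {
    16: "credentials mismatch",
    22: "EAP type cannot be processed by the server",
}

ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<level>\w+) hostapd\[\d+\] (?P<msg>.+)$"
)
FAIL_RE = re.compile(r"Station (?P<mac>[0-9a-fA-F:]{17}) had an authentication failure, reason (?P<code>\d+)")
ASSOC_RE = re.compile(r"Assoc request from (?P<mac>[0-9a-fA-F:]{17})")
MIC_RE = re.compile(r"invalid EAPOL-Key MIC \(msg (?P<n>\d)/4\)")

# Constructed from the entries in this thread (the WAP UI lists newest first).
SAMPLE_LOG = """
Jul 19 2013 01:42:34 info hostapd[1078] wlan0: IEEE 802.11 STA 90:18:7c:b1:79:ea deauthed from BSSID c4:64:13:0c:e3:00 reason 1
Jul 19 2013 01:42:34 info hostapd[1078] Station 90:18:7c:b1:79:ea had an authentication failure, reason 16
Jul 19 2013 01:42:32 warn hostapd[1078] Received invalid EAPOL-Key MIC (msg 2/4)
Jul 19 2013 01:42:32 info hostapd[1078] Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
Jul 19 2013 01:42:31 info hostapd[1078] Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
Jul 19 2013 01:42:30 warn hostapd[1078] Received invalid EAPOL-Key MIC (msg 2/4)
Jul 19 2013 01:42:30 info hostapd[1078] Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
Jul 19 2013 01:42:30 info hostapd[1078] wlan0: IEEE 802.11 STA 90:18:7c:b1:79:ea associated with BSSID c4:64:13:0c:e3:00
Jul 19 2013 01:42:30 info hostapd[1078] wlan0: IEEE 802.11 Assoc request from 90:18:7c:b1:79:ea BSSID c4:64:13:0c:e3:00 SSID KnightIns1
"""


def parse_log(text):
    """Return parsed entries in chronological order, keeping same-second order intact."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%b %d %Y %H:%M:%S")
            entries.append(entry)
    entries.reverse()                        # newest-first listing -> oldest-first
    entries.sort(key=lambda e: e["ts"])      # stable sort: same-second order preserved
    return entries


def summarize(text):
    """Per-station counts of failure reason codes and of bad msg 2/4 MICs.

    The MIC warning names no station, so it is attributed to the station most
    recently seen associating or failing in the chronological stream."""
    stations = defaultdict(lambda: {"reasons": defaultdict(int), "bad_mic_msg2": 0})
    current = None
    for e in parse_log(text):
        msg = e["msg"]
        assoc = ASSOC_RE.search(msg)
        fail = FAIL_RE.search(msg)
        mic = MIC_RE.search(msg)
        if assoc:
            current = assoc["mac"].lower()
        elif fail:
            current = fail["mac"].lower()
            stations[current]["reasons"][int(fail["code"])] += 1
        elif mic and mic["n"] == "2" and current:
            stations[current]["bad_mic_msg2"] += 1
    return {mac: {"reasons": dict(s["reasons"]), "bad_mic_msg2": s["bad_mic_msg2"]}
            for mac, s in stations.items()}


def diagnose(text):
    """Map each station's pattern to a likely cause a defender can act on."""
    verdicts = {}
    for mac, s in summarize(text).items():
        if s["bad_mic_msg2"] >= 2:
            verdicts[mac] = ("PSK mismatch: msg 2/4 MIC fails when the station derives a different PMK, "
                             "i.e. it holds a stale or wrong passphrase")
        elif s["reasons"]:
            worst = max(s["reasons"], key=s["reasons"].get)
            verdicts[mac] = f"reason {worst}: {REASON_TEXT.get(worst, 'unknown code')}"
    return verdicts


if __name__ == "__main__":
    for mac, verdict in diagnose(SAMPLE_LOG).items():
        print(mac, "->", verdict)
```

The reason-16 failure and the deauth come only after the MIC failures, so a rule that alerts on reason codes alone would report a credentials problem per station and miss that the same key was being rejected for every new device; counting the msg 2/4 MIC warnings first gives the key mismatch its own verdict, which is the one the WAP operator acted on.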
Aaa authentication enable console issue
I have an ASA5505 running 8.2(5). It is configured with
aaa authentication telnet console xxxxxx LOCAL
and I am able to use my username and password to telnet in, but I then have to use the local enable password to get to privileged exec mode.
I tried configuring aaa authentication enable console xxxxxx LOCAL so that when I try to access privileged exec mode, I would be prompted for my password instead of the enable password, but it doesn't work.
I also tried removing the aaa authentication telnet console xxxxxx LOCAL and telnetted in with the local passwd.
I was prompted for a username and password when trying to get to priv exec mode, but again, the credentials did not work.
Could there be something that needs to be changed on the ACS server to make this work?
Thanks.
Using TACACS+
No command authorization rules are being used
When I add the aaa authentication enable console xxxxxxxx LOCAL command,
and use login instead of enable, I get Login failed if I try to use my credentials.
However, if I use login with the locally configured username and password, it lets me in.
Here is the config (without the aaa authentication enable console command):
User Access Verification
Username: xxx/xxxxxxxxxx
Password: ************
Type help or '?' for a list of available commands.
FW> en
Password: ********
FW# sh ru
: Saved
ASA Version 8.2(5)
terminal width 511
hostname xxxxxxxx
enable password *********** encrypted
passwd *********** encrypted
names
interface Ethernet0/0
switchport access vlan xxx
interface Ethernet0/1
switchport access vlan xxx
shutdown
interface Ethernet0/2
switchport access vlan xxx
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlanxxx
nameif inside
security-level 100
ip address x.x.x.x x.x.x.x
interface Vlanxxx
nameif OUtside
security-level 0
ip address x.x.x.x x.x.x.x
ftp mode passive
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
group-object TCPUDP
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
group-object TCPUDP
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object udp
protocol-object tcp
access-list Outside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
access-list OUtside_access_in extended permit icmp any any
access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
pager lines 24
logging enable
logging asdm informational
logging host inside x.x.x.x
mtu inside 1500
mtu OUtside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group OUtside_access_in in interface OUtside
route inside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server xxxxxxxxx protocol tacacs+
aaa-server xxxxxxxxx (inside) host x.x.x.x
key *****
aaa-server xxxxxxxxx (inside) host x.x.x.x
key *****
aaa-server xxxxxxxxx (inside) host x.x.x.x
key *****
aaa authentication http console ******* LOCAL
aaa authentication ssh console ******* LOCAL
aaa authentication telnet console ******* LOCAL
aaa local authentication attempts max-fail 5
http server enable
http x.x.x.x x.x.x.x inside
http x.x.x.x x.x.x.x inside
snmp-server host inside x.x.x.x community ***** version 2c
snmp-server host OUtside x.x.x.x community ***** version 2c
snmp-server host inside x.x.x.x community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet x.x.x.x x.x.x.x inside
telnet x.x.x.x x.x.x.x inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config OUtside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ******* password ************** encrypted privilege 15
username ******* password ************** encrypted privilege 15
username ******* password ************** encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end
FW#
Thanks.