Comodo Default Deny

Similar Messages

• How can I reboot a default install of arch remotely?

  I set up an arch box at school today, and it was the last day of school. I got it all set up the way I wanted, including openssh and the proper entry in rc.conf.
  Imagine my expression when I realized that I forgot to start sshd, and didn't reboot the box.
  I would like a way to use another box at school to reboot the arch box. I removed the default deny all in hosts.deny, and installed some stuff. I didn't reboot the box or start the daemons. Everything I need to start is in rc.conf, so a reboot is all that should be necessary.
  Is there a security hole that I can use in the default install that will allow me to reboot the box?
  School's out for summer break and I can't get back to the server room for a while.

  You will have to use the social conditioning security hole for this one.  Call up the secretary/janitor/security person and ask them to power cycle the box.

• ASA 5505 site to site RTP traffic is hitting deny all rule

  Hello,
  Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.
  Currently the rules are as follows
  Incoming External
  allow ip any any
  allow tcp any any
  allow udp any any
  default deny
  Incoming Internal
  allow ip any any
  allow tcp any any
  allow udp any any
  default deny
  It wont allow us to setup a voip call...however when the same call manager sets up a voip call NOT using this ipsec tunnel it works just fine.

  Hi Daniel,
  I guess there is support feature issue with the ASA sending VOIP traffic over VPN
  The ASA Phone Proxy does not  support inspection of packets from phones connecting to it over a VPN  tunnel. Therefore, sending phone proxy traffic through a VPN tunnel is  not supported.
  Note The ASA 5500 appliances running version 8.4 can support the Phone Proxy feature when integrated with Unified CM 8.0(x) but do not support Phone Proxy with Unified CM versions 8.5(x) and 8.6(x).
  Please do rate if the given information helps.
  By
  Karthik

• Default Device Admin (Tacacs+)

  ACS 5.1
  Default Device Admin
  Identity:
  Single Result (internal list and AD1)
  Group Mapping:
  Rule1:(anyone in AD/Administrators=Group/AdminGroup)
  Default: Standard user
  Authorization:
  Rule1: (anyone in Group/AdminGroup, permit all commands)
  Default: Deny All Commands
  Here's my situation:
  User1 (AD/Administrator)
  UserBob (NOT in AD/Administrator)
  User1 Logs into a switch, types "enable" is asked to authenticate again, and can then run all commands (this is what i'm looking for, though i dislike the second login)
  UserBob Logs into a switch, types "enable" is asked to authenticate again, but gets error "% Error in Authentication" (i do not want UserBob to even be able to log into the switch to begin with)
  So my question is:
  How do i keep UserBob from being able to log into the switch?
  How do I get User1 to enter level 15 (Switch# instead of Switch>) automatically without being prompted to enter their password a second time after typing "enable"?
  As i understand it, "Default Device Admin" is different than "Default Network Access" which i liken to "logging into switches" vs. "authenticating against VPN server or Wireless" respectively.  So i should be able to restrict users from logging into switches, but still allow them to authenticate for access to things like VPN, so i don't think what i'm asking above will keep me from being able to do that.
  Ideas?

  Hello
  Q1 : How do i keep UserBob from being able to log into the switch?
       Configure NAR [network access restriction] and restrict the user to "not-to" access switch.
  Q2 : How do I get User1 to enter level 15 (Switch# instead of Switch>)  automatically without being prompted to enter their password a second  time after typing "enable"?
       You need to configure exec authorization on switch and push "privlege level = 15" to make User1 fall on switch# mode.
  The command on switch will be :
       aaa authorization exec default group tacacs local
  Let me know if it helps.
  thanks
  Devashree

• Cut-through/direct authentication connection being denied

  I'm trying to set up a firewall so an outside user can authenticate to the firewall, then RDP directly to a workstation.
  Here's what I've got:
  aaa authentication match authmatch outside LOCAL
  aaa authentication listener http outside port 5555
  access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391
  access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555
  static (inside,outside) tcp interface 3391 192.168.1.101 3389 netmask 255.255.255.255
  I can connect to the web page and authenticate successfully.
  6          Aug 21 2012          06:00:33                    222.222.222.146          0 222.222.222.146          0          Authentication succeeded for user 'USER1' from 222.222.222.146/0 to 222.222.222.146/0 on interface outside
  But, when I try to RDP in on 3391, it's not hitting the authmatch access list.   It's hitting the outside_access_in access list and it's denied by the default deny.
  4          Aug 21 2012          06:04:26 222.222.222.146          50414 111.111.111.162          3391          Deny tcp src outside:222.222.222.146/50414 dst inside:111.111.111.162/3391 by access-group "outside_access_in" [0x0, 0x0]
  Why won't it hit the correct access-list?
  Thanks,
  - Marc

  Hello Marc,
  What Karthik is telling you is the following:
  -The cut through proxy adds additional control regarding the connections across your firewall, this by using the ASA as a proxy but you still need to allow the traffic on the proper ACL's on the interfaces of your ASA.
  So just create an ACL entry into the outside acl permiting traffic to port 3391, of course only the users authenticated will succesfully connect
  Regards,
  Remember to rate all the helpful posts
  Julio
  CCSP

• Cisco ASA 5510 site to site VPN only

  Hi,
  Need some expert help. I will be deploying the CISCO ASA 5510 in VPN site to site scenario only. One interface will be for the WAN and the other LAN interface is connected to another firewall appliance. The main purpose of the ASA is for branch site VPN connection only. My default gateway is pointing to the Internet router on my WAN inteface. Should NAT be enabled on my WAN inteface? The only expected traffic to go thru my ASA is VPN traffic to the other site. I have already defined static routes and have gone thru the wizard for site to site VPN and added my local and remote networks. Also how do I approach my access policies, the default deny any any is in place. Should I allow anything on it? The firewall connected to my LAN interface is expected to do the filtering, like I said the ASA's purpose is just to do VPN site to site. Thanks all

  Thanks Jon. That is what I want to clarify as well, running the VPN site to site wizard, will automatically create the 'cryptomap' access rules, will the existing deny all rule apply to the VPN traffic? I think there was an option that VPN traffic will bypass access rules.
  So having NAT enabled for anything that goes out on My WAN inteface would not matter at all, even if the VPN traffic will go out of that interface right? Hope I don't sound confusing.
  As per your second question, I know it sounds weird and is not good network design, but customer just renewed maintenance contract for the other firewall box that is why he does not want to get rid of it yet. Although ISA can perform the function as well. Thanks.

• SRP547W, How to use multiple WAN IPs for port forwarding?

  Hi folks,
  We've run into some difficulty trying to take advantage of multiple WAN IPs in conjunction with the SRP547, and I'm hoping someone here can help out or at least tell us that we're going to need to buy a different router...
  What we're trying to acheive is the ability to port forward from our distinct public IPs to different internal servers. Looking at the options under Port Forwarding it looks like we can only configure forwards at the "WAN interface" level, but our problem is that we can't work out how to set up separate interfaces for each of our Public IPs...
  Our ISP provides us with a fully managed NTU/router with a single "Internet" ethernet port, which we can use by statically configuring IPs on our end. For this configuration this port has been directly patched to the WAN ethernet port on the SRP547W.
  We have been allocated a 255.255.255.248 (/29) subnet, giving us 5 usable IPs after the ISP's gateway address is taken into account, like so:
  a.b.c.208     Network Address (/29 subnet)
  a.b.c.209     ISP Gateway
  a.b.c.210     IP1
  a.b.c.211     IP2
  a.b.c.212     IP3
  a.b.c.213     IP4
  a.b.c.214     IP5
  a.b.c.215     Broadcast Address
  On the SRP we've set up the default "Ethernet WAN2" sub-interface with the following details for IP1
  VLAN ID:               4088 (Uneditable)
  Connection Type:       Static IP
  Internet IP Address:   a.b.c.210
  Subnet Mask:           255.255.255.248
  Default Gateway:       a.b.c.209
  The next step (I would have thought) would be to add a second sub-interface, using similar info for IP2
  VLAN ID:               4000 (Chosen arbitrarily)
  Connection Type:       Static IP
  Internet IP Address:   a.b.c.211
  Subnet Mask:           255.255.255.248
  Default Gateway:       a.b.c.209
  When we try to do so however we get:
  Fail!
  Conflict with Ether_WAN2 interface address type
  I should mention at this point that we're running on firmware version 1.02.01 (023).
  Any suggestions on how we can proceed?
  Is there a CLI or other method of configuration that might work if the web interface won't?
  Thanks,
  Tim.

  OK, I've seen reference to this solution before but not much in the way of details. Perhaps you can spell out how this ought to work, as the Software DMZ doesn't behave as I'd expected it to.
  As before, on the SRP we've set up the default "Ethernet WAN2" sub-interface with the details for IP1 with a /29 subnet.
  VLAN ID:               4088 (Uneditable)
  Connection Type:       Static IP
  Internet IP Address:   a.b.c.210
  Subnet Mask:           255.255.255.248
  Default Gateway:       a.b.c.209
  We'd now like to expose a server function on IP2, let's say LAN details for this server are:
  VLAN:                  3000
  VLAN IP Range:         192.168.1.1/24
  Server IP:             192.168.1.10
  Server Port:           80
  So first we turn on Software DMZ:
  Status:                Enabled
  Public IP:             a.b.c.211
  Private IP:            192.168.1.10
  WAN Interface:         Ether_WAN2
  My understanding, based on what you've said, is that this should expose the whole server to external access via IP2. Unfortunately, it doesn't seem to work this way - we don't seem to have any access at all. Perhaps there's a default deny rule on the firewall?
  Just to be sure, I tried creating a rule to allow HTTP traffic to the server in the Advanced Firewall page.
  In Interface (WAN):    All
  Out Interface (LAN):   VLAN.3000
  Source IP:             0.0.0.0
  Source Subnet:         0.0.0.0
  Destination IP:        192.168.1.10
  Destination Subnet:    255.255.255.255
  Protocol:              TCP
  Source Port:           Any
  Destination Port:      Single:80
  Action:                Permit
  Schedule:              Everyday
  Times:                 24 Hours
  Still no dice. What am I missing?
  Cheers,
  Tim.

• ARD over internet to multiple macs using the same connection

  Hi, I know the topic has been covered to enable ARD over the net, however all the solutions I see require port forwarding which in essence makes only one computer using the internet connection available, how do you make it so multiple macs can use the one internet connection to send/receive ARD requests? is there a way to change the port ARD uses on individual macs and then forward the ports ? or do I have to go down the VPN path ? or is there a better solution for this kind of setup, thanks Ash

  Precisely.
  Cheers, Joel
  \[ Note, the reason I didn't use 5900 and 5901 was for clarity to make it obvious that they are arbitrary choices on the external side, but also because sometimes using 5901+ gets confusing. Depending on your VNC server software, which port on the internal side that you choose to use between 5900-5920 actually means something (resolution, color depth, etc) to the server software. If you can keep it all straight in your head though, and point them all to the right internal port (5900 usually), no harm in it. If you don't mind adding some awful "security through obscurity," you probably shouldn't have VNC service open to the internet on 5900 anyway. Either way, you should also probably limit connections to those internal machines now that they are "directly reachable" from the 'net. In your firewall they should both have default-deny policies for incoming requests unless they're from your known-safe external addresses.]
  Message was edited by: Joel D. Reid

• ISE 1.1 - switch ignores "Session-Timeout"

  hi all,
  I'm playing around with ISE guest service and have some difficulty with Time Profiles.
  After guest logs in, Radius attributes are sent to the switch (3750G) one of them is Session-Timeout which should be similar to 1h (DefaultOneHour)
  According to ISE logs and switch debugs, ISE did it well and this attribute was sent  but it seems that the switch simply ignores it.
  May 24 07:03:11.658: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied udp 10.1.100.194(1029) -> 10.1.100.2(389), 1 packet19:46:57: RADIUS: COA  received from id 36 10.1.100.6:64700, CoA Request, len 18319:46:57: RADIUS/DECODE: parse unknown cisco vsa "reauthenticate-type" - IGNORE19:46:57: RADIUS/ENCODE(00000000):Orig. component type = Invalid19:46:57: RADIUS(00000000): sending19:46:57: RADIUS(00000000): Send CoA Ack Response to 10.1.100.6:64700 id 36, len 3819:46:57: RADIUS:  authenticator 0B 30 6E 9B DF 97 0D A0 - D9 8B A5 5A 11 39 3E 4119:46:57: RADIUS:  Message-Authenticato[80]  18 19:46:57: RADIUS:   11 42 82 E2 52 68 DF 28 CD 43 AE 88 0C 5D 91 10            [ BRh(C]]19:46:57: RADIUS/ENCODE(00000026):Orig. component type = Dot1X19:46:57: RADIUS(00000026): Config NAS IP: 0.0.0.019:46:57: RADIUS(00000026): Config NAS IPv6: ::19:46:57: RADIUS/ENCODE(00000026): acct_session_id: 2719:46:57: RADIUS(00000026): sending19:46:57: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.619:46:57: RADIUS(00000026): Send Access-Request to 10.1.100.6:1812 id 1645/25, len 26719:46:57: RADIUS:  authenticator 6D 92 DC 77 87 47 DA 8E - 7D 6B DD DD 18 BE DC 3319:46:57: RADIUS:  User-Name           [1]   14  "0016d329042f"19:46:57: RADIUS:  User-Password       [2]   18  *19:46:57: RADIUS:  Service-Type        [6]   6   Call Check                [10]19:46:57: RADIUS:  Vendor, Cisco       [26]  31 19:46:57: RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"19:46:57: RADIUS:  Framed-IP-Address   [8]   6   10.1.100.194 19:46:57: RADIUS:  Framed-MTU          [12]  6   1500 19:46:57: RADIUS:  Called-Station-Id   [30]  19  "00-24-F9-2D-83-87"19:46:57: RADIUS:  Calling-Station-Id  [31]  19  "00-16-D3-29-04-2F"19:46:57: RADIUS:  Message-Authenticato[80]  18 19:46:57: RADIUS:   AD EB 99 4A F2 B9 4E BB 2E B3 E2 04 BE 5B 0C 72             [ JN.[r]19:46:57: RADIUS:  EAP-Key-Name        [102] 2   *19:46:57: RADIUS:  Vendor, Cisco       [26]  49 19:46:57: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A01280100000016043E0D23"19:46:57: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]19:46:57: RADIUS:  NAS-Port            [5]   6   50107 19:46:57: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/7"19:46:57: RADIUS:  Called-Station-Id   [30]  19  "00-24-F9-2D-83-87"19:46:57: RADIUS:  NAS-IP-Address      [4]   6   10.1.100.1 19:46:57: RADIUS(00000026): Sending a IPv4 Radius Packet19:46:57: RADIUS(00000026): Started 5 sec timeout19:46:57: RADIUS: Received from id 1645/25 10.1.100.6:1812, Access-Accept, len 27219:46:57: RADIUS:  authenticator F1 5F 57 72 FD 80 95 20 - 46 47 B5 CE DF 63 6E 1A19:46:57: RADIUS:  User-Name           [1]   19  "[email protected]"19:46:57: RADIUS:  State               [24]  40 19:46:57: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41  [ReauthSession:0A]19:46:57: RADIUS:   30 31 32 38 30 31 30 30 30 30 30 30 31 36 30 34  [0128010000001604]19:46:57: RADIUS:   33 45 30 44 32 33            [ 3E0D23]19:46:57: RADIUS:  Class               [25]  49 19:46:57: RADIUS:   43 41 43 53 3A 30 41 30 31 32 38 30 31 30 30 30  [CACS:0A012801000]19:46:57: RADIUS:   30 30 30 31 36 30 34 33 45 30 44 32 33 3A 69 73  [00016043E0D23:is]19:46:57: RADIUS:   65 2F 31 32 34 30 33 36 37 39 31 2F 32 39 37   [ e/124036791/297]19:46:57: RADIUS:  Session-Timeout     [27]  6   2940 19:46:57: RADIUS:  Termination-Action  [29]  6   0 19:46:57: RADIUS:  Message-Authenticato[80]  18 19:46:57: RADIUS:   26 46 2C B6 75 95 AF 37 E6 3B B1 CB F2 70 E0 8D           [ &F,u7;p]19:46:57: RADIUS:  Vendor, Cisco       [26]  72 19:46:57: RADIUS:   Cisco AVpair       [1]   66  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-Contractors-ACL-4fbcd736"19:46:57: RADIUS:  Vendor, Cisco       [26]  42 19:46:57: RADIUS:   Cisco AVpair       [1]   36  "profile-name=Microsoft-Workstation"19:46:57: RADIUS(00000026): Received from id 1645/2519:46:57: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNOREMay 24 07:03:19.132: %MAB-5-SUCCESS: Authentication successful for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D23May 24 07:03:19.132: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D23May 24 07:03:19.140: %EPM-6-POLICY_REQ: IP 10.1.100.194| MAC 0016.d329.042f| AuditSessionID 0A01280100000016043E0D23| AUTHTYPE DOT1X| EVENT APPLYMay 24 07:03:19.165: %EPM-6-AAA: POLICY xACSACLx-IP-Contractors-ACL-4fbcd736| EVENT DOWNLOAD-REQUEST19:46:57: RADIUS/ENCODE(00000000):Orig. component type = Invalid19:46:57: RADIUS(00000000): Config NAS IP: 0.0.0.019:46:57: RADIUS(00000000): sending19:46:57: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.619:46:57: RADIUS(00000000): Send Access-Request to 10.1.100.6:1812 id 1645/26, len 14419:46:57: RADIUS:  authenticator 1A 52 18 C5 25 A7 5C DC - 29 C9 5C 7C C5 B3 FC 5819:46:57: RADIUS:  NAS-IP-Address      [4]   6   10.1.100.1 19:46:57: RADIUS:  User-Name           [1]   38  "#ACSACL#-IP-Contractors-ACL-4fbcd736"19:46:57: RADIUS:  Vendor, Cisco       [26]  32 19:46:57: RADIUS:   Cisco AVpair       [1]   26  "aaa:service=ip_admission"19:46:57: RADIUS:  Vendor, Cisco       [26]  30 19:46:57: RADIUS:   Cisco AVpair       [1]   24  "aaa:event=acl-download"19:46:57: RADIUS:  Message-Authenticato[80]  18 19:46:57: RADIUS:   2B 6B 13 37 0D 25 11 E9 6A 56 35 D8 91 9F EF F0           [ +k7?jV5]19:46:57: RADIUS(00000000): Sending a IPv4 Radius Packet19:46:57: RADIUS(00000000): Started 5 sec timeoutMay 24 07:03:19.191: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied tcp 10.1.100.194(2125) -> 10.1.100.6(8443), 1 packet19:46:57: RADIUS: Received from id 1645/26 10.1.100.6:1812, Access-Accept, len 35919:46:57: RADIUS:  authenticator 31 B0 73 93 CA 0E 5C 7C - 11 29 AA 57 6C A1 53 D819:46:57: RADIUS:  User-Name           [1]   38  "#ACSACL#-IP-Contractors-ACL-4fbcd736"19:46:57: RADIUS:  State               [24]  40 19:46:57: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]19:46:57: RADIUS:   30 31 36 34 30 36 30 30 30 30 30 30 35 44 34 46  [0164060000005D4F]19:46:57: RADIUS:   42 44 44 44 33 37            [ BDDD37]19:46:57: RADIUS:  Class               [25]  49 19:46:57: RADIUS:   43 41 43 53 3A 30 61 30 31 36 34 30 36 30 30 30  [CACS:0a016406000]19:46:57: RADIUS:   30 30 30 35 44 34 46 42 44 44 44 33 37 3A 69 73  [0005D4FBDDD37:is]19:46:57: RADIUS:   65 2F 31 32 34 30 33 36 37 39 31 2F 32 39 38   [ e/124036791/298]19:46:57: RADIUS:  Termination-Action  [29]  6   1 19:46:57: RADIUS:  Message-Authenticato[80]  18 19:46:57: RADIUS:   80 EF 5B 80 76 F1 C9 37 0B 25 34 37 10 57 CC 44          [ [v7?47WD]19:46:57: RADIUS:  Vendor, Cisco       [26]  47 19:46:57: RADIUS:   Cisco AVpair       [1]   41  "ip:inacl#1=permit udp any any eq domain"19:46:57: RADIUS:  Vendor, Cisco SW3750-1# [26]  48 19:46:57: RADIUS:   Cisco AVpair       [1]   42  "ip:inacl#2=permit ip any host 10.1.100.6"19:46:57: RADIUS:  Vendor, Cisco       [26]  57 19:46:57: RADIUS:   Cisco AVpair       [1]   51  "ip:inacl#3=deny ip any 10.0.0.0 0.255.255.255 log"19:46:57: RADIUS:  Vendor, Cisco       [26]  36 19:46:57: RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#4=permit ip any any"19:46:57: RADIUS(00000000): Received from id 1645/26May 24 07:03:19.216: %EPM-6-AAA: POLICY xACSACLx-IP-Contractors-ACSW3750-1#SW3750-1#SW3750-1#L-4fbcd736| EVENT DOWNLOAD-SUCCESSMay 24 07:03:19.216: %EPM-6-POLICY_APP_SUCCESS: IP 10.1.100.194| MAC 0016.d329.042f| AuditSessionID 0A01280100000016043E0D23| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-Contractors-ACL-4fbcd736| RESULT SUCCESSMay 24 07:03:20.147: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D2319:46:58: RADIUS/ENCODE(00000026):Orig. component type = Dot1X19:46:58: RADIUS(00000026SW3750-1#SW3750-1#SW3750-1#SW3750-1#): Config NAS IP: 0.0.0.019:46:58: RADIUS(00000026): Config NAS IPv6: ::19:46:58: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.619:46:58: RADIUS(00000026): Sending a IPv4 Radius Packet19:46:58: RADIUS(00000026): Started 5 sec timeout19:46:58: RADIUS: Received from id 1646/35 10.1.100.6:1813, Accounting-response, len 38SW3750-1#
  SW3750-1#sh authe sess int g 1/0/7 Interface:  GigabitEthernet1/0/7 MAC Address:  0016.d329.042f IP Address:  10.1.100.194 User-Name:  [email protected] Status:  Authz Success Domain:  DATA Security Policy:  Should Secure Security Status:  Unsecure Oper host mode:  multi-auth Oper control dir:  both Authorized By:  Authentication Server Vlan Group:  N/A ACS ACL:  xACSACLx-IP-Contractors-ACL-4fbcd736 Session timeout:  N/A Idle timeout:  N/A Common Session ID:  0A01280100000016043E0D23 Acct Session ID:  0x0000001B Handle:  0x2F000017Runnable methods list: Method   State mab      Authc Success dot1x    Not runSW3750-1#
  Has anyone encountered similar thing?
  I tried 12.2(58) and now Im testing
  Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(1)SE2, RELEASE SOFTWARE (fc3)
  but in both cases it is similar.
  regards
  Przemek

  Hi Sebastian,
  thx a lot those 2 commands solved the issue, my mistake. Now I can see remaining time for the session
  SW3750-1#sh auth sess int g1/0/7 Interface:  GigabitEthernet1/0/7 MAC Address:  0016.d329.042f IP Address:  10.1.100.194 User-Name:  [email protected] Status:  Authz Success Domain:  DATA Security Policy:  Should Secure Security Status:  Unsecure Oper host mode:  multi-auth Oper control dir:  both Authorized By:  Authentication Server Vlan Group:  N/A ACS ACL:  xACSACLx-IP-Contractors-ACL-4fbcd736 Session timeout:  28800s (server), Remaining: 28780s Timeout action:  Terminate Idle timeout:  N/A Common Session ID:  0A012801000000221DE0F555 Acct Session ID:  0x0000002B Handle:  0x99000023Runnable methods list: Method   State mab      Authc Success dot1x    Not run
  regards
  Przemek

• Howto: Zones in private subnets using ipfilter's NAT and Port forwarding

  This setup supports the following features:
  * Requires 1 Network interface total.
  * Supports 1 or more public ips.
  * Allows Zone to Zone private network traffic.
  * Allows internet access from the global zones.
  * Allows direct (via ipfilter) internet access to ports in non-global zones.
  (change networks to suit your needs, the number of public and private ip was lowered to simplify this doc)
  Network setup:
  iprb0 65.38.103.1/24
  defaultrouter 65.38.103.254
  iprb0:1 192.168.1.1/24 (in global zone)
  Create a zone on iprb0 with an ip of 192.168.1.2
  ### Example /etc/ipf/ipnat.conf
  # forward from a public port to a private zone port
  rdr iprb0 65.38.103.1/32 port 2222 -> 192.168.1.2 port 22
  # force outbound zone traffic thru a certain ip address
  # required for mail servers because of reverse lookup
  map iprb0 192.168.1.2/32 -> 65.38.103.1/32 proxy port ftp ftp/tcp
  map iprb0 192.168.1.2/32 -> 65.38.103.1/32 portmap tcp/udp auto
  map iprb0 192.168.1.2/32 -> 65.38.103.1
  # allow any 192.168.1.x zone to use the internet
  map iprb0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
  map iprb0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
  map iprb0 192.168.1.0/24 -> 0/32For testing purposes you can leave /etc/ipf/ipf.conf empty.
  Be aware the you must "svcadm disable ipfilter; svcadm enable ipfilter" to reload rules and the rules stay loaded if they are just disabled(bug).
  Zones can't modify their routes and inherit the default routes of the global zone. Because of this we have to trick the non-global zones into using a router that doesn't exist.
  Create /etc/init.d/zone_route_hack
  Link this file to /etc/rc3.d/S99zone_route_hack.
  #/bin/sh
  # based on information found at
  # http://blogs.sun.com/roller/page/edp?entry=using_branded_zones_on_a
  # http://forum.sun.com/jive/thread.jspa?threadID=75669&messageID=275741
  fake_router=192.168.1.254
  public_net=65.38.103.0
  router=`netstat -rn | grep default | grep -v " $fake_router " | nawk '{print $2}'`
  # send some data to the real network router so we look up it's arp address
  ping -sn $router 1 1 >/dev/null
  # record the arp address of the real router
  router_arp=`arp $router | nawk '{print $4}'`
  # delete any existing arp address entry for our fake private subnet router
  arp -d $fake_router >/dev/null
  # assign the real routers arp address to our fake private subnet router
  arp -s $fake_router $router_arp
  # route our private subnet through our fake private subnet router
  route add default $fake_router
  # Can't create this route until the zone/interface are loaded
  # Adjust this based on your hardware and number of zones
  sleep 300
  # Duplicate this line for every non-global zone with a private ip that
  # will have ipfilter rdr (redirects) pointing to it
  route add -net $public_net 192.168.1.2 -ifaceNow we have both public and private ip addresses on our one iprb0 interface. If we'd really like our private zone network to really be private we don't want any non-NAT'ed 192.168.1.x traffic leaving the interface. Since ipfilter can't block traffic between zones because they use loopbacks we can just block the 192.168.1.x traffic and the zones can still talk.
  The following /etc/ipf/ipf.conf defaults to deny.
  # ipf.conf
  # IP Filter rules to be loaded during startup
  # See ipf(4) manpage for more information on
  # IP Filter rules syntax.
  # INCOMING DEFAULT DENY
  block in all
  block return-rst in proto tcp all
  # two open ports one of which is redirected in ipnat.conf
  pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
  pass in quick on iprb0 proto tcp from any to any port = 2222 flags S keep state keep frags
  # INCOMING PING
  pass in quick on iprb0 proto icmp from any to 65.38.103.0/24 icmp-type 8 keep state
  # INCOMING GLOBAL ZONE UNIX TRACEROUTE FIX PART 1
  #pass in quick on iprb0 proto udp from any to 65.38.103.0/24 keep state
  # OUTGOING RULES
  block out all
  # ALL INTERNAL TRAFFIC STAYS INTERNAL (Zones use non-filtered loopback)
  # remove/edit as needed to actually talk to local private physical networks
  block out quick from any to 192.168.0.0/16
  block out quick from any to 172.16.0.0/12
  block out quick from any to 10.0.0.0/8
  block out quick from any to 0.0.0.0/8
  block out quick from any to 127.0.0.0/8
  block out quick from any to 169.254.0.0/16
  block out quick from any to 192.0.2.0/24
  block out quick from any to 204.152.64.0/23
  block out quick from any to 224.0.0.0/3
  # Allow traffic out the public interface on the public address
  pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
  # OUTGOING PING
  pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 8 keep state
  # Allow traffic out the public interface on the private address (needs nat and router arp hack)
  pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
  # OUTGOING PING
  pass out quick on iprb0 proto icmp from 192.168.1.0/24 to any icmp-type 8 keep state
  # INCOMING TRACEROUTE FIX PART 2
  #pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 3 keep stateIf you want incoming and outgoing internet in your zones it is easier if you just give them public ips and setup a firewall in the global zone. If you have limited public ip address(I'm setting up a colocation 1u server) then you might take this approach. One of the best things about doing thing this way is that any software configured in the non-global zones will never be configured to listen on an ip address that might change if you change public ips.

  Instead of using the script as a legacy_run script, set it up in SMF.
  First create the file /var/svc/manifest/system/ip-route-hack.xml with
  the following
  ---Start---
  <?xml version="1.0"?>
  <!DOCTYPE service_bundle SYSTEM
  "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
  <!--
  ident "@(#)ip-route-hack.xml 1.0 09/21/06"
  -->
  <service_bundle type='manifest' name='NATtrans:ip-route-hack'>
  <service
  name='system/ip-route-hack'
  type='service'
  version='1'>
  <create_default_instance enabled='true' />
  <single_instance />
  <dependency
  name='physical'
  grouping='require_all'
  type='service'
  restart_on='none'>
  <service_fmri value='svc:/network/physical:default' />
  </dependency>
  <dependency
  name='loopback'
  grouping='require_all'
  type='service'
  restart_on='none'>
  <service_fmri value='svc:/network/loopback:default' />
  </dependency>
  <exec_method
  type='method'
  name='start'
  exec='/lib/svc/method/svc-ip-route-hack start'
  timeout_seconds='0' />
  <property_group name='startd' type='framework'>
  <propval name='duration' type='astring'
  value='transient' />
  </property_group>
  <stability value='Unstable' />
  <template>
  <common_name>
  <loctext xml:lang='C'>
  Hack to allow zone to NAT translate.
  </loctext>
  </common_name>
  <documentation>
  <manpage
  title='zones'
  section='1M'
  manpath='/usr/share/man' />
  </documentation>
  </template>
  </service>
  </service_bundle>
  ---End---
  then modify /var/svc/manfiest/system/zones.xml and add the following
  dependancy
  ---Start---
  <dependency
  name='inet-ip-route-hack'
  type='service'
  grouping='require_all'
  restart_on='none'>
  <service_fmri value='svc:/system/ip-route-hack' />
  </dependency>
  ---End---
  Finally create the file /lib/svc/method/svc-ip-route-hack with the
  contents of S99zone_route_hack, minus the sleep timer (perms 0755). Run
  'svccfg import /var/svc/manifest/system/ip-route-hack.xml' and 'svccfg
  import /var/svc/manifest/system/zones.xml'.
  This will guarantee that ip-route-hack is run before zones are started,
  but after the interfaces are brought on line. It is worth noting that
  zones.xml may get overwritten during a patch, so if it suddenly stops
  working, that could be why.

• Gnome-network-manager & XFCE 4.4

  Hey guys, someone know if gnome-network-manager also run on XFCE 4.4?
  It won't run on my XFCE
  Solutions to problem?
  Bye,
  Riccardo

  Captain Spaulding wrote:
  OK, open NetworkManager.conf and search for the line
  <policy at_console="true">
  and add this line:
  <allow own="org.freedesktop.NetworkManagerInfo"/>
  That, at least, should fix your initial issue. I have only just begun to learn more about dbus, so I have no clue about the second problem.
  Mmmmm no entries as <policy at_console="true"> in my NetworkManager.conf....
  So here we are my NetworkManager.conf:
  <!DOCTYPE busconfig PUBLIC
  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
  <busconfig>
  <policy user="root">
  <allow own="org.freedesktop.NetworkManager"/>
  <allow send_destination="org.freedesktop.NetworkManager"/>
  <allow send_interface="org.freedesktop.NetworkManager"/>
  </policy>
  <policy group="users">
  <allow send_destination="org.freedesktop.NetworkManager"/>
  <allow send_interface="org.freedesktop.NetworkManager"/>
  </policy>
  <policy user="hal">
  <allow send_destination="org.freedesktop.NetworkManager"/>
  <allow send_interface="org.freedesktop.NetworkManager"/>
  </policy>
  <policy context="default">
  <deny own="org.freedesktop.NetworkManager"/>
  <deny send_destination="org.freedesktop.NetworkManager"/>
  <deny send_interface="org.freedesktop.NetworkManager"/>
  </policy>
  </busconfig>

• Htaccess configuration

  Hello
  I have been trying to configure .htaccess properly but for some reason the redirect which i am giving in .htaccess is not working. i have configured as per the instruction in SUN. Can any one help me on this one.
  further the instance which i was trying .htaccess to make work is not getting started it says CORE3185 invalid configuration. i have been working to .htaccess since one week.
  Thanks

  here is one approach
  OPTION 1:
  - edit your <virtual server corresponding obj.conf> under config (https-<hostname>/config/*obj.conf) and do something like
  <Object name="default>
  <If $ip ne "provide the first ip address" or $ip ne "provide 2nd ip address" >
  PathCheck fn="deny-existence"
  </If>
  .. (rest of the configuration).
  OR
  OPTION 2
  - create a file (say deny_ip.conf) under https-<hostname>/config/deny_ip.conf and add entries like 'name value' pair where in both contains the IP address that you want to allow
  for example,
  cat > https-<hostname>/config/deny_ip.conf
  192.18.120.213 192.18.120.213
  192.18.120.214 192.18.120.214
  <save this file>
  - now edit your <virtual server corresponding obj.conf> under config (https-<hostname>/config/*obj.conf) and do something like
  <Object name="default>
  # Deny based on IP
  <If $ip ne lookup('deny.conf',ip) >
  Pathcheck fn="deny-existence"
  </If>
  <advantage of doing this way is that you can simply edit your deny_ip.conf to add more IP addresses to allow access to your machine>
  hope this helps

• What are the minimum permissions to publish a report to users' inbox?

  We want to be able to publish or send WebI documents to users' InfoView Inboxes.  So far the only way I found I can do this is:
  >> The document publisher/scheduler ( sender ) needs to have View permissions of each user's Inbox.  This causes a problem.  Either the admin gives sender view permissions to all Inboxes in CMC or the admin has to give view permissions on each individual user's Inbox...this option can be painful if there are many users.
  So, as I currently see it, either sender can see all users' Inboxes in the CMC or the admin has to go into each user's Inbox and give sender view permissions.
  Is there an easier/simpler way around this?

  MHO Only....  this subject on sending / publishing rights is horrible, sending to a users inbox ishould be a default and we should only have to either allow or deny users or groups,    not have go through steps 1-7 for part1 and 1-9 for part 2.!
  that being said,
  For XI31,
  Getting the users to see the user list when sending documents to the inbox.
  Resolution:
  1. Login to CMC using administrator account.
  2. Navigate to Users and Groups page in CMC.
  3. Select the user list and click on the Manage .
  4. From the Drop down menu for Manage tab , select Top Level Security -> All Users -> Everyone -> Assign Security -> Access levels -> Assign View access level -> Apply -> Ok.
  5. Now Users can view the users list when sending the reports to other users# inbox.
  Second issue was that the users could send documents, but they would never show up in their recipient's inbox:
  At the Inbox "View Objects" should be set under "System ->Inbox", not "General->General"
  Resolution
  1. In the Central Management Console (CMC), go to "Inboxes"
  2. Go to "Manage -> Top Level Security -> All Inboxes"
  3. Select "Everyone" and choose "Assign Security"
  4. Click the "Advanced" tab then "Add\Remove Rights"
  5. On the left hand side, "General" is selected. The only thing that should be specified here is:
  Grant: "Add objects to folder"
  Deny: "Delete Objects" (default)
  Deny: "Edit Objects" (default)
  6. Make sure you set "View Objects" to "Not specified" if selected at this level.
  7. On the Left pane, Expand "System" and choose "Inbox"
  8. In the right side, set the following:
  Check "Override General Global"
  Grant: "View Objects"
  Deselect "Apply to object"
  9. Click "OK", then "OK" again.
  there is also also a KB 1363269:
  Hope this helps!

• Application Control Policies - Is that it?

  Restrictions based on executable name only seems very restrictive, maybe I came in with the wrong mindset. I was looking at this been an SRP like replacement but the inability to do path based rules or default deny all but allowed programs. Been executable name only without a default deny would mean simple executable rename defeats the policy.
  Can someone enlighten me, have I just totally missed the point?

  Originally Posted by bbeachem
  Application "white listing", which is what you're really requesting is on our roadmap for a future product version.
  Is there a current time frame on the whitelist feature? Also do you know if path based rules will be included as part of that feature?

• Cisco ISE version 1.2.1.198 distribution deployment issue

  Dear All, I am having 3 ISE (Admin, PSN & MNT node) running on version 1.2.1.198 with no patch. My MNT node is not sync. with admin node. I need to apply a certificate but getting error. I am unable to deregister it. I have tried to push the patch 3 by installing same on Admin node but it is not getting push to either MNT or PSN node. I am attaching the screen-shots for your reference. Please let me know if you need any input from my side.

  Hi, I have made PSN as monitor Primary, then de-registered the Monitor node & registered it back & made it monitor primary. Now all nodes are syncing properly. But after this my call flow is breaking. All user request are going for default deny, i.e. access reject & drop. Earlier it was working properly, users were able to connect / authenticated & authorized also access the websites properly. Earlier only monitor node was not syncing , but now although it is syncing but call flow is breaking & there is no change in configuration. I have updated the ISE version 1.2.1.198 with only a patch , i.e. patch 3 on all 3 nodes i.e. admin, PSN & monitor. Please suggest also let me know incase you need more info.