Cut-through/direct authentication connection being denied

I'm trying to set up a firewall so an outside user can authenticate to the firewall, then RDP directly to a workstation.
Here's what I've got:
[code]
aaa authentication match authmatch outside LOCAL
aaa authentication listener http outside port 5555
access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391
access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555
static (inside,outside) tcp interface 3391 192.168.1.101 3389 netmask 255.255.255.255
[/code]
I can connect to the web page and authenticate successfully.
6 Aug 21 2012 06:00:33 222.222.222.146 0 222.222.222.146 0 Authentication succeeded for user 'USER1' from 222.222.222.146/0 to 222.222.222.146/0 on interface outside
But, when I try to RDP in on 3391, it's not hitting the authmatch access list. It's hitting the outside_access_in access list and it's denied by the default deny.
4 Aug 21 2012 06:04:26 222.222.222.146 50414 111.111.111.162 3391 Deny tcp src outside:222.222.222.146/50414 dst inside:111.111.111.162/3391 by access-group "outside_access_in" [0x0, 0x0]
Why won't it hit the correct access-list?
Thanks,
- Marc

Hello Marc,
What Karthik is telling you is the following:
- The cut-through proxy adds additional control over the connections across your firewall by using the ASA as a proxy, but you still need to allow the traffic on the proper ACLs on the interfaces of your ASA.
So just create an ACL entry in the outside ACL permitting traffic to port 3391; of course, only the authenticated users will successfully connect.
Regards,
Remember to rate all the helpful posts
Julio
CCSP
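The point Julio makes is that the aaa-match ACL and the interface ACL are evaluated independently, so a port that appears only in authmatch is still dropped by the implicit deny of outside_access_in. The following Python script is an added example for this thread (not code from the original post or from Cisco) that cross-checks the two ACL sets and ties a "Deny ... by access-group" syslog line back to the configuration. It parses only the ACE shape used in this thread (permit|deny PROTO any host DST eq PORT), assumes first-match semantics with an implicit deny, and treats the authentication listener port as to-the-box traffic that is out of scope for the interface ACL; the contents of outside_access_in are constructed, since Marc did not post them.

```python
"""Cross-check ASA cut-through proxy ACLs against interface ACLs.

Added example for this thread, not code from the original post or from Cisco.
It models the one ACE shape used in the thread
("access-list NAME extended permit|deny PROTO any host DST eq PORT") with
first-match semantics and the implicit deny at the end of every ACL.
"""
import re

# Constructed sample: Marc's lines from the thread plus an assumed
# outside_access_in ACL that, like his, has no entry for tcp/3391.
SAMPLE_CONFIG = """\
aaa authentication match authmatch outside LOCAL
aaa authentication listener http outside port 5555
access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391
access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555
access-list outside_access_in extended permit tcp any host 111.111.111.162 eq 443
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 3391 192.168.1.101 3389 netmask 255.255.255.255
"""

# The deny message from the thread, with the ASDM severity/timestamp columns dropped.
SAMPLE_DENY = ('Deny tcp src outside:222.222.222.146/50414 dst inside:111.111.111.162/3391 '
               'by access-group "outside_access_in" [0x0, 0x0]')

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) any host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
MATCH_RE = re.compile(r"^aaa authentication match (\S+) (\S+) \S+$")
LISTENER_RE = re.compile(r"^aaa authentication listener \S+ (\S+) port (\d+)")
DENY_RE = re.compile(r'Deny (\S+) src (\S+):\S+/\d+ dst \S+:(\S+)/(\d+) by access-group "([^"]+)"')


def parse_config(text):
    """Collect ACEs per ACL, the inbound ACL per interface, the aaa-match
    ACLs and the authentication listener ports as (interface, port)."""
    cfg = {"acls": {}, "groups": {}, "aaa_match": [], "listeners": set()}
    for line in text.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := GROUP_RE.match(line):
            cfg["groups"][m.group(2)] = m.group(1)
        elif m := MATCH_RE.match(line):
            cfg["aaa_match"].append((m.group(1), m.group(2)))
        elif m := LISTENER_RE.match(line):
            cfg["listeners"].add((m.group(1), m.group(2)))
    return cfg


def acl_verdict(cfg, acl_name, proto, dst, port):
    """First matching ACE wins; no match means the implicit deny."""
    for action, p, d, prt in cfg["acls"].get(acl_name, []):
        if p == proto and d == dst and prt == port:
            return action
    return "deny"


def find_blocked_auth_ports(cfg):
    """Ports the aaa-match ACL wants to authenticate but the interface ACL
    never lets through. The listener port terminates on the ASA itself and
    is skipped (an assumption of this example)."""
    blocked = []
    for auth_acl, iface in cfg["aaa_match"]:
        iface_acl = cfg["groups"].get(iface)
        for action, proto, dst, port in cfg["acls"].get(auth_acl, []):
            if action != "permit" or (iface, port) in cfg["listeners"]:
                continue
            if acl_verdict(cfg, iface_acl, proto, dst, port) != "permit":
                blocked.append((iface, auth_acl, dst, port))
    return blocked


def diagnose_deny(cfg, message):
    """Tie an ASA 'Deny ... by access-group' message back to the config:
    which interface ACL dropped it, which aaa-match ACLs cover the port,
    and the ACE that would let authenticated users reach it."""
    m = DENY_RE.search(message)
    if not m:
        return None
    proto, iface, dst, port, iface_acl = m.groups()
    auth_acls = [name for name, i in cfg["aaa_match"]
                 if i == iface and acl_verdict(cfg, name, proto, dst, port) == "permit"]
    suggested = None
    if auth_acls and acl_verdict(cfg, iface_acl, proto, dst, port) != "permit":
        suggested = f"access-list {iface_acl} extended permit {proto} any host {dst} eq {port}"
    return {"interface_acl": iface_acl, "auth_acls": auth_acls, "suggested_ace": suggested}


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    for iface, auth_acl, dst, port in find_blocked_auth_ports(config):
        print(f"{auth_acl} authenticates {dst}:{port} but the ACL on {iface} never permits it")
    print(diagnose_deny(config, SAMPLE_DENY))
```

Run against the constructed sample, the checker flags tcp/3391 on the outside interface and the deny diagnosis proposes the missing outside_access_in entry; appending that ACE to the configuration and re-running the check returns nothing, which is exactly the fix Julio describes.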

Similar Messages

  • ASA - cut through proxy authentication for RDP?

    I know how to set this up on a router (dynamic access-list - lock and key)... But, I'm having trouble understanding how to setup OUTSIDE to INSIDE cut through proxy authentication for RDP.
    OUTSIDE to INSIDE RDP is currently working.
    I have 2 servers I want RDP open for..
    [*]OUTSIDE 1.1.1.1 to INSIDE 10.10.70.100
    [*]OUTSIDE 1.1.1.2 to INSIDE 10.10.50.200
    What's required for OUTSIDE users  to authenticate on the ASA before allowing port 3389 opens? I was hoping for is a way to SSH into this ASA, login with a special user, then have the ASA add a dynamic ACE on the OUTSISE interface to open 3389 for a designated time limit. Is this possible?
    Here is my current config.
    [code]
    ASA Version 8.2(5)
    hostname ASA5505
    names
    name 10.10.0.0 LANTraffic
    name 10.10.30.0 SALES
    name 10.10.40.0 FoodServices
    name 10.10.99.0 Management
    name 10.10.20.0 Office
    name 10.10.80.0 Printshop
    name 10.10.60.0 Regional
    name 10.10.70.0 Servers
    name 10.10.50.0 ShoreTel
    name 10.10.100.0 Surveillance
    name 10.10.90.0 Wireless
    interface Ethernet0/0
    description TO INTERNET
    switchport access vlan 11
    interface Ethernet0/1
    description TO INSIDE 3560X
    switchport access vlan 10
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    security-level 50
    no ip address
    interface Vlan10
    description Cisco 3560x
    nameif INSIDE
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Vlan11
    description Internet Interface
    nameif OUTSIDE
    security-level 0
    ip address 1.1.1.1 255.255.255.224
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup OUTSIDE
    dns server-group DefaultDNS
    name-server 8.8.8.8
    name-server 4.2.2.2
    domain-name test.local
    access-list RDP-INBOUND extended permit tcp any host 1.1.1.1 eq 3389
    access-list RDP-INBOUND extended permit tcp any host 1.1.1.2 eq 3389
    pager lines 24
    logging enable
    logging timestamp
    logging trap warnings
    logging device-id hostname
    logging host INSIDE 10.10.70.100
    mtu INSIDE 1500
    mtu OUTSIDE 1500
    ip verify reverse-path interface OUTSIDE
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (OUTSIDE) 1 interface
    nat (INSIDE) 1 LANTraffic 255.255.0.0
    static (INSIDE,OUTSIDE) tcp interface 3389 10.10.70.100 3389 netmask 255.255.255.255
    static (INSIDE,OUTSIDE) tcp 1.1.1.2 3389 10.10.50.200 3389 netmask 255.255.255.255
    access-group RDP-INBOUND in interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
    route INSIDE LANTraffic 255.255.0.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http Management 255.255.255.0 INSIDE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 10.10.70.100 255.255.255.255 INSIDE
    ssh Management 255.255.255.0 INSIDE
    ssh 0.0.0.0 0.0.0.0 OUTSIDE
    ssh timeout 5
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection scanning-threat shun
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    username scott password CNjeKgq88PLZXETE encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1e9d278ce656f22829809f4c46b04a07
    : end
    [/code]

    You're running ASA 8.2(5). In 8.4(2) Cisco added support for what they call Identity Firewall rules. That is, you can make access-lists entries specific to users (or object groups containing users).
    There's an overview document on this posted here. It's a bit dated but I believe the only change is that Cisco is now preferring use of the more current Context Directory Agent (CDA) - a free VM they provide - vs. the deprecated AD agent (software service that runs on your DC).

  • Cut-Through Proxy / Authentication Proxy on Cisco ASA using ISE as AAA Server for allocating SGTs

    Hi,
    We are trying to set up the ASA to do cut-through authentication proxy, and use ISE as RADIUS. We can successfully authenticate the user from RADIUS on the ASA while he opens a web page, but then it displays the error: authorization denied.
    What we want:
    ISE to allocate a security group tag to the user session when he logs in; that tag would be carried within our Cisco network infrastructure to define the access policy for that user.
    Can someone please help me with a sort of step by step thing for ISE configuration to allocate SGTs/SGACL for the user session after authentication is completed.
    Thanks
    Lovleen

    Please refer to the step-by-step config guide below for security group access policies:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sga_pol.html

  • ASA Cut Through (Authentication) Proxy for a Single ACL

    I have a customer that wants to authenticate users at the ASA before being allowed access from the outside into a payroll server on the DMZ.  I am aware of the cut through proxy feature, but doesn't that affect all traffic entering the DMZ?  Is there a way to only authenticate users accessing one server?

    Hi,
    Seems to me the easiest way to do this is if you are connecting to the destination server with either a browser- or CLI-based connection.
    For example if its a browser based connection then you could configure
    username password privilege
    access-list PROXY-AUTH extended permit tcp any host eq http
    access-list PROXY-AUTH extended permit tcp any host eq https
    access-list PROXY-AUTH extended deny ip any any
    aaa authentication match PROXY-AUTH LAN LOCAL
    I don't think you even need the "deny" statement since there is an implicit deny at the end of each ACL
    Where "LAN" is my interface "nameif" connect to my LAN network.
    To my understanding, if you are using some application for this connection that doesn't apply in this situation, then you would have to configure this in another way and the user would have to first connect manually to the ASA for authentication and would then be allowed to connect to the resource.
    Have a look at this document for some help
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml
    Hope this helps
    - Jouni

  • Cut-through authentication vs. virtual telnet/http

    Hi,
    I'm having difficulties understanding the meaning of the virtual telnet/http commands on the ASA.
    I have configured an ASA and defined an access-list with all the traffic which is to be authenticated. These are protocols like RDP, which can't be intercepted by the ASA, but also HTTP and HTTPS which can indeed be intercepted (this is also referred to as cut-through authentication).
    The setup works in principle. Then a few consultants came and checked my config for errors. They also performed a port scan, where they found out that all protected services (which should only work after authenticating) were answered by the ASA (a TCP session was started), so an attacker would know what potential services are behind the firewall.
    The customer (and I) disliked this behaviour, and I thought this could be solved by using the virtual http feature: define a separate IP address, to which you can connect via HTTPS and authenticate, after which you can reach all other services.
    Can this be done with this feature? My test results showed just the behaviour that you can authenticate at the virtual http address, but the cut-through authentication is still active, so that's not the solution.
    To be honest, I even believe that the virtual telnet/http feature is completely useless! Why? Because to make it work, you have to
    1) allow the IP on the inbound ACL
    2) add the ip in the ACL where the authenticated traffic is defined
    3) configure a NAT for this ip to be routed inside
    I don't really see a practical reason for this command - Thanks for your thought...
    Florian

    Hi Florian / Jeff
    I agree largely with what you are saying and have found similar issues with it. If you are already authenticating to a web service, the additional config of a virtual http service seems unnecessary.
    But I think one instance where virtual telnet is useful is if you have services such as RDP etc. that you need to authenticate but you don't have a web server or telnet server to authenticate against.
    Without virtual telnet I'm not sure how you could set up access to these services, so you would need virtual telnet in this case.
    Where I find the command particularly useless is that I want to authenticate people accessing, for example, terminal servers on a particular subnet. This subnet is also running web servers.
    Now say I want to do this via http authentication. I'm trying to authenticate them because I don't know their IP addresses. So I enter an authentication command for http, but now everyone who wants to use http has to authenticate and not just people who are going to be using terminal services.
    Regards

  • JDBC connection Oracle through OS Authentication

    We are doing some testing to use JDBC to connect to an Oracle DB through OS Authentication; it got some errors. Can anyone help us? Thanks a lot!
    our DB version is Oracle 10g [Enterprise Edition Release 10.1.0.4.0]
    we can login through the unix using OS Authentication by : sqlplus /
    [code]
    import java.sql.Connection;
    import java.sql.Driver;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.util.Properties;
    import oracle.jdbc.OracleConnection;

    public class TmsDataSourceTest {
        public static void main(String[] args) {
            try {
                String url = "jdbc:oracle:thin:@svzinder.gon.zuerich.ubs.ch:49173:JKR";
                Driver driver = new oracle.jdbc.OracleDriver();
                DriverManager.registerDriver(driver);
                Properties props = new Properties();
                // OSUSER value reported in v$session for this thin-driver session
                props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_VSESSION_OSUSER, "unix_user1");
                Connection conn = DriverManager.getConnection(url, props);
                String SQL = "select * from JKR_V_EMP";
                try {
                    PreparedStatement sql = conn.prepareStatement(SQL);
                    ResultSet results = sql.executeQuery();
                    // getString() is only valid once next() has positioned the cursor on a row
                    if (!results.next()) {
                        System.out.println("No rows");
                    } else {
                        System.out.println(results.getString("result"));
                    }
                } catch (Exception e) {
                    System.err.println("Failed to execute");
                    e.printStackTrace();
                    return;
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    [/code]
    Exception in thread "main" java.lang.UnsatisfiedLinkError: no ocijdbc11 in java.library.path
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1682)
    at java.lang.Runtime.loadLibrary0(Runtime.java:822)
    at java.lang.System.loadLibrary(System.java:993)
    at oracle.jdbc.driver.T2CConnection$1.run(T2CConnection.java:3159)
    at java.security.AccessController.doPrivileged(Native Method)
    at oracle.jdbc.driver.T2CConnection.loadNativeLibrary(T2CConnection.java:3155)
    at oracle.jdbc.driver.T2CConnection.logon(T2CConnection.java:233)
    at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:508)
    at oracle.jdbc.driver.T2CConnection.<init>(T2CConnection.java:133)
    at oracle.jdbc.driver.T2CDriverExtension.getConnection(T2CDriverExtension.java:53)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:510)
    at java.sql.DriverManager.getConnection(DriverManager.java:525)
    at java.sql.DriverManager.getConnection(DriverManager.java:140)
    at com.ubs.swidJKR.v1.tms.batch.calculation.TmsDataSourceTest.main(TmsDataSourceTest.java:44)
    exit_code=1

    The name of this group is Recovery Manager(RMAN).
    How does any of this relate to RMAN?
    How does any of this relate to the Oracle Database, and what version and edition is it?
    Please edit the subject of your original post and change it to "Please Ignore."
    Then post your inquiry in the right forum for the right product.
    Thank you.

  • Cannot connect to RDP farm through Direct Access

    Hey everyone, hope you can help/
    I have an issue connecting to the RD Farm when connected through Direct Access. I have tried specifying the RD Gateway to no avail. Cannot ping the RD farm or session hosts through v4 but can through v6. The address comes back as the 6to4 address and is different for each ping to each session host.
    When trying to RDP to the farm (or directly to a SH), the certificate trust prompt comes up, so I confirm that I am happy to trust the certificate for the connection, and it goes through to the point of initiating the remote connection and then fails with the standard "Remote Desktop can't connect to the remote computer..." message.
    I am not entirely sure where or how to troubleshoot this first. Users on the local side of the WAN are OK; it's only external.
    Apparently after numerous attempts the connection works, but I am yet to witness this.

    Russel,
    the problem has been solved now! The final thing missing was just a check in a checkbox.
    Below is a comprehensive explanation that may help others.
    We basically did what you proposed:
    We sent a ping from one of the DA clients to the TS farm members. Since we got replies, we knew that IPv6 communication generally is okay. The answer received was an IPv6. In this scenario we had not yet given any IPv6 to the farm members! Thus we knew it must be coming from the DA DNS proxy. There are a number of DA GPOs and one of them is dictating the net portion of the IPv6 to be used in DA communication, appended by a hex translation of the target computer's IPv4. Therefore the DA DNS proxy is taking the GPO-set IPv6 value, adds the IPv4 in hex and sends it back as an ICMP echo.
    With this in place and working correctly one can ping any domain host from any DA client. This is configured when initially setting up DA and is handled by the wizard. Once DA is installed this should all be in place without extra user interaction.
    We then took those IPv6 answers and turned them into fixed IPv6 addresses of the farm members (each member its own IPv6). So far so good, but this is where it still did not work. Evaluation of the Connection Broker log showed that the redirect reply still included only the IPv4 of the target farm member. With that (after a short while) we realized that one has to set a check in the Connection Broker's settings, so that the IPv6 LAN connection will be used for redirects as well and not only the IPv4 LAN connection..... How stupid is that? :-)
    But as we all know - in dealing with server configuration - you should always "know before you go". But even though you may think you do, when finally arriving you know you didn't.... And that's what we call experience.
    Thanks to Russel for your interest and help.
    Brgds Ralf

  • IPhone 5 not being recognized in iTunes (Mac). I have the latest Software update for iTunes, my iPhone, and my Mac. I have gone through the iTunes connectivity troubleshooting, no luck. Any suggestions/solutions?

    The reason I found this problem is that I did a complete reset of my iPhone, so it reset all the content, through settings on the phone. That ended up deleting the ringtones I had. I tried searching up the same tones, however you can't "Install" already purchased stuff like you can in the AppStore.
    I can't "iTunes wifi-sync" because you need to have connected at least once to the computer before you can wifi-sync, but because I reset my phone, it doesn't "remember" that it once synced with my Mac.
    I have gone through the "iTunes connectivity troubleshooting", nothing worked.
    http://www.apple.com/support/iphone/assistant/itunes/#section_1
    My iPhone charges fine with the USB-Wall outlet adapter, so its not the lightning connector or the USB connector on the other end of the cord.
    All the USB ports on my Mac are functioning (working with other cords for printers, etc.), but still the iPhone persists in not being recognized in iTunes.
    So I am guessing iTunes is the problem.
    Any Help, Solutions, Suggestions, would be appreciated.
    Thanks.

    I had not tried that article, however I already went through the troubleshooting assistant, which covers everything that article has.
    I am about to try to delete and re-install iTunes though, which was mentioned in your article link.
    Thanks for the help.
    I'll post my findings/results.

  • Pix cut-through proxy

    A quick question; since I do not have access to a PIX I cannot confirm it.
    Say I want to do PIX cut-through proxy and authenticate access via TACACS on a per-user basis.
    I want a user accessing SMTP inside the PIX to go through TACACS authentication.
    my question is "do I need a statement for http on the access-list ?"
    thank you.
    here is the config
    [code]
    PIX-525# wr t
    PIX Version 6.3(1)
    access-list 100 permit tcp any host 155.1.1.4 eq http
    access-list 100 permit tcp any host 155.1.1.4 eq smtp
    access-list 150 permit tcp any host 155.1.1.4 eq http
    access-list 150 permit tcp any host 155.1.1.4 eq smtp
    access-group 100 in interface outside
    static (inside,outside) 155.1.1.4 192.168.1.4 netmask 255.255.255.255 0 0
    aaa-server AUTHEN protocol tacacs
    aaa authentication match 150 outside AUTHEN
    [/code]

    Cut-through proxy is a feature unique to PIX Firewall that allows user-based authentication of inbound or outbound connections. A proxy server analyzes every packet at layer seven of the OSI model, which is a time- and processing-intensive function. By contrast, the PIX Firewall uses cut-through proxy to authenticate a connection and then allow traffic to flow quickly and directly.
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html

  • Android MS RDP - RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402).

    I love iTap Mobile. Paid for the app. Sorry to see them discontinue it, but now I know why. Microsoft bought them out! But even though free, I am getting an error: RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402). I worked with iTap to fix this so I guess they sold Microsoft their older buggy code... Microsoft, please fix!
    PS: This is the Android version. Mac and iOS are both okay.
    EDIT: After an update a few months ago, iOS is no longer working. Not sure if the problem is related to the Android MSRDP issue.
    UPDATE - Relevant posts (need Android RDP software engineer to fix):
    Event Viewer Log when using Android client:
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This is most likely for logging into RD Web - icons show up).
    The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource "localhost". The following error occurred: "23002". (This is after clicking on any of the icons).
    I think the Android MS RDP client is providing the incorrect resource. It shouldn't be "localhost". It should be the RD Connection Broker's hostname, I believe.
    Here's what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "rdsfarm.domain.com".
    Stephan,
    Do you have any way to contact the software engineer who worked on the Android version of the RDP client? Please have them read this thread. They need to fix the hard-coded "localhost" resource to be a variable (namely whatever the user put in for the server).
    This is why the MS RDP app is failing in situations where the FQDN for the RD Gateway and Connection Broker uses the same host name.
    Again, this is not a configuration problem on our end as it works as intended with the native Windows RDP client as well as the Mac and iOS version of the mobile RDP client (all based on iTap Mobile's RDP app).
    This is a problem specific to the Android RDP app.
    PS: No matter how hard I try, the WYSIWYG editor is not very WYSIWYG at all, and so everything here looks messed up even though it looked right when I posted it (it is deleting new blank lines I'm inserting to make it spaced out and easier to read). See below to read the post in context.

    Thanks for the bumps, everyone.  I haven't check this thread in a while because I basically gave up on Microsoft's ability to respond.  Unlike paid apps, there's no number to call or ticket to open when an app like this malfunctions.
    Just to give you an update, iOS users started having issues connecting a few months ago.  I don't remember what version started this.  I'm not sure if it's the same problem.
    Also, the newest version now gives a slightly different error message:  RpcOverHttpEndpointException: 2, Your connection was denied because of a Resource Access Policy (TS_RAP).  Please contact your server administrator.
    For Android users, I am starting to recommend Xtralogic Remote Desktop Client.  It's a paid app, but it works great.  I don't know of any alternative for iOS.
    MSRDP for Mac OSX (was also an iTap application) continues to work throughout the many updates.
    We need a software engineer from MS to read my first post. All the information that will point to a fix is there. I strongly believe someone hardcoded the string "localhost" instead of using a variable to point to the FQDN of the rdsfarm name.
    Here's that info again (copied/pasted). It doesn't take an engineer to understand the issue. If you know how to decipher Event Logs, you can see where the problem is.
    Event Viewer Log when using Android client:
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This is most likely for logging into RD Web - icons show up).
    The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource "localhost". The following error occurred: "23002". (This is after clicking on any of the icons).
    I think the Android MS RDP client is providing the incorrect resource. It shouldn't be "localhost". It should be the RD Connection Broker's hostname, I believe.
    Here's what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "rdsfarm.domain.com".

  • Authenticator not being invoked - NTLM authentication against IIS 6.0 !!

    Hi Folks,
    I am trying to access Microsoft Reporting Services running on IIS 6.0 through a web proxy (a simple application running in an app server) using NTLM authentication. This is what I am doing:
    Authenticator.setDefault(new ReportAuthenticator());
    HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
    As I understand it, the authentication is to magically work with the IIS server requesting my web proxy for the credentials on connect, which should invoke the Authenticator class.
    However this is not happening at the moment. The authenticator object never gets invoked and even then my web proxy is able to chat to IIS. The Sun app server hosting my web proxy is somehow passing my Windows credentials to IIS and since my account has sufficient privileges on IIS, I am able to get through the initial connection.
    When I debug the urlConnection object, I can see that the connection recognises that this is an NTLM authentication but is obviously not using the Authenticator credentials.
    Is the Authenticator object meant to be invoked automatically or do I need to set some header information in the urlConnection??
    Any help is greatly appreciated.
    P.S: I am using JDK 1.5, IIS 6.0, Sun App Server 9.0 (platform edition)
    best regards
    Dushy

    Hi,
    we had the same problem, but we got support
    from readme.txt
    Bug#: 6789020
    Agent type: All Agents
    Description: In CDSSO mode non enforced POST requests cannot be accessed
    Bug#: 6736820
    Agent type: IIS 6 Agent
    Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
    Both bugs should be fixed in this version:
    Sun Java System Web Agents 2.2-02 hotpatch2

  • SMTP Send Mail - too many authenticated connection...

    Using Outlook on a Mac, and within this last week I have started to get this error when sending mail. I have read all the forum posts and help documents on this issue and ensured that my settings are as described, and yet I am still having this problem.
    Should I be switching to IMAP to avoid this problem, and if so how do I do that without losing all my SMTP downloaded email?
    Thanks for any insight - it is causing me real issues now as I'm job hunting and can't reply to job emails!!!!

    Yes, same problem for me. In the last three days, or so, I will get the random "too many authenticated connections" message. I have just phoned BT twice this afternoon and had great trouble understanding both Indian guys. One suggested he's fixed it by adjusting things at BT to accept "S Client Mail", whatever that means! That however didn't fix it. The second suggested I needed to reset my password (easy option that one), until I pointed out that I am having no trouble with password use on the BT webmail page or through my phone. He then said I'd have to reload Outlook to solve the problem. Yeah right, like I'm gonna lose all my emails, settings and calendar to satisfy his theory of "if it doesn't work then reload it". There is clearly a server problem somewhere and OH, how I would love to speak to someone, (anyone), at BT who actually knows what they are talking about from a network/server angle. Anyone worth their salary in networks could trace my activity online and find out what was going on and why it was failing.
    Settings for POP3 and all others have been checked by BT as being correct.

  • Help with PC- Time Capsule direct ethernet connection

    First let me say that PCs are a total mystery to me - I am a Mac person all the way. That being said, I do own a PC for the occasional situation where I can't do what I need to do on a Mac (something that is happening less and less these days).
    I just got a Time Capsule that I configured through my MacBook and which is working fine. I am trying to hook up my PC (which does not have wireless capability) via a direct ethernet connection. The PC seems to recognize that it's on a local network, but cannot connect to the Internet. I have tried going through the various network configuration wizards on the PC and nothing seems to be what I need. Help has been useless. Can anyone give me some hints about what I need to do to get the PC to recognize that there is an Internet on the other side of the Time Capsule connection?

    I am still interested, thanks! Just couldn't get to things during the week. I am running Windows XP Home Edition. I have to ask you to spell out things a little bit more. To start with setting DHCP - I am not sure how to do that. I tried using Help and it gives me nothing useful.
    When I run Network Connections I see a Local Area Connection listed. Type: LAN or High-Speed Internet. Status: Connected: Device Name: Broadcom 440x 10/100 Integrated Controller. Phone # or Host Address: <blank> Owner: System.
    Double click it, get Status: Connected, Duration: <counting up> Speed: 100.0 Mbps.
    Under Support, Connection Status, everything is blank (Address Type, IP Address, Subnet Mask, Default Gateway). This does not seem good. But I am not allowed to enter anything on this screen. If I click Repair, it says "Window could not finish repairing the problem because the following action cannot be completed: Failed to query TCP/IP settings of the connection. Cannot proceed. For assistance, contact the person who manages your network. (LOL - that would be me)"
    There's a control panel for the Broadcom Advanced Control Suite. The IP Address is 192.168.0.101. I don't see anything there about DHCP or TCP/IP.
    There's an "Internet Options" controller, where I found an Internet Connections Wizard, but that doesn't seem to do it. I say I want to connect to the internet using an ethernet connection, and then it says "Your broadband connection should already be configured and ready to use. If your connection is not working properly, click the following link. (Which is "Learn more about broadband connections"). This is a help page that sends me back to Network Connections (where I started).
    Nowhere have I found a place to set DHCP or addresses.
    Please, if you can, tell me where to look to adjust these settings. Thanks very much for your help.

  • Strange problem with cut-through proxy

    Hi,
    I have configured cut-through proxy on the router with ACS. I am facing a strange problem.
    My router's Ethernet 3/0 interface IP address is 10.1.1.1/24, the ACS server is 10.1.1.2/24 and the host IP is 10.1.1.3/24.
    My router's e2/0 interface is connected to a server running a website.
    int e2/0
    no shutdown
    ip add 20.1.1.1/24
    exit
    The web server is running on 20.1.1.2.
    My router's config:
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authorization auth-proxy default group tacacs+
    aaa authorization exec default group tacacs+
    tacacs-server host 10.1.1.2
    tacacs-server key cisco
    ip http server
    ip http authentication aaa
    ip access-list 101 permit tcp host 10.1.1.2 eq tacacs host 10.1.1.1
    ip auth-proxy name auth http
    int e3/0
    no shutdown
    ip add 10.1.1.1/24
    ip access-group 101 in
    ip auth-proxy auth
    exit
    On the ACS server, in the TACACS+ (IOS) settings, I have selected auth-proxy in the services for users and groups.
    I have created a user john with privilege level 15,
    have selected auth-proxy and custom attributes:
    proxyacl#1=permit tcp any any priv-lvl=15
    I get the auth-proxy login page when the host on 10.1.1.3 is trying to access the 20.1.1.2 web site.
    After putting in the login credentials I get authentication failed.
    I tried the debug. I see the router is sending the authentication login and password and getting the status from the ACS as pass. I also see the auth-proxy triggered. In there I see
    AUTH-PROXY PROTOCOL NOT CONFIGURED.
    Could someone please help me with what could be the problem? I have tried many times to get this to work, but not fortunate enough.
    Am I missing any commands on the router or on the ACS? I tried doing as the example mentioned in the student guide but still failed. Please help. Waiting for some reply.
    sebastan

    Check out the following link...
    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b5e.html

  • ASA cut through proxy with RADIUS challenge response?

    Have this working for IPSEC VPN on same box (tested on 8.2.1 and 8.2.3)
    Want to do cut-through proxy with challenge response on the same ASA and same RADIUS server but using the aaa authentication match command, and this is what happens...
    It looks like the ASA sends a completely different radius authentication request than with VPN authentication request. Is there any way to specify what request is sent?
    What the RADIUS Server sees with ASA VPN auth - THIS WORKS OK (included for comparison)
    Date: 15/11/2010
    Time: 3:53:57 PM
    Type: Information
    Source: Server
    Category: RADIUS
    Code: I-006001
    Description: A RADIUS Access-Request has been received.
    AMID: 0xC8500B80B3D8F49C6CB37E5D32DA6682
    Details:
    Source Location : 10.xx.21.24
    Client Location : 10.xx.21.230:1025
    Request ID : 31
    Password Protocol : PAP
    Input Details : RADIUS Code:1, RADIUS Id:31, , User-Name:xxxx, User-Password:******, NAS-IP-Address:10.xx.21.230, NAS-Port:31, NAS-Port-Type:Virtual, vendor(9):attrib(1):0x1A2000000009011A69703A736F757263652D69703D31302E32312E352E313137, Calling-Station-Id:ip:source-ip=10.21.5.117
    Action : Process
    What the RADIUS Server sees with ASA cut thru - THIS FAILS (any help V welcome)
    Date: 17/11/2010
    Time: 2:29:31 PM
    Type: Warning
    Source: Server
    Category: RADIUS
    Code: W-006001
    Description: An invalid RADIUS packet has been received.
    AMID: 0xC19D988F83365F20151C3F6339DEC74B
    Details:
    Source Location : 10.xx.21.24:1812 (Authentication)
    Client Location : 10.xx.21.230:1025
    Reason : The sub-protocol of the received RADIUS packet cannot be determined
    Request ID : 33
    Input Details : 0x01210066055A8B6881266714BDB20380B9FE5FAC01066962333504060AC815E60506000000203D06000000051A2000000009011A69703A736F757263652D69703D31302E34302E352E3131311F1A69703A736F757263652D69703D31302E34302E352E313131
    Request Type : Access-Request
    Thanks in advance
    IB

    Hi Ian,
    sorry for the late reaction - do you still need help with this?
    The difference between the working (VPN) auth and the failing (CTP) auth seems to be that VPN is using PAP (so no challenge-response!) while the CTP is using MS-CHAPv2.
    So my guess is that your RADIUS server does not support MS-CHAPv2. If that is the case then you may want to try this:
    aaa-server () host
    no mschapv2-capable
    This command is not really meant to be used in this scenario, so I'm not sure if it will work, but I'm hoping it will make the ASA revert to PAP for all auth requests to this host.
    Note that you won't be doing challenge/response, so your passwords will be transmitted over the wire (encrypted).
    hth
    Herbert
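    As an added example, not code from this thread, the following Python decoder walks the hex dump IB quoted for the rejected Access-Request and lists the attributes the server actually received, then reports which credential-bearing attribute (User-Password for PAP, CHAP-Password, EAP-Message, or the Microsoft MS-CHAP vendor attributes) is present. The attribute names and vendor ids are the standard ones from RFC 2865, 2869 and 2548; the packet bytes are copied from the post, with the leading 0x dropped.

```python
import struct
from ipaddress import IPv4Address

# Constructed from the hex dump quoted in the post above (the Access-Request the
# RADIUS server rejected as "sub-protocol cannot be determined"); "0x" dropped.
FAILING_REQUEST_HEX = (
    "01210066055A8B6881266714BDB20380B9FE5FAC01066962"
    "333504060AC815E60506000000203D06000000051A200000"
    "0009011A69703A736F757263652D69703D31302E34302E35"
    "2E3131311F1A69703A736F757263652D69703D31302E3430"
    "2E352E313131"
)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
DECODERS = {4: lambda b: str(IPv4Address(b)), 5: lambda b: int.from_bytes(b, "big"),
            61: lambda b: int.from_bytes(b, "big")}
# Attributes that carry the credential and so fix the password protocol (RFC 2865/2869),
# plus Microsoft's MS-CHAP vendor attributes (vendor id 311, RFC 2548).
CREDENTIAL_TYPES = {2: "PAP", 3: "CHAP", 79: "EAP"}
MSCHAP_SUBTYPES = {1: "MS-CHAP", 11: "MS-CHAP", 25: "MS-CHAPv2"}


def parse_radius(hex_dump):
    """Decode one packet into (code name, identifier, [(type, vendor, vtype, value)])."""
    pkt = bytes.fromhex(hex_dump)
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError(f"length field {length} does not match {len(pkt)} bytes received")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        val, vendor, vtype = pkt[pos + 2:pos + alen], None, None
        if atype == 26:  # Vendor-Specific: 4-byte vendor id, then one sub-attribute
            vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
            val = val[6:4 + vlen]
        decode = DECODERS.get(atype, lambda b: b.decode("latin-1"))
        attrs.append((atype, vendor, vtype, decode(val)))
        pos += alen
    return CODES.get(code, f"Code-{code}"), ident, attrs


def credential_protocols(attrs):
    """Password protocols implied by the credential-bearing attributes present."""
    found = set()
    for atype, vendor, vtype, _ in attrs:
        if atype in CREDENTIAL_TYPES:
            found.add(CREDENTIAL_TYPES[atype])
        elif atype == 26 and vendor == 311 and vtype in MSCHAP_SUBTYPES:
            found.add(MSCHAP_SUBTYPES[vtype])
    return sorted(found)
```

    Running `parse_radius(FAILING_REQUEST_HEX)` shows the quoted packet carries User-Name, NAS-IP-Address, NAS-Port, NAS-Port-Type, a Cisco (vendor 9) AV-pair and Calling-Station-Id, and `credential_protocols` returns an empty list for it, which is the first thing to confirm when a server reports that it cannot determine the password protocol.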
