DHCP and Radius

Hi,
We are trying to migrate a secure wlan that uses certificates on client laptops.
The ultimate goal is to point the secure wlan to a new DHCP server which also has a new Enterprise certificate. Currently, the old server provides the Enterprise certificate and the DHCP scope for the secure wlan. When we attempted to migrate the secure wlan previously, the 5508 could not perform 802.1X communications with the new server since it didn't have the certificate.
Question: for the secure wlan can we point it at the new server for DHCP and point it at the old server for the Enterprise certificate until such time we can get the certificate on the new server?
The secure wlan does use Radius pointing to the new server.
Thanks.

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3s/DHCP_Server_RADIUS_Proxy.html#GUID-4C505B07-76D0-43D2-8FF9-2A71FB2685FC
Configuring the DHCP Server for RADIUS-based Authorization
Perform this task on the DHCP server to configure address allocation for RADIUS-based authorization of DHCP leases.
SUMMARY STEPS
1.    enable
2.    configure terminal
3.    service dhcp
4.    aaa new-model
5.    aaa group server radius group-name
6.    server ip-address [auth-port port-number] [acct-port port-number]
7.    exit
8.    aaa authorization network method-list-name group group-name
9.    aaa accounting network method-list-name start-stop group group-name
10.    ip dhcp pool name
11.    accounting method-list-name
12.    authorization method method-list-name
13.    authorization shared-password password
14.    authorization username string
15.    exit
16.    interface type slot / subslot / port [. subinterface]
17.    encapsulation dot1q vlan-id second-dot1q {any | vlan-id[, vlan-id[- vlan-id]]}
18.    ip address address mask
19.    no shutdown
20.    radius-server host ip-address [auth-port port-number] [acct-port port-number]
21.    radius-server key {0 string | 7 string | string}
22.    exit

Similar Messages

  • WPA2 and Radius server configuration

    On the page: http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
    is described how to setup a WPA2 and Radius server.
    If I follow this, the Radius server does not work. In the document they describe that I need to use 10.0.0.1 as the IP, but my AP has a 192.168.1.251 address. Even if I enter that address, or the 10.0.0.1, it does not work.
    Normal WPA2 personal, without Radius does work.
    I use a 1100 series AP (AIR-AP1120B-E-K9) with an AIR-MP21G, and the firmware of the radio module is 5.90.11.
    The IOS version is 12.3(8)JA2.
    Does anyone know what to do?
    Haik

    Hello,
    I understand that. I have given the AP a fixed address, 192.168.1.251. This is outside the DHCP pool, from the router.
    Even if I use this address in the Radius configuration, it still does not work. My client (laptop with Intel Pro Wireless 2200 card) detects that there is a Radius server, and asks for a username / password.
    But even if I fill it in correctly (copy / paste) it does not work.
    So what can be wrong with this configuration?
    Haik

  • Multiple airport Extremes and RADIUS

    I've got a rather large network of Airport Extreme Base stations.  7 to be exact.  Currently they're authenticated via WPA.  I'd like to upgrade them to use the RADIUS service in OS X Server.  (fully up to date)
    Can someone who has set this up in practice share some experience and things to watch for?
    Right now, I'm using a DLink DFL-210 router, DHCP Server on the Mac OS X Server, and Open Directory, also on the Mac Server.  As far as I understand, I will not be able to set up the Base Stations with this configuration as the airport needs to be set up in DHCP and NAT mode in order to perform the setup.  (the server won't see the Airports unless they're in this mode) 
    Also, as far as I understand, it seems that I'll need to have the airport extreme also be the router! 
    Is it possible to set up the first or multiple ones on a "mock" network, then move it over?  What will I have to watch for when I install it on the new system?  Certificates are going to be an issue as well, won't they?

    Hi gracoat,
    I've got a similar setup to you. I currently run 8 airport extreme wifi routers (various generations) at our offices and everything is behind a primary SonicWall hardwired firewall router. What you will need to do is actually activate RADIUS on the OS X server and then manually set up each airport extreme to use WPA2 Enterprise for their wifi security. Then you will enter your OS X server address into each airport for the WPA2 Enterprise settings.
    A great video on how to activate RADIUS on an OS X server 10.8: https://vimeo.com/53774350#
    Instructions on how to configure the airports with the Airport Utility: http://support.apple.com/kb/PH5129

  • Problems setting up Verizon DSL (DHCP) and AirPort Extreme

    I have Verizon DSL with DHCP and an old router (Linksys WRT54G). I've bought an iMac and a new router (AirPort Extreme) to connect to the iMac wirelessly. I have a Windows computer connected to the Linksys WRT54G. Now here is the story. I can connect the Verizon DSL modem (it's in bridge mode) to the PC directly and connect to the Internet. When I plug the AirPort between the DSL modem and the PC, auto-configuration doesn't work; AirPort Utility says there is a problem with the internet connection. The router simply can't obtain an IP address from Verizon's DHCP server. I've tried to copy the DNS server addresses from the IP configuration in Windows; the AirPort light went green and Windows indicated the connection as successful, however I still couldn't browse the Internet because the gateway is not set. Any ideas how to make the AirPort connect to the internet using DHCP instead of manual settings? I can try to do it from the Mac if needed, I don't think it would make any difference though.

    Welcome to the discussions!
    Sorry, I can't quite track exactly what you are trying to do.
    What would the network that you are trying to set up look like?
    Modem>AirPort Extreme>Computers? Are you saying that you won't be using the Linksys in the new setup?
    Sounds like you need to set the AirPort Extreme up to supply PPPoE service (which the Linksys is doing now, if the modem is in bridge mode), but I will wait for your response before offering specific info.
    If you've been fiddling with settings, we may need to do a hard-reset on the AX to start over. You should not be fiddling with DNS, etc. Almost always, these settings are done automatically when you have the device set up correctly.

  • Apple Airport Extreme Base Station for PPPoE, DHCP and NAT with ActionTec DSL modem

    I just spent several hours trying to track down proper instructions for setting up my Apple AEBS to do the PPPoE, DHCP and NAT while connected to an ActionTec M1000 (no wireless module).  It turns out my initial setups on both devices were correct, but that the order for rebooting and reconnecting the two devices is critical.  All of the threads I found on this forum and on many others suggested this was not possible, but it is.  What I don't yet know is whether it is the best method for running my home network DSL connection to my ISP (CenturyLink).
    The instructions I found that worked come courtesy of Brandon Konkle's blog and are both simple and clear:  http://brandon.konkle.us/post/19637529637/centurylink-actiontec-q1000-airport-extreme-bridge
    The proper settings for the ActionTec DSL Modem can be found under Advanced Setup/IP Addressing/WAN IP Address
    Click RFC 1483 Transparent Bridging then click on Apply.
    (see also http://qwest.centurylink.com/internethelp/modems/m1000/pdf/M1000_BRIDGE.pdf )
    To reduce time, do this BEFORE you reset your AEBS then set the AEBS so that you don't have to wait for the AEBS to reboot. 
    In contrast to what Brandon described for the Q1000 modem, my AEBS never reconnected to the modem (he describes his as getting an IP from his ISP, then dropping it then getting another over and over - mine never got an IP).  Once you have reset both devices as described, the critical steps I have not found described elsewhere were:
    1.  Disconnect the power from both the modem and the Airport Extreme.
    2.  Disconnect the Ethernet cable between the two devices
    3.  Restore power to the 2 devices and allow them to fully reboot.  For the ActionTec M1000, this is indicated when the lights stop blinking.  (Note that the Internet light will NOT be lit in this instance since the modem is acting only as a bridge.  You will NOT have an Internet connection until the AEBS is reconnected.)  The AEBS will be blinking yellow.
    4.  Reconnect the Ethernet cable between the devices (make sure on the M1000 that you are using the connector with the circle icon over it, not the arrow icon).
    Within about 60 seconds, the AEBS light went to steady green and the connection to the Internet was restored.
    Now I have to see if this is a more stable configuration than the flaky one I had before while using the AEBS as a bridge and the M1000 to do everything. 
    Does anyone think or know if it will make a difference?

    Now I have to see if this is a more stable configuration than the flaky one I had before while using the AEBS as a bridge and the M1000 to do everything.
    Does anyone think or know if it will make a difference?
    No one can accurately predict in advance what the actual results might be. I've tried both ways with different products and cannot say that one method is better than the other.  What works is best.
    In theory, it is preferable to have the modem provide the PPPoE connection service since it is the device connected directly to the Internet.
    In practice, results vary depending on the service provider, products used, phase of the moon, alignment of the planets, etc.

  • Non-ISP DDNS with Apple DHCP and DNS Services

    I have two questions about Dynamic DNS (DDNS) as it applies to Apple's DNS and DHCP services within my home network. I am not talking about DDNS in the context of making my external-facing router available by a domain name on the Internet using the dynamically-assigned IP from my ISP.
    Starting with Snow Leopard Server, I attempted to use Apple's DNS and DHCP services (I have the firmware-based DHCP service in my router turned off.) The difficulty I immediately faced was that Apple's DHCP implementation didn't update the DNS service as IPs were handed out to DHCP clients. Because of this, it wasn't possible to access hosts by their hostname, since getting a DHCP-assigned dynamic IP at boot-up didn't do anything to automagically register the hostname-to-IP mapping in DNS. Manually registering the hostname in DNS was pointless, because over time the client IP address can and did change. I could create static IP assignments based on the MAC address, but doing that for all of the devices on my home network sort of defeated the purpose of using dynamic IPs.
    The only solution I eventually found was to go out and get an open source DHCP server, compile it for my Mac, install it, and configure it. After doing this, everything worked great; every time a new host or other device was booted it got a dynamic IP through DHCP, and then the DHCP server automatically updated Apple's DNS service with the hostname and assigned IP. I could immediately access every device on my network by hostname. As IP addresses changed over time, the hostname-to-IP mapping in DNS was automatically updated.
    Except, Apple's point upgrades kept breaking my non-Apple DHCP install. Every time I applied software updates to my server I had to go back and re-finagle DHCP to get it to automatically start and run. By the time Lion Server came out, I drank the Kool-Aid and went back to Apple's DHCP implementation. I was disappointed that it still didn't seem able to update DNS with hostnames as it assigned IPs, but I was so tired of mucking about at the command prompt to fix DHCP every time Software Updates broke it, I just lived with the inconvenience of not being able to access devices on my network by hostname.
    I'm sorry to say this, but Windows Server has had this capability since at least server 2003. In fact, until I dumped my Windows Server and switched to Snow Leopard Server, I was running Microsoft's DNS and DHCP services on Server 2003 and they did exactly what I'm describing brilliantly.
    Can anyone offer any advice here? Does Mountain Lion's implementation of DHCP allow for DDNS updates to the DNS service? If not, how are other people handling this? Should I go back to running Windows Server for my DNS and DHCP services? My Netgear WNDR3700 router appears to have the standard, substandard DHCP server in firmware as most home routers, and no facility for DNS at all, much less the ability to update an on-site DNS server with the IP addresses it hands out. In fact, the only appliance I know of that does this is the InfoBlox my employer uses, but that's too expensive for a home solution.
    As a Post Script, I'll add that I've been VERY unhappy that I lost the ability to bind Windows clients to Open Directory under Lion Server. Since I'm starting to see articles that say this capability hasn't been added back to Mountain Lion Server, I'm seriously considering implementing a Windows Server AD master and establishing a "magic triangle" or "golden triangle". If I end up having to do that, I wonder if I might as well just go back to using Microsoft's DNS and DHCP services.

    Hi,
    Whether to move your DHCP to another server depends on the workload of your server. If there are too many clients on the network, you should move your DHCP to another server.
    Was the record owned by the machine generated before you configured the DnsUpdateProxy group? You can try to regenerate the record and check the result.
    For more detailed information, you can view the link below.
    DNS best practices
    http://technet.microsoft.com/en-us/library/cc778439(v=ws.10).aspx
    Using DNS servers with DHCP
    http://technet.microsoft.com/en-us/library/cc787034(v=ws.10).aspx
    DNS registration changes for Windows Server 2003 based DHCP Servers
    http://technet.microsoft.com/en-us/library/ee441167(v=ws.10).aspx
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • How to set up DHCP and NAT for QNAP NAS MyCloud service?

    I have an Apple AirPort Extreme Base Station (AEBS) attached to my DSL modem (no router in the modem).  My QNAP NAS is attached via ethernet to the QNAP NAS.  My iMac (running AirPort Utility 6.x) is connected to the AEBS via wifi.
    I've found several folks who've tried this (and apparently succeeded) but I'm a networking novice and am having trouble making this work.  What I did was to go into the AirPort utility and in the networking section configure "DHCP and NAT" and then called out the static IP and MAC address of the QNAP NAS (as well as the ports I'd like to remain open).  However, when I did this and applied the changes, my iMac (connected to the AEBS via wifi) could no longer see the AEBS, which then required me to reset the AEBS, re-configure it back to the previous known good configuration and start over.  After about 5 cycles of this I gave up.
    So, what am I doing wrong here?  Do I need to go in and configure every device that is going to access the AEBS as static and call out each device's IP and MAC address? (hopefully not, that'd be a major PITA).
    Help.  Anyone?

    When I run diagnostics with the QNAP, here is the reply I get (IPs redacted):
    ------ NAT PMP Diagnostics ------
    initnatpmp() returned 0 (SUCCESS)
    using gateway : xx.x.x.x
    sendpublicaddressrequest returned 2 (SUCCESS)
    readnatpmpresponseorretry returned 0 (OK)
    Public IP address : 192.168.xxx.xxx
    epoch = 2621
    closenatpmp() returned 0 (SUCCESS)
    ------ UPnP Diagnostics ------
    upnpc : miniupnpc library test client. (c) 2006-2011 Thomas Bernard
    Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
    for more information.
    List of UPNP devices found on the network :
    desc: http://xx.x.x.x:60606/8CC1212D0C6D/Server0/ddd
    st: upnp:rootdevice
    desc: http://xx.x.x.x:9000/TMSDeviceDescription.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:55000/nrc/ddd.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:55000/dmr/ddd.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:49152/4/description.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:49152/2/description.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:49152/0/description.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:8200/rootDesc.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:49152/gatedesc.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:49153/gatedesc.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:49155/gatedesc.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:9000/TMSDeviceDescription.xml
    st: upnp:rootdevice
    UPnP device found. Is it an IGD ? : http://xx.x.x.x:60606/
    Trying to continue anyway
    Local LAN ip address : xx.x.x.xxx
    GetConnectionTypeInfo failed.
    Status : , uptime=3217870016s, LastConnectionError :
      Time started : Wed Mar 13 17:04:03 1912
    MaxBitRateDown : 7 bps   MaxBitRateUp 0 bps
    GetExternalIPAddress() returned -3
    GetExternalIPAddress failed.
    GetGenericPortMappingEntry() returned -3 ((null))

  • DHCP and mtu size in rc.conf

    Is it possible to set an interface to use both DHCP and a custom MTU size by setting the value in rc.conf?
    I tried using the line eth0="dhcp mtu 9000", but that did not work.

    There is a hackish way to do it:
    eth0="dhcp"
    eth0mtu="eth0 mtu 1234"
    INTERFACES=(lo eth0 eth0mtu)
    It is important that eth0mtu is after eth0 in INTERFACES.

  • RV320 DHCP and WAN questions

    Hello all,
    So far I love the RV320; it's super fast and works really well (with 2 WAN connections).
    I do have a few questions though, hoping someone could tell me:
    1) Under DHCP Server it gives the option to use DNS from ISP or DNS Proxy; what is the main difference between those two options?
    Right now I have this set to DNS from ISP.
    2) What are the pros and cons of enabling IPv6 DHCP and what is the best setting for that (yes, both ISPs I have support IPv6)?
    3) What is the best option to set as client lease time for DHCP? (It's set to 1440 by default.)
    4) On the System Summary page I see both WAN1 and WAN2 connected (I set it to Load Balance (Auto Mode)) but for WAN2 I always see: Connected (Inactive)
    Why does it say inactive?
    Thank you!

    Found answers to most things now except for:
    4) On the System Summary page I see both WAN1 and WAN2 connected (I set it to Load Balance (Auto Mode)) but for WAN2 I always see: Connected (Inactive)
    Why does it say inactive?

  • WPA2 Enterprise and RADIUS

    I configured my Aironet 1262N autonomous AP to authenticate and account my users against a FreeRADIUS server. In the RADIUS server database, I saw some records like:
    select username, acctauthentic, acctterminatecause, acctstarttime, acctstoptime from radacct where username='xxxxxx';
    | username | acctauthentic | acctterminatecause | acctstarttime       | acctstoptime        |
    | xxxxxx   | RADIUS        | Lost-Carrier       | 2014-02-22 09:15:32 | 2014-02-22 11:15:58 |
    | xxxxxx   | RADIUS        | Lost-Carrier       | 2014-02-22 09:15:58 | 2014-02-22 12:16:36 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 09:16:37 | 2014-02-22 09:22:13 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 09:22:14 | 2014-02-22 09:27:34 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 09:27:35 | 2014-02-22 09:33:12 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 09:33:14 | 2014-02-22 09:38:34 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 09:38:35 | 2014-02-22 09:43:55 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 09:43:57 | 2014-02-22 09:49:17 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 09:49:18 | 2014-02-22 09:54:52 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 09:54:54 | 2014-02-22 10:00:14 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 10:00:14 | 2014-02-22 10:00:26 |
    | xxxxxx   | RADIUS        | Lost-Carrier       | 2014-02-22 10:00:26 | 2014-02-22 10:06:17 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 10:06:19 | 2014-02-22 10:11:39 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 10:11:41 | 2014-02-22 10:17:52 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 14:50:41 | 2014-02-22 14:50:42 |
    | xxxxxx   | RADIUS        | Lost-Carrier       | 2014-02-22 14:50:42 | 2014-02-22 15:01:25 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 15:01:26 | 2014-02-22 15:06:46 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 15:06:48 | 2014-02-22 15:12:08 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 15:12:09 | 2014-02-22 15:20:24 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 15:20:25 | 2014-02-22 15:28:33 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 15:28:35 | 2014-02-22 15:33:54 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 15:33:55 | 2014-02-22 15:39:15 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 15:39:17 | 2014-02-22 15:44:37 |
    | xxxxxx   | Local         | Lost-Carrier       | 2014-02-22 15:44:38 | 2014-02-22 15:49:59 |
    | xxxxxx   | Local         |                    | 2014-02-22 15:49:59 | NULL                |
    As you can see, the Acct-Authentic field contains two possible values: Local and RADIUS. I didn't create any user named 'xxxxxx' on the AP, and I configured authentication against the RADIUS server. Why are there so many Acct-Authentic = 'Local' records?
    Also, this user always loses his connection and then reconnects quickly. This user logs in to his account on multiple devices, including a smartphone and computers. All of them are experiencing the same issue. Is there any way to debug it? Any potential reasons?
    Regards,
    Lingfeng Xiong       
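As an added example (not code from this post or from FreeRADIUS), the Python below loads the radacct rows quoted above and checks them for the patterns the poster describes: the split between Acct-Authentic = Local and RADIUS, short Lost-Carrier sessions followed at once by a reconnect, and sessions that overlap in time, which is what one account on several devices looks like in accounting data. The 10-minute and 5-second thresholds and the function names are my assumptions, not part of FreeRADIUS.

```python
"""Session-pattern checks over FreeRADIUS radacct rows (added example, not
from the post or from FreeRADIUS). The rows are the ones quoted in the post
above with the username already redacted; thresholds are assumptions."""
from collections import Counter
from datetime import datetime, timedelta

RADACCT_ROWS = """\
xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 09:15:32 | 2014-02-22 11:15:58
xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 09:15:58 | 2014-02-22 12:16:36
xxxxxx | Local  | Lost-Carrier | 2014-02-22 09:16:37 | 2014-02-22 09:22:13
xxxxxx | Local  | Lost-Carrier | 2014-02-22 09:22:14 | 2014-02-22 09:27:34
xxxxxx | Local  | Lost-Carrier | 2014-02-22 09:27:35 | 2014-02-22 09:33:12
xxxxxx | Local  | Lost-Carrier | 2014-02-22 09:33:14 | 2014-02-22 09:38:34
xxxxxx | Local  | Lost-Carrier | 2014-02-22 09:38:35 | 2014-02-22 09:43:55
xxxxxx | Local  | Lost-Carrier | 2014-02-22 09:43:57 | 2014-02-22 09:49:17
xxxxxx | Local  | Lost-Carrier | 2014-02-22 09:49:18 | 2014-02-22 09:54:52
xxxxxx | Local  | Lost-Carrier | 2014-02-22 09:54:54 | 2014-02-22 10:00:14
xxxxxx | Local  | Lost-Carrier | 2014-02-22 10:00:14 | 2014-02-22 10:00:26
xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 10:00:26 | 2014-02-22 10:06:17
xxxxxx | Local  | Lost-Carrier | 2014-02-22 10:06:19 | 2014-02-22 10:11:39
xxxxxx | Local  | Lost-Carrier | 2014-02-22 10:11:41 | 2014-02-22 10:17:52
xxxxxx | Local  | Lost-Carrier | 2014-02-22 14:50:41 | 2014-02-22 14:50:42
xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 14:50:42 | 2014-02-22 15:01:25
xxxxxx | Local  | Lost-Carrier | 2014-02-22 15:01:26 | 2014-02-22 15:06:46
xxxxxx | Local  | Lost-Carrier | 2014-02-22 15:06:48 | 2014-02-22 15:12:08
xxxxxx | Local  | Lost-Carrier | 2014-02-22 15:12:09 | 2014-02-22 15:20:24
xxxxxx | Local  | Lost-Carrier | 2014-02-22 15:20:25 | 2014-02-22 15:28:33
xxxxxx | Local  | Lost-Carrier | 2014-02-22 15:28:35 | 2014-02-22 15:33:54
xxxxxx | Local  | Lost-Carrier | 2014-02-22 15:33:55 | 2014-02-22 15:39:15
xxxxxx | Local  | Lost-Carrier | 2014-02-22 15:39:17 | 2014-02-22 15:44:37
xxxxxx | Local  | Lost-Carrier | 2014-02-22 15:44:38 | 2014-02-22 15:49:59
xxxxxx | Local  |              | 2014-02-22 15:49:59 | NULL
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_sessions(text):
    """Parse 'user | authentic | cause | start | stop' lines; NULL stop = still open."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, authentic, cause, start, stop = (c.strip() for c in line.split("|"))
        sessions.append({
            "user": user,
            "authentic": authentic,  # Acct-Authentic as the AP reported it
            "cause": cause,          # Acct-Terminate-Cause, '' while open
            "start": datetime.strptime(start, TS_FORMAT),
            "stop": None if stop == "NULL" else datetime.strptime(stop, TS_FORMAT),
        })
    return sorted(sessions, key=lambda s: s["start"])


def authentic_counts(sessions):
    """Sessions the NAS says it authenticated locally vs via RADIUS."""
    return Counter(s["authentic"] for s in sessions)


def duration_histogram(sessions):
    """Closed-session lengths in seconds; a tight cluster suggests a timer, not radio loss."""
    return Counter(int((s["stop"] - s["start"]).total_seconds())
                   for s in sessions if s["stop"] is not None)


def flapping_pairs(sessions, max_duration=timedelta(minutes=10),
                   max_gap=timedelta(seconds=5)):
    """Short Lost-Carrier sessions followed almost at once by a new one:
    the disconnect/reconnect loop the post describes."""
    flaps = []
    for cur, nxt in zip(sessions, sessions[1:]):
        if cur["stop"] is None or cur["cause"] != "Lost-Carrier":
            continue
        gap = nxt["start"] - cur["stop"]
        if cur["stop"] - cur["start"] <= max_duration and timedelta(0) <= gap <= max_gap:
            flaps.append((cur["start"], cur["stop"], nxt["start"]))
    return flaps


def overlapping_pairs(sessions):
    """Session pairs whose time ranges overlap: the same account active on
    more than one device at once. Needs the start-sorted list from parse_sessions."""
    overlaps = []
    for i, a in enumerate(sessions):
        a_stop = a["stop"] or datetime.max
        for b in sessions[i + 1:]:
            if b["start"] >= a_stop:
                break  # later sessions start later still, so none can overlap a
            overlaps.append((a["start"], b["start"]))
    return overlaps
```

On these rows the closed Local sessions cluster tightly around 320 seconds and the two long RADIUS sessions span the whole morning cluster of short Local ones, which is worth checking against any session-timeout or reauthentication timer on the AP before attributing the drops to radio conditions.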

    Hi,
    I have exactly the same problem with my FreeRADIUS and switches when the switches are on IOS 15.x.
    You can see the accounting log:
    |      5971 | 0000007E      | bde8f71b768f2785 |          |           |       | 10.254.1.253 | 50001     | Ethernet    | 2014-04-03 23:23:04 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5972 | 0000007F      | 27c15b7db52213d9 |          |           |       | 10.254.1.253 | 50001     | Ethernet    | 2014-04-03 23:23:04 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5973 | 00000080      | 8fb0d5fe41e82d65 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-03 23:23:18 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5974 | 00000081      | fa753225306a1a30 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-03 23:23:35 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5975 | 00000082      | 39b6dfcf6aa90e30 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-03 23:25:57 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5976 | 00000083      | d7766e99f09aee2f |          |           |       | 10.254.1.253 | 50024     | Ethernet    | 2014-04-03 23:26:33 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5977 | 00000084      | 7094f61110fe4eef |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-03 23:29:22 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5978 | 00000085      | 66ded1d410f07c51 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-03 23:30:00 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5979 | 00000086      | 326144c4321e0286 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-03 23:30:32 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5980 | 00000087      | 01d1379a4f9c3365 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-03 23:32:57 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5981 | 00000088      | 91164743f562dfdb |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-03 23:34:59 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5982 | 00000089      | abf1519e403f8305 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-03 23:36:21 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5984 | 0000008B      | 2e199e473e646ba4 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-04 00:21:01 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5986 | 0000008C      | cb4c2e11189d484c |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-04 00:28:10 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5987 | 0000008D      | 1e928dc7eabc1e6d |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-04 00:28:11 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5988 | 0000008E      | f1e3754a954e6863 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-04 00:28:15 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5989 | 0000008F      | e46d377efc8a47f8 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-04 01:00:02 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5990 | 00000090      | e098f1dc19bdeee2 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-04 01:01:02 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5991 | 00000091      | 6ae3acb7d57c9c5a |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-04 01:56:25 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5992 | 00000092      | abc974156cf20e23 |          |           |       | 10.254.1.253 | 50021     | Ethernet    | 2014-04-04 03:10:56 | NULL                |            1943 | Local         |                   |                  |               0 |           204825 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5993 | 00000093      | be822673509843a6 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-04 03:51:41 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5994 | 00000094      | 0a4366a6cd9eb0c5 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-04 07:53:42 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5996 | 00000095      | 5d289b8db37d0c8d |          |           |       | 10.254.1.253 | 50024     | Ethernet    | 2014-04-04 08:58:22 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      5997 | 00000096      | c4ea1e813085a6d7 |          |           |       | 10.254.1.253 | 50024     | Ethernet    | 2014-04-04 08:58:22 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      6002 | 0000009A      | a82ac41b1ff5f16b |          |           |       | 10.254.1.253 | 50024     | Ethernet    | 2014-04-04 09:03:12 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      6004 | 0000009B      | 0719718c780250c2 |          |           |       | 10.254.1.253 | 50024     | Ethernet    | 2014-04-04 09:53:30 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      6005 | 0000009C      | c58f9c5e30b60fb7 |          |           |       | 10.254.1.253 | 50016     | Ethernet    | 2014-04-04 09:56:54 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      6007 | 0000009D      | f78cc71528fd7898 |          |           |       | 10.254.1.253 | 50024     | Ethernet    | 2014-04-04 09:56:54 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    |      6008 | 0000009E      | 200a1608264cc03c |          |           |       | 10.254.1.253 | 50019     | Ethernet    | 2014-04-04 10:01:14 | 2014-04-04 10:30:24 |            1750 | Local         |                   |                  |          114654 |            93145 |                 |                  | Lost-Carrier       | Framed-User |                |                 |              0 |             0 |                      |
    |      6009 | 0000009F      | c5ec021f0ef399c1 |          |           |       | 10.254.1.253 | 50019     | Ethernet    | 2014-04-04 10:01:44 | 2014-04-04 10:30:24 |            1720 | Local         |                   |                  |          109122 |            86295 |                 |                  | Lost-Carrier       | Framed-User |                |                 |              0 |             0 |                      |
    |      6013 | 000000A4      | 042773e07781caba |          |           |       | 10.254.1.253 | 50019     | Ethernet    | 2014-04-04 10:30:26 | 2014-04-04 10:39:51 |             565 | Local         |                   |                  |           36891 |            39077 |                 |                  | Lost-Carrier       | Framed-User |                |                 |              0 |             0 |                      |
    |      6015 | 000000A5      | f6b305e3f0d6aa5a |          |           |       | 10.254.1.253 | 50019     | Ethernet    | 2014-04-04 10:30:56 | 2014-04-04 10:39:51 |             535 | Local         |                   |                  |           31698 |            32171 |                 |                  | Lost-Carrier       | Framed-User |                |                 |              0 |             0 |                      |
    |      6017 | 000000A6      | ef6cad3df24ccd61 |          |           |       | 10.254.1.253 | 50002     | Ethernet    | 2014-04-04 10:42:20 | NULL                |               0 | Local         |                   |                  |               0 |                0 |                 |                  |                    | Framed-User |                |                 |              0 |             0 |                      |
    Does anyone have an idea?
    Thanks,
    Best regards,

  • Solaris 10 x86 u5 dhcp and jumpstart install fail

    Hello,
    I have a problem with the Solaris 10 u5 JumpStart install.
    I could use the JumpStart install with DHCP and get a static IP address (assigned by the DHCP server) before Solaris 10 u3.
    But now I can't use the JumpStart install in Solaris 10 u5 without setting up a static IP address in sysidcfg.
    I have many x86 machines.
    If I have to set up a different sysidcfg for every machine when I install a new one,
    I will get into big trouble.
    Here is my sysidcfg:
    ###### sysidcfg #######
    system_locale=en_US
    timeserver=localhost
    timezone=Asia/Taipei
    terminal=sun-color
    security_policy=NONE
    root_password=xxxxxxxx
    nfs4_domain=example.com
    network_interface=primary { hostname=solaris
    default_route=192.168.100.254
    netmask=255.255.255.0
    protocol_ipv6=no}
    name_service=DNS {domain_name=example.com
    name_server=192.168.100.1
    search=example.com}
    Edited by: cheung79 on 2008/4/19 5:29

    I think that you should modify the discovery-install script, so you'll be able to create the sysidcfg file dynamically. I had the same problem as you, and there is a possibility to add some arguments to the boot command that you execute at the ok prompt. These arguments can be defined in the discovery-install script. It's quite easy.
    Regards,
    Przemek

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe no, they won't work together, as TACACS and RADIUS are different technologies.
    It's just because TACACS encrypts the whole message and RADIUS just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and Radius.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, please review the information below as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).
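    The "Packet Encryption" comparison above is easiest to see on the wire. What follows is an added example, not part of the reply or of the Cisco document it quotes: it implements RFC 2865 User-Password hiding (MD5 of the shared secret chained from the Request Authenticator) and the TACACS+ body obfuscation of RFC 8907 (a chained MD5 pseudo-pad over session id, key, version and sequence number), builds a small Access-Request and a TACACS+ authentication START body from constructed values (the secret, the username and password, the 192.0.2.x addresses and the session id are all made up for the illustration), and then parses the RADIUS packet the way an observer without the secret would. The comparison's point falls out directly: User-Name and NAS-IP-Address are readable by anyone on the path and only User-Password is masked, whereas the entire TACACS+ body is masked.

```python
import hashlib
import os
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding. The password is null-padded to a multiple
    of 16 bytes and each 16-byte chunk is XORed with MD5(secret + previous chunk),
    where the first 'previous chunk' is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                      # an empty password still occupies one block
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the server does). Padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")


def radius_access_request(identifier: int, username: bytes, password: bytes,
                          secret: bytes, authenticator=None) -> bytes:
    """Build an Access-Request (Code 1) carrying User-Name (1), User-Password (2)
    and NAS-IP-Address (4). Only attribute 2 depends on the shared secret."""
    authenticator = authenticator or os.urandom(16)
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = (bytes([1, 2 + len(username)]) + username
             + bytes([2, 2 + len(hidden)]) + hidden
             + bytes([4, 6]) + bytes([192, 0, 2, 1]))      # constructed NAS address
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def radius_parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs with no knowledge of the shared secret: this is
    exactly what a passive observer on the path recovers. Returns {type: value}."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """TACACS+ body obfuscation (RFC 8907 s4.5): XOR the whole body with a pseudo-pad
    of chained digests MD5(session_id || key || version || seq_no || previous digest).
    XOR is its own inverse, so the same call also de-obfuscates."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))


def observer_view(secret: bytes = b"constructed-secret") -> dict:
    """What a sniffer sees on each protocol for the same (constructed) credentials."""
    auth = bytes(range(16))                       # fixed so the result is reproducible
    username, password = b"bob", b"correct horse battery staple"
    seen = radius_parse_attributes(radius_access_request(7, username, password, secret, auth))
    # TACACS+ authentication START body (RFC 8907 s5.1): action=LOGIN, priv_lvl=1,
    # authen_type=PAP (so data carries the password), authen_service=LOGIN, then the
    # four length bytes and the variable fields user, port, rem_addr, data.
    port, rem_addr = b"tty0", b"192.0.2.10"
    body = (bytes([1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password)])
            + username + port + rem_addr + password)
    wire = tacacs_obfuscate(body, secret, 0x12345678)    # constructed session id
    return {
        "radius_username_clear": seen[1] == username,
        "radius_password_clear": seen[2] == password,
        "tacacs_username_clear": username in wire,
        "tacacs_password_clear": password in wire,
    }
```

    Both constructions are obfuscation keyed on a static shared secret and MD5, not authenticated encryption; the practical difference the Cisco text describes is only about how much of the packet is covered. Whichever protocol is in use, keep RADIUS/TACACS+ traffic on a management network or inside a tunnel rather than relying on this masking.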

  • DHCP and FTP issues.

    I have a server set up running Server 2012 R2 with DHCP and FileZilla for FTP, and a desktop running Windows 7. The server can ping the desktop, but the desktop cannot ping the server; however, the desktop can get a DHCP address from the server. How can I get it to connect to the FTP service? I chose to use FileZilla because I could not get the anonymous logon to work for IIS.

    Hi,
    Have you checked Windows Firewall on the server side to see if it allows ICMP? By default the firewall is on and blocks ICMP.
    http://www.sysprobs.com/how-to-enable-ping-on-windows-server-2012-r2-firewall
    Also see if port 21 for FTP (assuming FileZilla is using the default port) is allowed in the firewall.
    Hope this helps.
    Regards,
    Calin

  • DHCP and QoS

    Hi all ,
    I'm looking for some way to base the QoS in my LAN on the host's IP address. Of course, there are many hosts in that network, some of them get their addresses from DHCP, and anyway the question is: is there any way to make the class-maps based on the host without entering the commands manually? Maybe bind them to DHCP allocation? Obviously, an ACL will do the job, but with many hosts on the LAN that task becomes very complicated (to me and maybe the router too... just think about many ACLs and the MQC commands related to every one of these ACLs). The perfect solution would be some sort of template which becomes active for any device in the LAN... grouping all together into some "global policy" running on the router, as it happens to be for remote-access clients (L2TP for instance).
    I'd appreciate any advice,
    have a nice day,
    Alex.

    Hi Alex,
    I don't think that you can make class-maps using hostnames.
    If there are a good number of hosts, you can create a separate VLAN for them and make an ACL for that particular subnet. This way your ACL won't grow.
    Hope this helps.

  • Bootpd, DHCP and OS X Server 2.2

    I have a Mac Mini running OS X Server in Mountain Lion that I use for imaging via DeployStudio. A couple of days ago, I tried to boot a MacBook Pro using NetBoot by going to Startup Disk and selecting the NetBoot image. When the machine restarted, it just sat at the grey screen for about a minute, then it started flashing the globe icon, as it was trying to find the Mini. After about a minute of that, it would give up and then boot back to the OS. I tried this with a NetInstall image, another NetBoot image, another machine, and so on. All of them had the same behavior.
    After going through some logs and looking at the documentation, it turned out that the machines really couldn't find the Mini to boot from. Basically, if the DHCP service wasn't turned on and configured for the same subnet that the Mini was on, then nothing could find the Mini to boot from it. This was bad, really bad, as I work for a large academic institution where they run their own DHCP services for all of the subnets.
    The issue turns out to be that as of 2.2 of OS X Server, the bootpd service doesn't launch by itself anymore. The DHCP service must be running for bootpd to launch. NetBoot needs bootpd for the clients to find the host. The solution that I came up with was to modify the /etc/bootpd.plist file.
    There are, as of when I am writing this, two versions of NetBoot. NetBoot 1, or old NetBoot, allows the bootpd service to run without DHCP, and NetBoot 2 requires DHCP to be on for bootpd to launch. I went into the /etc/bootpd.plist file and added the following lines to the bottom, just before the closing </dict> tag:
    <key>old_netboot_enabled</key>
    <array>
    <string>en0</string>
    </array>
    This turns on the old NetBoot so bootpd can run on its own. You'll have to restart the machine running OS X Server for the change to take effect.
    There are a couple of downsides to this method. One is that if you turn on Internet Sharing in the Sharing system pane, or if you happen to turn on or change the DHCP settings in any way, your changes will be wiped out.
    I hope this helps somebody out who has had the same issues that I had.
    Micah

    Hi Micah,
    I have tried your solution but it doesn't work.
    First, excuse me for my English writing, because I'm French...
    So the problem is complex; here is my situation:
    NetBoot server: a brand new Mac mini server with 10.8.2 server (late 2012, Macmini6,2), 2 terabyte hard drives each and DeployStudioServer 1.5.16
    The services NetInstall, Open Directory (master mode) and AFP file sharing are all OK!
    I have an external DHCP (Linux) server. The DHCP server is on a VLAN and the NetBoot server and NetBoot clients are on another VLAN, so I have
    added the IP address of my NetBoot server as an ip-helper address in the Cisco router configuration of the DHCP server VLAN.
    And HERE IS MY PROBLEM:
    I have used three kinds of NetBoot clients:
    1. a MacBook Pro 17" (MacBookPro5,2, 17" early 2009) with Mac OS 10.6.8
    2. a MacBook Pro 13" (MacBookPro9,2, 13" mid 2012) with Mac OS 10.8.2
    3. a Mac mini late 2012 (Macmini6,1) with Mac OS 10.8.2
    I have generated 2 DeployStudio NetBoot sets, one for the MacBook Pro 13" (10.8.2) and one for the Mac mini late 2012 (10.8.2).
    SO, it works without problem when I netboot the MacBook Pro 17", which uses for example the NetBoot set of the MacBook Pro 13", but the other machines don't netboot! Why???
    In the NetInstall logs, when I netboot the MacBook Pro 17" under 10.6.8, I saw the lines:
    Feb 18 08:43:23 [my-netboot-server] bootpd[2825]: BSDP DISCOVER [en0] 1,0:26:4a:c:d1:8 NetBoot002 arch=i386 sysid=MacBookPro5,2
    Feb 18 08:43:23 [my-netboot-server] bootpd[2825]: replyfile /private/tftpboot/NetBoot/NetBootSP0/mbpro-13-1082.nbi/i386/booter
    Feb 18 08:43:23 [my-netboot-server] bootpd[2825]: replying to 0.0.0.0
    Feb 18 08:43:23 [my-netboot-server] bootpd[2825]: BSDP OFFER sent [1,0:26:4a:c:d1:8] pktsize 360
    but when I netboot the MacBook Pro 13" under 10.8.2, I see only the lines (for example):
    Feb 18 09:01:07 [my-netboot-server] bootpd[2968]: service time 0.000015 seconds
    Feb 18 09:01:40 [my-netboot-server] bootpd[2968]: service time 0.000015 seconds
    Feb 18 09:01:40 [my-netboot-server] bootpd[2968]: service time 0.000004 seconds
    Feb 18 09:01:52 [my-netboot-server] bootpd[2968]: service time 0.000015 seconds
    Feb 18 09:01:52 [my-netboot-server] bootpd[2968]: service time 0.000010 seconds
    Feb 18 09:02:08 [my-netboot-server] bootpd[2968]: service time 0.000015 seconds
    PLEASE HELP ME, I DON'T UNDERSTAND WHY IT WORKS WITH A "10.6.8" OLD CLIENT AND NOT WITH MY NEW MACS UNDER MOUNTAIN LION ?
    HAVE YOU ANY IDEA ?
    THANKS IN ADVANCE TO ALL FOR YOUR HELP
    BEST REGARDS
