Freaky Issue With Radius In Cisco 7206
Yesterday I faced a weird issue in a 7200 router. It was configured as LNS using its loopback for radius authentication. But when I checked the logs on radius it is getting the physical interface ip. After that I configured my source as the physical interface and the authentication process completed.
Can anyone tell me why it is not getting source as loopback? On other routers it is working fine.
regards
shivlu jain
Shivlu,
Glad it is now working. I think it could be related to CSCsq32625, which is a duplicate of CSCse02550, which was indeed fixed in 12.2(31)S13.
CSCsq32625
ip radius source-int not working inside aaa group server config
Symptom: Only Global setting for the AAA Radius server source interface is functioning. Setting the source-interface in the AAA Group configuration has no effect.
Conditions: This condition is visible when a router must use more than one source-interface designation for communicating with the RADIUS servers serving it. For example, if there are two groups of servers, and one group uses a Loopback for the source interface, and second group uses the management FastEthernet interface as the source interface.
Workaround: All radius servers need to be able to respond to a single source interface, as multiple sources distinguished by AAA Groups are not functioning.
Further Problem Description: None
Regards
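A configuration check for the condition the CSCsq32625 text above describes, added here as an example (it is not part of the thread and not a Cisco tool): it reads an IOS configuration and reports, per `aaa group server radius` block, whether a group-level `ip radius source-interface` would be ignored on an affected release and which address the RADIUS server would then see. The sample configuration, group names and addresses are constructed, and the script assumes that with no global source interface the router sources RADIUS from the egress interface.

```python
import re

# Constructed sample configuration (not from the thread); documentation addresses only.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa group server radius LNS-AUTH
 server 192.0.2.10 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback0
!
aaa group server radius MGMT-AUTH
 server 192.0.2.20 auth-port 1812 acct-port 1813
 ip radius source-interface FastEthernet0/0
!
aaa group server radius NO-OVERRIDE
 server 192.0.2.30 auth-port 1812 acct-port 1813
!
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
ip radius source-interface Loopback0
"""

GROUP_RE = re.compile(r"^aaa group server radius (\S+)\s*$")
IFACE_RE = re.compile(r"^interface (\S+)\s*$")
SRC_RE = re.compile(r"^\s*ip radius source-interface (\S+)")
# Primary address only: a trailing "secondary" keyword prevents a match.
ADDR_RE = re.compile(r"^\s+ip address (\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s*$")


def parse_config(text):
    """Return (global_source, {group: source or None}, {interface: ip})."""
    global_src, groups, iface_ip = None, {}, {}
    section = None  # ("group", name) or ("iface", name) while inside a block
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Any unindented line (including "!") closes the current block.
            section = None
            if m := GROUP_RE.match(line):
                section = ("group", m.group(1))
                groups[m.group(1)] = None
            elif m := IFACE_RE.match(line):
                section = ("iface", m.group(1).lower())
            elif m := SRC_RE.match(line):
                global_src = m.group(1)
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "group" and (m := SRC_RE.match(line)):
            groups[name] = m.group(1)
        elif kind == "iface" and (m := ADDR_RE.match(line)):
            iface_ip[name] = m.group(1)
    return global_src, groups, iface_ip


def audit_group_sources(text):
    """Model the affected behaviour: only the global source interface is honoured."""
    global_src, groups, iface_ip = parse_config(text)
    if global_src:
        sees = iface_ip.get(global_src.lower(), "unknown (no address on %s)" % global_src)
    else:
        sees = "egress interface address"  # assumption stated in the lead-in
    findings = []
    for name, group_src in groups.items():
        ignored = group_src is not None and (
            global_src is None or group_src.lower() != global_src.lower()
        )
        findings.append({
            "group": name,
            "group_source": group_src,
            "effective_source": global_src or "egress interface",
            "server_sees": sees,
            "override_ignored": ignored,
        })
    return findings


if __name__ == "__main__":
    for f in audit_group_sources(SAMPLE_CONFIG):
        flag = "IGNORED on affected releases" if f["override_ignored"] else "ok"
        print("%-12s group source=%-18s effective=%-12s server sees %-15s %s" % (
            f["group"], f["group_source"], f["effective_source"], f["server_sees"], flag))
```

Every group flagged as ignored needs its RADIUS servers to accept the address in the `server_sees` column as a client, which is the workaround the bug text gives.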
Similar Messages
-
Auto-Signon issue with RADIUS authentication
Hi all, I post again a question posted by ronin2307 on Nov 27, 2007, 9:40am PST
I HAVE THE SAME ISSUE WITH 8.0.3 release!
Hi,
we have a fairly simple configuration running on our ASA and try to make use of the webvpn on occasion. The feature used to work great with 7.2, but after we upgraded to 8.0 we started having problems.
Basically a user (network admin) can log in through the webvpn interface (authenticated by a RADIUS server) and see the links to network shares we provide, click on them and at that point the user is prompted for credentials again. Upon entering them, a message comes up that the access to the resources has been blocked due to security reasons.
Now to me that makes no sense whatsoever. I have already run the following command:
auto-signon allow ip 192.168.1.0 255.255.255.0 auth-type ntlm
to try to prevent the second credentials prompt but it doesn't do anything.
I also tried to capture the webvpn traffic, according to the user manual, but now I have a zip file that contains a bunch of files I cannot read (except with notepad, but that doesn't help a lot). Ethereal will not open the files. I couldn't get the capture to display in the browser as described in the manual.
Can anybody give me an idea on what to do to troubleshoot this problem? Thank you very much.
For single sign on using NTLM on a webVPN set up, you need to ensure you configure it through the command line. Did you use the ASDM for this single sign on? To configure auto-signon for all WebVPN users to servers with IP addresses ranging from 10.1.1.0 to 10.1.1.255 using NTLM authentication, for example, enter the following commands:
hostname(config)# webvpn
hostname(config-webvpn)# auto-signon allow ip 10.1.1.1 255.255.255.0 auth-type ntlm
http://www.cisco.com/en/US/docs/security/asa/asa71/asdm51/selected_procedures/asdmsso.html
-
Hello,
I have the following strange behavior:
my WLCs connect to the RADIUS server using the IP address of a dynamic interface instead of using the management interface's IP address.
The dynamic interface is on the same subnet/vlan of the RADIUS server.
Which is the best interface to use for RADIUS authentications?
And how can I decide which interface should be the IP radius-source interface for connecting with my radius servers?
Thanks everybody
Johnny
If you have the Radius server on a subnet in which you have any interface on the wlc on, you will see the wlc using that interface ip address. The AAA client ip address you should use is the dynamic interface ip address. The only time you will see the wlc use its management interface is when your wired and wireless (dynamic interfaces) are on different subnets.
-
Issue with certificate on Cisco ACS
We are wanting to authenticate our internal wireless users using our Cisco ACS running 5.3. The ACS will poll our Active Directory environment for the username and password provided. I created a CSR on the ACS and provided it to Entrust. They provided me with a root, chain and server certificate. I bound the server certificate to the CSR under System Administration>Local Server Certificates>Local Certificates. I then added the chain and root certificates to the location Users and Identity Stores>Certificate Authorities. When I try to connect on a client laptop it asks for a username and password but after entering that information I am presented with the below certificate warning. This certificate is from Entrust and I see the root certificate in the root store on the laptop. Any ideas what would cause this? TAC does not seem to have any answers. They say it is a client machine problem.
From the problem description, it's clear that you're attempting to connect user on a wireless network via peap. From the ACS stand point, your configuration looks good. However, I'd like to know what all certificate have you installed on the client side. Do we have complete chain installed on the client that includes Root CA and intermediate (if any). Would you mind emailing me your complete certificate chain for my reference?
Also, let me know what OS and supplicant are we running on end client?
~BR
Jatin Katyal
**Do rate helpful posts**
-
Freaky issue with 10.6.1
Basically where my name is on the top bar, half has been cut up since I installed 10.6.1??
http://yfrog.com/13screenshot20091004at120p
Barry Hemphill wrote:
Hello b:
Since name on the menu bar is not a feature of OS X 10.6, I am assuming you have installed some sort of third party hack. Remove it and you will not have a problem.
Barry
Sorry, but that's wrong. It has been there for several versions of OS X. It's called Fast User Switching and is activated via System Preferences/Accounts/Login Options
I would try to disable and then reenable it there. You can also set it to only show the icon or your short username instead of your full name. I prefer the icon for example...
Björn
-
hi all,
i've got an issue with a new cisco 3650 48 port wherein older AP 1231 keeps on disconnecting.
the connection is just a simple trunk.
#sh run int g1/0/47
Building configuration...
Current configuration : 62 bytes
interface GigabitEthernet1/0/47
switchport mode trunk
end
1231 is working fine on a 3560.
could someone advise if anything else needs to be done on the 3650?
*Apr 21 09:32:33.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to down
*Apr 21 09:32:34.255: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to down
*Apr 21 09:32:37.369: %ILPOWER-7-DETECT: Interface Gi1/0/47: Power Device detected: IEEE PD
*Apr 21 09:32:40.406: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi1/0/47: PD removed
*Apr 21 09:32:40.407: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Gi1/0/47: Power given, but Power Controller does not report Power Good
*Apr 21 09:32:48.994: %ILPOWER-7-DETECT: Interface Gi1/0/47: Power Device detected: Cisco PD
*Apr 21 09:32:49.473: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/47: Power granted
*Apr 21 09:32:53.355: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to up
*Apr 21 09:32:55.356: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to up
*Apr 21 09:34:27.142: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi1/0/47: PD removed
*Apr 21 09:34:27.142: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Gi1/0/47: Power Controller reports power Imax error detected
*Apr 21 09:34:27.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to down
*Apr 21 09:34:28.855: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to down
*Apr 21 09:34:39.384: %ILPOWER-7-DETECT: Interface Gi1/0/47: Power Device detected: Cisco PD
*Apr 21 09:34:40.235: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/47: Power granted
*Apr 21 09:34:43.875: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to up
*Apr 21 09:34:45.874: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to up
pre,
i don't think it's a cable issue. correction on the working AP, it's supposed to be a AIR-SAP1602E.
this AP is working on the 3650.
i've searched and i think the AIR-AP1231 isn't supported on this switch platform.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3e/release_notes/OL3264701.html#18425
this new switch isn't friendly. first, i had the issue with PVLAN and now this :(
-
Cisco PI 1.3 - Internal Server Error with RADIUS-authentication
Hi,
I have a problem with a Cisco Prime Infrastructure 1.3 (Appliance, fully patched) that I'm trying to authenticate against a Radiator RADIUS-server.
From the RADIUS-server's point of view it looks fine, but I just get an HTTP Status 500 internal error (see attached image) when trying to log in.
I'm not the one managing the RADIUS-server but I got the following debug sent from them:
Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
*** Received from 10.36.0.132 port 17235 ....
Code: Access-Request
Identifier: 102
Authentic: REMOVED
Attributes:
User-Name = "test-user"
User-Password = REMOVED
NAS-IP-Address = 10.36.0.132
Message-Authenticator = REMOVED
Wed Oct 30 08:52:06 2013: DEBUG: Handling request with Handler 'Client-Identifier=/^prime[.]net[.]REMOVED[.]se$/', Identifier 'Network-Prime-AAA'
Wed Oct 30 08:52:06 2013: DEBUG: Deleting session for test-user, 10.36.0.132,
Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthUNIX:
Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX looks for match with test-user [test-user]
Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX ACCEPT: : test-user [test-user]
Wed Oct 30 08:52:06 2013: DEBUG: AuthBy UNIX result: ACCEPT,
Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthFILE:
Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE looks for match with test-user [test-user]
Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE ACCEPT: : test-user [test-user]
Wed Oct 30 08:52:06 2013: DEBUG: AuthBy FILE result: ACCEPT,
Wed Oct 30 08:52:06 2013: DEBUG: Access accepted for test-user
Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
*** Sending to 10.36.0.132 port 17235 ....
Code: Access-Accept
Identifier: 102
Authentic: REMOVED
Attributes:
cisco-avpair = "NCS:virtual-domain0=ROOT-DOMAIN"
cisco-avpair = "NCS:role0=Admin"
cisco-avpair = "NCS:task0=View Alerts and Events"
cisco-avpair = "NCS:task1=Device Reports"
..the rest of the AV-pairs removed
Does anyone have any idea on what the problem is, or some tips on how to troubleshoot? (rebooting and ncs stop/start has no impact on the issue)
//Charlie
I ran into a similar issue this morning in my lab. After I issued ncs status - the database service came back as not running. I stop/started the Prime services and it came up. Once all the services were running my WLC imported with no issues. I also deployed another server for another lab and it had issues with the clocking being out of sync.
-
NAC guest server with RADIUS authentication for guests issue.
Hi all,
We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
-----START QUOTE-----
Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
•Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
•Self Service—This option allows guest self service. After selection proceed to Step 8.
•Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
----- END QUOTE-----
Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
Regards
Kevin Woodhouse
Well I will try to answer your 2nd question.... will it work... yes. It is like any other radius server (high end:)) But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD. Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and if you look at it, it leaves everything in the DMZ.
Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion.
-
Hi Experts,
We have a VPN setup between a Cisco 871 router and a Cisco 7206 VXR router.
The 7206 is a HUB location and the 871 is one of the spokes.
The 871 uses a DSL connection to connect to the internet.
Today we've been getting a large amount of logs on the 7206, logs are as below-
Dec 14 17:47:48.326 est: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from <IP> failed its sanity check or is malformed
Dec 14 17:48:57.078 est: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from <IP> failed its sanity check or is malformed
Dec 14 17:50:33.191 est: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from <IP> failed its sanity check or is malformed
Dec 14 17:51:47.383 est: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from <IP> failed its sanity check or is malformed.
Can someone advise if there may be a problem with the DSL connection or if this indicates something else.
Hi MJ,
Sorry about earlier, it did turn out to be a Crypto Key issue. But I didn't understand how the tunnels were showing in QM_IDLE state even when the keys didn't match.
Anyway thanks for your help on this.
Regards,
Imran.
-
Are there any known issues with Cisco Meraki APs with client devices which publish PMF support in probe requests? We are seeing connectivity issues with Cisco Meraki MR12, MR16 and MX80 models. Please update if there are any known issues with these APs.
Thanks for your thoughts, Nathan. We do actually have the "Enable Fast Reconnect" option selected on our wireless profile. Good idea, though.
We did also (originally) have 2 RADIUS servers defined within our wireless network. What we discovered was that each Meraki AP will try each one in order, top-to-bottom, and then primarily use the server that responded to it first. So, if for any reason you have a short-lived issue with your local RADIUS server responding to requests, and the AP is able to talk to a remote RADIUS server (in our case, one on the other side of the world) instead, the AP will elect to use the remote RADIUS server instead. In our case, the latency is high enough between these APs and this remote RADIUS server that while a client is roaming between APs, and having to re-authenticate, the entire process breaks down because (1) the client is moving between APs faster than the remote RADIUS server can authenticate the client, and (2) the entire exchange and communication ends up timing out -- thus forcing a manual re-connect. This is not a common occurrence by any means, but I just wanted to share what made us later choose to define only 1 RADIUS server, in the network settings. Surely our circumstance here is rather unique, but I thought it might be worth mentioning. Having only 1 RADIUS server defined forces ALL of our APs to use the same RADIUS server, regardless of anything else. It has resulted in a much smoother re-auth process for our clients.
I appreciate the link you sent, however. If I come across anything else that is helpful, I'll certainly post it back here. I appreciate your input once again!
-
issue with cisco acs 4.2. Users unable to login aaa client but after restarting group policy able to login
-
Calling issue with Cisco 7937 conference station
Hi Friends,
I am facing an issue with the Cisco 7937 conference station. Our customer has various branch offices across the world. All branches are connected over MPLS through a service provider (SIP service provider). There is a centralized CUCM and the remote offices have SIP voice gateways.
When making calls from one remote site to another using Cisco 6921 phones, calls are working fine.
When making calls from one remote site to another using a Cisco 7937 conference station to call any phone at the remote office, calls are getting disconnected: the remote phone rings when called, but it gets a fast busy tone when the other party picks up the phone and we are not able to talk.
I suspect the issue with Codec but we have configured transcoders in VG and registered with CUCM
Please help me if any one experience such issue earlier.
Regards
Siva
hi Basant,
1. Actually two phones A and B are registered with the centralized CUCM. A and B are located in two different locations; RTP traffic between A and B passes through the service provider.
Call Flow --> Phone A ---->CUCMRouterpattern--> SIP trunk ----> Voice gateway--->Service provider cloud---> Respective Voice Gateway---> CUCM -- Phone B
Show Run
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.02.27 15:14:52 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 12139 bytes
! Last configuration change at 06:35:59 UTC Tue Feb 25 2014
! NVRAM config last updated at 11:16:38 UTC Mon Feb 24 2014 by administrator
! NVRAM config last updated at 11:16:38 UTC Mon Feb 24 2014 by administrator
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname eucamvgw01
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.151-4.M5.bin
boot-end-marker
card type e1 0 0
logging buffered 51200 warnings
no logging console
no aaa new-model
no network-clock-participate wic 0
no ipv6 cef
ip source-route
ip traffic-export profile cuecapture mode capture
bidirectional
ip cef
ip multicast-routing
ip domain name drreddys.eu
ip name-server 10.197.20.1
ip name-server 10.197.20.2
multilink bundle-name authenticated
stcapp ccm-group 2
stcapp
stcapp feature access-code
stcapp feature speed-dial
stcapp supplementary-services
port 0/1/0
fallback-dn 5428025
port 0/1/1
fallback-dn 5428008
port 0/1/2
fallback-dn 5421462
port 0/1/3
fallback-dn 5421463
isdn switch-type primary-net5
crypto pki token default removal timeout 0
voice-card 0
dsp services dspfarm
voice call send-alert
voice call disc-pi-off
voice call convert-discpi-to-prog
voice rtp send-recv
voice service voip
ip address trusted list
ipv4 10.198.0.0 255.255.255.0
ipv4 152.63.1.0 255.255.255.0
address-hiding
allow-connections sip to sip
no supplementary-service h225-notify cid-update
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
fax-relay ans-disable
sip
rel1xx supported "track"
privacy pstn
no update-callerid
early-offer forced
call-route p-called-party-id
voice class uri 100 sip
host 41.206.187.71
voice class codec 10
codec preference 1 g711alaw
codec preference 2 g711ulaw
codec preference 3 ilbc
codec preference 4 g729r8
codec preference 5 g729br8
voice class codec 20
codec preference 1 g729br8
codec preference 2 g729r8
voice moh-group 1
moh flash:moh/Panjo.alaw.wav
description MOH G711 alaw
multicast moh 239.1.1.2 port 16384 route 10.198.2.9
voice translation-rule 1
rule 1 /^012237280\(..\)/ /54280\1/
rule 2 /^012236514\(..\)/ /54214\1/
rule 3 /^01223651081/ /5428010/
rule 4 /^01223506701/ /5428010/
voice translation-rule 2
rule 1 /^00\(.+\)/ /+\1/
rule 2 /^0\(.+\)/ /+44\1/
rule 3 /^\([0-9].+\)/ /+\1/
voice translation-rule 3
rule 1 /^9\(.+\)/ /\1/
rule 2 /^\+44\(.+\)/ /0\1/
rule 3 /^\+\(.+\)/ /00\1/
voice translation-rule 4
rule 1 /^54280\(..\)/ /12237280\1/
rule 2 /^54214\(..\)/ /12236514\1/
rule 3 /^\+44\(.+\)/ /\1/
rule 4 /^.54280\(..\)/ /12237280\1/
rule 5 /^.54214\(..\)/ /12236514\1/
voice translation-rule 9
rule 1 /^\(....\)/ /542\1/
voice translation-rule 10
voice translation-rule 11
rule 1 /^\+44122372\(....\)/ /542\1/
rule 2 /^\+44122365\(....\)/ /542\1/
voice translation-rule 12
voice translation-rule 13
rule 1 /^\([18]...\)/ /542\1/
voice translation-rule 14
voice translation-profile MPLS-incoming
translate calling 10
translate called 9
voice translation-profile MPLS-outgoing
translate calling 11
translate called 12
voice translation-profile PSTN-incoming
translate calling 2
translate called 1
voice translation-profile PSTN-outgoing
translate calling 4
translate called 3
voice translation-profile SRST-incoming
translate calling 14
translate called 13
license udi pid CISCO2921/K9 sn FGL145110RE
hw-module ism 0
hw-module pvdm 0/0
username administrator privilege 15 secret 5 $1$syu5$DsxdOgfS7Wltx78o4PV.60
redundancy
controller E1 0/0/0
ip tcp path-mtu-discovery
ip scp server enable
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description internal LAN
ip address 10.198.2.9 255.255.255.0
duplex auto
speed auto
interface ISM0/0
ip unnumbered GigabitEthernet0/0
service-module ip address 10.198.2.8 255.255.255.0
!Application: CUE Running on ISM
service-module ip default-gateway 10.198.2.9
interface GigabitEthernet0/1
description to TATA NGN
ip address 115.114.225.122 255.255.255.252
duplex auto
speed auto
interface GigabitEthernet0/2
description SIP Trunks external
ip address 79.121.254.83 255.255.255.248
ip access-group SIP-InBound in
ip traffic-export apply cuecapture size 8000000
duplex auto
speed auto
interface ISM0/1
description Internal switch interface connected to Internal Service Module
no ip address
shutdown
interface Vlan1
no ip address
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.198.2.1
ip route 10.198.2.8 255.255.255.255 ISM0/0
ip route 41.206.187.0 255.255.255.0 115.114.225.121
ip route 77.37.25.46 255.255.255.255 79.121.254.81
ip route 83.245.6.81 255.255.255.255 79.121.254.81
ip route 83.245.6.82 255.255.255.255 79.121.254.81
ip route 95.223.1.107 255.255.255.255 79.121.254.81
ip route 192.54.47.0 255.255.255.0 79.121.254.81
ip access-list extended SIP-InBound
permit ip host 77.37.25.46 any
permit ip host 83.245.6.81 any
permit ip host 83.245.6.82 any
permit ip 192.54.47.0 0.0.0.255 any
permit icmp any any
permit ip host 95.223.1.107 any
deny ip any any log
control-plane
voice-port 0/1/0
compand-type a-law
timeouts initial 60
timeouts interdigit 60
timeouts ringing infinity
caller-id enable
voice-port 0/1/1
compand-type a-law
timeouts initial 60
timeouts interdigit 60
timeouts ringing infinity
caller-id enable
voice-port 0/1/2
compand-type a-law
timeouts initial 60
timeouts interdigit 60
timeouts ringing infinity
caller-id enable
voice-port 0/1/3
compand-type a-law
timeouts initial 60
timeouts interdigit 60
timeouts ringing infinity
caller-id enable
no ccm-manager fax protocol cisco
ccm-manager music-on-hold bind GigabitEthernet0/0
ccm-manager config server 152.63.1.19 152.63.1.100 172.27.210.5
ccm-manager sccp local GigabitEthernet0/0
ccm-manager sccp
mgcp profile default
sccp local GigabitEthernet0/0
sccp ccm 10.198.2.9 identifier 3 priority 3 version 7.0
sccp ccm 152.63.1.19 identifier 4 version 7.0
sccp ccm 152.63.1.100 identifier 5 version 7.0
sccp ccm 172.27.210.5 identifier 6 version 7.0
sccp
sccp ccm group 2
bind interface GigabitEthernet0/0
associate ccm 4 priority 1
associate ccm 5 priority 2
associate ccm 6 priority 3
associate ccm 3 priority 4
associate profile 1002 register CFB_UK_CAM_02
associate profile 1001 register XCODE_UK_CAM_02
associate profile 1000 register MTP_UK_CAM_02
dspfarm profile 1001 transcode
codec ilbc
codec g722-64
codec g729br8
codec g729r8
codec gsmamr-nb
codec pass-through
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
maximum sessions 18
associate application SCCP
dspfarm profile 1002 conference
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
maximum sessions 2
associate application SCCP
dspfarm profile 1000 mtp
codec g711alaw
maximum sessions software 200
associate application SCCP
dial-peer cor custom
name SRSTMode
dial-peer cor list SRST
member SRSTMode
dial-peer voice 100 voip
description *** Inbound CUCM ***
translation-profile incoming PSTN-incoming
incoming called-number .
voice-class codec 10
voice-class sip call-route p-called-party-id
dtmf-relay rtp-nte
no vad
dial-peer voice 500 voip
description *** Inbound TATA MPLS ***
translation-profile incoming MPLS-incoming
session protocol sipv2
session target sip-server
incoming called-number ....
incoming uri from 100
voice-class codec 20
dtmf-relay rtp-nte
no vad
dial-peer voice 510 voip
description *** Outbound TATA MPLS ***
translation-profile outgoing MPLS-outgoing
destination-pattern 54[013-9]....
session protocol sipv2
session target ipv4:41.206.187.71
session transport udp
voice-class codec 20
dtmf-relay rtp-nte
no vad
dial-peer voice 520 voip
description *** Outbound TATA MPLS ***
translation-profile outgoing MPLS-outgoing
destination-pattern 5[0-35-9].....
session protocol sipv2
session target ipv4:41.206.187.71
session transport udp
voice-class codec 20
dtmf-relay rtp-nte
no vad
dial-peer voice 200 voip
description *** Inbound M12 *** 01223651081, 01223651440 - 01223651489
translation-profile incoming PSTN-incoming
session protocol sipv2
session target sip-server
session transport udp
incoming called-number 0122365....
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 201 voip
description *** Inbound M12 *** 012237280XX
translation-profile incoming PSTN-incoming
session protocol sipv2
session target sip-server
session transport udp
incoming called-number 012237280..
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 202 voip
description *** Inbound M12 *** 01223506701
translation-profile incoming PSTN-incoming
session protocol sipv2
session target sip-server
session transport udp
incoming called-number 01223506701
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 210 voip
description *** Outbound M12 ***
translation-profile outgoing PSTN-outgoing
destination-pattern +...T
session protocol sipv2
session target ipv4:83.245.6.81
session transport udp
dtmf-relay rtp-nte
codec g711alaw
no vad
dial-peer voice 211 voip
description *** Outbound ISDN for SRST and emergency ***
translation-profile outgoing PSTN-outgoing
destination-pattern 9.T
session protocol sipv2
session target ipv4:83.245.6.81
session transport udp
dtmf-relay rtp-nte
codec g711alaw
no vad
dial-peer voice 212 voip
description *** Outbound ISDN for emergency ***
translation-profile outgoing PSTN-outgoing
destination-pattern 11[02]
session protocol sipv2
session target ipv4:83.245.6.81
session transport udp
dtmf-relay rtp-nte
codec g711alaw
no vad
dial-peer voice 2000 voip
description *** Outbound to CUCM Primary ***
preference 1
destination-pattern 542....
session protocol sipv2
session target ipv4:152.63.1.19
voice-class codec 10
voice-class sip call-route p-called-party-id
dtmf-relay rtp-nte
no vad
dial-peer voice 2001 voip
description *** Outbound to CUCM Secondary ***
preference 2
destination-pattern 542....
session protocol sipv2
session target ipv4:152.63.1.100
voice-class codec 10
voice-class sip call-route p-called-party-id
dtmf-relay rtp-nte
no vad
dial-peer voice 2002 voip
description *** Outbound to CUCM Teritiary ***
preference 3
destination-pattern 542....
session protocol sipv2
session target ipv4:172.27.210.5
voice-class codec 10
voice-class sip call-route p-called-party-id
dtmf-relay rtp-nte
no vad
dial-peer voice 999010 pots
service stcapp
port 0/1/0
dial-peer voice 999011 pots
service stcapp
port 0/1/1
dial-peer voice 999012 pots
service stcapp
port 0/1/2
dial-peer voice 999013 pots
service stcapp
port 0/1/3
sip-ua
no remote-party-id
gatekeeper
shutdown
call-manager-fallback
secondary-dialtone 9
max-conferences 4 gain -6
transfer-system full-consult
ip source-address 10.198.2.9 port 2000
max-ephones 110
max-dn 400 dual-line no-reg
translation-profile incoming SRST-incoming
moh flash:/moh/Panjo.ulaw.wav
multicast moh 239.1.1.1 port 16384 route 10.198.2.9
time-zone 22
time-format 24
date-format dd-mm-yy
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 131
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
session-timeout 60
exec-timeout 60 0
privilege level 15
login local
transport input all
line vty 5 15
session-timeout 60
exec-timeout 60 0
privilege level 15
login local
transport input all
scheduler allocate 20000 1000
ntp server 10.1.30.1
end
eucamvgw01#
Sh SCCP
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.03.03 17:57:44 =~=~=~=~=~=~=~=~=~=~=~=
SCCP Admin State: UP
Gateway Local Interface: GigabitEthernet0/0
IPv4 Address: 10.198.2.9
Port Number: 2000
IP Precedence: 5
User Masked Codec list: None
Call Manager: 10.198.2.9, Port Number: 2000
Priority: 3, Version: 7.0, Identifier: 3
Call Manager: 152.63.1.19, Port Number: 2000
Priority: N/A, Version: 7.0, Identifier: 4
Trustpoint: N/A
Call Manager: 152.63.1.100, Port Number: 2000
Priority: N/A, Version: 7.0, Identifier: 5
Trustpoint: N/A
Call Manager: 172.27.210.5, Port Number: 2000
Priority: N/A, Version: 7.0, Identifier: 6
Trustpoint: N/A
MTP Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Profile Identifier: 1000
Reported Max Streams: 400, Reported Max OOS Streams: 0
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30
TLS : ENABLED
Transcoding Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Profile Identifier: 1001
Reported Max Streams: 36, Reported Max OOS Streams: 0
Supported Codec: ilbc, Maximum Packetization Period: 120
Supported Codec: g722r64, Maximum Packetization Period: 30
Supported Codec: g729br8, Maximum Packetization Period: 60
Supported Codec: g729r8, Maximum Packetization Period: 60
Supported Codec: gsmamr-nb, Maximum Packetization Period: 60
Supported Codec: pass-thru, Maximum Packetization Period: N/A
Supported Codec: g711ulaw, Maximum Packetization Period: 30
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: g729ar8, Maximum Packetization Period: 60
Supported Codec: g729abr8, Maximum Packetization Period: 60
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30
Conferencing Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Profile Identifier: 1002
Reported Max Streams: 16, Reported Max OOS Streams: 0
Supported Codec: g711ulaw, Maximum Packetization Period: 30
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: g729ar8, Maximum Packetization Period: 60
Supported Codec: g729abr8, Maximum Packetization Period: 60
Supported Codec: g729r8, Maximum Packetization Period: 60
Supported Codec: g729br8, Maximum Packetization Period: 60
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30
TLS : ENABLED
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN71FEF7F070080
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: ilbc, Maximum Packetization Period: 120
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN71FEF7F070081
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: ilbc, Maximum Packetization Period: 120
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN71FEF7F070082
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: ilbc, Maximum Packetization Period: 120
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN71FEF7F070083
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: ilbc, Maximum Packetization Period: 120
eucamvgw01# -
Directory Caching issue with Cisco Jabber client for Windows
Hi ,
I am facing cache issue with Cisco Jabber client for Windows. If I do any change related to modification or deletion of contacts in Active Directory/ Callmanager, it does not reflect in the Jabber. Because jabber takes the contacts from the locally stored cache file in the Windows system.
Every time I have to remove the cache file to overcome this issue, practically it's not possible to do the same with all the Windows users. As, if any employee leaves the company and still I can see his contact appears in the "Cisco Jabber client". I have not seen this issue with Android/Apple iOS.
Is there any automated way to remove the cache file?
Here is the detail of CUCM,Presence and Jabber.
CUCM version: 9.1.x
Presence : 9.1.X
Jabber : 10.5 and 10.6
Hello
On our environment we had to install a dedicated Microsoft Certificate Authority "just for Cisco Jabber usage" to house the Network Device Enrollment Service.
Our certificate for the CUPS were generated on this Certification Authority too.
I discussed this certificate matter with my colleagues this afternoon and nobody seems to remember how these certificates were deployed into the Enterprise Trust store for the users.
But I think they asked all 400 users to accept the 3 certificates by answering "yes" to the popup instead of using a script deployed by GPO...
I wish you success with that deployment and really hope you have a technical partner that *Knows* this subject.
Our partner left us alone with that unfortunately.
Florent
EDIT: If the "Certutil script method" works, please let me know. This could be useful in our own deployment. -
Issues with cisco 1242 aironets
We are currently experiencing an issue with the 1242 AG Wireless Access Points. We have them configured as 1 Root Access point and 3 Repeaters. The repeaters seem to be experiencing frequency interference issues. The Root AP is using antenna model 2506 and the repeaters 1728's.
What happens is when the repeaters are first started up, they see / communicate to the root access point fine, but within 5 minutes they stop communicating. If we manually set the channel to something different, they see each other for 5 - 10 minutes then eventually disappear and cannot be ping'd or seen with a sh cdp nei.
We have tried various combinations of settings so far. Have tried channel 1 - 13 and the least congested frequency mode. It usually settles on channel 8 when we put it in that mode. But it is the same scenario each time. All 3 repeaters show up almost instantly after a channel change, but slowly disappear in less than 10 minutes.
Here is our config:
Version
Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.4(21a)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 16-Sep-09 19:06 by prod_rel_team
ROM: Bootstrap program is C1240 boot loader
BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.3(7)JA1, RELEASE SOFTWARE (fc1)
ROOTAP uptime is 2 days, 3 hours, 14 minutes
System returned to ROM by power-on
System image file is "flash:/c1240-k9w7-mx.124-21a.JA1/c1240-k9w7-mx.124-21a.JA1"
cisco AIR-AP1242AG-E-K9 (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.
Processor board ID FCZ112782K9
PowerPCElvis CPU at 262Mhz, revision number 0x0950
Last reset from power-on
1 FastEthernet interface
2 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:1C:58:B1:72:2E
Part Number : 73-10256-06
PCA Assembly Number : 800-26918-05
PCA Revision Number : A0
PCB Serial Number : FOC11262N5Z
Top Assembly Part Number : 800-29233-01
Top Assembly Serial Number : FCZ112782K9
Top Revision Number : A0
Product/Model Number : AIR-AP1242AG-E-K9
Configuration register is 0xF
Root AP Config
Current configuration : 1987 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ROOTAP
no aaa new-model
dot11 syslog
dot11 activity-timeout client maximum 120
dot11 activity-timeout repeater maximum 300
dot11 ssid WIRELESS
authentication open
authentication key-management wpa
guest-mode
infrastructure-ssid
username user privilege 15 secret 5 password
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid WIRELESS
antenna gain 5
parent timeout 10000
channel 2417
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.2.10 255.255.255.0
no ip route-cache
ip default-gateway 192.168.2.1
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
privilege level 15
logging synchronous
login local
stopbits 1
line vty 0 4
privilege level 15
logging synchronous
login local
stopbits 1
line vty 5 15
privilege level 15
logging synchronous
login local
stopbits 1
end
Repeater Config
Current configuration : 1764 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname REPEATER03
no aaa new-model
dot11 syslog
dot11 ssid WIRELESS
authentication open
authentication key-management wpa
guest-mode
infrastructure-ssid
username user privilege 15 secret 5 password
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid WIRELESS
antenna gain 5
parent timeout 10000
station-role repeater
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.2.13 255.255.255.0
no ip route-cache
ip default-gateway 192.168.2.1
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
privilege level 15
logging synchronous
login local
stopbits 1
line vty 0 4
privilege level 15
logging synchronous
login local
stopbits 1
end
We are wondering if you have any tips to get around this.
Also, should these access points be able to handle ~200 clients? How close to the root access point should the repeaters be placed? I basically just go until my signal gets low and put a repeater within that range. Could vary from 30-60 meters away.
Thanks
Also, should these access points be able to handle ~200 clients?
APs, in theory, can handle >1,200 clients. In theory. In practice, Cisco recommends between 12-25 clients. Imagine if you have, say, 50 clients and they are trying to access the network on a 100 Mbps FastEthernet connection. That slows them down, right? But consider wireless as a broadcast. One talks and the rest listens. -
ASA , Cisco VPN client with RADIUS authentication
Hi,
I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
All seems to be working I get connected and authenticated. However even I use user name and password from Active Directory when connecting with Cisco VPN client I still have to provide these credentials once again when accessing domain resources.
Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
Thank you.
Kind regards,
Alex
Hi Alex,
It is working as it should.
You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
thanks
John