GD Starsign Crypto USB Token

Dear All,
My GD Starsign Crypto USB Token no longer works after the upgrade to Yosemite. Anyone with the same problem? Hints on how to solve this issue?
Thanks in advance for your Help.

first, i apologize for the late response.
Safenet support says that:
" the Ikey Java sample delivered with Ikey 1000 SDK 2.2.0 was for Internet Explorer works only with J2RE 1.3.0, but does not work with J2RE 1.4.0. If you choose to rebuild the Java sample, then you must have Microsoft SDK for Java 4.0 in order to use the make file that was provided by SafeNet. These samples are not distributed and supported by SafeNet any more. "
Not very comprehensible if you read the description of the problem
Edited by: fuimens on May 25, 2009 5:01 AM

Similar Messages

Why Hit "No Token Present" error even the USB token has been inserted?

Hi,
I am totally new to programming with cryptographic token.
When i try to login my secure token after inserted it into the USB port, my program throws "No Token Present" error.
I confirmed that the USB token is inserted properly because i can login the token with the Token Admin app installed on my system.
I have also installed the Provider successfully dynamically in my code.
Can anyone give me some idea or solution?
Thanks very much.
I program based on JDK 6 update 7 on Windows XP SP2 and the USB Secure Token (ST 2) is from SecureMetrics.
The error message is as shown as below:
Please kindly help to take a look at my code.
Use Provider: SunPKCS11-FeitianPKCS
Version: 1.600000
Info: SunPKCS11-FeitianPKCS using library D:\Develop\JavaPKCS11\ST2pkcs11v10.dll
Services: 0
{color:#999999}{color:#ff0000}javax.security.auth.login.LoginException: No token{color}{color}{color:#ff0000} present{color}{color:#ff0000}
{color}at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1044)
// Main code
String configName = "D:\\Develop\\JavaPKCS11\\pkcs11.cfg";
Provider p = new sun.security.pkcs11.SunPKCS11(configName);
Security.addProvider(p);
Provider[] ps = Security.getProviders();
System.out.printf("Total providers %d\n\n", ps.length);
for (int i=0; i<ps.length;i++) {
System.out.printf("Provider[%d]: %s\n",i, ps.getName());
//Create the provider we defined
Provider p = Security.getProvider("SunPKCS11-FeitianPKCS");
System.out.printf("\nUse Provider: %s\n", p.getName());
System.out.printf("Version: %f\n", p.getVersion());
System.out.printf("Info: %s\n", p.getInfo());
//List all the services it supports
System.out.printf("Services: %d\n", p.getServices().size());
Set ss = p.getServices();
Iterator ii = ss.iterator();
Service s;
while (ii.hasNext()) {
s = (Service) ii.next();
System.out.printf("Service: %s - %s - %s \n", s.getType(), s.getAlgorithm(), s.getClassName());
try {
MyGuiCallbackHandler mcb = new MyGuiCallbackHandler();
Subject token = new Subject();
AuthProvider aprov = (AuthProvider) p;
//Login the token
aprov.login(token, mcb);
Config:
name = FeitianPKCS#11
library = D:\Develop\JavaPKCS11\ST2pkcs11v10.dll

Hi Martin,
Thanks very much for your kind help and sharing of experience.
Below is my complete code and also the exceptions that i get.
Program output + exceptions
Java PKCS#11 Demo
Load library success
Total providers: 10
Provider[0]: SUN
Provider[1]: SunRsaSign
Provider[2]: SunJSSE
Provider[3]: SunJCE
Provider[4]: SunJGSS
Provider[5]: SunSASL
Provider[6]: XMLDSig
Provider[7]: SunPCSC
Provider[8]: SunMSCAPI
Provider[9]: SunPKCS11-FeitianPKCS
Use Provider: SunPKCS11-FeitianPKCS
Version: 1.6
Info: SunPKCS11-FeitianPKCS using library D:\\Develop\\JavaPKCS11\\ngp11v211.dll
javax.security.auth.login.LoginException: No token present
    at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1044)
    at javapkcs11.Main.main(Main.java:112)Main.java
// Main.java
package javapkcs11;
import java.security.*;
import java.security.Provider.*;
import javax.security.auth.*;
import java.util.*;
import java.lang.*;
import javax.crypto.*;
import javax.crypto.spec.*;
//import sun.misc.*;
* @author
public class Main {
    /** Creates a new instance of Main */
    public Main() {
     * @param args the command line arguments
    public static void main(String[] args) {
        System.out.println("Java PKCS#11 Demo\n\n");
        //Load the configuration file
        if (Main.configProvider())
            System.out.println("Load library success\n\n");
        else {
            System.out.println("Load library failed\n\n");
            return;
        //List all the providers
        Provider[] ps = Security.getProviders();
        System.out.println("Total providers: " + ps.length);
        for (int i=0; i<ps.length;i++) {
          // System.out.printf("Provider[%d]: %s\n",i, ps.getName());
System.out.println("Provider[" + i + "]: " + ps[i].getName());
//Create the provider we defined
Provider p = Security.getProvider("SunPKCS11-FeitianPKCS");
//System.out.printf("\nUse Provider: %s\n", p.getName());
System.out.println("\nUse Provider: " + p.getName() );
//System.out.printf("Version: %f\n", p.getVersion());
System.out.println("Version: " + p.getVersion() );
//System.out.printf("Info: %s\n", p.getInfo());
System.out.println("Info: " + p.getInfo() );
//List all the services it supports
//System.out.printf("Services: %d\n", p.getServices().size());
Set ss = p.getServices();
Iterator ii = ss.iterator();
Service s;
while (ii.hasNext()) {
s = (Service) ii.next();
// System.out.printf("Service: %s - %s - %s \n", s.getType(), s.getAlgorithm(), s.getClassName());
System.out.println("Service: " + s.getType() + " " + s.getAlgorithm() + " " + s.getClassName());
try {
     char pin[] = "99999999".toCharArray();
MyGuiCallbackHandler mcb = new MyGuiCallbackHandler();
Subject token = new Subject();
AuthProvider aprov = (AuthProvider) p;
//Login the token
aprov.login(token, mcb);
} catch (Exception e) {
e.printStackTrace();
public static boolean configProvider() {
//Here defines the path of configuration file, you could change it
String configName = "D:\\Develop\\JavaPKCS11\\pkcs11.cfg";
try {
Provider p = new sun.security.pkcs11.SunPKCS11(configName);
Security.addProvider(p);
} catch (Exception e) {
e.printStackTrace();
return false;
return true;
}PKCS11 Configname = FeitianPKCS
library = D:\\Develop\\JavaPKCS11\\ngp11v211.dll
slot = 3

Pkcs#11: store data in usb token

Hi,
can the pkcs#11 be used to store data on a usb token? For example storing an id?
Thanks

Hi,
can the pkcs#11 be used to store data on a usb token? For example storing an id?
Thanks

Pkcs#11:store data in usb token (marked as q)

Hi,
can the pkcs#11 be used to store data on a usb token? For example storing an id?
Thanks
PS: What is this "mark as question" thing?
Edited by: uig on Oct 26, 2007 1:51 AM

Thanks.
for the sake of the record I fixed this by specifying a METHOD_DATA and DIRECTORY in sqlnet.ora like in
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=HSM)(METHOD_DATA=
(DIRECTORY=/app/oracle/admin/SID1/wallet)))
where the directory exists, as opposed to just
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
as it says in the doco...
I have a new issue, which I'll start a new thread for.

Hyper-V 2012 R2 USB Token for guest

I have a piece of software that uses a USB token for licensing purposes. I'm attempting to virtualize the server with the software, but I can't get the USB token over to the VM. I've seen guides about mounting USB drives to VMs, but the token doesn't present itself as a drive. When plugged in, Windows goes through the normal procedure for recognizing a new device and then places it under "other devices" in the device manager. Is there a way I can make this device available to the VM Guest?
This topic first appeared in the Spiceworks Community

Hi Andre,
I would suggest you to install the supported Linux guest OS on hyper-v , please refer to following link:
http://technet.microsoft.com/en-US/library/dn531030.aspx
Best Regards
Elton Ji
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

A new type of activeKey USB token problems.

My activeKey USB token worked until recently. I did this: https://discussions.apple.com/thread/2526943 and I installed the package: http://smartcardservices.macosforge.org. Once I renewed, the usb key doesn't show up in my keychain. This isn't a cache thing, as we tested a coworker's activKey which worked, then we updated it and it also doesn't show up in the key chain.
Linux pcscd daemons don't pick it up either.
Oooh, quick note: my company apparently had to do something recently because the activKeys weren't working on Windows 7. Is there a new type of activeKey that's been installed onto the card? (This stuff is mostly black magic to me.)
Any help?

I have exactly the same problem - tried deleting the cache - tried reinstalling the smart card services - no success yet
This is a real problem as it leaves me dead for native Mac OS/X to access certain corporate web sites - have to use Parallels / Windows instead :-(

How to "convert" a PC/SC spec Smart Card (usb token) to a Java Card?

Hi experts,
I've got a usb token from OEM and the only thing they told me is that the token is manufactured according to PC/SC spec. OEM didn't say anything about the proccessor, memory, etc. I'm no expert in hardware. But according to what I read on the web, a Java Card must have JCVM in the on-card memory. I'm wondering if there is a way to initialize a JCVM in this PC/SC usb token?
Any help will be much appreciated!
Z.Zen

"PC/SC compatible" is about software on the card as much as "PC compatible" is about the software in your computer. PC/SC deals with sending bytes to and from the token whereas JavaCard deals with working with those byte packets. Unless the token is a JavaCard, there's not much you can do. You need to get the ATR of the token via PC/SC, maybe that gives more information.

Detecting when the user is inserting a USB token

Dear Forum,
From a Java GUI application I'm trying to detect when a USB token (CrypToken from Marx) is inserted.
When I run the program below with the USB token inserted it works fine. If I start the program and then inserts the USB token I keep getting a ProviderException.
Any help is greatly appreciated.
Kind regards,
Morten Bruun
The exception I get:
java.security.ProviderException: Initialization failed
     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:186)
     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:76)
     at tryout.TestInsertToken.getProvider(TestInsertToken.java:38)
     at tryout.TestInsertToken.actionPerformed(TestInsertToken.java:47)
     at javax.swing.Timer.fireActionPerformed(Unknown Source)
     at javax.swing.Timer$DoPostEvent.run(Unknown Source)
     at java.awt.event.InvocationEvent.dispatch(Unknown Source)
     at java.awt.EventQueue.dispatchEvent(Unknown Source)
     at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
     at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
     at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
     at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
     at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.security.ProviderException: slotListIndex is 0 but token only has 0slots
     at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:171)
     ... 12 moreMy test program looks like this:
package tryout;
import java.awt.FlowLayout;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.security.Provider;
import javax.swing.JFrame;
import javax.swing.JLabel;
import javax.swing.SwingUtilities;
import javax.swing.Timer;
public class TestInsertToken extends JFrame implements ActionListener {
     private Timer timer;
     private JLabel label;
     TestInsertToken() {
          this.setLayout(new FlowLayout());
          this.setDefaultCloseOperation(EXIT_ON_CLOSE);
          label = new JLabel("Insert token");
          this.add(label);
          timer = new Timer(1000, this);
          timer.start();
          this.setSize(300, 200);
          this.setVisible(true);
     private Provider getProvider() {
          try {
               return new sun.security.pkcs11.SunPKCS11("pkcs11.cfg");
          } catch (Exception e) {
               System.out.println("Got exception: " + e.getMessage());
               e.printStackTrace();
               return null;
     public void actionPerformed(ActionEvent e) {
          Provider provider = getProvider();
          if(provider != null) {
               this.label.setText("USB token detected: " + provider.getName());
               this.timer.stop();
     public static void main(String[] args) {
          SwingUtilities.invokeLater(new Runnable() {
               public void run() {
                    new TestInsertToken();
}Edited by: Hr.Bruun on Nov 10, 2008 2:13 PM

Thanks for replying, Andy!
I know that if I point my gateway at 2013, I should be fine. You mentioned that in this article:
http://social.technet.microsoft.com/Forums/sharepoint/en-US/f622ff81-0d97-44d3-9051-f22c381fe188/exchange-2010-and-um-on-exchange-2013?forum=exchangesvrunifiedmessaging
"Once the SIP connection is pointed to 2013, it will handle both the 2013 and 2010 Mailboxes in the Dial Plan" which I found and which was helpful.
But, in the TechNet walkthrough:
http://technet.microsoft.com/en-us/library/dn169226(v=exchg.150).aspx
And the checklist too:
http://technet.microsoft.com/en-us/library/dn169228(v=exchg.150).aspx
It's having us move the UM enabled users before we repoint the IP gateway, which is one of the final steps. Since we're just in pilot mode right now, we'd prefer to not re-point that just yet. Do you expect it shouldn't work? Is TechNet wrong or
am I misreading it or missing something else?

Sign a pdf using usb token

I am using below code to sign a pdf using itextsharp version 5.5.1.0 . It works fine. But itextsharp 5.5.1.0
is having AGPL and i think it cannot be used in my application freely. But by using version below 4.1.6 which has GPL licence the same code does not work. So is there any alternative?
using System;
using System.Windows.Forms;
using System.IO;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security;
namespace SignPdf
public partial class Form1 : Form
public Form1()
InitializeComponent();
private SecureString GetSecurePin(string PinCode)
SecureString pwd = new SecureString();
foreach (var c in PinCode.ToCharArray()) pwd.AppendChar(c);
return pwd;
private void SignWithThisCert(X509Certificate2 cert)
string SourcePdfFileName = textBox1.Text;
string DestPdfFileName = textBox1.Text + "-Signed.pdf";
Org.BouncyCastle.X509.X509CertificateParser cp = new Org.BouncyCastle.X509.X509CertificateParser();
Org.BouncyCastle.X509.X509Certificate[] chain = new Org.BouncyCastle.X509.X509Certificate[] { cp.ReadCertificate(cert.RawData) };
IExternalSignature externalSignature = new X509Certificate2Signature(cert, "SHA-1");
PdfReader pdfReader = new PdfReader(SourcePdfFileName);
FileStream signedPdf = new FileStream(DestPdfFileName, FileMode.Create); //the output pdf file
PdfStamper pdfStamper = PdfStamper.CreateSignature(pdfReader, signedPdf, '\0');
PdfSignatureAppearance signatureAppearance = pdfStamper.SignatureAppearance;
//here set signatureAppearance at your will
signatureAppearance.Reason = "Because I can";
signatureAppearance.Location = "My location";
signatureAppearance.SignatureRenderingMode = PdfSignatureAppearance.RenderingMode.DESCRIPTION;
MakeSignature.SignDetached(signatureAppearance, externalSignature, chain, null, null, null, 0, CryptoStandard.CMS);
//MakeSignature.SignDetached(signatureAppearance, externalSignature, chain, null, null, null, 0, CryptoStandard.CADES);
MessageBox.Show("Done");
private void Form1_Load(object sender, EventArgs e)
private void button1_Click_1(object sender, EventArgs e)
//Sign with certificate selection in the windows certificate store
X509Store store = new X509Store(StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2 cert = null;
//manually chose the certificate in the store
X509Certificate2Collection sel = X509Certificate2UI.SelectFromCollection(store.Certificates, null, null, X509SelectionFlag.SingleSelection);
if (sel.Count > 0)
cert = sel[0];
else
MessageBox.Show("Certificate not found");
return;
SignWithThisCert(cert);

hi.
you may return to the iTextshap version to 5.3.3, it works fine to sign a PDF using external USB token.
free C#
Excel component being evaluated, any other recommendation is appreciated.
Thanks and Regards.
But version 5.3.3 is also having AGPL licence, As i said in question
version below 4.1.6 has GPL licence.

How to sign PDF with a smart card or USB token in C# through IAC ?

Hi,
My goal is to apply a certification signature (MDP) to a PDF document with a smart card (Belgium identity card) from a C# application.
I start Acrobat through IAC.
The JavaScript object apparently can only sign with PKCS12 file (.pfx)...
To sign a PDF with a smart card I need to develop a plug-in if I am right?
The samples in the SDK are to get a certificate from the windows certificate store or to write a Third party handler.
I already get the certificate context (an HCRYPPROV object from windows certificate store)
How can I create a signature field but mostly sign it? With DigSig I guess, but I’m lost in the API… does
I have to use DigSigSignDoc ?
Syntax : void DigSigSignDoc(PDDoc pdDoc, CosObj sigField, ASAtom filterKey)
The filterKey value for the windows certificate store is “Adobe.PPKMS” but how can I choose my certificate?
I also have to build a signature reference dictionary i guess?
What does i have to do and in which order? I can't find any documentation on this.
There is a more simple way?
Thank you,
Goffin
Fabian

Hi,
-download the JDK sample "sdkAddSignature.js"
-change the sign methode like this :
Sign = app.trustedFunction (
    function( sigField, DigSigHandlerName )
   try {
   app.beginPriv();
   //the diSigHandler is "Adobe.PPKLite"
   var myEngine = security.getHandler(DigSigHandlerName);
   var ids = myEngine.digitalIDs;
   //choose an id which is installed in the microsoft store
var oCert = ids.certs[3];
// for (var i=0; i<ids.certs.length; i++)
// console.println("certificat n°"+ i + " " +ids.certs[i]);
var oParams = {cPassword:"0000" , oEndUserSignCert:oCert }
if(myEngine.login({cPassword:"0000",oParams:oParams,bUI:false}))
   console.println("OK");
else
   console.println("Error");
console.println("sigfield :" + sigField);
sigField.signatureSign({oSig: myEngine,oInfo: { password: "0000",reason: ACROSDK.sigReason,location: ACROSDK.sigLocation,contactInfo: ACROSDK.sigContactInfo}});
app.endPriv
   } catch (e) {
   console.println("An error occurred: " + e);
-perform some test using the javascript debugger
-and finally use IAC to execute the script

How can reload pkcs#11 (digital signature) ?

Hi Iam working on DigitalSignature.
Iam using Aladdin eToken pro32k
Initially Iam able to load usb tokens through application and sign the pdf documents.
1) Iam giving right password and able to do sign on pdf document through crypto usb token.
After this i didn't disconnected my usb token and try to sign another pdf doc but at this time
Iam giving wrong password(PIN) to usb token but it is going to sign successfully.
Here is the code for load a usbtoken through application.
// The cfg file contains name = GNFCeToken
//library = c:\WINDOWS\system32\eTpkcs11.dll
String configName = "C:/pkcs11.cfg";
Provider provider = new sun.security.pkcs11.SunPKCS11(configName);
Security.addProvider(provider);
KeyStore keyStore = null;
keyStore = KeyStore.getInstance("PKCS11",provider);
keyStore.load(null,tokenPassword);
provider = keyStore.getProvider();
For signing a pdf doc second time I need to reload the usb token every time.
So how can I reload usb token through programatically?
Any replys will appriciate greatly.

"Registering" the credentials is something that is vendor middleware specific. It has nothing to do with Java code. An example of a passing mention of it is on this page: http://www.bestoken.com/support.html - "But the main function for it is that it can detect plug/unplug of
hardware, and automatically read the certificates in hardware and
register it to certificate storage section of the system." Some middlewares can do it automatically if you enable the option, some you must do it manually all the time.
Well, it looks like the MSCAPI support works a little smoother with software-based credentials. I wrote the following test:
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
public class CAPITest {
public static void main(String[] args){
    try {
      KeyStore ks = KeyStore.getInstance("Windows-MY");
      ks.load(null, null) ;
      Enumeration en = ks.aliases() ;
      while (en.hasMoreElements()) {
        String alias = (String) en.nextElement();
        X509Certificate c = (X509Certificate) ks.getCertificate(alias);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        if (key != null) {
          System.out.println(c.getSubjectDN().getName() + " has private key");
        else {
          System.out.println(c.getSubjectDN().getName());
    } catch (Exception ex) {
      ex.printStackTrace();
}When I ran it I got a listing of 9 certs, 4 having private keys. No password popups or anything. 3 of the certs were on a currently inserted smartcard. When I removed the smartcard and ran it again I got a dialog belonging to my middleware asking me to insert my smartcard but even after I did, the OK button was disabled and I couldn't proceed.
You've mentioned eToken a few times. If that is the only hw token you are supporting then I would reccommend using the SunPKCS11 provider directly rather than letting Microsoft CAPI get in the way. Using the SunPKCS11 provider will sidestep the certificate registration issue.
You mention " The problem i am facing is say a system is used by 1000 user with there own eToken" as a possible use situation. Is this some sort of kiosk machine with a single shared account or each user has their own user account? If each user has their own account then their credentials won't mix. If they're all using the same account then again, I think you're better off using the SunPKCS11 provider and going directly to the eToken pkcs11 interface. That way you limit the list of certs to whatever is on the currently inserted token (which you should further inspect and limit to ones that have the digitial signature key usage bit set).

Does Java Card require a USB CCID-compliant smart card reader?

Hi experts,
Does Java Card require a USB CCID-compliant smart card reader? I'm currently working with PC/SC usb token and it requires usb CCID-compliant smart card reader, which seems very inconvenient for my clients and I'm wondering if Java Card has the same issue? (I'm thinking about switching the project to Java Card)
Any help will be much appreciated!
Z.Zen

Hi,
You will still need to install drivers for some card readers to function correctly. I know some work out of the box on Windows and OS X (10.5+ at least) ships with the pcsclite CCID driver from the Muscle card project. When I view my reader in Windows device manager the Manufacturer is "USB CCID Compliant".
The only real difference between what you are doing with the USB CCID token and Java Card is that the card and reader are separate in the Java Card option where as the USB token has the reader and chip in one package.
Cheers,
Shane

Generate certificates valid for smart card (Windows logon) with third party PKI (not Microsoft)

Hello everyone
today I am working on a mounted on a Red Hat Enterprise PKI
Linux Server release 5.5 (Tikanga) is Easycert 5.2.2.15. We need to know what are the necessary data that we have to go to the PKI so it can generate certificates of users in Active Directory for use with a USB Token (ACOS5-64 CHIP CRYPTO) functioning as Smart
Card to make the login of users on computers.
On the other hand also we need to know the necessary settings between the third party pki and the domains controllers (Windows 2012).
Greetings and I hope for you response.
TechCach

> It is for Windows 2012.
nothing changed since Windows Server 2003. Here is a KB article:
http://support2.microsoft.com/kb/281245
> Is
the
scenario
supported
by
microsoft?
yes, of course. See KB article above.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell FCIV tool.

Issues using 887 when authenticating with MER on a Fibre connection

Hello All
I've been battling for a week now to get the config correct for Cisco 887VA.
I understand Sky use MER to authenticate, however, in order to create the PPP connection, I am using PPPoE without passing any authentication, other than the username|password through option 61 (and vendor information on option 60).
I have Wiresharked the provided Sky router SR102 to obtain DHCP option 60 and 61 information and have entered these as hex values in the dialer interface.
I have also spoofed the SR102 MAC address on the dialer interface.
I have created a sub interface on e0, using dot1q to tag traffic to VLAN 101
I can indeed see traffic on interface e0.101 but the dialer receives NO ip address.
I can also see the modem is connected and in sync.
Am I correct in assuming the e0.101 interface is equivalent to the WAN connection on a seperate modem?
Config is below - please ignore local IPs, etc
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ******-ADSL
boot-start-marker
boot-end-marker
no logging buffered
enable secret 5 *********
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
memory-size iomem 10
clock timezone BST 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1112313640
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1112313640
revocation-check none
rsakeypair TP-self-signed-1112313640
crypto pki certificate chain TP-self-signed-1112313640
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
ip source-route
ip cef
ip domain name vdsl.******.net
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
archive
log config
hidekeys
username admin privilege 15 secret 5 *********
controller VDSL 0
no ip ftp passive
ip ssh authentication-retries 5
ip ssh version 2
interface Ethernet0
no ip address
interface Ethernet0.101
encapsulation dot1Q 101
pppoe-client dial-pool-number 1
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Vlan1
ip address 1.1.1.1 255.255.0.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Dialer1
mac-address ****.****.**38
mtu 1492
ip dhcp client request classless-static-route
ip dhcp client client-id hex <<HEX STRING>>
ip dhcp client class-id hex <<HEX STRING>>
ip address dhcp
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
ip route-cache policy
dialer pool 1
dialer-group 1
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
router ospf 1
router-id 1.1.0.1
network 1.1.0.1 0.0.0.0 area 0
default-information originate
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 9
ip flow-export destination 1.1.1.1 9991
ip flow-export destination 1.1.1.1 9991
ip nat inside source list NATACL interface Dialer1 overload
ip access-list standard NATACL
permit 1.0.0.0 0.255.255.255
logging esm config
access-list 1 permit 1.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
control-plane
banner motd ^CCCCCCCCC
*****************AUTHORISED USERS ONLY*****************
^C
line con 0
password 7 ***************
line aux 0
password 7 ***************
line vty 0 4
session-timeout 10
exec-timeout 0 0
timeout login response 300
transport input ssh
scheduler max-task-time 5000
end
Many thanks

Chris,
Just wondering if you managed to get anywhere with this, or just gave up? I'm a Sky Fibre user, sadly using the bundled "Sky Hub" (aptly named, as I consider "Layer 1 Network Hubs" to be just as gash as this ), and have battled with the MER DHCP-based authentication before.
Previously, I was experimenting using a Cisco Linksys E2400 (or E4200, I forget) running Tomato USB Firmware and was getting frustrated with the hex settings.
I notice in your configs you posted the following strings, which look like they are trying to send the DHCP Vendor ID/Options that MER needs:
ip dhcp client client-id hex <<HEX STRING>>
ip dhcp client class-id hex <<HEX STRING>>
For your specified <<HEX STRING>> were you also appending the necessary "0x3d" (61) to your custom-generated User+Pass hex (i.e. full string reads "0x3d<<USER+PASS HEX>>")?
Sources as below, but curious if this could fix it?
Sources
http://www.skyuser.co.uk/forum/technical-discussion/46464-skys-mer-why-does-not-work-other-routers-22.html
https://www.cm9.net/skypass/index.cgi

Port Forwarding for RDP 3389 is not working

Hi,
I am having trouble getting rdp (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the servers firewall, its just the cisco. I highlighted in red to what i thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security .Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939
34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C
ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31
88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4
E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03
542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny   ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny   ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny   ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny   ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny   ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny   ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny   ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny   ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny   ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny   ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny   ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
   functions svc-enabled
   svc address-pool "sat-ipsec-vpn-pool"
   svc default-domain "domain.com"
   svc keep-client-installed
   svc split dns "domain.com"
   svc split include 10.0.0.0 255.0.0.0
   svc split include 192.168.0.0 255.255.0.0
   svc split include 172.16.0.0 255.240.0.0
   svc dns-server primary 10.20.30.20
   svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
end

Hi,
I didnt see anything marked with red in the above? (Atleast when I was reading)
I have not really had to deal with Routers at all since we all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni

GD Starsign Crypto USB Token

Similar Messages

Maybe you are looking for