Misconfiguration of Management ACL on AP541N-A-K9
Hello community,
I hope one of you can help, I mistakenly mis-configured "Management ACL mode" on my AP541N.
Administration>Administration Access Control>Managment ACL Mode
I set this to "Enabled", the problem is I only entered 1 IP address, and that IP address is the SAME IP as the AP's own internal interface. I was not thinking and entered that IP out of habit when I meant to enter my workstation's IP. The FW does not have a safeguard against this.
So, as you can see, this is a big problem, because now I have completely cut off all access (That I can think of) to the router. I can never access the AP as that IP because if I set my workstation to that IP, 1) There will be an address conflict, 2) My computer won't route traffic to the AP out its NIC because it recognizes that IP as itself.
Do any of you have any ideas of how I can get into the AP to correct this issue short of completely resetting the thing?
Thanks,
-Tim
Unfortunately no, the reset is the only way to access the AP since the IP is overlapping.
-Tom
Please rate helpful posts
Similar Messages
-
Manage ACL's for different versions...
Hi
We have several sites, some with BM39SP2 and some with older versions.
Some sites have multiple BM servers, so Access Rules are managed via the container object.
The issue we now have is inability to manage the older BM access rules...
Management for the 'new' servers on the main site is ok (ish... well, as ok as battling with imanager can be ;-)
However when we try and manage the container rules for the other sites we can't manage by either NwAdmin or iManager...
NWAdmin reports:
"RESTRICT: You can not configure or modify Access Rules through NWAdmin. Instead use iManager."
iManager reports:
"Either you have selected the wrong object or the migration is not done properly (Please run the fillattr manually )"
...rock and hard place... It's not possible to get the other servers updated anytime soon, so are the any attributes I can modify or delete to let me use good old nwadmin to manage my 'legacy' bm acls??
Cheers
DavidHi,
djbrightman wrote:
>
> Hi
> We have several sites, some with BM39SP2 and some with older versions.
> Some sites have multiple BM servers, so Access Rules are managed via
> the container object.
>
> The issue we now have is inability to manage the older BM access
> rules...
All you need to do is use a Nwadmin32 with BM3.8 (not 3.9) snapins to
manage your old ACLs.
CU,
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de -
Managing ACLs (7600, CRS IOS-XR, GSR) – advise on automation tools for SP
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
Hello All,
There are many wonderful Service Provider infrastructure hardening documents available from Cisco CCO and CiscoPress.
I have seen many over my life. Sample documents are:
Mannaging ACLs (7600, CRS IOS-XR, GSR) - automation tools, Document ID: 13608
Network Core Infrastructure Best Practices, Yusuf Bhaiji
Cisco Guide to Harden Cisco IOS XR Devices
Each service provider is recommended to enable and configure rACLs, CoPP, block unnecessary control protocols over the edge, Protect BGP peering with interface ACLs and many many more. Unfortunately there is no tool available from Cisco to configure and maintain all those features.
I would like to ask question to NetPro community. Have you seen any working products from Cisco or Cisco partners for ACL management. Lets keep Cisco Security Manager (CSM) aside. CSM is enterprise oriented tool and supporting routers up to 6500/7600.
I’m looking for this tool for few years already. Looks like other Service Providers are using home made developments. Google recently partially published own tool capirca to a public domain (do search on “ACL Management @ Google” or capirca). This is good start but I is missing ACL deployment module (it is not released by google).
Please share you experience!
Cheers! -
I have a T61p running Vista Home Premium and recently noticed that Windows Update has been trying to install a driver every single day for the last 6 days and it always fails to install. It reads like this:
"Lenovo - Other hardware - ThinkPad PM Device
Type: Recommended.
Published: 8/25/2008."
But I wonder why Windows keeps trying to update a piece of software about which Windows itself reports the following:
"Update Drive Software - ThinkPad PM Device: The best driver software for your device is already installed. Windows has determined the driver software for your device is up to date."
What am I missing?
A check with PC Doctor for Windows detects a "Misconfigured" Power Management Driver and adds that this driver is either not installed or installed incorrectly.
Meanwhile, I completely uninstalled the seemingly faulty driver and all its components. However, when I check the list under Device Manager, the "ThinkPad Power Management" file remains listed. And when I check under "C:\DRIVERS\VISTA\x64" I find these three files:
"ibmpmdrv.sys"
"ibmpmsvc.exe"
"TpInsPM.dll"
Also under "C:\DRIVERS\VISTA\x86" I find those exact three filenames with exactly the same details.
I feel like I may be roaming around the beast but can't see it... Just the fact that these same 3 files are kept under two different folders under the VISTA common puzzles me. (And do those folder names "x64" and "x86" actually have any meaning?)
Can anyone help me try to make some sense of all this?Any help will be appreciated.
Thanks.You might install istat from http://www.islayer.com/apps/istatpro/ to see what your actual temps are. Either there is not enough airflow and the system is overheating or there could be a sensor failure.
Ensure the air vents at the base are clear. One person's were clogged with cat hair because the cat slept next to the mini.
You can run the Apple hardware test to see if there is a problem with a sensor. Find your original OS X disks that came with the system, insert the disk that says 'AHT Version x.x' in small print on the label, reboot holding the alt/option key down, choose the Apple hardware test, and when prompted choose the extended test. -
Traditional ACL vs Zone Based FW
I have a 3845 ISR that I have been managing for a couple years that has a traditional ACL based config. We just purchased a new 3845 for redundancy and it arrived with the zone based config from Cisco. Any opinions on whether I should take the existing router to a zone based config or should I configure the new router with traditional ACL config that I am more comforatable with?
If there was the option to use a Zone based FW or just straight access lists then surely the Zone based FW would be considered a better option as it has more features than just permit or deny. The Zoned based FW will also inspect traffic and block any traffic with malicous code for example. I am not an expert in this arena, but based on Security exam topics and other publications, the FW approach seems to be gaining traction versus managing ACLs alone. Although, ACLs will always have their place in the network...
The choice is based on your comfort level, but both are viable options...
BR,
Cary
Sent from Cisco Technical Support iPad App -
RDBMSRealm ACL why if in deployment descriptors?
I was planning on using deployment descriptors for my ACL. I have users and
groups in my database and this maps just fine for the RDBMS schema. Why then
do I need ACLs in the schema? I have them in my deployment descriptors! I'm
getting errors like column not found, etc when it tries to load my realm
(obviously, I don't have ACL set up in database). Is there a way around
this?
thanks,
Mike Lee
Architect
AfterBOT
[email protected]
Just remove nospam_ to email meYou can not do this. Per J2EE is exactly how WLS works under the hood for
ACL deployment descriptors. It does not use container managed ACL through
RDBMSRealm for anything that a deployment descriptor can do (ie: ejb-jar.xml
and web.xlm security-contraint)
Michael Lee
"Michael Lee" <[email protected]> wrote in message
news:3d6d0765$[email protected]..
It turns out that it just wants an entry in the schema in the RDBMS setup.I
created a table that mapped to it just to be safe. If there are no entries
in the ACL table then thats ok, it just means that there are no ACL
constraints (outside of what you put on deployment descriptors of course).
This is all working now! Yay!
Now I'm looking at taking the ACL information out of the deployment
descriptors (web.xml and ejb-jar.xml) and putting them in the ACL_ENTRIESin
the RDBMSRealm. I don't know if this can be done but if it can it would be
very nice for configurability. I could then write JSPs for the customer to
change the security of the system.
Michael Lee
"Michael Lee" <[email protected]> wrote in message
news:[email protected]..
I was planning on using deployment descriptors for my ACL. I have usersand
groups in my database and this maps just fine for the RDBMS schema. Whythen
do I need ACLs in the schema? I have them in my deployment descriptors!I'm
getting errors like column not found, etc when it tries to load my realm
(obviously, I don't have ACL set up in database). Is there a way around
this?
thanks,
Mike Lee
Architect
AfterBOT
[email protected]
Just remove nospam_ to email me -
Instant Access - static sharing of ACLs
Hello
I'm looking to deploy 802.1x/mab on an Instant Access 1000 interface deployment. PACLs/dACLs will be used for security. Many of these ACLs will be identical and I found the following document on static sharing of ACLs to keep tcam utilization down:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dot1x.html#wp1133455
Instant Access parent switch is a C6807-XL (151-2.SY4a) VSS pair using WS-X6904-40G for the IA FEX links
The 6807 doesn't have the commands below (referenced in above document)
mls acl tcam share-acl
platform hardware acl downloadable setup static
I have found the following command on the 6807:
platform feature-manager acl downloadable setup static
Is there an equivalent of "mls acl tcam share-acl" on the C6807-XL (151-2.SY4a) to enable static sharing of ACLs?
Thanks
AndyHello.
My understanding is traffic from the inside to lower security interfaces does not require the access-list and access-group command.
That said removing an entire acl removers the access-group command.
apply
access-group acl_inside in interface inside.
I'm not sure if the same applies for other interfaces wishing to access lower security interfaces.
You can consider yourself lucky :)
Tim -
CSM - does it support ACLs on a Cisco Catalyst 6500
Hi,
Does anyone know if CSM Enterprise Standard can be used to manage ACLs (standard and extended) on a Catalyst 6500?
Regards,
PiarasHi,
Just insert the blade and the switch should recognize it. For the 6500 series the blades are hot swap able.
HTH -
Hi,
I'm working on a DMS implementation project and trying to understand the scope of Access control management( ACL & ACC)
can any one tell me what will be the drawbacks or difficulties of implementaing ACL in large project or is it better to limit to groups in organisation.
Thanks In advance
Regards,
BabuHello,
In my project we have used ACLs.
Its particularly more useful for Folder level authorizations in easy DMS.
Regards
Prasad K -
ACL practices when modifying and applying new policies
Folks:
I am studying for my CCNA , and I am confused at how to manage ACL lists that are already applied to an interface.
For example: I have an ACL already applied to S0; however, I need to modify it. Cisco recommends that you disable the list first with the no ip access-group command; however, from my understanding, if I remove the list – traffic will be unfiltered. How do I modify an applied ACL and still filter traffic? Do I create another ACL to black all traffic until I modify my selected ACL?
Thank youIf you want to change an access-list that is already applied to an interface, you need to consider where to place your additions.
You can do this:
internetrouter#show access-lists
Standard IP access list 2
10 permit 172.16.1.1
20 permit 172.16.1.2
30 deny 172.16.1.0, wildcard bits 0.0.0.255
In this ACL I have permitted 172.16.1.1 and .2
However the last entry (line 30) I have denied the rest of the network. What if I wanted to add .3 and allow that??
Well if we add .3 to the bottom of the ACL then .3 would be denied by line 30.
I.e. if you do
Conf t
Ip access-list standard 2
Permit 172.16.1.3
Your ACL would look like this:
internetrouter#show access-lists
Standard IP access list 2
10 permit 172.16.1.1
20 permit 172.16.1.2
30 deny 172.16.1.0, wildcard bits 0.0.0.255
40 permit 172.16.1.3
This won't work because of the order, the network is denied by line 30 so line 40 will have no effect, hence instead you can do this:
Conf t
Ip access-list standard 2
25 Permit 172.16.1.3
Which would place this above line 30.
If we do a show access-list again:
internetrouter#show access-lists
Standard IP access list 2
10 permit 172.16.1.1
20 permit 172.16.1.2
25 permit 172.16.1.3
30 deny 172.16.1.0, wildcard bits 0.0.0.255
Now .3 will be permitted and so too .1 and 2 with the rest of the network being denied. So it's important to check traffic flows and the placement of your ACLs.
Likewise with removing ACL's with a 'no #' with the # being the line of the ACL entry.
Having ACLs on an interface is good for security but can be devastating when you are editing them in a live config if you get it wrong.
I recommend doing any changes to ACLs out of hours in an enterprise environment with a 'reload in 5' which gives me 5mins to make the change. If it goes well then I can cancel the reload and save the config. If I end up locking myself out, the router or device will reload in 5mins anyway so you can get the router back with the original config.
Or as mentioned previously, create an entire new ACL altogether with your changes, then apply that to your interface. But even then you could get the ACL wrong, hence a reload in might be useful ;-)
Hope this helps
Sent from Cisco Technical Support iPhone App -
hi Gurus,
We are in the process of integrating DMS with Portal.
we need to build a Portal screen where in a User would be able to load some documents directly on to DMS.
We have incorporated the mySAP ERP DMS Connector for KM.
we feel something is missing out in our configuration steps.
has any one done this configiration, your help is appreciated.
Thanks in advance.
regards,
krisCheck Business package of DMS Connector, you can download it from SAP Service Market Place and you'll have to install it on to Portal Server. Once successfully installed you will find DMSRM in Repository Managers. There you need to create repository and also maintain System to Access R/3 from Portal.
Finally as per the variant created in SAP R/3 DMS CV04N you'll able to see the folders and DMS Documents.
http://help.sap.com/saphelp_erp2005/helpdata/en/da/e40d3dbd82fe2fe10000000a114084/frameset.htm
have to create DMSRM Repository after installing DMS Connector for KM
Name: DMSRM
Description : DMS Repository Manager
Prefix:/dmsrm
Active:yes
Hide in Root Folder:no
Services Property Search Manager :
Versioning Manager:
Security Manager:
ACL Manager Cache :
Windows Landscape System:
Send Events:yes
Lock Manager:com.sap.pct.plm.dmsrmconnectorforkm.DMSRMMutableLockManager
ReadOnly: yes
ShowClassification:yes
ShowObjectsLinks:yes
ResourceValidity:30000
StorageCategory:ZDMS (Storage category for DMS in R/3 or Content Server)
SystemAlias:SAP_KM_ECC (Create one R/3 System for accessing DMS Documents)
VariantPrefix:KM
You need to create one system for SAP R/3 access and maintain user mapping in User Admin for System Access
Create variant in CV04n Tcode variant should start from KM_*
For Further Details Refer:
http://forums.sdn.sap.com/thread.jspa?messageID=7884645#7884645
AND
http://help.sap.com/saphelp_erp60_sp/helpdata/EN/42/d259f55d745043e10000000a1553f6/frameset.htm -
API for modifying rep:Policy nodes
The JCR API does not work when we are trying to modify/create rep:policy nodes.
I tried to have a look at the CqActionsServlet and CQActions class but could not make much progress on understanding the implementation.
Is there any API documentation on how to do this.
Basically the idea is to have a package of permission nodes (rep:policy) in the svn. As part of build process, we want to read the rep_policy.xmls and configure the corresponding permissions in CQ using RMI.Could you explain what you mean by the JCR API? While JCR 1.0 didn't have any API for managing access control policies, JCR 2.0 does.
I don't know think AccessControlManager works over RMI. The JIRA issue is still open: https://issues.apache.org/jira/browse/JCR-2113
There is a Sling bundle which you can install to manage ACLs via HTTP: http://sling.apache.org/site/managing-permissions-jackrabbitaccessmanager.html. Search this forum for prior discussions.
For the use case you describe, you should be able to do that with content packages. -
Hi,
I have just started out with EJB & weblogic security. I want to make a RDBMS realm in weblogic that connects to oracle dBase. Since I am new to security, I was wondering if anyone out there knew what fields would be added to a table that manages user?. Also how does a table manage ACLs? And last but not least, I noticed that when I was creating a RDBMS realm in weblogic console there is a tab that mentions that I have to write schema properties...what is this and what do I place in it. I have read all of the weblogic docs and there is nothing that addresses theses questions. I would really appreciate any help I can get.
Thank you,
Jay.
P.S I am using weblogic 6.0 with sp1Is this a continuation of http://forum.java.sun.com/thread.jsp?forum=60&thread=159878
It sure looks like it.
Have you read this weblogic doc http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1052867 -
SRW2048 Firmware 1.2.2 DHCP Forwarding Problem?
Is there a known issue with firmware 1.2.2 forwarding dhcp request? I had my tech support reporting that some users were unable to get assign DHCP addresses till a release and renew was performed.
regards,This is the release notes of
SRW2048 Firmware Revision History Software version 1.2.2 01/01/2007
Boot version 1.0.0.04 08/09/2005
Known Issues
=========
1. ACL --> MAC Based ACL
Creating a MAC ACL with to permit ethertype 0800 causes all traffic to be forwarded. Configuring a MAC ACL to permit ethertype 86DD causes all traffic to be denied.
Recommended Workaround: To avoid these situations, add a rule to deny any any.
2. Admin --> Cable Test
When testing cable with advanced test only (without simple test before), the results are incorrect.
3. QoS --> Advanced Mode
When configuring a policy with police - exceeded action - out of profile dscp, the policy must have an action: trust cos-dscp or set dscp. If you configure a policy with police - exceeded action - out of profile dscp without an action - the device configures the action to trust cos-dscp. If you configure a policy with police - exceeded action - out of profile dscp with an action set cos/queue, the device configures the action to set dscp 0.
4. Setup --> Time
The prioritization between servers is not maintained when two servers are configured simultaneously.
5. SNMP --> Group Membership
It is not possible to modify the user name after it has been entered.
Recommended Workaround: Delete the user and reconfigure.
6. VLAN Management
When a port is a member of Dynamic VLANs and Static VLANs, there may be errors in configuration using the Join VLAN pop up.
Recommended Workaround: Use the Ports to VLAN screen to join ports to VLANs.
7. Timestamps
(a) The order of the month and day in the dates presented in syslog messages is the European fromat (dd/mm/yy), and not the US format.
(b) SNMP traps are sent with a timestamp different from the actual time on the device, since the timestamp depends on the NMS configuration. The sequence is preserved.
8. HTTP port configuration
It is possible to modify the HTTP port to an already used port (e.g., 443). No error message is generated at this point.
9. Illegal characters in web inteface
Use of the following characters should be avoided when configuring using the web based interface: \ / : * ? < > |
10. Menu CLI
(a) Disable Active Management Access Profile - this software version does not support Management ACL, so this option is irrelevant to the user. It is reserved for future use.
"disable active mgmt access profile" is not working in menu console
(b) One cannot change the "admin" password in the Web GUI, but through menu CLI it is available.
GUI doesn't work only if there is only one user "Admin"
If you change the username to Admin1 or anything else, it works.
If you have another user name or names in addition to Admin, then it works too.
It could be more likely the computer issue. -
Hi all,
I'm looking for a tool - or technique - that will allow me to view and generate a printable document of folder/file permissions within a shared volume. This would include POSIX and/or ACLs and include all enclosed folders as well. I don't need to change anything - just view and print the results. Running ls -le essentially gives me what I need but I'm hoping for something that will generate a more readable list of the entire share in one fell swoop. Thanks for any insight you folks might have.
FrankI don't know if there's a single tool that will do everything you want. My suggestion, if you have Unix scripting skills, would be to postprocess the output delivered by ls -le into a prettier form. You could use lex or awk or other tools for that task.
acltotext (3) and aclfromtext (3) are standard C library calls, but not directly user accessible. You'd need to write code to wrap around them, and then what you end up with might be pretty much the same as ls -le.
I also took a quick look at ACLbit; a Linux tool for managing ACLs which also has the ability to bulk dump / backup / restore ACLs. It's written in PHP and since Linux and OS X probably both obey POSIX ACL rules, it might be pretty close to working order for OS X. I downloaded it and ran it, and then didn't investigate any time into why I was getting run-time errors.
Hopefully these suggestions help!!
Maybe you are looking for
-
Best way to handle multiple currencies
I have a requirement that users should be able to report against an OLAP cube in a currency of their choice (from a list of about 20) and was wondering what the best way to handle this might be. One option would be to have a currency dimension contai
-
Hi I'm using pap2t for my voip CIA/3WEB in canada / ontario provider. I do use their linksys voip profile with a modification for usage behind the router. The problem i get is every time I reset the adapter and program it for my VoIP provider the uni
-
Tiger to Leopard and new Mac...
Hey there, So far I´m working with my Powerbook and Tiger installed but soon I´ll get a Macbook with Leopard. Here it starts.... I´ve to get all of my files, settings and what ever over to the new Macbook.... What do I´ve to do? I´ve searched already
-
FCP X unable to scale any still image beyond 400%-why???
Just wondering if anyone else has run into this problem. If I try to scale any image in the Inspector window, FCP X doesn't let me scale beyond 400%. Why does FCP X place this limit? And is there any way it can be bypassed?
-
How to create Dynamic Table Control
Hi How to create Dynamic Table control , The field names and values to be displayed in table control are to be fetched from Add-on Tables. Regards Prasath