Potential Security Hole with 802.1x and Voice VLANs?

I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
If a user has no authentication details to gain access via 802.1x (i.e. they have not been given a User ID or the PC doesn't have a certificate etc.) and they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport), they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc.) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACLs so any 'non-voice related' traffic is blocked, but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
Has anyone done any research into this potential security hole?
Thanks
Andy

Thanks for the reply. To be honest we would normally deploy some or all of the measures you list, but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
Andy
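
The gap Andy describes (a PC learns the VVID from CDP, tags its own frames and is never challenged) exists whenever the voice VLAN is opened on the strength of the CDP exchange alone, and multiple-hosts mode (quoted from the switch documentation further down this page) only narrows it to "after some PC on the port has authenticated". The configuration below is an added example, not anything posted in the thread, showing the approach later Catalyst IOS releases offer for this: multi-domain authentication, where the phone is authenticated in its own voice domain (802.1x, or MAB for phones without a supplicant) before anything may use VLAN 14. It assumes a Catalyst switch with the IOS `authentication` command set (12.2(50)SE or later); the interface name, RADIUS address and shared secret are placeholders, and VLANs 12 and 14 are reused from the configuration quoted below.

```text
! Added example (not from the thread): one access port on which the voice
! VLAN is only opened to a device that has itself authenticated.
! Assumes Catalyst IOS with the "authentication" command set (12.2(50)SE+).
! RADIUS address and key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key <placeholder-shared-secret>
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description user port, IP phone with PC behind it
 switchport mode access
 switchport access vlan 12
 switchport voice vlan 14
 ! Two independent domains on the port: one MAC may authenticate into the
 ! DATA domain (VLAN 12) and one into the VOICE domain (VLAN 14). A PC that
 ! tags frames with VLAN 14 without having been authorised for the voice
 ! domain gets no forwarding on that VLAN, regardless of what CDP told it.
 authentication host-mode multi-domain
 authentication port-control auto
 ! Try 802.1x first, then MAC Authentication Bypass for phones without a
 ! supplicant. The RADIUS server must know the phone's MAC and return the
 ! Cisco AV pair device-traffic-class=voice, otherwise the phone is placed
 ! in the data domain and the voice domain stays closed.
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

To verify the result, `show authentication sessions interface GigabitEthernet1/0/1` lists each authenticated MAC with its domain (DATA or VOICE); a port whose phone has been replaced by a PC shows no VOICE session, and any 802.1q frames the PC tags with VLAN 14 are simply not forwarded. The CDP leak of the VVID still happens, but it no longer buys anything, because knowing the VLAN ID is not what grants access. The trade-off is operational: every phone MAC (or phone certificate, where the phones do 802.1x) has to be known to the RADIUS server, and MAB on its own is only as strong as the MAC allow-list, so a RADIUS policy that also checks the CDP/LLDP-derived device type is the usual complement.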

Similar Messages

  • 802.1x and Voice VLAN

    I had read articles on CCO, and I believed that for the same switch port we can have 802.1x configured and the voice VLAN configured. It means the IP phone is connected to the switch port with 802.1x configured, but the phone will not authenticate; only the workstation connected to the phone data port will get authenticated.
    I had configured 802.1x and tested with a notebook logon and was able to access the network. Now I would like to test the notebook attached to the IP phone data port, with the phone connected to a switch port configured with 802.1x. But I failed to add the voice vlan command. Why?
    interface GigabitEthernet9/48
    description temporary port
    switchport
    switchport access vlan 12
    switchport mode access
    no ip address
    dot1x port-control auto
    spanning-tree portfast
    CIG01-ENT-SW1(config-if)#switchport voice vlan 14
    Command rejected: Gi9/48 is Dot1x enabled port.

    Using IEEE 802.1x Authentication with Voice VLAN Ports
    A voice VLAN port is a special access port associated with two VLAN identifiers:
    • VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
    • PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
    In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
    A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
    When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
    What kind of switch do you have? On a 3550 I can configure the port for both VVID and PVID:
    interface FastEthernet0/1
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 2
    no ip address
    dot1x port-control auto
    spanning-tree portfast
    end
    Nevertheless, as the statement above indicates, the port will need to be configured for multi-host in order for the PC behind the phone to get authenticated:
    under the interface configure "dot1x host-mode multi-host"
    Never mind, I just realized that you might have a 5600 running native; checking the configuration guide and release notes, it does not look like dot1x and vvlan can play together on that platform.

  • I have a problem with the sound and voice communication programs amplifier

    I have a problem with the sound and voice communication programs amplifier

    Define "voice of the device."
    Are you referring to the ear speaker or main speaker? Phone calls? Rings/alerts? Music?
    What troubleshooting steps did you take?

  • SG300 with 802.1x and wake on lan

    Hi,
    is there a way to support wake on lan on SG300 with 802.1x ports and dynamic vlan?
    thanks,
    maart2012

    Hi,
    Depends on the authentication. If you have MAC or login authentication there is no traffic allowed in either direction before successful authentication. However you may use the Guest VLAN concept for WOL packets. With web portal authentication some traffic is allowed, but as far as I know it is only ARP and BOOTP, so again maybe the Guest VLAN concept would be the solution.
    Regards,
    Aleksandra

  • Cisco Secure ACS with UCP assistance and enable password

    I am running Cisco Secure ACS version 4.2 on a standalone Windows 2003 Enterprise server with the latest Windows service pack and updates. Secure ACS is running fine and I can authenticate with Cisco routers and switches. The Windows 2003 server is also running Microsoft IIS Server. In other words, the IIS server and Cisco Secure ACS are running on the same Windows 2003 server.
    I am trying to get Cisco User-Changeable Password to work with Cisco Secure ACS. I followed the release notes line by line and the workaround provided below:
    Also, the server requires more privileges for the internal Windows user that runs CSusercgi.exe.
    The name of the windows user that runs UCP is IUSR_<machine_name>.
    Workaround steps:
    1) Install UCP 4 on a machine that runs IIS server.
    2) Open IIS manager
    3) Locate Default Web Site
    4) Double click on the virtual name 'securecgi-bin'
    5) Right click on CSusercgi.exe and choose Properties
    6) Choose 'File Security' tab
    7) Choose 'Edit' in 'Authentication and access control' area
    8) Change username from IUSR_<machine_name> to 'Administrator' and enter his
    password (make sure that 'Integrated Windows authentication' is checked)
    I still can NOT get this to work. I got this error:
    It says:
    The page cannot be found
    The page you are looking for might have been removed,
    had its name changed, or is temporarily unavailable.
    HTTP Error 404 - File or directory not found.
    Internet Information Services (IIS)
    I modified everything in Windows 2003 to be "ALLOWED" by EVERYONE. In other words, there is NO security on the Windows 2003 server.
    It is still NOT working.
    The other question I have is: can Cisco UCP allow a user to change his/her enable password?
    Can someone help? Thanks.

    Yes bastien,
    Thank you.
    But one more thing I want to know: on its redundant AAA server, when I try to open IIS 6.0 on Windows 2003, it prompts for a username and password.
    I've given it several times, also going through the Administrator account with administrative credentials, but it always failed.
    Any suggestions/solutions?
    This time many thanks in advance.
    Regards
    Mehdi Raza

  • Severe Security Issue with Sharing Permissions and Windows

    I recently discovered a severe security issue with the Windows sharing and permission settings:
    I have two users, an admin user and a parental controlled user. On my Mac mini, I have an external hard drive connected. On the hard drive, I have three folders: iTunes, iPhoto (Package) and a Temp folder. I want to share the hard drive RW for the admin, but only R for the parental user. But the Temp folder should be accessible RW for the parental user as well.
    1. I set the Drive checkbox "ignore ownership" off.
    2. I set the permissions of the drive to admin RW, parental R and Everyone to "no access"
    3. I apply to enclosed Items
    4. I set the permission of the Temp folder to admin RW, parental RW and Everyone to "no access"
    5. I apply to enclosed Items
    6. I go to "File Sharing" in the Preferences and activate SMB sharing for both users
    7. I delete all previous shares
    8. I add the Disk and use the proposed permissions which are admin RW, parental R, Everyone "no access"
    9. I add the Temp folder and use the proposed permissions which are admin RW, parental RW, Everyone "no access" - Funny, there is a new Group called "Temp" created which has custom access on both sharepoints
    10. I connect to the Mac over a Windows machine (NTLM auth set appropriately). Now I try to create a folder on the root of the Disk share, and I get a denied message.
    BUT WHEN I GO INTO A SUBFOLDER (eg. ITUNES or IPHOTO), WHICH HAS ALSO JUST "R" PERMISSION FOR THE PARENTAL USER, I AM ABLE TO RW, DELETE AND DO EVERYTHING!!!
    TO RECAPITULATE: THE SHARING PERMISSIONS ARE "R", AND THE FILE PERMISSIONS IN THE RESPECTIVE FOLDERS FOR THE RESPECTIVE USER ARE ALSO JUST "R". BUT THE USER CAN DO EVERYTHING IN THE SUBFOLDERS!!!

  • Secure Proxy with user name and password.

    I'm trying to develop a tool that can go out to the internet through a secure proxy with username and password, and download a file from a secured site (https). Anyone have any experience with this? I've looked at a few things but nothing has really been helpful.

    Do you have an http proxy that requires authentication? If so, what type of authentication? Basic? Digest? NTLM if your proxy is on IIS?

  • AirPort Express Base Station with 802.11n and AirTunes

    http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID?mco=951 C2DAD&fnode=home/shopmac/mac_accessories/airportwireless&nplm=MB321LL/A
    Before I buy it I want to understand exactly what this does. If, say, I go to my friend's house who has no wireless network, with just this and my MacBook, and plug this in, will it give me internet access?

    nobody???

  • DHCP and voice vlan on Cisco 3560 switch

    Greetings,
    I'm setting up a Cisco 3560 switch for voice and data comms. I'm looking for documentation with best practice guidelines for the following requirements.
    1. Using the Cisco 3560 as a DHCP server - Config examples.  Do I need to use different subnets for the voice and data vlans?
    2. Layer 2 CoS QoS - I'm connecting Aastra phones as well as notebooks - I've been told that Aastra also makes use of the voice vlan config through LLDP and that Aastra phones support CDP.
    Your assistance will be appreciated.

    Hi,
    Cisco recommends that you have a separate VLAN for voice and data with different IP subnets for voice and data. You will need to configure the DHCP pool accordingly.
    Here is the config guide for setting up IOS DHCP server:
    http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html
    Here is the LAN qos recommendations:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/netstruc.html#wp1044009

  • Security report with native roles and the roles they have access to.

    We need a security report that shows the Native/Custom Roles and the roles that they have access to.
    So, an example would be the role US_Acct, and the report would show what roles that has access to (Post Journals, Consolidate, etc).Can this be done?

    Export the Provision report from Shared Services.
    Upload report to Excel or Access.
    Build Tables to show what tasks each Role has access to.
    Build a report that links the provision report and the xref tables.
    You should also do this with Security Classes.

  • Security issue with NetStream.appendBytes() and BitmapData.draw()

    I use appendBytes to continuously and seamlessly stream video data into a NetStream. Since we're NOT playing the video files directly from a web domain, there is no meaning to the checkPolicyFile property of our NetStream object and therefore we cannot BitmapData.draw() our Video instance with the NetStream attached.
    Is there any possibility to get images from the netStream in order to manipulate them on-the-fly?

    I ran into the same problem.  Have you managed to find a solution to get around the security violation?

  • Security issue with the SGA and multiple installation group.

    Hi,
    The documentation IS WRONG:
    http://download.oracle.com/docs/cd/E11882_01/rac.112/e10743/preparing.htm#TDPRC131
    # useradd -u 1100 –g oinstall -G dba -d /home/oracle -r oracle
    http://download.oracle.com/docs/cd/E11882_01/install.112/e10816/typinstl.htm#CWSOL156
    # useradd -u 1100 -g oinstall -G dba oracle
    The "-g" and "-G" must be exchanged!
    In an advanced installation with multiple Oracle users, call them (ora1, ..., orai, ..., oran), and multiple OSDBA groups defined, call them (dba1, ..., dbai, ..., dban), associate each Oracle user with the dba group of the same number and with the install group as Oracle told it.
    User ora1 group dba1
    User orai group dbai
    User oran group dban
    Now make the software installations with the group OSinstall (install) as written in the documentation, in 3 Oracle homes.
    Call them oracle_home1, oracle_home2, oracle_home3.
    Now check semaphores, shared memory and files!
    ipcs -msa
    IPC status from <running system> as of Thu Apr 29 12:14:06 CEST 2010
    T ID KEY MODE OWNER GROUP CREATOR CGROUP NATTCH SEGSZ CPID LPID ATIME DTIME CTIME
    Shared Memory:
    m 16777246 0x6525858 rw-rw-- oracle2 install oracle2 install 36 5368725504 3479 4298 12:10:01 12:10:31 16:30:45
    T ID KEY MODE OWNER GROUP CREATOR CGROUP NSEMS OTIME CTIME
    Semaphores:
    s 50331701 0xb7892c1a ra-ra-- oracle2 install oracle2 install 202 16:30:47 16:30:45
    s 50331700 0xb7892c19 ra-ra-- oracle2 install oracle2 install 202 no-entry 16:30:45
    s 50331699 0xb7892c18 ra-ra-- oracle2 install oracle2 install 202 12:13:48 16:30:45
    ls -l $OSD/oradata/*/*/* | sed s/oracle/oracle2/
    -rw-r----- 1 oracle2 install 11600384 Apr 14 18:30 /app1/oracle/admin/ora11g/oradata/ORA11G/changetracking/o1_mf_5wcsdcfh_.chg
    -rw-r----- 1 oracle2 install 11600384 Apr 15 15:08 /app1/oracle/admin/ora11g/oradata/ORA11G/changetracking/o1_mf_5wf7787k_.chg
    -rw-r----- 1 oracle2 install 11600384 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/changetracking/o1_mf_5wg8jggf_.chg
    -rw-r----- 1 oracle2 install 16695296 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/controlfile/o1_mf_5wg4j9go_.ctl
    -rw-r----- 1 oracle2 install 524296192 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_aud__dol_5wg4mntr_.dbf
    -rw-r----- 1 oracle2 install 104865792 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_aud__dol_5wg4mp3v_.dbf
    -rw-r----- 1 oracle2 install 209723392 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_example_5wg4ml5z_.dbf
    -rw-r----- 1 oracle2 install 419438592 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_stat_dba_5wg4mmhg_.dbf
    -rw-r----- 1 oracle2 install 2097160192 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_sys_undo_5wg4kf8n_.dbf
    -rw-r----- 1 oracle2 install 2097160192 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_sys_undo_5wg4lss2_.dbf
    -rw-r----- 1 oracle2 install 1363156992 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_sysaux_5wg4k1xf_.dbf
    -rw-r----- 1 oracle2 install 1048584192 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_system_5wg4jp26_.dbf
    -rw-r----- 1 oracle2 install 209723392 Apr 28 22:01 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_temp0_5wg4l302_.tmp
    -rw-r----- 1 oracle2 install 209723392 Apr 15 16:06 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_temp1_5wg4lsod_.tmp
    -rw-r----- 1 oracle2 install 104865792 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_users_5wg4l33f_.dbf
    -rw-r----- 1 oracle2 install 104858112 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_1_5wg4jb44_.log
    -rw-r----- 1 oracle2 install 104858112 Apr 28 21:00 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_2_5wg4jdn6_.log
    -rw-r----- 1 oracle2 install 104858112 Apr 28 22:00 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_3_5wg4jgw8_.log
    -rw-r----- 1 oracle2 install 104858112 Apr 29 03:00 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_4_5wg4jk64_.log
    -rw-r----- 1 oracle2 install 104858112 Apr 29 13:01 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_5_5wg4jmcd_.log
    ls -l $OH/bin/oracle | sed s/oracle/oracle2/
    -rwsr-s--x 1 oracle2 install 256263032 Apr 14 13:54 /app1/oracle/product/11.2.0_64/db_1/bin/oracle*
    That is the evidence that the documentation shows you a wrong way to do it!
    François LANGE

    The right document syntax for this is:
    UNIX: Do I Need To Use The "oinstall" Group? (Doc ID 463052.1)
    François

  • Security flaw with E1200 router (and surely more)

    After tinkering around with my E1200, I have found that if someone were to crack an access point's pre-shared key, such as mine, they would also have the ability to crack the router's webpage as well. By downloading the Linksys Connect application and entering the SSID and PSK, you have complete control over the entire network.
    I am not sure if this is what is supposed to be intended, but I can see it going a lot of bad ways if someone were to brick a business's AP at the press of a button.

    I agree that it is possible. You can change the router administrator password manually on the router UI. When I did that before, it caused the Cisco Connect to fail, which I believe the reason is because the settings are no longer the same in the UI and in the Cisco Connect. I found out that you can go customize the router password on the router's interface. Then, go to Administration tab and customize the router password. Save it and the admin password should be overridden.

  • AirPort Express Base Station with 802.11n and AirTunes Questions

    My internet comes in to one room in my house. All that is in there is a cable modem and a Linksys wireless router. All computers in my house access the web wirelessly through this modem.
    In another room I have an iMac, that is my main computer and has my music on it.
    Across the room from that computer is my stereo. There is no ethernet connectivity near the stereo.
    I want to play my iTunes through my stereo and use my iPhone as a remote, but I am happy with my current router.
    My questions are:
    1. Can I buy one AE Base w/iTunes and use it as a link between my iMac and my stereo without using it for Internet access?
    2. Do I have to buy two AE Bases and use one to replace my current router?
    I live in a small town, no Apple store. I called Apple support yesterday but nobody I talked to seemed to be able to answer my questions.
    Any light that anyone can shed on this for me would be much appreciated.
    Scott

    You can use the Express near the receiver and connected to it, then, if the range is acceptable, have it join the Linksys network. You can set it up with no internet, just to stream music. It may give you some grief to set it up, but with patience and logic it's doable.

  • Security issue with a website and java

    I am having trouble getting Java to work on a website; the message tells me that I have a security issue, but I don't know how to fix it?

    The site may be sending Firefox for Android a page that is not correctly formed.
    We have a feature in Firefox 39 which will allow the request desktop site menu item to show the full desktop site.
