Prime Infrastructure vulnerable to ShellShock?

Hi,
does anyone know if Prime Infrastructure version 1.2 is also affected?
It is not in the list:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
KR

Hi Renata,
I'm looking for a patch for our version (and still looking) but found a list that appears to show that 1.2 is affected.
https://tools.cisco.com/bugsearch/bug/CSCur05228
Hope that helps.
Jim

Similar Messages

  • ISE 1.2.0.899 vulnerable to Shellshock?

    Hi, I just saw that version 1.2(0.747) is vulnerable. How about 1.2.0.899?
    https://tools.cisco.com/bugsearch/bug/CSCur00532
    KR

    I've asked the PSIRT Team and they confirmed that ISE is vulnerable.
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    (Prime Infrastructure is vulnerable as well but is not yet mentioned in the advisory.  It will be added in an upcoming revision.)

  • Consultations on Cisco Prime Infrastructure 2.2

    I recently installed Cisco Prime Infrastructure 2.2 and I have 2 questions regarding configuration:
    1. What configurations should run for vulnerability when some event occurs on a switch an alarm is lifted in the Cisco Prime Infrastructure 2.2?
    2. Is there any way to put a device into maintenance mode in the web interface of Cisco Prime Infrastructure 2.2, so that reports regarding equipment availability are not spoiled during the execution of maintenance?

    1. If you configure PI as an SNMP and syslog server for your devices and have enabled logging traps etc., PI's alarm browser will show the alarms. If you want them to be sent to you via email, you can do that under the Admin menu for setting up your Mail server and clicking the link to "Configure email notification for individual alarm categories." (see below - open in new tab to zoom). It's not completely customizable but what you see there is the current product capabilities in that regard.
    2. No, this is not currently an available feature in PI 2.2.

  • Cisco Prime Infrastructure vulnerability SSL RC4 Cipher Suites Supported

    Hi All,
    I have a question on how to disable RC4 Cipher Suites Supported on Cisco Prime Infrastructure Platform.
    My client has used Nessus to scan Prime and found the vulnerability below:
    SSL RC4 Cipher Suites Supported
    Cisco Prime Infrastructure is deployed on the latest 2.1.
    We have gained root access, modified ssl.conf and restarted the service, but that did not solve it.
    /opt/CSCOlumos/httpd/ssl/backup/ssl.conf
    /opt/CSCOlumos/httpd/ssl/ssl.conf
    C:\Program Files\Tenable\Nessus>nessuscmd -v -p 443 -i 21643 192.168.1.55
    Starting nessuscmd 5.2.7
    Scanning '192.168.1.55'...
    Host 192.168.1.55 is up
    Discovered open port https (443/tcp) on 192.168.1.55
    [i] Plugin 21643 reported a result on port https (443/tcp) of 192.168.1.55
    + Results found on 192.168.1.55 :
       - Port https (443/tcp) is open
         [i] Plugin ID 21643
          | Here is the list of SSL ciphers supported by the remote server :
          | Each group is reported per SSL Version.
          | SSL Version : TLSv1
          |   Medium Strength Ciphers (>= 56-bit and < 112-bit key)
          |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
          | C(56)          Mac=SHA1
          |       RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(1
          | 8)             Mac=MD5
          |       RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(1
          | 8)             Mac=SHA1
          |
          | SSL Version : SSLv3
          |   Medium Strength Ciphers (>= 56-bit and < 112-bit key)
          |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
          | C(56)          Mac=SHA1
          |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
          | C(56)          Mac=SHA1
          |   High Strength Ciphers (>= 112-bit key)
          |       EDH-RSA-DES-CBC3-SHA         Kx=DH          Au=RSA      Enc=3DES(
          | 68)            Mac=SHA1
          |       RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(1
          | 8)             Mac=MD5
          |       RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(1
          | 8)             Mac=SHA1
          | The fields above are :

    Hi ,
    "SSL RC4 Cipher Suites Supported" has been documented in bug CSCum03709. 
    CSCum03709    PI 2.0.0.0.294 with SSH vulnerabilities
    Presently, there is no workaround for this vulnerability, however, the fix will be implemented in
    Prime Infrastructure 2.2, which is planned to be released around the end of this year (tentative).
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ***
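
For triaging scanner output like the plugin 21643 listing quoted in the question above, the following is an added example (not part of the original posts and not Cisco or Tenable code). It reads a report in that shape and lists the RC4, single-DES and MD5-MAC suites per protocol version; the sample text is constructed, and the function names and the rule set are assumptions made for illustration.

```python
import re

# Constructed sample in the shape of the plugin 21643 output quoted above,
# including the console wrap that splits the Enc= field across two lines.
SAMPLE = """
 | SSL Version : TLSv1
 |   Medium Strength Ciphers (>= 56-bit and < 112-bit key)
 |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
 | C(56)          Mac=SHA1
 |       RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(1
 | 8)             Mac=MD5
 |
 | SSL Version : SSLv3
 |   Medium Strength Ciphers (>= 56-bit and < 112-bit key)
 |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
 | C(56)          Mac=SHA1
 |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
 | C(56)          Mac=SHA1
 |   High Strength Ciphers (>= 112-bit key)
 |       EDH-RSA-DES-CBC3-SHA         Kx=DH          Au=RSA      Enc=3DES(
 | 68)            Mac=SHA1
 |       RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(1
 | 8)             Mac=SHA1
"""

VERSION_RE = re.compile(r"SSL Version\s*:\s*(\S+)")
# A cipher row starts with the suite name followed by the Kx= column.
# Wrapped continuation rows ("8)   Mac=MD5") never match, so they are skipped.
CIPHER_RE = re.compile(r"^([A-Z0-9][A-Z0-9-]+)\s+Kx=")


def parse_ciphers(report):
    """Return sorted, de-duplicated (ssl_version, cipher_name) pairs."""
    version, seen = None, set()
    for raw in report.splitlines():
        line = raw.strip().lstrip("|").strip()
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m and version:
            seen.add((version, m.group(1)))
    return sorted(seen)


def weaknesses(cipher):
    """Classify by suite name only: the wrapped Enc= field is not reliable."""
    reasons = []
    if "RC4" in cipher:
        reasons.append("RC4")
    if "DES-CBC-" in cipher:  # single DES; DES-CBC3 (3DES) is not matched here
        reasons.append("single DES")
    if cipher.endswith("-MD5"):
        reasons.append("MD5 MAC")
    return reasons


def weak_findings(report):
    """Return (version, cipher, reasons) for every suite with a weakness."""
    return [(v, c, weaknesses(c)) for v, c in parse_ciphers(report) if weaknesses(c)]


if __name__ == "__main__":
    for version, cipher, reasons in weak_findings(SAMPLE):
        print(f"{version:6} {cipher:22} {', '.join(reasons)}")
```

Running the same function on the output of a re-scan after a fix is applied should return no RC4 entries.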

  • Cisco Prime Infrastructure 1.2 is not working https & ncs

    Hi, I have just deployed Cisco Prime Infrastructure 1.2 in a virtual appliance (VMware ESXi 5.1). Console is OK and setup is also completed, but there is no NCS application. The only app showing is: NCSPNP
    Cannot access from https also.
    Please suggest how to Starting Prime Infrastructure Serve

    From what you describe, it sounds like you have installed the Plug and Play (PNP) ova image. You need to install the Prime Infrastructure image.
    See the screenshot below for details (click to enlarge):

  • Ask the Expert: One Management with Prime Infrastructure 1.2

    With Tejas Shah
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions from Cisco expert Tejas Shah on One Management with Prime Infrastructure 1.2. Combining the wireless functionality of Cisco Prime Network Control System (NCS) with the wired functionality of Cisco Prime LAN Management Solution (LMS), Cisco Prime Infrastructure simplifies and automates many of the day-to-day tasks associated with maintaining and managing the end-to-end network infrastructure from a single pane of glass. The new converged solution delivers all of the existing wireless capabilities for RF management, user access visibility, reporting, and troubleshooting along with wired lifecycle functions such as discovery, inventory, configuration and image management, automated deployment, compliance reporting, integrated best practices, and reporting.
    Tejas Shah is a senior technical marketing engineer for Cisco Prime Infrastructure and Collaboration products. He has deployed Cisco Prime Collaboration Manager at various customer sites to help customers monitor and troubleshoot their video infrastructure. In addition, he is part of the Network Operations Center team at Cisco Live events for six years. Shah joined Cisco in 1995 and was in the Technical Assistance Center team supporting various network management system products for more than six years.
    Remember to use the rating system to let Tejas know if you have received an adequate response. 
    Tejas might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless Mobility sub-community discussion forum shortly after the event. This event lasts through Sept 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Raun, please see my responses inline:
    Can you go over the licensing method with Prime Infrastructure 1.2 please? 
    Raun, you can check out the following link for ordering guide at
    http://www.cisco.com/en/US/products/ps12239/products_data_sheets_list.html
    I currently have NCS and do NOT currently have LMS.  I know I can move to Prime Infrastructure through Cisco Product Upgrade Tool.  However, what I am confused about is do I still have to buy LMS to have LMS functionality in Prime Infrastructure 1.2? 
    ==> Not at all.  The converged product will give you basic management capability for routers and switches that LMS provided in this release.   Feature/Functionality will keep on growing with upcoming releases.
    If not, do the licenses I transfer into Prime Infrastructure 1.2 from NCS also work for devices to work under LMS? 
    ==> Licensing is different than NCS or LMS.  You don't have to transfer the license.  Each install of Prime Infrastructure will have a unique UID string on which the licenses are based.  A new license will be applied to the product.
    Meaning, can my current 350 licenses be used for APs as in NCS and routers in the LMS portion of Prime Infrastructure 1.2?
    ==> I would recommend getting a total count of your wired and wireless devices and match the right SKU based on that.
    Hope this helps.. Let me know if you have any further questions,
    Tejas

  • What are the features supported in Cisco Prime Infrastructure for WLAN for autonomous AP's?

    What are the features supported in Cisco Prime Infrastructure for WLAN for autonomous AP’s?

    • PI provides visibility for autonomous clients within the same list view as lightweight and wired clients (client list page).
    • Rogue AP detection for autonomous AP's is not supported (it's supported in CUWN).
    • Alarms/events for client authentication issues (e.g. authentication failure) are displayed in PI.
    • Config management for autonomous AP's is via CLI template. Config comparison and archiving functionality in PI leverages these same features that were brought in from LMS, so need to defer to others in terms of whether this is a cross-platform feature in PI or is only supported on a subset of platforms. Config comparison/archive is supported in CUWN. PI supports both infrastructure (e.g. AP Tx Power and Channel, busiest AP, AP utilization, etc.) and client (e.g. client count, client sessions, etc.) reports, and there are extensive reports for CUWN

  • Prime Infrastructure 2.1.1 cannot add more than two interfaces in Dynamic Interface Controller Templates

    Cisco Prime Infrastructure is a damned nightmare of browser bugs (some features work in IE8, some in IE9, and some only in Firefox).  And I am not sure if what I am experiencing is a browser bug - or a real bug - or something that I was able to do before and can't any more?  I would love for someone to either explain why this is happening to me, or reproduce the bug!
    I'm running Prime 2.1.1.  I am doing this ...
    Configure > Controller Template Launchpad
    System > Dynamic Interface
    Select a command > Add interface (GO)
    Enter all the properties - roll to the bottom of the page, and click Apply to Controllers
    I have four controllers.  And normally I would add an interface for each controller.  But I can only create two out of the four.  It doesn't matter which two I choose.  When I click Add under Manage Interfaces for the third controller, I cannot click the Done button to apply it (see screenshot, attached).  I have found that if I change the VLAN to something else, it will let me save it.  But ... why?  I went back and reviewed all of my existing interface templates and I am not doing anything different.  Although, they were all created a long while ago using WCS 7.x.
    Any help, guidance, or confirmation of insanity would be appreciated.
    -Steve Ballantyne

    I doubt I will get any hits on this here but I always try.  I opened a TAC case.  I will come back and comment on whatever they find.

  • Upgrade Prime Infrastructure v1.2.1.012 to v1.3.0.20

    Hi,
    is there any patch for upgrade from v1.2.1.012 to v1.3.0.20?
    Or I can install upgrade directly?
    St.

    But there is:
    IMPORTANT: You MUST patch your existing system prior to using this upgrade installer. See appropriate patches under Prime Infrastructure Patches.
    And in the table:
    If your existing system is... | Download this point patch file
    Cisco Prime Network Control System 1.1.0 (1.1.0.58) | ncs_patch-1.1.0.58-upgrade-12.tar.gz
    Cisco Prime Network Control System 1.1.1 (1.1.1.24) | ncs_patch-1.1.1.24-upgrade-12.tar.gz
    Prime Infrastructure 1.2 (PI 1.2.0.103) | pi_1.2.1.12_update.tar.gz
    The last row doesn't match the current version (1.2.1.012).
    St.

  • Prime Infrastructure 1.2 Syslog

    Hi,
    We are currently working on a solution comprising Cisco Prime Infrastructure 1.2 and we can't understand if Prime Infrastructure can work as a syslog collector, since we can't get it to show us any syslog messages sent from the network devices in its Alarms & Events section. Is this normal behavior? Is it necessary to use a remote syslog collector on another machine?
    Best regards!

    You can edit the file in vi if you're handy with that text editor. I find it much easier to just create a new file like aijaz described above (copied below here) using your favorite local text editor (I use notepad++ in Windows) and name it syslog_sev_filter.xml.
    Once you have that, copy it onto the PI server using ftp. You can then drop into the shell rename the current file syslog_sev_filter.xml.old and then copy the new syslog_sev_filter.xml file from your ftp repository to the /opt/CSCOlumos/conf/ directory.
    Follow all that with popping back up out of the shell and do "ncs stop" followed with "ncs start" to restart the server and you should now be getting all severity syslog messages in your application.
    /opt/CSCOlumos/conf/syslog_sev_filter.xml file (Bold lines have been added here):

  • Prime Infrastructure 2.1 Client Statistic Report Issues

    Hello Community,
    I hope you can help with a couple of issues I am seeing on Prime Infrastructure 2.1, running an evaluation 60 day license.
    My PI 2.1 build is currently managing a WLC 5508 running 7.4.121.0, which has been added successfully. No configuration changes were applied to the WLCs, other than SNMP community. No AVC or medianet configuration is applied.
    When looking in the 'Operate>Client and Users' dashboard; I can see connected clients and if I select one of them, I can see further details like session, security and client statistics (showing traffic and 802.11 metrics). These are the table views that show current values, however, further down I see graphs but they do not contain any information for RSSI, SNR or traffic sent & received (packets or bytes).
    Question: Should I see this information under an evaluation license and if so, what could be stopping it?
    Also, when I run the reports 'Report>Report Launch Pad' and select 'Client>Client Traffic' or 'Client>Client Throughput' the resulting report contains 0 bps, when I select 'Report By' AP by Floor Area. I have created a single floor area and placed three access points into it.
    Out of interest if I do a report of the same type using 'Report By' All or AP by Controller, I do see traffic graphs for 3 out of 333 access points. Just not the access points that are in my floor area. Also the amount of traffic utilization is tiny (less than a kbps) for a WLC with 800 users.
    For a 'Client>Client Count' report using AP by Floor Area, I do see the client numbers connected to the WLC/APs in my configured floor area.
    Question: Should I see reports for client traffic and throughput under an evaluation license for floor areas and if so, what could be stopping it?
    I have checked the background task and the 'Client Statistics' task is enabled and run time is being updated.
    Kind regards,
    Ian

    Hi,
    here is an update:
    There is more than one report you need to start to get data for Device, FAN, Power Supply, Module - look at these reports:
    Report > Report Launch Pad > Device > Inventory
    Report > Report Launch Pad > Device > Wired Detailed Device Inventory
    Report > Report Launch Pad > Device > Wired Module Detail > Wired Module Detail Report Details
    SFPs and GBICs cannot be reported until now - they are working on it.
    br,
    chris

  • Error in Prime Infrastructure 2.0 after Controller upgrade

    Hello
    I've got two WiSM and Prime Infrastructure 2.0. Last week I upgraded one WiSM to 7.0.250.0, plus a third controller. That worked fine, but since then, my PI shows one of the two controllers of the second WiSM as "Unreachable". I rebooted the PI and also rebooted the controller again, to no avail.
    I tried now to update the snmp v2c credentials in PI, but receive an error.
    The error message shown when I try to update the credentials is:
    Error: Common-1: Some unexpected internal error has occurred. If the problem persists please report to the Tech Support.
    Error:Detail: errorId=6 Invalid credential name: snmp_transport.
    Any ideas?
    I can normally access the controller through its web interface and don't see any errors that would spring to the eye.
    [edit]
    Just manually ran the task "Controller Operational Status" and received this error:
    com.cisco.wnbu.server.common.errors.InternalException: COMMON-1
    Thanks
    Patrick

    I worked with TAC Team and the final solution was to delete all controllers and add them again. This might get fixed in a future version though.

  • Migrate from WCS 7.0 to Prime Infrastructure 1.2

    Hi All,
    I am looking for advice on the licensing and upgrade path for going from WCS 7.0 to PI 1.2.
    At present I have a WCS licensed for 200 APs which is managing one controller and 150 APs.
    I intend to use the Cisco Prime Upgrade Promotion
    to order R-W-PI12-M-K9 (WCS 7.0 to Cisco Prime Infrastructure 1.2 Migration)
    and L-W-PI12-100-M and L-W-PI12-100-M to match the number of licenses on the WCS.
    Once Prime is installed I also want to manage another 50 devices, does that mean I have to purchase the
    Cisco PI 1.2 Base License and Software (R-PI12-Base-K9) and another 50 Lifecycle licenses, or will
    my existing 200 licenses from the upgrade suffice.
    Sorry if it's confusing, but I didn't invent the licensing structure just trying to make sense of it all.
    TIA

    You'll be able to manage up to 200 devices/APs simply using the upgrade from WCS to PI 1.2 as you described it. No need to order another base license or 50 lifecycle licenses.

  • User Name and Password for Cisco Prime Infrastructure 2.1

    Hi all:
    I am stuck at the login page of Cisco Prime Infrastructure 2.1.
    I have tried using the user name root and its password (when log in with root at Vsphere Client) and also the login user name "before" get into the appliance infrastructure, all cannot work.
    Anybody knows what is the default username or password or any way to set the username and password for this Cisco Prime Infrastructure 2.1 website?
    Thanks!
    tangsuan

    Hi Tangsuan,
    Following is the documented procedure for password recovery..
    In order to modify the GUI root user password, you will need to login to the NCS CLI
    as an admin user, and enter the command
    "ncs password root password <new password>" (without the quotes)
    This should set the web interface root user password :
    http://www.cisco.com/en/US/docs/wireless/ncs/1.1/configuration/guide/manag.html#wp1268889
    If you have lost your CLI password, try the default login, that is,
    CLI user is admin and not root, so please try logging in as admin with
    the password that was set during setup. If that does not work , you need
    the install disk that came with the appliance to recover that password.
    Follow these steps:
    Recovering a Lost Admin Password
    If you lose or forget the admin password for NCS appliance, follow these steps.
    Step 1 Reboot the NCS appliance with the ISO DVD inserted. The Cisco Prime Network Control
    System Welcome screen appears:
    ISOLINUX 3.11 2005-09-02  Copyright (C) 1994-2005 H. Peter Anvin
                 Welcome to Cisco Prime Network Control System
    To boot from hard disk, press <Enter>.
    Available boot options:
       [1] Network Control System Installation (Keyboard/Monitor)
       [2] Network Control System Installation (Serial Console)
       [3] Recover administrator password. (Keyboard/Monitor)
       [4] Recover administrator password. (Serial Console)
    <Enter> Boot existing OS from Hard Disk.
    Enter boot option and press <return>.
    boot:
    Step 2 Select the desired recovery option, 3 or 4, depending on how you
    are connected to the appliance and then follow the prompts.
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ****

  • Prime Infrastructure and WLC 2504 N+1 config synchronization

    I've set up 2 Cisco 2504 WLCs in an N+1 configuration, before we purchased Prime Infrastructure.  Now I'm trying to synchronize the configurations between the two devices in PI.  I've set up a configuration group, and it seems using templates will keep the configuration synchronized between the two devices.  Is it possible for PI to automatically create the templates based on the current configuration of the device?  Plus, with PI 2.1 it seems like I have to create a template for every section of the configuration; shouldn't there be just one large template that has all the configurations?

    Yes, you should be able to discover templates from the WLC
    HTH,
    Steve
