Win7 firewall blocking radius requests

I have installed an open source RADIUS server on my Windows 7 machine and I want to know why Windows 7 is blocking RADIUS server requests inbound. A device on my LAN sends an authorization request on UDP port 1645 towards the RADIUS server. To confirm this, I put a packet sniffer just before the RADIUS server to check the requests are coming inbound, and I checked the port, so I'm certain it's coming in on 1645 (the actual request comes from a switch, and the source and destination ports were the same in the capture). I therefore created an inbound rule to allow this through the Windows firewall, but it doesn't appear to work. When the firewall is disabled, the authentication request is successful.
I can't actually attach a picture, so I will just explain the rule as best I can:
Accept inbound UDP port 1645 to any port. All profiles (domain, private, public), all programs, and all IP addresses.
I'd like to know if there is a way I can see a live feed of denied inbound packets so I can spot what is actually causing the problem.

Look for a blocking rule. Windows Firewall might have created a blocking rule or there might be a different blocking rule causing the problem.
Also turn on logging of dropped packets in the Windows Firewall so that you can see if it is the one dropping the traffic.
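
Once dropped-packet logging is on, the log can be filtered for the RADIUS traffic in question. The following is an added example, not part of the original thread: it parses the firewall log by its `#Fields:` header and returns inbound UDP drops on RADIUS ports. The sample log lines, addresses and function names are constructed for illustration, and the `path` column is assumed to be present as in the header shown.

```python
"""Find inbound RADIUS packets that Windows Firewall dropped (pfirewall.log)."""
from collections import Counter

# Constructed sample in the layout Windows Firewall writes once dropped-packet
# logging is on, e.g. after:
#   netsh advfirewall set allprofiles logging droppedconnections enable
# Default file: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
# Addresses, times and sizes below are made up for the example.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2015-03-02 10:14:01 DROP UDP 192.168.1.2 192.168.1.50 1645 1645 92 - - - - - - - RECEIVE
2015-03-02 10:14:02 ALLOW TCP 192.168.1.50 192.168.1.10 49210 445 0 - 0 0 0 - - - SEND
2015-03-02 10:14:04 DROP UDP 192.168.1.2 192.168.1.50 1645 1645 92 - - - - - - - RECEIVE
2015-03-02 10:14:09 DROP UDP 192.168.1.77 192.168.1.255 137 137 78 - - - - - - - RECEIVE
"""

# Legacy (1645/1646) and IANA-assigned (1812/1813) RADIUS ports.
RADIUS_PORTS = {1645, 1646, 1812, 1813}


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # ignore truncated records
                yield dict(zip(fields, values))


def dropped_radius(records, ports=RADIUS_PORTS):
    """Return inbound UDP records that were dropped on a RADIUS port."""
    hits = []
    for rec in records:
        if rec["action"] != "DROP" or rec["protocol"] != "UDP":
            continue
        if rec.get("path", "RECEIVE") != "RECEIVE":  # inbound only
            continue
        if rec["dst-port"].isdigit() and int(rec["dst-port"]) in ports:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count drops per (source IP, source port, destination port)."""
    return Counter(
        (r["src-ip"], int(r["src-port"]), int(r["dst-port"])) for r in hits
    )


if __name__ == "__main__":
    for key, count in summarize(dropped_radius(parse_firewall_log(SAMPLE_LOG))).items():
        print(key, count)
```

If the drops show up here while the allow rule exists, the log confirms that Windows Firewall, and not the RADIUS server, is discarding the request.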

Similar Messages

  • WRT330N firewall blocks AXIS 206W webcam traffic

    I upgraded my Linksys WRT54GS to the WRT330N and so far, so good. The WRT330N is really a significant improvement.
    However, I can't get my AXIS 206W webcam to work. The webcam is registered on the Axis website and creates its own IP address. So when I try to enter the webcam over the internet, I see in my router's logfile that it blocks the request for that particular IP address. Disabling my router's firewall solves the issue but that is obviously not desirable. I never had this problem with my previous Linksys router's firewall.
    Any thoughts?

    Sorry for the delay, here it is:
    Product and software version: AXIS 206W Network Camera version 4.40 External IP address: 68.193.237.187
    It seems that if I disable Filter Internet NAT Redirection the camera works. Is that a security concern?
    Message Edited by exm on 09-15-2007 03:10 PM

  • RV042 v3 - Block WAN Request - bad implemented!

    Hello,
    I would like to ask you if you have the same problem as me. I would like to allow PING on RV042 from WAN side only from specific IP address, but when I set the rule, RV042 does not respond on WAN side, because Block WAN Request is Enabled.
    BUT! When I disable "Block WAN Requests", now any IP can ping my router from WAN side. Although I set access rule to Deny Ping from WAN side to anyone, it still responds.
    Do you know a solution?

    Good morning
    Thanks for using our forum
    Hi Tomas Zavodny, my name is Johnnatan and I am part of the Small Business Support community.
    I'm not sure if, when you disable the option “Block Wan Request”, your device creates a rule in the firewall. Can you check this? If your device creates the rule, follow this procedure:
    In this priority order, create 2 rules in your firewall device.
    1. A rule that allows ping to your device from your specific source address(es).
    2. A rule that denies ping from any other source.
    3. With the lowest priority, the rule that your device creates.
    I hope you find this answer useful. If it was satisfactory for you, please mark the question as Answered.
    Please rate post you consider useful.
    Greetings,
    Johnnatan Rodriguez Miranda.
    Cisco network support engineer.
    Cisco has a very useful tool called GuideMe. It is made for small business products, and your device is in this category. You can use this address for accessing the tool: http://sbkb.cisco.com/CiscoSB/Loginr.aspx?alt1 = & pid = 4 & eroute = Super. It is very easy to use; just complete the 3 spaces this way:
    Select a category: (Select the device type on request), e.g. Routers
    Enter model: (Type the model on request), e.g. RV042
    Question: (Type what you want to know about the device), e.g. VPN
    And it'll be showing all the information you need about what you wrote.

  • Firewall blocks Airplay (even under 'allow all traffic')

    Hi every body,
    I am somewhat at the end of my knowledge. I have a Mac mini server running Lion 10.7.2 server. Interestingly, my server's firewall blocks
    a) all AirPlay traffic and
    b) 'reading Airport configuration' requests
    even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
    Any help would really be appreciated.
    Thanks a lot.
    Nonresidentalien
    P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success

    Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
    There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
    First, you want to show the current IPv6 firewall rules. In my case they looked like this (10.7.2):
    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65000          0          0 deny ipv6 from any to any
    65535          6        306 allow ipv6 from any to any
    As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
    reptilehouse:~ sascha$ sudo ip6fw delete 65000
    To confirm, show the rule table again and you should see 65000 is gone:
    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65535          6        306 allow ipv6 from any to any
    Mind you, the rule numbers could be different on your system and you could see more or fewer rules. But you get the idea.
    What I don't know is whether this is sticky, e.g. survives a reboot.

  • Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall with Radius & Tacacs+

    Hello,
    Can anybody tell me the step-by-step configuration of Cisco ACS 5.1, to configure it with Juniper Netscreen Firewall for RADIUS & TACACS+ authentication and authorization?
    I am able to configure this with Cisco ACS 4.2 with a customised VSA file but can't understand how to configure it on ACS 5.1.
    Thanks in Advance.

    Hi Eduardo,
    Can you tell me how to map ACS 4.2?
    service=junos-exec
    local-user-name=Engineering
    Into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed onto ACS 5.2? I don't have access to a sniffer or tap nor do I have writes on this box. I have to instruct our systems folks to investigate. It has been a back and forth battle.
    Also, I'd like to see where I'd map this on ACS 5.2.  Keep in mind in both cases I have a JUNOS config mapping to a login user Engineer and operations respectively.
    local-user-name=opertions
    allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
    deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *))

  • ISE v1.2 - Status-Server - 5405 RADIUS Request dropped

    Just a note:
    Some devices send regular RADIUS status messages;
    The ISE drops these as 
    Event: 5405 RADIUS Request dropped
    Failure Reason: 11031 RADIUS packet type is not a valid Request
    Root cause: RADIUS packet type is not a valid Request.
    Wireshark shows:-
    Code: Status-Server (12)
    Attribute Value Pairs:
    AVP: l=6  t=Service-Type(6): Shell-User(6)
    AVP: l=18  t=Message-Authenticator(80): df48bb4b50f0a772bd7c891ef6548c68
    AVP: l=6  t=NAS-IP-Address(4): 10.1.1.1
    I believe that ISE should accept and respond to these messages RFC5997  up2866.
    A RADIUS server or proxy implementing this specification SHOULD respond to a Status-Server packet with an Access-Accept (authentication port) or Accounting-Response (accounting port).  An Access-Challenge response is NOT RECOMMENDED.  An Access-Reject response MAY be used.

    Neno
    Nothing to do with that,
    The devices will use RADIUS to authenticate fine; database, credentials, etc. fine.
    However they send keepalives to validate the RADIUS server is still there.  ISE doesn't implement this and ISE logs get full of rejections.  The end devices are unable to prioritise which ISE to use based on up/down.  But still work.
    This was just a note to everyone so they are aware of the issue,
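
The handling that the quoted RFC 5997 text describes, as an added example (not part of the thread and not Cisco's code): validate a Status-Server packet's mandatory Message-Authenticator and answer it with an Access-Accept on the authentication port. The shared secret, identifier and Request Authenticator are constructed sample values; only the NAS-IP-Address 10.1.1.1 is borrowed from the capture above, and the function names are illustrative.

```python
"""Validate an RFC 5997 Status-Server packet and answer it on the auth port."""
import hashlib
import hmac
import socket
import struct

STATUS_SERVER, ACCESS_ACCEPT = 12, 2
NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 4, 80


def _message_authenticator(packet, value_offset, secret):
    """HMAC-MD5 over the packet with the 16-byte attribute value zeroed."""
    zeroed = packet[:value_offset] + bytes(16) + packet[value_offset + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_status_server(ident, request_auth, nas_ip, secret):
    """Client side, used here only to construct a sample keepalive."""
    attrs = bytes([NAS_IP_ADDRESS, 6]) + socket.inet_aton(nas_ip)
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attrs))
    packet = header + request_auth + attrs
    offset = len(packet) - 16  # Message-Authenticator value is the last 16 bytes
    return packet[:offset] + _message_authenticator(packet, offset, secret)


def verify_status_server(packet, secret):
    """Return (identifier, request authenticator) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    if code != STATUS_SERVER:
        raise ValueError("not a Status-Server packet")
    packet, pos, found = packet[:length], 20, None
    while pos < length:  # walk the attribute list
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        if packet[pos] == MESSAGE_AUTHENTICATOR:
            if found is not None or packet[pos + 1] != 18:
                raise ValueError("bad Message-Authenticator attribute")
            found = pos + 2
        pos += packet[pos + 1]
    if found is None:  # RFC 5997 makes the attribute mandatory
        raise ValueError("Message-Authenticator missing")
    expected = _message_authenticator(packet, found, secret)
    if not hmac.compare_digest(expected, packet[found:found + 16]):
        raise ValueError("Message-Authenticator mismatch")
    return ident, packet[4:20]


def build_access_accept(ident, request_auth, secret):
    """Attribute-less Access-Accept with the RFC 2865 Response Authenticator."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    digest = hashlib.md5(header + request_auth + secret).digest()
    return header + digest


# Constructed sample values, not taken from the post's capture.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE = build_status_server(7, REQUEST_AUTH, "10.1.1.1", SECRET)

if __name__ == "__main__":
    ident, req_auth = verify_status_server(SAMPLE, SECRET)
    print(build_access_accept(ident, req_auth, SECRET).hex())
```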

  • ISE 1.3 not receiving Radius requests from WLC 5508 ver 8.0.110.0

    Hello all. I just implemented ISE 1.3 at a customer site. Added a WLC running 8.0.110.0 using its mgmt address with a RADIUS preshared key. On the WLC, I created two SSIDs, corp and guest.
    For corp I configured WPA2 and AES and forwarded RADIUS requests to my 2 ISE node PSN interfaces.
    For the guest I configured MAC filter with advanced features AAA override and Radius NAC - per Cisco's documents.
    The corp forwards Radius requests to ISE, the guest does not. I get nothing from the guest.
    I configured the WLC step by step from the Cisco document. I have completed over 10 ISE implementations in the last year using ISE 1.2 and WLC 7.x and have never run into this issue before.
    Any help will be much appreciated.

    This issue has been resolved. The issue was that for the guest SSID MAC filtering was enabled as required, but they had the test PCs on a mac filter bypass list for that SSID in the WLC. This was automatically authenticating the PC, and therefore not forwarding the RADIUS to ISE.
    Once we removed the PC from the MAC filter list in the WLC, the authentications were forwarded to ISE as desired.

  • WRT1900AC: Can it block DNS requests?

    Hello,
    Can the WRT1900AC block DNS request from devices in a home network to public DNS service like GoogleDNS? Can anyone tell me what steps are necessary to accomplish this?
    I tried to follow instructions found on the web but I could not add static routes under Advanced Routing, I got errors either about the network submask or the Gateway (mine is 192.168.1.1 and is not accepted). I don't know what to enter in these fields and also what Interface to select (LAN/Wireless or Internet).
    My firmware version is 1.1.8.164461.
    I would appreciate any help.
    Thank you,
    Luiz

    Hi,
    Thanks for replying. I haven't contacted support yet to confirm your suspicion. My cable modem is a Motorola SB6141. I have done some basic research that indicates that it is not capable of NAT.
    However, I was able to configure a static route in my router, using the cable modem IP as gateway. After this my ping requests to Google DNS (8.8.8.8 and 8.8.4.4) started to fail. This is probably still not what I need. I don't understand why I can't save my router's IP as gateway as indicated here: http://help.unotelly.com/support/solutions/articles/193662-setup-static-routes-on-linksys-and-cisco-... This link alerts to a bug in Linksys routers but the error message I get is not "invalid static route" as indicated.
    Thanks,
    Luiz

  • 10.6 Server's Firewall Blocks Its Own Internet Connection

    I had this problem about two years ago when I was trying to run 10.6 on my home server (Mac mini) for the first time. Eventually I gave up, reverted the mini back to 10.5, and ran problem-free for years. When 10.7 came out, I tried to upgrade the mini to that. That didn't go well either, but mostly due to Lion missing many many features (surprise!). So I figured that 10.6's problems were fixed by now, and gave it another shot. It went fine and I've been running for about a month problem free (or so I thought). But now it's offline again. I finally found one other person on another forum that had the EXACT same problem as me. And reading this description, I realize that I have been having problems all along, I just assumed they were my ISP's problems, not my own.
    So here's what happens. The firewall in 10.6 server will "freak out". It will be running normally, then suddenly it will go haywire and block everything. And I mean everything. My computer won't even be able to get an IP via DHCP. Everything is blocked. But as soon as you stop the firewall, everything works normally. You can even modify the firewall rules, and set it up so there are NO deny rules, and EVERY connection to and from every host is set to allow. And the firewall still blocks everything. This is the same exact thing that happened 2 years ago when I first tried to run 10.6 Server on my mini. The difference is that back then, this would happen either immediately, or within a day. This time around, with 10.6.8, it took about a month before suddenly, without any provocation, all internet connections stopped.
    I've had this happen on multiple computers. I don't do anything special, I just set up a basic firewall scheme where everything in the LAN range is allowed, and everything from "any" is allowed only to service ports I'm running. The basic gateway setup. Now I was running 10.6 Server on my laptop (for netbooting) and it would do the same thing. But because my laptop wasn't acting as a gateway, I could just turn the firewall off (you need the firewall for NAT). My mini server IS acting as a gateway, as was another mini I set up for a client of mine (that eventually I changed over so they were running off an airport, and the mini server was just a client. But I don't want that setup at home, I want my mini to be the router).
    I have Verizon Fios internet. 25/25, it's great. The ONT is in my basement, and it's plugged into the same fused outlet as our freezer. From time to time, when the power goes out, it trips that breaker and the outlet goes dead. My internet is gone and I have to go reset the outlet. Once I do, my mini won't get an IP from Verizon until I reboot the mini. Not once. Not twice. Usually 5-10 reboots, and suddenly it will get an IP. I always assumed this was a Verizon problem. Until I read someone else's post about this same problem. Turns out, that's the firewall blocking DHCP again! If you turn the firewall off, you don't have to keep rebooting, it will grab an IP right away.
    At least I'm not crazy! So what is going on here? Does anyone have any idea what is going on with my firewall, or how I can fix it?
    Lastly, after 4.5 hours of complete inability to get an internet connection with the firewall on, it just started working again. I now have fully functional, normal internet. I find it hard to believe 10.6 has a firewall that is simply broken. I find it even harder to believe I'm imagining things, or that I've had fluke after fluke. Something is going on with 10.6 Server.

    The DNS scapegoat just doesn't make sense.
    Why would "improper" DNS cause OS X's firewall to block all network connections? Even the server's ability to make its own DHCP connection?
    As far as a router, I don't want to use a cheap unreliable residential router. I have a home file server that, aside from running 10.6, makes a super reliable router. And port mapping aside, OS X Server's DHCP server is great to use. Rock solid. It makes no sense to run a cheap residential router when I have a home server. Then every 6-18 months, I get to deal with that router slowly failing, as my internet connection gets slower and slower. No thanks.
    So back to this firewall issue. I've talked to Apple about this before, and they give the same generic "DNS has to be right" answer to basically every problem I've ever had with 10.6 Server (hinting at endless CalDAV problems). But no one has ever explained what that specifically means, or how something like wrong DNS (whatever that even means) can cause the firewall to block everything. This just makes no sense to me. And this especially does not explain why, after 10 reboots or so, everything just magically starts running normally.
    I just had an incident today where I woke up to no internet. I rebooted 3 times. Each time, I either got a self-assigned IP address, or the ethernet interface would toggle between "unplugged" and "no-ip". I could turn the firewall off and the server would INSTANTLY start functioning normally. I'd happily run without a firewall, and just turn all services I'm not using off. However NAT needs the firewall, so without the firewall, the Server is the only Mac on the network that has an internet connection. So I kept rebooting and rebooting, and I think about 8 reboots later, like magic, the server came up, grabbed an IP, and everything started working normally.
    Also my IP through my ISP is dynamic, and that isn't going to change. So yes, I am trying to use OS X Server as my router on a dynamic internet connection. I've been doing this since the days of Mac OS X Server 10.1. Only 10.6 has had any problems at all.
    So really, "10.6 is more picky about DNS" isn't an answer to this problem. Or, at least, it's not a sufficient answer. I need much more information than that.

  • Problem in ACS5.1 : "EAP session timed out", "RADIUS Request dropped "

    Hi.
    Part of my access points do not want to authenticate wi-fi users (through Radius server and Microsoft AD).
    The scheme is: wi-fi PC - access point - ACS server 5.1 (Radius) - Microsoft AD
    After I configured some APs, we can see the following logs:
    EAP session timed out (many)
    RADIUS Request dropped (many)
    Could not establish connection with ACS Active Directory agent
    User's Groups retrieval from Active Directory failed
    The user is not found in the internal users identity store.
    Another part of devices (AP) works well.
    Anyone can help me to solve this problem please?

    Hi Nicolas.
    In logs usually we see some steps of beginning relations between devices. But here we see only one log line:
    What can it mean?
    The other messages seem to indicate that there is a problem with your AD. Did you test the bind ? Can you retrieve the AD groups list from ACS ?
    Yes, we tested relations between AD and ACS, AD groups list retrieve fine from AD. In addition half of devices in network works fine: wi-fi devices authenticates excellent .
    Do you use AD with the ACS for another part of your network that would be working fine ?
    Yes, there is single AD and ACS.

  • ISE PSN rejecting RADIUS request

    Hi,
    We have a distributed ISE infrastructure version 1.3.
    We began noticing the following problem.
    Randomly the PSNs started dropping RADIUS requests.
    Basically they didn't service any client.
    It looked like this bug:
    ISE PSN rejecting RADIUS request; deadlocks found @ catalina.out
    CSCur43427
    Symptom:
    ++ CU runs distributed deployment; 2PSN +MnT +PMN;
    ++ PSN "node status were up during the issue;
    ++ PSNs were rejecting RADIUS request; ICMP reachability to PSN were OK;
    ++ both wired and wireless are affected
    ++ removing accounting from both foreign/anchor did not fix the issue;
    Conditions:
    ++ ISE 1.2.0.p10
    ++ happens every 2-3 weeks;
    Workaround:
    ++ restart ISE services;
    So we installed patch 2.
    But now we got the same problem and there is no newer patch.
    Did anyone encounter this also?
    thanks,
    laszlo

    We've also encountered this with 1.3 and logged a TAC case but unfortunately they weren't able to determine the cause due to not enough detail. They suggested changing the log level for runtime-AAA and prrt-JNI to debug temporarily and when it happens again, before restarting the PSN, download the logs from it to supply to TAC.
     

  • ACS 5.2 Error message: 5405 RADIUS Request dropped

    The error message "5405 RADIUS Request dropped", what does it mean?
    We have implemented 802.1X on a C4506 switch running IOS 12.2(53), it has worked fine for about 3 months but now I get users not able to authenticate. In the logs on the ACS I get the above message.
    ACS 5.2 is running 5.2.0.26 Build 3075.
    Has anyone had the same problem?

    It's fixed in 5.3...
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html
    ...or stop/start ACS as a workaround until it happens again.
    Kind regards,
    Ron

  • WDS including infrastructure AP IP address in RADIUS request

    Hi Cisco community,
    Is there any way that an access point configured as a WDS can pass information about the infrastructure access point to the RADIUS server where it is authenticating? So I basically need the IP address of the AP where the client is authenticating. Is there a RADIUS attribute to enable? I know that WLCCP debug messages include the IP of the AP authenticating to the WDS, but how can I forward that IP to the RADIUS request? Or is there a way to have a WDS authenticate as the infrastructure AP?
    Thanks,
    Manny

    Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.
    What hardware is this concerning? Within Small Business, there are none that I am aware of that can do this. This sounds like it would be better served in one of the Enterprise threads. I can assist you getting there once I know which hardware you have.
    Thanks
    Eric Moyers
    Cisco Network Support Engineer
    SBSC Wireless and Surveillance SME
    CCNA, CCNA-Wireless
    1-866-606-1866

  • Firewall blocks web sharing

    2 computers, laptop with Snow Leopard, large web site in ~/Sites/htdocs, with .shtml files and an SSI file to add text common to all .shtml files. I'd like to see this on the desktop computer as it appears to others, but Firewall blocks web sharing on laptop. How do I fix Firewall?

    System Preferences>Sharing. Is File Sharing selected?

  • SQL access to interface port descriptions or via radius request?

    Does anyone know how to include port descriptions within a RADIUS request, or of a database that I can pull the information from using a SQL statement? We have Cisco CER, Cisco works, Cisco prime or am looking to populate my own database. Thanks

    Q: Do I simply install calls to the entry points in the RS-232 Library using COM6 as the port ID?
    A: Yes
    Q: I guess I also want to know if the RS232 Library functions all interface to the hardware through the Windows API?
    A: Yes
    Keep in mind that the objective of any Virtual COM Port Driver is to mimic a native com port. If you ever run into the situation where the native com port works, but your converter's com port doesn't, you should contact the manufacturer. This of course refers to calls to the Windows serial API, direct writes to memory are not included in this statement.
