Everything posted by shadowmac
-
Cisco Nexus Configuration for Monitoring
Here is my SNMP configuration which works except I can not pull the Configs using Solarwinds. I may be to change to SNMP v3 which you said works. snmp-server contact MyWiseGuys Helpdesk or MyWiseGuys NOC snmp-server location 9999 Hosang Blvd,, Grand Blanc, MI, 48439, Cabinet DL07 snmp-server source-interface trap mgmt0 snmp-server user admin network-admin auth md5 0xb477afdb0a14be4b8f3adcda26cea26d priv 0xb477afdb0a14be4b8f3adcda26cea26 d localizedkey snmp-server host 199.68.86.164 traps version 1 Winter!01 snmp-server host 199.68.86.164 use-vrf management snmp-server enable traps callhome event-notify snmp-server enable traps callhome smtp-send-fail snmp-server enable traps cfs state-change-notif snmp-server enable traps cfs merge-failure snmp-server enable traps aaa server-state-change snmp-server enable traps upgrade UpgradeOpNotifyOnCompletion snmp-server enable traps upgrade UpgradeJobStatusNotify snmp-server enable traps feature-control FeatureOpStatusChange snmp-server enable traps sysmgr cseFailSwCoreNotifyExtended snmp-server enable traps config ccmCLIRunningConfigChanged snmp-server enable traps snmp authentication snmp-server enable traps link cisco-xcvr-mon-status-chg snmp-server enable traps vtp notifs snmp-server enable traps vtp vlancreate snmp-server enable traps vtp vlandelete snmp-server enable traps poe portonoff snmp-server enable traps poe pwrusageon snmp-server enable traps poe pwrusageoff snmp-server enable traps poe police snmp-server enable traps bridge newroot snmp-server enable traps bridge topologychange snmp-server enable traps stpx inconsistency snmp-server enable traps stpx root-inconsistency snmp-server enable traps stpx loop-inconsistency snmp-server community Winter!01 group network-operator snmp-server community Freeze#01 group network-admin snmp-server community Winter!01 use-acl SNMP_Access snmp-server community Freeze#01 use-acl SNMP_Access
-
Cisco Nexus Configuration for Monitoring
Here is my SNMP configuration which works except I can not pull the Configs using Solarwinds. I may be to change to SNMP v3 which you said works. snmp-server contact MyWiseGuys Helpdesk or MyWiseGuys NOC snmp-server location 9999 Hosang Blvd,, Grand Blanc, MI, 48439, Cabinet DL07 snmp-server source-interface trap mgmt0 snmp-server user admin network-admin auth md5 0xb477afdb0a14be4b8f3adcda26cea26d priv 0xb477afdb0a14be4b8f3adcda26cea26 d localizedkey snmp-server host 199.68.86.164 traps version 1 Winter!01 snmp-server host 199.68.86.164 use-vrf management snmp-server enable traps callhome event-notify snmp-server enable traps callhome smtp-send-fail snmp-server enable traps cfs state-change-notif snmp-server enable traps cfs merge-failure snmp-server enable traps aaa server-state-change snmp-server enable traps upgrade UpgradeOpNotifyOnCompletion snmp-server enable traps upgrade UpgradeJobStatusNotify snmp-server enable traps feature-control FeatureOpStatusChange snmp-server enable traps sysmgr cseFailSwCoreNotifyExtended snmp-server enable traps config ccmCLIRunningConfigChanged snmp-server enable traps snmp authentication snmp-server enable traps link cisco-xcvr-mon-status-chg snmp-server enable traps vtp notifs snmp-server enable traps vtp vlancreate snmp-server enable traps vtp vlandelete snmp-server enable traps poe portonoff snmp-server enable traps poe pwrusageon snmp-server enable traps poe pwrusageoff snmp-server enable traps poe police snmp-server enable traps bridge newroot snmp-server enable traps bridge topologychange snmp-server enable traps stpx inconsistency snmp-server enable traps stpx root-inconsistency snmp-server enable traps stpx loop-inconsistency snmp-server community Winter!01 group network-operator snmp-server community Freeze#01 group network-admin snmp-server community Winter!01 use-acl SNMP_Access snmp-server community Freeze#01 use-acl SNMP_Access
-
Ping Sweep using free NMAP
In that case this might be more what you are looking for netadm1n@usrn2netweb02:~$ sudo nmap -v -sn 10.6.56.130-146 | grep down Nmap scan report for 10.6.56.130 Nmap scan report for 10.6.56.131 Nmap scan report for 10.6.56.132 Nmap scan report for 10.6.56.133 Nmap scan report for 10.6.56.134 Nmap scan report for 10.6.56.136 Nmap scan report for 10.6.56.137 Nmap scan report for 10.6.56.139 Nmap scan report for 10.6.56.141 Nmap scan report for 10.6.56.142 Nmap scan report for 10.6.56.144 Nmap scan report for 10.6.56.145 Nmap scan report for 10.6.56.146 netadm1n@usrn2netweb02:~$ sudo nmap -v -sn 10.6.56.130-146 | grep up Host is up (0.00017s latency). Host is up (0.00020s latency). Host is up (0.00023s latency). Host is up (0.00019s latency). Nmap done: 17 IP addresses (4 hosts up) scanned in 0.34 seconds
-
Ping Sweep using free NMAP
In that case this might be more what you are looking for netadm1n@usrn2netweb02:~$ sudo nmap -v -sn 10.6.56.130-146 | grep down Nmap scan report for 10.6.56.130 Nmap scan report for 10.6.56.131 Nmap scan report for 10.6.56.132 Nmap scan report for 10.6.56.133 Nmap scan report for 10.6.56.134 Nmap scan report for 10.6.56.136 Nmap scan report for 10.6.56.137 Nmap scan report for 10.6.56.139 Nmap scan report for 10.6.56.141 Nmap scan report for 10.6.56.142 Nmap scan report for 10.6.56.144 Nmap scan report for 10.6.56.145 Nmap scan report for 10.6.56.146 netadm1n@usrn2netweb02:~$ sudo nmap -v -sn 10.6.56.130-146 | grep up Host is up (0.00017s latency). Host is up (0.00020s latency). Host is up (0.00023s latency). Host is up (0.00019s latency). Nmap done: 17 IP addresses (4 hosts up) scanned in 0.34 seconds
-
Configure Cisco Hardware for RADIUS
Our goal is to figure out how to utilize the Cisco ACS 5.3 as our RADIUS server to point our devices to which will use Active Directory Group membership to assign a role (ACS-ReadOnly, ACS-ReadWrite) Devices we will need to configure to point to the Cisco ACS/RADIUS/AD include : • Switch running IOS • Switch running NX-OS • Wireless Lan Controller (WLC) • Wireless Access Point (WAP) • Cisco CPT If I could configure one of each to use RADIUS in the Cisco ACS 5.3 box with Active Directory then I would be set. I just need that example and I am unable to find anything online to help me solve this. Now Cisco ACS 5.3 – TACACS – Active Directory works great for the Cisco hardware running IOS. That has been tested and verified but I heard that issues with running TACACS on NX-OS and CPT. Any help is most appreciated. My GNS lab on my Mac is limited and I can’t seem to virtualize nothing besides just IOS.
-
Configure Cisco Hardware for RADIUS
Our goal is to figure out how to utilize the Cisco ACS 5.3 as our RADIUS server to point our devices to which will use Active Directory Group membership to assign a role (ACS-ReadOnly, ACS-ReadWrite) Devices we will need to configure to point to the Cisco ACS/RADIUS/AD include : • Switch running IOS • Switch running NX-OS • Wireless Lan Controller (WLC) • Wireless Access Point (WAP) • Cisco CPT If I could configure one of each to use RADIUS in the Cisco ACS 5.3 box with Active Directory then I would be set. I just need that example and I am unable to find anything online to help me solve this. Now Cisco ACS 5.3 – TACACS – Active Directory works great for the Cisco hardware running IOS. That has been tested and verified but I heard that issues with running TACACS on NX-OS and CPT. Any help is most appreciated. My GNS lab on my Mac is limited and I can’t seem to virtualize nothing besides just IOS.
-
Configure Cisco Hardware for TACACS
Here is how you configure TACACS+ for Cisco IOS device !!!!TACACS_IOS ! !--- Enable TACACS+ on the device. aaa new-model aaa group server tacacs+ tacacs_acs aaa authentication login linecon group tacacs+ local aaa authentication login linevty group tacacs+ local aaa authorization exec default local aaa authorization exec execauthnone none aaa authorization exec execauth group tacacs+ aaa authorization commands 15 commandauthnone none aaa authorization commands 15 commandauth group tacacs+ aaa accounting exec default start-stop group tacacs+ aaa accounting send stop-record authentication failure aaa accounting update newinfo aaa accounting commands 0 default start-stop group tacacs+ aaa accounting commands 1 default start-stop group tacacs+ aaa accounting commands 7 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting network default start-stop group tacacs+ aaa accounting network 15 start-stop group tacacs+ aaa accounting connection default start-stop group tacacs+ aaa accounting connection 15 start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ aaa session-id common ! !--- Mention the IP address of the tacacs-servers tacacs-server host 10.43.208.11 tacacs-server host 10.47.208.11 tacacs-server directed-request tacacs-server key DPSWy1qpokXT Here is how you configure TACACS+ for Cisco Nexus (NX-OS) device !!!!TACACS_NX-OS ! !--- Enable TACACS+ on the device. feature tacacs+ tacacs-server host 10.0.0.1 key 7 DPSWy1qpokXT tacacs-server host 10.0.0.2 key 7 DPSWy1qpokXT tacacs-server directed-request !--- Provide the name of your ACS server. aaa group server tacacs+ ACS !--- Mention the IP address of the tacacs-servers !--- referred to in the "tacacs-server host" command. server 10.43.208.11 server 10.47.208.11 !--- Telnet and ssh sessions. aaa authentication login default group ACS local !--- Console sessions. aaa authentication login console group ACS local !--- Accounting command. aaa accounting default group ACS NOTE: The Nexus operating system does not use the concept of privilege levels instead it uses roles. By default you are placed in the network-operator role. If you want a user to have full permissions, you must place them in the network-admin role, and you must configure the TACACS server to push down an attribute when the user logs in. For TACACS+, you pass back a TACACS custom attribute with a value of roles="roleA". For a full access user, you use: cisco-av-pair*shell:roles="network-admin" cisco-av-pair*shell:roles="network-admin"(The * makes it optional) shell:roles="network-admin"
-
Configure Cisco Hardware for TACACS
Here is how you configure TACACS+ for Cisco IOS device !!!!TACACS_IOS ! !--- Enable TACACS+ on the device. aaa new-model aaa group server tacacs+ tacacs_acs aaa authentication login linecon group tacacs+ local aaa authentication login linevty group tacacs+ local aaa authorization exec default local aaa authorization exec execauthnone none aaa authorization exec execauth group tacacs+ aaa authorization commands 15 commandauthnone none aaa authorization commands 15 commandauth group tacacs+ aaa accounting exec default start-stop group tacacs+ aaa accounting send stop-record authentication failure aaa accounting update newinfo aaa accounting commands 0 default start-stop group tacacs+ aaa accounting commands 1 default start-stop group tacacs+ aaa accounting commands 7 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting network default start-stop group tacacs+ aaa accounting network 15 start-stop group tacacs+ aaa accounting connection default start-stop group tacacs+ aaa accounting connection 15 start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ aaa session-id common ! !--- Mention the IP address of the tacacs-servers tacacs-server host 10.43.208.11 tacacs-server host 10.47.208.11 tacacs-server directed-request tacacs-server key DPSWy1qpokXT Here is how you configure TACACS+ for Cisco Nexus (NX-OS) device !!!!TACACS_NX-OS ! !--- Enable TACACS+ on the device. feature tacacs+ tacacs-server host 10.0.0.1 key 7 DPSWy1qpokXT tacacs-server host 10.0.0.2 key 7 DPSWy1qpokXT tacacs-server directed-request !--- Provide the name of your ACS server. aaa group server tacacs+ ACS !--- Mention the IP address of the tacacs-servers !--- referred to in the "tacacs-server host" command. server 10.43.208.11 server 10.47.208.11 !--- Telnet and ssh sessions. aaa authentication login default group ACS local !--- Console sessions. aaa authentication login console group ACS local !--- Accounting command. aaa accounting default group ACS NOTE: The Nexus operating system does not use the concept of privilege levels instead it uses roles. By default you are placed in the network-operator role. If you want a user to have full permissions, you must place them in the network-admin role, and you must configure the TACACS server to push down an attribute when the user logs in. For TACACS+, you pass back a TACACS custom attribute with a value of roles="roleA". For a full access user, you use: cisco-av-pair*shell:roles="network-admin" cisco-av-pair*shell:roles="network-admin"(The * makes it optional) shell:roles="network-admin"
-
How to implement SSH on your Cisco IOS device
I just run the following (NOTE: You must have a K9 image) crypto key generate rsa 2048 ip ssh time-out 60 ip ssh authentication-retries 2 ! ! show crypto key mypubkey rsa ! line vty 0 4 ! transport input ssh
-
How to implement SSH on your Cisco IOS device
I just run the following (NOTE: You must have a K9 image) crypto key generate rsa 2048 ip ssh time-out 60 ip ssh authentication-retries 2 ! ! show crypto key mypubkey rsa ! line vty 0 4 ! transport input ssh
-
Cisco Nexus grep help
EXAMPLE of grep AND command in the linux world the command would be
-
Cisco Nexus grep help
EXAMPLE of grep AND command in the linux world the command would be
-
Ping Sweep using free NMAP
I prefer using nmap -T4 -A -v 192.168.250.192-195
-
Ping Sweep using free NMAP
I prefer using nmap -T4 -A -v 192.168.250.192-195
-
Does windows have a TCP Port limit?
These are reserved well known port range 1-1024 and anything 1025 and up to 65534 are dynamic ports. Just like you said, your first dynamic port is 1025 and with windows (yuck) you have a default limit of 4000 ports between two IP's instead of utilizing the full 65534 ports so you'll run out of dynamic ports at TCP port 5000. No server should have a limit of only 4000 tcp source ports. When a client initiates a TCP/IP socket connection to a server, the client typically connects to a specific port on the server and requests that the server respond to the client over a dynamic, or short lived, TCP or UDP port. On Windows Server 2003 and Windows XP the default range of dynamic ports used by client applications is from 1025 through 5000. Under certain conditions it is possible that the available ports in the default range will be exhausted. The symptoms of TCP/IP port exhaustion may vary from one client application to another but are typically manifested as an error indicating a failed network connection. To determine if failed network connections are being caused by TCP/IP port exhaustion, follow these steps on the client computer: On a computer running Windows XP or Windows Server 2003, click Start, click Run, type cmd, and then click OK to open a command prompt. Enter the following command in the command prompt on a Windows XP or Windows Server 2003 computer to display the active connections being used by the TCP/IP protocol on this computer: netstat -n ​This will list the TCP/IP addresses bound to the client computer and the ports on which the TCP/IP addresses are communicating with a remote server. If the listed ports consume all of the available ports then TCP/IP port exhaustion occurs. Enter the following command in the command prompt on a Windows Server 2003-based client computer to display the active connections being used by the TCP/IP protocol: netstat -b This will list the TCP/IP address bound to the client computer, the port on which the TCP/IP address are communicating with a remote server, and the application that is using the ports. This information can help determine which client applications are consuming excessive TCP/IP ports. Each port reservation that is made by a client application consumes kernel memory. If an unusually high number of client port reservations are made then Windows kernel memory use will increase accordingly. TCP/IP port exhaustion can occur on a client computer if the client computer is engaging in an unusually high number of TCIP/IP socket connections. This can occur if many client applications are initiating connections. If all of the available dynamic ports are allocated to client applications then the client experiences a condition known as TCP/IP port exhaustion. When TCP/IP port exhaustion occurs, client port reservations cannot be made and errors will occur in client applications that attempt to connect to a server via TCP/IP sockets. TCP/IP port exhaustion is more likely to occur under high load conditions than under normal load conditions. In effort to correct the issue or even avoid TCP/IP port exhaustion and its associated problems follow these steps: Verify that one or more client applications are not generating excessive TCP/IP socket connections. This can be checked by running netstat -n on Windows Server 2003 and Windows XP or by running netstat -b on Windows Server 2003 as described above. If a particular client application is engaging in an unusually high number of TCP/IP socket connections then consider redesigning the client application to make more use of TCP/IP socket connections. Note: If an unusually high number of client port reservations are allocated to an instance of the specific Application service then verify that any custom code configured to run in the Application service is not making excessive TCP/IP socket connections. If a large number of client applications are initiating the expected number of TCP/IP socket connections but there are not enough available dynamic ports to satisfy the connection requests then implement one or more of the following registry modifications. Here are some instructions on how to increase the upper range of dynamic ports that are dynamically allocated to client TCP/IP socket connections. Start Registry Editor. Browse to, and then click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters On the Edit menu, click New, DWORD Value, and then add the following registry value to increase the number of ephemeral ports that can by dynamically allocated to clients: Value name MaxUserPort Value data Close Registry Editor Note You must restart your computer for this change to take effect. Note Increasing the range of dynamic ports used for client TCP/IP connections consumes Windows kernel memory. Do not increase the upper limit for this setting to a value higher than is required to accommodate client application socket connections so as to minimize unnecessary consumption of Windows kernel memory.
-
Does windows have a TCP Port limit?
These are reserved well known port range 1-1024 and anything 1025 and up to 65534 are dynamic ports. Just like you said, your first dynamic port is 1025 and with windows (yuck) you have a default limit of 4000 ports between two IP's instead of utilizing the full 65534 ports so you'll run out of dynamic ports at TCP port 5000. No server should have a limit of only 4000 tcp source ports. When a client initiates a TCP/IP socket connection to a server, the client typically connects to a specific port on the server and requests that the server respond to the client over a dynamic, or short lived, TCP or UDP port. On Windows Server 2003 and Windows XP the default range of dynamic ports used by client applications is from 1025 through 5000. Under certain conditions it is possible that the available ports in the default range will be exhausted. The symptoms of TCP/IP port exhaustion may vary from one client application to another but are typically manifested as an error indicating a failed network connection. To determine if failed network connections are being caused by TCP/IP port exhaustion, follow these steps on the client computer: On a computer running Windows XP or Windows Server 2003, click Start, click Run, type cmd, and then click OK to open a command prompt. Enter the following command in the command prompt on a Windows XP or Windows Server 2003 computer to display the active connections being used by the TCP/IP protocol on this computer: netstat -n ​This will list the TCP/IP addresses bound to the client computer and the ports on which the TCP/IP addresses are communicating with a remote server. If the listed ports consume all of the available ports then TCP/IP port exhaustion occurs. Enter the following command in the command prompt on a Windows Server 2003-based client computer to display the active connections being used by the TCP/IP protocol: netstat -b This will list the TCP/IP address bound to the client computer, the port on which the TCP/IP address are communicating with a remote server, and the application that is using the ports. This information can help determine which client applications are consuming excessive TCP/IP ports. Each port reservation that is made by a client application consumes kernel memory. If an unusually high number of client port reservations are made then Windows kernel memory use will increase accordingly. TCP/IP port exhaustion can occur on a client computer if the client computer is engaging in an unusually high number of TCIP/IP socket connections. This can occur if many client applications are initiating connections. If all of the available dynamic ports are allocated to client applications then the client experiences a condition known as TCP/IP port exhaustion. When TCP/IP port exhaustion occurs, client port reservations cannot be made and errors will occur in client applications that attempt to connect to a server via TCP/IP sockets. TCP/IP port exhaustion is more likely to occur under high load conditions than under normal load conditions. In effort to correct the issue or even avoid TCP/IP port exhaustion and its associated problems follow these steps: Verify that one or more client applications are not generating excessive TCP/IP socket connections. This can be checked by running netstat -n on Windows Server 2003 and Windows XP or by running netstat -b on Windows Server 2003 as described above. If a particular client application is engaging in an unusually high number of TCP/IP socket connections then consider redesigning the client application to make more use of TCP/IP socket connections. Note: If an unusually high number of client port reservations are allocated to an instance of the specific Application service then verify that any custom code configured to run in the Application service is not making excessive TCP/IP socket connections. If a large number of client applications are initiating the expected number of TCP/IP socket connections but there are not enough available dynamic ports to satisfy the connection requests then implement one or more of the following registry modifications. Here are some instructions on how to increase the upper range of dynamic ports that are dynamically allocated to client TCP/IP socket connections. Start Registry Editor. Browse to, and then click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters On the Edit menu, click New, DWORD Value, and then add the following registry value to increase the number of ephemeral ports that can by dynamically allocated to clients: Value name MaxUserPort Value data Close Registry Editor Note You must restart your computer for this change to take effect. Note Increasing the range of dynamic ports used for client TCP/IP connections consumes Windows kernel memory. Do not increase the upper limit for this setting to a value higher than is required to accommodate client application socket connections so as to minimize unnecessary consumption of Windows kernel memory.
-
Troubleshooting mls qos on Cisco IOS
Thanks for uploading this information.
-
Troubleshooting mls qos on Cisco IOS
Thanks for uploading this information.
-
Cisco ACS 5 Integration with Microsoft Active Directory
Steps to integrate ACS with AD Windows Server 2008 configuration Synchronize with time server using NTP Create Cisco Administrators security group Assign users to created security group Cisco ACS configuration Synchronize with time server using NTP Define correct DNS Define AD connection and Security Group mapping Define Shell Profile Define Access Policy – Edit Default Device Admin Identity Authorization Define Access Policy – Define Service Selection Rule Cisco router configuration for AAA support Windows Server 2008 configuration - Synchronize with time server using NTP Log into your PDC Server and open the command prompt Stop the W32Time service: (C:\net stop w32time) Configure the external time sources: (c:\w32tm /config /syncfromflags:manual /manualpeerlist:â€192.168.1.5â€) Make your PDC a reliable time source for the clients (c:/w32tm /config /reliable:yes) Start the W32Time Service: (C:\net start w32time) The windows time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: c:\w32tm /query /configuration Check the Event Viewer for any errors Windows Server 2008 configuration - Create Cisco Administrators security groupWindows Server 2008 configuration - Assign users to created security group Click on user and then click on Member of Tab Click Add Type in the created security group Click on Check Names to verify then click OK and OK again to close user. Cisco ACS configuration - Synchronize with time server using NTP enter on ACS CLI: clock timezone US/Eastern (verify by typing: show clock)US/Indiana-Starke US/Pacific US/Michigan US/Mountain US/Central US/Samoa US/Arizona US/Eastern US/Alaska US/East-Indiana US/Hawaii US/Aleutian enter on ACS CLI: ntp server 192168.1.5 (verify by typing: show ntp) Cisco ACS configuration - Define correct DNSenter on ACS CLI: ip name-server 192.168.2.6 (verify by typing: ping dc.mywiseguys.com) Cisco ACS configuration - Define AD connection and Security Group mappingbrowse to the web interface: [url=http://192.168.1.201/acsadmin]http://192.168.1.201/acsadmin browse to Users and Identity Stores - External Identity Stores - Active Directory Enter: General Tab: Active Directory Domain Name General Tab: Credentials used to join this machine to the AD domain (username and password) - Click Test Connection to verify (NOTE1: password must not contain certain special characters like # or $ or " , etc , which does not work on cisco devices.)(NOTE2: Predefined user in AD. AD account required for domain access in ACS should have either of the following: Add workstations to domain user right in corresponding domain OR Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is precreated (created before joining ACS machine to the domain). We recommend that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. This is because if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore possibly deny all authentications.) General Tab: Click Save General Tab: Look at bottom under Connection Status and verify it says CONNECTED Directory Groups: click Select and place checkmark in created security group and click OK Directory Groups: click Save Cisco ACS configuration - Define Shell Profilebrowse to the web interface: [url=http://192.168.1.201/acsadmin]http://192.168.1.201/acsadmin browse to Policy Elements - Authorization & Permissions - Device Administratrion - Shell Profiles click Create General Tab: Name = ENABLE Common Tasks Tab: Default Privilege = Static Value = 15 Click Submit browse to Access Policies - Default Device Admin - Identity Click Select and choose AD1 (gets created automatically once the connection to AD was established) Click OK Click Save Changes browse to Access Policies - Default Device Admin - Authorization Click on Customize Select Compound Condition and click on arrow to move to the right (Compound Condition allows us to select AD group during policy/rule creation) Click OK Place a checkmark next to a rule and click Edit Uncheck any checkmarks and place a checkmark next to Compound Condition Now you can select AD-AD1 from the Dictionary Select attribute: External Groups Select Value: your security group you created earlier and click OK Under Current Condition Set click on Add V Under Results click Select and choose the Shell Policy you created earlier (ENABLE) and click OK and click OK again to close Click Save Changes browse to Access Policies - Service Selection Rules Select Rule based result selection and click OK to warning if it pops up Click Create (notice you only have Compound Condition) click Cancel Click Customize Click Protocol and click on the arrow to move it to the right then click OK Click Create place checkmark next to protocol, match and click Select and choose TACACS and click OK Change Results to Default Device Admin and Click OK Click Save Changes browse to Network Resources - Network Devices and AAA Clients Click Create Enter a Name Place a checkmark next to TACACS and enter shared secret Enter IP Address Click Submit Configure Cisco IOS to connect enter: aaa new-model enter: aaa authentication login default group tacacs+ local enter: aaa authorization exec default group tacacs+ local enter: aaa authorization console enter: tacacs-server host 192.168.2.201 enter: tacacs-server key cisco enter: debug aaa authentication enter: debug tacacs
-
Cisco ACS 5 Integration with Microsoft Active Directory
Steps to integrate ACS with AD Windows Server 2008 configuration Synchronize with time server using NTP Create Cisco Administrators security group Assign users to created security group Cisco ACS configuration Synchronize with time server using NTP Define correct DNS Define AD connection and Security Group mapping Define Shell Profile Define Access Policy – Edit Default Device Admin Identity Authorization Define Access Policy – Define Service Selection Rule Cisco router configuration for AAA support Windows Server 2008 configuration - Synchronize with time server using NTP Log into your PDC Server and open the command prompt Stop the W32Time service: (C:\net stop w32time) Configure the external time sources: (c:\w32tm /config /syncfromflags:manual /manualpeerlist:â€192.168.1.5â€) Make your PDC a reliable time source for the clients (c:/w32tm /config /reliable:yes) Start the W32Time Service: (C:\net start w32time) The windows time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: c:\w32tm /query /configuration Check the Event Viewer for any errors Windows Server 2008 configuration - Create Cisco Administrators security groupWindows Server 2008 configuration - Assign users to created security group Click on user and then click on Member of Tab Click Add Type in the created security group Click on Check Names to verify then click OK and OK again to close user. Cisco ACS configuration - Synchronize with time server using NTP enter on ACS CLI: clock timezone US/Eastern (verify by typing: show clock)US/Indiana-Starke US/Pacific US/Michigan US/Mountain US/Central US/Samoa US/Arizona US/Eastern US/Alaska US/East-Indiana US/Hawaii US/Aleutian enter on ACS CLI: ntp server 192168.1.5 (verify by typing: show ntp) Cisco ACS configuration - Define correct DNSenter on ACS CLI: ip name-server 192.168.2.6 (verify by typing: ping dc.mywiseguys.com) Cisco ACS configuration - Define AD connection and Security Group mappingbrowse to the web interface: [url=http://192.168.1.201/acsadmin]http://192.168.1.201/acsadmin browse to Users and Identity Stores - External Identity Stores - Active Directory Enter: General Tab: Active Directory Domain Name General Tab: Credentials used to join this machine to the AD domain (username and password) - Click Test Connection to verify (NOTE1: password must not contain certain special characters like # or $ or " , etc , which does not work on cisco devices.)(NOTE2: Predefined user in AD. AD account required for domain access in ACS should have either of the following: Add workstations to domain user right in corresponding domain OR Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is precreated (created before joining ACS machine to the domain). We recommend that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. This is because if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore possibly deny all authentications.) General Tab: Click Save General Tab: Look at bottom under Connection Status and verify it says CONNECTED Directory Groups: click Select and place checkmark in created security group and click OK Directory Groups: click Save Cisco ACS configuration - Define Shell Profilebrowse to the web interface: [url=http://192.168.1.201/acsadmin]http://192.168.1.201/acsadmin browse to Policy Elements - Authorization & Permissions - Device Administratrion - Shell Profiles click Create General Tab: Name = ENABLE Common Tasks Tab: Default Privilege = Static Value = 15 Click Submit browse to Access Policies - Default Device Admin - Identity Click Select and choose AD1 (gets created automatically once the connection to AD was established) Click OK Click Save Changes browse to Access Policies - Default Device Admin - Authorization Click on Customize Select Compound Condition and click on arrow to move to the right (Compound Condition allows us to select AD group during policy/rule creation) Click OK Place a checkmark next to a rule and click Edit Uncheck any checkmarks and place a checkmark next to Compound Condition Now you can select AD-AD1 from the Dictionary Select attribute: External Groups Select Value: your security group you created earlier and click OK Under Current Condition Set click on Add V Under Results click Select and choose the Shell Policy you created earlier (ENABLE) and click OK and click OK again to close Click Save Changes browse to Access Policies - Service Selection Rules Select Rule based result selection and click OK to warning if it pops up Click Create (notice you only have Compound Condition) click Cancel Click Customize Click Protocol and click on the arrow to move it to the right then click OK Click Create place checkmark next to protocol, match and click Select and choose TACACS and click OK Change Results to Default Device Admin and Click OK Click Save Changes browse to Network Resources - Network Devices and AAA Clients Click Create Enter a Name Place a checkmark next to TACACS and enter shared secret Enter IP Address Click Submit Configure Cisco IOS to connect enter: aaa new-model enter: aaa authentication login default group tacacs+ local enter: aaa authorization exec default group tacacs+ local enter: aaa authorization console enter: tacacs-server host 192.168.2.201 enter: tacacs-server key cisco enter: debug aaa authentication enter: debug tacacs
-
Transfer from Windows XP PC to new Windows 8 PC
Microsoft has changed the way they describe the processes by which we move from the one version of Windows to the next. In the past, we used the following terms to describe the different ways in which you could install Windows: Clean install Where you install—or reinstall—Windows from scratch. In-place upgrade Where you upgrade to a newer version of Windows from within the older version, retaining most of your settings and applications, and all of your documents and other data files. Migration By which Setup backs up your settings and/or data first, then clean installs Windows, and then reapplies your settings and/or data to the new OS. In Windows 8, these types of installs can all still occur, though they’re not all available in all circumstances. More important, Microsoft has significantly changed how it surfaces these choices in the Setup user experience. That is, if you run Windows 8 Setup from within a previously supported version of Windows—Windows XP with Service Pack 3 (SP3), Windows Vista, Windows 7, or the Windows 8 Release Preview—the choices you get will vary from OS version to OS version. These choices appear at a stage of Setup called Choose What To Keep, which occurs right after you agree to the End User License Agreement (EULA). While there are four possible choices, depending on the OS from which you’re starting, you will only see two of them if you run Windows 8 (RTM) Setup from Windows XP with Service Pack 3 (and yes, SP3 is required). Those choices are: Personal files only. Here, any documents and other files that are stored in the Users folder (C:\Documents and Settings by default) will be carried forward to the new install. So you will lose installed desktop applications (which you’ll need to manually reinstall), and any OS, app, and application settings. This type of install is considered a partial migration, since Windows settings are not carried forward. Nothing. Here, nothing is saved, and Setup will perform a clean install. Put simply, Microsoft supports migrating from Windows XP with SP3 to Windows 8, but not an in-place upgrade, which would have included installed applications and their settings. As with Windows Vista, the number of users who will upgrade from Windows XP to Windows 8 is almost certainly fairly small, and most people who were interested in upgrading off of XP would have previously upgraded to Windows 7. Furthermore, anyone who has held out with the decade-old XP is unlikely to be particularly interested in Windows 8, especially on existing PC hardware. Still, it’s important to know what your options are. Backup in Windows Get a backup drive. This can be just about any USB external hard drive, and you can get them at most electronics stores. Try to get one that has twice as much space as your computer, so you have room for multiple backups and so you have room for all the data you might get in the future. When you first plug it in, Windows will actually ask you if you want to use it as a backup. Tell it that you do. If you don't get this prompt, you can just go to the Start Menu, type "backup" in the search box, and hit Backup and Restore. From there, click the "Set Up Backup" button. Pick the external drive you plugged in and hit Next. Windows' default settings are probably fine, so you can just hit Next and the next screen too. On the last screen, hit "Save Settings and Run Backup". Windows will make its first backup of your drive, during which you don't want to turn off your computer. After that, it'll make regular backups in the background as you work—you don't need to deal with it again. If you ever need to restore a file you lost, you can just go to the Start Menu, type in "backup", and go back to "Backup and Restore". You can hit the "Restore My Files" or "Restore Users Files" buttons to get those files back. You can also try the Windows Easy Transfer: Download and install Windows Easy Transfer on your computer running Windows XP PC. XP 32bit: wet7xp_x86.zip XP 64bit: wet7xp_x64.zip First open and run Windows Easy Transfer on your computer running Windows XP. Then open and run Windows Easy Transfer on your computer running Windows 8. You can open the Windows 8 version of Windows Easy Transfer by clicking the Start button. In the search box, type “Easy Transfer†and then click Windows Easy Transfer. Follow the instructions in the wizard to select and transfer your data.
-
Transfer from Windows XP PC to new Windows 8 PC
Microsoft has changed the way they describe the processes by which we move from the one version of Windows to the next. In the past, we used the following terms to describe the different ways in which you could install Windows: Clean install Where you install—or reinstall—Windows from scratch. In-place upgrade Where you upgrade to a newer version of Windows from within the older version, retaining most of your settings and applications, and all of your documents and other data files. Migration By which Setup backs up your settings and/or data first, then clean installs Windows, and then reapplies your settings and/or data to the new OS. In Windows 8, these types of installs can all still occur, though they’re not all available in all circumstances. More important, Microsoft has significantly changed how it surfaces these choices in the Setup user experience. That is, if you run Windows 8 Setup from within a previously supported version of Windows—Windows XP with Service Pack 3 (SP3), Windows Vista, Windows 7, or the Windows 8 Release Preview—the choices you get will vary from OS version to OS version. These choices appear at a stage of Setup called Choose What To Keep, which occurs right after you agree to the End User License Agreement (EULA). While there are four possible choices, depending on the OS from which you’re starting, you will only see two of them if you run Windows 8 (RTM) Setup from Windows XP with Service Pack 3 (and yes, SP3 is required). Those choices are: Personal files only. Here, any documents and other files that are stored in the Users folder (C:\Documents and Settings by default) will be carried forward to the new install. So you will lose installed desktop applications (which you’ll need to manually reinstall), and any OS, app, and application settings. This type of install is considered a partial migration, since Windows settings are not carried forward. Nothing. Here, nothing is saved, and Setup will perform a clean install. Put simply, Microsoft supports migrating from Windows XP with SP3 to Windows 8, but not an in-place upgrade, which would have included installed applications and their settings. As with Windows Vista, the number of users who will upgrade from Windows XP to Windows 8 is almost certainly fairly small, and most people who were interested in upgrading off of XP would have previously upgraded to Windows 7. Furthermore, anyone who has held out with the decade-old XP is unlikely to be particularly interested in Windows 8, especially on existing PC hardware. Still, it’s important to know what your options are. Backup in Windows Get a backup drive. This can be just about any USB external hard drive, and you can get them at most electronics stores. Try to get one that has twice as much space as your computer, so you have room for multiple backups and so you have room for all the data you might get in the future. When you first plug it in, Windows will actually ask you if you want to use it as a backup. Tell it that you do. If you don't get this prompt, you can just go to the Start Menu, type "backup" in the search box, and hit Backup and Restore. From there, click the "Set Up Backup" button. Pick the external drive you plugged in and hit Next. Windows' default settings are probably fine, so you can just hit Next and the next screen too. On the last screen, hit "Save Settings and Run Backup". Windows will make its first backup of your drive, during which you don't want to turn off your computer. After that, it'll make regular backups in the background as you work—you don't need to deal with it again. If you ever need to restore a file you lost, you can just go to the Start Menu, type in "backup", and go back to "Backup and Restore". You can hit the "Restore My Files" or "Restore Users Files" buttons to get those files back. You can also try the Windows Easy Transfer: Download and install Windows Easy Transfer on your computer running Windows XP PC. XP 32bit: wet7xp_x86.zip XP 64bit: wet7xp_x64.zip First open and run Windows Easy Transfer on your computer running Windows XP. Then open and run Windows Easy Transfer on your computer running Windows 8. You can open the Windows 8 version of Windows Easy Transfer by clicking the Start button. In the search box, type “Easy Transfer†and then click Windows Easy Transfer. Follow the instructions in the wizard to select and transfer your data.
-
Installation of Tacacs+ on Ubuntu
Some more troubleshooting I've been doing. I have debug going on my switch to capture what the heck is going on. USER: telnet 10.6.63.70 User Access Verification Username: SWITCH: ************************************************************** USER: user4[/code] [/size] SWITCH: [/size] ************************************************************** USER: ''.str_replace(' ', '', ' loginpass').'' SWITCH: ************************************************************** USER: ''.str_replace(' ', '', ' enable').'' SWITCH: ************************************************************** USER: ''.str_replace(' ', '', ' enablepass').'' SWITCH: ************************************************************** USER: ''.str_replace(' ', '', ' config t').'' SWITCH: ************************************************************** USER: ''.str_replace(' ', '', ' int gi1/0/1').'' SWITCH: ************************************************************** USER: ''.str_replace(' ', '', ' logout').'' SWITCH: ************************************************************** So as you can see, I still can enter configure terminal mode and configure everything even though I set the priv-lvl to less than 15. Any ideas?
-
Installation of Tacacs+ on Ubuntu
Some more troubleshooting I've been doing. I have debug going on my switch to capture what the heck is going on. USER: telnet 10.6.63.70 User Access Verification Username: SWITCH: ************************************************************** USER: user4[/code] [/size] SWITCH: [/size] ************************************************************** USER: ''.str_replace(' ', '', ' loginpass').'' SWITCH: ************************************************************** USER: ''.str_replace(' ', '', ' enable').'' SWITCH: ************************************************************** USER: ''.str_replace(' ', '', ' enablepass').'' SWITCH: ************************************************************** USER: ''.str_replace(' ', '', ' config t').'' SWITCH: ************************************************************** USER: ''.str_replace(' ', '', ' int gi1/0/1').'' SWITCH: ************************************************************** USER: ''.str_replace(' ', '', ' logout').'' SWITCH: ************************************************************** So as you can see, I still can enter configure terminal mode and configure everything even though I set the priv-lvl to less than 15. Any ideas?
-
Installation of Tacacs+ on Ubuntu
I'm having a difficult time here getting tacacs to work. I can get it to authenticate but never do any restrictions. I verified my IOS is above 11.1 (its actually 12.x) I followed these instructions which are pretty close to yours STEP 1: Login to the ubuntu server and run the command as sudo (installing dependency packages) sudo apt-get install gcc flex bison STEP 2: download the tacplus package from ftp://ftp.shrubbery.net/pub/tac_plus STEP 3: I am using the stable version tacacs+-F4.0.4.26.tar.gz transfer the file to any directory inside your ubuntu server untar the file tar xvf tacacs+-F4.0.4.26.tar.gz[/code] This creates a folder tacacs+-F4.0.4.26 STEP 4: Building tacplus First get in the directory where you extracted all those files ''.str_replace(' ', '', 'cd tacacs+-F4.0.4.26').'' Then initiate the tac plus build script ''.str_replace(' ', '', './configure').'' Then run the command that will compile tacacs source files ''.str_replace(' ', '', 'make install').'' STEP 5: Setting up the configuration files for Tac Plus Create a folder tacacs under /etc/ ''.str_replace(' ', '', 'mkdir /etc/tacacs').'' Create a file tac_plus.conf under /etc/tacacs ''.str_replace(' ', '', 'touch tac_plus.conf').'' Copy the below to your new tac_plus.conf your just created Defined 4 users 2 users with full access 1 user who will be having only read only privilege who can just run show commands 1 user with full access meanwhile having a different enable password. For all the users except user4 enable password will be the same. Update with your DES passwords by running ''.str_replace(' ', '', 'sudo /usr/local/bin/tac_pwd').'' Create a file tac_plus under /etc/init.d/ and make it executable''.str_replace(' ', '', ' touch /etc/init.d/tac_plus chmod 755 tac_plus').'' (This command will give execute previlege for the tac_plus file for the root user) Copy the below contents to /etc/init.d/tac_plus Create a file tac_plus under /etc/default''.str_replace(' ', '', ' touch /etc/default/tac_plus chmod 755 tac_plus').'' (This command will give execute previlege for the tac_plus file for the root user) Copy the contents below to /etc/default/tac_plus tac_plus options defined ''.str_replace(' ', '', ' -d Value Meaning 2 configuration parsing debugging 4 fork(1) debugging 8 authorization debugging 16 authentication debugging 32 password file processing debugging 64 accounting debugging 128 config file parsing & lookup 256 packet transmission/reception 512 encryption/decryption 1024 MD5 hash algorithm debugging 2048 very low level encryption/decryption 32768 max session debugging 65536 lock debugging').'' Create a file tacacs.log under /var/log/tac-plus to log all the aaa activities''.str_replace(' ', '', ' mkdir /var/log/tac-plus touch /var/log/tac-plus/tacacs.log').'' OTHER TAC_PLUS FILES STEP 6: Starting and Stopping Tac Plus To start tacacs: ''.str_replace(' ', '', 'sudo /etc/init.d/tac_plus start ').'' or ''.str_replace(' ', '', 'sudo tac_plus -C /etc/tacacs/tac_plus.conf').'' To stop tacacs: ''.str_replace(' ', '', '/etc/init.d/tac_plus stop').'' STEP 7: Verify tacacs is running by looking at listening on TCP Port 49? ''.str_replace(' ', '', 'sudo netstat -na | grep 49').'' Tacacs runs on TCP Port 49 and the expected output should be ''.str_replace(' ', '', 'tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN').'' log files have output ''.str_replace(' ', '', 'sudo tail -f /var/log/tac-plus/tacacs.log').'' Please go through the logs and look for tac plus software related errors STEP 8: Configure your Cisco Switches