
Answer Questions

  • PEAP and Mac OSX Panther - ( 12-04-2003 )
  • Wireless Security and Network Management
  • Just received our first Panther laptop and I am trying to get authenticated using PEAP to our 1200 series access point. I am curious if anyone has got this working and if so what radius server are you using. We are using 2003 Server IAS and my PC clients authenticate just fine. Thanks, Don Hickey

  • IAS Windows Server 2003 - ( 12-01-2003 )
  • Wireless Security and Network Management
  • I am using PEAP mschapv2 with Windows 2003 Server IAS and I get these errors, sometimes lasting 5 minutes, other times 10 minutes, and other times it just connects right away. I have enabled computer authentication, to log on to the Domain. I am using an 1100 with the latest IOS and the latest ACU.
    User ADXTECH1\xxxxx was denied access.
    Fully-Qualified-User-Name = adxtech.loc/Employees/xxxxxx
    NAS-IP-Address = 192.168.9.6
    NAS-Identifier = ADXAP1
    Called-Station-Identifier = 0001.8a97.c22d
    Calling-Station-Identifier = 0002.50cb.1710
    Client-Friendly-Name = AP
    Client-IP-Address = 192.168.9.6
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 445
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = PEAP
    and this also
    Access request for user ADXTECH1\xxxxx was discarded.
    Fully-Qualified-User-Name = <undetermined>
    NAS-IP-Address = 192.168.9.6
    NAS-Identifier = ADXAP1
    Called-Station-Identifier = 0001.8a97.c22d
    Calling-Station-Identifier = 0002.50cb.1710
    Client-Friendly-Name = AP
    Client-IP-Address = 192.168.9.6
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 458
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Reason-Code = 1
    Reason = An internal error occurred. Check the system event log for additional information.

  • CSA problems with SAV - ( 12-01-2003 )
  • Other Collaboration Subjects
  • I have CSA installed on my Unity 4.0.3 server (as posted on the CCO but later pulled?), but SAV 8.0 is tripping it up all the time with its real-time scan. Indeed, SAV is not qualified for use with the CSA agent so this makes sense. Is there going to be a new release or does anyone know of a workaround to get SAV working in this configuration? Thanks!

  • WLSE screen shot - ( 11-28-2003 )
  • Wireless Security and Network Management
  • Hi, Could someone possibly take 1-2 original screen shots of rogue AP detection from WLSE engine? No longer have access to one, would greatly appreciate it. kanclirz@makesecure.com if you can help. Thanks.

  • Sig 4003, firing on UDP ports 1026 - 1031 - ( 11-27-2003 )
  • Other Security Subjects
  • Hi, all. I started seeing strange traffic on Nov. 25 with what appeared to be NMAP port scans of our network on ports 1026 - 1031 UDP coming from multiple external hosts.
    Signature: 4003, Sub-Signature: 0 on 2003/11/27 at 21:17:40, GMT: 1069996660
    Source Address: xxx.xxx.xxx.249, Source Port: 2258, Destination Address: xxx.xxx.xxx.88, Destination Port: 1031
    Then SANS/DShield released today:
    Request for Packets: Port 1026-1031 (Johannes B. Ullrich)
    ----------------------------------------------------------------------
    Message: 1
    Date: Tue, 25 Nov 2003 22:16:38 -0500
    From: "Johannes B. Ullrich" <jullrich@sans.org>
    Subject: [Dshieldannounce] Request for Packets: Port 1026-1031
    To: dshieldannounce@dshield.org
    Message-ID: <1069816597.16842.774.camel@bart>
    Content-Type: text/plain; charset="us-ascii"
    We are currently tracking some increase in port 1025-1031 activity. The question is if this is a use of a new exploit or just a new version of popup spam.
    For continuing updates, see: http://isc.sans.org/diary.html?date=2003-11-25
    We are currently looking for more data to investigate this issue. One important hint is the change in source ports. As of Nov. 21st, most port 135 reports came from a source port of 666 or 4177, indicating that they were crafted. However, more recently (e.g. Nov. 25th), more reports originate from the default source ports (1024 and up). This is illustrated in this graphic: http://isc.sans.org/images/1026spdistribution.gif
    Not shown in the graphic is a second peak for the Nov. 25th data around source port 60,000. This data may be associated with hosts behind NAT devices.
    Current possibilities:
    (1) Popup Spam: It is possible to reach the Windows Messenger service via these ports. This bypasses UDP 135, which is frequently blocked by firewalls. However, most popup spam originates from a small number of sources.
    (2) Windows Messenger Worm/Bot: On October 15th, Microsoft released Bulletin MS03-043. This bulletin warns of a buffer overflow for the Microsoft Messenger Service: http://www.microsoft.com/technet/security/bulletin/MS03-043.asp
    This vulnerability could be used to gain access to a system, or to launch self replicating code. The malware community is actively working on related exploits.
    My questions: Has anyone seen this traffic? If so has anyone analyzed this traffic?

  • Unity Dual Integration with NEC 2400 - ( 11-26-2003 )
  • Other Collaboration Subjects
  • Planning on installing Unity 4.0 in dual integration mode. CCM--Unity--NEC 2400. The PBX tech claims that the voicemail ports on the NEC are digital. (It is currently using Repartee). If that is true, how do I integrate with Unity as a Dialogic card is analog?

  • Reflexive ACLs - ( 11-26-2003 )
  • Other Security Subjects
  • Hello, Couple of questions re Reflexive ACLs. Firstly, why do I need the evaluate ACL? Can't I just use the "inbound" ACL on the access-group on the interface (the actual reflexive access-list) rather than the "inbound-eval", the ACL with the evaluate command in? Secondly, what about packets generated from the actual router, i.e. eigrp, ospf, BGP etc. for routing protocols? These packets, as they are not transient to the router, don't seem to get through. Is it because they are originated from the router processor itself? Many thx indeed, Ken
    MMmR01#
    MMmR01#
    !
    interface Vlan50
     ip address 30.96.100.18 255.255.255.252
     ip access-group inbound-eval in
     ip access-group outbound out
     ip pim sparse-dense-mode
    !
    MMmR01#
    MMmR01#
    Reflexive IP access list inbound
     permit tcp host 30.96.100.17 eq telnet host 30.96.100.62 eq 63489 (32 matches) (time left 1)
     permit icmp host 30.96.100.1 host 30.96.100.42 (12 matches) (time left 206)
     permit udp host 224.0.1.40 eq pim-auto-rp host 30.96.100.25 eq pim-auto-rp (3 matches) (time left 277)
     permit udp host 30.96.100.1 eq snmp host 30.96.100.42 eq 60114 (11 matches) (time left 189)
     permit udp host 30.96.100.2 eq snmp host 30.96.100.42 eq 60114 (62 matches) (time left 288)
     permit icmp host 30.96.100.17 host 30.96.100.62 (26 matches) (time left 227)
     permit icmp host 30.96.100.17 host 30.96.100.42 (12 matches) (time left 138)
     permit udp host 224.0.1.39 eq pim-auto-rp host 30.96.100.25 eq pim-auto-rp (7 matches) (time left 268)
     permit udp host 30.96.100.17 eq snmp host 30.96.100.42 eq 60114 (114 matches) (time left 288)
    !
    Extended IP access list inbound-eval
     evaluate inbound
    !
    Extended IP access list outbound
     permit ip any any reflect inbound
    MMmR01#

  • Wireless PDA and EAP ? - ( 11-24-2003 )
  • Wireless Security and Network Management
  • Do secure wireless solutions like LEAP exist on cards such as Secure Digital or another? I would like to use a Pocket PC or Palm on WLAN which supports LEAP or PEAP, but I don't know what I have to do/choose ... I know that PCMCIA is available and Cisco distributes drivers for Pocket PC, but PCMCIA for PDA ... This is not a good solution. Any idea? Stephane.

  • cisco and old radius ascend compatibility - ( 11-21-2003 )
  • Network Access Control
  • Hi all, In the context of a migration we replaced an Ascend router with a Cisco. Before, the Ascend router could communicate easily with the Ascend RADIUS. Now the Cisco is not able to work with the Ascend RADIUS. How to make the Cisco router and the old RADIUS server from Ascend work together? Is there a minimum configuration to do on the Cisco, or use avpair? Regards

  • SDH and DSLAM - ( 11-21-2003 )
  • Metro
  • Hi, Anybody know about the Huawei SDH networks (OptiX 2500+ or other)? I need information about the modules that work on their systems for STM-1 and STM-4 (module names and number of ports per card). I would be grateful if you help me. Kind Regards, M.Arshad Rad

  • Another VPN Client Connection Issue - ( 11-19-2003 )
  • VPN
  • Hello, we have a consultant at a remote site trying to use our VPN connection that can authenticate/connect, but no traffic is coming across. I have read through the forums and did some searching about this, but nothing really resolved this issue. I have the routes before and after connecting to the VPN. I am not too familiar with Windows to know what to look for. Does anything here raise any flags to anyone? Thanks in advance, John.
    Before VPN:
    ================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...44 45 53 54 77 77 ...... NTS PPPoE Adapter #1
    0x3 ...00 10 a4 93 c9 c6 ...... Xircom CardBus Ethernet 10/100 Adapter
    0x4 ...44 45 53 54 42 00 ...... UKNOWN NOC Extranet Access Adapter
    ================================================================================================
    Active Routes:
    Network Destination   Netmask           Gateway         Interface       Metric
    0.0.0.0               0.0.0.0           170.248.56.13   170.248.56.57   1
    127.0.0.0             255.0.0.0         127.0.0.1       127.0.0.1       1
    170.248.56.0          255.255.255.0     170.248.56.57   170.248.56.57   1
    170.248.56.57         255.255.255.255   127.0.0.1       127.0.0.1       1
    170.248.255.255       255.255.255.255   170.248.56.57   170.248.56.57   1
    224.0.0.0             224.0.0.0         170.248.56.57   170.248.56.57   1
    255.255.255.255       255.255.255.255   170.248.56.57   2               1
    Default Gateway: 170.248.56.13
    ================================================
    Persistent Routes: None
    After VPN:
    =================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...44 45 53 54 77 77 ...... NTS PPPoE Adapter #1
    0x3 ...00 10 a4 93 c9 c6 ...... Xircom CardBus Ethernet 10/100 Adapter
    0x4 ...44 45 53 54 42 00 ...... UKNOWN NOC Extranet Access Adapter
    0x1000006 ...00 05 9a 3c 78 00 ...... CVirtA38 Cisco Systems VPN Adapter
    ======================================================================================================
    Active Routes:
    Network Destination   Netmask           Gateway         Interface       Metric
    0.0.0.0               0.0.0.0           10.11.224.1     10.11.224.1     1
    0.0.0.0               0.0.0.0           170.248.56.13   170.248.56.57   2
    10.0.0.0              255.0.0.0         10.11.224.1     10.11.224.1     1
    10.11.224.1           255.255.255.255   127.0.0.1       127.0.0.1       1
    10.255.255.255        255.255.255.255   10.11.224.1     10.11.224.1     1
    127.0.0.0             255.0.0.0         127.0.0.1       127.0.0.1       1
    170.248.56.0          255.255.255.0     170.248.56.57   170.248.56.57   1
    170.248.56.0          255.255.255.0     10.11.224.1     10.11.224.1     1
    170.248.56.57         255.255.255.255   127.0.0.1       127.0.0.1       1
    170.248.71.22         255.255.255.255   170.248.56.13   170.248.56.57   1
    170.248.255.255       255.255.255.255   170.248.56.57   170.248.56.57   1
    207.218.14.100        255.255.255.255   170.248.56.13   170.248.56.57   1
    224.0.0.0             224.0.0.0         10.11.224.1     10.11.224.1     1
    224.0.0.0             224.0.0.0         170.248.56.57   170.248.56.57   1
    255.255.255.255       255.255.255.255   170.248.56.57   2               1
    Default Gateway: 10.11.224.1
    ==================================================
    Persistent Routes: None

  • Linux Vpn Client and smartcard - ( 11-19-2003 )
  • VPN
  • Hello, The "Cisco VPN Client user guide for Linux" says that it has the ability to authenticate using smart cards (page 1-6 for release 4.0). However, I did not see any information about this and read in the administration guide configuration information only for Windows. So, is it possible or not to authenticate VPN users using smartcards? If not, is it possible to provide the certificate password in a script (that would read it in a smart card for example)? Indeed, it seems that the only argument for certificates is only "nocertpwd". Thanks. Bertrand.

  • LEAP authentication failover - ( 11-17-2003 )
  • Wireless Security and Network Management
  • I'm currently trying to set up LEAP, we have one RADIUS server (ACS 3.1). I can get the clients to log in with no problem, however I'm working on what to do when the RADIUS server fails. I wrote this into the config:
    aaa authentication login eap_methods group rad_eap none
    or
    aaa authentication login eap_methods group rad_eap local
    As I would like it to either just let the person in or use the local database. However neither none nor local will authenticate them if I disable the radius server. Any ideas? Cheers

  • ATM DS-3 framing PLCP vs. ADM (HEC-direct mapping) - ( 11-17-2003 )
  • Other Network Architecture Subjects
  • Anyone know of a downside to using HEC/cbitadm (direct ATM cell mapping/HEC cell delineation) vs. PLCP when configuring IGX DS-3 (ATM) trunks and/or IGX lines/ports feeding DS-3 ATM PVCs to co-located 7206 routers using enhanced ATM DS-3 port adapters?With PLCP giving 96,000 cps vs. HEC giving 104,268 cps, it would seem to always be preferable to go with the latter, unless there are possible ramifications/pitfalls in using HEC/cbitadm DS-3 framing.

  • EAP association BREAKs for ALL devices - ( 11-17-2003 )
  • Wireless Security and Network Management
  • I have MS IAS 2003 and Cisco 1200 IOS doing PEAP authentication. I have this working OK, however, during the day the clients who have been associated lose their association mid-day. I finally replicated this! When I logged on as a local admin who is not in the MS group to allow wireless access, it broke all of the AP's associated clients and sent them into a 0.0.0.0 Association processing state. Upon logging off the local admin user all clients re-authenticated and re-associated with the AP. Does anyone know how to correct this problem? Any help would be great. PK

  • privilege level question - ( 11-11-2003 )
  • Network Security
  • Hi there, my customer asked me to provide him a priv. level where he could use all "crypto" commands in config mode. Is this possible without writing each command line by line into the config? Something like this:
    priviliege configure level 1 crypto *
    IOS unfortunately does not understand the * :-(
    My second question: my CU would like to reconfigure all preshared keys by himself all the time. I tried this one:
    privilege configure level 1 crypto isakmp key
    I can enter the command with a keystring but I can't enter the peer address at the end of the line. Does anybody know how to solve this issue? I am running IOS 12.3 T4

  • Router problem - ( 11-10-2003 )
  • Other Network Architecture Subjects
  • I have a 2621 router. When I connect to the console, I am getting unreadable ASCII characters rather than the normal login prompt. I guessed a console baud speed problem. I tried to change to a different baud rate. It did not work either. Can anyone let me know what could be wrong on that router which is giving strange characters on startup? Thanks/Regards, Amir

  • EAP authentication MS IAS RADIUS across Subnets without DC - ( 11-10-2003 )
  • Wireless Security and Network Management
  • I have 2 sites set up using MS IAS 2003 RADIUS server and Cisco 1230 APs. Both sites that I have configured have MS DCs local and both sites perform USER and HOST based authentication. I have attempted to set up a third site, but this site is unique b/c it does not have a DC local. At this site the authentication appears to be timing out even though I set all timeouts to the highest intervals. I need the PC to be authenticated at the Windows login screen, then I need the user credentials passed to a DC, then I need them to be allowed access to the Network. The device is requiring a local cached user to gain access, then it is authenticating and assigning an IP. However, I need this all to happen at the login screen prior to logging in b/c I do not allow local cached profiles. I had a similar problem at another site and adjusting the timeouts corrected that, but a DC was also local. Any ideas are appreciated

  • Activating Additional IP addresses from ISP - ( 11-05-2003 )
  • Other Network Architecture Subjects
  • At our company we use Cisco Routers for production and for our LAN! But I have the following issue with a Cayman router (sucks). Connection to ISP is PPPoE. IP address is static but not programmed into the router. It is assigned to the router by the ISP at connection time. ISP has issued additional IP addresses but no assistance in router configuration to "activate" additional IP addresses. Initially, Cayman was set up to use NAT internally to 192.168.1.0/24 with .254 as the router address. My objective: Disable NAT, assign additional Public IP addresses so that they are usable on the LAN side of the Cayman & install Watchguard Firewall to handle security & traffic routing. Sounds simple enough. I have followed Cayman's config instructions to the letter, however I cannot seem to route inbound traffic to the public IPs. The current state of play… I have managed to get the additional Public IPs assigned to the LAN side of the Cayman, but these addresses are inaccessible from the outside world. I looked around & discovered that NAT was still switched on. When I switched it off, ALL internet traffic stopped. As a workaround, I set up a route in the Cayman to pass all traffic from the External IP to ONE of the internal IPs…. Essentially setting up a 1-to-1 NAT… which we were trying to get rid of in the first place. Is there anyone who might have some insight on these Cayman routers?

  • 1220 AP IOS and 12.2.13 and IAS - ( 11-05-2003 )
  • Wireless Security and Network Management
  • Just an FYI for those that might skip release notes :-) Cisco changed the NAS-port-type to the same RADIUS value as access points running VxWorks... This means you will need to change the remote access policy on your IAS server when you go from previous versions of IOS to the latest and greatest. Don

  • find fake some companies do fake cisco - ( 11-05-2003 )
  • Other Network Architecture Subjects
  • I found some fake cisco company, can anyone forward below info to cisco brandprotection office? Thank you very much.
    http://www.memorydealers.com/ciscogbics.html
    http://www.zycko.com/welcome.asp?
    http://www.memx.de/shop/cisco_gbic.html
    http://www.tecowin.de/html/en/index_eng.htm