Configuration of AAA

Hi all

I have configured AAA on my Cisco switch with the following commands,

and I was told that I used a few unnecessary commands that aren't needed.

What would be the effect of removing the red lines?

Any help will be much appreciated.

aaa new-model
aaa authentication login default group radius local
aaa authentication login VTY group radius local
aaa authentication login ssh group radius
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization exec VTY group radius local
aaa accounting exec default start-stop group radius
line con 0
 password test
line vty 0 4
 access-class 1
 authorization exec VTY
 transport input telnet ssh
line vty 5 15
 access-class 1
 authorization exec VTY
 transport input telnet ssh

Thank you very much.

It would not create any problems with the login because you already have "aaa authentication login default group radius local", which actually applies to all lines. The ones you have highlighted are nothing else than method lists that you can create for different lines according to your need.

You may need this command, if you have some access to the configured authentication.

aaa authentication ppp default if-needed group radius local

For example, if you want to authenticate the console session ONLY with the local database and the vty lines by RADIUS, you can add the config listed below.

aaa authentication login CON local
aaa authorization exec CON local
line console 0
 login authentication CON
 authorization exec CON

~ BR
Jatin kone

* Does the rate of useful messages *.
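
The reply's point, that the default list covers every line and a named method list only matters once a line references it, can be checked mechanically. The Python sketch below is an added example, not part of the original thread: the sample configuration is constructed from the question's commands in standard IOS syntax, and the function name audit_method_lists is hypothetical.

```python
import re

# Constructed sample, modelled on the commands in the question (standard IOS syntax).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login VTY group radius local
aaa authentication login ssh group radius
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization exec VTY group radius local
aaa accounting exec default start-stop group radius
line con 0
 password test
line vty 0 4
 authorization exec VTY
 transport input telnet ssh
line vty 5 15
 authorization exec VTY
 transport input telnet ssh
"""

LIST_TYPES = r"(login|enable|ppp|exec|network|connection|commands \d+)"
# Global definition: aaa <service> <type> <list-name> <methods...>
DEFINE_RE = re.compile(
    rf"^aaa (authentication|authorization|accounting) {LIST_TYPES} (\S+) (.+)$")
# References to a method list under a "line" stanza.
LOGIN_RE = re.compile(r"^login authentication (\S+)$")
APPLY_RE = re.compile(rf"^(authorization|accounting) {LIST_TYPES} (\S+)$")


def audit_method_lists(config):
    """Report named lists no line uses, references to lists that do not
    exist, and the login authentication list in effect on each line."""
    defined = {}   # (service, type, name) -> methods string
    applied = {}   # line stanza -> set of (service, type, name)
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if raw.startswith("line "):
            current = text
            applied.setdefault(current, set())
            continue
        if not raw[0].isspace():          # any other top-level command
            current = None
            m = DEFINE_RE.match(text)
            if m:
                defined[(m.group(1), m.group(2), m.group(3))] = m.group(4)
            continue
        if current is None:               # indented, but not under a line
            continue
        m = LOGIN_RE.match(text)
        if m:
            applied[current].add(("authentication", "login", m.group(1)))
            continue
        m = APPLY_RE.match(text)
        if m:
            applied[current].add(m.groups())

    used = set().union(*applied.values())
    unused = sorted(k for k in defined if k[2] != "default" and k not in used)
    undefined = sorted(k for k in used if k not in defined)
    login_list = {}
    for line, refs in applied.items():
        names = [n for (svc, typ, n) in refs if (svc, typ) == ("authentication", "login")]
        # With no "login authentication <name>" on the line, the default list applies.
        login_list[line] = names[0] if names else "default"
    return {"unused": unused, "undefined": undefined, "login_list": login_list}


if __name__ == "__main__":
    report = audit_method_lists(SAMPLE_CONFIG)
    for svc, typ, name in report["unused"]:
        print(f"defined but not applied to any line: aaa {svc} {typ} {name}")
    for svc, typ, name in report["undefined"]:
        print(f"applied but never defined: {svc} {typ} {name}")
    for line, name in report["login_list"].items():
        print(f"{line}: login authentication list in effect = {name}")
```

On the sample, the named login lists VTY and ssh are reported as unused, and every line authenticates logins with the default list.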

Tags: Cisco Security

Similar Questions

  • Configuration of AAA to include local auth for Console connections

    Recently, during a maintenance window, I found that my AAA configurations are not configured to use local authentication if the AAA server is unavailable. I could use a little help in making sure I have the correct configuration. Here is what I set up today:

    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    RADIUS-server host x.x.x.x
    RADIUS-server timeout 120
    RADIUS-server application made
    radius-server key

    Good... If you want that, you will need to configure a fallback option on your aaa login and enable authentication lines. Throw a 'local' keyword on the end of those, and you will get what you are looking for.

    I'm a little worried that the "console aaa authentication" is not appear in your configuration. It makes me think that he will not survive until the next refill.

    Are you running the latest revision of your version of IOS?

  • aaa authentication enable default group tacacs+ enable

    I am implementing CSACS 4.0. First of all, on the client, I will apply aaa authentication/authorization under vty. The issue is if I use the following command

    aaa authentication enable default group tacacs+ enable

    What happens if I connect via the console? Do I need to enter a username and password?

    Here is my configuration

    aaa new-model
    aaa authentication login authvty group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 15 authvty group tacacs+ local
    RADIUS-server host IP
    Radius-server key
    ip tacacs source-interface Vlan3
    aaa accounting send stop-record authentication failure
    aaa accounting delay-start
    aaa accounting exec authvty start-stop group tacacs+
    aaa accounting commands 15 authvty start-stop group tacacs+
    aaa accounting connection authvty start-stop group tacacs+
    line vty 0 15
     login authentication authvty
     authorization commands 15 authvty
     accounting connection authvty
     accounting commands 15 authvty
     accounting exec authvty

    Any suggestion will be appreciated!

    It should work because it is a prompt message/banner whenever you try to log in (console/vty). I set it up on my router.

    If you have banner motd, it will appear as well (see below). So, I have to remove it so that only the aaa banner & prompt are displayed:

    ************************************************************

    Username: cisco, password: cisco (priv 15f - local) *.

    ************************************************************

    Any unauthorized use is prohibited.

    Enter your name here: User1

    Now enter your password:

    Router #.

    The configuration more or less looks like this:

    aaa new-model
    aaa authentication banner ^CUnauthorized use is prohibited.^C
    aaa authentication password-prompt "enter your password now:"
    aaa authentication username-prompt "enter your name here:"
    aaa authentication login default group radius
    aaa authentication login CONSOLE local

    HTH

    AK

  • authorization AAA console

    Hello

    I want to configure aaa authorization with TACACS+ for console login, but in the Cisco documentation I found the following line: "Note: authorization is bypassed for authenticated users who log on by using the console line, even if authorization has been configured." ??? There is no way to configure authorization for console login, right?

    THX

    Larry

    Hi Larry,

    Some additional info, maybe that's what you are experiencing.

    Console port authorization was not added as a feature until Bug ID CSCdi82030 was implemented. Console port authorization is disabled by default to reduce the likelihood of being accidentally locked out of the router. If a user has physical access to the router through the console, console port authorization is not very effective. However, for images in which Bug ID CSCdi82030 has been implemented, console port authorization can be turned on under line con 0 with the hidden command aaa authorization console.

    You can get specific information about a bug ID by using the Bug Toolkit, related tools and utilities.

    Thank you

    Christophe

  • AAA Cisco 600 and 700

    Can Cisco ACS TACACS+ AAA be activated for telnet to Cisco 600 and 700 routers?

    Unfortunately you cannot configure RADIUS or TACACS+ AAA on 600 or 700 series routers.

  • The ISE Cisco switch configuration

    Hi experts,

    I got the following network:

    Devices-> switch access-->--> access switch central office switch-> ISE Server

    All switches are capable IOS for the 802.1X and configurations of AAA for ISE to manage network devices. However, I read in the guide on the configuration of the switches in preparation for the deployment of the ISE of Cisco, but I wonder what should I configure switches for access and basic switches or only configure the switches for access to EHT?

    Thanks for your time to read!

    If all clients are non-DHCP clients, then no configuration is based or distribution at all.

    But you may need to search different options of profiling, if the customers are not active DHCP. Access switch supports the function of detection IOS? Would be very useful to have such a that it would send important profiling information at ISE. You may need to use the right options for ISE of profiling to determine the details of the endpoint.

    Concerning

    Vivek

  • AAA authentication and privilege-mode

    I want to configure authentication aaa with accounts of local user on the switch. The idea is to come directly into the "privilege" without the enable command mode.

    I have configured the following commands:

    aaa new-model
    aaa authentication login default local

    What other commands (permission) are necessary to obtain the command of privilege?

    Thank you

    Pascal

    Dear Sir

    For the console you must issue one more command.

    There is a hidden command within IOS that you will need to apply: "aaa authorization console".

    That should fix it.

    Kind regards

    ~ JG

    Note the useful messages

  • AAA problem in access to the switch console

    Hi all

    I have configured the aaa as orders below:

    RADIUS-server host xxxxxx
    RADIUS-server application made
    RADIUS-server key xxxxxx

    aaa new-model
    aaa authentication login default local
    aaa authentication login techop group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default stop-only group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    aaa session-id common

    line vty 0 15
     login authentication techop

    TACACS+ works fine for SSH, but when I try the switch console
    I am able to log in to exec mode, but when it asks for the enable password
    the switch does not accept any password (either TACACS+ or local credentials).
    I am also able to connect via console by powers exec mode the
    and not by the credentials of the RADIUS server.

    Temp > en
    password:
    % Authentication failure.

    Hey,

    Please share:

    debug aaa authentication
    debug aaa authorization
    debug tacacs

    Regards

    Ed

  • access to AAA server to remote problems

    Hi all. I can ping and trace to this TACACS+ server, but I can't authenticate my telnet users. I configured local AAA fallback so that it tries the remote TACACS+ server several times and then falls back to local. I noticed the logs show TCP FINs. Does that indicate that I am actually reaching the remote server but the server sends a TCP FIN, or is the server simply not available, as indicated by the logs? Why would the server not be accessible if I can ping and trace it?

    I also checked that the NOC extranet firewall accepted my traffic through to the RADIUS server. They pulled the logs showing that my traffic has been accepted.

    February 4, 2011 13:04:12: % ASA-7-609001: built internal local host: AAA_SERVER
    February 4, 2011 13:04:12: % ASA-6-302013: built 24726 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
    February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
    February 4, 2011 13:04:12: % ASA-6-302013: built 24727 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
    February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24726 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/28055 duration 0: 00:00 bytes TCP fins 41
    February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
    February 4, 2011 13:04:12: % ASA-6-302013: built 24728 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/39039 (17.2.2.2/39039)
    February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24727 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/32029 duration 0: 00:00 bytes TCP fins 41
    February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
    February 4, 2011 13:04:12: % ASA-6-302013: built 24729 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/33702 (17.2.2.2/33702)
    February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24728 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/39039 duration 0: 00:00 bytes TCP fins 41
    February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
    February 4, 2011 13:04:12: % ASA-2-113022: AAA marking GANYMEDE + Server AAA_SERVER aaa-server group MYGROUP as being broken
    February 4, 2011 13:04:12: % ASA-4-409023: method of rescue attempt LOCAL AAA for authentication of user vzz19 request: inaccessible Server Auth MYGROUP group
    February 4, 2011 13:04:12: % ASA-6-113015: rejected AAA user authentication: reason = invalid password: local database: user = vzz19
    February 4, 2011 13:04:12: % ASA-6-611102: failed authentication user: Uname: vzz19
    February 4, 2011 13:04:12: % ASA-6-605004: connection refused from 10.2.2.2/26089 to inside:17.2.2.2/telnet for the user "vzz19".
    February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24729 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/33702 duration 0: 00:00 bytes TCP fins 41
    February 4, 2011 13:04:12: % ASA-7-609002: duration of dismantling inside local host: AAA_SERVER 0:00:00

    Here is my aaa config

    aaa-server MYGROUP protocol tacacs+
     max-failed-attempts 4
    aaa-server MYGROUP (inside) host AAA_SERVER
     timeout 3
    aaa authentication telnet console MYGROUP LOCAL
    aaa authentication enable console MYGROUP LOCAL
    aaa accounting command privilege 15 MYGROUP

    I can ping AND trace on the RADIUS server

    ATLUSA01-FW01 # ping AAA_SERVER
    Type to abort escape sequence.
    Send 5, echoes ICMP 100 bytes to AAA_SERVER, wait time is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = ms 02/01/10
    ATLUSA01-FW01 # trace AAA_SERVER

    Type to abort escape sequence.
    The route to 151.162.239.239

    1 17.2.2.3 0 ms 0 ms 0 ms
    2 17.2.2.4 0 ms 0 ms 0 ms - extranet fire barrier
    3 10.4.7.1 0 0 0 ms ms ms
    4 10.4.7.13 0 0 0 ms ms ms
    5 10.4.7.193 0 0 0 ms ms ms
    6 AAA_SERVER (10.5.5.5) 0 ms 10 ms 10 ms

    You'll certainly need the assistance of the AAA administrator; troubleshooting on the AAA client side shows only a fraction of what's going on.

    Ask him or her to do the following:

    The easiest and most important thing is to check the 'failed attempts' log and see whether there is any entry at all for your ASA.

    If there is an entry, it should be self-explanatory, like "Unknown SIN" or "TACACS+ key bad argument" - being convinced of a good config and checking it are two different things.

    I have seen weird things like entering a key on an AAA server via remote desktop where the keyboard settings were inconsistent: English/German, resulting in swapped letters 'Y' and 'Z' - do not trust your config until you have checked it.

    If there is no entry at all, then it could be a device on the path which allows ping/traceroute but drops tcp/49, or a device is translating the address of the ASA (well, in this case you should see an "unknown SIN" in the failed attempts).

    Do you have the possibility to connect a device such as a laptop inside the network of the ASA? If so, try Telnet to tcp/49 of the AAA server; you should see immediately whether tcp/49 is allowed (immediate blank screen = connectivity, timeout = no connectivity).

    That's all you can do on your side; unfortunately the ASA isn't a telnet client.

    Rgds,

    MiKa

  • ACS Cisco 1113 4.2 1113 configure auth. for Infoblox Appl.

    Hello

    I have a problem with Cisco ACS and an Infoblox appliance. We want to authenticate users who log in on the Infoblox through the Cisco ACS. After that, the ACS should respond with authentication (RADIUS) passed and answer with the administrative group name that the user belongs to on the Infoblox. To do this, I have to import a VSA so that the ACS has the option to respond with this group name. On the Infoblox, these groups are already created, and it must be the group that the ACS responds with.

    Now I have imported the VSA and configured an AAA client (Infoblox) to use the new RADIUS (VSA) to support the Infoblox. In the group settings, I enabled the Infoblox-Group_info attribute and filled in the specific group name the authenticated user belongs to. Now, here's the part where the group info is returned, but the Infoblox appliance gives me a RADIUS error response message. As I see in the ACS logs, the user authentication part is fine. So the problem must be in the info the ACS responds with when the user connects.

    I have attached the VSA and a *.pcap from Wireshark to show what is happening.

    Can anyone advise or suggest any option that can make this work?

    With respect,

    Richard Gosen

    Hi Richard,

    Please find attached the accountsActions to remove it, and you can use your original accountsActions to re-add the VSA.

    Hope that works.

  • The AAA reports

    Hi, I need to provide ACS reports that will include all commands captured on firewalls/switches/routers.

    ACS was installed successfully for these network devices, basic AAA is working, I can see failed/passed authentications, different levels of authentication have been correctly configured, but I see only the commands that were denied in the reports (I have tested different user levels). How can I configure AAA to log the commands entered by, e.g., network device admins?

    Hi Ganesh, thanks for reply.

    Unfortunately i am still unable to see executed commands in tacacs+ accounting report. I have all report fields enabled, configuration is the same as you suggested but still no luck.  I setup shell command authorization set and can see if readonly users (which has rights to run only commands in readonly authorization set) trying to execute commands they are not authorize to run but cannot see all commands executed on the switch.

    This is really important to have a record who and when initiated what commands on network devices.

    07/16/2010,09:18:30,AAAServer,GRoup,SWITCHES,CAT3560-T,UserName,192.168.182.1,start,15,,,,,,2,(Default),,,shell,,,,,,,,,,,,,,UTC,,,,,,,,,,,,,,,,,,,,,,,,No,Login,1,6,192.168.182.20,tty1

    Any other suggestions?

    Hello

    If your version of ACS is 4.1, TACACS+ command accounting no longer works. No accounting is visible in the TACACS+ Administration log (bug CSCsg97429).

    Click on this link if you use ACS Solution Engine: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2 and download:

    applAcs_4.1.1.23_ACS - 4.1 - CSTacacs -CSCsg97429.zip

    Hope to help!

    Ganesh.H

    Don't forget to note the useful message

  • Issue of AAA NX-OS

    Hello

    I was creating an AAA configuration on my NX-OS (MDS9148), logged out and attempted to log in to test the AAA connection, and now I can't log in as administrator either! I did not change the local account. I have the Cisco Device Manager open again (on the fabric switch) and I was wondering if anyone had any idea how I can fix this (AAA is not running as of yet with this switch).

    Thank you in advance,

    supercell29

    If I remember correctly, NX-OS should fall back to the local account automatically if AAA is not available. So after you enabled AAA on NX-OS, you could not connect with the local account? I haven't used the Device Manager, but you can try to disable AAA in it and then try again. Furthermore, the link below provides the password recovery procedure.

    http://www.Cisco.com/en/us/partner/docs/switches/Datacenter/SW/password_recovery/nx_os_pw.html

  • AAA on Async lines

    Hello

    We have async lines between 2 sites carrying SCADA-type information flows.

    When we applied TACACS+ AAA to the routers, there was no problem until the lines were reset, so I guess that as EXEC sets up the connection it fails as there is no AAA authentication.

    Due to the criticality of the information I have taken AAA off the routers for now, but I am looking for a long-term solution.

    Can I configure the lines to authenticate locally using a local username/password, or even, for these particular lines, not to authenticate?

    Any help appreciated

    I had a situation that was somewhat similar to yours. Maybe the solution I found might work for your situation. I had async lines that I wanted to authenticate to a server group that was different from what telnet/SSH authentication used. I configured the default aaa authentication to use what I wanted on the asynchronous lines. In your case, you can specify local login to use the local ID and password, or perhaps you can specify none as the authentication method. Then I specified a named authentication method using the other server group and applied the named authentication method on the vty lines.

    HTH

    Rick

  • Activate the ASA system context AAA authentication

    Hello!

    We have an ASA configured in multiple context mode with 8.4(2) software, configured for AAA.

    The admin context configuration is as follows:

    aaa-server TAC protocol tacacs+
    aaa-server TAC (management) host 10.162.2.201
     key *
    aaa authentication enable console TAC LOCAL
    aaa authentication http console TAC LOCAL
    aaa authentication serial console TAC LOCAL
    aaa authentication ssh console TAC LOCAL

    Because of multiple context mode, after login we land in the system context. Console port authentication works very well, except for access to privileged mode when connected through the console port.

    After issuing the 'enable' command, the ASA accepts only the enable secret configured in the system context and changes the user ID to enable_15, so we are unable to do user-level accounting and command authorization.

    It seems that the ASA in the system context is not aware of the AAA configuration, and there is no command to configure AAA in the system context.

    Is there a way to configure AAA enable authentication in the system context?

    Thanks in advance!

    Hello

    It looks like you hit this known issue that follows:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw18455

    Admin context enable mode credentials compared to the system context DB

    Symptom:

    In multi-mode configuration, the credentials a user enters for privileged mode
    (enable mode) via the serial console are not sent to an external
    authentication server.

    Conditions:

    ASA/PIX is in multi mode. Serial console and enable console authentication
    are configured to use an external aaa server in the admin context.

    Workaround:

    Option 1: Configure the enable password in the system context.
    Option 2: Avoid the use of the serial console interface and rely on telnet
    or ssh console access. For ssh or telnet consoles, attempts to enter
    enable mode are authenticated as specified by the aaa configuration in
    the "admin" context.

    Further description of the problem:

    When authentication is enabled for the serial console and enable console in
    the admin context via an external aaa server (for example: radius or TACACS+), serial
    console login is checked against the external aaa server, but the enable mode
    credentials are compared with the enable db in the system context.

    Hope that clarifies it. Unfortunately there is no solution for this problem.

    Kind regards.

  • Role-based CLI views with AAA method

    Hello

    I'm configuring role-based CLI views on a router to limit users' access.

    My criteria:

    -There should be a local user account on the router that has the view 'service' attached

    -If the router is online and can reach the radius server, people in the right group are assigned to the view 'service'.

    My configuration:

    aaa new-model
    enable secret 1234
    username service view service secret 1234
    !
    aaa group server radius my_radius
     server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
     server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234
    !
    aaa authorization console
    aaa authentication login mgmt group my_radius local
    aaa authorization exec mgmt group my_radius local
    !
    line con 0
     authorization exec mgmt
     logging synchronous
     login authentication mgmt
    line vty 0 4
     authorization exec mgmt
     logging synchronous
     login authentication mgmt
     transport input ssh

    THE ERROR

    Now, I want to go and set up the cli view "service"...

    # enable view

    Password: 1234

    * 08:00:02.991 Jun 1: AAA/AUTHENTIC/SEE (0000000 D): method of picking list "mgmt".
    * Jun 1 08:00:02.991: RADIUS / ENCODE (0000000D): ask "" password: ".
    * Jun 1 08:00:02.991: RADIUS / ENCODE (0000000D): upload the package. GET_PASSWORD
    * 08:00:21.011 Jun 1: RADIUS: receipt id 1645/13 10.1.1.1:1645, Access-Reject, len 20

    Questions

    Why is "enable view" trying to pick a method list when you need to provide the enable secret to access the root view?

    Can you change this behavior to always use the enable secret?

    The TEMPORARY Solution

    If you are connected to the router via telnet or SSH, the solution or workaround for this problem is:

    aaa authentication login VIEW_CONFG local
    !
    line vty 0 4
     login authentication VIEW_CONFG

    Make your view configuration and reconfigure the line to use the correct (desired) authentication method.

    ________________________________

    Thanks a lot for the suggestions

    / ENTOMOLOGIST

    Hello

    You have configured the following:

    aaa authentication login mgmt group my_radius local
    aaa authorization exec mgmt group my_radius local

    line con 0
     authorization exec mgmt
     logging synchronous
     login authentication mgmt
    line vty 0 4
     authorization exec mgmt
     logging synchronous
     login authentication mgmt
     transport input ssh

    So every time you try to connect to the console or ssh, authentication will go to the radius server because of the following command 'login authentication mgmt'.

    You can get there. Whatever is set first on the method list mgmt will take precedence.

    The enable secret is defined locally, but you have configured the following:

    aaa authorization exec mgmt group my_radius local

    line con 0
     authorization exec mgmt

    line vty 0 4
     authorization exec mgmt

    So exec mode is also via the radius server.

    When you set up:

    aaa authentication login VIEW_CONFG local
    !
    line vty 0 4
     login authentication VIEW_CONFG

    You do local authentication, so it works the way you want.

    In short, whatever authentication is set first on the method list will take priority. The fallback will be checked only if the first aaa server is not accessible.

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.
