TACACS Config question
Hello
This is the configuration for TACACS, but authentication is not working.
aaa new-model
!
!
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 14.24.6.8
tacacs-server host 17.24.66.1
tacacs-server timeout 1
tacacs-server directed-request
The problem needs to be resolved.
Thanks in advance.
Regards
Dhananjay.M
A number of things to check before we start troubleshooting:
1.] tacacs-server timeout 1 ->> this is the interval the AAA client waits for the server to respond. 1 sec is too aggressive; I don't know what prompted you to configure this. Please define at least 5 seconds.
2.] Have you configured the shared secret on the AAA client?
Run debugs on the switch/router, try to log in with TACACS credentials and paste the o/p here.
debug tacacs
debug aaa authentication
~ BR
Jatin kone
* Please rate helpful posts *
Tags: Cisco Security
Similar Questions
-
TACACS+ Config questions
3750 running IOS 15.0(2)SE4 with TACACS: when I enter "tacacs-server host X.X.X.X" I get "the cli will be deprecated soon". Please advise.
check CSCty69125
-
Having trouble with a TACACS config...
I can SSH into my 3560 switch with a configured TACACS username/password, but commands such as write mem or dir display an error message:
The command 'write' is not allowed for the user [user_name] and client [ip address]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
Hi Rob,
Since everything is TACACS+ specific, if the command is not authorized this has to be checked on the TACACS+ server.
What TACACS+ server are you using?
Regards
Ed
-
My MXL blades have been set up by Dell Technology Services and work fine, but I would like to make a few changes now, and not being a network engineer I have a problem with the docs I could find on the Force10 config. Specifically, I want to do 3 things:
(1) change the SSH root password
(2) remove a port from a LAG (port channel) group
(3) add a new VLAN to some ports on the switch, including the one I just removed from the LAG, but leave the LAG out of the new VLAN
Can someone point me to a doc that explains how to do these kinds of things?
Also, is it possible to access the console somehow by SSH through the CMC? I swear I've seen Dell Tech Services people do it somehow, but I don't know how they did it. Maybe I misunderstood what they were doing. It would be nice not to have the config IP addresses exposed and to control access through the CMC permissions.
Thank you.
Hi amunter,
You can SSH to the CMC and use racadm commands to set it up. You just need to use PuTTY or another terminal program and connect to the CMC host name or IP address.
You should be able to change the password this way:
(Force10)>enable
(Force10)#config
(Force10)(config)#username admin password un_mot_de_passe
You can remove a port from a port channel in the port-channel interface using the command no channel-member interface
Page 395
You can assign a VLAN to a port with the command interface vlan vlan-id
Page 910
-
Hi all,
New to Cisco IOS, I have a Cisco 2811 router with 2 ethernet ports.
Here is my config:
2 ethernet ports on my router
Port 0/0 directly connected to the ISP link
WAN IP is configured as 122.183.1xx.6 and the gateway is 122.183.1xx.5
Port 0/1 connected to my local network, which is the 192.168.1.0 network
LAN port 0/1 IP is 192.168.1.200
Internet works fine
-----------------------------------------------------------------------------------------------------------
If I do a "what is my IP address" lookup?
I get the IP as 122.183.1xx.42
My ISP says it's a pool of LAN IPs:
122.183.1xx.43 - 47
----------------------------------------------------------------------------------------------------------
Now, how do I view my DVR from outside my network?
Do I need NAT to view my DVR?
If I use a DynDNS ID, does my 2811 router filter port 37777? How do I open the port?
DVR IP is 192.168.1.242, port number is 37777
What is the procedure to NAT to a static IP from my ISP's pool? How do I unblock port 37777?
Help me sort it out...
Thank you...
Have you tried the previous suggestion? I asked for it but I don't see it all.
To check whether your ISP blocks it or not, do the following:
1. Create an ACL as follows:
access-list 199 permit tcp any host 122.183.1xx.43 eq 37777 log
access-list 199 permit ip any any
2. Apply it to the external interface:
Router(config)# int fa0/1
Router(config-if)# ip access-group 199 in
3. Now telnet from outside to 122.183.1xx.43 on port 37777.
4. Check whether the packets hit your box by running the following command:
show ip access-list 199
If you see the hit counters increasing on the first ACL line, it means your ISP does not block the traffic.
After doing this, please send the latest config.
-
ASA5520 failover Config Question
Can I use the same interface for the failover LAN cable and the state sync?
I currently have the following config, but I really need another interface for a DMZ, so I would like to consolidate the LAN failover interface and the state link interface if possible. Would they use the same IP addresses, if this scenario is a valid option?
-----
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link FWstate GigabitEthernet0/2
failover interface ip failover 10.2.0.1 255.255.255.0 standby 10.2.0.2
failover interface ip FWstate 10.2.1.1 255.255.255.0 standby 10.2.1.2
Basically, I'm asking whether the following will work:
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link FWstate GigabitEthernet0/3
failover interface ip failover 10.2.0.1 255.255.255.0 standby 10.2.0.2
failover interface ip FWstate 10.2.0.1 255.255.255.0 standby 10.2.0.2
It is possible, but do not duplicate the failover interface address. Use the following config:
failover lan unit primary
failover lan interface FAIL GigabitEthernet0/3
failover link FAIL GigabitEthernet0/3
failover interface ip FAIL 10.2.0.1 255.255.255.0 standby 10.2.0.2
mikrobi,
-
Need Extra pair of eyes to look over the VPN config question...
I have a 515 and 3 501s. I currently have 2 VPNs working well. I'm having a bit of a time getting the 3rd VPN up. I checked that the same key is used in both configs. I know I'm missing something simple here, but I can't see it...
515:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
...
hostname YRPCI
domain-name xxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
fixup protocol ftp 22
names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice (this is the local device)
name x.x.152.238 Savannah
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.53.0
access-list acl_outbound permit tcp host 192.168.50.11 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip host MainOffice any
access-list acl_inbound permit tcp any any eq ssh
access-list acl_inbound permit tcp any host MainOffice eq pop3
access-list acl_inbound permit tcp any host MainOffice eq smtp
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any echo outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list 100
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.11 smtp netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set RIGHT esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address 102
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set RIGHT
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set RIGHT
crypto map vpn1 30 ipsec-isakmp
crypto map vpn1 30 match address 103
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer Savannah
crypto map vpn1 30 set transform-set RIGHT
crypto map vpn1 interface outside
isakmp enable outside
isakmp key * address ConstOffice netmask 255.255.255.255
isakmp key * address BftOffice netmask 255.255.255.255
isakmp key * address Savannah netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 20
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname yearround1
vpdn group pppoex ppp authentication pap
vpdn username yearround1 password *
terminal width 80
Cryptochecksum:849d6fdb066c58cf7cfe868b6109145c
: end
501: (VPN is not working)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 7RD3DIuHCed/Bft9 encrypted
passwd 7RD3DIuHCed/Bft9 encrypted
hostname Savannah
domain-name yrpci.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.152.238 Savannah
name x.x.71.7 MainOffice
access-list acl_outbound permit ip 192.168.53.0 255.255.255.0 any
access-list acl_outbound permit ip host MainOffice 192.168.53.0 255.255.255.0
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip x.x.152.0 255.255.252.0 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit ip host Savannah 192.168.50.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.53.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.53.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.152.1 1
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set RIGHT esp-des esp-sha-hmac
crypto map vpn1 30 ipsec-isakmp
crypto map vpn1 30 match address 101
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer MainOffice
crypto map vpn1 30 set transform-set RIGHT
isakmp enable outside
isakmp key * address MainOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 192.168.53.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
dhcpd address 192.168.53.55-192.168.53.60 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:57589b8bf8636b0a7f8a2d5a5e582649
: end
Thanks for your help in advance guys.
Dave
I think the following should be added to the config of the 501:
crypto map vpn1 interface outside
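As an added illustration (not code from either thread), the following Python linter encodes the checks the two replies make by hand: for the TACACS thread at the top of the page, a tacacs-server timeout below 5 seconds and a missing shared secret; for this PIX thread, a crypto map that is fully defined but never bound to an interface. The sample configs are constructed after the posted ones, and the key value used in the test is a placeholder.

```python
"""Lint Cisco IOS AAA and PIX crypto-map config for the faults raised in two threads."""
import re

# Constructed sample modelled on the TACACS thread's config: servers are defined
# and referenced, but the timeout is 1 second and no shared secret is configured.
IOS_AAA = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server host 14.24.6.8
tacacs-server host 17.24.66.1
tacacs-server timeout 1
"""

# Constructed sample modelled on the 501's crypto config: a complete crypto map
# entry that is never applied to an interface.
PIX_501 = """
crypto ipsec transform-set RIGHT esp-des esp-sha-hmac
crypto map vpn1 30 ipsec-isakmp
crypto map vpn1 30 match address 101
crypto map vpn1 30 set peer MainOffice
crypto map vpn1 30 set transform-set RIGHT
isakmp enable outside
"""


def _lines(config):
    return [l.strip() for l in config.splitlines() if l.strip()]


def lint_aaa(config, min_timeout=5):
    """Return findings for an IOS AAA block that uses TACACS+."""
    findings = []
    lines = _lines(config)
    uses_tacacs = any(re.search(r"\bgroup tacacs\+", l) for l in lines)
    hosts = [l for l in lines if l.startswith("tacacs-server host ")]
    if uses_tacacs and not hosts:
        findings.append("group tacacs+ is referenced but no tacacs-server host is defined")
    # The shared secret may be global ('tacacs-server key') or given per host.
    has_global_key = any(l.startswith("tacacs-server key ") for l in lines)
    all_hosts_keyed = bool(hosts) and all(" key " in l for l in hosts)
    if hosts and not (has_global_key or all_hosts_keyed):
        findings.append("no shared secret: add 'tacacs-server key' or a per-host key")
    for l in lines:
        m = re.match(r"tacacs-server timeout (\d+)$", l)
        if m and int(m.group(1)) < min_timeout:
            findings.append(
                f"tacacs-server timeout {m.group(1)} is too aggressive; use at least {min_timeout}"
            )
    return findings


def lint_crypto_map(config):
    """Return findings for PIX/ASA crypto maps: unbound maps and incomplete entries."""
    findings = []
    defined, bound, entries = set(), set(), {}
    for l in _lines(config):
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", l):
            defined.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) interface \S+$", l):
            bound.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set)\b", l):
            entries.setdefault((m.group(1), m.group(2)), set()).add(m.group(3))
    for name in sorted(defined - bound):
        findings.append(f"crypto map {name} is defined but never applied with 'crypto map {name} interface <if>'")
    for (name, seq), have in sorted(entries.items()):
        for need in ("match address", "set peer", "set transform-set"):
            if need not in have:
                findings.append(f"crypto map {name} {seq} lacks '{need}'")
    return findings


if __name__ == "__main__":
    for label, result in (("IOS AAA", lint_aaa(IOS_AAA)), ("PIX 501", lint_crypto_map(PIX_501))):
        print(label, "->", result or ["OK"])
```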
-
IPSec site to site config question
Hi all
I want to configure a site-to-site VPN between a Cisco 871w and Openswan on CentOS.
I found that I can just press 'Enter' after the command:
"crypto ipsec transform-set test esp-aes 256"
In my mind, I know that IPsec can be configured with encryption only in the ESP protocol. So what happens if there is no HMAC for auth in this scenario?
Will a default hash method (HMAC) be used, or something else?
Thank you
Drank Breya
If you do not configure an HMAC for your IPsec security associations, then no HMAC is used. That should NEVER be done! There are examples on ORC showing encryption without authentication, and older versions of the official Cisco Firewall courses also did that. But it is an insecure config because there are known attacks against IPsec if you are not using authentication. Always use ESP with an HMAC!
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
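To make the reply's point concrete, here is an added example (not from the thread) that models an ESP-style packet with a constructed stand-in cipher: with encryption only, a byte corrupted in transit decrypts to a different value that the receiver accepts, while an esp-sha-hmac style ICV makes the receiver drop the packet. Keys, nonce and payload are constructed for the demo.

```python
"""Why ESP without an HMAC is dangerous: modification goes unnoticed.

Toy model of an ESP-style packet using only the standard library. The cipher is
a constructed keystream (HMAC-SHA256 in counter mode) standing in for the ESP
cipher; the integrity check is a truncated HMAC-SHA256, as in esp-sha-hmac.
"""
import hashlib
import hmac

# Constructed demo keys; a real SA derives these from IKE.
ENC_KEY = b"constructed-encryption-key-demo"
AUTH_KEY = b"constructed-integrity-key-demo"
NONCE = bytes(8)  # fixed so the demo is reproducible; real ESP uses a fresh IV per packet
ICV_LEN = 12      # esp-sha-hmac truncates the HMAC to 96 bits


def keystream(key, nonce, length):
    """Constructed stream cipher: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_protect(payload, auth_key=b""):
    """Encrypt the payload; append an ICV only when an integrity key is configured."""
    ct = bytes(p ^ k for p, k in zip(payload, keystream(ENC_KEY, NONCE, len(payload))))
    icv = hmac.new(auth_key, NONCE + ct, hashlib.sha256).digest()[:ICV_LEN] if auth_key else b""
    return NONCE + ct + icv


def esp_unprotect(packet, auth_key=b""):
    """Verify the ICV (if configured) and decrypt; return None when the packet must be dropped."""
    nonce, rest = packet[:8], packet[8:]
    if auth_key:
        ct, icv = rest[:-ICV_LEN], rest[-ICV_LEN:]
        expected = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None
    else:
        ct = rest  # encryption only: nothing to check, everything decrypts "successfully"
    return bytes(c ^ k for c, k in zip(ct, keystream(ENC_KEY, nonce, len(ct))))


def receiver_accepts(use_hmac):
    """Protect a payload, corrupt one ciphertext byte in transit, return what the receiver accepts."""
    auth_key = AUTH_KEY if use_hmac else b""
    payload = b"amount=00100"
    pkt = bytearray(esp_protect(payload, auth_key))
    # Corrupt the ciphertext byte that hides the digit '1'.
    pkt[8 + payload.index(b"1")] ^= ord("1") ^ ord("9")
    return esp_unprotect(bytes(pkt), auth_key)


if __name__ == "__main__":
    print("encryption only  :", receiver_accepts(use_hmac=False))  # b'amount=00900'
    print("with esp-sha-hmac:", receiver_accepts(use_hmac=True))   # None (dropped)
```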
-
New to VM, network config question
I have a question about networking on a virtual machine host. I'm pretty new to VMs, so forgive me if this is a stupid question or if it's in the wrong forum.
I have a single VM host with ESXi 5 running several Win2008 servers. The physical network switch is a 48-port 10/100 with 2 gigabit ports. The physical host has 4 gigabit NICs. Is it better to run 4 NICs at 100 Mb/s or two at gigabit? What about running 2 NICs in each (2 gigabit and 2 at 100)? How do I configure it?
I'm just trying to see what options are available to me with this and what the preferred configuration is.
Thank you!
So you can plug them into the 1 GB ports; you don't need all the traffic flowing on 1 GB uplinks, and host-to-host traffic will be at least 1 GB speed.
Your host-to-workstation traffic will flow at 100 MB max.
Personally, I would look at picking up a new switch if budgets permit. You can get a 48-port gigabit switch for about £180, or if you don't need all 48 ports you can get a smaller one much cheaper.
Kind regards
Simon Greaves
www.simongreaves.co.UK
-
What does this line in the config do? GSM.MaterialSpec.AnalyticalProperty.CofA.Enabled = False
We no longer see Country of Origin in the failure column. Here's what we currently have in the config.
GSM.MaterialAttribute.CountryOfOrigin.Enabled = True
GSM.MaterialSpec.AnalyticalProperty.CofA.Enabled = False
Please set GSM.MaterialSpec.MaterialBreakdowns.MaterialBreakdown.COO.Enabled to true, then reset IIS and re-test.
-
Moving storage from FC to NFS, have a network config question
I have a lot of hosts running ESX 3.5 U3, 4 NICs each... 1 for SC, 2 for VMs, 1 for SC2 and VMotion. My question is: when I go to use NFS storage, I should use the vswitch which has the VMkernel port configured on it, correct? And I can only have one VMkernel port on a host, correct? If both of those are right, then I would have my VMotion and NFS storage traffic on the same vswitch (NIC), correct? For my tests, I added a quad-port NIC to a couple of hosts and planned on adding these NICs to the existing SC2/VMotion vswitch.
current:
vmnic0 = SC (vswitch0)
vmnic1 = VM (vswitch1)
vmnic2 = VM (vswitch1)
no NIC = network (vswitch2)
vmnic3 = VMotion/SC2/NFS (vswitch3)
Futures:
vmnic0 = SC (vswitch0)
vmnic1 = VM (vswitch1)
vmnic2 = VM (vswitch1)
no NIC = network (vswitch2)
vmnic3 = unassigned or add to VM vswitch network
vmnic4 = VMotion/SC2/NFS (vswitch3)
vmnic5 = VMotion/SC2/NFS (vswitch3)
vmnic6 = unassigned or add to vswitch3
vmnic7 = unassigned or add to vswitch3
Comment at will!
You can have multiple vmkernel ports, but not on the same subnet. If you segment your NFS traffic onto a separate network, you can create another vmkernel port to take advantage of it that way.
In addition, the only reason to have multiple SC ports is if you don't trust your switch VLAN configuration. To provide redundancy, I pair a 2nd NIC with the first SC port and get hardware redundancy rather than adding complexity with a 2nd service console IP. Then use a 2nd pair for VMotion, a 3rd pair for VM traffic and a 4th pair for NFS. That would give you redundancy at each layer, and if you use separate network segments for each type of data, it provides a better level of security as well.
-KjB
-
Where is the DNS stored? HA config question
I have 6 ESX 3.5 hosts on a private network. Not using DNS.
I added the IP addresses and host names to all hosts, including VC, and confirmed that they can ping each other by host name.
HA configuration always fails with an error. When I go into the properties of the VMotion switch in VC and look at the DNS configuration tab, there is:
Name: mktgvmw20 (correct)
Domain: empty (correct)
Preferred DNS: 192.168.10.1 (not good)
I want my preferred DNS to say nothing. I have 3 other hosts configured this way and they are working with HA, but I can't figure out how to remove this DNS entry. When I try using VC in this window, it says "the domain name is not in the correct format" and doesn't save any changes I make to the DNS Configuration tab. I don't want a domain name in there.
Where in ESX can I manually remove the preferred DNS entry? Thank you.
Check /etc/resolv.conf
-
Hi all
I have an MD3200i with dual RAID controller modules and 2 hosts. I want to reach the maximum connection speed that I can with the 8 x 1 GB iSCSI ports on the MD3200i.
If both of my hosts each had 8 network ports, with switches between the two, could I theoretically reach 2 x 4 GB links from each host to the MD3200i? (1 x 4 GB using MPIO to each RAID controller module per host)
If RAID controller module 0 port 0 has IP 192.168.130.101, can it serve 2 separate servers on different hosts with IPs 192.168.130.103 and 192.168.130.104?
Hope it makes sense.
Thank you
You can have up to a 4 Gbit "pipe" to a single controller with the right settings. You'll want to use 4 subnets for sure, and definitely use decent to good (dedicated) switches for iSCSI.
To get an idea of which switches are decent, see the Dell EqualLogic support matrix, available at en.community.dell.com/.../2661.equallogic-compatibility-matrix-06192013.aspx.
-
3495 initial ISE server config question
Hello
I have to power up a 3495 secure server for the first time in two weeks. I spent time reviewing the online documentation for this. I think it is a little vague.
When I first power on the server, it tells me it will automatically run a "setup" program. How do I view this? Do I need a monitor, keyboard and mouse for the 3495, or can I connect using a network terminal program?
Any ideas?
Please see the quick start guide below
http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-2/installation_guide...
-
I bought 2 SG500X switches that I will stack and connect to a NAS at 10G. I need to buy some transceivers. The documentation has confused me. I just want to make sure I can use SFP-10G-SR both to stack and to interface to the NAS: S1/S2 for the stacking and XG1/XG2 to connect to the NAS, all at 10G.
The SG500X-48 supports 4 10-gig ports and 2 combo ports for 5 gig (the 5 gig is kinda useless if you have 10 gig modules), so yes, you should be able to stack at 10 gig and connect the NAS simultaneously.
-Tom
Please rate helpful posts