Shared secret mismatch in DB replication

I am implementing database replication between two Cisco ACS SE 1113 appliances running ACS version 4.2.0.124. It fails with the error message "Shared Secret Mismatch", although the secret is the same on both boxes. Any idea what the problem could be?

Hello

You need to clear the 127.0.0.1 IP entry on the appliance. Please refer to this link:

http://tinyurl.com/yg2h8eq

You must restore the appliance's backup onto an ACS installation on Windows.

Kind regards

~ JG

Please rate useful posts

Tags: Cisco Security

Similar Questions

  • What is the shared secret key when connecting to a VPN, and where can I find or create it?

    I'm hosting a VPN server on my Windows computer. But when I try to connect, I can't understand what the "shared secret key" it asks for is, or where I can find it. I searched in many places. Please tell me where I can find it and where I can create it. Thank you!

    The shared secret is a sort of password. It is defined by the VPN server, so that would be the place to start looking. Personally, I have no experience running the Windows Server VPN service, so I can't be more specific, but I hope that points you in the right direction.

  • API connection with a shared secret instead of a password

    Is it possible to connect to Connect via an API call using a shared secret instead of a password? All of the examples I see use the password value in the login action, but I think that if a shared secret value is set, there should be an option for this as well.

    You can talk to Platinum Support (you should be on a licensed deployment since you are using SSO) and see if they have any methods to do this. It may just be something that's not in the API documentation.

  • Does a 20-byte shared secret work with GBLink v4?

    The Technical Reference Guide documentation is a little sparse on GBLink version 4 (most of the references are to version 3). Can I use the distributor's full 20-byte shared secret when I build the URL parameters for Content Server 4's GBLink implementation? I use the following ColdFusion code to generate the URL:

    <cfscript>
    action       = "enterorder";
    ordersource  = "test";
    orderid      = "123456789";
    resid        = "urn:uuid:f65407dc-1558-ce72-4facefbfcc544fdf";
    rights       = "$prn##0$";   // ## is an escaped # inside a ColdFusion string
    sharedSecret = "o95AO5FaTdxkpaPzHXCXMve1fBU=";

    // Base URL (replace <acs server> with the Content Server host)
    baseUrl = "http://<acs server>/fulfillment/URLLink.acsm?";

    // URL parameters
    params  = "action=" & action;
    params &= "&ordersource=" & UrlEncodedFormat(ordersource);
    params &= "&orderid="     & UrlEncodedFormat(orderid);
    params &= "&resid="       & UrlEncodedFormat(resid);
    params &= "&rights="      & UrlEncodedFormat(rights);
    params &= "&gbauthdate="  & UrlEncodedFormat(DateFormat(Now(), "m/d/yyyy") & " " & TimeFormat(Now(), "H:mm") & " UTC");
    params &= "&dateval="     & UrlEncodedFormat(DateDiff("s", CreateDate(1970,1,1), Now()));
    params &= "&gblver=4";

    // Calculate HMAC-SHA1 over the URL parameters
    key = createObject("java", "javax.crypto.spec.SecretKeySpec").init(
              JavaCast("string", sharedSecret).getBytes("iso-8859-1"), "HmacSHA1");
    mac = createObject("java", "javax.crypto.Mac").getInstance(key.getAlgorithm());
    mac.init(key);
    mac.update(JavaCast("string", params).getBytes("iso-8859-1"));

    // Convert the MAC bytes to lowercase hex
    auth = LCase(BinaryEncode(mac.doFinal(), "Hex"));

    // auth parameter
    authParam = "&auth=" & auth;

    // Assemble the final URL
    finalUrl = baseUrl & params & authParam;
    </cfscript>

    Yes. The difference between v3 and v4 is which part of the shared secret is used: for v3 it is the first 16 bytes, for v4 it is the full 20 bytes.
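As an added example (not part of the thread and not the poster's ColdFusion code), the same URL signing in Python: it builds the query string in the posted order, derives the HMAC-SHA1 key from the base64 shared secret the way the answer describes (first 16 decoded bytes for gblver=3, all 20 for gblver=4), and adds the check a fulfillment server would run on the incoming URL. Assumptions, not from the page: the shared secret is base64-decoded before use (the posted code feeds the base64 text itself to the MAC), the 20-byte keys and the server host name are constructed, and the verification function is mine.

```python
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed values (not the poster's real secret or server): a 20-byte key,
# base64-encoded the way the thread shows the GBLink shared secret, and a second
# key to demonstrate a mismatch.
SAMPLE_SECRET_B64 = base64.b64encode(bytes(range(1, 21))).decode()
OTHER_SECRET_B64 = base64.b64encode(bytes(20)).decode()
SAMPLE_BASE_URL = "http://acs.example.invalid/fulfillment/URLLink.acsm?"
SAMPLE_ORDER = {
    "action": "enterorder",
    "ordersource": "test",
    "orderid": "123456789",
    "resid": "urn:uuid:f65407dc-1558-ce72-4facefbfcc544fdf",  # resid from the posted code
    "rights": "$prn#0$",
}


def hmac_key(secret_b64, gblver):
    """Key material per the answer above: v3 signs with the first 16 bytes of the
    decoded secret, v4 with all 20. Decoding the base64 first is an assumption."""
    raw = base64.b64decode(secret_b64)
    if len(raw) != 20:
        raise ValueError("shared secret must decode to exactly 20 bytes")
    return raw[:16] if gblver == 3 else raw


def build_params(order, gblver, now):
    """Query string in the same order as the posted ColdFusion code.
    `now` is a POSIX timestamp so results are reproducible."""
    ts = time.gmtime(now)
    gbauthdate = "%d/%d/%d %d:%02d UTC" % (ts.tm_mon, ts.tm_mday, ts.tm_year, ts.tm_hour, ts.tm_min)
    parts = [
        "action=" + order["action"],
        "ordersource=" + quote(order["ordersource"], safe=""),
        "orderid=" + quote(order["orderid"], safe=""),
        "resid=" + quote(order["resid"], safe=""),
        "rights=" + quote(order["rights"], safe=""),
        "gbauthdate=" + quote(gbauthdate, safe=""),
        "dateval=%d" % calendar.timegm(ts),
        "gblver=%d" % gblver,
    ]
    return "&".join(parts)


def sign_params(params, secret_b64, gblver):
    """HMAC-SHA1 over the ISO-8859-1 bytes of the query string, lowercase hex."""
    key = hmac_key(secret_b64, gblver)
    return hmac.new(key, params.encode("iso-8859-1"), hashlib.sha1).hexdigest()


def build_fulfillment_url(base_url, order, secret_b64, gblver, now):
    params = build_params(order, gblver, now)
    return base_url + params + "&auth=" + sign_params(params, secret_b64, gblver)


def verify_fulfillment_url(url, secret_b64):
    """Server-side check: recompute the MAC over everything before '&auth=' and
    compare in constant time, so a wrong or truncated secret is rejected."""
    query = url.split("?", 1)[1]
    params, sep, auth = query.rpartition("&auth=")
    if not sep:
        return False
    gblver = 4 if "gblver=4" in params.split("&") else 3
    expected = sign_params(params, secret_b64, gblver)
    return hmac.compare_digest(expected, auth)


if __name__ == "__main__":
    url = build_fulfillment_url(SAMPLE_BASE_URL, SAMPLE_ORDER, SAMPLE_SECRET_B64, 4, 1300000000)
    print(url)
    print("verifies with the right secret:", verify_fulfillment_url(url, SAMPLE_SECRET_B64))
    print("verifies with another secret:", verify_fulfillment_url(url, OTHER_SECRET_B64))
```

The server-side check is the part worth keeping in mind when reading the "16 versus 20 bytes" answer: if the signer and the verifier disagree on which bytes of the secret form the key, every URL fails verification even though both sides hold the same secret, which looks exactly like a mismatched secret.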

  • Can a site-to-site VPN with a shared secret co-exist with a RADIUS-authenticated remote access VPN?

    Hello

    I have a site-to-site VPN set up between two offices on PIX 515Es (v6.2 software) and have recently added a vpngroup/shared-secret based remote access VPN to one of the offices. Since that just required me to add a few different policies to my existing crypto map, it was straightforward and easily implemented. For more security, I want to use a RADIUS server to give each remote user their own login and profile rather than one group password configured on all of them. To do this, however, it seems that I have to add the following additional commands to my existing crypto map:

    crypto map mymap client configuration address initiate

    crypto map mymap client authentication RADIUS

    These do not specify the policy number (my site-to-site is policy 10, and remote access is policy 20), so I don't know what the effect would be if I added them. Would it cause my site-to-site connection to request RADIUS authentication (a very bad thing)? If so, do I need another interface to bind a new crypto map to? Any answer to this would be greatly appreciated!

    Also, if anyone knows of an example configuration for a similar setup that I could look at, please let me know! Thank you.

    -A.Hsu

    For the site-to-site connection, you change the isakmp key line and add the parameters "no-xauth no-config-mode" at the end of it, which tells the PIX not to do RADIUS authentication or assign an IP address, etc. for that specific site-to-site tunnel.

    Example config is here:

    http://www.Cisco.com/warp/public/110/37.html

    Note that it doesn't show the command options I just mentioned; I just sent an email to the web guys to fix this. Basically, your config will look like that, with the "no-xauth no-config-mode" options on the "isakmp key ... address x.x.x.x" line for the LAN-to-LAN tunnel.

  • ACS appliance 4.2 - internal database replication problem

    Hello

    I'm Yunchoul Jung in Korea.

    Now I'm setting up ACS appliance 1113 ver 4.2.

    In internal database replication, the primary and secondary ACS servers cannot replicate the database because of the SELF (127.0.0.1) entry created by default in the network configuration.

    So I have a question: how do I replace the 127.0.0.1 address with the IP address I want, or delete the SELF (127.0.0.1) entry?

    I don't understand the solution procedure in the documentation below.

    Thank you for your help in advance.

    Problem: 127.0.0.1 is a reserved address

    You have two ACS SE 1113 units and replicate the internal database from the primary to the secondary,

    but you notice this error message on the secondary unit:

    ACS database replication denied - inbound shared secret mismatch

    When you try to change the key of the AAA server under Network Configuration, an error message is

    returned.

    This is due to a known bug,

    Symptom: 127.0.0.1 address appears in ACS and replication fails

    Conditions:

    Install ACS S/W version 4.2.0.124

    Disable the network adapter

    Enable the network adapter

    * Go to the network settings page.

    * You should see the AAA server IP set to a loopback address

    Workaround:

    For Windows: remove the 127.0.0.1 entry

    For the appliance: back up the database, install ACS on Windows, restore, delete the entry, make a backup and restore it on the appliance

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCso39795

    Kind regards

    ~ JG

    Please rate useful posts

  • Where is the shared secret field for the ACS 5.3 server itself?

    Hello

    We currently have a distributed PR and DR ACS 5.3 installation, implemented with TACACS+ and one RADIUS device.

    The RADIUS device is OPNET's AppResponse Xpert Admin. We are trying to integrate AppResponse Xpert Admin with ACS.

    The GUI for AppResponse Xpert Admin asks for the IP address of the RADIUS server (i.e. our ACS), the RADIUS port (i.e. 1812) and a 'secret', which I assume means the shared secret of the ACS itself (not the shared secret used by network devices).

    On our ACS 4.2 systems, we have a field for a shared secret on the ACS server itself (to allow replication?).

    Using the search function for "Shared Secret" in the PDF "User Guide for Cisco Secure Access Control System 5.3" only found references to defining one for network devices and not one for the ACS itself.

    Is a shared secret for the ACS server still relevant for the ACS 5.x system?

    Hi Stuart,

    To answer your question:

    There is no shared secret for the ACS itself.

    If the ACS needs to communicate with another device, you must define an AAA client and define a shared secret.

    ACS 4 used this shared secret to protect/secure replication; ACS 5 secures replication by encryption and not by shared secrets (hash).

    Rate if useful

  • Replicate VMs with FT and VMs with a shared virtual disk using SRM with vSphere Replication

    I have a VM with FT configured on it. Now, can I replicate the virtual machine with SRM using vSphere Replication? I have not configured array-based replication. Similarly, I have two DB VMs in a cluster, but they share a virtual disk between them. Can I replicate these DB VMs with vSphere Replication?

    Your valuable contribution is much appreciated.

    I got the answer: for replication of a virtual machine with FT or a shared virtual disk, do SRM with array-based replication. vSphere Replication cannot replicate a virtual machine with FT or a shared disk.

  • Problem with ACS 4.2 database replication

    Greetings,

    I'm not able to replicate data between two ACS SE 4.2. I get the following error:

    Inbound database replication from ACS 'ACS_BEX_001' denied - shared secret mismatch.

    Apparently, the configuration is OK. I enclose the configuration of these two ACS.

    Hello

    The problem you see is because the Self entry on each ACS is set to 127.0.0.1. For replication to work, you must set all 4 ACS entries to the same shared secret, even the self ones. The problem is that when you try to change these entries, it will tell you that you can't use 127.0.0.1, but it also won't let you change the IP address.

    The bug ID for this problem is CSCso36620. The workaround states that from the CLI, you can use the "set ip" command to put the IP address in during the initial setup period and it should update the self entry in the GUI. At this point, you should be able to update the shared secret on all 4 devices.

    Let me know if you have problems making it work.

    Thank you

    Nevin

  • Shared secret and iTunes application account

    I am new to this and will build my first multi-folio app.
    I created an Application account. The customer wants all the folios to be completely free to download. Do I still have to fill in the iTunes shared secret?

    Grateful for a quick response; I have a deadline around the corner.
    Thanks in advance

    Sincerely

    Ake

    No, you don't need a shared secret for free folios. Publish your folios as "Public and free."

  • ASA as a RADIUS client in ACS

    Hi all

    I added the ASA (version 8.0) as a RADIUS client to the ACS (version 4.2) server. When I do "test aaa-server authentication" on the ASA and run 'debug radius', I get this error message:

    test aaa-server authentication ACS host 10.1.2.25 username test password test
    INFO: Attempt to <10.1.2.25>IP address authentication test (timeout: 12 seconds)
    Ray mkreq: 0x6cb
    alloc_rip 0x29f79044
    new application 0x6cb--> 221 (0x29f79044)
    obtained the user 'test '.
    has obtained the password
    add_req 0x29f79044 0x6cb 221 session id
    RADIUS_REQUEST
    RADIUS.c: rad_mkpkt

    RADIUS packet decode (authentication request)

    --------------------------------------
    Raw packet data (length = 62)...
    01 dd 00 3e 11 76 77 e4 4d 02 13 50 49 4e 6f 7c |  ...>.vw.M..PINo|
    05 5a 8b 68 01 06 74 65 73 74 02 12 11 ca 28 65 |  .Z.h..test...(e
    a4 49 ee 8a 76 46 29 10 3e f9 3f 1f 04 06 ac 1b |  .I..vF).>.?.....
    fb 02 05 06 00 00 00 28 3d 06 00 00 00 05       |  .......(=.....

    Packet analyzed data...
    RADIUS: Code = 1 (0x01)
    RADIUS: Identifier = 221 (0xDD)
    RADIUS: Length = 62 (0x003E)
    RADIUS: Vector: 117677E44D021350494E6F7C055A8B68
    RADIUS: Type = 1 (0x01) User-Name
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (String) =
    74 65 73 74                                        |  test
    RADIUS: Type = 2 (0x02) User-Password
    RADIUS: Length = 18 (0x12)
    RADIUS: Value (String) =
    11 ca 28 65 a4 49 ee 8a 76 46 29 10 3e f9 3f 1f |  ..(e.I..vF).>.?.
    RADIUS: Type = 4 (0x04) NAS-IP-Address
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (IP address) = 172.27.251.2 (0xAC1BFB02)
    RADIUS: Type = 5 (0x05) NAS-Port
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (Hex) = 0x28
    RADIUS: Type = 61 (0x3D) NAS-Port-Type
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (Hex) = 0x5
    Send 10.1.2.25/1645 pkt
    RIP 0x29f79044 id State 7 221
    rad_vrfy(): bad auth req
    rad_procpkt: radvrfy failed
    RADIUS_DELETE
    remove_req 0x29f79044 0x6cb 221 session id
    free_rip 0x29f79044
    RADIUS: send empty queue
    ERROR: Authentication server is unresponsive: failure of decoding AAA... secret server incompatibility

    and I know the shared secret matches between the ASA and ACS. Any suggestions would be much appreciated.

    Thank you

    Alex

    Hi Alex,

    Is the ASA defined in any NDG in ACS?

    If so, please remove the shared secret from the NDG and try the authentication test once again.

    Let me know how it goes.

    Kind regards

    Anisha

    PS: Please mark this thread solved if you think your query is answered.

  • Cannot replicate from the primary to the secondary ACS server

    I have a primary and a secondary ACS server and am trying to replicate the primary database to the secondary. When I do, the secondary reports "inbound database replication from ACS '' denied - shared secret mismatch." I believe that this refers to the shared secret I entered for the database encryption during installation. Is it possible to change this shared secret without having to reinstall? (Note that this isn't the AAA key listed for itself in the Network Configuration.)

    Version is 4.1 on Windows Server 2003.

    What version of ACS do you use? Also, it is in fact the shared secret for the AAA servers and not the shared secret for the database encryption. There is a known bug: if you look at the self entry on the two ACS instances, does either one of them show a loopback address and not the real IP address? If yes, then you hit the bug I mentioned. The best way to solve it is to access the console and change the IP address (for example enable DHCP, pull an IP address and let the services restart). Then go back into the box and assign the static IP address you used. Once the services are back up, verify that the self entry now has the correct IP address (physical and not loopback) and test your replication again.

    Thank you

    Tarik

  • Windows NPS for AAA authentication of a Cisco router - is it safe?

    I am very confused about how all this works and was hoping someone could help me.

    I followed a bunch of tutorials online for setting up RADIUS authentication on a Cisco router against a Windows NPS server. Now I can SSH into the router with my AD account.

    Now that I got it to work, I'm going through the settings to make sure everything is secure.

    On my router, the config is pretty simple:

    aaa new-model
    aaa group server radius WINDOWS_NPS
     server-private 123.123.123.123 auth-port 1812 acct-port 1813 key mykey
    aaa authentication login default local group WINDOWS_NPS

    ip domain-name MyDom
    crypto key generate rsa

    (under vty and console)# login authentication default

    On the Windows NPS:
    • I created a new RADIUS client for the router.
    • Created a shared secret and specified Cisco as the vendor name.
    • Created a new network policy with my desired conditions.
    • And now the part of the network policy configuration that worries me:

    [screenshot not included]

    So initially I thought my AD credentials were being sent over the wire in plain text, but I did a capture and saw this:

    [screenshot not included]

    How is my password being encrypted and how strong is the encryption?

    Another thing is how can I configure aaa authentication with mschapv2? The documentation I saw for mschapv2 uses the "ppp authentication ms-chap-v2" command, but I'm not using ppp, I'm using aaa with a radius server.

    Hello

    RADIUS encrypts the password, but sends the username in clear. TACACS+ encrypts the username and password.

    You can find the encryption scheme used by RADIUS in the RFC:

    https://Tools.ietf.org/html/rfc2865#page-27

    MS-CHAP-v2 is used for user authentication such as remote access and VPN, not switch management.

    Thank you

    John
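An added example (not from either thread above, and not Cisco's code) that shows in Python what the ASA debug in the "ASA as a RADIUS client" thread and John's answer describe: the Access-Request layout parsed from the page's own byte dump, the RFC 2865 section 5.2 User-Password hiding (MD5 of the secret plus the Request Authenticator, XORed over 16-byte blocks), and the Response Authenticator check that fails when the NAS and server secrets differ, which is the condition the ASA logs as a server secret mismatch. The Request Authenticator, identifier, username and NAS attributes are taken from the debug output; the shared secrets are constructed, so the hidden password bytes differ from the page's.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, NAS_PORT_TYPE = 1, 2, 4, 5, 61

# Values from the ASA debug above; the secrets are constructed (the real one is not on the page).
REQUEST_AUTH = bytes.fromhex("117677E44D021350494E6F7C055A8B68")
NAS_SECRET = b"constructed-secret"
WRONG_SECRET = b"constructed-other-secret"


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16 bytes, then c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 = Request Authenticator. The strength rests entirely on the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret the result is garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Returns (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    if len(data) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def sample_access_request(secret=NAS_SECRET, ident=221):
    """Same fields as the debug output: User-Name 'test', NAS-IP 172.27.251.2,
    NAS-Port 40, NAS-Port-Type 5 (Virtual); 62 bytes on the wire."""
    attrs = [
        (USER_NAME, b"test"),
        (USER_PASSWORD, hide_password(b"test", secret, REQUEST_AUTH)),
        (NAS_IP_ADDRESS, bytes([172, 27, 251, 2])),
        (NAS_PORT, struct.pack("!I", 40)),
        (NAS_PORT_TYPE, struct.pack("!I", 5)),
    ]
    return build_packet(ACCESS_REQUEST, ident, REQUEST_AUTH, attrs)


def server_decode_password(packet, server_secret):
    """What the RADIUS server does with the request; a mismatched secret yields junk,
    so the user is rejected even though the credentials were right."""
    _, _, req_auth, attrs = parse_packet(packet)
    return unhide_password(dict(attrs)[USER_PASSWORD], server_secret, req_auth)


def server_reply(packet, server_secret, code, attrs=()):
    _, ident, req_auth, _ = parse_packet(packet)
    attrs = list(attrs)
    auth = response_authenticator(code, ident, req_auth, attrs, server_secret)
    return build_packet(code, ident, auth, attrs)


def nas_verify_response(response, request_auth, nas_secret):
    """The NAS-side check (rad_vrfy in the ASA debug): recompute the Response
    Authenticator with the NAS's own secret and compare in constant time."""
    code, ident, auth, attrs = parse_packet(response)
    expected = response_authenticator(code, ident, request_auth, attrs, nas_secret)
    return hmac.compare_digest(expected, auth)
```

Two things follow from the code that the threads only hint at. First, the User-Name attribute is never transformed, which is why John says it travels in clear; only the User-Password attribute is masked, and the mask is a keystream derived from MD5 and the shared secret, not an authenticated cipher. Second, a secret that differs anywhere along the path (for example an NDG-level secret overriding the client-level one, as Anisha suggests) breaks both directions: the server unmasks the wrong password and rejects the user, and the NAS cannot verify the Response Authenticator on whatever comes back, so it reports a decode failure rather than a clean reject.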

  • Correct configuration of the Cisco Access Point 1242AG

    Hi all

    Here's the situation:

    Recently, we decided to create a small WLAN network in our company. We chose the Cisco AIR-AP1242AG-E-K9 with 2x 2.4GHz 2.2dBi rotating dipole antennas.

    For better management, a new routable VLAN (ID:20) was added to our router with IP 192.168.55.1 and subnet mask 255.255.255.0.

    Then I made the following configurations on the autonomous AP through the web console:

    • Static IP:192.20.10.35, SNET:255.255.254.0, GWY:192.20.10.200
    • VLAN1 (native) and VLAN20 (Radio0 - 802.11g) added in Services.
    • I set the encryption mode to none for VLAN1 and cipher AES-CCMP for VLAN20.
    • In Server Manager, I defined a new RADIUS server 192.20.10.35 (the AP's IP) and a shared secret and left the default ports for authentication and accounting (1645 and 1646). Also, in the default server priorities section I put the IP (RADIUS server) 192.20.10.35 as priority 1 for EAP authentication and for MAC authentication.
    • In the General Local RADIUS Server configuration, I added as a network access server (AAA client) the same IP address and the shared secret as the ones I used during the RADIUS server configuration above. In the enabled authentication protocols I left only LEAP and MAC checked. In addition, in the individual users section I created 2 new users with passwords.
    • In the SSID Manager a new hidden SSID was created for interface Radio0 - 802.11g, associated with VLAN20, and in the Client Authentication Settings section I left Open authentication with MAC and EAP as the accepted authentication method. Also, I left the option to use the defaults for the EAP and MAC authentication servers in the Server Priorities section, and finally I chose Mandatory for Key Management in the Client Authenticated Key Management section and enabled the option to enable WPA key management.

    I can ping the VLAN20 IPs from any PC that is a member of the native VLAN, and the AP too.

    As wireless clients, I use 2 Motorola MC5574 with Windows Mobile 6.1 Professional. Both of them have a Jedi WLAN adapter that is configured with the following:

    IPs:192.168.55.10 and 192.168.55.11

    SNET:255.255.255.0

    GWY:192.168.55.1

    In addition, a single profile has been created on both of them to use for authentication and association with the AP. Each profile has been configured for WPA2-Enterprise with AES and LEAP and predefined user credentials (those defined in the AP for individual users).

    The problem:

    Association of the clients with the AP is always successful but authentication fails, and I can't ping the AP IP, the VLAN20 IP, nor the other clients.

    What am I missing here? I'm sure it's something quite simple, but although I tried several different configurations (even WPA-PSK, WPA2-PSK with TKIP) I always end up unable to ping.

    Thanks in advance for any help

    Hello

    Can you please paste the show run output of the AP?

    Kind regards

    Madhuri

  • Perfigo NAS service does not start

    I upgraded the NAS and the NAM from 4.1.3 to 4.5. The NAM was upgraded successfully, but I have a problem with the upgrade of the NAS. I can't add the NAS in the NAM and when I do the first configuration I get the following errors.

    Cisco Clean Access Server, (C) 2008 Cisco Systems, Inc..

    Configure the network interfaces:

    Please enter the IP address for the [interface eth0]: 10.31.90.2

    Please enter the network mask for the [interface eth0]: 255.255.255.240

    Please enter the IP address for the default gateway []: 10.31.90.1

    [Management Vlan Tagging] for the release of packets from eth0 is disabled.

    You want to allow it? (y/n)? [n] n

    You want to allow it? (y/n)? [n] n

    ID of vlan default management for packets of eth0 evacuation is 0.

    You want to change it? (y/n)? [n] n

    Please enter the id of (0-4095) default management vlan

    for the trust interface (eth0): 319

    You entered: 319

    Is this correct? (y/n)? [y]

    Please enter the IP address to ensure that the approved interface eth1 []: 10.31.90.2

    Please enter the IP address to ensure that the approved interface eth1 []: 10.31.90.2

    Please enter the network mask for the [interface eth1]: 255.255.255.240

    Please enter the IP address for the default gateway []: 10.31.90.1

    [Vlan Id Passthrough] for packets from eth1 to eth0 is disabled.

    [Management Vlan Tagging] for the release of packets from eth1 is disabled.

    You want to allow it? (y/n)? [n]

    Please enter the hostname [nacserver]: NAC-Server

    Please enter the IP addresses for the name servers: []: 10.31.10.11

    You entered 10.31.10.11 is this correct? (y/n)? [y]

    / perfigo/Access/bin/ssconf: line 870: /perfigo/common/bin/hosts_file_handler.py: no such file or directory

    / perfigo/Access/bin/ssconf: line 871: /perfigo/common/bin/hosts_file_handler.py: no such file or directory

    The shared secret used between the clean Access Manager and clean access server is the default string: cisco123

    Remember to configure all the devices own access with the same string.

    Only the first 8 characters provided will be used.

    Please enter the secret shared between the clean access server and Clean Access Manager: xxxx

    You entered: xxxx

    Is this correct? (y/n)? [y]

    > Set the date and time:

    Update the zone information...

    Current date and time hh: mm: mm/dd/yy [22:14:15 01/18/09]: 17:15:30 01/18/09

    You need to generate a valid SSL certificate to use the own access console of the secure web server.

    Please answer the following questions correctly.

    Information for a new SSL certificate:

    Enter the full domain name or IP address: 10.31.90.2

    Enter the name of the organization unit: IT

    Enter the name of the Organization: xxxx

    Enter the name of the city: xxx

    Enter the status code: xx

    Enter the 2-letter country code: xx

    Generation Certificate.../perfigo/access/conf/generate-cert2.sh SSL: line 30: / perfigo/logs/perfigo-log: no such file or directory

    /perfigo/access/conf/generate-cert2.sh: line 33: / perfigo/logs/perfigo-log: no such file or directory

    / bin/cp: cannot stat ' / root/.tomcat.key.1232288168.01182009': no such file or directory

    / bin/cp: cannot stat ' / root/.tomcat.csr.1232288168.01182009': no such file or directory

    Done

    / perfigo/Access/bin/ssconf: line 1045: /perfigo/common/bin/banner_handler.py: no such file or directory

    For security reasons, it is strongly recommended that you change the password for the root user.

    updated successfully.

    Please enter a password that is properly secured for the user to admin console.

    The two strings you typed in does not match or contain non-alphanumeric characters. Please try again.

    Password Web console admin changed successfully.

    Configuration is complete.

    Changes require a RESTART of the clean access server.

    And once I reboot, it gives me the following error.

    From HAL daemon: [OK]

    From perfigo: /etc/rc3.d/S99perfigo: line 12: /etc/profile.d/nac.sh: no such file or directory

    [NOT]

    Good to hear that. It would be great if you could write it down.
