Cisco – Testing AAA Authentication (Cisco ASA and IOS)

KB ID 0001175 

Problem

I always forget the syntax for this, and I’ve been meaning to publish this for a while so here you go. If you have AAA setup and people can’t log in, then the ability to test authentication against a user’s username and password is a good troubleshooting step!

Usually I’m on a Cisco ASA but I’ll tag on the syntax for IOS as well.

 

Solution

Cisco ASA Test AAA Authentication From Command Line

You will need to know the server group and the server you are going to query. Below, the ASA is using LDAP, but the process is the same for RADIUS, Kerberos, TACACS+, etc.

[box]

Petes-ASA# show run | begin aaa
aaa-server TEST-LDAP-SERVER protocol ldap
aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10
 ldap-base-dn dc=TEST,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=asa,OU=Users,OU=Test-Corp,dc=TEST,dc=net
 server-type auto-detect

[/box]

To test a user (here username ttester, password Password123):

[box]

Petes-ASA# test aaa-server authentication TEST-LDAP-SERVER host 192.168.110.10 username ttester password Password123
INFO: Attempting Authentication test to IP address  (timeout: 12 seconds)
INFO: Authentication Successful

[/box]

Cisco ASA Test AAA Authentication From ASDM

Log into the ASDM > Configuration > Device Management > Users/AAA > Select the Server Group > Select the Server > Test.

Select ‘Authentication’ > Enter Username/Password > OK.

Cisco IOS Test AAA Authentication From Command Line

As above, you need to know which server group and server you are going to test authentication against:

[box]

Petes-Router#show run aaa
!
aaa authentication login default local
aaa authorization exec default local
!
aaa group server radius RADIUS-GROUP
 server-private 192.168.110.10 key 666999
!
aaa new-model
aaa session-id common
!

[/box]

Then run the test; IOS accepts either the legacy or the new-code form of the command:

[box]

Petes-Router#test aaa group RADIUS-GROUP tester Password123 legacy
Attempting authentication test to server-group RADIUS-GROUP using radius
User was successfully authenticated.

OR

Petes-Router#test aaa group RADIUS-GROUP tester Password123 new-code
User successfully authenticated

USER ATTRIBUTES

Framed-Protocol 0 1 [PPP]
service-type 0 2 [Framed]
noescape 0 True
autocmd 0 " ppp negotiate"
Petes-Router#

[/box]
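As an added example (not from the original article), the following Python reads running-config fragments shaped like the ASA and IOS boxes above and builds the matching test commands, so the group and host come from the config rather than being retyped; the sample config text is constructed from the page and the function names are mine.

```python
import re

# Constructed samples, shaped like the page's 'show run | begin aaa' (ASA)
# and 'show run aaa' (IOS) output.
ASA_CONFIG = """aaa-server TEST-LDAP-SERVER protocol ldap
aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10
 ldap-base-dn dc=TEST,dc=net
"""
IOS_CONFIG = """aaa group server radius RADIUS-GROUP
 server-private 192.168.110.10 key 666999
!
"""

def asa_servers(config):
    """Map each ASA aaa-server group to (protocol, [hosts])."""
    groups = {}
    for line in config.splitlines():
        m = re.match(r"aaa-server (\S+) protocol (\S+)", line)
        if m:
            groups[m.group(1)] = (m.group(2), [])
            continue
        m = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line)
        if m and m.group(1) in groups:
            groups[m.group(1)][1].append(m.group(2))
    return groups

def ios_groups(config):
    """Map each IOS 'aaa group server' block to (protocol, [hosts])."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"aaa group server (radius|tacacs\+) (\S+)", line)
        if m:
            current = m.group(2)
            groups[current] = (m.group(1), [])
        elif current and re.match(r"\s+server(?:-private)? (\S+)", line):
            groups[current][1].append(line.split()[1])
        elif not line.startswith(" "):
            current = None   # left the indented group block
    return groups

def asa_test_commands(config, username, password):
    # The password travels in clear text on the CLI (and in command logging),
    # so use a dedicated test account, as the page does with ttester.
    return [f"test aaa-server authentication {g} host {h} "
            f"username {username} password {password}"
            for g, (_, hosts) in asa_servers(config).items() for h in hosts]

def ios_test_commands(config, username, password, mode="new-code"):
    # IOS accepts 'legacy' or 'new-code' as the trailing keyword (see above).
    return [f"test aaa group {g} {username} {password} {mode}"
            for g in ios_groups(config)]
```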

Related Articles, References, Credits, or External Links

Cisco ASA – AnyConnect Authentication via LDAP and Domain User Groups

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

Cisco ASA 5500 Client VPN Access Via Kerberos (From CLI)

Set Cisco ASA for Kerberos Authentication

Event ID 7001

KB ID 0000137 

Problem

Event ID 7001

The McAfee ePolicy Orchestrator 3.5.0 Server service depends on the McAfee ePolicy Orchestrator 3.5.0 Event Parser Service which failed to start because of the following error: The operation completed successfully.

The domain admin password has been changed and the ePO services are still using the old one.

Solution

1. Start > run > services.msc

2. Locate the following three services.

i. McAfee ePolicy Orchestrator {version} Discovery and Notification services.

ii. McAfee ePolicy Orchestrator {version} Event Parser.

iii. McAfee ePolicy Orchestrator {version} server.

3. Right Click each one of the services above > Properties > “Log On” tab > This account.

4. Enter the account, e.g. domainname\administrator > enter and confirm the password.

5. Repeat for each service.

6. Locate the file CFGNAIMS.EXE on your server and run it.

7. Select the “administrator” tab and enter the correct credentials.

8. You can now either right click the services then select “Start” or reboot.

Related Articles, References, Credits, or External Links

NA

Deploy a Router in your ESX Environment

KB ID 0000182

Problem

ESX is designed for building both enterprise class networks, and networks solely for test purposes. That’s all fine and dandy, but what if you want to turn on DHCP in your network but still have it connected to the outside world? Yes, you could deploy a Windows server running Routing and Remote Access as a router, but that seems to be overkill in the extreme. In the past I’ve done articles on deploying virtual firewalls. But again that might be a little too much for your scenario.

Solution

To solve the problem, we can do what VMware do on their own training courses; anyone who has done a VCP3 or VCP4 course will have seen this router deployed in one of the labs.

FreeSco is a Linux router on a floppy disk (Microsoft disciples, “don’t panic”, there will be next to no sandal wearing coming up). I hunted all over the internet for the version I used on my course and most of the links I found are dead, or provide a router we don’t know the root password for. However, after much searching I found one that works, we know the password for, and can be configured.

1. Download the floppy image HERE

2. Follow the instructions below (Note: this was done in ESX3; the process for vSphere is the same).

Related Articles, References, Credits, or External Links

http://www.rtfm-ed.co.uk/2005/10/10/routernatfirewall-on-a-floppy-linux-based/

VMware error on HP Proliant “Host Baseboard Management Controller status”

KB ID 0000418 

Problem

Saw this today on an HP ProLiant DL380 G7 Server.

Solution

1. It’s a simple one to solve. The server was built with the HP ESXi build, and the management agents are complaining because the iLO is not connected to the network.

2. When you connect the iLO socket to the network the alarm should change as shown below.

3. Once you have connected or disabled it you can reset the alarm.

4. Take the opportunity to log in and configure the iLO. Access it via a web browser; it gets a DHCP address by default, and you can set a static IP address by entering the iLO setup at boot (see the ‘Disable the iLO’ section below).

5. The user name is Administrator (capital A) and the password will be either on a pull out tab on the front of the server, or a brown cardboard label tied to the front of the server (you did keep that didn’t you!), or on a brown sticker on top of the server chassis. On certain models HP also stick this information under the server lid.

6. Then you can log in and configure.

Disable the iLO

1. If you do not want to use the iLO then you can disable it (I can’t think why you would want to, because it’s a handy piece of kit, but here’s how to do it).

2. Reboot the server, and when prompted press F8 to enter the iLO setup.

3. Settings > Configure.

4. These are the default settings, use the cursor keys to select and the space bar to enable/disable the options.

5. All disabled.

 

Related Articles, References, Credits, or External Links

NA

RSA Authentication Manager – Importing SecureID Tokens

KB ID 0001080 

Problem

It’s been a while since I had to do this, you used to simply take a number from the token pack, import it into the RSA Authentication Manager, job done. Now the tokens are shipped to you encrypted, you need to register them with RSA, decrypt them, then import them.

Solution

1. The tokens come with the licenses encrypted, on an accompanying CD. Go to the URL specified on the CD.

2. Good job I was alone and had no CD drive! Anyway, the two numbers you need to enter on the website to register are:

  • Token Pack ID: On the sleeve, and on the CD
  • Confirmation Number : On the CD

3. When you have finished registration you will download a .zip file, save it somewhere sensible.

4. Put the CD in a computer > Run the ‘Token Decryption Utility’ > You will need to give it the .zip file you downloaded and a password.

5. When complete, you will be given two files: an XML file that has all your token information.

6. And a password file, which gives you the password to import the XML file with.

7. Armed with these two files log into the ‘Security Console’ > Administration > SecureID Tokens > Import Tokens Job > Add New.

8. Give the job a name, accept all the defaults and browse to the XML file, then copy and paste in the password from the text file and run the import job. Check on the Completed tab to make sure it was a success.

Related Articles, References, Credits, or External Links

NA

Windows XP – Sysprep (for imaging)

KB ID 0000599 

Problem

A client who we recently did a WDS (Windows 7) install for, needed to image a couple of Windows XP machines, (They had some software that either would not run, or was not supported on Windows 7).

They asked me for some documentation on how to do this, it’s been such a long time since I imaged any XP machine, so I took the opportunity to document it properly.

Solution

Before you begin, be aware you need to be building your reference machine with a Volume Licenced copy of Windows XP, NOT an OEM or Retail copy (i.e. DON’T build the machine with manufacturer’s rescue disks like Dell or HP). If you don’t do this you will need to activate every Windows machine that you deploy with Microsoft.

Make sure the version of sysprep you are using is at the same service pack level as the reference machine or bad things will happen.

Windows XP SP3 version of Deploy.cab

1. Build your reference machine, and configure it as you require.

2. Create a folder on the root of the C: drive called ‘Sysprep’. Insert the Windows XP CD and locate the Deploy cabinet file. (This is ‘like’ a zip file and it’s in the support\tools folder).

3. Double click the Deploy cab, then copy the sysprep.exe, setupcl.exe and setupmgr.exe files to your c:\sysprep folder.

4. You can now run sysprep.exe and skip to step 12. BUT if you require an answer file (a script that will answer all the questions Windows will ask while it’s reinstalling post sysprep) then run the setupmgr.exe program, and at the welcome screen click Next.

5. Create New > Sysprep Setup > Windows XP Professional.

6. Fully Automate > Enter Name and Organisation > Set the Display Properties.

7. Set Time Zone > Enter the Volume Licence unlock code > If you are joining a domain, I suggest generating a random name then changing it later.

8. Set the Local Administrators password > Typical settings will enable DHCP > Supply any domain and domain credentials you need to join your domain.

9. Telephony (I just skip this) > Regional Settings > Languages.

10. Printers > Run Once commands > Additional Commands.

11. Enter a string that will go into the registry, and can be identified later > Finish > Accept the default save path > OK > At this point it looks like it’s crashed, you can manually close the setupmgr.

12. Now you can run sysprep.exe > OK > I select ‘mini-setup’ (if you don’t, it will run the Welcome to Windows session and play the annoying music you can’t turn down!) > If you have installed applications and are going to image the machine click Reseal > OK.

Note: Factory will literally set the machine back to a ‘day one’ install of Windows XP.

The machine will then shut down and can be imaged.

Final Note: If you power it back on, it will rebuild itself and delete the c:\sysprep directory. Which is fine, unless you are doing some testing and realise you have to do the whole thing from scratch!

Related Articles, References, Credits, or External Links

Windows Deployment Services (Server 2003)
Deploying Windows XP

Windows Deployment Services (On Server 2008 R2)
Deploying Windows 7

Password Does Not Meet Complexity Requirements

KB ID 0000229 

Problem

Windows Server has a password complexity requirement to make sure passwords are strong. Yes, it can be disabled, but while it is in place you need your passwords to conform to the following.

Error within AD

Error at Logon

Note: To disable password complexity click here.

 

Solution

To meet the policy your password MUST satisfy all of the following:

1. Passwords cannot contain the user’s account name or parts of the user’s full name that exceed two consecutive characters.

2. Passwords must be at least six characters in length.

3. Passwords must contain characters from THREE of the following four categories:

  • English uppercase characters (A through Z).
  • English lowercase characters (a through z).
  • Base 10 digits (0 through 9).
  • Non-alphabetic characters (for example, !, $, #, %).

Permissible (examples only).

St@ndard – Stranger123 – s!mple1

Not Permissible (examples only).

Password – c0mplex – steve1970
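As an added example (not part of the original article), here is a Python check that applies the three rules above and explains which one a candidate password breaks; the full-name check splits the display name on the delimiter set Microsoft documents for this policy, and the function names are mine.

```python
import re

# Delimiters Windows uses when splitting the display name into tokens
# (commas, periods, hyphens, underscores, spaces, pound signs, tabs).
DELIMS = re.compile(r"[,.\-_ #\t]+")

def categories(password):
    """Count how many of the four character categories the password uses."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)

def complexity_violations(password, username="", full_name=""):
    """Return the policy rules the password breaks (empty list = accepted)."""
    problems, lower = [], password.lower()
    # Rule 1: the whole account name (if 3+ chars) and each full-name token
    # of 3+ chars must not appear in the password, case-insensitively.
    if len(username) >= 3 and username.lower() in lower:
        problems.append("contains the account name")
    for token in DELIMS.split(full_name):
        if len(token) >= 3 and token.lower() in lower:
            problems.append(f"contains part of the full name ({token})")
    # Rule 2: minimum length.
    if len(password) < 6:
        problems.append("shorter than six characters")
    # Rule 3: at least three of the four categories.
    if categories(password) < 3:
        problems.append("fewer than three of the four character categories")
    return problems

def meets_policy(password, username="", full_name=""):
    return not complexity_violations(password, username, full_name)
```

Run against the page’s own examples, the three permissible passwords pass and the three non-permissible ones fail on rule 3; steve1970 would additionally fail rule 1 for a user whose account name is steve.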

 

Related Articles, References, Credits, or External Links

Disable Password Complexity