Here are some links to Cisco docs regarding DMVPN that may be of help if you don't have them already:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html

On Thu, Feb 11, 2010 at 11:27 AM, <[email protected]> wrote:
> Send CCIE_Security mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://onlinestudylist.com/mailman/listinfo/ccie_security
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of CCIE_Security digest..."
>
>
> Today's Topics:
>
> 1. ANY good book on Getvpn and DMVPN (Yogesh Gawankar)
> 2. Re: ANY good book on Getvpn and DMVPN (Kingsley Charles)
> 3. 802.1x (Jimmy Larsson)
> 4. Re: 802.1x (Piotr Kaluzny)
> 5. Re: 802.1x (Brandon Carroll)
> 6. Re: 802.1x (Tyson Scott)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 11 Feb 2010 04:46:53 -0800 (PST)
> From: Yogesh Gawankar <[email protected]>
> Subject: [OSL | CCIE_Security] ANY good book on Getvpn and DMVPN
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi all
>
> Does anyone know any good book that goes into DMVPN and GETVPN in depth?
>
> I have found heaps of books on IPSEC and SSL but not much on GRE and GET.
>
> Thanks
>
> Yogesh
>
> ------------------------------
>
> Message: 2
> Date: Thu, 11 Feb 2010 20:32:26 +0530
> From: Kingsley Charles <[email protected]>
> Subject: Re: [OSL | CCIE_Security] ANY good book on Getvpn and DMVPN
> To: Yogesh Gawankar <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> You can use this one for GETVPN:
>
> http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf
>
> With regards
> Kings
>
> ------------------------------
>
> Message: 3
> Date: Thu, 11 Feb 2010 17:15:32 +0100
> From: Jimmy Larsson <[email protected]>
> Subject: [OSL | CCIE_Security] 802.1x
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi
>
> I am doing my first attempt ever to set up 802.1x. I know the basic idea
> with EAP types and RADIUS, but I can't get it to work. Fact:
>
> c2970. Configured like this:
>
> aaa new-model
> !
> !
> aaa authentication login default none
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> !
> interface FastEthernet0/19
>  description T43
>  switchport mode access
>  dot1x pae authenticator
>  dot1x port-control auto
>  dot1x violation-mode restrict
>  dot1x auth-fail vlan 1
>  spanning-tree portfast
> !
> radius-server host 192.168.1.51 auth-port 1645 acct-port 1646 key cisco
> radius-server vsa send authentication
>
> The ACS is set up with a username/password, I have configured the network
> device and all that jazz...
>
> On port Fa0/19 I have my Windows 7 client that can't connect. It prompts me
> for username/password and says "authentication failed". Debug of
> radius/dot1x on the switch shows me that I get an "Access-Reject" back from
> the ACS. The ACS says "EAP Type not configured" in failed-attempts. But the
> EAP-type column is empty.
>
> My guess is that there is something misconfigured in the win7 supplicant. I
> have:
> * Enabled dot1x authentication.
> * Chosen method: Microsoft PEAP (not "Smart card or other certificate")
> * Under settings I have unchecked "Validate server certificate"
> * Under settings I have chosen "Secured Password EAP-MSCHAP v2" as
>   authentication method.
>
> But what am I doing wrong? Can I get more debug output from my win7 client?
> Or should I try with a third-party supplicant instead?
>
> Also, is the "dot1x pae authenticator" command on the switchport needed in
> my case?
>
> Can I get more detailed output from ACS than the default info in the
> failed-attempts log?
>
> Thanks in advance!
>
> Br Jimmy
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> ------------------------------
>
> Message: 4
> Date: Thu, 11 Feb 2010 17:22:10 +0100
> From: Piotr Kaluzny <[email protected]>
> Subject: Re: [OSL | CCIE_Security] 802.1x
> To: Jimmy Larsson <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Jimmy,
>
> Have you enabled EAP-MD5 under the "Global Authentication" section on the
> ACS?
>
> Regards,
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> ------------------------------
>
> Message: 5
> Date: Thu, 11 Feb 2010 08:25:59 -0800
> From: Brandon Carroll <[email protected]>
> Subject: Re: [OSL | CCIE_Security] 802.1x
> To: Jimmy Larsson <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> You can add additional fields to the failed attempts log by going to
> System Configuration>Logging in the ACS.
>
> What about using EAP-MD5 instead of PEAP? It's in Global
> Authentication. You'll change it on the adapter under Authentication
> as well.
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
> Security & Service Provider) Certification Training with locations
> throughout the United States, Europe and Australia. Be sure to check
> out our online communities at www.ipexpert.com/communities and our
> public website at www.ipexpert.com.
>
> ------------------------------
>
> Message: 6
> Date: Thu, 11 Feb 2010 11:27:08 -0500
> From: "Tyson Scott" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] 802.1x
> To: "'Piotr Kaluzny'" <[email protected]>, "'Jimmy Larsson'" <[email protected]>
> Cc: [email protected]
> Message-ID: <007f01caab37$0f5bdcf0$2e1396...@com>
> Content-Type: text/plain; charset="us-ascii"
>
> Jimmy,
>
> By default EAP-MD5 is the only protocol enabled but make sure you check it
> as Piotr has suggested. But on the Windows client you are using PEAP.
> Change that to EAP-MD5.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> End of CCIE_Security Digest, Vol 44, Issue 36
> *********************************************
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
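The 802.1x thread above comes down to an EAP method mismatch: the ACS offers only EAP-MD5 while the Windows supplicant is set to PEAP, and the result is an Access-Reject. As an added example, not code from any of the posts or from Cisco, the Python below decodes the EAP-Message attributes of RADIUS packets so a captured Access-Challenge / Access-Request / Access-Reject sequence shows which method the server offered and which one the supplicant asked for in its Nak. It assumes the negotiation in Jimmy's lab followed that path; the three packets in the block are constructed samples, not a capture from his switch.

```python
import struct

# Example written for this thread, not code from the original posts or from Cisco:
# decode the EAP negotiation inside RADIUS EAP-Message attributes so a captured
# exchange shows what the server offered and what the supplicant asked for instead.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_EAP_MESSAGE = 79  # RFC 3579; one EAP packet may span several attributes

def radius_attributes(packet):
    """Yield (type, value) pairs from a RADIUS packet (RFC 2865 layout)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len

def decode_eap(packet):
    """Reassemble EAP-Message fragments and name the EAP step they carry.
    For a Nak (type 3), 'wanted' lists the methods the supplicant will accept."""
    eap = b"".join(v for t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)
    result = {"radius": RADIUS_CODES.get(packet[0], packet[0]),
              "eap": None, "type": None, "wanted": []}
    if len(eap) < 4:
        return result  # no EAP payload (e.g. a plain PAP Access-Request)
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    result["eap"] = EAP_CODES.get(code, code)
    if code in (1, 2) and length >= 5:  # only Request/Response carry a type
        result["type"] = EAP_TYPES.get(eap[4], eap[4])
        if eap[4] == 3:
            result["wanted"] = [EAP_TYPES.get(t, t) for t in eap[5:length]]
    return result

def build_radius(code, ident, attrs):
    """Build a RADIUS packet with a zeroed authenticator (constructed samples only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample exchange: server offers MD5-Challenge; the PEAP-only supplicant
# Naks naming PEAP; the server, with PEAP not enabled, rejects with EAP Failure.
CHALLENGE = build_radius(11, 1, [(ATTR_EAP_MESSAGE, struct.pack("!BBHBB", 1, 2, 22, 4, 16) + bytes(16))])
NAK = build_radius(1, 2, [(1, b"jimmy"), (ATTR_EAP_MESSAGE, struct.pack("!BBHBB", 2, 2, 6, 3, 25))])
REJECT = build_radius(3, 2, [(ATTR_EAP_MESSAGE, struct.pack("!BBH", 4, 3, 4))])
```

Run `decode_eap` over the three packets in order and the Nak naming PEAP against the server's MD5-Challenge is the mismatch the replies point at; on a real capture, feed it the raw UDP payloads of the RADIUS packets instead.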
