An IPS 4255 appliance was given to me for my home lab and the previous owner configured a username and password on the box... it was given to me by a 3rd party and I don't have the username and password that was configured. Does anyone have any suggestions on how I can reset the appliance back to its default configuration as it is out of the box? Appreciate any assistance.
Thank You
John A.

On Tue, Mar 30, 2010 at 2:50 PM, <[email protected]> wrote:

> Today's Topics:
>
>    1. Re: Stuck with ms certsrv in wb1 lab 5 task 5.10 (Jimmy Larsson)
>    2. ip device tracking (Kingsley Charles)
>    3. Re: ip device tracking (Brandon Carroll)
>    4. Re: NAC L3 prompt for username? (Tyson Scott)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 30 Mar 2010 18:20:27 +0200
> From: Jimmy Larsson <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Stuck with ms certsrv in wb1 lab 5 task 5.10
> To: Tyson Scott <[email protected]>
> Cc: OSL Security <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi
>
> a few hours ago I was pretty sure that the wb I was working on today was
> downloaded this morning. However I am not that sure anymore since there is
> no MS certsrv if I look in that document now. I guess I've been looking in an
> old version locally downloaded earlier.
>
> I will download fresh copies of all material today to make sure that this
> doesn't happen again. Can any of you guys make sure that my print counters
> are being reset so that I can print fresh copies? I have already wasted like
> 1000 papers of color prints because of changes in the material.
>
> I love you guys updating the material! But limiting my ability to print the
> material is a bit annoying... ;)
>
> Besides. Thank god I don't have to bother about ms certsrv anymore! ;)
>
> Br Jimmy
>
> 2010/3/30 Tyson Scott <[email protected]>
>
> > Jimmy,
> >
> > Lab 5 only uses a locally generated certificate on ACS for NAC. But it
> > used to have MS CertServ on it and I removed that, that is why I was
> > wondering why you were using MS CA. Volume II is when you start using IOS
> > CA Services but the first couple labs last year were first written with MS
> > CA then I switched them to PKI.
> >
> > Regards,
> >
> > Tyson Scott - CCIE #13513 R&S, Security, and SP
> > Technical Instructor - IPexpert, Inc.
> > Mailto: [email protected]
> > Telephone: +1.810.326.1444, ext. 208
> > Live Assistance, Please visit: www.ipexpert.com/chat
> > eFax: +1.810.454.0130
> >
> > IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> > Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> > CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> > training locations throughout the United States, Europe, South Asia and
> > Australia. Be sure to visit our online communities at
> > www.ipexpert.com/communities and our public website at www.ipexpert.com
> >
> > *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Jimmy Larsson
> > *Sent:* Tuesday, March 30, 2010 9:10 AM
> > *To:* Tyson Scott
> > *Cc:* OSL Security
> > *Subject:* Re: [OSL | CCIE_Security] Stuck with ms certsrv in wb1 lab 5 task 5.10
> >
> > Tyson,
> >
> > I don't really follow. I downloaded WB1 Lab 5 from the download area this
> > morning and it says nothing about ios ca in there...?
> >
> > Br Jimmy
> >
> > 2010/3/30 Tyson Scott <[email protected]>
> >
> > Jimmy,
> >
> > Unless you are doing MS services for your own learning I wouldn't spend
> > much time on it as it is no longer relevant to the test. If you are using
> > our old version of labs that have MS CertServ in them please access the more
> > current material that covers Certificates using Cisco's PKI model.
> >
> > Regards,
> >
> > Tyson Scott - CCIE #13513 R&S, Security, and SP
> > Technical Instructor - IPexpert, Inc.
> >
> > *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Jimmy Larsson
> > *Sent:* Tuesday, March 30, 2010 4:43 AM
> > *To:* OSL Security
> > *Subject:* [OSL | CCIE_Security] Stuck with ms certsrv in wb1 lab 5 task 5.10
> >
> > Hi
> >
> > I am stuck in this task with something that isn't dealt with in DSG: When
> > requesting a certificate from certsrv and I go into the MSC to issue the
> > certificate it cannot be issued, I get an "The revocation function was
> > unable to check revocation because the revocation server was offline". I
> > simply cannot get a certificate out of M$ cert-server.
> >
> > As far as I can see there is no external CRL-server configured so it
> > shouldn't be a comm-issue. Right?
> >
> > Anyone who knows how I should deal with this? Working on Security pod 117
> > of proctor labs.
> >
> > Br Jimmy
> >
> > --
> > -------
> > Jimmy Larsson
> > Ryavagen 173
> > s-26030 Vallakra
> > Sweden
> > http://blogg.kvistofta.nu
> > -------
>
> ------------------------------
>
> Message: 2
> Date: Tue, 30 Mar 2010 22:16:31 +0530
> From: Kingsley Charles <[email protected]>
> Subject: [OSL | CCIE_Security] ip device tracking
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi all
>
> Is "ip device tracking" specific for NAC L2 IP? I see "ip device tracking"
> enabled for an interface only when that interface is configured for NAC and
> triggered for an ARP.
>
> Can someone please explain the purpose of "ip device tracking"
>
> With regards
> Kings
>
> ------------------------------
>
> Message: 3
> Date: Tue, 30 Mar 2010 10:03:51 -0700
> From: Brandon Carroll <[email protected]>
> Subject: Re: [OSL | CCIE_Security] ip device tracking
> To: Kingsley Charles <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> Kings,
>
> The short answer is "No." It can be used for web authentication as well as
> with source-guard. Refer to the following link:
>
> http://www.ciscosystems.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swwebauth.html
>
> I
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> On Mar 30, 2010, at 9:46 AM, Kingsley Charles wrote:
>
> > Hi all
> >
> > Is "ip device tracking" specific for NAC L2 IP? I see "ip device
> > tracking" enabled for an interface only when that interface is configured
> > for NAC and triggered for an ARP.
> >
> > Can someone please explain the purpose of "ip device tracking"
> >
> > With regards
> > Kings
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please
> > visit www.ipexpert.com
>
> ------------------------------
>
> Message: 4
> Date: Tue, 30 Mar 2010 14:50:31 -0400
> From: "Tyson Scott" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] NAC L3 prompt for username?
> To: "'Kingsley Charles'" <[email protected]>
> Cc: [email protected]
> Message-ID: <00c001cad039$e0a42ed0$a1ec8c...@com>
> Content-Type: text/plain; charset="us-ascii"
>
> Kingsley,
>
> To be honest I haven't tested it before. I am curious now based on the
> findings Shawn gave below if I can cause a failure/pass success based on the
> username being either in the local ACS database or Active Directory. But I
> am not sure how that information is passed from the CTA Client, whether it
> is part of the posture tokens (Which is my assumption) or something else. I
> am not 100% sure right now. I will have to look into it.
>
> The only thing I know is that I have not found a way to prompt for
> authentication.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Tuesday, March 30, 2010 11:24 AM
> To: Tyson Scott
> Cc: shawn mesiatowsky; [email protected]
> Subject: Re: [OSL | CCIE_Security] NAC L3 prompt for username?
>
> Hi Tyson
>
> Correct but then what are the credentials sent for the inner authentication
> method (MS-CHAP).
>
> In the ACS logs, I see the PC Logged on username sent to ACS.
>
> Does that mean, the NAC L3 IP is undergoing anonymous authentication, where
> ACS doesn't look for a username/password for inner authentication.
>
> With regards
> Kings
>
> On Tue, Mar 30, 2010 at 8:47 PM, Tyson Scott <[email protected]> wrote:
>
> The authentication tab is for 802.1x authentication.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Tuesday, March 30, 2010 11:03 AM
> To: shawn mesiatowsky
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] NAC L3 prompt for username?
>
> http://support.microsoft.com/kb/950725
>
> After you install Windows XP Service Pack 3 (SP3), the Authentication tab is
> missing in the properties dialog box of the computer's wired network
> adapter. For example, when you open the Local Area Connection Properties
> dialog box of a wired network adapter, you see only the General tab.
>
> To resolve this issue, manually start the Wired AutoConfig service
> (DOT3SVC). To do this, follow these steps:
>
> 1. Click Start, and then click Run.
> 2. Type services.msc in the Open box, and then press ENTER.
> 3. Locate the Wired AutoConfig service, right-click it, and then click Start.
>
> On Tue, Mar 30, 2010 at 8:18 PM, Kingsley Charles <[email protected]> wrote:
>
> I am working on NAC L3 IP and I remember something that I did long before.
>
> Basically PEAP is for outer authentication and for the inner authentication
> either of the following can be used:
>
> GTC is way beyond the scope.
>
> - PEAPv0/EAP-MSCHAPv2
> - PEAPv1/EAP-GTC
>
> EAP-MSCHAPv2 uses a username/password and that is what you are asking for.
>
> I think, by default the PC sends the Administrator username.
>
> If you need to configure for interactive authentication, then open network
> connection > right click LAN > properties.
>
> You can see two tabs General and Advanced. But there is another one
> "Authentication" which I see rarely.
>
> I don't know, how to make that visible.
>
> In the "Authentication", you have the option to configure for md5.
>
> With regards
> Kings
>
> On Tue, Mar 30, 2010 at 6:38 PM, shawn mesiatowsky <[email protected]> wrote:
>
> just wondering why the difference? is this because the 802.1x supplicant
> (built into CTA) is only used during 802.1x, and authentication is
> handled differently for EOU? So is there any way to perform l3 NAC
> posture assessment while at the same time, requiring different
> authentication than your current credentials? So for instance, you
> wanted users to use RSA tokens for authentication, and also perform
> posture assessment, but do not want to use 802.1x but would rather
> perform this function at l3? Would you then perform L3NAC as well as
> auth proxy?
>
> Tyson Scott wrote:
>
> > Shawn,
> >
> > In the document you referenced below they are only specifically for the
> > 802.1X NAC functions of the client. That is not used by ACS. It will only
> > pass the logon credentials of the machine you are working with.
> >
> > Regards,
> >
> > Tyson Scott - CCIE #13513 R&S, Security, and SP
> > Technical Instructor - IPexpert, Inc.
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Shawn Mesiatowsky
> > Sent: Tuesday, March 30, 2010 12:49 AM
> > To: [email protected]
> > Subject: [OSL | CCIE_Security] NAC L3 prompt for username?
> >
> > I have L3 NAC working great, but one question?
> >
> > CTA never seems to prompt for user credentials, and credentials that are
> > passed seem to authenticate regardless. eg.
> >
> > I log onto my xp workstation with a local account: xpws001\user1
> >
> > I do not have that user defined in acs, but it is still giving the user a
> > healthy token
> >
> > Authen OK XPWS001:user1 ...... 5.5.5.5 l3 NAC-SAMPLE-HEALTHY-L3-RAC
> >
> > but then if I go into the authorization policy, of the L3 NAP, and I
> > change "any" group to any other group such as "default group" or group1,
> > the user is given a quarantined token
> >
> > Authen OK XPWS001:user1 ...... 5.5.5.5 l3 NAC-SAMPLE-QUARANTINE-L3-RAC
> >
> > When you use the "any" group in an authorization policy, does that
> > include non-existent users?
> > How do you configure CTA to prompt for user credentials as opposed to
> > using the credentials of the logged on user for single sign on?
> >
> > I did find this document
> >
> > http://www.cisco.com/en/US/docs/security/cta/2.1.103.0_supplicant/admin_guide/ctaSuppl.html#wp1013985
> >
> > and I used the deployment tool to build an xml file, but that still did
> > not work. In the document the following section of the document
> >
> > http://www.cisco.com/en/US/docs/security/cta/2.1.103.0_supplicant/admin_guide/ctaSuppl.html#wp1000675
> >
> > it states
> >
> > Step 5 In the User Credentials area, select either of these radio buttons:
> >
> > - Use Single Sign-on for password credentials. This option passes the
> >   username and password from the Windows logon to the ACS.
> >
> > - Request password when needed. This option prompts users for their
> >   username and password when they are trying to connect to the network.
> >   This username and password may be different from the Windows logon
> >   information. This value is configured in ACS.
> >
> > Well how do you configure this in ACS? I could find no documentation.
> > Thanks for your help
>
> End of CCIE_Security Digest, Vol 45, Issue 153
> **********************************************

--
John M. Abruzzese
ISE Data Systems, Inc.
43716 Lees Mill Square
Leesburg, Virginia 20176
Google Voice#: 703-468-1805
Pager#: 800-204-7023
Fax#: 703-652-6217
Email: [email protected]
