http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_password_recoveries_list.html
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of John Abruzzese
Sent: Tuesday, March 30, 2010 3:02 PM
To: [email protected]
Subject: [OSL | CCIE_Security] IPS 4255 Resetting Configuration to Default

An IPS 4255 appliance was given to me for my home lab and the previous owner configured a username and password on the box... it was given to me by a 3rd party and I don't have the username and password that was configured. Does anyone have any suggestions on how I can reset the appliance back to its default configuration as it is out of the box?

Appreciate any assistance.

Thank You
John A.

On Tue, Mar 30, 2010 at 2:50 PM, <[email protected]> wrote:

Today's Topics:

1. Re: Stuck with ms certsrv in wb1 lab 5 task 5.10 (Jimmy Larsson)
2. ip device tracking (Kingsley Charles)
3. Re: ip device tracking (Brandon Carroll)
4. Re: NAC L3 prompt for username? (Tyson Scott)

----------------------------------------------------------------------

Message: 1
Date: Tue, 30 Mar 2010 18:20:27 +0200
From: Jimmy Larsson <[email protected]>
Subject: Re: [OSL | CCIE_Security] Stuck with ms certsrv in wb1 lab 5 task 5.10
To: Tyson Scott <[email protected]>
Cc: OSL Security <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Hi

A few hours ago I was pretty sure that the wb I was working on today was downloaded this morning. However I am not that sure anymore since there is no MS certsrv if I look in that document now. I guess I've been looking in an old version locally downloaded earlier. I will download fresh copies of all material today to make sure that this doesn't happen again.

Can any of you guys make sure that my print counters are being reset so that I can print fresh copies? I have already wasted like 1000 papers of color prints because of changes in the material. I love you guys updating the material! But limiting my ability to print the material is a bit annoying... ;)

Besides. Thank god I don't have to bother about ms certsrv anymore! ;)

Br Jimmy

2010/3/30 Tyson Scott <[email protected]>

> Jimmy,
>
> Lab 5 only uses a locally generated certificate on ACS for NAC. But it used to have MS CertServ on it and I removed that, that is why I was wondering why you were using MS CA. Volume II is when you start using IOS CA Services but the first couple labs last year were first written with MS CA then I switched them to PKI.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Jimmy Larsson
> *Sent:* Tuesday, March 30, 2010 9:10 AM
> *To:* Tyson Scott
> *Cc:* OSL Security
> *Subject:* Re: [OSL | CCIE_Security] Stuck with ms certsrv in wb1 lab 5 task 5.10
>
> Tyson,
>
> I don't really follow. I downloaded WB1 Lab 5 from the download area this morning and it says nothing about ios ca in there...?
>
> Br Jimmy
>
> 2010/3/30 Tyson Scott <[email protected]>
>
> Jimmy,
>
> Unless you are doing MS services for your own learning I wouldn't spend much time on it as it is no longer relevant to the test. If you are using our old version of labs that have MS CertServ in them please access the more current material that covers Certificates using Cisco's PKI model.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Jimmy Larsson
> *Sent:* Tuesday, March 30, 2010 4:43 AM
> *To:* OSL Security
> *Subject:* [OSL | CCIE_Security] Stuck with ms certsrv in wb1 lab 5 task 5.10
>
> Hi
>
> I am stuck in this task with something that isn't dealt with in DSG: When requesting a certificate from certsrv and I go into the MSC to issue the certificate it cannot be issued, I get a "The revocation function was unable to check revocation because the revocation server was offline". I simply cannot get a certificate out of M$ cert-server.
>
> As far as I can see there is no external CRL-server configured so it shouldn't be a comm-issue. Right?
>
> Anyone who knows how I should deal with this? Working on Security pod 117 of proctor labs.
>
> Br Jimmy
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------

------------------------------

Message: 2
Date: Tue, 30 Mar 2010 22:16:31 +0530
From: Kingsley Charles <[email protected]>
Subject: [OSL | CCIE_Security] ip device tracking
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Hi all

Is "ip device tracking" specific for NAC L2 IP?
I see "ip device tracking" enabled for an interface only when that interface is configured for NAC and triggered for an ARP. Can someone please explain the purpose of "ip device tracking"?

With regards
Kings

------------------------------

Message: 3
Date: Tue, 30 Mar 2010 10:03:51 -0700
From: Brandon Carroll <[email protected]>
Subject: Re: [OSL | CCIE_Security] ip device tracking
To: Kingsley Charles <[email protected]>
Cc: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

Kings,

The short answer is "No." It can be used for web authentication as well as with source-guard. Refer to the following link:

http://www.ciscosystems.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swwebauth.html

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

On Mar 30, 2010, at 9:46 AM, Kingsley Charles wrote:

> Hi all
>
> Is "ip device tracking" specific for NAC L2 IP. I see "ip device tracking" enabled for an interface only when that interface is configured for NAC and triggered for an ARP.
> Can someone please explain the purpose of "ip device tracking"
>
> With regards
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

------------------------------

Message: 4
Date: Tue, 30 Mar 2010 14:50:31 -0400
From: "Tyson Scott" <[email protected]>
Subject: Re: [OSL | CCIE_Security] NAC L3 prompt for username?
To: "'Kingsley Charles'" <[email protected]>
Cc: [email protected]
Message-ID: <00c001cad039$e0a42ed0$a1ec8c...@com>
Content-Type: text/plain; charset="us-ascii"

Kingsley,

To be honest I haven't tested it before. I am curious now, based on the findings Shawn gave below, if I can cause a failure/pass success based on the username being either in the local ACS database or Active Directory. But I am not sure how that information is passed from the CTA Client, whether it is part of the posture tokens (which is my assumption) or something else. I am not 100% sure right now. I will have to look into it. The only thing I know is that I have not found a way to prompt for authentication.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: Kingsley Charles [mailto:[email protected]]
Sent: Tuesday, March 30, 2010 11:24 AM
To: Tyson Scott
Cc: shawn mesiatowsky; [email protected]
Subject: Re: [OSL | CCIE_Security] NAC L3 prompt for username?

Hi Tyson

Correct, but then what are the credentials sent for the inner authentication method (MS-CHAP)? In the ACS logs, I see the PC logged-on username sent to ACS. Does that mean the NAC L3 IP is undergoing anonymous authentication, where ACS doesn't look for a username/password for inner authentication?

With regards
Kings

On Tue, Mar 30, 2010 at 8:47 PM, Tyson Scott <[email protected]> wrote:

The authentication tab is for 802.1x authentication.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, March 30, 2010 11:03 AM
To: shawn mesiatowsky
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] NAC L3 prompt for username?

http://support.microsoft.com/kb/950725

After you install Windows XP Service Pack 3 (SP3), the Authentication tab is missing in the properties dialog box of the computer's wired network adapter.
For example, when you open the Local Area Connection Properties dialog box of a wired network adapter, you see only the General tab.

To resolve this issue, manually start the Wired AutoConfig service (DOT3SVC). To do this, follow these steps:

1. Click Start, and then click Run.
2. Type services.msc in the Open box, and then press ENTER.
3. Locate the Wired AutoConfig service, right-click it, and then click Start.

On Tue, Mar 30, 2010 at 8:18 PM, Kingsley Charles <[email protected]> wrote:

I am working on NAC L3 IP and I remember something that I did long before. Basically PEAP is for outer authentication and for the inner authentication either of the following can be used:

. PEAPv0/EAP-MSCHAPv2
. PEAPv1/EAP-GTC

GTC is way beyond the scope.

EAP-MSCHAPv2 uses a username/password and that is what you are asking for. I think, by default the PC sends the Administrator username. If you need to configure for interactive authentication, then open network connection > right click LAN > properties. You can see two tabs, General and Advanced. But there is another one, "Authentication", which I see rarely. I don't know how to make that visible. In the "Authentication" tab, you have the option to configure for md5.

With regards
Kings

On Tue, Mar 30, 2010 at 6:38 PM, shawn mesiatowsky <[email protected]> wrote:

just wondering why the difference? is this because the 802.1x supplicant (built into CTA) is only used during 802.1x, and authentication is handled differently for EOU?

So is there any way to perform l3 NAC posture assessment while at the same time requiring different authentication than your current credentials? So for instance, you wanted users to use RSA tokens for authentication, and also perform posture assessment, but do not want to use 802.1x but would rather perform this function at l3? Would you then perform L3NAC as well as auth proxy?
Tyson Scott wrote:
> Shawn,
>
> In the document you referenced below they are only specifically for the 802.1X NAC functions of the client. That is not used by ACS. It will only pass the logon credentials of the machine you are working with.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Shawn Mesiatowsky
> Sent: Tuesday, March 30, 2010 12:49 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] NAC L3 prompt for username?
>
> I have L3 NAC working great, but one question?
>
> CTA never seems to prompt for user credentials, and credentials that are passed seem to authenticate regardless. eg.
>
> I log onto my xp workstation with a local account: xpws001\user1
>
> I do not have that user defined in acs, but it still gives the user a healthy token
>
> Authen OK XPWS001:user1 ...... 5.5.5.5 l3 NAC-SAMPLE-HEALTHY-L3-RAC
>
> but then if I go into the authorization policy of the L3 NAP, and I change "any" group to any other group such as "default group" or group1, the user is given a quarantined token
>
> Authen OK XPWS001:user1 ...... 5.5.5.5 l3 NAC-SAMPLE-QUARANTINE-L3-RAC
>
> When you use the "any" group in an authorization policy, does that include non-existent users?
> How do you configure CTA to prompt for user credentials as opposed to using the credentials of the logged on user for single sign on?
>
> I did find this document
> http://www.cisco.com/en/US/docs/security/cta/2.1.103.0_supplicant/admin_guide/ctaSuppl.html#wp1013985
>
> and I used the deployment tool to build an xml file, but that still did not work. In the document the following section of the document
>
> http://www.cisco.com/en/US/docs/security/cta/2.1.103.0_supplicant/admin_guide/ctaSuppl.html#wp1000675
>
> it states
>
> Step 5 In the User Credentials area, select either of these radio buttons:
>
> . Use Single Sign-on for password credentials. This option passes the username and password from the Windows logon to the ACS.
>
> . Request password when needed. This option prompts users for their username and password when they are trying to connect to the network. This username and password may be different from the Windows logon information. This value is configured in ACS.
>
> Well how do you configure this in ACS? I could find no documentation.
> Thanks for your help

------------------------------

End of CCIE_Security Digest, Vol 45, Issue 153
**********************************************

--
John M. Abruzzese
ISE Data Systems, Inc.
43716 Lees Mill Square
Leesburg, Virginia 20176
Google Voice#: 703-468-1805
Pager#: 800-204-7023
Fax#: 703-652-6217
Email: [email protected]
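Added example, not from this thread, IPexpert or Cisco: a small audit script that turns Shawn's observation into a defender's check, scanning passed-authentication lines in the loose shape he quoted and flagging accounts that are absent from the ACS user database yet still received the HEALTHY posture token (the "any group" behaviour discussed above). The sample lines, the KNOWN_USERS set and the line layout are constructed assumptions, not the real ACS export format.

```python
import re
from dataclasses import dataclass

# Constructed sample in the loose shape of the "Authen OK ..." lines quoted
# in the thread. Only the two XPWS001:user1 lines mirror the post; the other
# usernames, addresses and the KNOWN_USERS set are made up for this example.
SAMPLE_LOG = """\
Authen OK XPWS001:user1 ...... 5.5.5.5 l3 NAC-SAMPLE-HEALTHY-L3-RAC
Authen OK XPWS001:user1 ...... 5.5.5.5 l3 NAC-SAMPLE-QUARANTINE-L3-RAC
Authen OK CORP:alice ...... 10.0.0.7 l3 NAC-SAMPLE-HEALTHY-L3-RAC
Authen OK XPWS002:guest ...... 10.0.0.9 l3 NAC-SAMPLE-HEALTHY-L3-RAC
"""

# Accounts actually defined in the ACS user database (constructed).
KNOWN_USERS = {"alice", "bob"}

# domain:user, an elided middle, the client address, "l3" and the token name
LINE_RE = re.compile(
    r"^Authen OK (?P<domain>[^:\s]+):(?P<user>\S+) .*? "
    r"(?P<ip>\d+(?:\.\d+){3}) l3 "
    r"(?P<token>NAC-SAMPLE-(?P<state>HEALTHY|QUARANTINE)-L3-RAC)$"
)


@dataclass
class Finding:
    user: str
    ip: str
    token: str
    reason: str


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text, known_users):
    """Flag every passed authentication whose username is not in the ACS
    database but which was still handed the HEALTHY posture token."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not passed-authentication records
        if rec["user"] not in known_users and rec["state"] == "HEALTHY":
            findings.append(Finding(rec["user"], rec["ip"], rec["token"],
                                    "unknown account granted HEALTHY token"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, KNOWN_USERS):
        print(f"{f.user}@{f.ip}: {f.reason} ({f.token})")
```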
