jwh
Jun 12, 2002

Wired 802.1x is so full of hurt.

ate shit on live tv
Feb 15, 2004

by Azathoth

ragzilla posted:

Ah. Not on FastIron Edge (only on regular FastIron).

Do you have a router at the site the Eth comes into that you could take the trunk into? If you have AdvSvc code, you could take it into a port, L2TP tunnel it up to the router at your other site, then loop it back into the ISR to terminate L3 (this is a common workaround on 6500/7600 gear to get VPLS like services out of the port-based MPLS that the 6500/7600 can do).

Yea I had considered that, but no dice. We have a single rack at the carrier house and it is only that single Foundry Switch. Guess I'll have to re-do our services vlans.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

jwh posted:

Wired 802.1x is so full of hurt.

Naw bro, all you need is ACS 5.x and a Profiler! :smug: It's like, stupid easy.

jwh
Jun 12, 2002

You mean my ACS 4.1 box isn't current!?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

jwh posted:

You mean my ACS 4.1 box isn't current!?

:) Just remember to restart the services any time you make any change and its great!

nex
Jul 23, 2001

Grimey Drawer
Ugh, battling with ACS 4.1 here as well.. The server will randomly stop accepting authentications and the java-applet login will go down. SSH service will still run as normal. Pissing me off.

Our old tac_plus box is 10x more stable. :(

jwh
Jun 12, 2002

I guess the new ACS 5 can be ordered as a vmdk, which is a nice idea.

I still haven't researched which features are missing from 5.x versus 4.2. Hopefully nothing that will ruin me.

ruro
Apr 30, 2003

Badgerpoo posted:

Interesting post, we are doing exactly this very soon on our large edge network. We were thinking of using MAB for any non domained machines initially using a freeradius back end. Can you expand on the problems you've faced?

The primary problem when it comes to MAB is management of the MAC address lists. It doesn't seem like a problem until you start needing to manage either large numbers of MAC addresses or, even worse, MAC addresses that need to be treated differently (e.g. printers, non-domained desktops, network scanners, etc). Now you need to figure out a way to treat them differently and maintain separate MAC address lists. I plan to do this by using separate address lists and returning an auto-smart-port AV pair to apply different configuration for my printers and non-supplicant/non-domain computers based upon which LDAP source matched in ACS 5. It's messy, and administration is difficult, but at least I can have different configuration applied on different switches if need be by changing the smart-port configuration on the switch. At the moment I don't have this ability so I have resorted to using port security on the non-domain computer ports and using the one LDAP source I have in ACS 4.x to serve up printer MAC addresses.

If you are lucky enough to have printers or PCs that are all from the same manufacturer you might be able to get away with using an auto smart port macro or two that identifies devices based upon MAC OUI but then you run the risk of someone bringing in a PC from the same manufacturer.

So let's say like me you've done this and it's working marvelously despite its high maintenance requirements. What happens when something goes wrong? Now you need a quarantine VLAN which has access to suitable services for remediation to fix any of the following:
- Expired machine account,
- Out of date supplicant configuration,
- Expired ACS (or similar) certificate.

But before you even realise you need to remediate you need to know the machine needs remediation. With ACS 4.x it's not a simple process to determine what exactly is wrong because the error messages are quite cryptic; for example, an EAP-TLS or PEAP authentication failure during the SSL handshake can mean one of several things is wrong. Meanwhile the user has absolutely no idea what is going on because most 802.1x supplicants have very poor user feedback mechanisms, so all they know is that they can't get on the network, or they can get on the network with very limited access, and they won't be able to provide much information to your help/service desk.

TL;DR: Wired 802.1x is great if you only have domain joined computers, and nothing ever goes wrong. The ability to deal with edge cases like non-domain machines/printers/etc is not really there, and reporting/remediation are difficult. Don't do it unless you have a solid mechanism/process for managing MAC address lists and a solid process for identifying and handling remediation.

I really really need to get my hands on a profiler to test. I have a feeling I might not have a problem with all this list management etc if I had a profiler. Time to talk to my Cisco rep.
Edit: Or not. I remember why I discarded the Profiler idea; it needs a collector to sniff network traffic in every l2 domain.

jwh posted:

I guess the new ACS 5 can be ordered as a vmdk, which is a nice idea.

I still haven't researched which features are missing from 5.x versus 4.2. Hopefully nothing that will ruin me.

We're trialing ACS 5.1 in a VM at the moment, it's quite nice. My favourite parts so far are:
- No more ACS client running on an AD box; it joins a domain directly and can query other domains provided suitable trust relationships exist.
- Rule based rather than group based. Initially I thought this wasn't that big a change from group based, but it really really is. It allows for far more granularity in how you process say, RADIUS requests. For example, I have (RADIUS-IETF:NAS-IP-Address = x.x.x.x Or RADIUS-IETF:NAS-IP-Address = x.x.x.x) which identifies proxied RADIUS requests from our WAN provider, then another rule that matches RADIUS requests coming from our WLAN controllers, and then yet another to deal with our wired 802.1x requests. You can do this sort of thing already with ACS 4.x if you get your groups right but this is so much easier and logical.
- Reporting is excellent compared to ACS 4.x, and little things like hit counters for service selection rules are great.
- Vastly improved interface in all areas.
- It's a virtual appliance built on CentOS, so there is no need to manage a windows installation.

Things I don't like:
- Can only join one domain - This is more due to us inheriting a domain when we gobbled up another department, and it's slowly being phased out so our server goons don't want to establish a full trust relationship.
- Admin permissions could be more granular - For example we have some downloadable ACLs that are used by our security group's ASAs and I would like to allow them to log in and edit them but nothing else. So far this does not seem to be possible.
- Backup can only be done to FTP/TFTP/NFS file stores, no SMB/CIFS. It's not a huge thing as I just setup a TFTP server for it but I would have liked to simply be able to backup directly to a network share on our backup server.

ruro fucked around with this message at 02:40 on Feb 24, 2011

jwh
Jun 12, 2002

If they join a root domain, can they then query the whole forest?

ruro
Apr 30, 2003

jwh posted:

If they join a root domain, can they then query the whole forest?

I'm not sure how our AD folks have it setup exactly, but when I asked if I'd be able to query computer membership in the second domain from the first domain I was told it would not be possible due to them only setting up a partial trust relationship between our primary domain and the second domain.

Our AD/Exchange guys are prima donnas/magical unicorns who think they walk on water, so I try not to agitate them lest I need them to do something for me in the future.

lol internet.
Sep 4, 2007
the internet makes you stupid
Anyone know how to disable MWI on a single deskset for Cisco VoIP? I have no web portal/CUCM.

A user gets his VM notifications in his email, so really there's no point in having the light I guess.

optik
Jul 6, 2005
linux is a pathway to many abilities..... some consider to be un-natural

lol internet. posted:

Anyone know how to disable MWI on a single deskset for Cisco VoIP? I have no web portal/CUCM.

A user gets his VM notifications to his emails, so really there's no point on having the light I guess.

What system is the phone connected into? (Asterisk, CME, CM etc.)

abigserve
Sep 13, 2009

this is a better avatar than what I had before

jwh posted:

Wired 802.1x is so full of hurt.

802.1x...integrated into a billing system, interfacing with packet shapers :anime: Yey, look upon your destiny and despair - the devil is real

Badgerpoo
Oct 12, 2010

Tremblay posted:

What exactly are you thinking of rolling out? Cisco NAC? Microsoft NAP? Both (DON'T DO THIS)? 802.1x?

802.1x using the built in supplicants in Windows XP sp3 (kinda works ok) and Win7 (Works great!). Several Freeradius 2.2.10 Debian servers for the backend.

ruro posted:

Lots of stuff

The vast majority of systems are domained so should just work (lol). As for the rest, we will actually have a Service Desk software that is ITIL compliant holding all the MAC addresses for every single device we have, so I'm hoping the MAC maintenance will be done for us. All I'll need to do is have some kind of link into its database and auto update a local DB on the Freeradius boxes.

I've never even looked at ACS, is it as terrible as any other software provided by Cisco?
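The MAC-list problem ruro describes above (separate lists per device class, different reply attributes per class, the OUI shortcut and its risk) and the inventory-driven FreeRADIUS list Badgerpoo is planning are small enough to model in a few functions. What follows is an added example, not code from the thread, from ACS or from FreeRADIUS: the inventory rows, device classes and VLAN IDs are constructed sample data, the reply attributes are the standard RFC 3580 tunnel attributes, and the export format assumes the FreeRADIUS `users` file with the MAC as the user name, which is how Cisco MAB sends it (12 lowercase hex digits, no separators); check that against the MAB recipe for your FreeRADIUS version before relying on it.

```python
"""Added example (not from the thread, ACS or FreeRADIUS): MAB lists per
device class, per-class RADIUS replies, a FreeRADIUS 'users' export, and
a demonstration of why matching on OUI alone is weak.  All inventory
rows, classes and VLAN IDs below are constructed sample data."""
import re

# Constructed sample inventory, shaped like a service-desk export.
# Mixed MAC notations on purpose: switches and inventory tools disagree
# on separators, so everything is normalised before comparison.
SAMPLE_INVENTORY = [
    ("00:1E:0B:AA:BB:01", "printer"),
    ("001e.0baa.bb02", "printer"),
    ("00-50-56-12-34-56", "nondomain_pc"),
    ("0050561234AB", "scanner"),
]

# Assumed per-class reply attributes; the VLAN IDs are hypothetical.
CLASS_POLICY = {
    "printer": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-Id": "210"},
    "nondomain_pc": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                     "Tunnel-Private-Group-Id": "220"},
    "scanner": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-Id": "230"},
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def build_mac_lists(inventory):
    """Return {class: set(mac)}.  A MAC filed under two classes is an
    inventory error and is refused rather than resolved silently."""
    lists, seen = {}, {}
    for raw, cls in inventory:
        mac = normalize_mac(raw)
        if mac in seen and seen[mac] != cls:
            raise ValueError(f"{mac} listed as both {seen[mac]} and {cls}")
        seen[mac] = cls
        lists.setdefault(cls, set()).add(mac)
    return lists


def authorize_mab(calling_station_id, mac_lists, policy):
    """Exact-MAC lookup: (class, reply attributes) or (None, None)."""
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError:
        return None, None
    for cls, macs in mac_lists.items():
        if mac in macs:
            return cls, dict(policy[cls])
    return None, None


def classes_by_oui(calling_station_id, mac_lists):
    """The OUI shortcut: which classes hold a device with this vendor
    prefix?  Any host with a same-vendor or spoofed MAC matches too,
    which is exactly the risk of classifying on OUI alone."""
    oui = normalize_mac(calling_station_id)[:6]
    return sorted(cls for cls, macs in mac_lists.items()
                  if any(m[:6] == oui for m in macs))


def to_freeradius_users(mac_lists, policy):
    """Render FreeRADIUS 'users' file entries (assumed target format):
    MAC as the user name, Auth-Type := Accept, reply items indented.
    Numeric-string values such as the VLAN ID are quoted; enum values
    such as VLAN / IEEE-802 are left bare."""
    out = []
    for cls in sorted(mac_lists):
        for mac in sorted(mac_lists[cls]):
            replies = []
            for key, val in policy[cls].items():
                shown = f'"{val}"' if val.isdigit() else val
                replies.append(f"\t{key} = {shown}")
            out.append(f"{mac}\tAuth-Type := Accept\n" + ",\n".join(replies))
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    lists = build_mac_lists(SAMPLE_INVENTORY)
    print(authorize_mab("00-1E-0B-AA-BB-01", lists, CLASS_POLICY))
    print(classes_by_oui("00:1e:0b:de:ad:01", lists))
    print(to_freeradius_users(lists, CLASS_POLICY))
```

The dual-class check in `build_mac_lists` is the part worth keeping from this even if the rest is replaced by ACS or a real inventory sync: the moment a printer MAC also appears in the non-domain-PC list, whichever list is consulted first wins and the device silently lands in the wrong VLAN.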

Cthalupa
Feb 24, 2011

Badgerpoo posted:

802.1x using the built in supplicants in Windows XP sp3 (kinda works ok) and Win7 (Works great!). Several Freeradius 2.2.10 Debian servers for the backend.


The vast majority of systems are domained so should just work (lol). As for the rest, we will actually have a Service Desk software that is ITIL compliant holding all the MAC addresses for every single device we have, so I'm hoping the MAC maintenance will be done for us. All I'll need to do is have some kind of link into it's database and auto update a local DB on the Freeradius boxes.

Unrelated: What service desk program? I've got to find a good one, and trying to find some that people like.

quote:

I've never even looked at ACS, is it as terrible as any other software provided by Cisco?

Yes. Seems to cause horrendous spotty logins that hang half the time.

lol internet.
Sep 4, 2007
the internet makes you stupid

optik posted:

What system is the phone connected into? (Asterisk, CME, CM etc.)

Cisco Unity Express? (I think.)

When I configure the phone, I need to log in via terminal; when I configure the voicemail portion, I log in to a web portal.

Also, I just want the mwi off for the one phone.. not every single one.

thanks!

jwh
Jun 12, 2002

Cthalupa posted:

Unrelated: What service desk program? I've got to find a good one, and trying to find some that people like.

Yes. Seems to cause horrendous spotty logins that hang half the time.

What version?

ACS 4.1 has been pretty okay for us, even though it's a bit of a bear to work with.

Interesting aside, there's a cisco logo .gif in the upper left corner of the ACS 4.1 UI, but somebody put some image tag dimensions in that "smush" it kinda vertically, so the whole thing ends up looking like a Geocities site from 1999.

It's kind of charming.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Badgerpoo posted:

802.1x using the built in supplicants in Windows XP sp3 (kinda works ok) and Win7 (Works great!). Several Freeradius 2.2.10 Debian servers for the backend.


The vast majority of systems are domained so should just work (lol). As for the rest, we will actually have a Service Desk software that is ITIL compliant holding all the MAC addresses for every single device we have, so I'm hoping the MAC maintenance will be done for us. All I'll need to do is have some kind of link into it's database and auto update a local DB on the Freeradius boxes.

I've never even looked at ACS, is it as terrible as any other software provided by Cisco?

They rewrote the whole thing for the 5.0 release. It's still not 1:1 feature parity with 4.x. However, in my experience it's much more stable. Does take some getting used to though.

wolrah
May 8, 2006
what?

HydroPimp posted:

This is less of a short Cisco question and more of a I'm using cisco (linksys) products and need to know if something is possible.

I have a home network, and my neighbor has a home network (apartments). Basic cable internet --> wrt54g setups, with DD-WRT installed on both routers. I am the "admin" of both networks. What I want to do is set up a communal homegroup that combines the networks and uses the same AP name, etc. The networks are within wireless range of each other, but I wouldn't be able to run a cable between them.

Just in case that isn't clear, I'll give an example. Say I'm at my neighbor's and we want to watch something that's on my PC. I want it to be like it is normally for homegroups (shared files, etc), even though he's connected to his router and I'm connected to mine.

Is that even possible?

This one's old, but in case you're still looking for a solution there are two ways to get close, but I don't think you can do exactly what you want without a wire.

In both cases, you'll need to start by ensuring both networks are on different subnets so everything knows where it needs to send traffic destined for one end or the other.

Option 1 is a VPN.
IPsec is likely the easiest way, and should be built in to DD-WRT. Match most settings on both ends, configure the local and remote networks as appropriate, and set up Dynamic DNS names if you have dynamic IPs at either location. This will be limited by the upload speed at the source site, so it's likely that HD video won't work and even normal Xvids might be too much depending on your connection.

Option 2 is a wireless link.
You'll need two additional bridge-capable wireless devices (Ubiquiti Bullet or many DD-WRT compatible devices will do it) on top of any existing wireless, and preferably two directional antennas (though you can get away with omnidirectional if they're close enough, you may interfere with your normal wireless). Set up the wireless bridge as appropriate so computers on either end could talk to each other, then enable VLANs on the main routers and configure a port on each as a separate network. Both devices should use the same subnet here. Connect this port to the bridge at each end and see if the routers can ping each other. If they can ping successfully, configure a static route on each saying that the opposite router's IP on the bridge connection is the gateway for the opposite router's LAN.

In theory at this point with either option you should be able to freely pass traffic between the networks, but computers at the other location will NOT show up when browsing the local network on either end and Homegroup features will likely not work, as both are designed to work within a local network and do not cross routers. You can still use the \\IP\share\ format to access shares across the link and stream content, it just won't be 100% automatic.

If the full auto-detection and homegroup features are what you desire, you need a wire or a more complicated wireless bridging solution. Either way would likely require abandoning DHCP at one end since it would cross the link and whoever had the faster-responding router would end up with all the computers using his internet connection.

Badgerpoo
Oct 12, 2010

Cthalupa posted:

Unrelated: What service desk program? I've got to find a good one, and trying to find some that people like.

It is TopDesk, but we haven't started using it yet. Afaik the main reason we bought it is because it was the cheapest...

ruro
Apr 30, 2003

Badgerpoo posted:

802.1x using the built in supplicants in Windows XP sp3 (kinda works ok) and Win7 (Works great!). Several Freeradius 2.2.10 Debian servers for the backend.


The vast majority of systems are domained so should just work (lol). As for the rest, we will actually have a Service Desk software that is ITIL compliant holding all the MAC addresses for every single device we have, so I'm hoping the MAC maintenance will be done for us. All I'll need to do is have some kind of link into it's database and auto update a local DB on the Freeradius boxes.

I've never even looked at ACS, is it as terrible as any other software provided by Cisco?

I love the Windows 7 supplicant, 802.1x just works. I'm very envious of your MAC addresses being taken care of by your service desk software, hopefully the export to your freeradius installations is super easy.

Make sure your service/help desk is made well aware of the client symptoms that indicate a need for remediation.

captaingimpy
Aug 3, 2004

I luv me some pirate booty, and I'm not talkin' about the gold!
Fun Shoe
I ran into something really fun this week. One of our remote sites was having a new VMware environment installed. I asked if the VMs could be on their own VLAN...here is the reason why:

interface vlan 1
ip address 10.124.1.0 255.255.255.0 secondary
ip address 10.124.2.0 255.255.255.0 secondary
ip address 10.124.3.0 255.255.255.0 secondary
ip address 10.124.4.0 255.255.255.0 secondary
ip address 10.124.5.0 255.255.255.0 secondary
ip address 10.124.54.0 255.255.255.0
no ip redirect

And DHCP was magically working with a Windows box running a superscope (on the .2 subnet). They said they needed VLAN 1 exposed to do the P2V, etc. All ports were either setup with switchport or trunking all VLANs.

For whatever reason, when I allowed vlan 1 on one of the trunk ports for the esx box, DHCP quit working (which it shouldn't have worked, at least reliably anyways, in the first place).

Until I added the ip-helper into vlan 1, none of the machines were seeing responses from the DHCP server, and the DHCP server wasn't seeing any requests (which is what should have been happening to begin with). I add the IP helper to VLAN 1 and I start seeing request/responses and then the DHCP server handing out DHCPNACK's because the server thought that the client was requesting 0.0.0.0, which gave an amazing error on the windows clients.

I log all of my putty sessions out of habit, so it was obvious to see what changes I had made. I was on site for the changes, which made this so much fun. I called Cisco and went through a couple of tiers of folks that were just as confused as I was. In one of those "AHA! moments" after a few hours of troubleshooting, it was decided to move the DHCP server onto another VLAN. That immediately fixed the issue.

Has anyone experienced the 0.0.0.0 thing with DHCP clients before? Or have you seen a similar situation...

My next few months with that site are going to be fun due to the amount of work it's going to take to untangle VLAN 1. On top of that, ESX has a hard time being on the native VLAN. :(
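Before untangling a site like that it helps to inventory exactly which SVIs carry secondary subnets, which of them relay DHCP, and whether VLAN 1 is routed at all. The script below is an added example, not code from the thread or from Cisco: it parses `interface VlanN` blocks out of a running-config dump and reports those conditions. `SAMPLE_CONFIG` is constructed input that mimics the shape of the posted config with hypothetical host addresses, not the site's real config. The relay check rests on IOS behaviour that is documented but worth re-reading for your platform: without `ip dhcp smart-relay`, the relay puts the interface's primary address in giaddr for every forwarded request, so the DHCP server sees clients on the secondary subnets as if they were on the primary one.

```python
"""Added example (not from the thread or from Cisco): audit IOS SVI
config for secondary-address sprawl, routed VLAN 1, and DHCP relay on
multi-subnet SVIs.  SAMPLE_CONFIG is constructed sample input."""
import re

SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.124.1.1 255.255.255.0 secondary
 ip address 10.124.2.1 255.255.255.0 secondary
 ip address 10.124.54.1 255.255.255.0
 ip helper-address 10.124.2.10
 no ip redirects
!
interface Vlan20
 ip address 10.124.20.1 255.255.255.0
 ip helper-address 10.124.2.10
!
interface GigabitEthernet1/1
 switchport mode trunk
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)( secondary)?\s*$")
HELPER_RE = re.compile(r"^\s+ip helper-address (\S+)")


def parse_config(text):
    """Return ({svi_name: {primary, secondaries, helpers}}, smart_relay).
    Only 'interface VlanN' blocks are recorded; '!' ends a block."""
    svis, smart_relay, current = {}, False, None
    for line in text.splitlines():
        if line.strip() == "ip dhcp smart-relay":
            smart_relay = True
            continue
        if line.strip() == "!":
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:
            name = m.group(1)
            current = None
            if name.lower().startswith("vlan"):
                current = svis.setdefault(
                    name, {"primary": None, "secondaries": [], "helpers": []})
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            addr = (m.group(1), m.group(2))
            if m.group(3):
                current["secondaries"].append(addr)
            else:
                current["primary"] = addr
            continue
        m = HELPER_RE.match(line)
        if m:
            current["helpers"].append(m.group(1))
    return svis, smart_relay


def audit(svis, smart_relay):
    """Return a list of (svi, code, message) findings."""
    findings = []
    for name, svi in sorted(svis.items()):
        if svi["primary"] is None:
            continue
        if name.lower() == "vlan1":
            findings.append((name, "VLAN1_SVI",
                             "routed SVI on VLAN 1, the default/native VLAN; "
                             "move hosts to dedicated VLANs"))
        n = len(svi["secondaries"])
        if n:
            findings.append((name, "SECONDARY",
                             f"{n} secondary subnet(s) share one broadcast "
                             "domain; inter-subnet traffic hairpins through "
                             "the SVI"))
            if svi["helpers"] and not smart_relay:
                findings.append((name, "RELAY_PRIMARY_GIADDR",
                                 "helper-address without 'ip dhcp smart-relay': "
                                 "giaddr is always the primary address, so the "
                                 "DHCP server sees every client as being on "
                                 "the primary subnet"))
    return findings


if __name__ == "__main__":
    svis, smart_relay = parse_config(SAMPLE_CONFIG)
    for svi, code, msg in audit(svis, smart_relay):
        print(f"{svi}: {code}: {msg}")
```

Run it against `show running-config` output saved to a file; the three finding codes map onto the three things that have to change at a site like this (routed VLAN 1, secondaries, and relay behaviour), and re-running it after each change shows what is left.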

jbusbysack
Sep 6, 2002
i heart syd

CaptainGimpy posted:

interface vlan 1
ip address 10.124.1.0 255.255.255.0 secondary
ip address 10.124.2.0 255.255.255.0 secondary
ip address 10.124.3.0 255.255.255.0 secondary
ip address 10.124.4.0 255.255.255.0 secondary
ip address 10.124.5.0 255.255.255.0 secondary
ip address 10.124.54.0 255.255.255.0
no ip redirect

Smack whoever put that into production. Jesus.

jbusbysack fucked around with this message at 23:41 on Feb 24, 2011

Eyecannon
Mar 13, 2003

you are what you excrete
I have a 1811W router which is booting into ROMMON mode. When I do a "dir flash:" it says that there is no valid filesystem on there. I tried putting the CF card into my computer and while my computer seems to somewhat react to it (commotion in dmesg), I can't see the device in any partitioning software. I think I need to reinstall an IOS image onto the CF (assuming the CF card isn't broken), but it seems I am stuck with an xmodem transfer since I can't seem to assign an IP to any interface. The xmodem transfer says it will take 5 hours, but it actually cuts off after a few minutes every time I try. Can anyone suggest what I should try doing here? Thanks.

ate shit on live tv
Feb 15, 2004

by Azathoth
Mutant2600#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-TSJSPGEN-M), Experimental Version 12.2(20030430:004739)

So I just found pagent IOS. Anyone ever used this before or know any places where the traffic generator is more detailed? Dinking around with it, I was able to do this to a switch in the lab:

3560Gb#sh int gig0/3 | i rate
5 minute input rate 6509000 bits/sec, 12713 packets/sec

Seems pretty powerful for just running on a 2611XM router. Now I want to figure out how to create multicast streams.

Or even better find a version that will work on a 7200 :)

Tremblay
Oct 8, 2002
More dog whistles than a Petco

CaptainGimpy posted:

I ran into something really fun this week. One of our remote sites was having a new VMware environment installed. I ask if the VM's could be on their own VLAN...here is the reason why:

interface vlan 1
ip address 10.124.1.0 255.255.255.0 secondary
ip address 10.124.2.0 255.255.255.0 secondary
ip address 10.124.3.0 255.255.255.0 secondary
ip address 10.124.4.0 255.255.255.0 secondary
ip address 10.124.5.0 255.255.255.0 secondary
ip address 10.124.54.0 255.255.255.0
no ip redirect

And DHCP was magically working with a Windows box running a superscope (on the .2 subnet). They said they needed VLAN 1 exposed to do the P2V, etc. All ports were either setup with switchport or trunking all VLANs.

For whatever reason, when I allowed vlan 1 on one of the trunk ports for the esx box, DHCP quit working (which it shouldn't have worked, at least reliably anyways, in the first place).

Until I added the ip-helper into vlan 1, none of the machines were seeing responses from the DHCP server, and the DHCP server wasn't seeing any requests (which is what should have been happening to begin with). I add the IP helper to VLAN 1 and I start seeing request/responses and then the DHCP server handing out DHCPNACK's because the server thought that the client was requesting 0.0.0.0, which gave an amazing error on the windows clients.

I log all of my putty sessions out of habit. So, it was obvious to see what changes I had made. I was on site for the changes which made this so much fun. I called Cisco and went through a couple of tiers of folks that were just as confused I was. In one of those "AHA! moments" after a few hours of troubleshooting, it was decided to move the DHCP server onto another VLAN. That immediately fixed the issue.

Has anyone experienced the 0.0.0.0 thing with DHCP clients before? Or have you seen a similar situation...

My next few months with that site is going to be fun due to the amount of work it's going to take to untangle the vlan 1. On top of that, esx has a hard time being on the native vlan. :(

This kind of config is going to lead to a poo poo ton of slow-path punts. What platform is this?

ate shit on live tv
Feb 15, 2004

by Azathoth

Eyecannon posted:

I have a 1811W router which is booting into ROMMON mode. When I do a "dir flash:" it says that there is no valid filesystem on there. I tried putting the CF card into my computer and while my computer seems to somewhat react to it (commotion in dmesg), I can't see the device in any partitioning software. I think I need to reinstall an iOS onto the CF (assuming the CF card isn't broken), but it seems I am stuck with an xmodem transfer since I can't seem to assign an IP to any interface. The xmodem transfer says it will take 5 hours, but it actually cuts off after a few minutes every time I try. Can anyone suggest what I should try doing here? Thanks.

What you might try is downloading the image, zeroing out the CF card and then using dd to do a "raw" copy to the CF card. The rommon can't understand fat32, but will understand RAW mode.

captaingimpy
Aug 3, 2004

I luv me some pirate booty, and I'm not talkin' about the gold!
Fun Shoe

Tremblay posted:

This kind of config is going to lead to a poo poo ton of slow-path punts. What platform is this?

6509 at the core, with "stacked" switches (they're just interconnected). They're just connected via 1 gig....with VLAN 1 everywhere except for 30 or so users. There's close to 1,000 devices on the network.

captaingimpy fucked around with this message at 01:58 on Feb 25, 2011

Tremblay
Oct 8, 2002
More dog whistles than a Petco

CaptainGimpy posted:

6509 at the core, with stacked switches (they're just interconnected). They're just connected via 1 gig....with VLAN 1 everywhere except for 30 or so users. There's close to 1,000 devices on the network.

Good news! When you've unfucked that mess you'll see some great reductions in CPU utilization. :) Not the worst I've seen btw. SVI VLAN 1 with 30 secondary addresses attached. Then the brain donors decided to try and implement clean access. :(

Eyecannon
Mar 13, 2003

you are what you excrete

Powercrazy posted:

What you might try is downloading the image, zeroing out the CF card and then using dd to do a "raw" copy to the CF card. The rommon can't understand fat32, but will understand RAW mode.

The problem is that I can't dd something that doesn't have a proper device assignment... I'm thinking that the CF card is bad.

Gunshow Poophole
Sep 14, 2008

Is there anywhere to download the latest Cisco VPN Client without having a big fancy account? I'm looking to access my shared drive at work from my personal computer.

I don't know if this counts as a :filez: question because although it says the VPN client is "free", it requires logging in to Cisco's secure servers to download.

captaingimpy
Aug 3, 2004

I luv me some pirate booty, and I'm not talkin' about the gold!
Fun Shoe

Tremblay posted:

Good news! When you've unfucked that mess you'll see some great reductions in CPU utilization. :) Not the worst I've seen btw. SVI VLAN 1 with 30 secondary addresses attached. Then the brain donors decided to try and implement clean access. :(

That's not even the whole story....the DHCP server is an AD box with a massive file share on it. It had not been rebooted in a year. It had been screaming about a checkdisk that they didn't want to do, due to them being scared that it would be down too long. We rebooted the box, ran the checkdisk...everything seemed fine. The next morning we get word that a ton of files are missing. There was some piece of software that ran as a service that provided "backups". The software deleted all the files of a local share, then copied files from the "server". One of the admins stopped the service, but didn't disable it. During the last year they had retired the "server", moved the share over to the AD box. Hilarity ensued.

n0tqu1tesane
May 7, 2003

She was rubbing her ass all over my hands. They don't just do that for everyone.
Grimey Drawer

Stew Man Chew posted:

Is there anywhere to download the latest Cisco VPN Client without having a big fancy account? I'm looking to access my shared drive at work from my personal computer.

I don't know if this counts as a :filez: question because although it says the VPN client is "free", it requires logging in to Cisco's secure servers to download.

Only way I know is if you have a CCO account.

HOWEVER, there are plenty of other clients that will connect to an IPsec VPN. I've used the ShrewSoft VPN client in the past.

http://www.shrew.net/download

Tremblay
Oct 8, 2002
More dog whistles than a Petco

CaptainGimpy posted:

That's not even the whole story....the DHCP server is an AD box with a massive file share on it. It had not been rebooted in a year. It had been screaming about a checkdisk that they didn't want to do, due to them being scared that it would be down too long. We rebooted the box, ran the checkdisk...everything seemed fine. The next morning we get word that a ton of files are missing. There was some piece of software that ran as a service that provided "backups". The software deleted all the files of a local share, then copied files from the "server". One of the admins stopped the service, but didn't disable it. During the last year they had retired the "server", moved the share over to the AD box. Hilarity ensued.

I hate being a highly paid janitor some days.

ruro
Apr 30, 2003

Tremblay posted:

I hate being a highly paid janitor some days.

Me too. That's why I drink. Well, that and NAC.

Harry Totterbottom
Dec 19, 2008

jwh posted:

I guess the new ACS 5 can be ordered as a vmdk, which is a nice idea.

I still haven't researched which features are missing from 5.x versus 4.2. Hopefully nothing that will ruin me.

Now if they would just knock 50% off the cost it would be perfect (and I could convince the CIO to sign the PO for it).

jwh
Jun 12, 2002

Off-topic: but has anybody had any experience with Springsource as a consulting outfit?

On-topic: who got hurt by the Tata route leakage yesterday? :)

Ginger Beer Belly
Aug 18, 2010

Grimey Drawer

jwh posted:

On-topic: who got hurt by the Tata route leakage yesterday? :)

It really confused some path testing I was doing. I stopped advertising a prefix through all upstreams, then started re-advertising it through one upstream, and got very confused seeing the traceroute go into as6453.net.

I didn't know that their route leakage was the problem until I saw your post. :downs:

jwh
Jun 12, 2002

For a while everything was ending up in London, which was kinda neat.

Ginger Beer Belly
Aug 18, 2010

Grimey Drawer

Tremblay posted:

Good news! When you've unfucked that mess you'll see some great reductions in CPU utilization. :) Not the worst I've seen btw. SVI VLAN 1 with 30 secondary addresses attached. Then the brain donors decided to try and implement clean access. :(

Is this purely due to traffic originating on VLAN 1 and going back out via the secondaries? Or are there punted paths inherent in just the use of secondaries?
