Thursday, July 4, 2013

GNS3 Bridge to Local computer problem

I installed GNS3 on my Windows 7 machine and bridged GNS3 to a loopback interface.
I set the same subnet on both the loopback interface and the virtual router interface, but they could not communicate.
I tried lots of methods, including rebooting my machine, restarting GNS3, and enabling and then disabling the Windows firewall; none of them worked.
Finally, I set the GNS3 properties to "always run in administrator mode" and set the compatibility mode to "Windows Vista SP2",
started GNS3,
and everything works fine now!

Tuesday, June 11, 2013

Needs Attention: Radware Authentication with RADIUS Failed!

Recently I ran into a problem with RADIUS authentication on Radware.
The details:
I used two Radware LinkProof appliances as a VRRP pair, using the recommended configuration from the guide.
But the two appliances were separated in VRRP status, because the VR interfaces were all down at that time.
Then I configured RADIUS authentication on both boxes.
The problem appeared: the master LP could not pass RADIUS authentication, but the backup box had no problem.
I captured traffic on the master box and found that when I entered the correct RADIUS account and password, the LP sent them to the RADIUS server and the server returned an access message, but the user still could not pass authentication. In the console interface and the support files I found the message "function failed". Very weird!
At first I thought it was OOM (out of memory), so I tried restarting and upgrading it, but it still did not work......
After a lot of testing I found the cause: when VRRP is not working but the VR status is UP, and at the same time the interface grouping option is enabled, the RADIUS function stops working.
That is why I could pass authentication on the backup box but not on the master box: interface grouping is disabled by default on the backup box.

After working out this problem, another one came up.
I wanted to use a dynamic token with RADIUS authentication. It worked fine the first time, but when I tried to log in a second time, it failed.
For example, I logged into the Radware via HTTP with the dynamic token, then tried to log into the command-line interface via SSH or Telnet a relatively short time later, and it failed.
By capturing and analysing the traffic I found the cause: after the first successful login, for the period set by the "Radius client life time" option, the second authentication request is not sent to the RADIUS server at all. (I had this option set to 3600 seconds.)
So you may ask, why not lower the life time value?
In this case the random password of the dynamic token changes every minute. If I set the value too low, users need to authenticate repeatedly; but if I set it to more than one minute, the next login attempt fails even though the password is correct on the RADIUS server!
This is a contradictory situation.
I have no workaround for this issue, and I have already sought advice from Radware support engineers; they can do nothing...
So I do not recommend using dynamic token authentication on Radware.

Sunday, May 19, 2013

Windows domain authentication failed!!! (Bluecoat)

  Recently a client ran into a problem, a really big problem : (
  They have a Bluecoat ProxySG for access to the internet, and in order to authorize different users they use a Windows domain with Windows Server 2003.
  Everything ran well until ... they upgraded Windows Server 2003 to 2008. Then they began to get complaint phone calls from end users saying they could not browse the internet; when they opened websites they got an "Access Denied" message.
  There were not that many complaints, only about 100 users, but which users hit this problem was random (they have 4,000 end users), so it was actually a big problem.
  We tried to find the root cause of this problem, and found the reason in the Bluecoat KB: https://kb.bluecoat.com/index?page=content&id=FAQ873&actp=search&viewlocale=en_US&searchid=1368960465967

  Then another problem came up: how to solve it! This is the key point!
  I checked the whole KB website and tried all the methods Bluecoat gives. None of them worked.
  After a lot of testing and following the Bluecoat SE's advice, I finally found the way that really works.
  These are my commands:

define condition IWA_SILENT_USERS
    user="NT AUTHORITY\anonymous logon"
    user="AUTORITE NT\anonymous logon"
    user.regex='.+\$$'
end condition

<Proxy>
    realm=AD_Authen condition=IWA_SILENT_USERS deny.unauthorized user.login.log_out(yes)

<Proxy>
    condition=userAgentList authenticate(no) allow
    condition=DoNotAuthDomains authenticate(no) allow

define condition userAgentList
request.header.User-Agent="Microsoft-CryptoAPI"
request.header.User-Agent="MSUpdate"
request.header.User-Agent="AVUpdate"
request.header.User-Agent="iTunes"
request.header.User-Agent="iphone"
request.header.User-Agent="ipad"
request.header.User-Agent="Stocks"
request.header.User-Agent="CFNetwork"
request.header.User-Agent="Windows-Media-Player"
request.header.User-Agent="NSPlayer"
request.header.User-Agent="flash"
request.header.User-Agent="Office"
request.header.User-Agent="webex utiltp"
request.header.User-Agent="241Extra!"
request.header.User-Agent="Acrobat Messages Updater"
request.header.User-Agent="Adobe Log Transport"
request.header.User-Agent="Adobe Update Manager"
request.header.User-Agent="Microsoft BITS"
request.header.User-Agent="Microsoft Data Access Internet Publishing Provider Protocol Discovery"
request.header.User-Agent="Microsoft-CryptoAPI"
request.header.User-Agent="Microsoft-WebDAV"
request.header.User-Agent="Windows-Update-Agent"
request.header.User-Agent="ncsi"
request.header.User-Agent="TMUFE"
end

define condition DoNotAuthDomains
url.domain=msftncsi.com
url.domain=windowsupdate.com
url.domain=crl.microsoft.com
url.domain=mscrl.microsoft.com
url.domain=crl.microsoft.com
url.domain=verisign.com
url.domain=mscrl.microsoft.com
url.domain=watson.microsoft.com
url.domain=trendmicro.com
url.domain=update.nai.com
url.domain=update.symantec.com
url.domain=acs.pandasoftware.com
url.domain=secure.pandasoftware.com
end

After I added these commands to the local policy file, everything went well ...
I think the essential commands are the ones in bold; when I tried adding the other commands on their own, it did not work.
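As an added example (not part of the post and not Bluecoat's own tooling), the following Python script evaluates the three policy conditions above against constructed ProxySG access-log lines, so an administrator can count how many requests are hitting the silent-user case before and after the fix. The log field order and quoting are assumptions (a simplified subset of the default "main" log format), and the user-agent and domain lists are shortened to a few entries from the policy.

```python
import re
import shlex

# Assumed simplified field order: date time c-ip cs-username cs-host cs(User-Agent) sc-status
# Values containing spaces are double-quoted; shlex.split() handles that quoting.
SILENT_USERS = {"NT AUTHORITY\\anonymous logon", "AUTORITE NT\\anonymous logon"}
MACHINE_ACCOUNT = re.compile(r".+\$$")      # same as user.regex='.+\$$' (computer accounts end in '$')
# In CPL, request.header.User-Agent=<string> is a regular-expression (substring) test ...
USER_AGENT_BYPASS = ["Microsoft-CryptoAPI", "Windows-Update-Agent", "ncsi", "Office"]
# ... and url.domain=<domain> matches the domain and any subdomain of it.
DOMAIN_BYPASS = ["msftncsi.com", "windowsupdate.com", "crl.microsoft.com"]


def is_silent_user(user):
    """condition=IWA_SILENT_USERS: anonymous logon or a machine account."""
    return user in SILENT_USERS or MACHINE_ACCOUNT.match(user) is not None


def bypasses_auth(host, user_agent):
    """authenticate(no) rules: User-Agent substring match or domain-suffix match."""
    if any(re.search(re.escape(ua), user_agent) for ua in USER_AGENT_BYPASS):
        return True
    return any(host == d or host.endswith("." + d) for d in DOMAIN_BYPASS)


def classify(line):
    """Return 'bypass', 'silent' or 'user' for one log line (simplified evaluation order)."""
    _date, _time, _client, user, host, user_agent, _status = shlex.split(line)
    if bypasses_auth(host, user_agent):
        return "bypass"   # never challenged, so never produces a bogus identity
    if is_silent_user(user):
        return "silent"   # deny.unauthorized + user.login.log_out(yes): re-challenge the browser
    return "user"


def summarize(log):
    """Count how many requests fall into each class; 'silent' is the symptom to watch."""
    counts = {"bypass": 0, "silent": 0, "user": 0}
    for line in log.splitlines():
        if line.strip():
            counts[classify(line)] += 1
    return counts


# Constructed sample lines, not real customer data.
SAMPLE_LOG = """\
2013-05-15 09:00:01 10.1.2.3 "DOMAIN\\jsmith" www.example.com "Mozilla/5.0" 200
2013-05-15 09:00:02 10.1.2.4 "NT AUTHORITY\\anonymous logon" www.example.com "Mozilla/5.0" 403
2013-05-15 09:00:03 10.1.2.5 "DOMAIN\\WKS0042$" www.example.com "Mozilla/5.0" 403
2013-05-15 09:00:04 10.1.2.6 "-" www.msftncsi.com "Microsoft NCSI" 200
2013-05-15 09:00:05 10.1.2.7 "-" download.windowsupdate.com "Windows-Update-Agent" 200
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))   # {'bypass': 2, 'silent': 2, 'user': 1}
```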

Saturday, May 4, 2013

A small LinkProof problem

  Last night the LinkProof went live with only a very simple forwarding configuration; none of the more complex features such as proximity or A-record resolution were configured.
  But a problem appeared: once the LinkProof was online, the internal interface could not communicate with the downstream firewall. It could not be pinged and no communication session could be established, even though the correct MAC address could be obtained.
  The problem was finally found:
  Because the LinkProof uses a port channel together with VRRP, simply shutting down the affected VR and bringing it up again resolved the problem.
  The root cause is not yet known.

Saturday, January 19, 2013

Bluecoat configuration restore

  Verified on OS version: Bluecoat SGOS 5.10.x
  The Bluecoat archived configuration contains several passwords stored on the device, such as the login account, FTP, RADIUS and LDAP passwords. In the archived configuration file these passwords are encrypted, so when the configuration is imported into a device with a different key/certificate (for example a brand-new device running the same OS version), the passwords cannot be decrypted and the import fails.
  The fix is simple: export the key from the original device and import it into the device that needs the configuration restored.
  Procedure:
  1 Back up the original key
  Enter the CLI, go into configuration mode, and back up the key.
ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)ssl
ProxySG#(config ssl)view keyring
Keyring ID:               configuration-passwords-key
Private key showability:  show
Signing request:          absent
Certificate:              absent

ProxySG#(config ssl)view keypair des3 configuration-passwords-key
  Encryption password: ******
  Confirm encryption password: ******
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F7764081EA599B91

-----END RSA PRIVATE KEY-----
ProxySG#(config ssl)
  Note: the -----BEGIN----- and -----END----- lines of the key must be copied completely; otherwise the import will report that the certificate cannot be recognized.
  2 On the device to be restored, open Configuration > SSL > Keyrings, delete the existing configuration-passwords-key and create a new one with the same name, then paste in the backed-up key (configured as shown in the figure).

  For more details, see https://kb.bluecoat.com/index?page=content&id=KB2880
  Bluecoat KB2880