I inherited a Ciscoworks installation, and would like to create a credential set for a certain class of device. However, after searching around the interface and documentation, I cannot find instructions on how to add a credential set with certain snmp, ssh, credentials. We use ACS authentication and authorization?
View 1 Replieswhen running Credential Verification Report, I get following notification: "None of the devices have credential verification data".I have made different Default Device Credential sets that I'm using when I add devices to LMS. I could not see wether this is bug in LMS 4.1 or if I have to do this a different way?
View 1 Replies View RelatedWe migrated to LMS4.2 and i created new credential set and set it as the default. However, the new cdredential set applies only to newly added devices no to the migrated devices. for example when i run device credential verfication for a migrated device, the username used my LMS is "cwuser" as opposed to the one i created with the new credential sets. how can i make this new credentila set be applicable to all devices?
View 3 Replies View Relatedi get for all devices telnet credential failed in my credential verification report. I exported the device from the Device Manager into a csv file to verify the correct passwords.The export shows the correct values in
<DEVATTRIB Name="primary_username">cwuser</DEVATTRIB>
<DEVATTRIB Name="primary_password">secretpassword</DEVATTRIB>
I have a problem with my AnyConnect clients connecting to an AD network via a 5510. Anyconnect VPN clients provide AD plus a one time passcode to authenticate to the 5510. This works fine apart from 3 things:
1. Once the VPN session has been established the user is further prompted for AD credentials when accessing an AD share for the first time. Once they provide the credentials the share can be accessed. Should the AD credentials not be passed through when the VPN connection is established? Or is this by design? What makes me think it's not be design is the fact that this could be related to problem 2.
2. Group Policy Update (windows gpupdate) fails. This again suggests to me that the full client/server relationship is not fully in tact.
3. In order to get Outlook to connect to exchange I've had to change Outlooks security settings from Negotiate (which would naturally choose Keberors), to NTLM. Not sure if this is related or not.
Note: DNS is functioning with out any problems
Maybe the first 2 issues are by design, but I thought the whole idea behind the AnyConnect VPN was that the remote machine would function as if connected to the LAN?
I recently installed and configured the Prime LMS 4.1 Soft Appliance. After discovering the devices on the network I ran a credential verification check on everything. All of my devices passed accept for the Nexus 7010s and Nexus 5020s -- these show up in the failed device report with a BLANK value for SSH and "Did Not Try" under Enable by SSH. I have verified SSH is enabled and accessible outside of Prime, and that there are no access lists preventing access. All other tests pass for these devices.
I've also visited the troubleshooting workflow section for these devices, and when I test the connectivity, SSHv2 passes.
I've downloaded all of the updates available for the device packages and have tried other credentials. All other aspects seem to be working properly.
I have a case for an LMS 4.0 running in a Live environement (With devices already discovered and organized into seperate groups), where the Device Credential and repository DCR is showing suddenly as empty and only i can see the groups listed, but without any devices in them (Through Inventory > Device Administration > Add/Import/Manage Devices).After a restart of the whole LMS server a few weeks ago, the problem was fixed and the devices appeared again, but now the same issue re-appeared.
View 5 Replies View RelatedI use windows 7 pro 64, and just in this last month (which makes me think a windows update is responsible) I got a problem where restarting my pc or any bootup causes the internet to break. By that, I mean that all of my devices are recognized and peripherals such as phones & ps3 can use the internet, but my PC has broken functionality.In the prompt at left, I have run ipconfig twice. The first time is immediately after a restart. The second time, about halfway down, is after manually reinstalling my realtek ethernet drivers. It does not matter which version I install, only that it is done manually: then the internet works: It appears that every reboot sets my default gateway to 0.0.0.0, which is of course incorrect. How do I stop this from happening?
View 5 Replies View RelatedI'm having issue with 881W router. this router doesnt let me logon to it after I restart the router and enter correct credentials. after being at the router - it doesn't let me logon to its AP module even after adding correct credentials. I've changed 2 routers so far but see same issue.
try to setup up credentials using: username <username> privilege 15 secret 0 <password> or username <username> priviledge 15 password 0 <password>
I have a small home with two clusters of 2-3 devices which use the Internet - one ground floor, south corner, and the other top floor, north corner. I have a wireless router (Netgear N750) in the ground floor south connected to my cable modem. All devices in the area of the existing router are plugged into it (Cat5 cable). The devices in the top-north corner use wireless to communicate with the down-south router.
Running cable drops is not in scope for me, as we have a finished basement and I would have to blind drill horizontally across 50' of flooring and joists.
Tried running cabling through heat vents using a wireless camera mounted to a cable puller and all I did was discover some areas of my home that appeared to be four-dimensional. Attic not accessible in locations required for cable drops.Tried powerline devices and performance was much worse than wireless - I know that's a major YMMV situation but the Netgear ones I tried had like 5 Mbps connection rates. I also could not connect from other outlets - I have read if you had electrical work installed and have new lines run it can impact powerline performance. That may be the case in my home.
My questions:
A. I have OK to poor signal strength in top-north and top rate is ~ 150 MBps off what is supposed to be 300N router. Would I get better performance if I installed a wireless router in top-north and connected the top-north devices to it? Down-south performance is fine so it's not the cable modem/internet connection.
B. I believe I'd set top-north router up as a wireless client. I've experimented with Tomato and DD-WRT but don't know how to evaluate. Any tradeoffs I should know about?
C. Any networking changes I should consider if I go with such a topology? (MTU, who does DNS, etc). Currently use router as source for DHCP and DNS lookups. Should I limit which router wireless devices may connect with?
I am trying to solve this problem without success so far. I have fresh ACS 4.2.15 patch 5 ACS installation and I am tryng to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. Problem is when I try to create fine grained policies using network device groups and shell authorization sets.
I have created shell authorization sets called ReadOnly and FullAccess. I have also created NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwithcesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign Shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
One thing that I have noticed is that if I assign shell command authorization set to any device ( in user group settings ) it works fine. Or if I create association with DEFAULT NDG in user group it also works. So my conclusion is that ACS for some reason does not associate my switch with correct group but rather puts it to DEFAULT group for some reason.
I have everything working on a new 5.2 ACS but:I can only make a command set that permits things and denies all.I thought with the check box. Permit any command that is not in the table below" one could allow all and specifically deny commands.and that would allow the user to do all commands except for conf and set. But it doesn't seem to adminstratively block it, it allows them to still "conf" for instance.
Then it works as expected, it allows the commands that are permitted and denying all unspecified commands.I know I am in the right command set because the changes I make are reflected immediately.Can someone test the "Permit any command that is not in the table below' and tell me if it works? I can make it work with the unchecked box, sure, but it would be nice to get it to work.
how to map my command shells that I created to the access policies under Default Device Admin/Authorization. All I get an option for is Shell Profile but not commands. See attached doc.ACS 4.2 was easy.. I would just create a command set and apply to a group.
View 5 Replies View RelatedI have a group of five computers at one end of my home office and another group of four computers across the same room. All are hardwired on the same internal network. These cannot be consolidate or moved into one corner or closet. There just is not the space and it's just physically not possible.There is one Internet router as provided by the local cable company. I have this connected to a LinkSys WRT54G2 broadband router. A Netgear DS108 8-port hub is connected the LinkSys. All computers either connect to the Netgear hub or to the LinkSys router. As of now, the WiFi from the LinkSys router is only ever used by my cell phone while at home.
This set up is annoying. At first I did not mind, but there are cables on the floor that I have to step over. These CAT5 cables connect one set of computers to the LinkSys or Netgear. I have to watch where visitors are walking or stepping to assure they don't trip.How can I keep these computers on the same network and eliminate just those cables crossing the floor of my home office?Should I use WiFi NICs? Would this overwhelm the WiFi on the LinkSys?
I am setting up an ASA550 ver 7.2(3) - does this need upgrading?I have my ISP interfaces setup as primary and backup I have a static route pointing out:route primary 0.0.0.0 0.0.0.0 1.2.3.4 1 Question:Do I put the next static route to be route secondary 0.0.0.0 0.0.0.0 3.4.5.6 254 Will this set a high metric on the secondary route that will only take effect if the primary route is down? I assume I will need to have 2 sets of NAT rules to accommodate the dual ISP's
View 1 Replies View RelatedWhat is supported in terms of running a mixed feature set in a Cisco 3750 switch stack.We are looking at setting up a stack consisting of 5 x 3750V2 and 2 x 3750G. Due to a requirement for full EIGRP we need the IP Services feature set. Is it a supported configuration to run with 2 or 3 switches running the IP Services feature set as stack masters and the others running IP Base? I understand that if stack master priorities were set these switches with the higher feature set could manage the stack and offer IP Services accross the stack. If we were to lose all of the switches running IP Services the stack would drop back to IP Base.I am looking for guidance as to if this is a supported configuration and not in breach of licensing? Is this likely to cause any problem other than above now and for future IOS releases?
View 2 Replies View RelatedCurrently it seems as our 3550's doesn't send traps when bpdu-guard sets a port in err-disable state. Or DFM doesnt recognize it.Is there a way to get a DFM alert when a 3550-port gets into err-disable state?
View 2 Replies View Relatedtrying to perform a RME InventoryCollection job with cwcli inventory I wasn't able to perform this task.
View 2 Replies View RelatedI have problem with device cisco srp 521 , my problem is haw to create two VLAN-s first will be to WAN link, second for Management.
View 2 Replies View RelatedI need to create second VPN in same ASA5505, it has already a VPN to one of our clients. So it alredy have a transformset,cryptomap,policy.Now i need to create new one. i like to create a seperate transformset and crypto map for this 2nd VPN with a new name to identfy very easily.But i have doubt like may it will affect the current VPN? because it has another VPN with another tranformset and cryptomap.......
1) will it affect the current VPN?
2) do i need to create a seperate tranformset and cryptomap? or with same tranformset and cryptomap with different number.....if it possible to create multiple cryptomap then i would like that to create.....
I have an ASA5510 with VPN L2L two operand normally. I need to create another VPN L2L. When you add the 3rd VPN always drop one of those that were operating. What can be?
View 2 Replies View RelatedI need to create a LAG consisting of 4 ports on my SG 300-20.
When I go to create the ports via Port Management - Link Aggregation - LAG Management - LAG1 - Edit and move ports 5,6,13,14 over as LAG Members - Click apply I get Port gi5 belongs to a VLAN. If I try to add them individually I get the same error, i.e. port gi6 belongs to a VLAN, port gi13 belongs to a VLAN, etc..
how to get these ports out of a VLAN?
I'm baffled by a lot of new features of LMS4.2 and seem lost where to start looking.Our client needs to periodically make changes to switches to change their port settings.They have specific descriptions with a certain string. Let's say the description say "Cisco phone".The task is to create either template or ad-hoc Netconfig job that will send changes only to those switchports.
View 2 Replies View RelatedI have a weird problem. I can't create a vpn in windows xp. I click on create a new connection, the connection wizard opens up, I click "connect to the network at my workplace", and this happens mm31z.jpg at Free Image Hosting.I can't select VPN connection. I have no idea what is causing this, maybe a service is not running, I don't know. I tried uninstalling/ reinstalling my network and it did not work.
View 5 Replies View Relatedhow to create ip sec tunnel using these parameters. customer ip where tunnel has to be connected 1.1.1.1
ISAKMP Parameters: (Phase I)
Encryption: AES-256 or 3DES
Authentication Mode: Pre-shared key
[Code]......
I am having a LAN with 30 switches and . Is it possible to create seperate dashlet/dash board to moniter only the uplink trunk ports of Lan Excluding acces ports with LMS 4.2?
View 1 Replies View RelatedI want to create a VPN between two PC's, (the server "Data" and "Remote Desktop" check the topology below), the Router Clabeck (cisco 2811 ) is connected to the internet through int f0/0 using a PPPoE connection and connects all the LAN PC's by PAT to the internet (you can see all the configurations in the Show Run below), the "Remote Desktop" is any PC with internet connection.
F0/1 F0/0
DATA--------------------SW-------------------ROUTER(Cisco 2811)---------------------INTERNET---------------REMOTE DESKTOP
192.168.1.51 192.168.1.254 201.122.53.177 192.168.1.1
Current configuration : 2116 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
[code]....
im trying to create a VPN between a Cisco ASA5510 and an ASR1002 when my Loopback interface is The Source IP . [code]
View 1 Replies View RelatedWe currently run dual ASA 5510's in A/S config on our main campus. We would like to create a VPN tunnel to a branch campus. Trying to decide between a 5505/5510/5512x, We would like to extend many of the capabilities of our network to the branch campus which will be 20-50 users on a 50mb/10mb internet connection.
Domain login
System Center workstation management
Cisco WCS
Shoretel voip
(Cisco NAC?)
Several different VLANs for wireless guest, student traffic, staff traffic, voip traffic, etc. Which device would be best and should we get the security plus license with it?
I woulke like to know is it possible to create a VTI tunnel from my 877 router to my ASA, rather than creating a cryptomap on the router ?
View 1 Replies View RelatedWe are about to move our IT rack to a data centre and will be adding a new Layer 3 (Catalyst 3560) switch beyond our ASA 5510 which will be providing our existing WAN plus another SVI which will be carrying our HSRP range.
I have never configured a switch to use two SVI's before and can't seem to find the relevant docs online.
create a VPN dongle for my office users. I have Cisco ASA 5005 firewall. I want to give them remote access to our intranet but if the user doesn't have the dongle which has the certificate on it he/she can not connect to my office intranet.
View 2 Replies View Relatedon my Active/Stanby ASA5505 has Sec+ License(trial), I can't create more then 3 nameif interface however,
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited 17 days
Failover : Active/Standby 17 days
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled 17 days
AnyConnect Premium Peers : 2 perpetual