Hi,
Today I have been looking for a good table of the privilege levels in Comware 7. Within ClearPass you can return a priv-level within the TACACS+ authentication.
This table is also known as the RBAC table.
Here is the table I was looking for:
User role name | Level | Permissions
network-admin | - | Accesses all features and resources in the system.
network-operator | - | Accesses all display commands for all features and resources in the system. Enables local authentication users to change their passwords.
level-n (0 to 15) | 0 | Has access to diagnostic commands like tracert and ping. These are configurable.
level-n (0 to 15) | 1 | Has all rights of level 0 plus display commands for all resources in the system.
level-n (0 to 15) | 2-8, 10-14 | No rights by default.
level-n (0 to 15) | 9 | Has all rights to all features and resources except RBAC, local users, file management and device management.
level-n (0 to 15) | 15 | Has all rights except changing local users with the network-admin or network-operator role.
Found this in the tech docs of Meru.
Via CLI commands on the Meru controller CLI
To enable the station log while in the Meru controller CLI, enter these commands:
Enter the interactive per-station event logging shell:
wlan-controller # station-log
After entering "station-log" the prompt will change to "station-log>", at which point the following commands can be entered (where <MAC address> is the station's MAC address containing colons):
station-log> station add <MAC address>
At this point, the Meru controller will display information about the specified station(s), specifically debug messages for the station's 802.11 connection.
station-log> enable
station-log> station del <MAC address>
station-log> disable
station-log> quit
Via Meru Controller Web UI
The station log for a specific station can also be obtained via the Meru controller Web UI under Monitor > Diagnostics > Station.
1. Enter MAC address containing colons and click on "Start Diagnostics".
2. Select "Station Diagnostics".
3. To disable logging of the station log, click on "Stop Diagnostics".
Works great!
URL of the KB: http://kb.fortinet.com/kb/viewContent.do?externalId=FD38775&sliceId=1
Hi,
I ran into a bug today with a wireless controller of Meru. The customer had a wireless network with 802.1X authentication with reauthentication.
Within the access tracker I saw a lot of rejects from this controller.
Radius:IETF:Called-Station-Id %mac%
Radius:IETF:Calling-Station-Id %mac%
Radius:IETF:Connect-Info CONNECT Unknown Radio
Radius:IETF:Framed-MTU 1250
Radius:IETF:NAS-IP-Address %IP% from meru controller
Radius:IETF:NAS-Port 0
Radius:IETF:NAS-Port-Type 19
Radius:IETF:Service-Type 1
Radius:IETF:User-Name %mac same as Calling station ID%
After a while I figured out that in the security profile both "MAC Auth Primary RADIUS Profile Name" and "MAC Auth Secondary RADIUS Profile Name" were filled in.
"MAC Filtering" was configured as off, so if I wanted to change this I needed to turn it on, change it to no RADIUS and set it back to off. The Meru controller did nothing with this change.
Through the CLI I also tried the following commands under the security profile:
no mac-filter-radius-server primary
no mac-filter-radius-server secondary
But when you exit, you receive the following error:
Error:Acl Environment state and MAC Primary and Secondary Radius Profile valid only if mac filtering is on
So I created a new security profile, assigned it to the ESS of the network with the issue, and the rejects disappeared.
PS: After applying the new security profile every client needs to re-authenticate.
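As an added example (not from the post), this is the check I would run over exported access-tracker records to spot a NAS that is sending MAC-authentication requests on an 802.1X network: the User-Name equals the Calling-Station-Id, exactly the signature in the attribute listing above. The attribute-per-line layout is assumed from that listing; the MACs and addresses are constructed placeholders.

```python
import re

# Constructed access-tracker style records in the attribute-per-line form quoted
# above, separated by blank lines; the MACs and IPs are placeholders.
SAMPLE_LOG = """
Radius:IETF:Calling-Station-Id 10-20-30-40-50-60
Radius:IETF:Connect-Info CONNECT Unknown Radio
Radius:IETF:NAS-IP-Address 192.0.2.10
Radius:IETF:NAS-Port-Type 19
Radius:IETF:Service-Type 1
Radius:IETF:User-Name 102030405060

Radius:IETF:Calling-Station-Id 10-20-30-40-50-61
Radius:IETF:NAS-IP-Address 192.0.2.10
Radius:IETF:Service-Type 2
Radius:IETF:User-Name alice@example.com
"""

def parse_records(text):
    """Split the log into records, each a dict of attribute name -> value."""
    records, current = [], {}
    for line in text.strip().splitlines():
        if not line.strip():
            records.append(current)
            current = {}
            continue
        attr, _, value = line.strip().partition(" ")
        current[attr.rsplit(":", 1)[-1]] = value
    records.append(current)
    return records

def normalize_mac(value):
    """Return the 12 hex digits of a MAC written with :, - or . separators, else None."""
    digits = re.sub(r"[:\-.]", "", (value or "").lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_mac_auth_request(rec):
    """True when User-Name is the client's own MAC: a MAC-auth request, not an 802.1X/EAP one."""
    user = normalize_mac(rec.get("User-Name"))
    return user is not None and user == normalize_mac(rec.get("Calling-Station-Id"))

def mac_auth_by_nas(text):
    """Count MAC-auth style requests per NAS-IP-Address, so a controller that
    unexpectedly sends them (as in the post) stands out."""
    counts = {}
    for rec in parse_records(text):
        if is_mac_auth_request(rec):
            nas = rec.get("NAS-IP-Address", "?")
            counts[nas] = counts.get(nas, 0) + 1
    return counts
```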
Hi,
Today I ran into a problem with RADIUS authentication on an ArubaOS-Switch for management.
The switch was an Aruba 2530 with SSH configured to authenticate against a ClearPass cluster with PEAP-MSCHAPv2.
The error I got in ClearPass was "Client did not complete EAP transaction", and in the logs there was no inner method available.
So the switch was configured this way:
aaa authentication web login peap-mschapv2 local
aaa authentication web enable radius local
aaa authentication ssh login peap-mschapv2 local
aaa authentication ssh enable radius local
After some looking I found out that the time on the switch was running behind and that the SNTP configuration was not correct. So I changed it to the correct config and let it sync.
Now the authentication completed as normal and I could log in over SSH.
Today the latest version of ArubaOS-Switch was released for the 5400 and the 3810M switches.
You can find the release notes here: http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=a00007008en_us
It now supports /31 subnets!
I had to make a site-to-site IPsec connection between a Juniper SRX and a Fritz!Box.
The configuration is not that easy on the Fritz!Box, so I will post the configurations of both devices here.
Things to remember:
- Fritz!Box: you can't use the 192.168.178.0/24 subnet for your internal network; the tool below doesn't let you.
- Fritz!Box: you can use the tool made available by AVM to generate your own config for the Fritz!Box. You can download it from: https://en.avm.de/service/vpn/overview/
- Juniper SRX: add the tunnel interface to a security zone!
You can change the proposals in the Fritz!Box config to the following:
IKE:
http://www.ebsa.nl/data/_uploaded/media/ike_1.pdf
IPsec:
http://www.ebsa.nl/data/_uploaded/media/ipsec_2.pdf
The config of the Fritz!Box VPN connection is done in the following menu:
Internet -> Permit Access : Tab VPN
Juniper:
interfaces { security-zone vpn-1 {

Fritz!Box:
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "vpn-to-srx";
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = %ip-of-SRX%;
        remote_virtualip = 0.0.0.0;
        localid {
            ipaddr = %Local-External-IP%;
        }
        remoteid {
            ipaddr = %ip-of-SRX%;
        }
        mode = phase1_mode_aggressive;
        phase1ss = "def/3des/sha";
        keytype = connkeytype_pre_shared;
        key = "KEY";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.120.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.1.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-all/comp-all/pfs";
        accesslist = "permit ip any 192.168.1.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}
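As an added example (my code, not AVM's tool or the post's), a small parser for the vpncfg syntax above plus an audit of the settings a reviewer would flag before accepting this tunnel: aggressive mode with a pre-shared key, 3DES in phase1ss, and the catch-all esp-all-all phase2ss. The sample is a constructed, shortened excerpt with placeholder values; reading "esp-all-all" as "any ESP algorithm" follows AVM's naming of the selectors.

```python
import re

# Constructed excerpt in the vpncfg syntax shown above (placeholder values, cut down to the audited settings).
SAMPLE = """
vpncfg {
    connections {
        name = "vpn-to-srx";
        mode = phase1_mode_aggressive;
        phase1ss = "def/3des/sha";
        keytype = connkeytype_pre_shared;
        phase2ss = "esp-all-all/ah-all/comp-all/pfs";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}
"""
TOKEN = re.compile(r'"[^"]*"|[{}=;,]|[^\s"{}=;,]+')

def parse_vpncfg(text):
    """Parse the brace / key = value; syntax into nested dicts (lists for comma-separated values)."""
    tokens, pos = TOKEN.findall(text), 0

    def block():
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key, sep = tokens[pos], tokens[pos + 1]
            pos += 2
            if sep == "{":
                out[key] = block()
                pos += 1  # skip the closing brace
            elif sep == "=":
                vals = []
                while tokens[pos] != ";":
                    if tokens[pos] != ",":
                        vals.append(tokens[pos].strip('"'))
                    pos += 1
                pos += 1  # skip the semicolon
                out[key] = vals[0] if len(vals) == 1 else vals
            else:
                raise ValueError("unexpected token %r after %s" % (sep, key))
        return out
    return block()

def audit_connection(conn):
    """Return the weak settings found in one connections {} block."""
    findings = []
    if conn.get("mode") == "phase1_mode_aggressive" and conn.get("keytype") == "connkeytype_pre_shared":
        findings.append("aggressive mode with a pre-shared key: the identity and PSK-derived hash travel unencrypted")
    if "3des" in conn.get("phase1ss", ""):
        findings.append("phase1ss uses 3DES, a deprecated cipher")
    if conn.get("phase2ss", "").startswith("esp-all-all"):
        findings.append("phase2ss esp-all-all accepts whichever ESP cipher and integrity algorithm the peer offers")
    return findings
```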
Hi,
There is a new HCL released, version 2.0.2.1. You can download it from the HCL page!