Recent posts

#21
Security / Re: TACACS+ failed auth attemp...
Last post by deanwebb - February 17, 2024, 09:48:50 PM
Ah-ha!  >:D

There's likely going to have to be a number of other things that got hammered out of CentOS that are still in RHEL.
#22
Security / Re: TACACS+ failed auth attemp...
Last post by config t - February 16, 2024, 11:24:07 AM
Five-year-old Forescout bug that was reintroduced in the OS version we are running.

The appliance tries to use a public key to log in first, fails, and then uses the correct key for the successful attempt.

Add to SSH parameters in switch object: -o PubkeyAuthentication=no
#23
Security / Re: TACACS+ failed auth attemp...
Last post by Otanx - February 15, 2024, 09:46:45 AM
How long is the delay between the last two packets? Is ISE taking too long to return the valid authentication, and devices are timing out? Are the devices configured for multiple tac_plus servers, and those are timing out before it tries the one you are looking at? Also, re-reading your original post, what are the AAA configs on the devices? Is that initial failure coming from the local database, and then it tries tac_plus?

I am not sure how to decrypt an SSH session using Wireshark. You could try enabling telnet to bypass the whole issue of decrypting it, but I doubt it would show you much.

Thanks,
-Otanx
#24
Security / Re: TACACS+ failed auth attemp...
Last post by deanwebb - February 14, 2024, 07:43:40 PM
You may have hit a bug:

https://quickview.cloudapps.cisco.com/quickview/bug/CSCsd58148

Is it configured with login on-failure log?
#25
Security / Re: TACACS+ failed auth attemp...
Last post by config t - February 14, 2024, 06:28:39 PM
Being able to decrypt with wireshark is pretty useful. So is the native PCAP feature on network devices.

I don't see two authentication conversations, just one successful login attempt.

1. NAC SSH -> NAS
2. NAS SSH -> ISE
3. NAS -> ISE Q: Authentication request (username visible)
4. ISE -> NAS A: Give me PW
5. NAS -> ISE Q: PW populates username field (pw visible)
6. ISE -> NAS A: Pass. The other AA parts are fine too.

The only thing I can't see is the client/server conversations inside the SSH tunnel that happen between some of the steps. Is there a way to extract the session key from the DH exchange?

I don't feel like I have enough evidence to point the finger at the NAC or ISE yet. I ruled out the switches because it's happening on the three different platforms.
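As an added illustration of the NAS/ISE leg of the exchange listed above (this is not code from the original post, and it does not touch the SSH tunnel), the following Python parses a TACACS+ packet and strips the RFC 8907 body obfuscation the same way Wireshark does once it is given the shared secret; the session id, key, username, port and remote address are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01            # packet type of the authentication exchange
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in clear; RFC 8907 deprecates this
HDR = "!BBBBII"                   # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: chained-MD5 keystream. It hides the body; it is not a cipher."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def parse_packet(packet, key):
    """Split the 12-byte header and XOR the pad off the body (XOR is symmetric)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HDR, packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(a ^ b for a, b in zip(body, pad))
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}

def parse_authen_start(body):
    """Authentication START (step 3 above): 8 fixed bytes, then user/port/rem_addr/data."""
    action, priv, atype, svc, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):           # variable-length fields, in order
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv, "authen_type": atype, "service": svc,
            "user": user.decode(errors="replace"), "port": port.decode(errors="replace"),
            "rem_addr": rem_addr.decode(errors="replace"), "data": data}

def build_authen_start(session_id, seq_no, key, user, port, rem_addr):
    """Constructed NAS->server START (LOGIN, priv 1, ASCII, service LOGIN), obfuscated."""
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    pad = pseudo_pad(session_id, key, 0xC0, seq_no, len(body))
    obf = bytes(a ^ b for a, b in zip(body, pad))
    return struct.pack(HDR, 0xC0, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body)) + obf

# Constructed sample: the right key recovers the username, the wrong key yields noise.
PKT = build_authen_start(0x1A2B3C4D, 1, b"tac-secret", b"netadmin", b"tty1", b"10.0.0.5")
GOOD = parse_authen_start(parse_packet(PKT, b"tac-secret")["body"])
BAD = parse_authen_start(parse_packet(PKT, b"wrong-key")["body"])
```

The same pad is what protects the password in the CONTINUE packet at step 5, so anyone holding the TACACS+ shared secret (or a capture plus a weak secret) can read it; this is why the key belongs in the same secrets tier as the ISE admin credentials.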
#26
Routing and Switching / Re: Connect to a network devic...
Last post by deanwebb - February 12, 2024, 06:11:18 PM
Basically, the device has two connections: one to the 4G network for normal functionality and then a LAN connection for administrative work.

As such, there are tools on the market to allow "vendor gateways" as you describe so that the customer can permit you access to their network in order to take care of the functions you wish to discharge (password changes, maintenance, things like that) and the vendor gateways can be set up so that you only see what the customer wants to allow you to see - most likely, your devices and only your devices.

This can be accomplished with a VPN as you show here, but the risk is that with the VPN connection, you have access to more of the network. Therefore, using a front end that you access via the Internet and likely passes through a security vendor's cloud, you can be offered a more secure, restricted view. My firm has partnerships with CyberArk and Netskope that offer this kind of functionality through their customers' cloud portals.
#27
Routing and Switching / Connect to a network device by...
Last post by JohnDoe - February 10, 2024, 11:23:19 AM
Hello!

I have a problem I need some help with.

The situation is I have a device that I program with a UI software.
Once programmed it is shipped to panel builders that incorporate the device into a panel.
The panel is then connected to a 4G router.

My device is connected to the router with a LOCAL address. The 4G router has a static IP which connects to the clients process network. Data stored on my device is reached through the public IP of the router of course.

Now the client wants to change passwords on a regular basis on my device for security reasons which is fine.
I need to reach my device with a UI software.
Now, to be able to reach my device, the administrative computer needs to be on the same network as the device itself (the LAN), which means I need to connect directly to the device. I cannot use the public IP of the 4G router for this task.

So the question is: can I set up a VPN-like connection locally on the administrative computer, like setting up a network adapter that the UI software could connect to, "tricking" it into thinking it is connected directly to my device? The adapter the UI would use could be connected to the network adapter used to connect to the process network.

To add some more problems.
I cannot use my computer on the process network. I could only use a virtual machine for this. Located inside the process network.

Please see attached picture  :)
#28
Management Tools / Re: Switch SNMP Connectivity I...
Last post by deanwebb - February 10, 2024, 08:31:50 AM
"We have a password that no machine account can possibly use!"
"You're welcome!"
#29
Management Tools / Re: Switch SNMP Connectivity I...
Last post by icecream-guy - February 09, 2024, 03:08:27 PM
Quote from: Otanx on February 09, 2024, 09:05:05 AM
Most systems won't like some special characters. For linux try to stay away from any quotes " ' ` slashes /\ ampersand & dollar sign $. All of those have special meaning and have to be escaped to work, but it is just easier more secure to not use em at all.

-Otanx


sorry had to do that..  C:-)
#30
Management Tools / Re: Switch SNMP Connectivity I...
Last post by Otanx - February 09, 2024, 09:05:05 AM
Most systems won't like some special characters. For linux try to stay away from any quotes " ' ` slashes /\ ampersand & dollar sign $. All of those have special meaning and have to be escaped to work, but it is just easier to not use em at all.

-Otanx