[c-nsp] Cisco 2600 with async NM-32 sending wrong characters

Youssef Bengelloun-Zahr youssef at 720.fr
Thu Jun 3 06:02:02 EDT 2010


Here is the output from a switch, but it's the same for all of the equipment:

aaa new-model
aaa group server radius radius-interne
 server X.X.X.X
 server X.X.X.X
!
aaa authentication login default group radius-interne enable
aaa authentication enable default enable
aaa authorization exec default group radius-interne local if-authenticated
enable secret 5 *striped_chain*
!
line con 0
 no exec
 exec-timeout 0 0
 password 7 *striped_chain*
 logging synchronous
 transport preferred telnet
 stopbits 1
!

SW1.IX1#sh line console 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0     -

Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 1 stopbits, 8 databits
Status: Ready
Capabilities: EXEC Suppressed
Modem state: Ready
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
                never         never                        none     not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: 01:21:02
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed transports are telnet.  Preferred is telnet.
No output characters are padded
No special data dispatching characters


Y.



2010/6/3 Ziv Leyes <zivl at gilat.net>

> I'm more concerned about what do you have configured on the console port of
> your core routers and less on your console router itself.
> Could you please post a config of the aaa settings of a core router as well
> as the con 0 config?
> Ziv
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Youssef Bengelloun-Zahr
> Sent: Wednesday, June 02, 2010 3:23 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco 2600 with async NM-32 sending wrong characters
>
> Dear List,
>
> I have just installed an Out Of Band network in case of major crashes for
> our company.
>
> The architecture is the following :
>
> 3 Cisco 2600 routers geared with async NM32 modules and octal cables. Each
> console is connected to the console port of my backbone routers.
>
> The routers are NATed behind another ISP DSL line. Such kind of OOB network
> comes in handy sometimes ;-)
>
>
> My core routers are configured to authenticate with our internal radius
> servers before falling back to the enable password, just in case. Here is
> what I have started seeing in my RADIUS logs :
>
> *** Received from X.X.X.X port 47832 ....
> Code:       Access-Request
> Identifier: 83
> Authentic:  <221>r<176>Z<189><221><25><8><142>T<20>b<244>S<176>O
> Attributes:
>        User-Name = *"CONS1.IX1>"*
>        User-Password = "<161><2><22>s[jR<217>\<245>R<217><25><129><197><137>^<213>7<220><27>5=h,<192><158>9<1>T<31><196>"
>        NAS-IP-Address = X.X.X.X
>
> Wed Jun  2 01:40:19 2010: DEBUG: Handling request with Handler ''
> Wed Jun  2 01:40:19 2010: DEBUG:  Deleting session for CONS1.IX1>, X.X.X.X,
> Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL
> Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL:
> Wed Jun  2 01:40:19 2010: DEBUG: Query is: 'SELECT password, is_staff,
> is_staff FROM auth_user WHERE username='CONS1.IX1>' AND is_active IS TRUE':
> Wed Jun  2 01:40:19 2010: DEBUG: *Radius::AuthSQL looks for match with
> CONS1.IX1> [CONS1.IX1>]
> Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthSQL REJECT: No such user:
> CONS1.IX1> [CONS1.IX1>]
> Wed Jun  2 01:40:19 2010: DEBUG: AuthBy SQL result: REJECT, No such user*
> Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthFILE:
> Wed Jun  2 01:40:19 2010: DEBUG: Reading users file
> /etc/radiator/users-interne
> Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE looks for match with
> CONS1.IX1> [CONS1.IX1>]
> Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE REJECT: No such user:
> CONS1.IX1> [CONS1.IX1>]
> Wed Jun  2 01:40:19 2010: DEBUG: AuthBy FILE result: REJECT, No such user
> Wed Jun  2 01:40:19 2010: INFO: Access rejected for CONS1.IX1>: No such
> user
> Wed Jun  2 01:40:19 2010: DEBUG: Packet dump:
> *** Sending to 77.246.80.138 port 47832 ....
> Code:       Access-Reject
> Identifier: 83
> Authentic:  <221>r<176>Z<189><221><25><8><142>T<20>b<244>S<176>O
> Attributes:
>        Reply-Message = "Request Denied"
>
>
> *** Received from X.X.X.X port 52229 ....
> Code:       Access-Request
> Identifier: 181
> Authentic:  z5<183>6L<27>z`<191><221><22><6><213><20><13><143>
> Attributes:
>        User-Name = *"CONS2.IX1> ### Login failed"*
>        User-Password = "UP<214><250><11><158>%<245><251>jJ<195>M<145>c<2>"
>        NAS-IP-Address = X.X.X.X
>
> Wed Jun  2 01:40:19 2010: DEBUG: Handling request with Handler ''
> Wed Jun  2 01:40:19 2010: DEBUG:  Deleting session for CONS2.IX1> ### Login
> failed, X.X.X.X,
> Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL
> Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL:
> Wed Jun  2 01:40:19 2010: DEBUG: Query is: 'SELECT password, is_staff,
> is_staff FROM auth_user WHERE username='CONS2.IX1> ### Login failed' AND
> is_active IS TRUE':
> Wed Jun  2 01:40:19 2010: DEBUG: *Radius::AuthSQL looks for match with
> CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
> Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthSQL REJECT: No such user:
> CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
> Wed Jun  2 01:40:19 2010: DEBUG: AuthBy SQL result: REJECT, No such user*
> Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthFILE:
> Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE looks for match with
> CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
> Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE REJECT: No such user:
> CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
> Wed Jun  2 01:40:19 2010: DEBUG: AuthBy FILE result: REJECT, No such user
> Wed Jun  2 01:40:19 2010: INFO: Access rejected for CONS2.IX1> ### Login
> failed: No such user
> Wed Jun  2 01:40:19 2010: DEBUG: Packet dump:
>
>
> Where :
>
> - X.X.X.X is the source ip address of my core equipment used to reach the
> internal RADIUS servers
>
> - CONS1.IX1 and CONS2.IX1 are my console routers' names.
>
>
> The consoles keep on flooding the RADIUS servers with such requests
> continuously. For your information, we have been using these console
> routers for years now, but they were connected directly to the backbone
> until tonight.
>
> Here is the output of a sh version of the consoles :
>
> CONS1.IX1#sh version
> Cisco Internetwork Operating System Software
> IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.2(46a), RELEASE SOFTWARE
> (fc1)
> Copyright (c) 1986-2007 by cisco Systems, Inc.
> Compiled Wed 11-Jul-07 20:22 by pwade
> Image text-base: 0x8000808C, data-base: 0x812948AC
>
> ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
>
> CONS1.IX1 uptime is 1 hour, 51 minutes
> System returned to ROM by reload
> System image file is "flash:c2600-ik9s-mz.122-46a.bin"
>
>
> This product contains cryptographic features and is subject to United
> States and local country laws governing import, export, transfer and
> use. Delivery of Cisco cryptographic products does not imply
> third-party authority to import, export, distribute or use encryption.
> Importers, exporters, distributors and users are responsible for
> compliance with U.S. and local country laws. By using this product you
> agree to comply with applicable laws and regulations. If you are unable
> to comply with U.S. and local laws, return this product immediately.
>
> A summary of U.S. laws governing Cisco cryptographic products may be found
> at:
> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>
> If you require further assistance please contact us by sending email to
> export at cisco.com.
>
> cisco 2621 (MPC860) processor (revision 0x102) with 60416K/5120K bytes of
> memory.
> Processor board ID JAD04290CT0 (2953820044)
> M860 processor: part number 0, mask 49
> Bridging software.
> X.25 software, Version 3.0.0.
> 2 FastEthernet/IEEE 802.3 interface(s)
> 32 terminal line(s)
> 32K bytes of non-volatile configuration memory.
> 16384K bytes of processor board System flash (Read/Write)
>
> Configuration register is 0x2102
>
>
> Here is my template of configuration :
>
>
> version 12.2
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname CONS3.IX1
> !
> aaa new-model
> aaa authentication login default local enable
> aaa authorization exec default local
> enable secret 5 $1$B6xi$Wvur3lYfDVqH8Ztaq9dg51
> !
> username XXXX privilege 15 password 7 120E041C131F09142F29252A3C202C
> ip subnet-zero
> ip cef
> !
> !
> no ip domain-lookup
> ip domain-name XXXXX
> ip host LOCALHOST 192.168.0.1
> ip name-server XXX.XXX.XXX.XXX
> ip name-server XXX.XXX.XXX.XXX
> !
> ip ssh time-out 60
> !
> call rsvp-sync
> !
> !
> !
> !
> !
> !
> !
> !
> interface FastEthernet0/0
>  description Link to Freebox
>  ip address 192.168.0.1 255.255.255.0
>  duplex auto
>  speed auto
>  no shut
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 192.168.0.254
> no ip http server
> !
> !
> menu login text 1 se connecter sur BB1.IX1-SUP1
> menu login command 1 telnet LOCALHOST 2033
> menu login text 2 se connecter sur BB1.IX1-SUP2
> menu login command 2 telnet LOCALHOST 2034
> menu login text 3 se connecter sur LNS1.IX1
> menu login command 3 telnet LOCALHOST 2035
> menu login text 4 se connecter sur LNS2.IX1
> menu login command 4 telnet LOCALHOST 2036
> menu login text 5 se connecter sur FW1.IX1
> menu login command 5 telnet LOCALHOST 2037
> menu login text 6 se connecter sur FW2.IX1
> menu login command 6 telnet LOCALHOST 2038
> menu login text 7 se connecter sur FW3.IX1
> menu login command 7 telnet LOCALHOST 2039
> menu login text 8 se connecter sur LNS7.IX1
> menu login command 8 telnet LOCALHOST 2040
> menu login text 0 sortir du menu
> menu login command 0 menu-exit
> !
> dial-peer cor custom
> !
> !
> !
> !
> !
> line con 0
> line 33 64
>  exec-timeout 0 0
>  no exec
>  transport input all
>  escape-character 3
>  stopbits 1
> line aux 0
> line vty 0 4
>  exec-timeout 30 0
>  logging synchronous
>  transport input ssh
> !
> ntp server XXX.XXX.XXX.XXX
> ntp server XXX.XXX.XXX.XXX
> end
>
>
> Any ideas as to what my problem might be?
>
> Thanks in advance.
>
> Best regards.
>
> Y.
>
> --
> Youssef BENGELLOUN-ZAHR ..................
> Ingénieur Réseaux et Télécoms
>
>
> Technopole de l'Aube  en Champagne - BP 601 - 10901 TROYES  Cedex 9
> Agence Paris : 6, rue Charles Floquet - 92120 MONTROUGE
> Tel                 +33 (0) 825 000 720
> Tel. direct      +33 (0) 1 77 35 59 14
> Tel. portable  +33 (0) 6 22 42 63 80
> Email            ybz at 720.fr
> ...................................www.720.fr
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
>



-- 
Youssef BENGELLOUN-ZAHR ………………………………………………
Ingénieur Réseaux et Télécoms


Technopole de l'Aube  en Champagne - BP 601 - 10901 TROYES  Cedex 9
Agence Paris : 6, rue Charles Floquet - 92120 MONTROUGE
Tel                 +33 (0) 825 000 720
Tel. direct      +33 (0) 1 77 35 59 14
Tel. portable  +33 (0) 6 22 42 63 80
Email            ybz at 720.fr
……………………………………………………………………………….....www.720.fr


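A detection check for the RADIUS-side symptom shown in the thread, added here as an example and not part of the original post: it parses Radiator-style packet dumps and flags Access-Requests whose User-Name is really an IOS EXEC prompt (hostname followed by `>` or `#`, sometimes with text echoed after it such as "### Login failed"), which is what a console line whose two ends both run an EXEC produces. The log excerpt and the addresses in it are constructed.

```python
import re
from collections import Counter

# Constructed excerpt in the Radiator debug format quoted in the thread.
SAMPLE_LOG = """\
*** Received from 192.0.2.10 port 47832 ....
Code:       Access-Request
Identifier: 83
Attributes:
       User-Name = "CONS1.IX1>"
       NAS-IP-Address = 192.0.2.10

*** Received from 192.0.2.10 port 52229 ....
Code:       Access-Request
Identifier: 181
Attributes:
       User-Name = "CONS2.IX1> ### Login failed"
       NAS-IP-Address = 192.0.2.10

*** Received from 192.0.2.11 port 1645 ....
Code:       Access-Request
Identifier: 7
Attributes:
       User-Name = "jdoe"
       NAS-IP-Address = 192.0.2.11
"""

# An IOS EXEC prompt: hostname, then '>' (user mode) or '#' (privileged mode),
# optionally followed by whatever the far end echoed after the prompt.
PROMPT_RE = re.compile(r"^[\w.\-]+[>#](\s.*)?$")
USER_RE = re.compile(r'User-Name\s*=\s*"([^"]*)"')
NAS_RE = re.compile(r"NAS-IP-Address\s*=\s*(\S+)")


def is_prompt_username(name):
    """True when the User-Name looks like a device prompt, not a person."""
    return PROMPT_RE.match(name) is not None


def parse_requests(log):
    """Yield (nas_ip, user_name) for each Access-Request packet dump."""
    for block in log.split("*** Received from")[1:]:
        if not re.search(r"Code:\s*Access-Request", block):
            continue
        user, nas = USER_RE.search(block), NAS_RE.search(block)
        if user and nas:
            yield nas.group(1), user.group(1)


def find_console_loops(log):
    """Prompt-like usernames per NAS; a NAS with many is talking to another EXEC."""
    hits = Counter(nas for nas, user in parse_requests(log) if is_prompt_username(user))
    return dict(hits)
```

Run it over the real RADIUS debug log and the NAS addresses it returns are the core routers whose console ports are receiving another device's prompt as keyboard input.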