[c-nsp] Cisco 2600 with async NM-32 sending wrong characters

Ziv Leyes zivl at gilat.net
Thu Jun 3 09:40:16 EDT 2010


In case you have networking problems and want to access a device via console, then I assume it is not so good to need to authenticate other than locally, right?
So in the case of the console you should change the auth to local; there are a few ways to do it, but the easiest one, I guess, will be

line con 0
login authentication local


From: Youssef Bengelloun-Zahr [mailto:youssef at 720.fr]
Sent: Thursday, June 03, 2010 1:02 PM
To: Ziv Leyes
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 2600 with async NM-32 sending wrong characters

Here is the output from a switch, but it's the same for all of the equipment:

aaa new-model
aaa group server radius radius-interne
 server X.X.X.X
 server X.X.X.X
!
aaa authentication login default group radius-interne enable
aaa authentication enable default enable
aaa authorization exec default group radius-interne local if-authenticated
enable secret 5 striped_chain
!
line con 0
 no exec
 exec-timeout 0 0
 password 7 striped_chain
 logging synchronous
 transport preferred telnet
 stopbits 1
!

SW1.IX1#sh line console 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0       -

Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 1 stopbits, 8 databits
Status: Ready
Capabilities: EXEC Suppressed
Modem state: Ready
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
                never         never                        none     not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: 01:21:02
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed transports are telnet.  Preferred is telnet.
No output characters are padded
No special data dispatching characters


Y.


2010/6/3 Ziv Leyes <zivl at gilat.net>
I'm more concerned about what you have configured on the console port of your core routers and less about your console router itself.
Could you please post a config of the aaa settings of a core router as well as the con 0 config?
Ziv


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Youssef Bengelloun-Zahr
Sent: Wednesday, June 02, 2010 3:23 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 2600 with async NM-32 sending wrong characters

Dear List,

I have just installed an Out Of Band network in case of major crashes for
our company.

The architecture is the following :

3 Cisco 2600 routers geared with async NM32 modules and octal cables. Each
console is connected to the console port of my backbone routers.

The routers are NATed behind another ISP DSL line. Such a kind of OOB network
comes in handy sometimes ;-)


My core routers are configured to authenticate with our internal radius
servers before falling back to the enable password, just in case. Here is
what I have started seeing in my RADIUS logs :

*** Received from X.X.X.X port 47832 ....
Code:       Access-Request
Identifier: 83
Authentic:  <221>r<176>Z<189><221><25><8><142>T<20>b<244>S<176>O
Attributes:
       User-Name = *"CONS1.IX1>"*
       User-Password =
"<161><2><22>s[jR<217>\<245>R<217><25><129><197><137>^<213>7<220><27>5=h,<192><158>9<1>T<31><196>"
       NAS-IP-Address = X.X.X.X

Wed Jun  2 01:40:19 2010: DEBUG: Handling request with Handler ''
Wed Jun  2 01:40:19 2010: DEBUG:  Deleting session for CONS1.IX1>, X.X.X.X,
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL:
Wed Jun  2 01:40:19 2010: DEBUG: Query is: 'SELECT password, is_staff,
is_staff FROM auth_user WHERE username='CONS1.IX1>' AND is_active IS TRUE':
Wed Jun  2 01:40:19 2010: DEBUG: *Radius::AuthSQL looks for match with
CONS1.IX1> [CONS1.IX1>]
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthSQL REJECT: No such user:
CONS1.IX1> [CONS1.IX1>]
Wed Jun  2 01:40:19 2010: DEBUG: AuthBy SQL result: REJECT, No such user*
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Jun  2 01:40:19 2010: DEBUG: Reading users file
/etc/radiator/users-interne
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE looks for match with
CONS1.IX1> [CONS1.IX1>]
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE REJECT: No such user: CONS1.IX1> [CONS1.IX1>]
Wed Jun  2 01:40:19 2010: DEBUG: AuthBy FILE result: REJECT, No such user
Wed Jun  2 01:40:19 2010: INFO: Access rejected for CONS1.IX1>: No such user
Wed Jun  2 01:40:19 2010: DEBUG: Packet dump:
*** Sending to 77.246.80.138 port 47832 ....
Code:       Access-Reject
Identifier: 83
Authentic:  <221>r<176>Z<189><221><25><8><142>T<20>b<244>S<176>O
Attributes:
       Reply-Message = "Request Denied"


*** Received from X.X.X.X port 52229 ....
Code:       Access-Request
Identifier: 181
Authentic:  z5<183>6L<27>z`<191><221><22><6><213><20><13><143>
Attributes:
       User-Name = *"CONS2.IX1> ### Login failed"*
       User-Password = "UP<214><250><11><158>%<245><251>jJ<195>M<145>c<2>"
       NAS-IP-Address = X.X.X.X

Wed Jun  2 01:40:19 2010: DEBUG: Handling request with Handler ''
Wed Jun  2 01:40:19 2010: DEBUG:  Deleting session for CONS2.IX1> ### Login
failed, X.X.X.X,
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL:
Wed Jun  2 01:40:19 2010: DEBUG: Query is: 'SELECT password, is_staff,
is_staff FROM auth_user WHERE username='CONS2.IX1> ### Login failed' AND
is_active IS TRUE':
Wed Jun  2 01:40:19 2010: DEBUG: *Radius::AuthSQL looks for match with
CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthSQL REJECT: No such user:
CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
Wed Jun  2 01:40:19 2010: DEBUG: AuthBy SQL result: REJECT, No such user*
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE looks for match with
CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE REJECT: No such user:
CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
Wed Jun  2 01:40:19 2010: DEBUG: AuthBy FILE result: REJECT, No such user
Wed Jun  2 01:40:19 2010: INFO: Access rejected for CONS2.IX1> ### Login
failed: No such user
Wed Jun  2 01:40:19 2010: DEBUG: Packet dump:


Where :

- X.X.X.X is the source ip address of my core equipment used to reach the
internal RADIUS servers

- CONS1.IX1 and CONS2.IX1 are my console routers' names.


The consoles keep on flooding the RADIUS servers with such requests
continuously. For your information, we have been using these console routers
for years now, but they were connected directly to the backbone until tonight.

Here is the output of a sh version on the consoles:

CONS1.IX1#sh version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.2(46a), RELEASE SOFTWARE
(fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Wed 11-Jul-07 20:22 by pwade
Image text-base: 0x8000808C, data-base: 0x812948AC

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

CONS1.IX1 uptime is 1 hour, 51 minutes
System returned to ROM by reload
System image file is "flash:c2600-ik9s-mz.122-46a.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found
at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export at cisco.com<mailto:export at cisco.com>.

cisco 2621 (MPC860) processor (revision 0x102) with 60416K/5120K bytes of
memory.
Processor board ID JAD04290CT0 (2953820044)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
32 terminal line(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102


Here is my template of configuration :


version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CONS3.IX1
!
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local
enable secret 5 $1$B6xi$Wvur3lYfDVqH8Ztaq9dg51
!
username XXXX privilege 15 password 7 120E041C131F09142F29252A3C202C
ip subnet-zero
ip cef
!
!
no ip domain-lookup
ip domain-name XXXXX
ip host LOCALHOST 192.168.0.1
ip name-server XXX.XXX.XXX.XXX
ip name-server XXX.XXX.XXX.XXX
!
ip ssh time-out 60
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description Link to Freebox
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
 no shut
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.254
no ip http server
!
!
menu login text 1 se connecter sur BB1.IX1-SUP1
menu login command 1 telnet LOCALHOST 2033
menu login text 2 se connecter sur BB1.IX1-SUP2
menu login command 2 telnet LOCALHOST 2034
menu login text 3 se connecter sur LNS1.IX1
menu login command 3 telnet LOCALHOST 2035
menu login text 4 se connecter sur LNS2.IX1
menu login command 4 telnet LOCALHOST 2036
menu login text 5 se connecter sur FW1.IX1
menu login command 5 telnet LOCALHOST 2037
menu login text 6 se connecter sur FW2.IX1
menu login command 6 telnet LOCALHOST 2038
menu login text 7 se connecter sur FW3.IX1
menu login command 7 telnet LOCALHOST 2039
menu login text 8 se connecter sur LNS7.IX1
menu login command 8 telnet LOCALHOST 2040
menu login text 0 sortir du menu
menu login command 0 menu-exit
!
dial-peer cor custom
!
!
!
!
!
line con 0
line 33 64
 exec-timeout 0 0
 no exec
 transport input all
 escape-character 3
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 transport input ssh
!
ntp server XXX.XXX.XXX.XXX
ntp server XXX.XXX.XXX.XXX
end


Any ideas as to what my problem might be?

Thanks in advance.

Best regards.

Y.

--
Youssef BENGELLOUN-ZAHR ..................
Network and Telecom Engineer


Technopole de l'Aube  en Champagne - BP 601 - 10901 TROYES  Cedex 9
Agence Paris : 6, rue Charles Floquet - 92120 MONTROUGE
Tel                 +33 (0) 825 000 720
Tel. direct      +33 (0) 1 77 35 59 14
Tel. portable  +33 (0) 6 22 42 63 80
Email            ybz at 720.fr
...................................www.720.fr
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
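As an added example that is not part of the thread: the flood Youssef describes can be spotted on the RADIUS side by parsing Radiator-style log lines and flagging Access-Requests whose User-Name is really a device CLI prompt or login banner text rather than a person. The sample log, hostnames and addresses below are constructed.

```python
import re

# Constructed sample in the Radiator log layout quoted in the thread
# (addresses and hostnames are placeholders, not real values).
SAMPLE_LOG = """\
*** Received from 192.0.2.10 port 47832 ....
Code:       Access-Request
Identifier: 83
Attributes:
       User-Name = "CONS1.IX1>"
       NAS-IP-Address = 192.0.2.10
Wed Jun  2 01:40:19 2010: INFO: Access rejected for CONS1.IX1>: No such user
*** Received from 192.0.2.10 port 52229 ....
Code:       Access-Request
Identifier: 181
Attributes:
       User-Name = "CONS2.IX1> ### Login failed"
       NAS-IP-Address = 192.0.2.10
Wed Jun  2 01:40:19 2010: INFO: Access rejected for CONS2.IX1> ### Login failed: No such user
*** Received from 192.0.2.20 port 1645 ....
Code:       Access-Request
Identifier: 7
Attributes:
       User-Name = "jdoe"
       NAS-IP-Address = 192.0.2.20
"""

# Mail clients sometimes wrap the value in '*' for emphasis, as in the thread.
USER_RE = re.compile(r'^\s*User-Name\s*=\s*\*?"(.*)"\*?\s*$')
NAS_RE = re.compile(r'^\s*NAS-IP-Address\s*=\s*(\S+)')
# An IOS prompt is a hostname followed directly by '>' (user EXEC) or '#' (privileged).
PROMPT_RE = re.compile(r'^\S+[>#]')

def looks_like_prompt(user):
    """True when a User-Name is CLI prompt or login-banner text, not an account name."""
    return bool(PROMPT_RE.match(user)) or 'Login failed' in user

def find_console_loops(log_text, threshold=2):
    """Map NAS-IP-Address -> list of prompt-like User-Names, keeping only NAS devices
    that sent at least `threshold` such requests (a sign of a console login loop)."""
    hits = {}
    user = None
    for line in log_text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)          # remember the name until its NAS line arrives
            continue
        m = NAS_RE.match(line)
        if m and user is not None:
            if looks_like_prompt(user):
                hits.setdefault(m.group(1), []).append(user)
            user = None                # one User-Name per request record
    return {nas: users for nas, users in hits.items() if len(users) >= threshold}
```

Run over a real Radiator log, the NAS addresses returned point at the core routers whose console line is receiving the console server's own prompt as credentials.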



************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************





















