Integration Between ClearPass & Cisco OS , NX-OS as a Tacacs+ Server
ClearPass is one of best existing product in Network Access Control Market
for that i publish Configuration required to integrate between ClearPass As Tacacs+ server and Cisco Switch 3750,Cisco Router 29XX & NX-OS.
######################################
#config tacacs-server with Cisco Switch 3760#
######################################
config terminal
aaa new-mod
tacacs-server host “CLEARPASS-IP-ADDRESS” port 49 timeout 5 key “CLEARPASS-SHAREDKEY”
aaa group server tacacs+ Tacacs
aaa authentication enable default group tacacs+ enable
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
line vty 0 15
login authentication default
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
##############################################
#config tacacs-server with Cisco Routers 2900#
##############################################
tacacs server Clear-Pass
address ipv4 “CLEARPASS-IP-ADDRESS”
port 49
timeout 5
key 7 “CLEARPASS-SHAREDKEY”
exit
config terminal
tacacs-server host “CLEARPASS-IP-ADDRESS” port 49 timeout 5 key “CLEARPASS-SHAREDKEY”
aaa group server tacacs+ Tacacs
aaa authentication enable default group tacacs+ enable
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
line vty 0 15
login authentication default
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
#######
#NX-OS#
#######
tacacs-server host “CLEARPASS-IP-ADDRESS” key “CLEARPASS-SHAREDKEY” port 49 timeout 5
aaa group server tacacs+ Tacacs
server “CLEARPASS-IP-ADDRESS”
source-interface loopback0
tacacs-server directed-request
aaa authentication login default group Tacacs
aaa authorization commands default group Tacacs
######################################################################
Ahmed Omar
Integration between Aruba Controller and PaloAlto 7.1
Salam Alycom
you can make integration between Palo Alto And Aruba Controller to get User IP Map from Aruba to Plao Alto by using XML-API Tech .
what you need is only follow the steps in this link
Click to access SG_PaloAltoNetworks.pdf
its good document from aruba but really i face issue and the integration after upgrade Plao Alto from 7.0 to 7.1 , but after some analysis and open case with palo alto i note aruba refuse the PaloAlto certificate is unknown cert.
for that you need to make the following configuration after finish the documentation steps
1 in paloalto Firewall
A- Create certificate and i recommend the following link
after that download the certificate and save it folder
B- Create SSL/TLS Profile
device >certificate Management > SSL/TLS service Profile > add > “add any name and choose cerificate that you create it before and save and commit
C- after that go to device>setup>Management>general Settings > ssl/tls service profile”choose SSL profile that you created it before ” , and commit
2 Aruba Controller Side
Configuration > Certificates > upload
add any name
upload paloAlto Cert
Passphrase (optional) : “Leave it blank ”
Certificate Format : PEM
Certificate Type : trusted CA
after finish you can check it by the following command
in aruba
(Master) #show pan state
Palo Alto Networks Servers Connection State[PA-3060]
—————————————————-
Firewall State
——– —–
“PaloAlto ip”:443 UP[05/09/16 12:32:13]Established
in paloalto
show user ip-user-mapping all
in from section you must see some user “XMLAPI”
Ahmed Omar
Auto Backup from cisco nexus 9k
1- Cisco side
config t
feature scheduler
scheduler job name Backup-Weekly
copy running-config ftp://ftpusername:ftpuserpassword@ftp-server/cisco-device/switches/$(SWITCHNAME)-conf.$(TIMESTAMP)
end-job
scheduler schedule name Backup-Weekly
job name Backup-Weekly
time weekly 06:12:00
copy running-config startup-confi
FTP Server Side
i configure FTP server in linux called VSFTPD , you can install it only run command yum install vsftp
after finish all steps that required to run the ftp server go to sudo vi /etc/vsftpd/vsftpd.conf and add the following
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=tatweerftp
ftpd_banner=||| Warning |||
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
chroot_local_user=YES
local_root=/home/$USER <— folder path
user_sub_token=$USER
allow_writeable_chroot=YES
save and reset ftp server
sudo systemctl restart vsftpd
auto backup From Cisco Devices
first configure FTP Server in any PC
you can download it from here
after that add the following command
config t
!
ip ftp username USERNAME
ip ftp password PASSWORD
archive
path ftp://IP.IP.IP.IP/cisco-device/switches/$h
!
kron policy-list BACKUP_CONFIG
cli archive config
!
kron occurrence Backup at 12:00 Fri recurring
policy-list BACKUP_CONFIG
exit
exit
wr
to check it type
show kron schedule
ASA-PIX/FWSM: Unable to manage the unit via ssh/telnet/asdm
Documentation
This document is meant to be interpreted with the aid of the official documentation from the configuration guide located here:
PIX: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1047288
ASA: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html
FWSM:http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/mgacc_f.html
Unable to asdm
make sure vpn 3-des is enabled
Issue “sh ver” and make sure the unit has 3-des license.
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
Slot 1: ATA Compact Flash, 32MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
.
.
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
If 3DES is not enabled, it is easy and free to the activaton key to enable that. Please go to http://www.cisco.com/go/license
and loging with your CCO ID and
please click here for available licenses.
and then choose Cisco ASA 3DES/AES License
Fill out all the information including the serial number of the firewall and you should see a message that says you will receive the activation key via
e-mail within 1 hour.
Once you receive the activation key via e-mail please add it to the unit via CLI
ASA#conf t
ASA(config)#activation-key <copy and paste the 4-tuple or 5-tuple>
ASA(config)#wri mem
ASA(config)#exit
Make sure to issue “sh ver” and make sure 3DES shows enabled.
make sure asdm image is loaded
Issure “sh ver” and make sure asdm image is loaded.
ASA# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
If not make sure to tftp the appropriate bin fil to flash and configure “asdm image disk0:/asdm-621.bin”.
Make sure you are running a matching asdm version for the ASA.
ASA code: http://tools.cisco.com/squish/10C815
ASDM image: http://tools.cisco.com/squish/a5338C
FWSM code: http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm
http server is enabled
Issure “sh run http” and make sure http server is enabled.
http server enable
http 172.18.124.0 255.255.255.0 inside ——> all hosts in this subnet are allowed to asdm
http 10.10.10.10 255.255.255.255 dmz —-> only one host 10.10.10.10 is the subnet is allowed to asdm
sh asp table socket
Make sure that the “sh asp table socket” shows that the unit is listening on port 443 on the interface that you are trying to asdm to. This command is not supported on the FWSM.
ASA# sh asp table socket
Protocol Socket Local Address Foreign Address State
SSL 0000e5bf 172.18.124.254:443 0.0.0.0:* LISTEN
SSL 00019c6f 10.10.10.1:443 0.0.0.0:* LISTEN
If you do not see the unit listening on port 443 then try to remove the “http server enable” line and add it back to the config.
ASA#conf t
ASA(config)#no http server enable
ASA(config)#http server enable
http access is allowed
Issue the command “sh run http” and make sure the IP address that you are trying to asdm from is allowed.
ASA# sh run http
http server enable
http 172.18.124.0 255.255.255.0 inside
http 10.2.180.32 255.255.255.248 inside
webvpn enabled on the port 443
Issue the command “sh run webvpn” and see if it is enabled and has configuration section under webvpn, then change the port that asdm
listens to something else other than 443.
ASA#conf t
ASA(config)#http server enable 4443
Once done try to lauch asdm by going to https://10.10.10.1:4443 where 10.10.10.1 is the interface IP address of the firewall that is closer to the client.
sh run all ssl
Issue the command “sh run all ssl” and make sure you see the following line highlighted in red in the output. If not add it in the config.
ASA# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
make sure to run the latest java
Download the latest java available http://www.java.com/en/download/index.jsp and install it on the client and try to launch asdm.
check the logs
Enable logging with the following command if not already enabled and check the logs.
ASA#conf t
ASA(config)#logging on
ASA(config)#logging buffered debug
ASA(config)#end
ASA#sh logg | i x.x.x.x where x.x.x.x is the client’s IP address from which you are trying to asdm.
collect captures
If you are running ASA /PIX 7.2 or above code you can issue the “match” keyword in the capture. In the below command
capin – is the name of the capture
10.10.10.1 – is the IP address of the ASA that is listening on port 443
inside – is the name of the interface to which we are trying to asdm
cap capin int inside match tcp any host 10.10.10.1 eq 443
sh cap capin
Once done troubleshooting you can remove the cature by issuing “no cap capin”. In case of FWSM the “match” keyword does not work please follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222
Unable to telnet
make sure telnet is allowed
Issue the command “sh run telnet” and make sure telnet is allowed. Bear in mind that you cannot telnet to the lowest security interface on the firewall.
ASA# sh run telnet
telnet 0.0.0.0 0.0.0.0 dmz1
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
sh asp table socket
Issue the command “sh asp table socket” and make sure the firewall is listening on tcp port 23. This command is not supported on the FWSM.
ASA# sh asp table socket
Protocol Socket Local Address Foreign Address State
TCP 00024a1f 172.18.124.254:23 0.0.0.0:* LISTEN
TCP 0002ea9f 10.10.10.1:23 0.0.0.0:* LISTEN
If you do not see it listening then, remove the telnet lines from the config and add them back in.
check the logs
Enable logging with the following command if not already enabled and check the logs.
ASA#conf t
ASA(config)#logging on
ASA(config)#logging buffered debug
ASA(config)#end
ASA#sh logg | i x.x.x.x where x.x.x.x is the client’s IP address from which you are trying to telnet
collect captures
If you are running ASA /PIX 7.2 or above code you can issue the “match” keyword in the capture. In the below command
capin – is the name of the capture
10.10.10.1 – is the IP address of the ASA that is listening on port 23
inside – is the name of the interface to which we are trying to asdm
cap capin int inside match tcp any host 10.10.10.1 eq 23
sh cap capin
Once done troubleshooting you can remove the cature by issuing “no cap capin”. In case of FWSM the “match” keyword does not work please follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222
Unable to ssh
make sure ssh is enabled and allowed
Issue the command “sh run ssh” and make sure ssh is enabled for the client IP or subnet. If not add the subnet or IP address that is allowed to ssh with the corresponding inteface.
ASA# sh run ssh
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 dmz1
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 60
Is there an rsa key-pair
Issue the command “sh cry key mypubkey rsa” and make sure the “Default-RSA-Key” is present. If not create the rsa key-pair with the command “cry key generate rsa modulus 1024”
ASA# sh cry key mypubkey rsa
Key pair was generated at: 22:52:03 CEDT Aug 22 2007
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00b41d91
.
.
effb9f5c 50a2ed60 290cdc4b ab1e0cc7 d334afdf e9850be4 c00faa18 47020301 0001
Key pair was generated at: 03:04:55 CEDT Sep 15 2010
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
307c300d 06092a86 4886f70d 01010105 00036b00 30680261 008eba15 2281909f
.
.
82db59d0 c3633648 6334ca6b ff531605 48ec82ce e9977506 97020301 0001
sh asp table socket
Issue the command “sh asp table socket” and make sure the firewall is listening on tcp 22. This command is not supported on the FWSM.
ASA# sh asp table socket
Protocol Socket Local Address Foreign Address State
TCP 0003dc4f 172.18.124.254:22 0.0.0.0:* LISTEN
TCP 00043c7f 10.10.10.1:22 0.0.0.0:* LISTEN
TCP 005de0a8 172.18.124.254:22 10.117.14.67:64892 ESTAB
check the logs
Enable logging with the following command if not already enabled and check the logs.
ASA#conf t
ASA(config)#logging on
ASA(config)#logging buffered debug
ASA(config)#end
ASA#sh logg | i x.x.x.x where x.x.x.x is the client’s IP address from which you are trying to ssh.
collect captures
If you are running ASA /PIX 7.2 or above code you can issue the “match” keyword in the capture. In the below command
capin – is the name of the capture
10.10.10.1 – is the IP address of the ASA that is listening on port 22
inside – is the name of the interface to which we are trying to asdm
cap capin int inside match tcp any host 10.10.10.1 eq 22
sh cap capin
Once done troubleshooting you can remove the cature by issuing “no cap capin”. In case of FWSM the “match” keyword does not work please follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222
The Top 8 Free Asterisk Add-Ons
The Asterisk open-source IP PBX is popular for several very good reasons, including its low cost, flexibility and powerful feature set. Another factor that draws many businesses to Asterisk is the ability to enhance the product with an array of add-on features and utilities. Many of these offerings are available at no cost (although some developers request a modest donation). These eight free add-ons will help you monitor, configure and use Asterisk in a variety of different ways.
Related Articles:
OutCALL: OutCALL is an open-source product that integrates Asterisk with Microsoft Outlook for easier dialing and telecom support. The add-on’s features include the ability to place calls from within Outlook, a call-history log, real-time call notifications via pop-ups and automatic contacts updating.
Snap: Snap is a dialer and call pop-up application that allows users to dial by simply clicking a contact entry. The program works by sending the phone number that the user wishes to dial to the PBX, which then initiates a call back to the user’s phone. When the user picks up the phone, he or she will be connected to the number dialed. Snap integrates with Microsoft Outlook, Excel and PowerPoint, as well as with Mozilla Thunderbird. Snap comes in a free Basic version and a $29.99 Pro version.
OrderlyStats: A real-time call-center statistics package, OrderlyStats lets users assess overall call-routing capabilities and performance on an agent-by-agent basis. The technology also aims to help users manage shift times, assess the impact of new technologies and procedural changes, and monitor call-center improvements over a period of time.
Asterisk Web/PHP Event Monitor: The Asterisk Web/PHP Event Monitor offers a Web interface that’s designed to help users view the current condition of Asterisk and all Asterisk Events. The software doesn’t poll Asterisk for Events but instead collects them in a MySQL database via an Asterisk Manager API (application programming interface) Python script.
AsteriskControl: Asterisk Control aims to place users in charge of their IP PBX. The software allows Windows users to connect-in, view, disconnect and control calls, including those using SIP (Session Initiation Protocol)/IAX (Inter-Asterisk eXchange).
Asterisk Queue/CDR Log Analyzer: The Asterisk Queue/CDR Log Analyzer has a simple yet useful mission: to select, list and graph Asterisk queue and CD-R log records through a Web interface.
Asterisk Flash Operator Panel: Asterisk gets “flashy” with Asterisk Flash Operator Panel, a real-time Asterisk visual-operator panel. The application displays information about Asterisk PBX activity in real time via any standard Web browser with the Adobe Systems Inc.’s Flash plug-in. Asterisk Flash Operator Pane can integrate with CRM software and can be used to enable click-to-dial for Web-based applications.
AstBill: A Web-based billing interface for Asterisk, AstBill is used by many small businesses and is currently the calling platform for several Asterisk call-termination services. The interface can show the balance, expenditure, payments and number of calls on each account. The software also provides call data records, including cost and sales on each call, as well as many other features.
Bonus Selection: Don’t forget asterisk-addons, a package that includes MySQL support for call-detail records and other useful tools.
Related Articles:
Open-Source PBX Face-Off: SIPxchange ECS Vs. Asterisk
Asterisk Distribution Comparison
واخيرا بفضل الله قمت بعمل ربط ما بين AVAYA & Asterisk
واخيرا وبعد طول انتظار قمت بعمل ربط ما بين سيرفر استريسك و AVAYA
as h323 trunk
وكان هذا من احد اهدافى لانى لا اتعامل مع اجهزة Avaya كثير
Asterisk cmd GotoIfTime
Synopsis:
Conditional goto on current time
Description:
GotoIfTime(<time range>|<days of week>|<days of month>|<months>?[[context|]extension|]pri)
Asterisk 1.6
GotoIfTime(<time range>,<days of week>,<days of month>,<months>?[[context,]extension,]pri)
Note: Asterisk 1.6 do not support “|” as seperater it now only uses “,”
If the current time matches the specified time, then branch to the specified extension. Each of the elements may be specified either as ‘*’ (for always) or as a range. If the current time does not match the specified time, next priority is executed.
Times before Asterisk 1.6.2 are only accurate down to the 2-minute interval. So 12:01 is treated the same as 12:00.
Starting with 1.6.2, times are accurate down to the minute.
How to specify time
The include syntax is defined in the sample extensions.conf like this:
<time range>|<days of week>|<days of month>|<months>
where:
<time range>= <hour>’:'<minute>’-‘<hour>’:'<minute>
| “*”
<days of week> = <dayname>
| <dayname>’-‘<dayname>
| “*”
<dayname> = “sun” | “mon” | “tue” | “wed” | “thu” | “fri” | “sat”
<days of month> = <daynum>
| <daynum>’-‘<daynum>
| “*”
<daynum> = a number, 1 to 31, inclusive
<hour> = a number, 0 to 23, inclusive
<minute> = a number, 0 to 59, inclusive
<months> = <monthname>
| <monthname>’-‘<monthname>
| “*”
<monthname> = “jan” | “feb” | “mar” | “apr” | “may” | “jun” | “jul” | “aug” | “sep” | “oct” | “nov” | “dec”
daynames and monthnames are not case-sensitive.
Examples
If you replace an option with *, it is ignored when matching. For instance:
exten => 3000,1,GotoIfTime(9:00-17:00|mon-fri|*|*?open,s,1)
would transfer to context “open”, extension s, priority 1 if it’s between 9:00 and 17:00, Monday through Friday, not checking the day of month or month.
Another example:
exten => s,6,GotoIfTime(*|*|26-30|May?attendant,s,30)
would transfer to context “attendant”, extension s, priority 30 at any time from May 26th though May 30th. (In this example, an office is closed for Memorial Day.)
BADR CALL MANAGER
BADR CALL MANAGER
هو نظام مبنى على Astrtisk يتيح لك ادارة المكالمات واضافة الهواتف التى تعمل بتقنية الVoip
قمت بتصميمة واحببت ان اريكم اياه
وقد قمت برفع فيديوا تعريفى له فى الYou tube مكون من ثلاث اجزاء
الرجاء المشاهدة وابداء الراى
الجزء الاول
الجزء الثانى
الجزء الثالث
يسعدنى ابداء الراى من خلال
الهاتف :002-0112788942
البريد :ahmed_it@windowslive.com
الحمد لله نجحت فى امتحان JNCIS-ES
الحمد والشكر لله رب العالمين
بفضل الله بتاريخ 1/11/2009
نجحت فى امتحان JNCIS-ES
هو يهتم بالحماية وهو خاص بشركة جينبر
اسال الله ان نفرح بكم قريبا
M u s l i m - T e c h 