WLC 4404 – 7921 PEAP Authentication

If you are using a Cisco Wireless LAN Controller and want to authenticate your phones using PEAP, make sure you adjust the EAP request timeout with the following command on the CLI of the controller:

config advanced eap request-timeout 20

Make sure you type “save config” to write the change to flash.

Perl Script – Turning Aironet Wireless Interface On/Off

I had a need to be able to quickly turn the wireless interface on/off on a 1231G access point.

I wrote this simple Perl script to log on to the AP via telnet and issue a “no shutdown” on the interface. To shut down the interface I use an identical script that performs a “shutdown”.

You could then have both scripts on your desktop to easily toggle the state of the wireless, or you could do what I do and put the scripts in the start menu and use Launchy to run the scripts.

The script uses Net::Telnet::Cisco, which can be installed with Perl Package Manager using the following command:

ppm install Net-Telnet-Cisco


APWirelessOn.pl

##
# Filename – APWirelessOn.pl
# Version – 0.1
# Creator – reloadin10
# contact – reloadin10.wordpress.com
# Description – Performs a no shutdown on a specified Cisco AP Interface
##

use strict;
use warnings;
use Net::Telnet::Cisco;

# Define your variables here
my $host   = '1.1.1.1';
my $user   = 'username';
my $pass   = 'password';
my $enable = 'enablePassword';

#CODE
# Open the telnet session, log in and enter enable mode before configuring
my $session = Net::Telnet::Cisco->new(Host => $host);
$session->login($user, $pass);
if ($session->enable($enable)) {
    $session->cmd('config terminal');
    $session->cmd('interface dot11Radio0');
    $session->cmd('no shutdown');
} else {
    warn "Can't enable: " . $session->errmsg;
}
$session->close;
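An added example of my own, not the post's script, that folds the on and off scripts into one: it takes on or off as an argument, reads the host and credentials from the environment variables AP_HOST, AP_USER, AP_PASS and AP_ENABLE (names assumed here) instead of storing a password in the file, and reads the interface status back to confirm the change actually took effect.

```perl
#!/usr/bin/perl
# APWireless.pl on|off - bring a Cisco Aironet radio up or down and verify it.
# Added example, not the original post's script. Connection details are read
# from environment variables (names assumed here) so that no password is
# stored in the script: AP_HOST, AP_USER, AP_PASS and, optionally, AP_ENABLE.
use strict;
use warnings;
use Net::Telnet::Cisco;

my $state = shift(@ARGV) // '';
die "usage: $0 on|off\n" unless $state eq 'on' or $state eq 'off';

my $host   = $ENV{AP_HOST} or die "AP_HOST is not set\n";
my $user   = $ENV{AP_USER} or die "AP_USER is not set\n";
my $pass   = $ENV{AP_PASS} or die "AP_PASS is not set\n";
my $enable = $ENV{AP_ENABLE} // $pass;   # fall back to the login password
my $iface  = 'Dot11Radio0';              # radio interface on a 1231G

# Net::Telnet::Cisco dies on connection or login failure by default
# (Errmode 'die'), so a failed step never reaches the configuration commands.
my $session = Net::Telnet::Cisco->new(Host => $host, Timeout => 10);
$session->login($user, $pass);
$session->enable($enable) or die "Can't enable: " . $session->errmsg . "\n";

# Apply the requested state to the radio.
my $cmd = $state eq 'on' ? 'no shutdown' : 'shutdown';
$session->cmd('configure terminal');
$session->cmd("interface $iface");
$session->cmd($cmd);
$session->cmd('end');

# Read the status back rather than trusting that the command took effect.
my @out = $session->cmd("show interfaces $iface");
$session->close;

my ($status) = grep { /^\Q$iface\E is / } @out;
$status //= "(no status line for $iface in output)\n";
print $status;

# Exit 0 only when the radio is in the state we asked for: 'off' must show
# "administratively down", 'on' must not.
my $want_down  = $state eq 'off' ? 1 : 0;
my $admin_down = $status =~ /administratively down/ ? 1 : 0;
exit($want_down == $admin_down ? 0 : 1);
```

Because the exit status reflects the verified state, a launcher or scheduled task can tell a failed toggle from a successful one.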

PIX 6.x – PPPoE: Unsolicited PADO, Invalid session state

When configuring a PIX 6.x to use the PPPoE client on the outside interface, if you receive the following error:

“PPPoE: Unsolicited PADO, Invalid session state”

It probably means you’re as dumb as I am and didn’t specify a vpdn username with the following command:

pix(config)#vpdn username <username from ISP> password <Password>

VG224 – Call Forward all / Feature Codes

One of our clients recently rolled out a series of VG224 voice gateways to provide analogue services in a residential deployment. Everything was running smoothly until one of the tenants wanted to know how to forward all his calls out to a mobile phone.

I remembered reading that this is supported if the VG224 is registering using Skinny, but couldn’t find any documentation on what the codes were.

I ended up finding the answer on an archived post from the [cisco-voip] mailing list.

To enable Call Forward All on a VG224 you require the following command:

VG224(config)#stcapp feature access-code

To view the access codes use the following command:

VG224#sh stcapp feature codes

VG224 Output:
stcapp feature access-code
prefix **
call forward all **1
call forward cancel **2
pickup local group **3
pickup different group **4
pickup direct **6

stcapp feature speed-dial disabled

Cisco 3750 – 3rd Party SFP

It is possible to use 3rd-party SFPs in a Cisco 3750 with the following commands:

Switch(config)#service unsupported-transceiver

and

Switch(config)#no errdisable detect cause gbic-invalid

The first command will generate the following warning from Cisco:

“Warning: When Cisco determines that a fault or defect can be traced to
the use of third-party transceivers installed by a customer or reseller,
then, at Cisco’s discretion, Cisco may withhold support under warranty or
a Cisco support program. In the course of providing support for a Cisco
networking product Cisco may require that the end user install Cisco
transceivers if Cisco determines that removing third-party parts will
assist Cisco in diagnosing the cause of a support issue.”

I wouldn’t recommend using non-Cisco SFPs in production environments, but for a lab save the bucks and go for it.

IOS – Ping Sweep

I discovered a really cool feature of IOS that is probably common knowledge but I was never aware of.

You can perform a ping sweep of a directly connected network by pinging the broadcast or network address.

Example:

Router#ping 192.168.1.255

The output is as follows:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.255, timeout is 2 sec

Reply to request 0 from 192.168.1.19, 4 ms
Reply to request 0 from 192.168.1.59, 40 ms
Reply to request 0 from 192.168.1.57, 40 ms
Reply to request 0 from 192.168.1.56, 40 ms

This is incredibly useful for doing discovery and populating the router’s ARP table after a reboot.
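As an added example (not from the original post), a small Perl parser for the reply lines in that output, run over a constructed sample in the same format: it collapses the repeated replies into one entry per host and records how many of the echoes each host answered, which is the inventory you actually want after a discovery ping.

```perl
#!/usr/bin/perl
# Parse IOS broadcast-ping output into the list of hosts that answered.
# Added example; the sample below is constructed to match the IOS output
# format, not captured from a real router.
use strict;
use warnings;

my $sample = <<'END';
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.255, timeout is 2 seconds:

Reply to request 0 from 192.168.1.19, 4 ms
Reply to request 0 from 192.168.1.59, 40 ms
Reply to request 0 from 192.168.1.57, 40 ms
Reply to request 1 from 192.168.1.19, 1 ms
Reply to request 1 from 192.168.1.59, 38 ms
END

# Returns a hash ref: host -> { replies => n, best_ms => lowest RTT seen }.
# A host that answered only some of the echoes is still listed; the reply
# count is kept because a low count hints at a lossy link or a busy host.
sub parse_ping_sweep {
    my ($text) = @_;
    my %hosts;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^Reply to request (\d+) from (\d{1,3}(?:\.\d{1,3}){3}), (\d+) ms/;
        my ($req, $ip, $ms) = ($1, $2, $3);
        $hosts{$ip} //= { replies => 0, best_ms => $ms };
        $hosts{$ip}{replies}++;
        $hosts{$ip}{best_ms} = $ms if $ms < $hosts{$ip}{best_ms};
    }
    return \%hosts;
}

my $hosts = parse_ping_sweep($sample);
# Sort by last octet so the listing reads like an address inventory.
for my $ip (sort { (split /\./, $a)[3] <=> (split /\./, $b)[3] } keys %$hosts) {
    printf "%-16s replies=%d best=%dms\n", $ip, $hosts->{$ip}{replies}, $hosts->{$ip}{best_ms};
}
printf "%d host(s) answered\n", scalar keys %$hosts;
```

Feed it the captured terminal output instead of the sample to get the same listing for a real segment.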

ASA 8.0(2) – disappearing ISAKMP nat-traversal

Version 8.0(2) contains a bug involving an inconsistent interpretation of the default for “crypto isakmp nat-traversal 20”. While running, the device appears to have this command on by default, but on boot the command is negated by default. The effect of this is that NAT traversal is disabled every time you reboot the ASA.

Workaround?

Use a non-default keep-alive interval. I used “crypto isakmp nat-traversal 30” and the command now persists through a reboot.

Note: this issue appears to be fixed in 8.0(3) (bug ID CSCsj5258).

ASA 8.x – L2TP & default Tunnel-groups

I received a lesson in research first, configure second today.

I was trying to configure L2TP over IPsec on an ASA 5510 running version 8.0(2) software and for the life of me couldn’t work out why it wasn’t working. I kept getting these errors every time I tried to create the tunnel:

%ASA-4-713903: Group = x.x.x.x, IP = y.y.y.y, Can’t find a valid tunnel group, aborting…!
%ASA-3-713902: Group = x.x.x.x, IP = y.y.y.y, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = x.x.x.x, IP = y.y.y.y, Error: Unable to remove PeerTblEntry
%ASA-4-713903: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)

Google didn’t really turn up much information. OK, time to check cisco.com, and I found this article.

I made the mistake of jumping straight down to the configuration example, which still left me stumped, for as far as I could tell I had configured the ASA correctly.

Then I noticed this line:

“Use only the default tunnel group and default group policy on the Cisco PIX/ASA. User-defined policies and groups do not work.”

Arrrgh! I switched the configuration to “tunnel-group DefaultRAGroup” and everything worked great.

Interestingly though I didn’t switch the group-policy from my user-defined policy and the configuration still worked fine.