Category archive: sec

Fixing ACS 5.x failures when joining a Microsoft AD domain

Make sure NTP, the time zone, DNS and the domain name are all correct. On the ACS CLI:

  clock timezone Asia/Chongqing
  ip domain-name oa.gdb.local
  ip name-server 10.0.0.1
  ntp server 10.0.0.1

If the AD domain oa.test.local is served by several domain controllers, the address the domain name resolves to is not necessarily the DC you want, so you need to name a specific host such as S001DC016.oa.test.local. ACS 5.3 has a bug here: when joining the domain it will not accept S001DC016.oa.test.local directly, only a bare domain name such as oa.test.local.

So the DC has to be pinned from acs-config mode (log in with the web UI password):

  acs-config
  ad-agent-configuration dns.dc.oa.test.local S001DC016.oa.test.local

and verified with:

  show ad-agent-configuration oa.test.local
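As an added example (not from this page and not Cisco code), the preflight below runs the checks the procedure above depends on before you attempt the join: clock skew within the Kerberos tolerance, the domain's advertised DC list, whether the bare domain name fans out to several DCs (the reason for pinning), and whether the DC you intend to pin is actually one of them. It takes a resolver callable so it runs here against constructed DNS answers; plug in a real lookup to use it for real. The second DC name S002DC017 and the 300-second skew limit (AD's default Kerberos tolerance) are assumptions, and the printed acs-config lines are the ones from the text.

```python
KERBEROS_MAX_SKEW = 300  # seconds; assumed AD default Kerberos clock-skew tolerance


def dc_srv_name(domain: str) -> str:
    # AD advertises its domain controllers under this SRV name (the DC locator record).
    return f"_ldap._tcp.dc._msdcs.{domain}"


def preflight(domain, pinned_dc, local_epoch, dc_epoch, resolver):
    """Return (all_ok, findings, acs_config_lines).

    resolver(rtype, name) -> set of answers ("A" -> addresses, "SRV" -> target hosts).
    """
    findings = []

    def check(ok, msg):
        findings.append((bool(ok), msg))

    skew = abs(local_epoch - dc_epoch)
    check(skew <= KERBEROS_MAX_SKEW, f"clock skew to DC is {skew}s (limit {KERBEROS_MAX_SKEW}s)")

    dcs = resolver("SRV", dc_srv_name(domain))
    check(dcs, f"{len(dcs)} DC(s) advertised for {domain}: {sorted(dcs)}")

    domain_ips = resolver("A", domain)
    check(domain_ips, f"{domain} resolves to {sorted(domain_ips)}")
    # The reason for pinning: a multi-DC domain name does not reliably land on the DC you want.
    if len(domain_ips) > 1:
        findings.append((True, f"{domain} maps to several DCs; pin one with dns.dc.{domain}"))

    pinned_ips = resolver("A", pinned_dc)
    check(pinned_dc in dcs and pinned_ips,
          f"pinned DC {pinned_dc} is advertised by the domain and resolves to {sorted(pinned_ips)}")

    commands = [
        "acs-config",
        f"ad-agent-configuration dns.dc.{domain} {pinned_dc}",
        f"show ad-agent-configuration {domain}",
    ]
    return all(ok for ok, _ in findings), findings, commands


# Constructed DNS answers standing in for real lookups; S002DC017 is a made-up second DC.
CONSTRUCTED_DNS = {
    ("SRV", "_ldap._tcp.dc._msdcs.oa.test.local"): {"S001DC016.oa.test.local", "S002DC017.oa.test.local"},
    ("A", "oa.test.local"): {"10.0.0.1", "10.0.0.2"},
    ("A", "S001DC016.oa.test.local"): {"10.0.0.1"},
    ("A", "S002DC017.oa.test.local"): {"10.0.0.2"},
}


def constructed_resolver(rtype, name):
    return CONSTRUCTED_DNS.get((rtype, name), set())


if __name__ == "__main__":
    ok, findings, commands = preflight("oa.test.local", "S001DC016.oa.test.local",
                                       local_epoch=1_700_000_000, dc_epoch=1_700_000_012,
                                       resolver=constructed_resolver)
    for passed, msg in findings:
        print(("PASS " if passed else "FAIL ") + msg)
    print("\n".join(commands) if ok else "fix the failures before joining")
```

A DC that resolves but is not in the SRV list is the case worth catching: the pin would be accepted by acs-config yet point at a host the domain does not advertise as a controller.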

RADIUS vendor-specific attributes

In RADIUS, Code 1 is an Access-Request, and Code 2 and Code 3 are Access-Accept and Access-Reject respectively; these three only appear when a user logs on. For the long stretch the user then stays online, it is the Code 4 packets that keep accounting and the online-user state alive.

The Code 4 and Code 5 packets:
    Code 4: Accounting-Request, sent by the client (usually a switch configured as a RADIUS client)
    Code 5: Accounting-Response, sent by the RADIUS server

Attribute-Value (AV) pairs

Many IETF attributes can be used as-is, for example the ones used for VLAN assignment with 802.1X (Tunnel-Type 64, Tunnel-Medium-Type 65 and Tunnel-Private-Group-ID 81); each of those is identified by a single attribute number.

RADIUS attribute type 26 is Vendor-Specific and is reserved for attributes vendors define themselves.
The Vendor-Id that follows identifies the vendor: 9 is Cisco, and vendor type 1 under it is Cisco-AVPair.
Vendor-Id 2636 is Juniper and 311 is Microsoft; everything after the Vendor-Id is whatever the vendor defines.

For example:
026/009/001 is cisco-av-pair
026/009/101 is cisco-h323-credit-amount
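As an added example (not from this page), the code below encodes and decodes attribute 26 in the layout described above (type 26, length, 4-byte Vendor-Id, then vendor type, vendor length and value), names the two Cisco sub-attributes the text lists in the same 026/009/001 notation, and parses a constructed Access-Accept that carries a Reply-Message plus a Cisco AVPair. The packet, the identifier 7, the zero authenticator and the AVPair text "shell:priv-lvl=15" are constructed for the example; a real server computes the authenticator over the shared secret.

```python
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866)
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response"}
VENDOR_SPECIFIC = 26
VENDOR_NAMES = {9: "Cisco", 311: "Microsoft", 2636: "Juniper"}
# Only the two Cisco vendor types mentioned on the page are named here.
CISCO_VSA_NAMES = {1: "cisco-av-pair", 101: "cisco-h323-credit-amount"}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type | Length | Value, where Length counts the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Type 26 | Length | Vendor-Id (4) | Vendor-Type | Vendor-Length | value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def encode_cisco_avpair(text: str) -> bytes:
    return encode_vsa(9, 1, text.encode())


def parse_attrs(blob: bytes):
    """Split an attribute blob into (type, value) pairs, refusing bad lengths."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        attrs.append((t, blob[pos + 2:pos + length]))
        pos += length
    return attrs


def parse_vsa(value: bytes):
    """Value of a type-26 attribute -> (vendor_id, [(vendor_type, data), ...])."""
    if len(value) < 6:
        raise ValueError("VSA too short for a Vendor-Id plus one sub-attribute")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attrs(value[4:])


def describe_attr(attr_type: int, value: bytes) -> str:
    """Render an attribute in the page's type/vendor/subtype notation."""
    if attr_type != VENDOR_SPECIFIC:
        return f"{attr_type:03d} = {value!r}"
    vendor_id, subs = parse_vsa(value)
    parts = []
    for vtype, data in subs:
        name = CISCO_VSA_NAMES.get(vtype, "?") if vendor_id == 9 else VENDOR_NAMES.get(vendor_id, "?")
        parts.append(f"{VENDOR_SPECIFIC:03d}/{vendor_id:03d}/{vtype:03d} {name} = {data.decode(errors='replace')}")
    return "; ".join(parts)


def build_packet(code: int, ident: int, attrs: bytes, authenticator: bytes = bytes(16)) -> bytes:
    """Code | Identifier | Length (2) | Authenticator (16) | attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("packet Length field disagrees with the data")
    return CODE_NAMES.get(code, str(code)), ident, parse_attrs(pkt[20:])


# Constructed Access-Accept: Reply-Message (18) plus a Cisco AVPair granting privilege level 15.
SAMPLE_ACCEPT = build_packet(2, 7, encode_attr(18, b"welcome") + encode_cisco_avpair("shell:priv-lvl=15"))

if __name__ == "__main__":
    name, ident, attrs = parse_packet(SAMPLE_ACCEPT)
    print(name, ident)
    for t, v in attrs:
        print(describe_attr(t, v))
```

The length checks in parse_attrs are the part to keep: a vendor sub-attribute whose Vendor-Length runs past the enclosing attribute is a malformed packet, not a value to trust.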
 

ASA configuration synchronization

 

Configuration Replication

Configuration replication is the function of synchronizing the configuration of the primary PIX Firewall to the secondary PIX Firewall. For configuration replication to succeed, both the primary and secondary PIX Firewalls must be exact matches of each other in both hardware and software (as previously stated). Configuration replication occurs over the failover cable from the active PIX Firewall to the standby PIX Firewall when any of these three events occurs:

  • When the standby PIX Firewall completes its initial bootup, the active PIX Firewall replicates its entire configuration to the standby PIX Firewall.

  • As commands are entered on the active PIX Firewall, they are sent across the failover cable to the standby PIX Firewall.

  • By entering the write standby command on the active PIX Firewall, which forces the entire configuration in memory to be sent to the standby PIX Firewall.

Configuration replication only occurs from the running config of the Primary to the running config of the Secondary. Because this is not a permanent place to store configurations, you must use the write memory command to write the configuration into NVRAM on both units. If failover occurs during replication, the new active PIX Firewall will have only a partial configuration. To recover from a configuration synchronization failure, you will need to force the Primary back to active and use the write standby command to update the Secondary.

So the safest thing is to follow up with write memory on both units; only then is the configuration actually saved.

Conditions under which ASA firewall failover occurs

 A failover occurs when one of the following situations takes place:

  • The no failover active command is issued on the Primary PIX.

  • The failover active command is issued on the Secondary PIX.

  • Block memory exhaustion occurs for 15 consecutive seconds or more on the active PIX Firewall.

  • Network Interface Card (NIC) status. If the link status of a NIC is down, the unit fails. "Down" means that the NIC is not plugged into an operational port. A NIC that has been configured as "down" does not fail this test.

  • Failover Network communications. The two units send "hello" packets to each other over all network interfaces. If no "hello" messages are received for two failover poll intervals, the non-responding interface is put in testing mode to determine who is at fault.

  • Failover cable communication. The two units send "hello" messages to each other over the failover cable. If the standby doesn’t hear from the active within two failover poll intervals, and the cable status is OK, the standby takes over as active.

  • Cable errors. The failover cable is wired so that each unit can distinguish between:

    • A power failure on the other unit.
    • A cable unplugged on this unit.
    • A cable unplugged on the other unit.

  • If the standby detects that the active is powered off (or reloaded/reset), it takes active control. If the failover cable is unplugged, a syslog message is generated but no switching occurs.
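As an added example (not Cisco code), the two functions below express the rules in the list above as decision logic: the first is what the standby unit does with the evidence it has (failover-cable status, peer power, hello timing on the cable and on each network interface), the second is the active unit's own failure tests (NIC link down on an interface not configured down, block memory exhausted for 15 seconds or more). The 15-second poll interval used as the default is an assumption (the PIX 6.x default), and all timestamps and interface names are constructed.

```python
DEFAULT_POLL_INTERVAL = 15  # seconds; assumed PIX 6.x default for failover poll


def standby_decision(now, last_cable_hello, cable_status, peer_power_on,
                     last_iface_hello, poll_interval=DEFAULT_POLL_INTERVAL):
    """Return (action, reason) for the standby unit.

    cable_status: "ok", "unplugged-this-unit" or "unplugged-other-unit"
    last_iface_hello: {interface_name: timestamp of the last hello seen on it}
    """
    timeout = 2 * poll_interval  # "two failover poll intervals" in the rules above

    # The cable reports the peer lost power (or reloaded): take over immediately.
    if cable_status == "ok" and not peer_power_on:
        return "become-active", "peer powered off, detected over the failover cable"

    # An unplugged cable is logged only; it is never taken as evidence to switch.
    if cable_status != "ok":
        return "syslog-only", f"failover cable {cable_status}; no switch"

    # Cable OK but silent: the active unit is gone, standby takes over.
    silent_for = now - last_cable_hello
    if silent_for > timeout:
        return "become-active", f"no hello over failover cable for {silent_for}s (> {timeout}s)"

    # Silence on a network interface only puts that interface into testing.
    stale = sorted(name for name, t in last_iface_hello.items() if now - t > timeout)
    if stale:
        return "test-interfaces", f"no hello on {stale} for two poll intervals; testing"

    return "stay-standby", "all hellos current"


def active_unit_fails(link_down_ifaces, configured_down_ifaces, block_mem_exhausted_seconds):
    """Active-unit failure tests: link down on a NIC that is not configured down,
    or block memory exhausted for 15 consecutive seconds or more."""
    if block_mem_exhausted_seconds >= 15:
        return True
    return bool(set(link_down_ifaces) - set(configured_down_ifaces))


if __name__ == "__main__":
    now = 100
    print(standby_decision(now, 60, "ok", True, {"inside": 95, "outside": 96}))
    print(standby_decision(now, 95, "ok", True, {"inside": 95, "dmz": 60}))
    print(active_unit_fails({"dmz"}, {"dmz"}, 0), active_unit_fails({"inside"}, set(), 0))
```

The ordering matters: the cable-unplugged branch comes before the hello timeout so that a missing cable never turns into a takeover, which is the split-brain case the rules are written to avoid.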