Cisco Aironet konfigurointi (ja Cisco yleensäkin)

[juhaa]

Nyt tarvitaan apuja Cisco:n konffaajilta. SER-lavalta pelastettu Aironet 2700E sarjalainen ja en osaa tuohon tarpeeksi eloa saada aikaan.
AP oli controlleri firmiksellä, sen sain resetoitua ja vaihdettua tuoreimpaan Autonumous versioon. Kiitos Internetin. MD5 hash tuli tarkistettua ennen flashausta, kun ei pystynyt suoraan Ciscolta saada firmistä. Kiitos heille siitäkin.

Firmiksen sain konsolikaapelilla vaihdettua ja pääset nyt jopa kirjautumaan AP:n sisään telnetillä, mutta nyt meni kymmenettä kertaa sormisuuhun, kuinka ihmeessä saan edes Web GUI:n toimimaan? Se ei vain vastaa.

Telnetillä kun lähtee tästä etiäpäin, niin mitä loitsuja pitää tuolle heitellä http yhteyttä varten?
DHCP on valmiina reitittimellä tuolle ja sieltä se IP:n hakee.

Username: admin
Password:
ciscoAP>en
Password:
Password:
ciscoAP#

Tuohon kun laittaa 'enable', niin default salasana "Cisco" pitää sille tarjota. Admin käyttäjälle on laitettu toinen, mikä telnetille kelpaa.

Nämä ei todellakaan ole kuluttajavehkeitä...

 

[Miika]

Konfigurointitilaan pääsee komennolla "configure terminal" ja itseltä löytyy http-käyttöliittymään liittyvät seuraavat rivit:
ip http server
no ip http secure-server

Ja web-gui näyttää aukeavan. Tosin itse käytän vain SSH:lla. Ja tässäpä samalla koko konffi, jollatekee yhden WPA2 ssid:n:

tt-aironet#show running-config
Building configuration...

Current configuration : 2836 bytes
!
! No configuration change since last restart
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname "vaihda omaksi"
!
!
logging rate-limit console 9
enable secret 5 "vaihda omaksi"
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 2 0
no ip source-route
no ip cef
ip name-server 8.8.8.8
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid "vaihda omaksi"
   vlan 1
   band-select
   authentication open
   authentication key-management wpa version 2
   accounting acct_methods
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 7 "vaihda omaksi"
!
dot11 band-select parameters
   cycle-count 3
   cycle-threshold 200
   expire-supression 20
   expire-dual-band 60
   client-rssi 80
!
!
no ipv6 cef
!
!
username Cisco password 7 "vaihda omaksi... joutas kyllä poiskin tämä tunnus"
username admin secret 5 "vaihda omaksi"
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm
!
broadcast-key vlan 1 change 3600
!
!
ssid "vaihda omaksi"
!
antenna gain 0
mbssid
channel 2437
station-role root
world-mode dot11d country-code FI indoor
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm
!
broadcast-key vlan 1 change 3600
!
!
ssid "vaihda omaksi"
!
antenna gain 0
peakdetect
no dfs band block
mbssid
channel width 40-above
channel dfs
station-role root
world-mode dot11d country-code FI indoor
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet1
duplex auto
speed auto
!
interface BVI1
mac-address a89d.217f.b708
ip address dhcp client-id GigabitEthernet0 hostname "vaihda omaksi"
no ip route-cache
arp timeout 120
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip ssh version 2
!
!
!
bridge 1 route ip
!
!
!
line con 0
password 7 "vaihda omaksi"
line vty 0 4
transport preferred ssh
transport input ssh
transport output ssh
!
sntp server 0.fi.pool.ntp.org
end

tt-aironet#

 

[juhaa]

Kiitos. Askel eteenpäin

GUI kyselee jo tunnuksia
"http://192.168.1.66 pyytää käyttäjätunnusta ja salasanaa. Sivusto sanoo: ”level_15_access”", mutta eipä huoli käyttäjiäni.

ciscoAP>en
Password:
ciscoAP#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ciscoAP(config)#ip http server
System is configured with default enable secret.Please change it before enabling HTTP Server

ciscoAP(config)#no enable secret
ciscoAP(config)#ip http server
ciscoAP(config)#no ip http secure-server
ciscoAP(config)#end
ciscoAP#show privilege
Current privilege level is 15

Tämän hetkinen konffi:
salasanat höpöhöpötetty, kuten myös mac.

ciscoAP#show running-config
Building configuration...

Current configuration : 1814 bytes
!
! Last configuration change at 12:07:39 UTC Mon Mar 1 1993 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ciscoAP
!
!
logging rate-limit console 9
!
no aaa new-model
no ip source-route
no ip cef
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
!
no ipv6 cef
!
!
username Cisco password 7 84726428F8342729
username admin password 7 98472983472F2342B9821
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
shutdown
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
antenna gain 0
peakdetect
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet1
no ip address
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
mac-address ccXX.dXXX.0XXX
ip address dhcp client-id GigabitEthernet0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
password 7 298347239472E398742
login
line vty 0 4
login local
transport input all
!
end

edit: Matka tuntemattomassa jatkuu. Tein vain uuden käyttäjän "privilege 15" ja pääsen sillä nyt ilmeisesti tekemään aivan kaiken. Sain myös SSH:n enabloitua.

ciscoAP(config)#username uusikayttaja privilege 15 password salasana1
ciscoAP(config)#enable secret salasana1
ciscoAP(config)#line vty 0 15
ciscoAP(config-line)#login local
ciscoAP(config-line)#end
ciscoAP#configure t
Enter configuration commands, one per line.  End with CNTL/Z.
ciscoAP(config)#crypto key generate rsa
The name for the keys will be: ciscoAP.localdomain
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

ciscoAP(config)#line vty 0 4
ciscoAP(config-line)#transport input ssh
ciscoAP(config-line)#login local
ciscoAP(config-line)#password 7
% Incomplete command.

ciscoAP#sh ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha2-256,hmac-sha2-512
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-360012334214
ssh-rsa ####################################
ciscoAP#

 

[juhaa]

Tuohan oli liian hyvää ollakseen totta. Mitään ei voi tallentaa GUI:n kautta..
Ihan sama mitä yrittää tallentaa, niin "404 Not Found"

Sitten kokeilemaan tälläisiä loitsuja, kello oikeaan aikaan ja jotkut certifikaatit, mutta ei auttanut.

ciscoAP#show clock
*13:03:14.144 UTC Mon Mar 1 1993
ciscoAP#configure t
Enter configuration commands, one per line.  End with CNTL/Z.
ciscoAP(config)#sntp server 0.fi.pool.ntp.org
Translating "0.fi.pool.ntp.org"...domain server (192.168.1.1) [OK]

ciscoAP(config)#sntp broadcast client
ciscoAP(config)#end
ciscoAP#write mem
Building configuration...
[OK]
ciscoAP#show clock
09:34:42.862 UTC Mon Oct 12 2020
ciscoAP#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ciscoAP(config)#ip http server
ciscoAP(config)#crypto pki server IOS-CA
ciscoAP(cs-server)#grant auto
ciscoAP(cs-server)#database level complete
ciscoAP(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

% Certificate Server enabled.
ciscoAP(cs-server)#show crypto pki server IOS-CA Certificates
                        ^
% Invalid input detected at '^' marker.

ciscoAP(cs-server)#end
ciscoAP#show crypto pki server IOS-CA Certificates
Serial Issued date              Expire date               Subject Name
1       09:37:22 UTC Oct 12 2020 09:37:22 UTC Oct 12 2023  cn=IOS-CA

ciscoAP#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ciscoAP(config)#crypto pki trustpoint TEST
ciscoAP(ca-trustpoint)#enrollment url http://192.168.1.66:80
ciscoAP(ca-trustpoint)#subject-name CN=TEST
ciscoAP(ca-trustpoint)#revocation-check none
ciscoAP(ca-trustpoint)#rsakeypair TEST
ciscoAP(ca-trustpoint)#exit

ciscoAP(config)#crypto pki auth TEST
Certificate has the following attributes:
       Fingerprint MD5: xxxx xxxx xxxxx xxxxxx
      Fingerprint SHA1: xxxxx xxxx xxxx xxxx xxxx

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
ciscoAP(config)#crypto pki enroll TEST
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=TEST
% The subject name in the certificate will include: ciscoAP.localdomain
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: xxxx
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose TEST' commandwill show the fingerprint.

ciscoAP(config)#end
ciscoAP#show crypto pki certificate verbose TEST
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-CA
  Subject:
    Name: ciscoAP.localdomain
    Serial Number: xxxx
    serialNumber=xxxx+hostname=ciscoAP.localdomain
    cn=TEST
  Validity Date:
    start date: 09:41:10 UTC Oct 12 2020
    end   date: 09:41:10 UTC Oct 12 2021
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: xxxx
  Fingerprint SHA1: xxxx
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: xxxx

    X509v3 Authority Key ID: xxxx
    Authority Info Access:
  Associated Trustpoints: TEST
  Key Label: TEST

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=IOS-CA
  Subject:
    cn=IOS-CA
  Validity Date:
    start date: 09:37:22 UTC Oct 12 2020
    end   date: 09:37:22 UTC Oct 12 2023
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Fingerprint MD5: xxxx
  Fingerprint SHA1: xxxx
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: xxxx
    X509v3 Basic Constraints:
        CA: TRUE

    X509v3 Authority Key ID: xxxx
    Authority Info Access:
  Associated Trustpoints: TEST IOS-CA


ciscoAP#config t
Enter configuration commands, one per line.  End with CNTL/Z.
ciscoAP(config)#ip http secure-server

ciscoAP(config)#end
ciscoAP#write mem
Building configuration...
[OK]
ciscoAP#

 

[Ogeli]

Asiaa tuntematta mutta onko sulla activex kelpoinen selain (IE) Ciscot usein vaatii sen ?

 

[juhaa]

Asiaa tuntematta mutta onko sulla activex kelpoinen selain (IE) Ciscot usein vaatii sen ?

On kokeiltu kaikki selaimet IE:stä lähtien ja tässä Googlettelun perusteella vaikuttaa aikalailla bugilta Ciscon puolelta.

Juttua mm. täällä: Web Gui problem

Tuolla olleen video/kommentit perusteella "JJ1" olisi ollut viimeinen hyvin toimiva, nyt pitäisi se saada jostain ladattua ja aloittaa hommaa taas alusta

Tämä ilmeisestikin olisi se varmasti toimiva.
ap3g2-k9w7-tar.153-3.JJ1.tar

Software Download - Cisco Systems

software.cisco.com

Olisko jollain tunnareita, että saisi tuon ladattua?

edit: Löyty ja ainakin tuon kohdalla MD5 matchaa viralliseen.

Index of /PUB/Cisco/Wireless/1700_2600_2700_3600_3700

edit2: Ei mene putkeen

 

[juhaa]

Downgrade 15.3(3)JJ1 ja nyt toimii tallennukset GUI:sta. Pysynpä siis tässä versiossa