Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About ZedGama3
ZedGama3
Comes here often
Member since Dec 3, 2020
Jan 31 2024
Community Record
4
Posts
0
Kudos
0
Solutions
Dec 28 2023
9:09 AM
How can I have clients prefer our WAN1 IPv6 connection? We have IPv6 active on both WAN1 and WAN2, WAN1 is the preferred uplink in traffic shaping, but WAN2's prefix is being advertised as the preferred prefix. Another strange thing is that the VLAN in question only shows a prefix delegation from WAN1, even though it's advertising both and preferring WAN2. If it's helpful, WAN1 has a prefix of /56 and WAN2 of /48. Everything else is configured the same. @IPv6
... View more
Labels:
- Labels:
-
Other
Dec 4 2020
9:53 AM
Is there a list of supported TLS versions for MR devices? I have a mixed environment of MR18, 32, and 53 devices. After migrating to Windows Server 2019 I found that RADIUS wasn't working for the 18 and 32 APs and was finally able to pin it down to TLS 1.0 having been disabled - reenabling it allowed the MR 18 and 32 devices to connect, the 53 APs didn't have any issues and appear to be negotiating TLS 1.2. At first, I thought that the older firmware versions didn't support TLS 1.2, but then I found an article in the community stating that they didn't have a problem disabling TLS 1.0 on their server. Also, there is no mention of adding TLS 1.2 support in the change log and I find it difficult to believe that a firmware version released earlier this year wouldn't be able to negotiate TLS 1.2. I've contacted Meraki support and was told that this is "outside the scope of Meraki support". Related thread: https://community.meraki.com/t5/Wireless-LAN/MR53-Issues-When-Disabling-TLS-1-0/m-p/17735
... View more
Dec 3 2020
1:56 PM
So the short answer is no. TL;DR; The concern I'm trying to address is the ability for someone in a privileged position to impersonate someone else without them realizing it. As for extracting password hashes, I'm surprised that Microsoft hasn't implemented a better hashing algorithm that would require more time to brute force the hash. Regarding Wi-Fi, I see several challenge-response pairs and was assuming the mechanism was using an authentication method that didn't require sending the password. Example: the server sends a random string, the client then responds with a hash resulting from the combination of the hashed password and the random string - by doing this multiple times the server can be sure that the client knows the password without actually sending the password. Of course, depending on how much access the admin has, they can enable reversible encryption and install key loggers. No solution is perfect, but I'm trying to limit an attacker's options - regardless of if they are foreign or domestic. If a password gets changed, it's recognized right away. The other issue is that most users re-use passwords and could gain access to systems beyond the original scope of the attacker.
... View more
Dec 3 2020
11:58 AM
I've set up an MX client VPN to use RADIUS authentication and noticed that Wireshark is able to show the plain-text password when provided with the RADIUS secret. Is there a way to prevent this? As it stands, anyone with admin access to the server could get the passwords for anyone who uses the VPN. Interestingly, this doesn't seem to be the case for Wi-Fi authenticating via RADIUS.
... View more
© 2024 Cisco Systems, Inc.
