Saturday, December 24, 2016

Configure Windows server to not enforce password for certificate enrollment

Please refer to the link below:

http://www.petenetlive.com/KB/Article/0000947

NDES Disable Password Requirement.

I've read a few blogs and articles that say:
"There is no way for Cisco devices to supply the required password to enroll with NDES/MSCEP, so you need to disable the requirement for a password."
This is NOT TRUE. However, the whole point of issuing certificates via your PKI infrastructure is that it can scale dramatically. If you are creating passwords and embedding those passwords in all your enrollments, it can get a little unwieldy. So it may be sensible to remove the password requirement.
1. Windows Key+R > regedit {Enter} > Navigate to:
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP > EnforcePassword > EnforcePassword
To disable, change the value to 0 (zero).
2. Restart the Certificate Services service:
net stop certsvc
net start certsvc

Tuesday, December 13, 2016

Windows server installation

Windows 2008 Enterprise CA NDES Installation with SCEP on Cisco Router: https://youtu.be/387OccoWDQQ

Automate certificate management for a local computer: https://youtu.be/0UXZ-6DEPsA

OCSP : http://www.vkernel.ro/blog/installing-and-configuring-a-microsoft-online-certificate-status-protocol-ocsp-responder

https://www.youtube.com/watch?v=TAwhvllLB34

https://www.youtube.com/watch?v=jRVCDsN3rf8


Use the URL below to get the "enrollment challenge password" to be used during the certificate request:

https://10.105.41.153/certsrv/mscep_admin/

Thursday, November 3, 2016

RADSEC Commands

RADSEC Commands on ISE:

To display only open UDP ports, try the following command (http://stackoverflow.com/questions/17523389/check-all-socket-opened-in-linux-os):

netstat -vaun | grep 11.22

Example:

[root@RADSEC-4 ~]# netstat -vaun | grep 2083
udp        0      0 172.17.0.1:2083         0.0.0.0:*                        
udp        0      0 11.22.33.44:2083        0.0.0.0:*                        
udp        0      0 10.105.41.134:2083      0.0.0.0:*                        
udp        0      0 127.0.0.1:2083          0.0.0.0:*                        
[root@RADSEC-4 ~]#

Tuesday, October 18, 2016

Crypto PKI config

CA Server config on ASR 1k:
###########################
ntp server 9.27.14.135
ip http server

crypto key generate rsa modulus 1024 label ASR_CA_KEY exportable

crypto key export rsa ASR_CA_KEY pem url nvram: 3des cisco123

crypto pki server cisco
 database level complete
 no database archive
 issuer-name CN=CA.cisco.com,OU=TAC
 grant auto

Download CA certificate and import to ISE as trusted certificate
crypto pki export cisco pem terminal

Client config:
###############
ntp server 9.27.14.135
ip http server

crypto key generate rsa modulus 1024 label SPOKE_KEY exportable

crypto ca trustpoint cisco
enrollment url http://9.27.14.135:80
subject-name CN=Spoke.cisco.com,OU=TAC
revocation-check crl
auto-enroll
exit

crypto pki authenticate cisco
######################################################################################

CA Server logs:

AAA_UUT_ASR(config)#crypto key zeroize rsa ASR_CA_KEY
% Keys to be removed are named 'ASR_CA_KEY'.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#$generate rsa modulus 1024 label ASR_CA_KEY exportable  
The name for the keys will be: ASR_CA_KEY

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 0 seconds)

AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#crypto key export rsa ASR_CA_KEY pem url nvram: 3des cisco$
% Key name: ASR_CA_KEY
   Usage: General Purpose Key
Exporting public key...
Destination filename [ASR_CA_KEY.pub]?
Writing file to nvram:ASR_CA_KEY.pub
Exporting private key...
Destination filename [ASR_CA_KEY.prv]?
Writing file to nvram:ASR_CA_KEY.prv
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#do show run | s crypto
AAA_UUT_ASR(config)#crypto pki server cisco
AAA_UUT_ASR(cs-server)# database level complete
AAA_UUT_ASR(cs-server)# no database archive
AAA_UUT_ASR(cs-server)# issuer-name CN=CA.cisco.com,OU=TAC
AAA_UUT_ASR(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

% Certificate Server enabled.
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#shut
Certificate server 'shut' event has been queued for processing.
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#gra
AAA_UUT_ASR(cs-server)#grant au
AAA_UUT_ASR(cs-server)#grant auto
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#no shut
Certificate server 'no shut' event has been queued for processing.
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#do show crypto pki server
Certificate Server cisco:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=CA.cisco.com,OU=TAC
    CA cert fingerprint: 3AD4C4B7 9BBC8735 ACD8F5BF 8842B95B
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 15:12:23 UTC Sep 19 2019
    CRL NextUpdate timer: 21:12:30 UTC Sep 19 2016
    Current primary storage dir: nvram:
    Database Level: Complete - all issued certs written as <serialnum>.cer
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR(cs-server)#
AAA_UUT_ASR#show run | s crypto
crypto pki server cisco
 database level complete
 no database archive
 issuer-name CN=CA.cisco.com,OU=TAC
 grant auto
crypto pki trustpoint cisco
 revocation-check crl
 rsakeypair cisco
crypto pki certificate chain cisco
 certificate ca 01
        quit
AAA_UUT_ASR#

#########################################################################################

AAA_EDISON(config)#crypto ca trustpoint cisco
AAA_EDISON(ca-trustpoint)#enrollment url http://9.27.14.135:80
AAA_EDISON(ca-trustpoint)#subject-name CN=Spoke.cisco.com,OU=TAC
AAA_EDISON(ca-trustpoint)#revocation-check crl
AAA_EDISON(ca-trustpoint)#auto-enroll
AAA_EDISON(ca-trustpoint)#exit
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#crypto pki authenticate cisco
Certificate has the following attributes:
       Fingerprint MD5: 3AD4C4B7 9BBC8735 ACD8F5BF 8842B95B
      Fingerprint SHA1: 80259439 3C6ECA01 BFE5D908 A4189328 16F55C17

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
Sep 19 15:18:50.257: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint cisco
Sep 19 15:18:50.281: CRYPTO_PKI:  Certificate Request Fingerprint MD5: FE8F9DB3 AEC3DEA9 CF8A747B E4B42F00
Sep 19 15:18:50.282: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: D09B976F DB0025D2 4F46ECD7 6D80E32D 76F9525C
Sep 19 15:18:55.784: %PKI-6-CERTRET: Certificate received from Certificate Authority
Sep 19 15:18:55.784: %PKI-4-NOAUTOSAVE: Configuration was modified.  Issue "write memory" to save new certificate
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#
AAA_EDISON(config)#^Z
AAA_EDISON#
AAA_EDISON#
AAA_EDISON#wr
Sep 19 15:19:28.449: %SYS-5-CONFIG_I: Configured from console by client1 on console
Building configuration...
[OK]
AAA_EDISON#
AAA_EDISON#
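
Added example, not part of the original notes: before answering yes at the "crypto pki authenticate" prompt above, the MD5 fingerprint shown on the client can be checked against the "CA cert fingerprint" line that "show crypto pki server" prints on the CA. The sample text is copied from the two logs above; the function and variable names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): verify the CA fingerprint
# before accepting the CA certificate on the client.
# Function and variable names are hypothetical.

# From "show crypto pki server" on the CA (lines copied from the log above).
CA_SERVER_OUTPUT='Certificate Server cisco:
    Status: enabled
    Issuer name: CN=CA.cisco.com,OU=TAC
    CA cert fingerprint: 3AD4C4B7 9BBC8735 ACD8F5BF 8842B95B
    Granting mode is: auto'

# From the client's authenticate prompt (lines copied from the log above).
CLIENT_PROMPT_OUTPUT='Certificate has the following attributes:
       Fingerprint MD5: 3AD4C4B7 9BBC8735 ACD8F5BF 8842B95B
      Fingerprint SHA1: 80259439 3C6ECA01 BFE5D908 A4189328 16F55C17'

# Keep only hex digits and upper-case them, so spacing and case do not matter.
normalize_fp() {
  printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Print the normalized value that follows "<label>:" (first occurrence only).
# $1 = command output, $2 = label
extract_fp() {
  normalize_fp "$(printf '%s\n' "$1" |
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1)"
}

# Succeed only when both sides show the same complete 128-bit MD5 fingerprint.
# A missing or truncated fingerprint on either side counts as a failure.
# $1 = CA output, $2 = client output
fingerprints_match() {
  fp_ca=$(extract_fp "$1" "CA cert fingerprint")
  fp_client=$(extract_fp "$2" "Fingerprint MD5")
  [ "${#fp_ca}" -eq 32 ] && [ "${#fp_client}" -eq 32 ] &&
    [ "$fp_ca" = "$fp_client" ]
}

if fingerprints_match "$CA_SERVER_OUTPUT" "$CLIENT_PROMPT_OUTPUT"; then
  echo "fingerprints match: the client is looking at the CA's certificate"
else
  echo "MISMATCH or missing fingerprint: do not accept the certificate" >&2
fi
```

The CA output has to be collected over a path other than the enrollment URL (console or an existing SSH session), otherwise the comparison proves nothing.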

Configure_CA_cert_to_ISE

1. Generate a CSR from ISE
2. Save the CSR in .pem format
3. Follow the step below

AAA_UUT_ASR#crypto pki server cisco request pkcs10 terminal pem            
PKCS10 request in base64 or pem

% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE REQUEST-----
[Base64 body not preserved]
-----END CERTIFICATE REQUEST-----

% Granted certificate:
-----BEGIN CERTIFICATE-----
[Base64 body not preserved]
-----END CERTIFICATE-----

AAA_UUT_ASR#

4. Save the certificate to a file
5. Under CSR tab in ISE, select the CSR and click on "Bind certificate"
6. Upload the certificate saved in step 4 and select "EAP-TLS and RADIUS-DTLS"
7. Execute the command below on the CA server to export the CA certificate

AAA_UUT_ASR(config)#crypto pki export cisco pem terminal
% The specified trustpoint is not enrolled (cisco).
% Only export the CA certificate in PEM format.
% CA certificate:
-----BEGIN CERTIFICATE-----
[Base64 body not preserved]
-----END CERTIFICATE-----

AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#

8. Save the above certificate and add it under "Trusted certificates" in ISE

Tuesday, August 2, 2016

My quick scripts

Run the script below on PAGENT after bringing up dot1x sessions using eapse:

for {set count 1} {$count <= 222} {incr count} {
   dce stop
   dce clear all
   dce g0/1
   dce add client
   dce expand 79
   dce delay-start 500
   after 5000
   dce start
   after 1800000
}

#################################################################################

Run the script below on the DHCP server after bringing up all dot1x sessions:

for {set count 1} {$count <= 400} {incr count} {
      puts "\nIteration - $count\n"
        puts [exec clear ip dhcp bind *]
        after 1000
        ios_config "ip dhcp excluded-address 23.23.0.0 23.23.99.255"
        after 1000
        puts [exec clear ip dhcp bind *]
        puts "\n#### \nSleep 500 seconds  ####\n"
        after 500000
        puts "\nBindings should be above 23.23.99.255\n"
        after 1000
        puts [exec sh ip dhcp bind | c 23.23]
        after 5000
        puts [exec sh ip dhcp bind]
        after 50000
        puts [exec clear ip dhcp bind *]
        after 1000
        ios_config "ip dhcp excluded-address 23.23.100.0 23.23.199.255"
        after 1000
        ios_config "no ip dhcp excluded-address 23.23.0.0 23.23.99.255"
        puts "\n#### \nSleep 500 seconds  ####\n"
        after 500000
        puts "\nBindings should be below 23.23.100.0\n"
        after 1000
        puts [exec sh ip dhcp bind | c 23.23]
        after 50000
        puts [exec sh ip dhcp bind]
        after 5000
        ios_config "no ip dhcp excluded-address 23.23.100.0 23.23.199.255"
        after 1000
        puts "End of iteration - $count"
}

#########################################################################################

1. Run the command "./UIHC-cont" to collect Auth Manager and EPM memory data every 5 minutes
2. Run "./UIHC-mem-report-generator" to dump the collected data

The files below form a set:

UIHC-ssh
UIHC-cont
UIHC-mem-usage        
UIHC-mem-report-generator

#############################################################################################

Run the scripts below on the FreeRADIUS server to collect stats periodically:


root@FR-121:~# ls UIHC*
UIHC_collect_stats       UIHC-cont         UIHC-mem-report-generator  UIHC-ssh
UIHC_collect_stats_cont  UIHC_health_data  UIHC-mem-usage

UIHC:
root@FR-121:~#
##############################################################################################

root@FR-121:~# cat UIHC-ssh

sshpass -p "welcome123" ssh -o StrictHostKeyChecking=no client1@9.27.156.11 << EOF


show clock

term shell

sleep 300

show process memory detailed process iosd sorted | i EPM.*MAIN|Auth.*Manager|Free

EOF
root@FR-121:~#

###############################################################################################

root@FR-121:~# cat UIHC-cont
#!/bin/bash
a=1
while [ $a -gt 0 ]
do
  /root/UIHC-ssh >> UIHC-mem-usage
done
root@FR-121:~#

##############################################################################################


root@FR-121:~# more UIHC-mem-report-generator
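# Start from a clean slate; -f avoids an error when a file does not exist yet
rm -f auth_mgr processor_mem mem_report
# Auth Manager figure (fixed character columns 34-42), numbered per sample
grep "Auth Manager" UIHC-mem-usage | cut -c 34-42 | nl >> auth_mgr
# Figure at columns 40-50 of each "Processor" line
grep "Processor" UIHC-mem-usage | cut -c 40-50 >> processor_mem
# Put the two columns side by side as an aligned table
paste auth_mgr processor_mem | column -s $'\t' -t >> mem_report
cat mem_report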
root@FR-121:~#
##############################################################################################

The files below form a set:

UIHC_collect_stats
UIHC_collect_stats_cont
UIHC_health_data

##############################################################################################

root@FR-121:~# cat UIHC_collect_stats
sshpass -p "welcome123" ssh -o StrictHostKeyChecking=no client1@9.27.156.11 << EOF

######################  BEGIN ITERATION  #####################

show clock

term shell

term exec prompt timestamp

show clock

show ver

show region

show auth sess | i count

show dot1x all count

show ip dhcp snooping bind

show processes memory sorted

show processes memory detailed process iosd sorted

show processes memory detailed process iosd maps

show memory detailed process iosd allocating-process total

show redundancy

show redundancy switchover history

show aaa memory detailed

show aaa memory stats all

show mem deb leaks detailed process iosd

show auth attrlist

sleep 3600

##################  END OF ITERATION  ##############################
EOF
root@FR-121:~#

###########################################################################################

root@FR-121:~# cat UIHC_collect_stats_cont
#!/bin/bash
a=1
while [ $a -gt 0 ]
do
  /root/UIHC_collect_stats >> UIHC_health_data
done

root@FR-121:~#

############################################################################################
copy_mem_report script to be run on 10.104.99.167 to fetch the mem_report from 9.27.15.121

#!/bin/bash
a=1
while [ $a -gt 0 ]
do
  scp root@9.27.15.121:/root/mem_report .
  sleep 300
done

Run it as shown below from a Cygwin terminal started as administrator:

admin@NOVA-PC ~
$ cd "C:\Users\admin\Desktop\POLARIS\UIHC"

admin@NOVA-PC /cygdrive/c/Users/admin/Desktop/POLARIS/UIHC
$ ./copy_mem_report
mem_report                                    100% 3596     3.5KB/s   00:01
mem_report                                    100% 3596     3.5KB/s   00:00
mem_report                                    100% 3596     3.5KB/s   00:00
mem_report                                    100% 3596     3.5KB/s   00:00
mem_report                                    100% 3596     3.5KB/s   00:00
mem_report                                    100% 3596     3.5KB/s   00:00
mem_report                                    100% 3596     3.5KB/s   00:00
mem_report                                    100% 3596     3.5KB/s   00:00
mem_report                                    100% 3596     3.5KB/s   00:00
mem_report                                    100% 3596     3.5KB/s   00:00
mem_report                                    100% 3596     3.5KB/s   00:00
mem_report                                    100% 3596     3.5KB/s   00:00
mem_report                                    100% 3596     3.5KB/s   00:00


############################################################################################################


Friday, July 29, 2016

scp usage syntax


scp from one linux server to another:

[bear-xxx-xxx:/auto/tftp-sanity-testbed-infra]>scp -v ./UIHC_Fix.bin root@9.27.15.121:/root/UIHC/UIHC_Fix.bin
Executing: program /usr/bin/ssh host 9.27.15.121, user root, command scp -v -t /root/UIHC/UIHC_Fix.bin
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /users/srikragh/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 9.27.15.121 [9.27.15.121] port 22.
debug1: Connection established.
debug1: identity file /users/srikragh/.ssh/identity type -1
debug1: identity file /users/srikragh/.ssh/id_dsa type -1
debug1: identity file /users/srikragh/.ssh/id_rsa type 1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '9.27.15.121' is known and matches the RSA host key.
debug1: Found key in /users/srikragh/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /users/srikragh/.ssh/identity
debug1: Trying private key: /users/srikragh/.ssh/id_dsa
debug1: Offering public key: /users/srikragh/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending command: scp -v -t /root/UIHC/UIHC_Fix.bin
Sending file modes: C0777 497607048 UIHC_Fix.bin
Sink: C0777 497607048 UIHC_Fix.bin
UIHC_Fix.bin                                                                             81%  385MB   7.4MB/s   00:12 ETA



############################################################################

###########  Change "\" to "/" in the windows path  ###############

Original Windows path: C:\Users\admin\Desktop\POLARIS\UIHC

Windows path to use in the scp command: C:/Users/admin/Desktop/POLARIS/UIHC/UIHC_Fix.bin

##########################################################################


bgl-ads-843:26> scp -v ./UIHC_Fix.bin admin@10.104.99.167:C:/Users/admin/Desktop/POLARIS/UIHC/UIHC_Fix.bin
Executing: program /usr/bin/ssh host 10.104.99.167, user admin, command scp -v -t C:/Users/admin/Desktop/POLARIS/UIHC/UIHC_Fix.bin
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /users/srikragh/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.104.99.167 [10.104.99.167] port 22.
debug1: Connection established.
debug1: identity file /users/srikragh/.ssh/identity type -1
debug1: identity file /users/srikragh/.ssh/id_dsa type -1
debug1: identity file /users/srikragh/.ssh/id_rsa type 1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.9
debug1: match: OpenSSH_6.9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host '10.104.99.167' is known and matches the RSA host key.
debug1: Found key in /users/srikragh/.ssh/known_hosts:29
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /users/srikragh/.ssh/identity
debug1: Trying private key: /users/srikragh/.ssh/id_dsa
debug1: Offering public key: /users/srikragh/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
admin@10.104.99.167's password: 
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: scp -v -t C:/Users/admin/Desktop/POLARIS/UIHC/UIHC_Fix.bin
Sending file modes: C0777 497607048 UIHC_Fix.bin
Sink: C0777 497607048 UIHC_Fix.bin
UIHC_Fix.bin                                                                            100%  475MB  33.9MB/s   00:14    
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 14.3 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0
bgl-ads-843:27> 

###############################################################################

scp from cisco switch to linux machine:

CAT4k-SUP8E#copy scp: bootflash: vrf mgmtVrf 
Address or name of remote host [9.27.15.121]? 
Source username [root]? 
Source filename [/root/UIHC/UIHC_Fix.bin]? 
Destination filename [UIHC_Fix.bin]? 
Password: 
 Sending file modes: C0777 497607048 UIHC_Fix.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

#########################################################################

scp from linux machine to cisco switch:
[Entered enable password = "cisco" to start file transfer when prompted to enter password]

root@FR-121:~/UIHC# scp -v ./UIHC_Fix.bin client1@9.27.156.11:UIHC_Fix.bin
Executing: program /usr/bin/ssh host 9.27.156.11, user client1, command scp -v -t -- UIHC_Fix.bin
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 9.27.156.11 [9.27.156.11] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA a6:a0:b7:3b:73:1f:6f:9a:68:8c:81:61:fb:2b:eb:fa
debug1: Host '9.27.156.11' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:15
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
C
***************************************************************************
WARNING
This resource is for use by authorized University of Iowa Hospitals and
Clinics users only. Individuals using or attempting to use this resource
without proper authorization are subject to criminal and civil prosecution.
Access to this resource is monitored and recorded.
***************************************************************************
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive
Password:
C Your failed attempt has been recorded.
debug1: Authentications that can continue: publickey,keyboard-interactive,password
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 9.27.156.11 ([9.27.156.11]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_IN
debug1: Sending command: scp -v -t -- UIHC_Fix.bin
Sending file modes: C0777 497607048 UIHC_Fix.bin
UIHC_Fix.bin                                                                              2%   10MB 307.5KB/s   25:47 ETA
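
Added example, not part of the original notes: the scp -v logs above record which cipher, MAC and authentication method each session ended up using. This shell function pulls those out of a debug log and flags CBC, RC4 or 3DES ciphers, MD5 or truncated MACs, a preferred DH group size below 2048 bits, non-key authentication, and a log with no host key match. The finding labels and thresholds are this example's own policy; the sample lines are copied from the first two logs.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): summarize what an "scp -v" or
# "ssh -v" debug log says about negotiated algorithms and authentication.
# Finding labels and the 2048-bit threshold are assumptions of this example.

# Lines copied from the first log above (Linux to Linux, OpenSSH_4.3 client).
LEGACY_LOG="debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: Host '9.27.15.121' is known and matches the RSA host key.
debug1: Authentication succeeded (publickey)."

# Lines copied from the second log above (Linux to the Cygwin host).
PASSWORD_LOG="debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: Host '10.104.99.167' is known and matches the RSA host key.
debug1: Authentication succeeded (password)."

# Read a debug log on stdin and print one finding per line.
audit_ssh_debug() {
  awk '
    # "debug1: kex: <direction> <cipher> <mac> <compression>"
    /^debug1: kex: (server->client|client->server) / {
      if ($4 ~ /-cbc$|^arcfour|^3des/) print "WEAK-CIPHER " $3 " " $4
      if ($5 ~ /md5|-96/)              print "WEAK-MAC " $3 " " $5
    }
    # "SSH2_MSG_KEX_DH_GEX_REQUEST(min<preferred<max)"
    /SSH2_MSG_KEX_DH_GEX_REQUEST\(/ {
      s = $0; sub(/^.*REQUEST\(/, "", s); sub(/\).*$/, "", s)
      split(s, size, "<")
      if (size[2] + 0 < 2048) print "DH-GEX-PREFERRED-BELOW-2048 " size[2]
    }
    # The client found the server key in known_hosts and it matched.
    /is known and matches the .* host key/ { hostkey = 1 }
    # "debug1: Authentication succeeded (<method>)."
    /^debug1: Authentication succeeded \(/ {
      m = $0; sub(/^.*succeeded \(/, "", m); sub(/\).*$/, "", m)
      if (m != "publickey") print "NON-KEY-AUTH " m
    }
    END { if (!hostkey) print "HOST-KEY-NOT-VERIFIED" }
  '
}

# Findings for the first transfer on this page.
printf '%s\n' "$LEGACY_LOG" | audit_ssh_debug
```

A session run with StrictHostKeyChecking=no against a host that is not yet in known_hosts produces no "is known and matches" line, so it is reported as HOST-KEY-NOT-VERIFIED.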

Thursday, February 11, 2016

Grep a file, but show several surrounding lines?


http://stackoverflow.com/questions/9081/grep-a-file-but-show-several-surrounding-lines

Ex:

[bear-bld-lnx:/auto/tftp-nbardevtest]>grep -A 3 "a,fed,bmalloc" /auto/tftp-nbardevtest/outputfile_20160210231010.log
a,fed,bmalloc
                          Dependent Head           10           22       1728
                                 Summary          790          802       1728

--
a,fed,bmalloc
                          Dependent Head           10           25       2160
                                 Summary          790          805       2160

--
a,fed,bmalloc
                          Dependent Head           10           25       2160
                                 Summary          790          805       2160

--
a,fed,bmalloc
                          Dependent Head           10           25       2160
                                 Summary          790          805       2160