While trying to perform a password recovery on a Cisco ASA, I noticed that the password recovery feature was disabled on the appliance. Without the password recovery feature enabled, you can recover the Cisco ASA, but the file system will be wiped completely.
During the boot of the Cisco ASA you need to press ESC to enter rommon, and you will receive the following warning.
WARNING: Password recovery and ROMMON command line access has been
disabled by your security policy. Choosing YES below will cause ALL
configurations, passwords, images, and files systems to be erased.
ROMMON command line access will be re-enabled, and a new image must be downloaded via ROMMON.
Erase all file systems? y/n [n]: y
Permanently erase Disk0: and Disk1:? y/n [n]: y
All data from disk0: will be erased, after which you will gain access to the rommon of the appliance. To perform the full recovery you need to enter the following commands:
rommon #0> interface <interface id>
rommon #1> address <IP address>
rommon #2> file <image name>
rommon #3> server <IP address TFTP server>
rommon #4> tftp
The new image will be loaded to the Cisco ASA appliance and the appliance will boot with its default configuration. After the Cisco ASA has booted you have to format disk0:. When you issue the show disk0: command before the format, you will notice that there is no free space on the disk. After the format you need to upload the appropriate ASA and ASDM images.
Be aware that after performing a full recovery the previous VPN-3DES-AES activation keys and other licenses will be lost. You can get a new activation key at http://www.cisco.com/go/license.
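The checks below are an added example and not part of the original post or of Cisco's tooling: they detect whether a saved configuration has password recovery disabled (and so would force the file-system wipe described above), parse the free-space line of a dir disk0: listing, and build the ROMMON TFTP boot sequence from the post with the IP addresses validated. The sample config and directory listing are constructed; the image name is a placeholder.

```python
"""Added example for the ASA recovery above (not from the post or Cisco).
Assumes a plain-text config backup and 'dir disk0:' output as inputs."""
import ipaddress
import re

# Constructed sample inputs (not taken from the post).
SAMPLE_CONFIG = """\
ASA Version 8.2(1)
hostname asa-edge
no service password-recovery
"""
SAMPLE_DIR = """\
Directory of disk0:/

62881792 bytes total (0 bytes free)
"""


def password_recovery_enabled(config_text):
    """ASA enables password recovery by default; only the explicit
    'no service password-recovery' line disables it (and forces the wipe)."""
    return not any(line.strip() == "no service password-recovery"
                   for line in config_text.splitlines())


def free_bytes(dir_output):
    """Parse '<total> bytes total (<free> bytes free)' from 'dir disk0:'."""
    m = re.search(r"\((\d+) bytes free\)", dir_output)
    if m is None:
        raise ValueError("no free-space summary in dir output")
    return int(m.group(1))


def rommon_commands(interface, address, image, server):
    """ROMMON TFTP boot sequence from the post, with the IPs validated."""
    ipaddress.ip_address(address)   # raises ValueError on a malformed address
    ipaddress.ip_address(server)
    if not image:
        raise ValueError("image name is required")
    return [f"interface {interface}", f"address {address}",
            f"file {image}", f"server {server}", "tftp"]


def recovery_checklist(config_text, dir_output):
    """Warnings a practitioner wants before and after a full recovery."""
    notes = []
    if not password_recovery_enabled(config_text):
        notes.append("recovery disabled: ROMMON recovery erases disk0:/disk1:; "
                     "save the config and record 'show activation-key' first")
    if free_bytes(dir_output) == 0:
        notes.append("disk0: reports 0 bytes free: run 'format disk0:' "
                     "before uploading the ASA and ASDM images")
    return notes
```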
I don’t know if people from Argentina read my blog, but if they do I would like to thank them for their wireless coverage throughout the country. I am traveling for some time through Argentina and I have slept in multiple hotels and hostels. Every single hotel and hostel offers some kind of internet connection. Mostly I have the option to use my iPhone and my iBook without extra fees to pay.
Many (public) places broadcast a wireless network, even in places where you wouldn’t expect one, like a bakery, or take the little town of El Chaltén. El Chaltén doesn’t have an ATM. You cannot use your credit card, but there is a wireless internet connection via a satellite uplink. Some wireless networks are open and some have a captive portal configuration to log in. However, most wireless networks are protected with a WPA(2) key. I only need to ask for the key and they directly write it down for me.
Security is something the Argentineans are less familiar with. I guess it’s a hobby, but every time I join a wireless network, I always try to access the router / default gateway. When trying to access the router, in most cases you get some kind of login page or basic authentication popup. These kinds of pages mostly tell me what kind of router is used. A quick search on the internet for some default passwords already gave me access to three routers. Not so clever to use default passwords!!!
Internet speeds are also decent. You cannot compare it to the speed in the Netherlands, but I made some SIP phone calls without any problems. Internet access makes the holiday a lot easier, because I have to book multiple hostels and hotels along the ride, and I can upload my pictures from the camera to the iBook and from there to my NAS at home.
You Argentineans are doing a great job. I hope your friends in Chile are like you, because that is the next stop in a couple of days.
Lately I noticed something strange. I configured an ISA server as reverse proxy for OWA. The customer demanded the ability for users to change their password through OWA. I configured the OWA listener with LDAPS authentication against the Active Directory and enabled the option to select “I want to change my password after logging on”, as shown below.
I tested the environment by logging in and changing the password. Everything looked okay and the password was changed correctly. I tried some extra tests. I opened another browser and tried to log in with the old password, which succeeded. I could now log in with both the old and the new password.
Strange to me... so I tried some more tests. The customer is using an SSL portal with RADIUS authentication to the same Active Directory. So I tried to log in with the old and the new password. I guess you know the answer. It was possible to log in with both passwords. Another test was logging in to the network components, which also use RADIUS against the Active Directory. Again the tests were positive.
The last test was logging in on a workstation. With this test, I could only log in with the new password and not the old one. Strange to me... After one hour I tried again, and this time it was only possible to log in with the new password.
I guess there is some kind of period during which you can use both passwords. Maybe someone has noticed this before and knows more about it...
Ictivity received an e-mail about strong authentication products from ID Control. Strong authentication is authentication where you need multiple factors (what you have, what you know, what you are) to actually authenticate to a system, network or something else. We, as Connectivity Consultants, were asked to look at the different products and start a discussion about them. Are they interesting for us or for some of our customers?
The main focus is on three different authentication products. In this post you can read MY OPINION about the three different authentication items.
HandyID is the leading mobile authentication method which provides a One Time Password (OTP) token-based, two-factor authentication solution on your mobile phone (handy), PDA, Blackberry and/or smart phone. HandyID turns your mobile device into a hardware token enabling a cost-effective, easy, convenient and user-friendly strong authentication solution for online banking, government and ecommerce. In combination with ID Control Server the set up and deployment is easy and fast.
Reading the text above, I am wondering what HandyID brings extra in comparison to tokens like the ones from RSA. In my opinion I only see disadvantages. According to ID Control, you can use HandyID on every mobile device. I will not run it on my device, because the Nokia I am using isn’t that stable. I see crashing mobile phones, mobile phones with empty batteries and no charger nearby. I see incompatibilities with some typical applications. In general, I like the concept of HandyID, but I would prefer a decent token from RSA (RSA SecurID).
KeystrokeID is the biometric solution based on behaviour traits that are acquired over a certain time period while the user is typing on his or her keyboard (versus a physiological characteristic or physical trait). KeystrokeID monitors and analyses all keyboard behaviour performed by the user during his/her access. Based on this keystroke behaviour in comparison to the user’s normal behaviour, access is granted when this user is also authorized.
Huh?? So reading this, the keyboard is learning the way you type and grants you access based on that process. Sounds cool, but again I see a lot of customers having problems accessing the stuff they would like to access. I can imagine that KeystrokeID would work for a private secretary who finds the keys blindly on the keyboard, but what about people who cannot type that well, and what about when you are typing at night in bed, without decent light? I guess you won’t type the same as during normal daytime. Summarizing, I would NOT advise OUR customers to use KeystrokeID, because I THINK that the product creates more authentication problems than it solves.
ID Control’s USB Token is a portable end-user authentication token that can replace user name and password for workstation, website, VPN, file, email, network, file and/or disk access security. ID Control USB Token plugs into any standard USB port and can even run without any software.
After reading the documentation about the USB Token, I can definitely imagine advising the USB Token to customers and even using one myself. The USB Token’s ease of use looks really better in comparison to smart-cards or biometrics. Nowadays USB keys are in common use and the price for USB keys won’t be that high. Another advantage of the USB Token is that you only need an enabled USB port on a workstation and that’s it. For smart-cards and biometrics, you normally need extra equipment before you can actually use them.
The USB Token can be used for different purposes like Secure VPN Authentication, File and Disk Encryption, Web (Application) Sign-on, Secure Password Manager, Computer and Network Sign-on, Email Encryption & Signing and PKI. I would definitely use the USB Token for File and Disk Encryption and Secure Password Manager. In my line of work and with our customers, I can also imagine using the USB Token for Secure VPN Authentication.