Michael McNamara

technology, networking, virtualization and IP telephony

Juniper EX4300 & EX2300 J-Web Authentication via TACACS+

by

About 6 weeks back now I thought this was going to be a quick configuration and I’d be done… this was all back before the global pandemic. Unfortunately, a few minutes turned into six week journey.

We were looking to provide our 24×7 and IT support teams with read-only access to the CLI and J-Web interfaces on our EX4300 and EX2300 switches. We were going to start with using TAC_PLUS but we would eventually integrate with our HPE/Aruba ClearPass instances down the road (authenticating against Windows Active Directory).

I quickly found out that authenticating against TACACS+ while logging in via J-Web was broken, SSH worked fine but logging in via the web browser was broken. The error, “Invalid username or password specified” would always be returned. Some quick troubleshooting showed that the switches weren’t even reaching out to the TACACS+ servers so we decided to reach out to JTAC. We were running Junos 18.2R3-S2 for the EX2300 and Junos 18.4R2-S2 for the EX4300, these were the recommended software releases for each platform at the time I started this adventure.

This past week Juniper let me know that there was a PR raised for the following;

Logging into JWEB fails with “Invalid username or password specified”, but same credentials work for SSH access to CLI when authentication-order is configured

The issue was resolved in the following software releases;

  • EX4300 – Junos 18.4R3
  • EX2300 – Junos 18.3R3-S1

I upgraded some switches in order to test and wouldn’t you know it.

It works!

Cheers!

Opengear pmshell ESCAPE sequences

by

If your in pmshell you’ll need to use the following escape sequences to get back to the “Connect to port >” prompt if for example you want to connect to different serial port. If you weren’t confused enough, if you are connecting via SSH you’ll need to use an extra ~ before those escape sequences so the ~ isn’t interpreted by your SSH client, it needs to pass through to pmshell.

Shell Commands:
~b - Generate BREAK
~h - View history
~p - Power menu
~m - Connect to port menu
~. - Exit pmshell
~? - Show this message

I’ve noticed on occasion that I need to be fairly quick with the keyboard strokes or pmshell will just pass the characters through to the device connected to the serial port.

Cheers!
Image Credit to Michaelaw

Avaya 1200 Series IP Phone Configuration Options

by

While working with the Avaya 1220 IP Phones over this past week I discovered a few tricks that I thought I would share with everyone. It can be very difficult and time consuming to troubleshoot configuration issues and the 5 line LCD display makes scrolling through all the configuration options painful to say the least. While working with the provisioning files I recalled that the 1200 series IP phone supports SSH so I logged into the IP phone via  SSH and I found a great little command. prtcfg. This command appears to print the entire configuration of the IP phone. I’ve noticed that the documentation is sometimes lacking so this is a great little resource to not only see how the phone is configured but to see all the available options.

[root@centos ~]# ssh -l admin 192.168.100.99
admin@192.168.100.99's password:

Welcome to Avaya problem determination tool.

You are connected to IP Phone 1220.
HW version: 1800247F9984E9662A
FW version 04.00.04.00
MAC Address = 00247F99FFFF
IP = 192.168.100.99
Type "bye" to exit current shell.
PDT> prtcfg
*********************SYSTEM CONFIG************************
*** SIPdomain1 asterisk.home
***   defUser user1
***   S1 IP: 192.168.1.6
***   S1 Ports: (UDP:5060, TCP:0, TLS:0)
***   S1 Proto: 2
***   S2 IP: 0.0.0.0
***   S2 Ports: (UDP:5060, TCP:0, TLS:0)
***   S2 Proto: 2
*** CONFERENCE_URI: conference@avaya.com
*** ADHOC_ENABLED: 0
*** MAX_ADHOC_PORTS: 0
*** SIPdomain2
***   defUser user2
***   S1 IP: 0.0.0.0
***   S1 Ports: (UDP:5060, TCP:0, TLS:0)
***   S1 Proto: 2
***   S2 IP: 0.0.0.0
***   S2 Ports: (UDP:5060, TCP:0, TLS:0)
***   S2 Proto: 2
*** CONFERENCE_URI: conference@avaya.com
*** ADHOC_ENABLED: 0
*** MAX_ADHOC_PORTS: 0
*** SIPdomain3
***   defUser user3
***   S1 IP: 0.0.0.0
***   S1 Ports: (UDP:5060, TCP:0, TLS:0)
***   S1 Proto: 2
***   S2 IP: 0.0.0.0
***   S2 Ports: (UDP:5060, TCP:0, TLS:0)
***   S2 Proto: 2
*** CONFERENCE_URI: conference@avaya.com
*** ADHOC_ENABLED: 0
*** MAX_ADHOC_PORTS: 0
*** SIPdomain4
***   defUser user4
***   S1 IP: 0.0.0.0
***   S1 Ports: (UDP:5060, TCP:0, TLS:0)
***   S1 Proto: 2
***   S2 IP: 0.0.0.0
***   S2 Ports: (UDP:5060, TCP:0, TLS:0)
***   S2 Proto: 2
*** CONFERENCE_URI: conference@avaya.com
*** ADHOC_ENABLED: 0
*** MAX_ADHOC_PORTS: 0
*** SIPdomain5
***   defUser user5
***   S1 IP: 0.0.0.0
***   S1 Ports: (UDP:5060, TCP:0, TLS:0)
***   S1 Proto: 2
***   S2 IP: 0.0.0.0
***   S2 Ports: (UDP:5060, TCP:0, TLS:0)
***   S2 Proto: 2
*** CONFERENCE_URI: conference@avaya.com
*** ADHOC_ENABLED: 0
*** MAX_ADHOC_PORTS: 0
*** DNSdomain asterisk.home
*** Config version 000005
*** User Config version 000001
*** Language version 000001
*** Image version 000001
*** Tone version 000001
*** Licensing file version 000001
*** User keys version 000001
*** CTL file version 000001
*** Boot version 000001
*** Security Policy version 000001
*** CRL file version 000001
*** Nortel Key version 000001
*** Misc version 000001
*** Service Pack version 000001
*** SIP_PING 1
*** VMAIL 5000
*** VMAIL_DELAY 300
*** BANNER Avaya SIP Client
*** FORCE_BANNER 0
*** DST_ENABLED 1
*** TIMEZONE_OFFSET 0
*** MAX_INBOX_ENTRIES 100
*** MAX_OUTBOX_ENTRIES 100
*** MAX_REJECTREASONS 20
*** MAX_CALLSUBJECT 20
*** MAX_PRESENCENOTE 20
*** DEF_LANG English
*** DSCP_CONTROL 0
*** 802.1P_CONTROL -1
*** DSCP_MEDIA 0
*** 802.1P_MEDIA -1
*** DSCP_DATA -1
*** 802.1P_DATA -1
*** LOG_LEVEL 255
*** RECOVERY_LEVEL 2
*** AUTO_UPDATE 0
*** AUTO_UPDATE_TIME 0
*** AUTO_UPDATE_TIME_RANGE 1
*** DOS_PACKET_RATE 5
*** DOS_MAX_LIMIT 100
*** DOS_LOCK_TIME 20
*** DEF_AUDIO_QUALITY High
*** DEF_DISPLAY_IM NO
*** MAX_IM_ENTRIES 999
*** MAX_ADDR_BOOK_ENTRIES 100
*** ADDR_BOOK_MODE NETWORK
*** IM_MODE DISABLED
*** ADMIN_PASSWORD 26567*738
*** ADMIN_PASSWORD Expiry Time 0
*** ENABLE_LOCAL_ADMIN_UI 1
*** HASHED_ADMIN_PASSWORD 0
*** HASH_ALGORITHM SHA1
*** HOLD_TYPE rfc3261
*** AUTH_METHOD AUTH
*** ENABLE_3WAY_CALL 1
*** DISABLE_PRIVACY_UI 0
*** DIALTONE
*** RINGINGTONE
*** BUSYTONE
*** FASTBUSYTONE
*** CONGESTIONTONE
*** DISTINCTIVE_RINGING 1
*** CALL_WAITING SPEAKER
*** PCPORT_ENABLE 1
*** LLDP_ENABLE 0
*** BLUE TOOTH Disable
*** NAT_SIGNALLING NONE
*** NAT_MEDIA NONE
*** NAT_TYPE NONE
*** NAT_TTL 120
*** STUN_SERVER_IP1 0.0.0.0
*** STUN_SERVER_IP2 0.0.0.0
*** STUN_SERVER_PORT1 3478
*** STUN_SERVER_PORT2 3478
*** USE_RPORT 0

*** VQMON PUBLISH ADDRESS: 0.0.0.0
***   PUBLISH ENABLE: 0
***   LISTENING R ENABLE [0:= No, 1:=Yes]: 0
***   LISTENING R WARNING: 0 [0:= 80]
***   LISTENING R EXECSSIVE: 0 [0:= 70]
***   PACKET LOSS ENABLE [0:= No, 1:=Yes]: 0
***   PACKET LOSS WARNING : 0 [0:= 1]
***   PACKET LOSS EXECSSIVE: 0 [0:= 5]
***   DELAY ENABLE [0:= No, 1:=Yes]: 0
***   DELAY WARNING: 0 [0:= 300]
***   DELAY EXECSSIVE: 0 [0:= 500]
***   JITTER ENABLE [0:= No, 1:=Yes]: 0
***   JITTER WARNING: 0 [0:= 150]
***   JITTER EXECSSIVE: 0 [0:= 500]
***   SESSION_RPT_EN: 0
***   SESSION_RPT_INT: 60
***   VQMON CONFIG BLOCK *** END ***
***
*** TRANSFER_TYPE: rfc3261
*** ENABLE_PRACK: 0
*** ENABLE_UPDATE: 1
*** PROXY_CHECKING: 1
*** REDIRECT_TYPE: MCS
*** MADN_PRIVACY:
*** MADN_TIMER: 1800
*** MADN_DIALOG: 0
*** IM_NOTIFY: 1
*** DISABLE_OCT_ENDDIAL: 0
*** FORCE_OCT_ENDDIAL: 0
*** DISPLAY_CALL_SNDR_IM_KEY: 1
*** FORCE_CFWD_NOTIFY: 0
*** DEFAULT_CFWD_NOTIFY: 0
*** FORCE_TIME_ZONE: 0
*** SNTP_SERVER:
*** SNTP_ENABLE: 0
*** RTP_MIN_PORT: 50000
*** RTP_MAX_PORT: 50100
*** TOVM_SOFTKEY_ENABLE: 0
*** TOVM_VOICEMAIL_ALIAS: transfertovm
*** TOVM_VOICEMAIL_PARAM: mbid
*** AUTOLOGIN_ENABLE: 1
*** SCA_BROADWORKS: 0
*** SCA_LINE_SEIZE_EXPIRES: 15
*** SCA_HOLD_BEHAVIOR: PUBLIC
*** SCA_APPEARANCES: 12
*** MAX_RING_TIME: 0
*** EXP_MODULE_ENABLE: 0
*** PROMPT_ON_LOCATION_OTHER: 0
*** ENABLE_ANSWER_MODE: 0
*** ANSWER_MODE_MAXALLOWADDR: 100
*** ANSWER_MODE_MICMUTE: 0
*** AUDIO_CODEC1:
*** AUDIO_CODEC2:
*** AUDIO_CODEC3:
*** AUDIO_CODEC4:
*** AUDIO_CODEC5:
*** AUDIO_CODEC6:
*** AUDIO_CODEC7:
*** AUDIO_CODEC8:
*** AUDIO_CODEC9:
*** AUDIO_CODEC10:
*** AUDIO_CODEC11:
*** AUDIO_CODEC12:
*** AUDIO_CODEC13:
*** AUDIO_CODEC14:
*** AUDIO_CODEC15:
*** G729_ENABLE_ANNEXB: 0
*** G723_ENABLE_ANNEXA: 0
*** LOGOUT_WITHOUT_PASSWORD: 0
*** ENABLE_SERVICE_PACKAGE: 0
*** SECURE_INCALL_DIGITS: 0
*** AVAYA_AUTOMATIC_QOS: 0
*** REMOTE_CHECK_FOR_UPDATE: 0
*** INTERCOM_PAGING: 0
*** ALPHA_ORDER_LOC_LIST: 1
*** MAX_LOGINS: 1
*** AUTOCLEAR_NEWCALL_MSG: 0
*** E911_USERNAME: anonymous
*** E911_PROXY   :
*** E911_PASSWORD: 123456
*** E911_TXLOC   : INVITE
*** FM_PROFILES_ENABLE: 1
*** FM_LANGS_ENABLE: 1
*** FM_SOUNDS_ENABLE: 1
*** FM_IMAGES_ ENABLE: 1
*** FM_CERTS_ENABLE: 0
*** FM_CONFIG_ ENABLE: 0
*** FM_LOGS_ENABLE: 1
*** PORT_MIRROR_ENABLE: 0
*** LOGSIP_ENABLE: 0
*** MEMCHECK_PERIOD: 86400 secs
*** SIP_UDP_PORT: 5060
*** SIP_TCP_PORT: 5060
*** SIP_TLS_PORT: 0
*** KEEP_ALIVE_TYPE: OS
*** CONN_KEEP_ALIVE: 120
*** REGISTER_RETRY_TIME: 30
*** REGISTER_RETRY_MAXTIME: 1800
*** SECURE_UI_ENABLE: 0
*** LOGIN_NOTIFY: OFF
*** LOGIN_NOTIFY_TIME: 0
*** ENABLE_USB_PORT: Yes
*** USB_MOUSE: UNLOCK
*** USB_KEYBOARD: UNLOCK
*** USB_HEADSET: LOCK
*** USB_MEMORY_STICK: UNLOCK
*** USB_LOCK_OVERRIDE: No
*** ATA_REGION: NA
*** IPV6_ENABLE: 0
*** PREFER_IPV6: 0
*** IPV6_STATELESS: 1
*** SECONDARY_LOGOUT_ENABLE: 0
*** SRTP_ENABLED 0
*** SRTP_MODE BE-2MLines
*** SRTP_CIPHER_1 AES_CM_128_HMAC_SHA1_80
*** SRTP_CIPHER_2 AES_CM_128_HMAC_SHA1_32
*** SSH 1
*** SFTP 0
*** SSHID admin
*** SSHPWD ****
EAPConfigRead - migrating EAP Configuration data from TFFS
Failed to open file /flash0/EAPDATA.DAT
*** EAP DISABLED
*** EAPID1
*** EAPID2
*** EAPPWD ****
*** CA
*** CA_DOMAIN
*** HOST_NAME
*** SFTP_READ_PATTERNS .cfg,.dat
*** SFTP_WRITE_PATTERNS .cfg,.dat
*** DSCP_OAM: 18
*** DSCP_MEDIA_FLASHOVERRIDE: 41
*** DSCP_MEDIA_FLASH: 42
*** DSCP_MEDIA_IMMEDIATE: 44
*** DSCP_MEDIA_PRIORITY: 45
*** SESSION_TIMER_ENABLE: 1
*** SESSION_TIMER_DEFAULT_SE: 1800
*** SESSION_TIMER_MIN_SE: 1800
*** SET_REQ_REFRESHER: 0
*** SET_RESP_REFRESHER: 2
*** HOTLINE_ENABLE: 0
*** HOTLINE_URL: hotline
*** DoD_ENABLE: 0
*** MLPP_NETWORK_DOMAIN: DSN
*** MLPP_PRECEDENCE_DOMAIN: 000000
*** CALL_WAITING_TONE: 0
*** MAX_APEARANCE: 10
*** DISABLE_SPKRPHN: 0
*** CALL_ORIGIN_BUSY: 0
*** SLOW_START_200OK: 0
*** SPEEDLIST_KEY_INDEX: 0
*** SPEEDLIST_LABEL: SDL
*** SCRNSVR_ENABLE: 1
*** SCRNSVR_UNPRTCTD_ENABLE: 0
*** SCRNSVR_UPASS_ENABLE: 0
*** SCRNSVR_MODE: 0
*** SCRNSVR_DELAY: 10
*** SCRNSVR_TEXT: Screensaver active
*** SCRNSVR_IMAGE:
*** MENU_AUTO_BACKOUT: 30
*** LOGIN_BANNER_ENABLE: 0
*** BLF_ENABLE: 0
*** BLF_RESOURCE_LIST_URI:
*** BG_IMAGE_ENABLE: 1
*** BG_IMG_SELECT_ENABLE: 1
*** USE_BG_IMAGE:
*** USER_FILE_ENABLE: 0
*** USER_FILE_PATH: /
*** DEFAULT_ADDRESSBOOK_FILE:
*** DEFAULT_SPEEDDIALLIST_FILE:
*** DEFAULT_CUSTOMKEYS_FILE:
*** TECH_SUPPORT_LABEL:
*** TECH_SUPPORT_ADDRESS:
*** SERVICE_PACKAGE_PROTOCOL: HTTP
*** SELECT_LAST_INCOMING 0
*** MKI_ENABLE: 0
*** ALLOW_EMERGENCY_PRIORITY_HEADER: 0
*** CALLINFO_IMAGE_ENABLE 0
*** maskSectionDwnloaded 0x0
*** SURV_SIP_SVR_ENABLE: 0
*** REG_REFRESH_TIMER:  86400
*** OUTLINEFONT_ENABLE: 1
*** FONTSMOOTH_ENABLE: 0
*** FIPS_MODE: 0
*** LOGINALPHA_ENABLE: 0
*** PROMPT_AUTHNAME_ENABLE: 0
*** KEEPALIVE_RETRIES 3
*** IP_OFFICE_ENABLE 0
*** USE_PUBLISH_FOR_PRESENCE 0
*** FAIL_BACK_TO_PRIMARY 0
*** CONTACT_HDR_PORT_CS1K 0
*********************************************************

I should point out that this command is available for the 1100 and 1200 series IP phones.

Cheers!

Avaya 1120e/1140e/1150e IP Phone SSH Access

by

1146283_66136726I was recently testing the built-in UNIStim VPN Client (UVC) on the Avaya 1120e IP phone and needed to access the SSH console of the IP phone to check the status of the VPN connection to the Nortel VPN Router. I thought I’d take a few seconds to document for anyone that might be interested. You obviously need to be running firmware 0623C7F, 0624C7F, 0625C7F or 0627C7F (or later) for IP Phone 1110, 1120E, 1140E or 1150E respectively.

You can enable the SSH console by the following commands;

  1. Press the Services key twice in quick succession
  2. Select Local Diagnostics
  3. Select Advanced Diag Tools
  4. Place a checkmark in the box labeled Enable SSH
  5. Set the UserID
  6. Set the Password
  7. Apply the settings

There is no reboot required to enable the SSH console. Here’s a quick example of the help command;

[root@centos ~]# ssh 10.1.1.10 -l admin
The authenticity of host '10.1.1.10 (10.1.1.10)' can't be established.
RSA key fingerprint is 09:14:95:11:c2:e6:d7:93:98:2c:4e:ce:e4:2c:64:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.10' (RSA) to the list of known hosts.
admin@10.1.1.10's password:

Welcome to Nortel problem determination tool.

You are connected to IP Phone 1120E.
HW version:18001365FF5E4FFFFF
FW version 0625C7F
MAC 001365FFFFF
IP 10.1.1.10

Type "pdtHelp" for list of available commands.
Bluetooth address 00140D01635B

Type "pdtHelp" for list of available commands.
Type "bye" to exit current shell.

PDT> pdtHelp

pdtHelp                                      Print PDT shell help
setLogLevel           <loglevel>             Set LogLevel, Critical:1, Major:2, Minor:3, Warning:4, Info:5
setRecoveryLevel      <recovery level>       Set RecoveryLevel, Critical:1, Major:2, Minor:3
setAutoRecoveryFlag   <flag>                 Set auto recovery flag, turn on:1, turn off:0
printLogLevel                                Print current logLevel, Critical:1, Major:2, Minor:3, Warning: 4, Info:5
printRecoveryLevel                           Print current recoveryLevel, Critical:1, Major:2, Minor:3
printAutoRecoveryFlag                        Print auto recovery flag
printUptime                                  Print set uptime
printLogFile          [severity level]       Print log files; Args - Critical:1, Major:2, Minor:3, Warning:4, Info:5
clearLogFile                                 Clear content of error log file
taskMonShow                                  Show task monitor list
taskMonAddTask        <taskName | task id>   Add a task to task minitor
taskMonRemoveTask     <taskName | task id>   Remove a task from task monitor
setCpuSamplingPeriod  <value>                Set CPU sampling period, range: 180-360s, step 10s
i                                            Print all task Info
ti                    <taskName | task id>   Complete info on TCB for task
tt                    <taskName | task id>   Task Trace
memShow               [level]                Show system memory partition blocks and statistics
checkStack            <taskName | task id>   Print a task's stack usage
ls                    [dirname] [-f]         List contents of directory, -f: include details
lsr                   [dirname]              Recursive list of directory contents
cd                    [dirname]              Set current working path
usbFsShow                                    Display MSDOS volume configuration data of USB memory stick
usbls                 [dirname] [-f]         List contents of USB directory, -f: include details
usblsr                [dirname]              Recursive list of USB directory contents
usbcd                 [dirname]              Set current USB working path
pwd                                          print the current default directory
ping                  <host ip> [# of pings] Test that a remote host is reachable
tracert               <host ip> [max hops]   traceroute to any host
netinfo                                      Print common network info
routeshow                                    Display host and network routing tables and stats
arpShow                                      Display entries in the system ARP table
listcerts                                    List all trusted certificates
printcert             <index>                Print a trusted certificate in detail
listcrls                                     Prints a detailed list of CRLs
listdevcerts                                 Prints all device certificates
listsecuritylogs                             Lists all events logged through the security interface
securitypolicy                               Prints the current Security Policy values
gxasinfo                                     Lists the GXAS configuration and current status
reportWidgetData                             shows widgets info
reportWindowData                             shows windows hierarchy
turnOnScreenScrape                           turn Screen Scrape feature on
turnOffScreenScrape                          turn Screen Scrape feature off
setScreenScrapeDelay  <delay>                set delay in ms for the Screen Scrape process
sendKey               <code> <state>         Emulate key with a code "code". State 0/1/2 = Key Down Message/Key Up Message/Key combination down followed by up.
showVPNStatistics                            Show VPN Statistics
showVPNStatus                                Show VPN Status
showVPNFilter                                Show VPN Filter
setVPNLogLevel        <loglevel>             Set VPN Log Level - 0:turn off log/1:log info/2:log info,error/3:log error,debug,info
printVPNLogLevel                             Print current VPN logLevel - 0:turn off log/1:log info/2:log info,error/3:log error,debug,info
showFIPSStatus                               Show FIPS Status
setVPNNatKeepaliveIntervalOverride <interval>             Set VPN NAT Keepalive Interval Override
scrShow                                      Show SCR Status
printSetInfo                                 Print HardwareID, FirmwareID and MAC address
vxshell                                      Switch to vxShell
bye                                          Exit current shell
PDT>

I don’t know that I would advise someone to enable this feature on every IP phone they deploy but it can certainly be helpful if enabled when needed during troubleshooting.

Cheers!

Recent Posts

Categories

SUBSCRIBE BY EMAIL