Search results “Cisco radius secret”
External Authentication with RADIUS and TACACS+ (CCNA Complete Video Course Sample)
 
03:05
In large enterprise networks, you probably don't want to give all of your network engineers the enable secret password of your routers. For example, if someone leaves the company, you would have to reset the password on all of your devices. A much more scalable approach is to use an external authentication server. This video compares two external authentication server options, RADIUS and TACACS+. This video is part of the "CCNA Complete Video Course" by Kevin Wallace, CCIEx2 (R/S and Voice), from Pearson IT Certification. If you enjoyed this video, the entire CCNA course can be purchased here: http://bit.ly/19A84Qk Follow Kevin: Homepage: http://kwtrain.com Twitter: http://twitter.com/kwallaceccie Facebook: http://facebook.com/kwallaceccie YouTube: http://youtube.com/kwallaceccie LinkedIn: http://linkedin.com/in/kwallaceccie Google+: http://google.com/+KevinWallace
Views: 12763 Kevin Wallace
MicroNugget: AAA, TACACS+, and SSH
 
05:00
Not a subscriber? Start your free week. http://cbt.gg/23KoQXW CBT Nuggets trainer Keith Barker prepares a router that has no security in place to be able to work with a AAA server using TACACS+ to authenticate users and restrict access to the SSH.
Views: 23055 CBT Nuggets
Cisco CCNA Packet Tracer Ultimate labs: AAA Lab. Answers Part 1: TACACS & RADIUS configuration.
 
07:52
Packet Tracer file (PT Version 7.1): https://goo.gl/eTvXLq Get the Packet Tracer course for only $10 by clicking here: https://goo.gl/vikgKN Get my ICND1 and ICND2 courses for $10 here: https://goo.gl/XR1xm9 (you will get ICND2 as a free bonus when you buy the ICND1 course). For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more. #CCNA #PacketTracer #CCENT Two prominent security protocols used to control access into networks are Cisco TACACS+ and RADIUS. The RADIUS specification is described in RFC 2865, which obsoletes RFC 2138. Cisco is committed to supporting both protocols with the best of class offerings. It is not the intention of Cisco to compete with RADIUS or influence users to use TACACS+. You should choose the solution that best meets your needs. This document discusses the differences between TACACS+ and RADIUS, so that you can make an informed choice. Cisco has supported the RADIUS protocol since Cisco IOS® Software Release 11.1 in February 1996. Cisco continues to enhance the RADIUS Client with new features and capabilities, supporting RADIUS as a standard. Cisco seriously evaluated RADIUS as a security protocol before it developed TACACS+. Many features were included in the TACACS+ protocol to meet the needs of the growing security market. The protocol was designed to scale as networks grow, and to adapt to new security technology as the market matures. The underlying architecture of the TACACS+ protocol complements the independent authentication, authorization, and accounting (AAA) architecture. RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery.
RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers: TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be. TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server. Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running. TCP is more scalable and adapts to growing, as well as congested, networks. Translation: Okay, so let’s see if we can complete this lab. We’re told to configure the TACACS and radius server as follows. So on the AAA server, we need to enable the AAA service and then we need to specify our clients. First client is router 1, that’s going to use this IP address, we will configure the router in a moment. The secret password that we’ll use here is cisco. The protocol used is TACACS. I’m going to click add to add that client. Next client is router 2, IP address is 10.1.1.253 The password used is cisco and in this case, it needs to be radius. Switch 1, client IP address is 10.1.1.252 secret will be cisco. This device is going to use TACACS. We then need to add a user, the user name is David the password is cisco. So that’s the server configured. Server has an IP address once again of 10.1.1.250 The first device we need to configure is router 1. Here’s router 1. It’s just booted up. 
It’s asking us whether we want to enter the initial configuration dialog. We don’t want to do that. So I’m going to say no. I’ll configure the router with a hostname of R1. So we’re told to configure AAA for login and enable using TACACS with server 10.1.1.250 Now before we can do that, we need to make sure we have IP connectivity. So I’m going to configure the router with an IP address on gigabit 0/0/0 and I’m going to no shut the interface. That’s per our network topology and we’ve been given the IP address of the TACACS client. So we know the router needs to be configured with this IP address. So can the router ping the TACACS server 10.1.250? Yes it can. So before we configure AAA , we need to ensure that we have IP connectivity on our devices. I’ll do something similar while I’m here with the router 2. So host name is router 2 interface gigabit 0/0/0 no shut, IP address is 10.1.1.253 /24 mask. Can we ping the AAA server?
Views: 2448 David Bombal
TACACS+ & RADIUS Configuration on ACS for Cisco ASA
 
14:05
Prashanth V is part of the Cisco Technical Assistance Center, AAA Team, and has been serving Cisco's customers and partners in both the APAC and EMEA theaters. Prashanth has firm knowledge of technologies like Firewall, ACS, ISE etc. He currently holds a Bachelor’s degree in Electronics and Communication engineering.
Views: 11301 Cisco Community
How to Add RADIUS to Windows Server 2012 to Authenticate Cisco ASA VPN Users: Cisco ASA Training 101
 
11:43
http://www.soundtraining.net-cisco-asa-training-101 In this Cisco ASA tutorial, IT author-speaker Don R. Crawley shows you how to install and configure Windows Server 2012's Network Policy and Access Server to support RADIUS authentication of Cisco ASA Security Appliance VPN users. You'll also learn how to integrate RADIUS with Active Directory for VPN user authentication. By implementing this configuration, remote users can authenticate for the VPN using their Active Directory credentials, thus simplifying network access for them and simplifying user management for the network administrator.
Views: 72789 soundtraining.net
How to Configure AAA, TACACS and RADIUS
 
29:46
#packettracer #ccnp #aaa #tacacs #radius
In a nutshell, you can think of AAA in the following manner:
Authentication: Who is the user?
Authorization: What is the user allowed to do?
Accounting: What did the user do?
User authentication can be handled by several methods:
1. Usernames and passwords configured locally on the devices
   username cisco secret cisco
2. One or more external Remote Authentication Dial-In User Service (RADIUS) servers
3. One or more external Terminal Access Controller Access Control System+ (TACACS+) servers
Configuring Authentication:
Step 1: Enable AAA on the switch.
   aaa new-model
Step 2: Define the source of authentication.
   username cisco secret cisco
   tacacs-server host 1.1.1.100 key cisco
Step 3: Define a list of authentication methods to try.
   aaa authentication login default group tacacs+ local
   aaa authentication enable default group tacacs+ local
Step 4: Apply a method list to a switch line.
   line vty 0 15
    login authentication default
Step 5: After authentication is configured on a device, it is a good idea to stay logged in on one session so that the authentication can be tested. If you exit the configuration session, you will not be able to log in again if the authentication is misconfigured. While you stay logged in on the original session, bring up a new SSH session to the switch. If you can authenticate successfully, everything is configured properly.
Tip: Be sure to add either the local or line methods at the end of the list, as a last resort. This way, if all the RADIUS or TACACS+ servers are unavailable or the switch is completely isolated from the rest of the network, a locally configured authentication method will eventually be used. Otherwise, you will never be able to access the device until at least one of the servers comes back online.
Reference: CCNP Routing and Switching SWITCH 300-115 Official Cert Guide David Hucaby, CCIE No. 4594
Windows Server 2016 - Setup RADIUS and NPS For VPN Access Security
 
18:52
Windows Server Setup RADIUS and NPS For VPN Access Security When using networked services like VPN we want to be able to control access like we are able to control access to NTFS files/folders. Well by setting up RADIUS and Network Policy Server we are able to ensure that access to our corporate network is controlled a lot better. As an example we can filter based on groups, IP addresses, time etc. The videos mentioned in this video refer to our VPN and CA Service: https://youtu.be/uMtJgN0prME and https://youtu.be/lWZIHoAwu2c For more visit: https://www.windows10.ninja https://www.servers2016.com
Transcript (machine generated so it contains errors) Hello and welcome today's video today's video work and I show you how to set up a radius server with the NPS role on it like a network protection policies are okay. Am all we need to do is basically, you can install this if you have one box in your active directory server with that VPN role. Already there and then add this role to otherwise based on your security, setup, you can have is on a separate server and that's one option. Another option is have a on the remote dial in server like a VPN server. Okay, it just makes connections a little bit easier that way, but were having is on a separate server over here, which are method you choose literally what were doing 99.99% is Exodus add roles and features. Click next role next cayenne and were click clicking on network policy access and feature, click next play next next install okay. Once the insole is finished. Okay, the eldest up for tidiness okay, all you need to do is go network policy server that will open up this window and service 16, you have the's complete literally automatic configuration system where you must take note of it. But what we will do will ghost this way because a quick way and then will show you what you would have needed to have manually configure okay let's show us click on that, that's fine. Good direct configure the learn name. 
It's a VPN connection you can go without a domain name argument down. We are now creating a radius client okay. Given the friendly name VPN range the house okay the IP address is you might think. The client is talking about this computer. Now it actually asking for where there is a web service running or your VPN service, et cetera okay, we'll just type in the IP address as we know that we can also type in the full name. If we want to carry click verify resolve finds it all good. If we had set up a shared secret template that would be fine. Worse yet, secret template and were shared secret is is basically like shall we say a password on this computer and also on the other computer that is joining up to this radius server and that's it. We suggest you use the generate because you get he you thing you would want a copy this down because is no way you can rise up for this instance, what do is just quit a manual one in case it asks us to tighten the manual one hand that will be later. Okay, so it is create something simple that confer conforms to policies. Okay, okay, that's been added okay. We are gonna add in EAP that makes everything a lot easier a lot more secure and that's it. Microsoft protected earlier this, the last one more secure one configure if you want, how many connection attempts, that's fine. You can also add in the other ones. We suggest an mostly stick with that one than now one you would have needed to have done is basically on your active directory computer created a security group, and within that security group. You then add your users, and this is what the benefit of using this NPS radius system actually is. It's fairly similar to file and folder permissions, access permissions, we can limit those two certain groups, et cetera okay, you can filter based on certain criteria. 
In this, you can filter based on which group they're part of what IP address they are the connection method all those things, so we have already set one up on our active directory computer nine. That said, it finds it all good. Click next, you can create some IP filters if you do want to work on a girl with the highest encryption makes realm name is not really needed, but you can type it in. If you want to, and were literally finished before we go on to our VPN server with the setting and are quickly show you how that group needs to be set up okay.
Views: 13993 Windows Ninja
Configure privilege levels commands on Cisco router
 
12:17
How to Configure privilege levels commands on routers
Views: 45 P.K tech videos
PT Activity-Configure AAA Authentication on Cisco Routers
 
20:22
The following details are also available at the PT activity, chapter 3 CCNA security. "The network topology shows routers R1, R2 and R3. Currently all administrative security is based on knowledge of the enable secret password. Your task is to configure and test local and server-based AAA solutions. You will create a local user account and configure local AAA on router R1 to test the console and VTY logins. User account: Admin1 and password admin1pa55 You will then configure router R2 to support server-based authentication using the TACACS+ protocol. The TACACS+ server has been pre-configured with the following: Client: R2 using the keyword tacacspa55 User account: Admin2 and password admin2pa55 Finally, you will configure router R3 to support server-based authentication using the RADIUS protocol. The RADIUS server has been pre-configured with the following: Client: R3 using the keyword radiuspa55 User account: Admin3 and password admin3pa55 The routers have also been pre-configured with the following: Enable secret password: ciscoenpa55"
Views: 5760 Random Videos
Install, Configure FreeRadius on Ubuntu Server 16.04 for WiFi and Setup Clients
 
14:51
Authentication Server Authentication, Authorization, Accounting Radius Windows 10 Client Android Client Playlist: https://www.youtube.com/playlist?list=PLl7PZYPUh5LaQmHJy2ZOST0M-gI5b9BJ9
2. Two factor Authentication on an ASA Firewall
 
12:31
CCNA-Security Chap 3. Authentication - real world labs
Views: 2891 System Engineer
Configure and Test RADIUS Server
 
15:32
Video showing how to create and test a RADIUS server for VPN connections.
Views: 34200 Scott Marlin
Install and Configuration 802.1x EAPOL Windows Server 2016
 
26:40
In this lab we are going to implement Network Policy Server to authenticate wired users over 802.1X EAPoL and Radius between the authenticator and authentication server (Windows Server 2016). Also we're going to configure 802.1x on a Cisco 2960.
Cisco configuration:
   ! Enable AAA and use RADIUS for 802.1X authentication
   aaa new-model
   aaa authentication dot1x default group radius
   dot1x system-auth-control
   ! RADIUS server (the NPS host) and shared secret
   radius-server host 192.168.25.25 auth-port 1812 acct-port 1813 key Secret
   radius-server host 192.168.25.25 key Secret
   ! Access port that requires 802.1X before forwarding traffic
   int f0/15
    switchport mode access
    dot1x port-control auto
    do wr
    end
Views: 284 Edgar Santiago
Radius Server (WinRadius) and SSH
 
38:35
I talked in this video about Radius server and SSH, how to configure it and test it. also I covered how to use WinRadius and make it ready to use. I hope it would be valuable for every one! Follow me : Twitter : https://twitter.com/#!/mohammadsaeed01 My Blog : http://cisco-learning-video.blogspot.com My LinkedIn : https://sa.linkedin.com/in/mohammad-k-saeed-04866847 My FB Cisco Group: https://www.facebook.com/groups/438507132862835/?ref=bookmarks My experience related to: - Supervising on second fix stage (pulling Data Cables and Fiber Optic cable and termination). - Prepare and finalize the physical Network stage, including the troubleshooting. - Implementing and configuring Cisco IP phones (Manager, reception, wireless and basic phones) - Install and configure CUCM (SUB and PUB) to fulfill the requirement of end user. - Install and configure EsXi VMware for virtual appliances. - Install and prepare UC servers by using CICM. - Responsible for licensing of Network appliances. - Install and configure WLC and APs (internal and external) connected to. Including troubleshooting and enhance the coverage and roaming better. - Implement and configure the Layer3 Core switch 6509e (from zero stage until fulfill all network requirements which including VSS between Main and redundant core) - Implement and configure the L2 switches (Port channels with core switches Main and redundancy) - Install and configure Cisco Prime Infrastructure and make a wireless heat-map on it. - Implement and configure Telepresence system. - Install, implement and configure the IPTV system (prepare the servers and STB (set-top boxes)). - Configure and prepare the HSIA server which belongs to IPTV system. - Work with RMS (Room Management System) and BMS (Building Management System) which including the Integration with IP network. - Configure of CCTV system, installation and implementations. - Talented to lead the team to get a perfect result during site work. 
Appliances and servers: - 2960-s and 2960-x. - 6509e (main and redundant) - WLC 5508. - APs 1142N, 1500E, 1602N. - Gateway router 2951 series. - ASA firewall 5520. - UC servers UCS C210 M2 and UCS C200 M2 - Voice Gateway 2921. - Cisco Prime Infrastructure 2.2. - EX60 and EX90 Scope of design work: - Responsible to work in Low level and high level design for networking - Work on preparing BoQ of Cisco Networking components for several projects - Work with Low current system design -~-~~-~~~-~~-~- Please watch: "How to configure IP phones Locally and remotely (VoIP) HD" https://www.youtube.com/watch?v=buMIA03OZIs -~-~~-~~~-~~-~-
Views: 9866 Cisco Saeed
Enable Password vs Enable Secret in cisco device -  rean computer 101
 
04:01
**Brief Explanation of enable password & enable secret with example** ▶ Watch Playlist of CCNA Tutorial - http://bit.ly/CcnaNetworking
Views: 92 Rean Computer 101
Password Recovery on a Cisco Router (CCNA Complete Video Course Sample)
 
04:35
What do you do if you forget the enable secret password on your Cisco router? This video demonstrates how to reset a password, if you have local access to a router's console. This video is a sample from Pearson IT Certification's upcoming "CCNA Complete Video Course" by Kevin Wallace, CCIEx2 (R/S and Voice) #7945 If you're interested in CCNA certification, check out this video on the 3 mistakes Cisco certification candidates make: http://youtu.be/TCYzrPDVHEc Follow me on Facebook: http://facebook.com/kwallaceccie Follow me on Twitter: http://twitter.com/kwallaceccie
Views: 20152 Kevin Wallace
CCNP SWITCH - [ SSH - LOGIN - AAA - RADIUS ]
 
01:00:40
CCNP SWITCH - [ SSH - LOGIN - AAA - RADIUS ]
!
aaa new-model
aaa local authentication attempts max-fail 3
aaa authentication login default group radius local
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization exec default group radius local
aaa authorization exec CONSOLE local
!
!
login block-for 120 attempts 3 within 60
login delay 2
login on-failure log every 3
login on-success log
!
line con 0
 exec-timeout 3 0
 privilege level 15
 authorization exec CONSOLE
 logging synchronous
 login authentication CONSOLE
 history size 30
!
username cisco privilege 15 secret 0 cisco
!
service password-encryption
!
ip radius source-interface vlan 1
!
radius server RADIUS1
 address ipv4 192.168.12.253 auth-port 1645 acct-port 1646
 key 7 01302F377824
!
aaa group server radius RADIUS-GRP1
 server name RADIUS1
!
How to recover a password on a Cisco router? - Packet Tracer
 
11:51
In this tutorial, I cover password recovery procedures for a Cisco router for the Cisco CCNA. The process is demonstrated using Packet Tracer. The tutorial covers: the configuration register, the show version command, rom monitor mode (rommon), and saving the configuration file Subscribe! and for more information about the Cisco CCNA visit me at http://danscourses.com
Views: 97257 danscourses
How to create a Hotspot with Radius Server Authentication
 
14:29
How to create a Hotspot with Radius Server Authentication
Views: 21 bless live
Radius and Tacacs on Comware 5 with Aruba ClearPass
 
19:14
This video describes how to configure Radius and Tacacs+ on Comware 5 devices with Aruba ClearPass Policy manager. It also covers Role Based Access Control with Tacacs.
Configuration of Parser-View on Cisco Router by AK NetTech
 
05:17
Configuration of Parser-View on Cisco Router by AK NetTech
How to add Router in GNS3 : https://www.youtube.com/watch?v=astewULiAok&t=19s
Steps to configure Parser-View:
1- Set Router enable password/secret (Global Configuration Mode) [enable secret cisco]
2- Enable AAA authentication Model (Global Configuration Mode) [aaa new-model]
3- Enable Root View (Privileged Mode) [enable view]
4- Make Parser views
   a. Make parser view (Global Configuration Mode) [parser view view-name]
   b. Set password/secret of view (view mode) [secret view-password]
   c. Add Commands in view [commands exec include all command-name]
   NOTE: Add command-name one-by-one
5- Enable parser view which you made [enable view view-name]
6- Show parser view [show parser view]
Views: 71 AK NetTech
How to configure Cisco Local Database Authentication Using AAA
 
05:45
1. Open a terminal line
2. Telnet to the router
3. Create enable secret
4. Configure aaa new-model
5. Edit aaa authentication list "default" and add local source or keyword to it.
   aaa authentication login default local
6. Create aaa authorization list exec "default" and add local source or keyword to it.
   aaa authorization exec default local
7. Apply the aaa to all line vty (vty 0 until 15):
   line vty 0 15
    login authentication default
8. Create local database username, privilege level and secret entries
   username username1 privilege 1
Views: 758 Totz Freelance
Cisco Passwords - Enforcing Minimum Password Length - Part 2
 
09:45
Enforcing Minimum Password Length - Part 2 of 3 While in most production environments usernames and passwords will be handled by an authentication server such as TACACS+ or RADIUS, you will still need to configure passwords on the local device for some operations. In such cases, it's good to have a password policy in effect. While Cisco IOS does not provide mechanisms to meet all of the general password best practices, it does provide a mechanism for one of the most basic and important best practices: enforcing a minimum password length policy. security passwords min-length allows you to specify a minimum password length between 0 and 16 characters.
Views: 539 packetlab
[Lab 34] Setup Radius Server with FreeRadius v3 and Daloradius for PPTP Mikrotik
 
13:15
This video explains how to set up a pptp radius server on mikrotik with freeradius v3 and daloradius on centos 7, pptp mikrotik, radius server linux, freeradius centos 7, radius server mikrotik, vpn radius mikrotik, dial pptp vpn use freeradius v3 and daloradius, install freeradius v3 on centos7, setup radius on mikrotik
Views: 19291 Dimzrio Tutorials
802.1x FreeRadius HP Procurve authentication with dynamic VLAN assignment on the Raspberry PI 2
 
05:34
Installation of a Freeradius server on a Raspberry Pi2 for IEEE802.1X network authentication with VLAN assignment
Config
/etc/freeradius/clients.conf
client 192.168.1.184 {
    secret = radiustest
    shortname = HPSwitch
}
/etc/freeradius/users
vlan10 Auth-Type := "EAP", Cleartext-Password := vlan10
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "10"
vlan20 Auth-Type := "EAP", Cleartext-Password := vlan20
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "20"
vlan30 Auth-Type := "EAP", Cleartext-Password := vlan30
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "30"
/etc/freeradius/eap.conf
Values: set use_tunneled_reply to yes
Switch
radius-server host IPRadiusServer key radiustest
aaa authentication port-access eap-radius
aaa port-access authenticator 1-16
(aaa port-access authenticator 1-16 client-limit 8)
aaa port-access authenticator active
(write mem)
Raspberry PI 3 (the RPI2 was used in the video) http://www.amazon.de/gp/product/B01CEFWQFA/ref=as_li_tl?ie=UTF8&camp=1638&creative=19454&creativeASIN=B01CEFWQFA&linkCode=as2&tag=techstephan-21
RPI2: http://www.amazon.de/gp/product/B00T2U7R7I/ref=as_li_tl?ie=UTF8&camp=1638&creative=19454&creativeASIN=B00T2U7R7I&linkCode=as2&tag=techstephan-21
MicroSD card: http://www.amazon.de/gp/product/B010Q57T02/ref=as_li_tl?ie=UTF8&camp=1638&creative=19454&creativeASIN=B010Q57T02&linkCode=as2&tag=techstephan-21
RPI case: http://www.amazon.de/gp/product/B00V6FMT7K/ref=as_li_tl?ie=UTF8&camp=1638&creative=19454&creativeASIN=B00V6FMT7K&linkCode=as2&tag=techstephan-21
Power: http://www.amazon.de/gp/product/B00JWXT6BK/ref=as_li_tl?ie=UTF8&camp=1638&creative=19454&creativeASIN=B00JWXT6BK&linkCode=as2&tag=techstephan-21
USB cable: http://www.amazon.de/gp/product/B00NH124VM/ref=as_li_tl?ie=UTF8&camp=1638&creative=19454&creativeASIN=B00NH124VM&linkCode=as2&tag=techstephan-21
Views: 3388 Tech Stephan
Cisco CCNA Packet Tracer Ultimate labs: PPP & PPP CHAP: Answers Part 1
 
06:27
Packet Tracer file (PT Version 7.1): https://goo.gl/iJg2cJ Get the Packet Tracer course for only $10 by clicking here: https://goo.gl/vikgKN Get my ICND1 and ICND2 courses for $10 here: https://goo.gl/XR1xm9 (you will get ICND2 as a free bonus when you buy the ICND1 course). For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more. #CCNA #PacketTracer #CCENT The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised of three main components: ● A method for encapsulating multi-protocol datagrams. ● A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection. ● A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols. The Challenge Handshake Authentication Protocol (CHAP) (defined in RFC 1994) verifies the identity of the peer by means of a three-way handshake. These are the general steps performed in CHAP: After the LCP (Link Control Protocol) phase is complete, and CHAP is negotiated between both devices, the authenticator sends a challenge message to the peer. The peer responds with a value calculated through a one-way hash function (Message Digest 5 (MD5)). The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is successful. Otherwise, the connection is terminated. This authentication method depends on a "secret" known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, you can negotiate CHAP in both directions, with the help of the same secret set for mutual authentication. For more information on the advantages and disadvantages of CHAP, refer to RFC 1994 Transcription: In this lab you need to configure Point-to-Point Protocol or PPP. 
Okay, so we’ll start the required tasks first. The first thing we need to do is configure the link between Customer 1 and ISP1 with PPP. So in other words, this link here needs to be configured with PPP. I’ll start with ISP 1. The ISP router has booted up. Go to enable mode, show ip interface brief We can see in the output that this interface gigabit 0.0.1 is configured with IP address 8.8.8.2 interfaces up up. This interface serial 0.1.0 the link to the customer is currently administratively shutdown. show interface serial 0.1.0 shows us that this interface is configured with default encapsulation of HDLC. The interface is once again administratively shutdown. So layer 1 and layer 2 are down, notice again that the default encapsulation is HDLC. So I’ll go on to the interface and configure an IP address because no IP address is currently configured on the interface. So ip address 8.8.10.1, the subnet mask it used here is /24 subnet mask. In the real world, on Point-to-Point Protocol links, you’re probably going to use a /30 mask to conserve IP addresses. But in a lab like this we don’t have to worry too much about that. Next thing I’ll configure is the encapsulation which I’m going to set to PPP and then I’ll no shut or enable the interface. So show interface serial 0.1.0 interface is currently up at Layer 1, Layer 2 is down because we haven’t configured the other side of the link. Notice the capsulation is now PPP, LCP or Link Control Protocol, is closed. NCPs or Network Control Protocols such as IPCP and CDPCP are also closed because the link is down. so show run that’s the configuration of the ISP side. Let’s do something similar on the customer side. So show interface serial 0.1.0 The physical interfaces is up but the line protocol is down that’s because the encapsulation is HDLC on this side but on the ISP side, it’s PPP. So again, show interface serial 1/0 on the ISP side. Layer 1 is up, Layer 2 is down. Same on the other side, Layer 1 is up, Layer 2 is down. 
The routers are using different encapsulations, so we need to configure them to use the same encapsulation. Before I do that, do show ip interface brief......
Views: 788 David Bombal
Cisco CCNA Packet Tracer Ultimate labs: PPP & PPP CHAP: Answers Part 2
 
06:55
Packet Tracer file (PT Version 7.1): https://goo.gl/iJg2cJ Get the Packet Tracer course for only $10 by clicking here: https://goo.gl/vikgKN Get my ICND1 and ICND2 courses for $10 here: https://goo.gl/XR1xm9 (you will get ICND2 as a free bonus when you buy the ICND1 course). For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more. #CCNA #PacketTracer #CCENT The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised of three main components: ● A method for encapsulating multi-protocol datagrams. ● A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection. ● A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols. The Challenge Handshake Authentication Protocol (CHAP) (defined in RFC 1994) verifies the identity of the peer by means of a three-way handshake. These are the general steps performed in CHAP: After the LCP (Link Control Protocol) phase is complete, and CHAP is negotiated between both devices, the authenticator sends a challenge message to the peer. The peer responds with a value calculated through a one-way hash function (Message Digest 5 (MD5)). The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is successful. Otherwise, the connection is terminated. This authentication method depends on a "secret" known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, you can negotiate CHAP in both directions, with the help of the same secret set for mutual authentication. For more information on the advantages and disadvantages of CHAP, refer to RFC 1994
Views: 412 David Bombal
LOG8EL mini stories: How to enable secret for privileged levels
 
00:58
This video explains how to enable secret for privileged levels.
Views: 33 stronghopME
Install Radius Server in Lubuntu 16.04
 
21:28
0:00:00.400,0:01:33.900 Nothing happens. Jump to 1:33
0:01:50.000,0:02:00.000 sudo apt-get install freeradius
0:02:23.500,0:04:11.000 Nothing happens. Jump to 4:11
0:05:37.000,0:05:45.000 sudo service freeradius status
0:06:00.000,0:06:03.000 vim /etc/freeradius/clients
0:06:04.000,0:06:07.000 Sorry, vim has not been installed yet
0:06:12.000,0:06:13.000 sudo apt-get install vim
0:07:16.000,0:08:07.000 Nothing important, jump to 08:07.
0:08:08.000,0:08:11.000 sudo -s
0:08:18.000,0:08:25.000 Configuration files are all at /etc/freeradius
0:08:25.300,0:08:27.000 ls /etc/freeradius
0:08:30.000,0:08:32.300 /etc/freeradius/clients.conf defines the IP range of AP/Switch that can use this RADIUS server.
0:08:33.000,0:08:34.300 /etc/freeradius/clients.conf also defines the secret key for a specific IP range.
0:08:35.000,0:08:37.000 vim /etc/freeradius/clients.conf
0:08:40.000,0:08:42.000 Check the default secret key.
0:08:50.000,0:08:53.000 "radtest" is used to test the RADIUS server configuration.
0:08:53.300,0:16:30.000 Please jump to time stamp 16:30.
0:16:35.300,0:16:37.100 Add a new user that uses a plain-text password.
0:16:37.300,0:16:40.100 vim /etc/freeradius/users
0:16:41.000,0:17:10.000 Blue characters are hard to read, but I don't know how to change the setting. (Jump to 17:15)
0:17:24.000,0:18:18.000 Add a new user at the bottom of /etc/freeradius/users
0:18:18.000,0:18:21.000 Restart the RADIUS server in debug mode.
0:18:23.000,0:18:25.000 service freeradius stop
0:18:25.100,0:18:29.000 Start FreeRADIUS in debug mode.
0:18:30.000,0:18:32.000 freeradius -X
0:18:44.000,0:19:01.000 radtest cobra cobra localhost 0 testing123
0:19:03.000,0:19:05.000 Failed to pass 802.1x authentication.
0:19:15.000,0:19:18.500 Start to troubleshoot.
0:19:44.000,0:20:05.300 Format for user definition in configuration is wrong.
0:20:12.000,0:20:15.300 Do the authentication steps again.
0:20:25.800,0:21:25.300 "testing123" is the secret key defined in /etc/freeradius/clients.conf
Mikrotik Hotspot With Radius Windows Server 2012 R2 Active Directory LDAP - PART1
 
10:57
Mikrotik Hotspot With Radius Windows Server 2012 LDAP - PART1 Active Directory On Windows Server 2012 R2 Active Directory and Radius Server IP = 192.168.0.1 Mikrotik IP = 192.168.0.2 Shared Secret for dc and mikrotik are the same = [email protected]
Views: 15093 Osama Nassar
3.6.1.2 Packet Tracer - Configure AAA Authentication on Cisco Routers - 22
 
28:04
Download the file from here: https://ccdtt.com/3-6-1-2-packet-tracer-configure-aaa-authentication-on-routers/ 3.6.1.2 Packet Tracer - Configure AAA Authentication on Cisco Routers. Configuring TACACS+ and Radius Server. The network topology shows routers R1, R2 and R3. Currently, all administrative security is based on knowledge of the enable secret password. Your task is to configure and test local and server-based AAA solutions.
Views: 40 CCNADailyTIPS
Microsoft Network Policy Server (NPS) with Cisco Meraki Wireless Authentication video tutorial
 
11:54
Microsoft NPS with Cisco/Meraki Wireless Authentication. Radius Server utilizing Microsoft Active Directory.
Views: 21093 Steven Roman
Setting Up VPN Authentication Via RADIUS combine NPS in Windows Server 2012 R2
 
15:03
Setting Up VPN Authentication Via RADIUS combine NPS in Windows Server 2012 R2
1. Prepare
- DC11 : Domain Controller (pns.vn), IP 10.0.0.11 | DC12 : RADIUS Server, IP 10.0.0.12 | DC13 : VPN + NPS server, IP 10.0.0.13 and 10.0.2.13
- DC14 : File Server, IP 10.0.0.14, Gateway 10.0.0.13 | WIN1091 : Client, IP 10.0.2.91, Gateway 10.0.2.13
2. Step by step : Setting Up VPN Authentication Via RADIUS combine NPS, WIN1091 access to File Server using HiepIT account
- DC14 : Create and share a folder named DATA
- DC12 : Install and configure "Network Policy and Access Services"
+ Server Manager - Manage - Add Roles and Features - Next to Server Roles : Select "Network Policy and Access Services" - Add Features - Next to Install
+ Server Manager - Tools - Network Policy Server - Right-click NPS (Local) - Register server in Active Directory - Standard Configuration - RADIUS server for Dial-Up or VPN Connections - Configure VPN or Dial-Up - Type of connections : Choose "Virtual Private Network (VPN) Connections" - RADIUS clients : Add... - Friendly name : RADIUS Client, Address (IP or DNS) : 10.0.0.13 - Verify... - Resolve, Type password and confirm - Specify User Groups : Add... : GIT - Finish
- DC13 : Install and configure routing
+ Server Manager - Manage - Add Roles and Features - Next to Server Roles : Select "Remote Access" - Next to Role Services - Select Routing - Add Features - Next to Install
+ Tools - Routing and Remote Access - Right-click DC13 (local) : Configure and Enable Routing and Remote Access - Choose "Remote access (dial-up or VPN)" - Select VPN - Network interfaces : Internet (10.0.2.13) - Choose "From a specified range of addresses" - New ... - Start IP 10.0.10.100 End IP 10.0.10.200 - Choose "Yes, set up this server to work with a RADIUS server" - Primary RADIUS server : 10.0.0.12, Shared secret : Type password - Finish
+ Right-click DC13 - All Tasks - Restart
- WIN1091 : Test VPN
+ Right-click icon network - Open Network and Sharing Center - Setup a new connection or network - Connect to a workplace - Use my Internet connection (VPN) - I'll set up an Internet connection later - Internet address : 10.0.2.13 - Create
+ Right-click VPN Connection - Security tab - Type of VPN : Point to point Tunneling Protocol (PPTP) - Authentication : Choose "Allow the protocols" - Select "Microsoft CHAP Version 2 (MS-CHAP v2)" - Right-click VPN Connection - Connect - Connect - Type HiepIT account
Views: 382 microsoft lab
How to Create Username and Password Using AAA in CCP
 
20:20
This video shows how to create a username and password using the CCP GUI. This video shows you how to create a username and password using AAA in CCP (Cisco Configuration Professional).
Setting Up VPN Authentication Via RADIUS in Windows Server 2016
 
14:02
Setting Up VPN Authentication Via RADIUS in Windows Server 2016
1. Prepare
- DC21 : Domain Controller (pns.vn), IP 10.0.0.21 | DC22 : RADIUS Server, IP 10.0.0.22, Gateway 10.0.0.23 | DC23 : VPN Server, IP 10.0.0.23 and 10.0.2.23
- DC24 : File Server, IP 10.0.0.24, Gateway 10.0.0.23 | WIN1091 : Client, IP 10.0.2.91, Gateway 10.0.2.23
2. Step by step : Setting Up VPN Authentication Via RADIUS, WIN1091 access to File Server using HiepIT account
- DC21 : Allow HiepIT VPN from Internet
+ Server Manager - Tools - Active Directory Users and Computers - pns.vn - IT OU - Right-click HiepIT - Properties - Dial-in tab - Network Access Permission : Allow access
- DC24 : Create and share a folder named DATA
- DC22 : Install and configure "Network Policy and Access Services"
+ Server Manager - Manage - Add Roles and Features - Next to Server Roles : Select "Network Policy and Access Services" - Add Features - Next to Install
+ Server Manager - Tools - Network Policy Server - NPS (Local) - RADIUS Clients and Servers - Right-Click RADIUS Clients - New :
+ Friendly name : RADIUS Client, Address (IP or DNS) : 10.0.0.23 - Verify... - Resolve, Type password and confirm
- DC23 : Install and configure routing
+ Server Manager - Manage - Add Roles and Features - Next to Server Roles : Select "Remote Access" - Next to Role Services - Select Routing - Add Features - Next to Install - Close
+ Tools - Routing and Remote Access - Right-click DC23 (local) : Configure and Enable Routing and Remote Access - Choose "Remote access (dial-up or VPN)" - Select VPN - Network interfaces : Internet (10.0.2.23) - Choose "From a specified range of addresses" - New ... - Start IP 10.0.10.100 End IP 10.0.10.200 - Choose "Yes, set up this server to work with a RADIUS server" - Primary RADIUS server : 10.0.0.22, Shared secret : Type password - Finish
+ Right-click DC23 - All Tasks - Restart
- WIN1091 : Test VPN
+ Right-click icon network - Open Network and Sharing Center - Setup a new connection or network - Connect to a workplace - Use my Internet connection (VPN) - I'll set up an Internet connection later - Internet address : 10.0.2.23 - Create
+ Right-click VPN Connection - Security tab - Type of VPN : Point to point Tunneling Protocol (PPTP) - Right-click VPN Connection - Connect - Connect - Type HiepIT account
Views: 928 microsoft lab
Configure Cisco Switch 1
 
13:10
This video will show you how to give a host name to a switch and assign the IP address, including enabling a secret password.
Views: 23 Why-not
How to Install Duo Security 2FA for Cisco ASA SSL VPN (Primary Configuration)
 
09:51
Duo Security provides a two-factor authentication integration for Cisco ASA SSL VPN that is easy to deploy, use, and manage. This demonstration video shows how to protect your Cisco ASA SSL VPN with Duo in less than 10 minutes. For additional information on this integration visit our Cisco ASA documentation at https://duo.com/docs/cisco and sign up for a free trial.
Views: 2784 Duo Security
Cisco CCNA Packet Tracer Ultimate labs: PPP & PPP CHAP: Can you complete the lab?
 
05:43
Packet Tracer file (PT Version 7.1): https://goo.gl/iJg2cJ Get the Packet Tracer course for only $10 by clicking here: https://goo.gl/vikgKN Get my ICND1 and ICND2 courses for $10 here: https://goo.gl/XR1xm9 (you will get ICND2 as a free bonus when you buy the ICND1 course). For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more. #CCNA #PacketTracer #CCENT The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised of three main components: ● A method for encapsulating multi-protocol datagrams. ● A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection. ● A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols. The Challenge Handshake Authentication Protocol (CHAP) (defined in RFC 1994) verifies the identity of the peer by means of a three-way handshake. These are the general steps performed in CHAP: After the LCP (Link Control Protocol) phase is complete, and CHAP is negotiated between both devices, the authenticator sends a challenge message to the peer. The peer responds with a value calculated through a one-way hash function (Message Digest 5 (MD5)). The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is successful. Otherwise, the connection is terminated. This authentication method depends on a "secret" known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, you can negotiate CHAP in both directions, with the help of the same secret set for mutual authentication. For more information on the advantages and disadvantages of CHAP, refer to RFC 1994 Transcription: In this lab you need to configure point to point protocol or PPP. 
You need to configure Point-to-Point Protocol on the link between ISP 1 and Customer Router 1. You also need to configure Point-to-Point Protocol but with CHAP between ISP3 and Customer 2. In other words, you’re going to configure PPP with CHAP, or Challenge Handshake Authentication Protocol. This lab consists of required tasks as well as bonus tasks. The required tasks are once again that you need to configure the link between Customer 1 and ISP1. This link here with PPP. You need to configure this link using PPP CHAP and a password of cisco. You then need to configure static default routes on the customer routers pointing to the ISPs. The reason for doing that is that these devices representing the Internet in this topology are running BGP in autonomous systems 65000, 65001, 65002. So you need to configure the customer routers to use static default routes so that they can send traffic on to the Internet and access the Google DNS server 8.8.4.4. You need to verify that things are working by ensuring that the customer routers can ping the DNS server and that they can ping Cisco.com. So make sure that you configure both the ISP side and customer side with PPP between ISP 1 and ISP 2. Configure IP addresses and anything else that’s relevant, and again the side needs to be configured with PPP CHAP. That’s the required portion of the lab, but to make the lab more real world, we have some bonus tasks. In the bonus tasks, you need to create a DHCP pool on the customer routers to allocate IP addresses to the PCs. Customer Router 1 needs to be configured with this IP address on gigabit 0.0.0 and it needs to allocate IP addresses to the PC in that subnet. Customer Router 2 needs to be configured with this IP address 10.1.2.1 on gigabit 0/0/0, and you need to configure a DHCP pool on the customer router to allocate IP addresses to this PC in this subnet.
Now, without giving it away, think about all the DHCP options that you need to allocate to your PCs to allow the PCs to ping Cisco.com. The verification for this section is that PC 1 and PC 2 can ping Cisco.com. So think about what’s required from a DHCP point of view but also from a NAT or Network Address Translation point of view. You’re going to have to configure both of these routers with network address translation and, to be specific, it’s actually port address translation so that the PCs can access the Internet. So make sure that these PCs, which are using RFC 1918 addresses, in other words private IP addresses, can access the Internet, which is a public network. Notice as an example that the BGP routers on the Internet only know about Network 8; they have no visibility of network 10. You are not going to advertise Network 10 to the Internet. Network 10 is a private IP address; it’s non-routable on the Internet because ISPs will block that network. So can you complete this lab? Can you configure the network with PPP, PPP CHAP, DHCP, Network Address Translation and DNS information?
Views: 957 David Bombal
Cisco Nexus 9000 - Initial Configuration
 
29:37
See my blog post on this! http://keepingitclassless.net/2014/02/cisco-aci-nexus-9000-initial-configuration/ In this first video in what I'm hoping will be a long series on Cisco ACI, I go through the initial configuration of a Nexus 9000 (9508) switch. Nothing super revolutionary, but will serve as a good intro to the platform that only a few short months ago was known as Insieme.
Views: 43417 KeepingItClassless
L2TP over IPsec VPN Server
 
14:27
This video demonstrates a couple of ways to set up an L2TP over IPsec VPN Server on an Edge Router. Here are the steps discussed in this video:
STEP 1: Setting WAN Interface and internal network
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 192.168.1.1/24
set vpn ipsec nat-traversal enable
STEP 2: Setting Authentication Mode and Create Users
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username xxxx password xxxx
STEP 3: Setting Client IP Pool
set vpn l2tp remote-access client-ip-pool start 192.168.1.xxx
set vpn l2tp remote-access client-ip-pool stop 192.168.1.xxx
STEP 4: Setting Client DNS Servers
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 4.2.2.2
STEP 5: Setting Pre-shared Secret
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret xxxxxxx
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
STEP 6: Setting Outside Access
For Static:
set vpn l2tp remote-access outside-address xxx.xxx.xxx.xx
For DHCP:
set vpn l2tp remote-access dhcp-interface eth0
For Dynamic DNS w/PPPOE:
set vpn l2tp remote-access outside-address 0.0.0.0
STEP 7: Save Settings
commit; save; exit
To learn more about EdgeRouters and Ubiquiti products - http://www.ubnt.com Please share this video - https://youtu.be/nSYmcaOMM7Y
Amazon Affiliate Links: EdgeRouter X - http://amzn.to/2kTFTUI EdgeRouter X SFP - http://amzn.to/2C6cDpe EdgeRouter Lite - http://amzn.to/2zImOKo Ubiquiti Cloud Key - http://amzn.to/2CRIXIo Unifi 8-Port 60W Switch - http://amzn.to/2CTmLO5 UAP-AP-Lite - http://amzn.to/2C4OAXP
Disclaimers: I participate in the Amazon Affiliate Program. When purchasing using my Amazon Affiliate links, your price doesn't change. You pay the same, but I do get a small percentage of the sale in commission.
This helps the channel to continue creating content. All images used in this video are my own. The music Yeah Yeah is from the YouTube's free music library. Yeah Yeah by Audionautix is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/...) Artist: http://audionautix.com/. About Tony: I am a retired educator of 32 years. I started out as an instrumental music teacher and evolved into technology support. After many years of providing technology support to teachers and students, the last ten years of my career, I was in a leadership position of Technology Coordinator and also Supervisor of Technology. My passion has always been helping people. I hope to continue helping people in my youtube community. That being said, I have no association with Ubiquiti Networks, the makers of the Edge Router, nor am I being paid to make this video. I purchased my own Edge Router for use on my own home network. Contact Tony at: [email protected] Follow me on: Twitter @quiktechreview Facebook @quiktechsolutionsllc Hope you enjoyed this video. Regards!!
GNS3 Talks: AAA Docker Appliance: Easy TACACS & RADIUS GNS3 servers! Part 2
 
11:26
GNS3 now has a AAA Docker Container. This makes it really easy to add RADIUS and TACACS servers to your GNS3 topologies! For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more.
========================
R1 config:
========================
R1#sh run
Building configuration...
Current configuration : 3388 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable password cisco
!
aaa new-model
!
!
aaa group server tacacs+ gns3group
 server name container
!
aaa authentication login default group gns3group local
aaa authentication enable default enable
!
!
!
!
!
aaa session-id common
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
username david privilege 15 password 0 cisco
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address dhcp
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
tacacs server container
 address ipv4 192.168.122.201
 key gns3
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 transport input all
!
no scheduler allocate
!
end
R1#
========================
Two prominent security protocols used to control access into networks are Cisco TACACS+ and RADIUS. The RADIUS specification is described in RFC 2865, which obsoletes RFC 2138. Cisco is committed to supporting both protocols with the best of class offerings. It is not the intention of Cisco to compete with RADIUS or influence users to use TACACS+. You should choose the solution that best meets your needs.
Views: 2987 David Bombal
Quick Configs - Privilege Access Control (privilege levels, enable, exec)
 
11:24
This CCIE oriented episode of quick configs goes into configuring Privilege Access Control. See http://bit.ly/1VZYkFi for all CCIE notes.
Views: 945 Ben Pin