Cisco :: 2500 - Dot1x Configuration On WLC And ACS 4.2

Feb 4, 2013

I’m going through a dot1x implementation using Cisco WLC 2500 series and ACS 4.2, but I have problems with joining the SSID. I revised the configuration many times as attached but don’t know what is wrong.

log 2013.02.05 17:34:02=
 (Cisco Controller) >
(Cisco Controller) >debug  dot1x all enable
 (Cisco Controller) >*apfMsConnTask_2: Feb 05 07:27:19.865: 00:26:c7:3b:dc:d8 apfMsAssoStateInc
 *dot1xMsgTask: Feb 05 07:27:19.867: 00:26:c7:3b:dc:d8 Station 00:26:c7:3b:dc:d8 setting dot1x reauth timeout = 0
 *dot1xMsgTask: Feb 05 07:27:19.867: 00:26:c7:3b:dc:d8 Stopping reauth timeout for 00:26:c7:3b:dc:d8
 [code]...

View 6 Replies


Cisco WAN :: Lab Router 2500 Configuration Not Working

Jun 6, 2013

I grew tired of entering my username and password in my 2500 series lab router. So I removed authentication by typing "no username xxxxxx password xxxxxx". Different than what I expected (removal of authentication), the router still prompted me for my username, it just won't accept anything I type.

I decided to do a password reset, I changed the register to 0x2102 and then typed "i" for Initialize. It comes back with error "Configuration from version 12.0 message may not be understood correctly." and then boots to running config with a prompt for username again....right back where I started.

Why would removing authentication by just typing "no username xxxxx password" lock me out? If I am actually locked out, maybe there is another way to access?

View 4 Replies View Related

Cisco WAN :: Dot1x Authentication On 3750 Switch?

Jan 18, 2010

I have a 3750 switch (WS-C3750G-24TS-S1U) with IP Services version

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3750G-24TS-1U  12.2(46)SE            C3750-IPSERVICESK9-M

On the switch, I have configured

aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control

but I am not able to implement the command under the interface:

Switch(config)#int gigabitEthernet 1/0/20
Switch(config-if)#do?
down-when-looped

dot1x commands are not available under the interface config. Is the IOS version compatible with dot1x?

View 5 Replies View Related

Cisco AAA/Identity/Nac :: Setup ACS 5.1 For Dot1x-Port Authentication?

Jan 24, 2010

I want to set up the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error message: 24435 Machine Groups retrieval from Active Directory succeeded

View 13 Replies View Related

Cisco Switching/Routing :: Dot1x Authentication On 3750?

Oct 6, 2009

I configured dot1x port-authentication on a 3750. The switch sends out a request to the radius server. The radius server sends an answer-packet to the switch udp port 21645 but it seems the switch discards the packet or something like that. The radius server gets the answer "Destination unreachable, Port Unreachable".

View 8 Replies View Related

Cisco AAA/Identity/Nac :: Dot1x Guest VLAN On 2960G

Apr 9, 2012

I have a 2960 sw configured for dot1x authentication; the problem is the Guest VLAN and Restricted VLAN did not work. The switch port was stuck in authenticating status. The server is Juniper IC4500.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 3560 Dot1x Failure After IOS Upgrade To 12.2. (55) SE1

Apr 5, 2012

This weekend we upgraded the ios on quite a few switches on a larger site. The site is a mix of 2960 and 3560 switches and the previous ios versions were 12.2.44 on most switches but some had an older 12.2.25. On Monday when we came into work we got a call that most of the ports on these switches were an amber color and most people couldn't use the network. After some investigation we discovered that we had a problem with dot1x, so for a quick solution we just removed it from the switches and restarted all the ports with no dot1x enabled, [code]

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 Setting Up Hot Desk With Dot1x With Ip Phone

Aug 12, 2012

Is it possible to set up a multi use port that will use dot1x to authenticate several laptops, only 1 connected at a time, but I need the phone to automatically connect without having to make changes to the phone config as I don't have access to the Cisco call manager to set up the authentication.
 
Setup would be using catalyst 3650x at the access layer, various Cisco ip phones models and a Cisco acs 4.2 server doing the authentication. The laptops would be plugged in through the phone. The switch is already in use and setup and using both data and voice vlans, but now I need to enable it for several users. The acs is already setup to authenticate our wireless network so I'm planning on using the same setup for the wired side.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Ws-c3750-48ps Enable Dot1x On Stack I

May 31, 2013

I have 3 ws-c3750-48ps in a stack and I'd like to enable dot1x on the stack. I entered the commands: [code] I also have dot1x enabled on several interfaces on the 2nd and 3rd switches in the stack with these commands: [code] dot1x successfully works on these ports and I see the logs in acs. Here's where the problem comes in: when I try to enable dot1x using the above commands on any interface on the first switch in the stack, it doesn't work; it's like the switch doesn't support dot1x. I'm assuming that there is a bug in version 3 but after googling I didn't come up with much.

View 6 Replies View Related

Cisco Switching/Routing :: Dot1x Authentication Not Working On 2950

Mar 14, 2011

I have an issue with a 2950 switch: the dot1x config is not working, but on a 2960 it's working fine. Below are the configs from both switches and a debug dot1x all snap. What may be the issue with the 2950 switch ...

on 2950======>
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius

[Code].....

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 2960 - Manually Re-authenticate Dot1x Client?

Jan 17, 2013

I was looking for a way to manually re-authenticate a dot1x client from cli and found this: [URL]

"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"

I've tried it on a 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seem to be implemented. Have I misunderstood something? Or do you guys have any other command to accomplish a manual re-auth?

View 6 Replies View Related

Cisco Switching/Routing :: 2960 - Dot1x Authentication Session Id Not Clearing

Nov 2, 2011

I am seeing the following behavior when computers move from one switch to another with dot1x ONLY when there is a 'stupid' switch in between.
 
computer --------  'stupid' switch ------- 2960
 
dot1x is working fine but when the computer is disconnected, the port still shows the authentication session id so when the computer connects to another port or switch, authentication succeeds but traffic doesn't pass. While I'm almost certain that the culprit is the 'stupid' switch that doesn't clear the session id, I have already tried another one and the problem remains so I'm actually just asking for a confirmation that all these 'stupid' switches present this behavior and if there is a workaround in this case.

View 0 Replies View Related

Cisco Switching/Routing :: 3750x Command Cts Dot1x Kills The Connection

Dec 6, 2012

We're having an issue with the command "cts dot1x" when applied to an uplink interface. It basically kills the connection when this command is applied. Once you remove it, everything is back to normal. The platform is a cisco 3750x.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: 4500 / Interface Is Up / Line Protocol Is Down (not Connect) / Dot1x?

Aug 11, 2011

I configured dot1x on my switch 4500 series. Here is the interface configuration:

interface FastEthernet3/2
description Test dot1x
switchport mode access
load-interval 30
authentication event fail action authorize vlan 800
authentication host-mode multi-host
authentication port-control auto

[code]....
 
When I remove the port-control configuration on the interface, the status changes to UP/UP.

View 1 Replies View Related

Cisco :: Authenticate Wireless 1242 AP To Switch Port With Dot1x Enabled?

Sep 12, 2007

Trying to authenticate a Wireless 1242 AP to a switch port with Dot1x enabled. It seems like the switch can't get the mac or doesn't ever start authentication for the port when I plug in an ap. The ap is configured to pull dhcp on start for fa 0, however never gets an address, even though the port should fail into guest network after auth fails. Any thoughts? A debug only shows this...
 
*Mar  1 00:19:27.127: %IF-3-VLAN_NOT_CONFIGURED: Received dot1Q VLAN tagged packet on interface which does not have VLAN configured.

View 3 Replies View Related

Cisco Switching/Routing :: 3750x - Command Cts Dot1x When Applied To An Up-link Interface

May 7, 2012

We're having an issue with the command "cts dot1x" when applied to an uplink interface. It basically kills the connection when this command is applied. Once you remove it, everything is back to normal. The platform is a cisco 3750x.

View 0 Replies View Related

Cisco :: 3750 / Autonomous Wireless Access Point / Dot1x And Guest VLAN?

Jul 11, 2012

Hardware: Cisco 3750 switch and Cisco autonomous access point (AIR-AP1142N-E-K9).

Requirement: A single broadcast SSID; use dot1x to assign vlan 98 to authenticated clients (computer certificate); assign vlan 3 (guest) if the authentication fails.

I can achieve assigning a guest vlan on authentication failure when using a wired connection by using the following command on the interface:

authentication event fail action authorize vlan 3

I'm after a way to achieve the above using the wireless access point. The main point is that internal users cannot access vlan 3 as they have a valid certificate and that guests do not have to authenticate.

View 2 Replies View Related

Cisco Switching/Routing :: 6509 - 802.1x And Voice VLAN / Enable Dot1x On User's Ports On The Switch

Sep 17, 2012

I have a Cisco 6509 with IOS "s222-ipservicesk9_wan-mz.122-18.SXF16.bin". I need to enable dot1x on user's ports on the switch. Each user is connected to the switch through the IP phone.

I just found out that I cannot enable dot1x on a trunk port. I have tried to use "switchport voice vlan " but I got:
 
Switch(config-if)#switchport voice vlan 123
Command rejected: Gi7/20 is Dot1x enabled port.
 
Let me know what I should do to get dot1x working.
 
Note: I have connected a laptop directly to the port and dot1x is working fine.

View 5 Replies View Related

Cisco Security :: Catalyst 4510 / Switch Port In Dot1x Multi-auth Mode Stops Passing Traffic?

May 6, 2010

I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
 
!
interface GigabitEthernet2/34
 switchport mode access
 ip arp inspection limit rate 30
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 6
 spanning-tree portfast
 ip verify source vlan dhcp-snooping
end

It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.

View 1 Replies View Related

Cisco WAN :: Can't Get 2500 Router To Go To ROMmon

Feb 16, 2012

I'm having a little trouble with a router I have got my hands on to practice for my CCNA. I'm connected via serial>USB adapter and via XP HT on Win7. Router boots and I then break the boot sequence with ctrl-break. But then it does not go into ROMMON mode. It simply says this:

-System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
-Copyright (c) 1986-1995 by cisco Systems
-2500 processor with 2048 Kbytes of main memory
 
How do I get it into ROMMON to reset the password on it?

View 7 Replies View Related

Cisco Wireless :: 2500 WCS Can't Add Controller

Nov 20, 2011

I am having trouble adding a new controller (2500) to the WCS.
 
-My WCS version 6.0.196.0
-My WLC version 7.0.116.0
 
If I upgrade my WCS, may I add the new controller? Even if in the cisco DATA-SHEET there isn't any mention regarding this WLC (basically it says that the WCS does not support this WLC):

Monitoring and migration of selected Cisco Aironet standalone (autonomous) access points. Monitoring of the standalone access points of Cisco 800, 1800, 2800, and 3800 Series Integrated Services Routers.

View 3 Replies View Related

Cisco Wireless :: WLC 2500 With AD Integration

Jan 3, 2012

I have a scenario where we have
 
Cisco 1300 Outdoor APs
Cisco 3600 Indoor APs
WLC 2500
 
Now I need to integrate the WLC with Windows 2008 AD for authentication. The idea is to let the users authenticate via AD for accessing the wireless network.
 
Will the integration work with NPS?

View 2 Replies View Related

Cisco Wireless :: 2500 - LAP Management

Feb 15, 2012

I'm configuring a 2500 series WLC to test some wireless configuration changes we'd like to make on our 5500's that are currently in production.
 
The 2500 and the 5800's interfaces are configured as a LAG.
 
One of the primary goals of these configuration changes is to move the LAPs from their current VLAN (the same subnet as our primary WLAN) to two separate VLANs. We're choosing to move the LAPs to 2 APs based on the WLC best practices document's suggestion to limit the number of LAPs per vlan to 60-100. We've had several issues in the past with LAPs failing to join with their static IPs, releasing them and then joining with DHCP addresses.

LAPs will be on separate vlans using subnets 10.10.10.0/25 and 10.10.10.128/25. WLC management interface is in the 10.10.1.0/25 subnet.
 
Should we continue using static IPs for the LAPs or DHCP?
 
What subnet should the AP management interface be on?
 
Is it possible to have multiple AP management interfaces with LAG?

View 4 Replies View Related

Cisco :: Old 2500 - What To Use For Remote Access Server

Jan 31, 2012

I've used an old 2500 in the past with multiple serial connections to achieve console connections to all my devices in remote offices. What to use nowadays? I don't want to put in an old 2500, I would rather use something more modern. I've seen a lot of devices out there.

View 1 Replies View Related

Cisco :: To Configure WLC 2500 With Authentication 802.1x EAP TTLS

Mar 14, 2013

My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have CISCO WLC 2504. Does CISCO WLC 2500 support EAP TTLS, and if yes, then how to configure it? So far I have added the Radius TTLS server into my WLC. Under Radius on WLC I added the radius server IP and key and created a new SSID 802.1x WPA+WPA2 (WPA policy2 and WPA encryption AES); after that, under SSID AAA servers, I selected the same server IP from the drop down. But the user tried and it didn’t work; also we didn’t see any hit on the radius server. Yes, the policy has been added on radius. My client wants to use TTLS instead of TLS because in TLS you have to use a client certificate on the client side, but in TTLS you can use a certificate on the client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLC. My android phone galaxy II has a TTLS option under EAP 802.1x, so android devices support TTLS.

View 2 Replies View Related

Cisco Wireless :: HA Support On 2500 Controller

May 10, 2013

By any way can I achieve HA in the 2500 controller? I don't mind even if I didn't get Stateful switchover.

View 5 Replies View Related

Cisco :: WLC 2500 Series / Differences Between 7.0 And 7.2 Firmware?

Mar 28, 2012

Which differences exist between 7.0 and 7.2 firmwares? I have to decide/choose which of them to run, before continuing to configure my WLAN infrastructure.

View 3 Replies View Related

Cisco :: 2500 How To Secure Wireless Network

Aug 2, 2011

We are looking at a MAC address filter on the WCS (Limited to 2500?) for the machine, then a rule on the ACS pointing to an AD group.

View 1 Replies View Related

Cisco :: WLC 2500 Series URL Filtering And Hotspot?

Oct 2, 2012

I have a Cisco Wireless Controller 2500 series (AIR-CT2504) and 10 LAPs implemented in my office building. I need to enforce security policy.

I have a few questions below regarding the Wireless controller 2500 Series.

1) Can I enforce Internet security policy such that all prohibitive sites remain blocked from the WLC?

2) Is it possible to allow Internet access to only designated machines/users?

3) Initial logon page for user/machine authentication to get access to wi-fi?

View 1 Replies View Related

Cisco :: WLC 2500 Active Directory Integration?

Apr 10, 2012

I recently bought a Cisco WLC 2500. I want to configure a WLAN with Active Directory authentication. How can I do this?

View 4 Replies View Related

Cisco :: WLC 2500 And AP 1041 - To Use HTTP For Web Authentication

Jun 4, 2013

We are using WLC 2500 and AP 1041 with web authentication. We do not have the trusted/public certificate and want to get rid of the certificate warning during the user login. Is it possible to change the web authentication method from HTTPS to HTTP?

View 1 Replies View Related

Cisco :: Wireless Controller With Web Authentication 2500

Dec 7, 2012

I have a wireless controller cisco 2500 series. I want to know how many web authentication users I can create in the 2500 series controller with a time out option for each user.

I know it will support the web authentication for internet access for the users but I need to know how many it will accept at a time with hours specification.

View 4 Replies View Related

Cisco :: LMS Support For 2500 Wireless Controller?

Nov 27, 2011

know if Cisco LMS will ever support the 2500 wireless controller? I have just checked the supported devices for LMS 4.1 and the controller is not there.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved