Cisco AAA/Identity/Nac :: 2960S Switch-port Stuck In Guest Mode?
Mar 18, 2012
I am using 802.1x authentication with multi-domain ports; Phone and PC connected to phone. The phones are Nortel (Avaya) and the PCs are Dell/HP Laptops. All are configured for Certificate authentication and this works well. However, we sometimes get some ports stuck in Guest mode. When a non-certificated laptop connects to a phone port and fails authentication, the data port is placed in the Guest VLAN. However, when the laptop disconnects the port isn't reset and remains in the guest state. When a subsequent good laptop connects and attempts to authenticate, the switch ignores this and leaves the data port in the Guest VLAN. The switch is a 2960S with Version 12.2(58)SE2 IOS.
The port is configured as follows:
!
interface GigabitEthernet1/0/15
description DANS Port
switchport access vlan 1807
switchport mode access
switchport voice vlan 1855
priority-queue out
[code]....
I placed the AAA, dot1x, eap and auth debug on for all events and then connected a good laptop. The only debug messages I got were as follows:
Mar 19 16:17:01.391 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:17:01.653 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:17:02.654 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
[code]....
I would have expected the auth function to have reacted to the EAP packets sent by the good client when it connected and performed EAP authentication, but it didn't. All it did was say the port's in Guest mode and left the laptop in this VLAN.
Dec 13, 2012
After powering up a WS-C3750-48PS switch, Normal POST LED flashing of lights does not happen, instead the switch is stuck in SYST Mode on the front panel. My attempt to hold down the mode button upon powering up for 15 sec fails to reboot the switch. I cannot console to the switch. Is this switch unrecoverable? Should I RMA with TAC?
Apr 20, 2011
I am testing an ACS 5.2 in our lab environment, I am testing port security for policy based VLAN and ACL assignment. The problem I am having is with the 2960S switches; in my current setup it is working but it doesn't seem to me like it is the way that it should be working. I have a downloadable ACL in the ACS defined and associated to an Access policy and it is working correctly. The problem is, from what I understand, I have to assign a default ACL on the switchport? So what I have assigned on the switchport is ip access-group 10 in. The downloadable ACL from the ACS is also called 10. Do I really need to match the ACL on the switchport with the ACL name I have created in ACS? That doesn't seem like it's dynamic if that is the case? What is the ACL that I should apply to the switch port (if any) in order for the downloadable ACLs that I configure in the ACS to work no matter what port the user is patched into?
Feb 4, 2012
I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecureID via Radius. I've already managed to link it in for ssh access but I've not managed to get it working for http / web access to the switch. I think this is because we're using "single use" tokens for maximum security with RSA Secure-ID and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecureID server (okay on the first authentication, but each time after it's going to want a different token code)
(if there's a way to get the switch to just authenticate once instead of multiple times against the radius server) For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2
May 18, 2013
I am configuring 802.1X in a 3560 Switch, my Radius server is a Microsoft IAS, when I connect a station of a guest user, the guest-vlan is not assigned in the port, and I have these logs:
May 8 21:23:02: dot1x-ev:Received an EAP Timeout on FastEthernet0/8 for mac 0000.0000.0000
May 8 21:23:02: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not
[Code].....
Jan 20, 2013
Can I configure the Port at the ASA 5050 from Mode: access Port to trunk while the FW is running in a production area without console access? As far as I know, at the 5505 it should work?
Jun 19, 2012
I'm trying to get an IP_ADDR set on the management port in SWITCH: mode but for some reason the port seems disabled. PC shows connection unplugged. MGMT_INIT is not a valid command (not listed under '?' ). Bootloader version is 12.2(53R)SE2 FC1.
Mar 5, 2013
I am trying to configure a 3500XL switch (and I know it's old). I get to the int fa 0/1 line and that's where it all stops working.
switch#(config-if)#switch port mode access
switch#copy run start
or
switch#(config-if)#switch port mode access
switch#sh run int fa 0/1
It will show the configuration for port fa 0/1 as if I hadn't entered the "switch port mode access" command. Or any other command for that matter. Why is the switch not holding configuration and seemingly losing it as soon as you exit out of each interface?
Jul 10, 2011
I'm having a problem with DFM under LMS 3.2. For some reason it periodically loses discovered devices and puts all of them into "Learning" state. Sometimes restarting daemon manager is useful but now it isn't. I tried rediscovery a few times but it doesn't work at all.
Sep 22, 2010
I've ended up in rommon mode on my new "old" RMA'ed ASA5505, and I'm stuck there. I've tried to erase Disk0 and all that, and tftp'ed a new image into the box, but when booting I get the message:
INFO: Unable to read firewall mode from flash
WARNING: Unable to write firewall mode to flash, this is normal if flash is not formatted
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
This activattion key is invalid, use default settings only
i2c_write_byte_w_suspend() error, slot = 0x0, device = 0x40, address = 26 byte count =1. Reason: I2C_UNPOPULATED_ERROR
Dec 16, 2012
I have a 6509 E. Actually what happened is that the last 3-4 times it reloaded itself and got stuck in rommon mode. I tried to boot it with boot by connecting a console cable on supervisor 720 2b. What and where is the problem, and why is it stuck in rommon after reload?
Jan 25, 2013
My Cisco seems to be stuck when it boots up, with the following:
Upgrade ROMMON initalized
And it goes on with self compressing image, then an OK, but then it starts loading again all over.
Mar 4, 2012
I have 5 to 6 878 routers and in all these routers the ATM interface is stuck up with initializing mode. This is the IOS running on it: c870-advipservicesk9-mz.124-15.T9.bin
Oct 9, 2011
I am currently supporting an engineer onsite remotely and have come across a strange problem. I have installed a few controllers but none of them have behaved in this manner. The model is a WLC 5508-50k9 model wireless controller and software 7.0.98.0. I have seen as per installation guideline that amber means the following:
Distribution ports 1-8 Off: Not present.
#Green: Indicates SFP port is active and link is established.
#Amber: Present with failure
This means that so coherent fault lies as follows on Layer 1&2. The switch port light does not go green either. We have used both xover and straight but no luck.
May 6, 2010
I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
!
interface GigabitEthernet2/34
switchport mode access
ip arp inspection limit rate 30
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 6
spanning-tree portfast
ip verify source vlan dhcp-snooping
end
It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
Oct 1, 2012
My ISE 3315 is stuck in INIT Entering runlevel: 3. When I connect a screen and keyboard I can only see this last message: ISE 3315 stuck in INIT Entering runlevel: 3. There is nothing after, I cannot login (no prompt) even after waiting 20 minutes with this message.
I have no char return via serial cable despite I was able to run initial setup from console (same cable, the DB9-DB9 provided, same serial config, same laptop).
Version ADE : ADE-OS-2.0 (2.6.18-238.1.1.el5PAE)
Version ISE : 1.1.0.665
Feb 26, 2013
How can we know whether 6500 and 7600 series switches and routers are running in native mode or in hybrid mode?
Mar 22, 2012
Configuring 802.1x authentication on ACS 5.1.0.44 & Catalyst 2960S switches. All the documents I have found seem to have incorrect screen shots or missing steps. I have found a doc external to Cisco [URL]; however, this just hangs when attempting to complete the task in figure G. The other docs are for configuring IBNS & assume that 802.1x is already configured.
Jul 17, 2012
We installed some new switches this winter, mostly Dell Powerconnect 5548 and 5548P switches. Everything was working OK, but I have not tested the network with iperf or any other tools since it did not have any important devices on it at the time. I also deployed LAG+LACP between switches. But now that we moved our infrastructure around, 2 of those switches have a bunch of servers on them. Everything looked fine at day 1 (1Gbit link speed everywhere, smooth operations) but the following week, all the nightly backups were slow as a turtle, mostly stuck at 100mbit-ish speeds. I started to have some complaints about database performance too.
So I started doing some iperf testing and I got a lot of throughput problems with some servers, mostly capping around the 100mbit mark. Then I looked around and found a thread where one guy said it's related to the Broadcom NICs on my Dell servers that have issues with those specific Dell Switches (ironic). Before going haywire and investing quite some time in this problem to shuffle servers around and updating firmwares, any problems with Dell switches or Broadcom NICs?
Dec 10, 2012
I have a 2960S Catalyst switch in my LAN, with the firewall and the servers in the same VLAN (vlan 3). All the servers and the firewall in vlan 3 are in the "192.168.19.0/24" subnet; the firewall has the IP "192.168.19.1". I can land on the firewall with a VPN (192.168.130.0/24) which has a complete view on the subnet 19/24. I can access, manage and get SNMP information of the Catalyst from the servers but I can't do the same from the VPN. Is there some feature I need to enable on the switch in order to allow 192.168.130.0/24 to access it?
Apr 16, 2012
I have 6 Cisco switches already on my network and I just got a 2960S PoE switch that I need to enable for VoIP. The voice vendor is coming in to set up our phone system for VoIP and I need to enable this new 2960S 48 port switch for the VoIP phones. I don't know how to do that, or other tasks needed for this project.
I was told that I need to uplink the new 2960S with the Catalyst 4507R using an ethernet cable and to "trunk the ports" and enable the 2960S as a VTP client - ok great - how?
I was told I also need to use the switch port voice VLAN command for the new VLAN - again, great - but how?
I actually was able to telnet into the switch and I gave it an IP and I created a new vlan but that's all. We are using non Cisco IP phones.
Aug 13, 2012
I have a Cisco Catalyst 2960-S PoE switch. I have web access to the switch and am able to get statistics on each port. However, I am wondering if there is a way to have a diagram of the traffic on each port?
Also, what is the best way to monitor the traffic on a router (I have a Cisco 1811W)?
Apr 29, 2013
I have a running setup having 2 Cisco 2960s 24 TS switches with Stack configuration. Now I want to add one more same Cisco switch. My questions are:
1) How can I do this... (Should I follow the same process as I did before?)
2) Could I do this without impacting the service, i.e. without rebooting the switch?
3) What should the connection architecture be? As of now, since there are two switches, it is connected 1-1 and 2-2, but for 3 switches should we need to change the connectivity?
Jan 21, 2013
I use the Switch 2960S with PoE support and 10 Cisco access points. I have one more question:
-- If all 10 Cisco access points use copper cable to connect to the 2960S, 5 access points use a power adapter and 5 access points use power from the Switch. Will Switch 2960S provide power for 10 APs, or will switch 2960S understand and only provide power for 5 APs?
Oct 22, 2012
Need to confirm the purpose of the command below:
dot11 ssid TEST
vlan 4
authentication open
authentication key-management wpa
guest-mode ?????
Why do we need the guest-mode command in the above config?
Dec 11, 2012
We have a Cat2960-S Series PoE+ currently running 12.2(55) SE5 IOS with SW image C2960S-UNIVERSALK9-M. We want to upgrade the IOS to the latest version but found there are 2 versions: 12.2(53) SE2 and 15.0(1) SE. Which is the best & most suitable for upgrade?
Apr 18, 2012
I was just curious about something with upgrading a 2960s stack.
To copy the image to the switches in the stack I use: Switch# archive download-sw tftp://x.x.x.x/filename
Does this also set the image as the boot image or do I still need to issue the boot system flash command?
Can I just issue this command on the master switch and reload and the new config will be pushed to the rest of the switches?
Jun 5, 2013
After I had already configured my Cisco switch 2960, I configured my console as below [code]. After I rebooted my switch, I found that the switch asked me for a username. However, I did not configure a username. How can I solve this problem without a password reset? I have already configured 15 switches; 100% this problem will be in all switches.
Sep 29, 2011
When will Campus Manager support the 2960S switch series?
Jan 20, 2013
I have a hybrid network in which I want to configure VLANs on a Cisco 2960 S switch. I have an unmanaged switch where my DHCP server and other servers are connected. Now I created two VLANs on the Cisco 2960S and they don't talk to each other, but as soon as I connect the unmanaged switch to the 2960S switch, both VLANs start communicating, which I don't want. I want to listen to server traffic from the unmanaged switch from both VLANs but simultaneously I don't want communication between the two VLANs.
Oct 3, 2012
I have enabled syslog on my Cisco 2960S switch as shown below -
-logging facility local6
-logging host 10.11.12.122 transport tcp port 514
I have set the port to TCP since that is what is configured on the SYSLOG server, which is a CENTOS 5.8 running rsyslogd. I have tested the rsyslogd locally and it works. However, I want to send any and all log messages in the buffer to my syslog server and it is not working. There is no firewall on the CENTOS and the ASA firewall filter is enabled for outgoing traffic.
Aug 28, 2012
Connecting Avaya 9611G IEEE class 1 devices to a Cat2960s. However, some of the phones are registering as class 3 devices no matter what interface the phone is connected to. Typical port config is as follows:
interface GigabitEthernet1/0/2
switchport access vlan 25
switchport mode access
switchport nonegotiate
switchport voice vlan 22
srr-queue bandwidth share 1 30 35 5
[code]....
May 6, 2013
I have a single 2960s without stack module. The stack port has a status of down, however I'd like to disable it so that it does not generate a false alarm in my NMS. The documentation states that there should be a command "switch 1 stack port 1 disable" but on the switch (running 15.0(2)SE2) it doesn't seem to be available. Is this a documentation bug or is the command not there at all?