Cisco AAA/Identity/Nac :: 3560 Dot1x Failure After IOS Upgrade To 12.2(55)SE1
Apr 5, 2012
This weekend we have upgraded the IOS on quite a few switches on a larger site. The site is a mix of 2960 and 3560 switches, and the previous IOS versions were 12.2.44 on most switches, but some had an older 12.2.25. On Monday when we came into work we got a call that most of the ports on these switches were an amber color and most people couldn't use the network. After some investigation we discovered that we had a problem with dot1x, so for a quick solution we just removed it from the switches and restarted all the ports with no dot1x enabled,[code]
Jan 24, 2010
I want to set up the ACS 5.1 for dot1x port authentication. I want to make a machine authentication against an AD domain and I got the following error message: 24435 Machine Groups retrieval from Active Directory succeeded
Apr 9, 2012
I have a 2960 switch configured for dot1x authentication. The problem is the Guest VLAN and Restricted VLAN did not work. The switch port was stuck in authenticating status. The server is Juniper IC4500.
Aug 12, 2012
Is it possible to set up a multi use port that will use dot1x to authenticate several laptops, only 1 connected at a time, but I need the phone to automatically connect without having to make changes to the phone config as I don't have access to the Cisco call manager to set up the authentication.
Setup would be using catalyst 3650x at the access layer, various Cisco ip phones models and a Cisco acs 4.2 server doing the authentication. The laptops would be plugged in through the phone. The switch is already in use and setup and using both data and voice vlans, but now I need to enable it for several users. The acs is already setup to authenticate our wireless network so I'm planning on using the same setup for the wired side.
May 31, 2013
I have 3 ws-c3750-48ps in a stack and I'd like to enable dot1x on the stack. I entered the commands: [code] I also have dot1x enabled on several interfaces on the 2nd and 3rd switches in the stack with these commands: [code] dot1x successfully works on these ports and I see the logs in ACS. Here's where the problem comes in: when I try to enable dot1x using the above commands on any interface on the first switch in the stack, it doesn't work; it's like the switch doesn't support dot1x. I'm assuming that there is a bug in version 3, but after googling I didn't come up with much.
Jan 17, 2013
I was looking for a way to manually re-authenticate a dot1x client from the CLI and found this: [URL]
"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"
I've tried it on a 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seem to be implemented. Have I misunderstood something? Or do you guys have any other command to accomplish a manual re-auth?
Aug 11, 2011
I configured dot1x on my 4500 series switch. Here is the interface configuration:
interface FastEthernet3/2
description Test dot1x
switchport mode access
load-interval 30
authentication event fail action authorize vlan 800
authentication host-mode multi-host
authentication port-control auto
[code]....
When I remove the port-control configuration on the interface, the status changes to UP/UP.
Feb 20, 2011
I'm trying to upgrade a 3750-24TS from c3750-ipservices-mz.122-25.SEE2 to a more recent image. On the first pass, I got
Error: There is insufficient space in flash: to install the required
Error: image. Clean up some old images, and try again.
So I used the delete /recursive flash:image-dir-name to clean out the old files, but I'm still getting the same message after doing this. What's the problem? Now I have a switch with no IOS and need to at least get something on there.
Switch#sh ver
Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 28-Jul-06 08:46 by yenanh
Image text-base: 0x00003000, data-base: 0x010CE290
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SEC, RELEASE SOFTWARE (fc4)
Switch uptime is 1 hour,(code)
Mar 22, 2011
I have a Cisco 1200 Series (AIR-AP1231G-A-K9) access point. I have been upgrading these models to lightweight mode but am having issues with one in particular: this access point keeps "rebooting" itself. I am assuming that the upgrade failed. How can I get the access point upgraded?
When I start to access the AP by typing "enable" and enter the password it starts resetting again.
I have reset the AP by the mode button, power option but still not working.
At this point I would even accept a fix to get it back to working condition. Here is a capture.
Cisco IOS Software, C1200 Software (C1200-RCVK9W8-M), Version 12.3(11)JX1, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
[Code].....
Jun 28, 2011
Tried upgrading my firmware to 4.0.2.08-tm and now I cannot log in via the web interface. The router boots and gets out to the internet. It still allows incoming VPN connections. The login screen displays and will display an error message if I use incorrect credentials, but if I log in properly and am directed to the router's web config homepage at "192.168.1.1/default.htm", I get a 404 error message. Telnet does not work either (not sure if it's on, never used it before).
404 Not Found
The requested server-side-includes filename, /usr/local/EasyAccess/www/htdocs/default.htm, does not seem to exist.
As if the web pages after the login screen got removed or corrupted after the update.
SN is NKS10403247
I realize there is a newer version. Attempted the upgrade incrementally since I could not find documentation specifying if that was required or not.
Jan 24, 2013
IOS upgrade tried on the stack of 2x WS-C3750X-24T-S. Upgrade was tried to support WCCP on the platform. Current version is Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(58)SE1. Not able to find any IP Plus IOS on the site? Only available are IP Base and Universal K9. Tried upgrading to c3750e-universalk9-tar.122-58.SE2.tar by using stack upgrade method as per document [URL]
Upgrade fails with error :
%Error opening flash:update/info (No such file or directory)
ERROR: Image is not a valid IOS image archive.
Why is the current IOS not supporting WCCP? I hope it is there in the feature set (tried "sdm prefer routing" but no success). Will c3750e-universalk9-tar.122-58.SE2.tar give me WCCP support? What is the issue with my upgrade and how do I do a successful upgrade?
Jul 20, 2011
I've been working with a client's integrated 3750 WLC running 4.0.179.11. I want to upgrade the code because it is old plus I am having DHCP trouble. I have a couple of questions:
1. Is it OK to upgrade to SWLC3750K9-5-2-193-0.aes? Or do I need to go through 4.2 first?
2. Will that code upgrade the bootloader at the same time?
3. How can I make sure there is enough flash space on the WLC?
4. Are there any special considerations to plan/prepare for?
The DHCP issue is failure of associated clients to get an IP address with this message found in WLC debugging:
[Code]...
Nov 5, 2011
Applied an IOS update to a stack via tftp. I used the archive download-sw tftp:// method. I rebooted the stack after it completed and it never came back up. I discovered the master switch upgraded but not the member. The member was sitting there with all amber lights on and frozen after the IOS load. The master wouldn't finish boot until I removed the member from the stack. I had a version mismatch and they would not communicate.
Jun 20, 2011
I recently tried to deploy an ACS appliance with version 5.2 installed on it for a customer.
After setting up the WLC to use the ACS as a RADIUS server, and successfully testing connection from the ACS to the AD, I get an error message "12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate" anytime a client tries to connect to the network.
This is surprising because I had already generated a certificate for the ACS from a CA and bound the CA-signed certificate to the ACS. I also specified the CA in the client machine's wireless properties and checked the "validate certificate" button.
When I tried to connect using the internal identity store, the client was successfully authenticated without any certificate issues.
Dec 20, 2012
7x stack WS-C3750E-48TD-E, original code 12.2.35... I wanted to get it to 15.0.1, so as a test I disconnected the top switch (not the master) and installed via archive download-sw /allow upgrade 15.0.1.tar, and it worked away fine...
So I moved onto the stack, issued the same command, image loaded, rebooted and stack hung. Consoled in and switch was unable to boot, looping on trying to load flash. [code]
Mar 10, 2013
I have tried to upgrade the firmware to the latest greatest but keep getting the "Incorrect image file" error. I bought two of the V1 units and had no trouble with one of them but the other is frustrating me. I have reset it and even tried a tftp upgrade of the firmware but still get "Incorrect image file" even in tftp.
Sep 14, 2010
I was prompted by Cisco Connect to upgrade the router software. During this process it came back and said the update failed. At this time the network connection dropped. The power light is now flashing on the device.
Feb 12, 2011
I've tried to upgrade firmware through chrome, but chrome abruptly shut down during upgrade. Since that, I have not even loggin set-up menu which should be shown up putting 192.168.0.1 to make it back. Amber light is just blinking on Power lamp.
May 21, 2012
I am receiving a RADIUS authentication failure stating user must change password; however, password has been changed in AD and is not requiring change password any longer on the AD side.
Is there a cache on the ACS that needs to be cleared? AD connection from ACS to domain is fine. All other accounts authenticate.
It appears that if a user lets their account expire is when this happens. Account has been reenabled in AD and password has been changed. Still will not authenticate via ACS.
Feb 2, 2012
We have an ACS 4.2 installation and we have users configured on the user setup; they authenticate using the Windows database (AD). We ran failure tests and simulated AD failure by disabling the firewall rule. So the ACS server is up, AD is down. Tested user login to a switch and got the following error: External DB user invalid. It looks like, as the ACS does not get a response from AD, it rejects the user login.
What we want it to do is in the event of AD failure is to be able to login to the switch with the username configured on the switch. (as if ACS server does not respond)
Date Time Message-Type User-Name Group-Name Caller-ID Network Access Profile Name Authen-Failure-Code Author-Failure-Code Author-Data NAS-Port NAS-IP-Address Filter Information PEAP/EAP-FAST-Clear-Name EAP Type EAP Type Name Reason Access Device Network Device Group 02/03/201214:09:13Authen failedtest.testNetwork192.168.1.1(Default)External DB user invalid or bad password....tty310.0.0.1..........SWITCH30Office
Jun 12, 2012
I am trying to apply patch 5 to my ACS version 5.3 using FTP but I receive the following errors after issuing the show backup history command. When I use TFTP, I get a message saying that the file is too big, which I understand, 164 MB.
After issuing the show repository "repository name", I get the following error.
% Error reading directory on remote server.
The patch is on one of my hard drives, D; how do I specify on the ACS file path which drive to use? I can only place a URL but without specifying which drive.
Aug 24, 2011
I've my ACS linked with AD to give administration access to few network devices and I've created an access policy to link my AD groups with those network devices and command sets.
Unfortunately I found I can use any user from my AD to login to my devices. Only LOGIN, the authorization definition is restricting the command set for those users.
How can I restrict the LOGIN to a specific AD group?
Sep 14, 2011
I'm trying to re-image an ACS SE 1113 with a recovery CD but I keep getting a disk error complaining of an invalid destination drive.
Nov 22, 2011
We have ACS 4.2 and a 2851 router with IOS 15.0(1)M4. There is an authentication failure with error no. 254. Is there any compatibility issue with 15.0(1)M4 IOS?
Apr 8, 2009
The ACS can authenticate people using the local database. It can also authenticate a single user (using the Windows database) if you are fast after the service is restarted; however, after a few seconds, it fails to authenticate any users. The error we are seeing in the logs appears as authentication failure type: internal error. Also in the log files, the authentication request from the user does not appear in the correct group; it is thrown into the default group.
Jul 31, 2012
On the dashboard of the "Monitoring & Report Viewer" I see a lot of system alarms related to the database. The explanation of the alarm says to look at the Collector logs for the details.
Sep 10, 2012
Is it possible to upgrade the CSACS-1121-UP-K9 to be a non upgrade part? We were going to upgrade from a Windows 4.x to the above Appliance (version 5.x) but there is now a reason to keep the old Windows version running therefore we cannot give the new Appliance the old ACS's licenses?! So we should have (with hindsight) bought a fresh version of the ACS 5.x rather than an upgrade.
Nov 22, 2012
I have defined a RADIUS proxy on CSG2 to an external RADIUS server, but PDP fails with an Authorization failure message on the GGSN, and in the CSG2 debug log I see “SAMI 3/3: Nov 23 15:11:43.937: RADIUS: Dropping the unsolicited RADIUS packet”
Feb 24, 2013
We are running Cisco Secure ACS for Windows version 4.1(1)b23p5 on a Windows 2000 member server. Starting from today, ACS fails to authenticate users. Using the same external user (andrea-meconi) I can verify successful and failed authentication. This is the AUTH.log for a generic RADIUS request...
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Starting authentication for user [andrea-meconi]
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Attempting
[Code].....
Jun 11, 2012
I'm having trouble getting things working on a pair of ASA5510's using Cisco Secure ACS v5.1. We were previously using a much older version of ACS to these (and a lot of other) devices which worked OK for remote access for read/write use. Am in the process of migrating to the new ACS software and have got it working OK to everything (many Cisco switches and other IOS devices) except these ASA5510s.
I can get TACACS authenticating fine and am able to log on and go into enable mode. Any subsequent commands are then met with 'command authorization failure', including 'show run', 'conf t' and even 'exit'!
My ASA5510 config has not changed, other than to define the new AAA server, which leads me to think it's something to do with how I have the ACS user profile set up. I have configured the ACS 5.1 device administration Shell Profile to have the maximum privilege level (15) and the command set I'm using has the box checked 'permit any command that is not in the table below'.
Jul 8, 2011
I have a Cisco Cat 3560 and the present IOS is 12.2(46)SE and I want to upgrade the IOS to 12.2(58)se1. As there is only 8mb of free space I can't straightly copy the new IOS on the switch. Any convenient way to upgrade IOS?
Feb 28, 2013
I'm trying to configure an ASA5510 with release 9.1(1) in order to authenticate VPN AnyConnect users through LDAP. In a first step the logs show me this kind of error:
[-2147483632] Session Start
[-2147483632] New request Session, context 0xadf415d4, reqType = Authentication
[-2147483632] Fiber started
[Code]......
May 1, 2012
I want to upgrade a Catalyst 3560-48PS to the last IOS. I get an error message stating that there is insufficient space in flash: I have deleted all files in flash - but I still get the same error message. According to the documentation there should be enough memory. Messages are pasted below:
Switch#dir
Directory of flash:/
No files in directory
15998976 bytes total (15997952 bytes free)
Switch#archive download-sw tftp://192.168.9.13/c3560-ipservicesk9-tar.122-55.SE.tar
Loading c3560-ipservicesk9-tar.122-55.SE.tar from 192.168.9.13 (via Vlan9): !!!!!!!
[OK - 15964160 bytes]
Loading c3560-ipservicesk9-tar.122-55.SE.tar from 192.168.9.13 (via Vlan9): !!!!!!!!
examining image...
extracting info (109 bytes)
[code]....
Error: There is insufficient space in flash: to install the required
Error: image. Clean up some old images, and try again.