Cisco AAA/Identity/Nac :: 3750 AAA Server Address Is Dropped After Restart Sometimes
Jan 20, 2013
We have Cisco 3750G switches and have them set up to use Cisco ACS 5.2.0.26.5. On some switches, after they are restarted (and we know that the config is saved), the server address for AAA authentication is dropped. We are running IOS c3750-ipbasek9-mz.122-40.SE. I have started to upgrade switches to c3750-ipbasek9-mz.122-50.SE5 to fix an issue with reporting high drops in SolarWinds.
Jul 1, 2012
I have two routers, a 1921 and a 2901, and both of them connect to one reliable Internet line from one ISP. The 1921 is the master router and the 2901 the slave. This is my question: how can I make a backup DHCP server on the 2901 with the same IP address generation?
Example:
1921 -------> IP generator 10.1.1.0/24
2901 -------> IP generator 10.1.1.0/24
Both generate the same IP addresses; when the master is lost, the slave could cover the LAN.
Aug 28, 2011
I am using a 3750 ME switch; we restarted the switch 7 weeks ago and we are getting an error message. We are using MPLS / BGP on this switch.
Jan 10, 2012
Our ACS v5.2.0.26 started to drop connections from wired and wireless clients, with a "Radius Request Dropped" message. The detailed message is: "RADIUS Request dropped : 11051 RADIUS packet contains invalid state attribute". This message is usually preceded by a "RADIUS Request dropped : 24444 Active Directory operation has failed because of an unspecified error in the ACS" error. The communication with Active Directory seems to be OK, since workstations are getting a valid IP address when connected to a non-802.1X switch port (Cisco 4506).
Feb 22, 2011
The error message "5405 RADIUS Request dropped": what does it mean? We have implemented 802.1X on a C4506 switch running IOS 12.2(53); it has worked fine for about 3 months, but now I get users not able to authenticate. In the logs on the ACS I get the above message.
ACS 5.2 is running 5.2.0.26 Build 3075.
Jul 30, 2012
I am configuring a Cat 2960 port for connecting a VoIP phone, authenticated by MAB. On connecting the phone, I get the port authenticated and assigned to the correct VLAN, with LLDP-MED advertising the correct voice VLAN. However, I then see no traffic from the phone on the switch. I can see the MAC address of the phone is learned in the right VLANs, but the MAC address is showing as "Drop", which normally means the address is statically configured to be blocked. There is no static MAC address table blocking configured on the switch.
Switch Version
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 50 WS-C2960-48TC-L 15.0(1)SE3 C2960-LANBASEK9-M
Port configuration
interface FastEthernet0/1
description "Standard user port"
[code].....
Jun 13, 2012
I want to upload flash from a server, as if I was uploading with Flash instead of a browser. I was told something about an RFC (Flash download request). Anyway, are there any sites, etc., that I can use?
Sep 30, 2011
This one is kicking my butt. I have an MPLS network with three sites. Site1 is where all my servers reside. Site2 and Site3 just have a few PCs. From Site2 and Site3 I cannot access the server at Site1 via http://IPADRESS.Of.Server. I am able to ping just fine. I thought it may be a router issue, but... there is a single PC at Site2 that can access it without any issues. All the IP settings (default GW, DNS, etc.) match the other PCs. The Windows firewall is turned off on all PCs. AVG is disabled on the PCs.
Aug 12, 2011
How to convert a domain server into a workgroup
Feb 23, 2012
Change user name on server & pc
Feb 24, 2012
I have a DSL line at work that we use to test external services provided to external users on our primary Internet circuit (Citrix, web applications, etc.). Because this DSL line is for testing only, we want to lock it down so the only destinations allowed through the firewall are our own IP spaces.
I purchased a WRVS4400N for this purpose, thinking I could use the IP based ACL list to create these restrictions. However, every time I try to create an ACL, the internet slows to a crawl, and many sites don't come up at all. This occurs even if the ACL rule I add is a simple "allow any any" rule similar to the default rules.
Is this a known issue, or am I configuring something incorrectly? Here's an example of a rule I'm using (IP not real):
Action Service Source Interface Source Destination Time Day
Allow All Protocol LAN ANY 1.2.3.0/255.255.255.240* Any Time Every Day
I also get the problem with a simple allow from a single IP (mine) to any destination, without any other rules enabled.
implementation of the ACL ruleset on these routers?
Jul 2, 2012
My query is: can I send my syslog messages to an SNMP server? If so, what command needs to be enabled on the Nexus 7k?
Jan 4, 2012
I am struggling with configuring NPS AAA for our 3750 array ... authentication and authorization. I tried almost every config I could find online, but the most I got out of it is a simple authentication. What I need is quite simple: we have several AD groups.
1- Admin
2- Read only with a few privileges for ping, show, traceroute and telnet
I need my switches to be able to recognize the groups and assign them the correct priv. But it doesn't seem to be happening. Any clean config for the switch and for NPS?
Feb 27, 2012
When I upgraded my Cisco 3750 ME from c3750me-i5k91-mz.122-46.SE to c3750me-i5k91-mz.122-58.SE2.bin, all commands for RADIUS disappeared. However, there are a lot of commands for LDAP which were missing in the previous version. It seems as if RADIUS has disappeared and been replaced by LDAP?
Jan 16, 2013
I am writing in response to a MAB issue which I noticed a few days ago, and I am still not able to understand what exactly happened. First of all, I would like to say that I configured MAB authentication, and according to the MAC the ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration, the switch authorizes the new device into VLAN 11 (critical VLAN). That is fine! When the ISE server is up again, I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why does that not happen??? It looks as if the switch didn't notice that the RADIUS (ISE) was up and working again. [code]
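For the situation in the post above (MAB ports parked in a critical VLAN while ISE is unreachable, and the switch expected to reauthorize them when ISE returns), here is an added example configuration. It is not the poster's config and not from Cisco's documentation; it uses Catalyst 3750 syntax of the 12.2(55)SE / 12.2(58)SE era, and the ISE address 10.10.10.5, shared secret "ise-secret", probe account "radius-test", critical VLAN 11 and interface Gi1/0/1 are all assumed values. The part that decides whether "server alive" ever fires is the `test username` probe on the `radius-server host` line: without it the switch has no reason to talk to a server it has marked dead, so it never sees the server come back.

```cisco
! Added example (not from the original post): Catalyst 3750, 12.2(55)SE+ syntax.
! MAB/dot1x ports fall into critical VLAN 11 while ISE is unreachable and are
! reinitialised once the switch detects the server alive again.
! Assumed: ISE at 10.10.10.5, key "ise-secret", probe user "radius-test".
aaa new-model
!
! The test username is what makes recovery work: the switch keeps sending probe
! Access-Requests to a server it has marked dead (every idle-time minutes) and
! flips it back to "alive" when any answer arrives. Access-Reject counts, so the
! account needs no rights in ISE. ignore-acct-port: probe only the auth port.
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 ignore-acct-port key ise-secret
!
! Mark the server dead after 3 unanswered requests within 5 seconds ...
radius-server dead-criteria time 5 tries 3
! ... and keep it dead for 10 minutes before normal (non-probe) requests are
! retried against it; the probe still runs during this window.
radius-server deadtime 10
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 ! While all RADIUS servers are dead: authorize new sessions into VLAN 11.
 authentication event server dead action authorize vlan 11
 ! When a server comes back: clear the critical sessions and reauthenticate
 ! them against ISE.
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! Verify:
!   show aaa servers                               -> State: current UP/DEAD
!   show authentication sessions interface Gi1/0/1 -> Critical vs Authz Success
!   debug radius authentication                    -> probe requests every 5 min
```

The probe user shows up in ISE as a failed authentication every few minutes; the usual way to keep the live log readable is an ISE authorization policy that matches that username and returns an explicit reject, which still satisfies the switch's liveness check. Note also that `deadtime` only governs real client requests; if it is left at 0 the switch retries every new client against the dead server first, which is what causes the long login delays people often mistake for "ISE is still down".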
Jan 10, 2012
I replaced an access switch, a 3750, with a 2960 switch. Basically I just copied the whole config of the 3750 to the 2960.
The 3750 uses AAA, a crypto pki trustpoint TP-self-signed, radius-server host, etc.
Now I can only telnet to the 2960, but not SSH to it.
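Following on from the post above: an added example, not the poster's config, of what a copied configuration cannot carry across. The RSA key pair is never part of the running config, and the pasted `crypto pki trustpoint TP-self-signed-...` block with its certificate is bound to the old switch's key pair, so SSH has nothing to sign with on the new box until keys are generated there. The hostname sw-2960, domain example.local, 2048-bit modulus and local user "admin" are assumed values; a crypto-capable (k9) image is required, which `show version` confirms.

```cisco
! Added example (not from the original post): enabling SSH on a 2960 that
! received a copied 3750 config. Assumed values: hostname sw-2960, domain
! example.local, modulus 2048, local fallback user "admin".
hostname sw-2960
ip domain-name example.local
!
! New key pair on THIS switch; the self-signed trustpoint is rebuilt from it
! automatically the next time ip http secure-server (if used) starts.
crypto key generate rsa modulus 2048
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
username admin privilege 15 secret <strong-secret>
!
line vty 0 15
 transport input ssh
!
! Verify:
!   show crypto key mypubkey rsa   -> a key must be listed
!   show ip ssh                    -> "SSH Enabled - version 2.0"
!   show ip interface brief        -> an up SVI with an address on the VLAN
!                                     you are connecting from
```

The copied AAA and radius-server lines are fine to keep; the only other thing worth checking after a config transplant is that the RADIUS client entry on the server still matches the new switch's source address, otherwise SSH will connect but every login will fall through to the local user.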
Dec 29, 2011
I have a customer who used to own a 3750 with an older version of IOS. The switch he had used a three-year-old version of IOS which allowed him to browse to the switch IP and manage it via HTTP without entering a password at all. Now he has a replacement switch with a new version of IOS (since the previous switch died). We slapped the config on from the old switch, but no matter what we do (understanding that new http aaa authentication commands were added) we can't get this thing to let him in without prompting him for a password. I understand this was an insecure config to begin with, so I shouldn't be advocating using it in the first place, but this is what the customer wants. Basically what I'm trying to figure out is: are we banging our heads into the wall for nothing, as "ip http server" will not allow an authentication method of "none" anyway? None of the official documentation I have read for the http aaa authentication commands shows this as an example, nor have I found any blog posts on how to do it either. Perhaps Cisco removed this by design.
Here is the config:
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authentication login none none
ip http server
ip http authentication aaa login-authentication none
[code]....
Feb 24, 2013
There are two Win7 SP1 PCs (A & B) plugged in to a 3750-X (v12.2-58-SE2), on ports 33 and 41.
The ports are configured for 802.1X, with an auth order of MAB then dot1x. Priority is dot1x, MAB. The config is the same on both ports (verified with show run all).
When either PC is plugged in to port 33, everything works as I expect. The client sends an EAPoL message, gets a response, and is authenticated. When PC A is plugged in to port 41, same correct result. When PC B is plugged into port 41, the client sends an EAPoL Start, and the switch never replies.
If port 41 has the authentication order changed to dot1x then MAB, PC B works fine.
Mar 29, 2011
I would like to make centralized management of login accounts on my Cisco switch (with a RADIUS server). But on a Cisco 3750-E, I use the 12.2(44)SE1 IOS and no aaa authentication login command exists.
Can the Cisco 3750 support an IOS other than 12.2 which has this ability?
Aug 10, 2009
I'm experiencing some problems with AAA authentication banners and banner logins. I'm trying to use spaces and empty lines, but when logging in, all the lines are after each other: no empty lines, no spaces. The problem appears on a 3750 with IOS version 12.2(5)SE2.
May 9, 2013
I recently saw a Cisco demo of ISE with a customer, and the Cisco SE was setting the port description to the logged-in username (dot1x). I can't find any docs on doing this. I did find some old ACS docs that mention using an AV pair and sending aaa:suplicant-name in the result, but that isn't working. I'm trying this on a 3750 and using ISE.
Sep 19, 2012
We are setting up a new office and I am trying to get RADIUS set up for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung up on what I think is something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius
[code]....
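Two posts on this page ask for the same thing: the NPS one just above (authentication works, exec authorization does not) and the earlier Jan 4, 2012 post wanting AD groups mapped to an admin and a read-only privilege level. The following is an added example, not either poster's config and not Cisco's or Microsoft's documentation. It keeps the poster's group name corp-radius and server 10.15.10.20; the shared secret "radius-secret", the management SVI Vlan10 and the local user "admin" are assumed. One detail worth a second look in the posted config: `aaa authorization exec default group radius` names the implicit group of all radius-server hosts, not the corp-radius group the login line uses, and the two are easy to mix up.

```cisco
! Added example (not from the original post): Catalyst 3750 / IOS 15 login
! authentication and exec authorization against Microsoft NPS, with two AD
! groups mapped to privilege 15 (admin) and privilege 1 (read-only).
! Assumed: NPS at 10.15.10.20, key "radius-secret", management SVI Vlan10.
aaa new-model
!
! Legacy host syntax, which is what the "server 10.15.10.20 ..." line inside
! the group refers to; the key must match the RADIUS client entry in NPS.
radius-server host 10.15.10.20 auth-port 1812 acct-port 1813 key radius-secret
!
aaa group server radius corp-radius
 server 10.15.10.20 auth-port 1812 acct-port 1813
!
! Login: RADIUS first, local user database only if no server answers.
aaa authentication login default group corp-radius local
! Exec authorization must use the same group. if-authenticated: a user NPS
! accepted but sent no privilege attribute for still gets a shell (level 1)
! instead of "% Authorization failed".
aaa authorization exec default group corp-radius local if-authenticated
! Source RADIUS traffic from the address NPS has as the client address.
ip radius source-interface Vlan10
!
! Local fallback account so the console still works with NPS unreachable.
username admin privilege 15 secret <strong-secret>
!
line vty 0 15
 login authentication default
 authorization exec default
 transport input ssh
!
! NPS side, one Network Policy per AD group, each returning:
!   Admin group     -> Service-Type = Login
!                      Cisco-AV-Pair (vendor 9, attr 1) = shell:priv-lvl=15
!   Read-only group -> Service-Type = Login
!                      Cisco-AV-Pair = shell:priv-lvl=1
! Privilege 1 already permits ping, traceroute, telnet and the show commands
! a read-only user needs; nothing extra is required for that group.
!
! Verify from the switch:
!   test aaa group corp-radius <user> <password> new-code
!   show aaa servers
!   debug radius authentication   (look for the av-pair in the Access-Accept)
```

The `test aaa group ... new-code` command is the fastest way to tell the two failure modes apart: an Access-Accept that carries no `shell:priv-lvl` means the NPS policy's vendor-specific attribute is missing or attached to the wrong policy, while a reject with a server-side log entry of "unknown RADIUS client" means the source address or shared secret is wrong.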
Jul 25, 2011
We have a Catalyst 3750 switch that failed over to local login after the TACACS authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.
May 4, 2011
Is there a way to assign a QoS service policy via RADIUS to a Catalyst 4500/3750 switchport?
In detail, we would like to assign this policy
policy-map SET_EF
 class class-default
  set dscp ef
to an interface. All traffic should be marked with a defined DSCP value.
This works fine when doing it statically with
interface FastEthernet2/1
 service-policy input SET_EF
but we would need to assign such a policy via RADIUS during the 802.1X authentication. Different users should get different policies. We use Cisco ACS 5.2 as the RADIUS server, and there actually is a field for that in the Authorization Profile Common Tasks Configuration. In detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to a NAS.
We found also two other attributes, "sub-qos-policy-in" and "ip:sub-qos-polcy-in", for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k [URL]
Unfortunately this seems to not work on Catalyst 45k and 37k.
In the ACS logs we can see that these attributes are attached to the RADIUS reply, but unfortunately they are ignored by the switch.
It is interesting that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayed, so to my understanding the switch should understand these attributes (?)
4503-E#sh aaa attributes
AAA ATTRIBUTE LIST:
Type=1 Name=disc-cause-ext Format=Enum
Type=2 Name=Acct-Status-Type Format=Enum
[Code]......
Apr 15, 2012
There 's a Cisco IP phone that sits between a PC and the switch port. On the switch port, no MAC address is learned. However, the switch is able to detect the IP phone and deliver power to it: [code] Switch is Catalyst 3750 with IOS version 12.2(58)SE1.
Aug 30, 2012
I installed some Nexus 5ks to replace their 3750s and added dynamic routing. Well, after working out most of the issues with most of the stuff, there is one issue that still remains. From what I understand (I have not made it back to the site yet), when their users connect to VPN with IPsec (they only use the thick client) they register their local IP address to DNS and their VPN-assigned IP address. At this time I don't have access to the configurations.
Jan 8, 2012
I have a 1250 AP connected to a Cisco 3750 switch. We have an SSID (VLAN 1 - native) which gets an IP address from our DHCP server (located on a Windows 2003 server). I added a new SSID in VLAN 2 and I would like not to use the DHCP server but to make the AP hand out an IP address from the pool I created on the AP itself (ip dhcp pool Guest), but every time I try to connect to the new VLAN, it doesn't get an IP address.
The settings of the AP follow.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
[Code]...
Feb 7, 2012
I have a 2960 switch and a router that connects with one interface to that switch. The link is a trunk and the router's function is inter-VLAN routing between 4 VLANs. This network has only one IP address space, 10.10.2.0/24, and works without problems. We connected the Cisco 2960 switch with an optic link to another switch, a 3750 stack, configured as a trunk link with only 3 VLANs allowed between them. On the other side, the network with the 3750 has different IP subnets, and that switch works at layer 3 too. The problem is that when I permit VLAN 210 on the 2960 (layer 2 only between this switch and the 3750), in the network with the 10.10.2.0/24 devices, if I disconnect and then reconnect a PC to the network, it says that it has an IP conflict, and in the log it shows the MAC address of the router that has the VLAN 210 subinterface configured with the 10.10.2.0/24 subnet. But when I remove VLAN 210 from the permitted VLANs on the trunk, devices start working normally. If I again put VLAN 210 into the permitted VLANs on that trunk, devices again say that there is an IP address conflict and show the MAC address of the router's VLAN 210 subinterface.
Apr 30, 2013
ISE 1.1.3
Cisco 3750 switches
Windows XP / 7 / 2008 clients
I'm having some weird issues where if a client connects to a switchport and happens to be using a static IP address, then the client warns of a duplicate address problem. Also, the client will then only show the default gateway within ipconfig, even though the IP address / mask is still in the GUI network properties of the adapter. This is happening with Windows 7 and Windows 2008 devices.
Windows XP clients don't get the issue.
Some clients will use the 802.1X native supplicant and some will be authenticated based on MAB. I have not noticed the problem with 802.1X clients, but it always occurs on MAB.
I came across a similar issue here: URL
Going off that blog, I tried using the "ip device tracking probe delay" command, but the switches don't recognise the "delay" keyword.
The switches are 3750 switches running version 12.2(58)SE2.
All I have is "count, interval, use-svi" as extra options.
The Catalyst 4500 switch guide has the "delay" option but no "count, interval or use-svi".
The only way I have managed to avoid the problem is using the second solution, which is a registry hack on each client. This is fine for the odd server but not realistic when there will be hundreds of other clients.
Oct 16, 2012
Today, when we ran one application to access a target server with IP address 10.2.2.13, the application could not run through and showed an error message related to networking. The target server has two network ports, and the other one, with IP 10.2.2.14, is running OK with the same application. Both of these connections are connected to the same Cisco 3750 switch; after the switch they go to a Cisco ASA firewall, which has no access control rule for 10.2.2.13 or its subnet, and then the firewall connects directly to the application server. We can ping, remote desktop and telnet to the application's port on the target server using 10.2.2.13. We swapped the cable connections of the two ports with each other and tried the application again: the IP 10.2.2.13 still fails and 10.2.2.14 is OK. We then changed the IP from 10.2.2.13 to 10.2.2.12 or 10.2.2.155, and all were OK. We changed it back to 10.2.2.13 and it failed again. The switch is running in real-time production, so we cannot power cycle or reload the switch.
May 30, 2011
How can I change the IP address of Cisco ACS 5.2 itself through the web interface?
Apr 6, 2013
I need to change the IP address of an existing primary Cisco ACS 4.2 (Windows-based). What is the required procedure to change the IP address?
Sep 30, 2012
Is it possible to create an IP address pool for IP address assignment in ACS 5.3, like it used to be possible in 3.x and 4.x?