Cisco AAA/Identity/Nac :: 3750 AAA Server Address Is Dropped After Restart Sometimes

Jan 20, 2013

We have Cisco 3750G switches and have them set up to use Cisco ACS 5.2.0.26.5. On some switches, after they are restarted (and we know that the config is saved), the server address for the AAA authentication is dropped. We are running IOS c3750-ipbasek9-mz.122-40.SE. I have started to upgrade switches to c3750-ipbasek9-mz.122-50.SE5 to fix an issue with reporting high drops in Solarwinds.


Cisco WAN :: Backup DHCP Server In 2901 As A Same IP Address Generation?

Jul 1, 2012

I have two routers, a 1921 and a 2901, and both of them are connected to one reliable Internet line from one ISP. The 1921 is the master router and the 2901 is the slave. This is my question: how can I make a backup DHCP server in the 2901 with the same IP address generation?
 
Example :
1921-------> Ip Generator 10.1.1.0 /24
2901-------> Ip Generate 10.1.1.0 /24
 
Both generate the same IP addresses; when the master is lost, the slave could cover the LAN.


Cisco WAN :: 3750 ME Switch Getting Error Message After Restart

Aug 28, 2011

I am using a 3750 ME switch. We restarted the switch 7 weeks ago and we are getting an error message. We are using MPLS / BGP on this switch.


Cisco AAA/Identity/Nac :: 4506 - ACS RADIUS Request Dropped 11051

Jan 10, 2012

Our ACS v5.2.0.26 started to drop connections from wired and wireless clients, with a "Radius Request Dropped" message. The detailed message is: "RADIUS Request dropped : 11051 RADIUS packet contains invalid state attribute". This message is usually preceded by a "RADIUS Request dropped : 24444 Active Directory operation has failed because of an unspecified error in the ACS" error. The communication with Active Directory seems to be OK, since workstations are getting a valid IP address when connected to a non-802.1x switch port (Cisco 4506).


Cisco AAA/Identity/Nac :: ACS 5.2 Error Message 5405 RADIUS Request Dropped

Feb 22, 2011

The error message "5405  RADIUS Request dropped", what does it mean? We have implemented 802.1X on a C4506 switch running IOS 12.2(53). It has worked fine for about 3 months, but now I get users not able to authenticate. In the logs on the ACS I get the above message.
 
ACS 5.2 is running 5.2.0.26 Build 3075.


Cisco Switching/Routing :: Cat 2960 Shows Mac Address Port As Dropped?

Jul 30, 2012

I am configuring a Cat 2960 port for connecting a VOIP phone, authenticated by MAB.  On connecting the phone, I get the port authenticated and assigned to the correct VLAN, with LLDP-MED advertising the correct voice vlan.  However, I then see no traffic from the phone on the switch.  I can see the MAC address of the phone is learned in the right VLANs, but the mac address is showing as "Drop", which normally means the address is statically configured to be blocked.  There is no static mac address table blocking configured on the switch. 

Switch Version
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 50    WS-C2960-48TC-L    15.0(1)SE3            C2960-LANBASEK9-M
 Port configuration
interface FastEthernet0/1
description "Standard user port"

[code].....


Upload Flash From A Server?

Jun 13, 2012

I want to upload flash from a server, as if I was uploading with flash, instead of a browser. I was told something about rfc..(Flash download request). Anyways, are there any sites, etc., that I can use?


Accessing Server Via HTTP Over MPLS?

Sep 30, 2011

This one is kicking my butt. I have an MPLS network with three sites. Site1 is where all my servers reside. Site2 and Site3 just have a few PCs. From Site2 and Site3 I cannot access the server at Site1 via http://IPADRESS.Of.Server. I am able to ping just fine. I thought it may be a router issue but... there is a single PC at Site2 that can access it without any issues. All the IP settings (Default GW, DNS, etc...) match the other PCs. The Windows firewall is turned off on all PCs. AVG is disabled on the PCs.


How To Convert Domain Server Into Workgroup

Aug 12, 2011

How to convert domain server into workgroup


Servers :: Change User Name And Password On Server / PC?

Feb 23, 2012

Change user name on server & pc


Cisco Routers :: WRVS4400N - ACL Rule(s) Causing Severe Slowdown?

Feb 24, 2012

I have a DSL line at work that we use to test external services provided to external users on our primary Internet circuit (Citrix, web applications, etc).  Because this DSL line is for testing only, we want to lock it down so the only destinations allowed through the firewall are our own IP spaces. 
 
I purchased a WRVS4400N for this purpose, thinking I could use the IP based ACL list to create these restrictions.  However, every time I try to create an ACL, the internet slows to a crawl, and many sites don't come up at all.  This occurs even if the ACL rule I add is a simple "allow any any" rule similar to the default rules.
 
Is this a known issue, or am I configuring something incorrectly?  Here's an example of a rule I'm using (IP not real):
 
Action     Service          Source Interface     Source     Destination                                   Time              Day
Allow      All Protocol     LAN                    ANY           1.2.3.0/255.255.255.240*             Any Time       Every Day  
 
I also get the problem with a simple allow from a single IP (mine) to any destination, without any other rules enabled.
 
implementation of the ACL ruleset on these routers?


Cisco Switching/Routing :: Nexus 7k - Possible To Send Syslog Messages To SNMP Server

Jul 2, 2012

Query is: can I send my syslog messages to an SNMP server? If so, what command needs to be enabled on the Nexus 7k?


Cisco AAA/Identity/Nac :: 3750 - Configuring NPS AA

Jan 4, 2012

I am struggling with configuring NPS AA for our 3750 array ... authentication and authorization. I tried almost every config I could find online, but the most I got out of it is a simple authentication. What I need is quite simple: we have several AD groups.

1- Admin
2- Read only with few privileges for ping, show, trace route and telnet
 
I need my switches to be able to recognize the groups and assign them the correct priv. But it doesn't seem to be happening. Any clean config for the switch and for NPS?


Cisco AAA/Identity/Nac :: Missing RADIUS On 3750?

Feb 27, 2012

When I upgraded my cisco 3750 ME from c3750me-i5k91-mz.122-46.SE to c3750me-i5k91-mz.122-58.SE2.bin all commands for radius disappeared? However, there are a lot of commands to ldap which was missing in the previous version. Seems as if the radius has disappeared and been replaced by ldap?


Cisco AAA/Identity/Nac :: ISE & 3750 Switch MAB Configuration

Jan 16, 2013

I am writing in response to a MAB issue which I noticed a few days ago, and I am still not able to understand what exactly happened. First of all I would like to say that I configured MAB authentication, and according to the MAC the ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration, the switch authorizes the new device to VLAN 11 (critical VLAN). That is fine! When the ISE server is up again, I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why does that not happen? It looks as if the switch didn't notice that the RADIUS (ISE) was up and working again. [code]


Cisco AAA/Identity/Nac :: 3750 - Cannot SSH To Switch 2960

Jan 10, 2012

I replaced an access switch 3750 with a switch 2960. Basically I just copy the whole config of the 3750 to 2960.
 
The 3750 use AAA, Crypto pki trustpoint TP-self-signed and radius-server host etc.
 
Now I can only telnet to 2960 but not SSH to it.


Cisco AAA/Identity/Nac :: 3750 - IP HTTP Server (with No Authentication)

Dec 29, 2011

I have a customer who used to own a 3750 with an older version of IOS. The switch he had used a three year old version of IOS which allowed him to browse to the switch IP and manage it via HTTP without entering a password at all. Now he has a replacement switch with a new version of IOS (since the previous switch died). We slapped the config on from the old switch, but no matter what we do (understanding that new http aaa authentication commands were added) we can't get this thing to let him in without prompting him for a password. I understand this was an insecure config to begin with, so I shouldn't be advocating using it in the first place, but this is what the customer wants. Basically what I'm trying to figure out is: are we banging our heads into the wall for nothing, as the "ip http server" will not allow an authentication method of "none" anyway? None of the official documentation I have read for the http aaa authentication cmds shows this as an example, nor have I found any blog posts on how to do it either. Perhaps Cisco removed this by design.

Here is the config: 
 
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authentication login none none
ip http server
ip http authentication aaa login-authentication none

[code]....


Cisco AAA/Identity/Nac :: 3750 Replies To EAPoL On One Port But Not Another

Feb 24, 2013

There are two Win7 SP1 PCs (A & B), plugged in to a 3750-x (v12.2-58-SE2), on ports 33 and 41.
 
The ports are configured for 802.1x, auth order of  MAB then Dot1x. Priority is Dot1x, MAB. The config is the same on both ports (verified at show run all).
 
When either PC is plugged in to port 33, everything works as I expect. Client sends an EAPoL message, gets a response, and is authenticated. When PC A is plugged in to port 41, same correct result. When PC B is plugged into port 41, the client sends an EAPoL start, and the switch never replies.
 
If port 41 has the authentication order changed to dot1x then MAB, PC B works fine.


AAA/Identity/Nac :: Authentication Login On Switch 3750 E

Mar 29, 2011

I would like to set up centralized management of login accounts on my Cisco switch (with a RADIUS server). But on the Cisco 3750 E, I use 12.2(44) SE1 IOS and no command aaa authentication login exists.
 
Can the Cisco 3750 support an IOS other than 12.2 that has this ability?


Cisco AAA/Identity/Nac :: 3750 AAA Authentication Banners And Banner Logins

Aug 10, 2009

I'm experiencing some problems with AAA authentication banners and banner logins. I'm trying to use spaces and empty lines, but at login all the lines come one after another, with no empty lines and no spaces. The problem appears on a 3750 with IOS version 12.2(5)SE2.


AAA/Identity/Nac :: 3750 Using AV-Pairs To Add A Description To Port Based

May 9, 2013

I recently saw a Cisco demo of ISE with a customer, and the Cisco SE was setting the port description to the logged-in username (dot1x). I can't find any docs on doing this. I did find some old ACS docs that mention using an AV pair and sending aaa:suplicant-name in the result, but that isn't working. I'm trying this on a 3750 and using ISE.


Cisco AAA/Identity/Nac :: 3750 / Get RADIUS Setup For Authentication To Switches And Routers?

Sep 19, 2012

We are setting up a new office and I am trying to get RADIUS set up for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung up on what I think is something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
 
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius

[code]....


Cisco AAA/Identity/Nac :: Catalyst 3750 - TACACS Authentication Stopped Working

Jul 25, 2011

We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.


Cisco AAA/Identity/Nac :: Assign QoS Service Policy Via RADIUS To Catalyst 45k / 3750?

May 4, 2011

Is there a way to assign a QoS service policy via RADIUS to a Catalyst 4500/3750 switchport?
 
In detail, we would like to assign this policy
 
policy-map SET_EF
 class class-default
  set dscp ef
 
to an interface. All traffic should be marked with a defined DSCP value.
 
This works fine when doing it statically with
 
interface FastEthernet2/1
 service-policy input SET_EF
 
but we would need to assign such a policy via RADIUS during the 802.1x authentication. Different users should get different policies. We use Cisco ACS 5.2 as the RADIUS server, and there actually is a field for that in the Authorization Profile Common Tasks Configuration. In detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to a NAS.
 
We also found two other attributes for that, "sub-qos-policy-in" and "ip:sub-qos-polcy-in". CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k [URL]
 
Unfortunately this seems not to work on Catalyst 45k and 37k.
 
In the ACS logs we can see that these attributes are attached to the RADIUS reply, but unfortunately they are ignored by the switch.
 
It is interesting that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayed, so to my understanding the switch should understand these attributes (?)
 
4503-E#sh aaa attributes
AAA ATTRIBUTE LIST:
    Type=1     Name=disc-cause-ext                 Format=Enum
    Type=2     Name=Acct-Status-Type               Format=Enum

[Code]......


Cisco Switching/Routing :: 3750 No MAC Address On Switch Port

Apr 15, 2012

There's a Cisco IP phone that sits between a PC and the switch port. On the switch port, no MAC address is learned. However, the switch is able to detect the IP phone and deliver power to it: [code] Switch is Catalyst 3750 with IOS version 12.2(58)SE1.


Cisco VPN :: ASA 3750 IPSec Client Registering Home IP Address

Aug 30, 2012

I installed some Nexus 5k to replace their 3750 and added dynamic routing. Well, after working out most of the issues with most of the stuff, there is one issue that still remains. From what I understand (I have not made it back to the site yet), when their users connect to VPN with IPSEC (they only use the thick client) they register their local IP address to DNS and their VPN-assigned IP address. At this time I don't have access to the configurations.


Cisco Wireless :: 3750 Switch - DHCP Server / Cannot Get IP Address

Jan 8, 2012

I have a 1250 AP connected to a Cisco 3750 switch. We have an SSID (VLAN 1 - native) which gets an IP address from our DHCP server (located on a Windows 2003 server). I added a new SSID in VLAN 2 and I would like not to use the DHCP server but to make the AP hand out an IP address from the pool I created on the AP itself (ip dhcp pool Guest), but every time I try to connect to the new VLAN, it doesn't get an IP address.
 
Follow the settings of the AP.
 
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
[Code]...


Cisco Switching/Routing :: 2960 / 3750 - IP Address Conflict?

Feb 7, 2012

I have a 2960 switch and a router that connects with one interface to that switch. The link is a trunk and the router's function is inter-VLAN routing between 4 VLANs. This network has only one IP address space, which is 10.10.2.0/24, and works without problems. We connect the Cisco 2960 switch with an optic link to another switch, a 3750 stack, which is configured as a trunk link and allows only 3 VLANs between them. On the other side, the network which contains the 3750 switch has a different IP subnet, and that switch is working in layer 3 too. The problem is that when I permit VLAN 210 on the 2960 switch, only layer 2 between this switch and the 3750, in the network that contains the 10.10.2.0/24 devices, if I disconnect and then connect a PC to the network it says that it has an IP conflict, and in the log it shows the MAC address of the router that has the VLAN 210 subinterface configured with the 10.10.2./24 subnet. But when I give back VLAN 210 from the permitted VLANs on the trunk, devices start working normally. If I again put VLAN 210 in the permitted VLANs on that trunk, devices again say that there is a conflicting IP address and show the MAC address of the VLAN 210 router subinterface.


Cisco :: Windows 7 2008 Duplicate Static Address When Using 3750

Apr 30, 2013

ISE 1.1.3
Cisco 3750 switches
Windows XP / 7 / 2008 clients
 
I'm having some weird issues where if a client connects to a switchport and happens to be using a static IP address, then the client warns of a duplicate address problem. Also the client will then only show the default gateway within ipconfig, even though the IP address / mask is still in the GUI network properties of the adaptor. This is happening with Windows 7 and Windows 2008 devices.
 
Windows XP clients don't get the issue.
 
Some clients will use 802.1x native supplicant and some will be authenticated based on MAB.  Not noticed the problem with 802.1x clients but it always occurs on MAB.
 
I came across a similar issue here: URL
 
Going off that blog I tried using the "ip device tracking delay probe delay" command but the switches don't recognise the "delay" keyword.
 
The switches are 3750  switches running version 12.2(58)SE2.
 
All I have is  "count, interval, use-svi" as extra options.
 
Catalyst 4500 switch guide has  "delay" option but no "count, interval or use-svi".
 
The only way I have managed to avoid the problem is using the second solution which is a registry hack on each client.  This is fine for the odd server but not realistic when there will be hundreds of other clients.


Cisco Switching/Routing :: 3750 / Access A Target Server With IP Address 10.2.2.13?

Oct 16, 2012

Today when we run one application to access a target server with IP address 10.2.2.13, the application cannot run through and shows an error message related to networking. The target server has two network ports, whereby another one with IP 10.2.2.14 is running OK with the same application. Both of these connections are connected to the same Cisco 3750 switch; after the switch they go to a Cisco ASA firewall, which has no access control rule for this 10.2.2.13 and its subnet, and then the firewall connects directly to the application server. We can ping, use remote desktop access and telnet to the port for the application on the target server by using 10.2.2.13. We swapped the cable connections of the ports with one another and tried the application again; the IP 10.2.2.13 still fails and the IP 10.2.2.14 is OK. We then changed the IP from 10.2.2.13 to 10.2.2.12 or 10.2.2.155, and all are OK. We changed back to 10.2.2.13, and it failed again. The switch is running in real-time production and so we cannot power cycle or reload the switch.


Cisco AAA/Identity/Nac :: Change IP Address Of ACS 5.2 Itself Through The Web?

May 30, 2011

How can I change the IP Address of cisco ACS 5.2 itself through the web?


Cisco AAA/Identity/Nac :: ACS 4.2 Changing IP Address

Apr 6, 2013

I need to change the IP address of existing primary cisco ACS 4.2 (windows based). What is the required procedure to change the IP address?


Cisco AAA/Identity/Nac :: Ip Address Pool In ACS 5.3?

Sep 30, 2012

Is it possible to create an ip address pool for ip address assignment in ACS 5.3, like it used to be possible in 3.x and 4.x?








Copyrights 2005-15 www.BigResource.com, All rights reserved