Cisco AAA/Identity/Nac :: 3750 Replies To EAPoL On One Port But Not Another

Feb 24, 2013

There are two Win7 SP1 PCs (A & B), plugged in to a 3750-x (v12.2-58-SE2), on ports 33 and 41.
 
The ports are configured for 802.1x, auth order of MAB then Dot1x. Priority is Dot1x, MAB. The config is the same on both ports (verified at show run all).
 
When either PC is plugged in to port 33, everything works as I expect. Client sends an EAPoL message, gets a response, and is authenticated. When PC A is plugged in to port 41, same correct result. When PC B is plugged into port 41, the client sends an EAPoL start, and the switch never replies.
 
If port 41 has the authentication order changed to dot1x then MAB, PC B works fine.


Cisco Security :: 3750 Switch Not Forwarding EAPoL To RADIUS Server

May 27, 2010

I have a 3750 switch stack running version 12.2(53)SE2 IPBASEK9-M. I have dot1x configured on the switch and have a Windows 7 PC connected with 802.1x configured on the interface. I see the EAPoL start message from the PC, but I don't see any RADIUS packets from the switch to the RADIUS server. I have a simple dot1x config just to try to get it working prior to adding additional features such as guest-vlan...
 
Config and debug file attached.
 
I don't know if the ip dhcp snooping and arp inspection configuration is causing an issue with this or not. I see the EAPoL packet received on the switch as seen in the debug attachment, but I still never see the RADIUS packet. I did set both to trust on the interface but still the same outcome. I can't disable it since it is a production switch with a test interface.


Cisco Wireless :: 3750 - ARP Replies From HSRP Gateway Lost Over Wireless

Apr 5, 2012

We have 2 access switches (3750s) that are both attached to a pair of Nexus 5548UPs with L3 cards over VPCs.  Access switch (AC1) terminates our 4402 WLC.  The WLC services 4 WLANs and connects to the access switch with a single trunked port.  Access switch 2 (AC2) terminates an 1131AG lightweight AP.  The WLAN is 10.1.1.0/24 on VLAN 300.  Router 1 (R1) VLAN 300 IP is 10.1.1.2.  Router 2 (R2) VLAN 300 IP is 10.1.1.3.  R1 is the active router for VLAN 300.  The standby IP for VLAN 300 is 10.1.1.1.  The VPCs between both access switches and the router pair are functioning correctly and trunks are wide open (no pruning).
 
Wireless clients get a DHCP address from a server on another VLAN.  Those addresses get handed out just fine.
 
Wireless clients can ping 10.1.1.3 (R2).  They cannot ping 10.1.1.1 (standby address) or 10.1.1.2 (R1). 
 
I took captures from the WLC and I see the ARP requests and replies from wireless clients to their gateway (10.1.1.1).  I took another capture directly from the wireless clients themselves.  From there, we see the ARP requests, but never the replies.  If I create a static ARP entry on the client, it can ping the gateway just fine.


AAA/Identity/Nac :: 3750 Using AV-Pairs To Add A Description To Port Based

May 9, 2013

I recently saw a Cisco demo of ISE with a customer and the Cisco SE was setting the port description to the logged in username (dot1x). I can't find any docs on doing this. I did find some old ACS docs that mention using an AV pair and sending aaa:suplicant-name in the result, but that isn't working. I'm trying this on a 3750 and using ISE.


Cisco Switching/Routing :: Replacing 3750 24 Port With 3750 48 Port?

May 21, 2012

We have a stack of switches that is at the max number of members allowed in the stack. Problem is we are running out of port density and need to add more ports. So instead of adding a whole new stack I would rather replace 2 of the 24-port switches with 48-port switches.
 
If the two 24-port switches we are removing are stack members and neither of them are the stack master, I should be able to replace the 24-port switches with the 48-port switches without bringing the master offline? If the new 48-port switches are running the same IOS version as the current 24-port switches, they should add themselves to the stack? Would I have to tell the new 48-port switches what switch numbers they are replacing in order for them to be added to the stack since we are at the max number of members? Also, since the 48-port switches are replacing 24-port switches, will the master give the 48-port switches the configuration for only the 24 ports?


Cisco VPN :: ASA 5505 - Can Ping Outside Interfaces But Cannot Get Replies

Mar 23, 2013

I have set up site-to-site VPN on 5505s at 2 sites. I can ping outside interfaces from both sites but cannot get replies when I ping clients behind the 5505 from the ASA itself. I have also tried to ping from 10.x.x.x to 217.41.x.x and to 192.168.x.x but do not get a response.
 
I was expecting the configuration to be enough but there might be something I am missing.


Cisco Wireless :: 5508 Max EAPOL-key M5 Retransmissions Exceeded For Client

Feb 21, 2012

I have had several complaints from around the firm whereby mobile devices are being bumped off the PSK secured network (all other SSID networks are operating A-OK). Both Android and iPhone devices are being affected; the device will just loop until it reconnects, sometimes up to 20 minutes of trying to establish a connection. It will eventually connect so the key is not the issue. I've attached a debug of a device which fails to connect and then shortly after is successful.
 
Controller 5508 v7.0.116.0
AP 3502i IOS 12.4(23c)JA2


Cisco AAA/Identity/Nac :: 3750 - Configuring NPS AA

Jan 4, 2012

I am struggling with configuring NPS AA for our 3750 array ... authentication and authorization. I tried almost every config I could find online but the most I got out of it is a simple authentication. What I need is quite simple: we have several AD groups.

1- Admin
2- Read only with few privileges for ping, show, trace route and telnet
 
I need my switches to be able to recognize the groups and assign them the correct priv. But it doesn't seem to be happening. Any clean config for the switch and for NPS?


Cisco AAA/Identity/Nac :: Missing RADIUS On 3750?

Feb 27, 2012

When I upgraded my Cisco 3750 ME from c3750me-i5k91-mz.122-46.SE to c3750me-i5k91-mz.122-58.SE2.bin, all commands for RADIUS disappeared? However, there are a lot of commands for LDAP which were missing in the previous version. Seems as if RADIUS has disappeared and been replaced by LDAP?


Cisco AAA/Identity/Nac :: ISE & 3750 Switch MAB Configuration

Jan 16, 2013

I am writing in response to a MAB issue which I noticed a few days ago and I am still not able to understand what exactly happened. First of all I would like to say that I configured MAB authentication and according to the MAC the ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration the switch authorizes the new device to VLAN 11 (critical VLAN). That is fine! When the ISE server is up again I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why did that not happen??? It looks as if the switch didn't notice that the RADIUS (ISE) was up and working again. [code]


Cisco AAA/Identity/Nac :: 3750 - Cannot SSH To Switch 2960

Jan 10, 2012

I replaced an access switch 3750 with a switch 2960. Basically I just copied the whole config of the 3750 to the 2960.
 
The 3750 uses AAA, Crypto pki trustpoint TP-self-signed and radius-server host etc.
 
Now I can only telnet to 2960 but not SSH to it.


Cisco AAA/Identity/Nac :: 3750 - IP HTTP Server (with No Authentication)

Dec 29, 2011

I have a customer who used to own a 3750 with an older version of IOS. The switch he had used a three year old version of IOS which allowed him to browse to the switch IP and manage it via HTTP without entering a password at all. Now he has a replacement switch with a new version of IOS (since the previous switch died). We slapped the config on from the old switch but no matter what we do (understanding that new http aaa authentication commands were added) we can't get this thing to let him in without prompting him for a password. I understand this was an insecure config to begin with so I shouldn't be advocating using it in the first place, but this is what the customer wants. Basically what I'm trying to figure out is: are we banging our heads into the wall for nothing as the "ip http server" will not allow an authentication method of "none" anyway? None of the official documentation I have read for the http aaa authentication commands shows this as an example, nor have I found any blog posts on how to do it either. Perhaps Cisco removed this by design.

Here is the config: 
 
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authentication login none none
ip http server
ip http authentication aaa login-authentication none

[code]....


AAA/Identity/Nac :: Authentication Login On Switch 3750 E

Mar 29, 2011

I would like to make centralized management of login accounts on my Cisco switch (with a RADIUS server). But, on Cisco 3750 E, I use 12.2(44) SE1 IOS and no command aaa authentication login exists.
 
Can the Cisco 3750 support an IOS other than 12.2 that has this ability?


Cisco AAA/Identity/Nac :: 3750 AAA Authentication Banners And Banner Logins

Aug 10, 2009

I'm experiencing some problems with AAA authentication banners and banner logins. I'm trying to use spaces and empty lines, but when logging in, all the lines are after each other, no empty lines, no spaces. The problem appears on a 3750 with IOS version 12.2(5)SE2.


Cisco AAA/Identity/Nac :: 3750 AAA Server Address Is Dropped After Restart Sometimes

Jan 20, 2013

We have Cisco 3750G switches and have them set up to use Cisco ACS 5.2.0.26.5. On some switches, after they are restarted (and we know that the config is saved), the server address for the AAA authentication is dropped. We are running IOS c3750-ipbasek9-mz.122-40.SE. I have started to upgrade switches to c3750-ipbasek9-mz.122-50.SE5 to fix an issue with reporting high drops in Solarwinds.


Cisco AAA/Identity/Nac :: 3750 / Get RADIUS Setup For Authentication To Switches And Routers?

Sep 19, 2012

We are setting up a new office and I am trying to get RADIUS set up for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung up on what I think is something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
 
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius

[code]....


Cisco AAA/Identity/Nac :: Catalyst 3750 - TACACS Authentication Stopped Working

Jul 25, 2011

We have a Catalyst 3750 switch that failed over to local login after the TACACS authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.


Cisco AAA/Identity/Nac :: Assign QoS Service Policy Via RADIUS To Catalyst 45k / 3750?

May 4, 2011

Is there a way to assign a QoS service policy via RADIUS to a Catalyst 4500/3750 switchport?
 
In detail, we would like to assign this policy
 
policy-map SET_EF
 class class-default
  set dscp ef
 
to an interface. All traffic should be marked with a defined DSCP value.
 
This works fine when doing it statically with
 
interface FastEthernet2/1
 service-policy input SET_EF
 
but we would need to assign such a policy via RADIUS during the 802.1x authentication. Different users should get different policies. We use Cisco ACS 5.2 as RADIUS server and there actually is a field for that in the Authorization Profile Common Tasks Configuration. In detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to a NAS.
 
We also found two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k [URL]
 
Unfortunately this seems to not work on Catalyst 45k and 37k.
 
In the ACS logs we can see that these attributes are attached to the RADIUS reply, but unfortunately they are ignored by the switch.
 
It is interesting that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayed, so to my understanding the switch should understand these attributes (?)
 
4503-E#sh aaa attributes
AAA ATTRIBUTE LIST:
Type=1     Name=disc-cause-ext                 Format=Enum
Type=2     Name=Acct-Status-Type               Format=Enum

[Code]......


Cisco WAN :: Port Security Action On 3750?

May 22, 2012

I was wondering if there is a workaround to have a mac access-list bound to a port security violation action. Our need is the following: we have a range of 10 MAC addresses that can use any port on the 3750; we only want to allow those ones, yet we also need to take action if a denied MAC appears on any port of the switch. The only workaround I found is to basically go into port-range mode and list all the allowed MAC addresses under all the ports of the switch. I would also add to that a port violation action. I did not test it but it should work. Problem is, it would be a huge config. I did read that we can create a mac access-list and then bind that to physical ports, which would actually simplify our solution, yet I did not find a way to bind the mac list with a port violation action.


Cisco WAN :: Does 3750 IP SLA Can Monitor Port Status

Jul 14, 2011

Can Cisco 3750 IP SLA monitor, let's say, the 3750 G1/0/1 port status, and once it is down, have the 3750 also bring G1/0/2 down? If yes, what is the command to do it?


Cisco WAN :: QoS Configuration For 3750 Switch WAN Port?

Jul 27, 2011

We are using 3750 switches as WAN routers facing the WAN cloud. To configure QoS for the WAN port, should I use "auto qos voip trust" or treat it like a router port and configure class-maps, policy-maps, and attach service-policy input or output?
 
Because switches have different queuing and dropping methods than routers, auto qos can generate QoS configs that are considered most appropriate for 3750 switches. However, the switch functions as a WAN router. Maybe it should be configured using router-type QoS with policy-maps and service-policy?


Cisco WAN :: 3750 - Stack And Switch Port Keeps Going Up / Down

Nov 7, 2012

I have 2 3750x switches connected via a pair of StackWise cables, but I keep seeing error messages about the stack and switch ports going up and down. Performance wise, it seems to work, but I'd like to eliminate this message... Sometimes it will go hours without bouncing, sometimes it does it a few times a minute....
  
*Mar  4 12:56:57.903: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
*Mar  4 13:16:48.070: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state UP
*Mar  4 13:16:49.093: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN
*Mar  4 13:38:55.802: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state UP
*Mar  4 13:38:56.809: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN

[code]...


Cisco AAA/Identity/Nac :: 3750 Fall Back To Local Vlan If Radius Server Is Found

Nov 14, 2012

We have configured the following commands on the switch to fall back to a local VLAN if both RADIUS servers (policy personas) are found dead. For test purposes we shut down both servers (policy personas) but fallback didn't work. We have a 3750 switch running image 12.2(55)SE6 with the following configuration. We do not know whether we configured the switch in the proper way or whether we need to modify it. [code]


Cisco WAN :: Configuring 3750-x Port For Multi Vlan?

May 4, 2012

Scenario: I have a VM server with four virtual servers, all configured in different subnets. What's the best way to configure a 3750-x switch to route traffic from the virtual servers to their VLANs?


Cisco WAN :: Load Balance Of 3750 Port Channel?

Jul 17, 2011

What is the load balance method of the 3750 port channel (by source IP, or by source MAC) to divert traffic to paths? I have tried to use 10.242.104.101 and 10.242.104.102 as source IPs; it will travel on the same link (G0/1) within one port channel (G0/1+G0/2). However, if I later use 10.242.104.109, then this time the traffic goes to the G0/2 link. What's the concept behind this?


Cisco :: Orion Shows 3750 Port Speed Changes?

Jun 3, 2012

We use Orion for monitoring. We recently started monitoring a workstation switch and find many occurrences of port speed changes indicated. Our workstation ports are configured with auto speed and duplex. Is it normal that we are detecting speed changes on the ports? Do workstations running XP automatically adjust their speed for traffic management or power save? Perhaps something like speeds changing when the PC goes to sleep mode but has wake on LAN enabled? Is it possible that the MIB is misreporting?
 
I realize that there are many different NIC vendors/drivers that might act differently.  Just wondering (in others experience) if it is somewhat normal or if there is anything on network I should be looking into as to why speeds are changing?  We plan to not monitor workstation ports (only uplinks) on the switch.. but before we do, I thought I would see if what we are detecting needs to be addressed?
 
Here is an example from Orion of a speed changing.  Seems always off hours:
 
6/1/2012 6:17:52 AM eventWoRKSTATION-3750-CLUSTER - GigabitEthernet1/0/14 · 2nd Floor Patch#11 Interface Speed changed from 10000000 to 1000000000 bps 
6/1/2012 2:47:52 AM eventWoRKSTATION-3750-CLUSTER - GigabitEthernet1/0/14 · 2nd Floor Patch#11 Interface Speed changed from 1000000000 to 10000000 bps 


Cisco Switching/Routing :: 3750 Stack Port

May 19, 2013

I have a stack of 4 3750 Switches.
 
1. WS-C3750G-12S
2. WS-C3750G-12S
3. WS-C3750X-48P
4. WS-C3750X-48P
 
The stack cable connected to Switch 1 Port 1 and Switch 4 Port 2 will not come back online. The logs show that there was a Stack line change. I have replaced the 1 meter Stack cable from Switch 1 to Switch 4 three times and it still does not come back online. This is the part that is interesting.. I have disconnected Port 1 Switch 4 and connected it to Port 2 Switch 4 and then Switch 4 came back online. This made me think Port 2 on Switch 4 was working correctly. Then I disconnected Port 2 Switch 1 and connected it to Port 1 Switch 1 and then Switch 1 came back online.


Cisco Switching/Routing :: Stack Port Down On 3750

Mar 11, 2013

I have a cable I think is bad; is it possible to switch the cable out without causing any downtime to the switch or connected devices?
 
HQ-1st-Flr-Stack#show switch stack-ports summary
Switch#/  Stack   Neighbor   Cable    Link   Link   Sync      #         In 
Port#     Port              Length    OK   Active   OK    Changes   Loopback
Status                                          To LinkOK   

[Code].....


Cisco Wireless :: Port Channel WLC 5508 And 3750?

Jan 2, 2013

I want to configure Port channel for WLC 5508 and cisco 3750 Stack Switch. What changes I need to make on WLC and where?


Cisco WAN :: 3750-X POE Power Is Not Coming On Switch Port

Feb 22, 2013

We have configured Cisco 3750X POE series switches with Stack, WS-C3750X-48P, each with redundant 1100W & 715W PSUs. They are configured with Stack-Power in Sharing mode and the switches are Smart Stacked as well. IP Phones and Access Points are connected and have been working for the last two years.
 
Now we are facing an issue with Cisco IP Phones and Access Points. When I have a problem and unplug (disconnect & reconnect) the IP Phone from the switch port, power is not coming on the switch port. Plug it into another switch port of the same switch and it may not power on any port. I tried shut & no shut and reconfigured the switch port; I have verified the same issue on multiple switch ports on the switch and I have changed the cable.


Cisco Switching/Routing :: 3750 - How To Enable SFP Port

Nov 7, 2011

I am trying to configure a 3750 48 port switch and having trouble getting it to see the SFP. I just want to set up the switch with a pretty basic setup since I am using it for a ping test between 2 buildings, via fiber. How can I enable the SFP port?


Cisco Switching/Routing :: Destination Port Protocol Is Down In 3750

Jun 18, 2012

I have configured SPAN in a Cisco 3750 switch as mentioned below, but the destination port protocol is down.

switch(config)#monitor session 1 source interface gigabitethernet1/0/1
switch(config)#monitor session 1 destination interface gigabitethernet1/0/11 ingress vlan 1


Cisco WAN :: 40Gb Port-Channel Between 3750-x Switch Stacks?

Apr 9, 2012

I have a customer that would like a 40Gb port-channel between two 3750-x switch stacks. When I try to activate four 10Gb ports in the channel, they go into error-disable. However, I am able to create a 20Gb port-channel without issue. I have had my configurations verified against Cisco best practice.
 
Is there a limitation on the amount of throughput that the 3750-x can handle? According to the data sheet the 3750X-48T can handle 101.2mpps, based on two 10Gb uplinks, so if my math is correct then a stack of two 3750X-48T should be able to handle 202.4mpps.
  
[URL]

Copyrights 2005-15 www.BigResource.com, All rights reserved