Cisco AAA/Identity/Nac :: 4500 / Interface Is Up / Line Protocol Is Down (not Connect) / Dot1x?

Aug 11, 2011

I configured dot1x on my switch 4500 series. Here is the interface configuration:

interface FastEthernet3/2
description Test dot1x
switchport mode access
load-interval 30
authentication event fail action authorize vlan 800
authentication host-mode multi-host
authentication port-control auto

[code]....
 
When I remove the port-control configuration on the interface, the status changes to UP/UP.


Cisco :: FastEthernet0/0 Is Up / Line Protocol Is Down

Jan 26, 2013

I was working on a problem the other day and came across something that I had seen before but never given much thought. I had a router with a switch connected to it and the interface was showing as Ethernet0 is up, line protocol is down. The problem in the end turned out to be a cable that had fallen out because it was not connected correctly, but I was able to replicate this interface status on a router (FastEthernet0/0 is up, line protocol is down), and NO cable was attached to the interface. I've had a look on the internet but can't seem to find a good answer, so does anybody else know why this status is shown on the router? Remember, NO cable is connected to the interface so it isn't a speed or duplex problem.


Cisco :: BVI1 / Line Protocol Is Down?

Sep 7, 2009

How to bring this interface back up? It's a 1252 with 80211.n. I started configuring it with CLI and then was using the web interface. I made a change on the web interface and it caused the AP to hang. I rebooted it and can access via Hyperterminal, but I cannot ping the IP address nor bring it up in the web interface any longer. I tried the "No shut" command in the BVI1 interface.


Cisco AAA/Identity/Nac :: Setup ACS 5.1 For Dot1x-Port Authentication?

Jan 24, 2010

I want to setup the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error message: 24435 Machine Groups retrieval from Active Directory succeeded


Cisco AAA/Identity/Nac :: Dot1x Guest VLAN On 2960G

Apr 9, 2012

I have a 2960 sw configured for dot1x authentication, the problem is the Guest VLAN and Restricted VLAN did not work. The switch port was stuck in authenticating status. The server is Juniper IC4500.


Cisco AAA/Identity/Nac :: 3560 Dot1x Failure After IOS Upgrade To 12.2. (55) SE1

Apr 5, 2012

This weekend we have upgraded the ios on quite a few switches on a larger site, the site is a mix of 2960 and 3560 switches and the previous ios versions were 12.2.44 on most switches but some had an older 12.2.25. On Monday when we came into work we got a call that most of the ports on these switches were an amber color and most people couldn't use the network. After some investigation we discovered that we had a problem with dot1x so for a quick solution we just removed it from the switches and restarted all the ports with no dot1x enabled, [code]


Cisco AAA/Identity/Nac :: ACS 4.2 Setting Up Hot Desk With Dot1x With Ip Phone

Aug 12, 2012

Is it possible to set up a multi use port that will use dot1x to authenticate several laptops, only 1 connected at a time, but I need the phone to automatically connect without having to make changes to the phone config as I don't have access to the Cisco call manager to set up the authentication.
 
Setup would be using catalyst 3650x at the access layer, various Cisco ip phones models and a Cisco acs 4.2 server doing the authentication. The laptops would be plugged in through the phone. The switch is already in use and setup and using both data and voice vlans, but now I need to enable it for several users. The acs is already setup to authenticate our wireless network so I'm planning on using the same setup for the wired side.


Cisco WAN :: 6506 OC3 Troubleshooting Line Up Protocol Down

Jan 21, 2013

I'm replacing a PA-POS-OC3-SM with PA-POS-1OC3 in a flex Wan module (WS-X6582-2PA) in Cisco 6506 using WS-SUP32P-GE PISA. I have a hard time bringing the protocol up. The status I see is line up and protocol down. Debug shows (attached) no communication with the edge router, but when I put the older PA (PA-POS-OC3-SM) back everything works fine, and the older PA has been running for many years without the issue. I'm replacing the older PA because it is going EOL. I had opened a TAC case but the TAC engineer added no value. [code]


Cisco AAA/Identity/Nac :: Ws-c3750-48ps Enable Dot1x On Stack I

May 31, 2013

I have 3 ws-c3750-48ps in a stack and I'd like to enable dot1x on the stack. I entered the commands: [code] I also have dot1x enabled on several interfaces on the 2nd and 3rd switches in the stack with these commands: [code] dot1x successfully works on these ports and I see the logs in ACS. Here's where the problem comes in: when I try to enable dot1x using the above commands on any interface on the first switch in the stack it doesn't work; it's like the switch doesn't support dot1x. I'm assuming that there is a bug in version 3 but after googling I didn't come up with much.


Cisco AAA/Identity/Nac :: 2960 - Manually Re-authenticate Dot1x Client?

Jan 17, 2013

I was looking for a way to manually re-authenticate dot1x client from cli and found this: [URL]
 
"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"
 
I've tried it on a 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seem to be implemented. Have I misunderstood something? Or do you guys have any other command to accomplish a manual re-auth?


Cisco Switching/Routing :: 3750x - Command Cts Dot1x When Applied To An Up-link Interface

May 7, 2012

We're having an issue with the command "cts dot1x" when applied to an uplink interface. It basically kills the connection when this command is applied. Once you remove it, everything is back to normal. The platform is a Cisco 3750x.


Cisco WAN :: Fast Ethernet Is Up / Line Protocol Down 1841

Aug 2, 2012

I have a Cisco 1841 whose LAN interface is showing status as "Fastethernet 0/1 is up, line protocol is down". The duplex and speed settings in the router are in auto mode and the router was working fine till now. When I changed the duplex settings to duplex full, speed 100, the ping comes back with 5-6 replies, then the link dies again.


Cisco WAN :: 2911 - DMVPN Tunnel 0 Up - Line Protocol Down

Jul 8, 2011

We have a 6 spoke DMVPN setup. Five of the six spokes work fine. On the 6th spoke, a 2911, we have created a Tunnel0. Other spokes and the hubs can ping its IP, but it can't ping itself. When we do a show interface it shows the Tunnel 0 is up, but the protocol is down. What does that mean?


Cisco Switching / Routing :: 3550 - Line Protocol Flapping

Aug 27, 2012

I work for a Wireless ISP and the device impacted is the back haul radio into the site. I have swapped from a 2950T to a 3550. Replaced the radio, PoE, patch lead. We have re-run the cable up the tower using shielded outdoor cable with a drain wire which has been earthed to an earthing block in the cabinet. We have other devices on the tower not experiencing the issue. We suspect cable interference; however, I am now at a loss to diagnose further.

[Code]....


Cisco WAN :: Serial Up Line Protocol Down On 1900 Router With Single T1 Connection

Jul 11, 2012

Have been battling a router connection to new ATT T1 connection. Router was configured and sent from sister company to this new location. We have had ATT tech test circuit and it tests good, had cat5 cable tested from ATT to router, it tests good. I continue to get serial up / line protocol down status though and can't communicate to it from WAN.


Cisco Switching/Routing :: 4500 Sup 6 / Not Seeing Line Cards

Feb 14, 2012

I have a Cisco 4500 Sup 6 engine and I have two 48 port fiber line cards installed. When I do a show interfaces I do not see any of the fiber cards. This is a new out of the box 4500 and I installed the Sup 6 line card in slot #1, and the two 48 port fiber cards in slots 2 and 3. Am I missing something, is there a command or set up procedure for the line cards? I just assumed they were plug and play.


Cisco :: 4500 - Default User Name For Console Line Login Local?

Aug 22, 2011

I have a console access to a Cisco 4500 series router over Cisco access server, which has following "line con 0" configuration:


Cisco Switching/Routing :: Catalyst 4500 - EtherChannel Terminating On Different Line

Apr 22, 2012

I have 2 x WS-X4548-GB-RJ45 Catalyst 4500 Enhanced 48-Port 10/100/1000 Base-T (RJ-45) line cards in a 4500 chassis with 2 x WS-C4507R-E E-Series Supervisor engines. We would like to create a layer 3 ether channel from an access layer switch terminating on our 4500 chassis. Can we configure the ether channel from the access layer switch such that one port on the ether channel is on one line card and the other one is on the other line card?


Cisco Switching/Routing :: 4500-E Series Line-cards Supported On 4507R?

Mar 25, 2013

I wonder are 4500-E series line cards (i.e. WS-X4648-GB-RJ45, WS-X4748-UPOE+E and WS-X4606-X2-E) supported on 4507R chassis? Datasheet says "Classic line cards may be deployed in both classic and E-Series chassis with either classic Cisco Catalyst 4500 Series supervisor engines or with the Cisco Catalyst 4500E Series Supervisor Engine." But it says nothing about E-Series line-cards being (or not) supported on classic chassis (like 4507R).


Cisco Switching/Routing :: 805 Show IP Interface Brief Protocol Down

Feb 24, 2013

I have encountered a problem on my Cisco 805 model.

When I use the command "show ip interface brief" the status shows "up" but the protocol is "down" on my serial interface.

The link between my two sites is down after this happened.


Cisco AAA/Identity/Nac :: ACS SE 4.2 RADIUS Protocol

Mar 28, 2013

I am using the Self RADIUS server in my Cisco ACS SE 4.2 appliance S. I have an AAA client C that interacts with S by means of the RADIUS protocol. This works fine, in that S correctly carries out authentication chores on username/password (PAP and CHAP) pairs received from C, sending back to C the corresponding Access-Accept packet when the authentication succeeds, or Access-Reject when it doesn't.
 
I have been able to import a set of three VSAs into S. Each of those attributes is of string type. I then configured in S a single user U with password P so that, whenever a U/P pair received in S from C is authenticated by S, S should send back to C, in the Access-Accept packet, the three attributes with the following values: [code]

With this setup, when an authentication is successfully completed by S, C receives 53 bytes worth of data from S every time. I am attaching a typical example, already disassembled. I have disguised the actual vendor ID, for legal reasons, but the rest is exactly as it was when received in C.
 
According to the disassembly, what we got is an Access-Accept packet, as expected. Its length is 53 bytes - again as expected, for this is the only packet that C has received from S here. However, the packet is incomplete, for attribute #3 is missing its value field.
 
Looking into the whole packet in more detail, it can be seen that while the wire format for the first attribute, namely, Frame-IP-Address, is correctly constructed, the remaining are not. For example, the sequence of bytes corresponding to the attribute #1 reads 1a 09 00 00 xx xx 2c 61 62 63. I believe that this is incorrect; it should be 1a 0a 00 00 xx xx 2c 61 62 63, for the wire format for this attribute consists of 10, not 9, bytes. I tried a few variations on the values for the attributes, and the results are always substantially the same, in that the wire formats for these attributes are always incorrect.
 
This all probably implies I have done something wrong when importing the VSAs into S, and/or when configuring things on S. I am therefore attaching the csv files I used to import my VSAs into S; as before, names and vendor ID are disguised, but their lengths are exactly the same as in the undisguised file. I used two csv files: One to import the vendor ID, and the other to import the VSAs under that vendor ID. As for user U, in S's administration GUI I clicked on User Setup and selected user U, moved to the bottom of the screen, where the attributes for this particular vendor were present, introduced the values for each attribute mentioned above, and made sure that button in front of each attribute was ticked.


Cisco WAN :: 3560 Way To Find Out Which Protocol Traffic Flowing Through Interface

Oct 4, 2011

We have a 3560 switch with the following IOS: version 12.2(55)SE3 and image name C3560-IPSERVICESK9-M. On one of the interfaces we need to know what traffic is flowing.
 
Do we have "ip nbar or ip route-cache" support on this switch IOS? Is there any other way to find out which protocol traffic is flowing through that interface.


Cisco :: Unknown Protocol Drops On Internal Interface Connecting To Switch?

Jul 31, 2012

I have come across a few sites where I see some unknown protocol drops on the internal interface connecting to the switch.


Cisco Switching/Routing :: Unknown Protocol Drops On WAN Interface - 2911

Feb 15, 2012

I have been having following situation on my WAN facing interface on Cisco2911 where the same number of broadcast, multicast and unknown protocol drops is happening. Not sure but some applications are struggling to run over on the WAN.
 
[code]....


Cisco LAN :: 1801 Unknown Protocol Drops On Connected Router Interface

Oct 28, 2008

I have a 1801 router connected to a 3550 switch with a regular 802.1q trunk, and I am curious as to what may be causing the unknown protocol drops on the connected router interface.
 
The switch is without any configuration at all except the following for the trunk configuration on the interface connecting to the router.
 
Switch:
-interface FastEthernet0/1
-switchport trunk encapsulation dot1q
-switchport mode trunk
 
Router:
-Interface FastEthernet8
-switchport mode trunk
 
There is nothing connected to the switch other than the router so the dropped traffic must be originating from the switch itself. The unknown protocol drop counter on the router increments by one every 30 seconds, and I tried using a packet sniffer but nothing noticeable showed up.

I read elsewhere on these forums that it might be udld, but that is not enabled by default, and just to be sure I tried disabling it on the interface and as expected it said it was not enabled, so I am ruling that one out. I also read that it could be because the router is receiving traffic from other protocols than IP, but I do not see how it applies in this case.

What does a 3550 send every 30 seconds that my 1801 does not understand? Could it have something to do with STP?


Cisco :: 4500 Can't See Status Of Interface

Oct 27, 2012

I do terminal monitor on my 4500 switch. I can't see the status of the interface (when it becomes up or down). What is the problem? Do I need to add a command?


Cisco Switching/Routing :: 3825 - Unknown Protocol Drops On GigabitEthernet0/1 Interface

Nov 27, 2012

We are using a 3825 Cisco router with IOS version 12.4(24)T2. The unknown protocol drops on our GigabitEthernet0/1 interface are increasing. This interface is connected to our modem. What could be causing these unknown protocol drops?
 
cnshaccent-gw-2#sh int GigabitEthernet0/1
GigabitEthernet0/1 is up, line protocol is up
Hardware is BCM1125 Internal MAC, address is ffff.ffff.ffff (bia ffff.ffff.ffff)

[Code]....


Cisco AAA/Identity/Nac :: 4.2 Find Service Selection For TACACS+ Protocol Coming From ASA

Mar 10, 2011

I'm migrating ACS 4.2 to ACS 5.2 for a customer and I'd like to find a service selection for TACACS+ protocol coming from an ASA. I use TACACS+ for device administration but also for AAA of internal users internet access. I also use RADIUS for vpn remote-access, without problems. How to distinguish through the ACS service selection?


Cisco AAA/Identity/Nac :: ACS 4.2(0) Build 124 / Failed To Initialize PEAP Or EAP-TLS Authentication Protocol

Oct 31, 2010

I replaced an ACS certificate that had been installed as follows:

1. Generate CSR file and private key file, then send CSR to GeoTrust (Key length: 2048 and Digest to sign with SHA1)

2. GeoTrust send me a certificate. Issued by "GeoTrust SSL CA".

3. Install the certificate on the ACS. Restart ACS service.

4. ACS Certification authority setup. Issued by "VeriSign Class 2 Public Primary Certification Authority - G3"

5. Edit certificate trust list and select "VeriSign Class 2 Public Primary Certification Authority - G3" as trusted.

6. Enable EAP-TLS, then restarted the ACS service. The problem is when I try to enable EAP I get the error msg: Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page. I searched on Cisco and it said to disable the CSA, but in fact there is no CSA installed on this server.

OS: Win 2003 sp2
Cisco ACS: Release 4.2(0) Build 124


Cisco Switching/Routing :: 4500 Internal Virtual Interface On SUP7

Jul 22, 2012

We recently had a contractor deploy a 4500 catalyst switch with a WS-x45-SUP7-E. After installation and configurations, HP openview is detecting a "downed" interface on the 4500 chassis that is not in the configuration. I have attached an image with the interface circled. We assumed that it may be a configuration issue with openview, however after running diagnostics with a network analyzer, the same ip address for the down interface is still detected. Is this some sort of internal virtual interface on the SUP7?


Cisco Routers :: Does RV180W Offer Command-line Interface

Apr 15, 2012

12 users, 3 servers, 5 smartphones/tables on the WiFi (existing AP), future VPN server (maybe 5 simultaneous inbound VPN connections at the most with at least one client using a Mac), Cisco Gigabit small business switch. Internet access, VPN connectivity, and firewall (reporting, close/open ports for custom applications as needed). I was originally going to select an ASA5505-50 user device for the above client. The device is highly regarded on the Internet, offers a command line interface, priced right for the budget and should perform all duties required by the client. However, the addition of the RV180W to the Cisco product line has me questioning my choice.

1) Does the RV180W offer a command-line interface?

2) Is the RV180W limited in the number of users it can support without having to purchase additional user licenses?

3) How are firmware/software upgrades handled with the RV180W?

4) What will the client be giving up if they choose the RV180W vs. the ASA5505?


Cisco AAA/Identity/Nac :: ACL 122 - Setup Identity Firewall On ASA Version 5.6 On DMZ Interface

Aug 27, 2012

I have setup an Identity Firewall on a ASA version 5.6 on a DMZ interface. I have installed the ADAgent on a domain member Win2008 and configured as follows: [code]

where ashdew is a domain user and ACL 122 (only one line) is applied on the dmz interface and NAT is properly configured. The ADagent has been properly tested and ASA can register to it. The ASA can connect to AD DC controller and query user database. I have placed a laptop ip 172.17.h.x on the DMZ and can ping the DMZ interface.

The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity. Do I need to add extra rules in the access-list 122 to permit traffic to DC? Can I check on the AD Agent if it can retrieve the user to ip mapping?


Cisco Switching/Routing :: 877W ADSL Line Interface Not Initializing?

Jan 19, 2012

Is the ADSL line interface on Cisco 877W not initialising a known issue? This interface on my router has been in this state for more than one month, with the rest of the router seemingly operational. The interface was connected directly to my ADSL broadband and worked well for two years. But then, about a month ago, the interface went down. I saw the exact moment this happened recorded as a syslog message. The only information was that the interface status had changed to down.
 
Initially I thought this was a matter of reload the router and all will be well. Did not happen. Then I thought my broadband connection was to blame. However, this option was quickly ruled out. So I went on to exhaust all troubleshooting options, including reflashing the router with the saved image and totally changing the configuration. Still no change. I have had to go back to my old BT home hub for internet access. In terms of speed this actually works a lot better than the Cisco router. But I would still rather have the router connected to my broadband line. What can I do to bring the ADSL interface back to life?


Copyrights 2005-15 www.BigResource.com, All rights reserved