Cisco AAA/Identity/Nac :: ACS 4.2 Setting Up Hot Desk With Dot1x With Ip Phone
Aug 12, 2012
Is it possible to set up a multi use port that will use dot1x to authenticate several laptops, only 1 connected at a time, but I need the phone to automatically connect without having to make changes to the phone config as I don't have access to the Cisco call manager to set up the authentication.
Setup would be using catalyst 3650x at the access layer, various Cisco ip phones models and a Cisco acs 4.2 server doing the authentication. The laptops would be plugged in through the phone. The switch is already in use and setup and using both data and voice vlans, but now I need to enable it for several users. The acs is already setup to authenticate our wireless network so I'm planning on using the same setup for the wired side.
I want to setup the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:24435 Machine Groups retrieval from Active Directory succeeded
I have a 2960 sw configured for dot1x authentication, the problem is the Guest VLAN and Restricted VLAN didnot work. The switch port was stuck in authenticating status. The server is Juniper IC4500.
This weekend we have upgraded the ios on quite a few switches on a larger site, the site is a mix of 2960 and 3560 switches and the previouse ios versions were 12.2.44 on most switches but some had an older 12.2.25.On monday when we came into work we got a call that most of the ports on these switches were an amber color and most people could't use the network.After some investigation we discovered that we had a problem with dot1x so for a quick solution we just removed it from the switches and restarted all the ports with no dot1x enabled,[code]
I have 3 ws-c3750-48ps in a stack and i'd like to enable dot1x on the stack I entered the commands: [code] I also have dot1x enabled on several interface on the 2nd and 3rd switches in the stack with these commands [code] dot1x successfully works on these ports and I see the logs in acs, heres where the problem comes in when i try to enable dot1x using the above commands on any interface on the first switch in the stack it doesn't work its like the switch doesn't support dot1x. I'm assuming that there is a bug in version 3 but after googling I didn't come up with much.
I was looking for a way the manually re-authenticate dot1x client from cli and found this: [URL]
"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"
I've tried it 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seems to be implemented. Have I missunderstood something? Or do you guys have any other command to accomplish a manually re-auth?
I recently purchased a Cisco RV180W VPN router and would like to enable the VPN (specifically IPSec) capabilities so that I can connect via my Android 4.0 (Samsung Galaxy S3) phone. I need step by step instructions (I'm quite unfamiliar with Cisco routers) to configure both the router and my Android phone to do this. I've actually been able to configure the RV180W to work with PPTP (and connect via my phone with PPTP), but would prefer to use IPSec.
I have an HP 735n Desk PC running Win XP Home with SP 2. It reached a point of only starting under "Safe Start" so out of final desperation, I used (F10) System Recovery. The computer is starting AOK now and I have recaptured a lot of data by uninstall/install of programs where I'm told "Your Data Has Not Been Affected". However, when I reached the point of needing to reconnect to the internet VIA a wireless home LAN utilizing a D-Link DIR-615 (ver 3.21) Router with (1) computer connected thru a USB Adapter WUA-2340 (all working fine) I reinstalled a USB Adapter DWA-125 (ver A1) {Which had been working OK} and I get message "No Internet Connection Available" altho' all other indicators are "GO" The Device is working properly and net work indicators are all showing the D-Link USB Adapters on both my Compaq (with Win 7) and the HP (with XP) are working. I have worked on computers for years and never needed to do a System Recovery before and I have NEVER had any trouble getting on a network nor the internet before. REMEMBER, the HP W/XP CANNOT BE USED TO DOWN LOAD. It won't go on line! I can use my Compaq if we can make CD's, DVD's, or Flash Drive copies of anything needed for transport to the HP.
How to do implementation of 802.1x with alcatel phone where pc will be behind the phone and cisco switch ports are configured as trunk. Trunk native vlan is data vlan for pc and trunk carrying voice vlan.when trunk mode is enabled I can not configure 802.1x on trunk interface.
authenticate phone Mitel in ACS 5.2. I tried to authenticate a PC wich is behind of phone Mitel, but it doesn´t working.the solution work fine with vlan mapping.
This configuratión work fine with Phone Cisco but not for phone Mitel, and I had used this templace by both.
I have deployed the NAC Solution. NAC Software version = 4.8.2 and Agent version = 4.8.3.1.The solution is working fine but the Cisco IP Phone CP9951 is getting restart after applying NAC (or port profiles) at some time interval. Time is not fixed but it doesn't seem stable. Sometimes, it is just disconnected while using the Phone and sometimes when you log-off or restart the PC.The Cisco IP Phone CP8945 is working fine in all cases.We are getting the message of "Phone not registered" and active call is getting disconnected.
i got the ACS 5.1 at work..after migrating the data from 4.1 a lot of data got changed into the 4.1 so I needed to reset my configuration (since i played around with the 5.1)after doing so, I can't access the web page, to start the configuration again tried the administrator-setup but it didn't work,
I have ACS 5.2 and JUNOS 10.6.x I setup 2 classes eng-class and ops-class with read/write and read-only permission here is my configuration on JUNOS
set system login class eng-class idle-timeout 15 set system login class eng-class permissions all set system login user engineer full-name “Regional-Engineering” set system login user engineer uid 2001 set system login user engineer class eng-class set system login user engineer authentication plain-text-password xxxxxxx
[code]....
I have 2 separate Authorization policies for engineer and operator group.Result,
1. engineering group is working fine.
2. the operator group its not working im unable to login to device under this group "authentication failed" but on the ACS logs its successfully authenticated.
3. Web authentication is not also working for bot group.
I’m going though dot1x implementation using Cisco WLC 2500 series and ACS 4.2 but I have problems with joining to the SSID. I revised the configuration many times as attached but don’t know what is wrong
log 2013.02.05 17:34:02= (Cisco Controller) > (Cisco Controller) >debug dot1x all enable (Cisco Controller) >*apfMsConnTask_2: Feb 05 07:27:19.865: 00:26:c7:3b:dc:d8 apfMsAssoStateInc *dot1xMsgTask: Feb 05 07:27:19.867: 00:26:c7:3b:dc:d8 Station 00:26:c7:3b:dc:d8 setting dot1x reauth timeout = 0 *dot1xMsgTask: Feb 05 07:27:19.867: 00:26:c7:3b:dc:d8 Stopping reauth timeout for 00:26:c7:3b:dc:d8 [code]...
I have 3750 switch (WS-C3750G-24TS-S1U) with IP Services version
Switch Ports Model SW Version SW Image------ ----- ----- ---------- ----------* 1 28 WS-C3750G-24TS-1U 12.2(46)SE C3750-IPSERVICESK9-M
on the switch, I have configured aaa new-modelaaa authentication dot1x default group radius dot1x system-auth-control but i am not able to implement the command under interface
Switch(config)#int gigabitEthernet 1/0/20Switch(config-if)#do?down-when-looped dot1x commands are not available under the interface config. Is the IOS version is compatible with dot1x?
I configured dot1x port-authentication on a 3750. The switch sends out a request to the radius server. The radius server sends a answer-packet to the switch udp port 21645 but it seems the switch discards the packet or something like that. The radius server gets the answer "Destination unreachable, Port Unreachable"
I have issue with 2950 switch dot1x config is not working , but on 2960 its working fine .Below are the configs from both switches and a debug dot1x all snap, what may be the issue with 2950 switch ...
on 2950======> aaa new-modelaaa authentication dot1x default group radiusaaa authorization network default group radius
I am seeing the following behavior when computers move from one switch to another with dot1x ONLY when there is a 'stupid' switch in between.
computer -------- 'stupid' switch ------- 2960
dot1x is working fine but when the computer is disconnected, the port still shows the authentication session id so when the computer connects to another port or switch, authentication succeeds but traffic doesn't pass. While I'm almost certain that the culprit is the 'stupid' switch that doesn't clear the session id, I have already tried another one and the problem remains so I'm actually just asking for a confirmation that all these 'stupid' switches present this behavior and if there is a workaround in this case.
We're having an issue with the command "cts dot1x" when applied to an uplink interface.It basically kils the connection with this command is applied. Once you remove it, everything is back to normal, the platform is a cisco 3750x.
Trying to authenticate a Wireless 1242 AP to a switch port with Dot1x enabled. It seems like the switch can't get the mac or doesn't ever start authentication for the port when I plug in an ap. The ap is configured to pull dhcp on start for fa 0, however never gets an address, even though the port should fail into guest network after auth fails.Any thoughts,, a debug only shows this...
*Mar 1 00:19:27.127: %IF-3-VLAN_NOT_CONFIGURED: Received dot1Q VLAN tagged packet on interface which does not have VLAN configured.
we're having an issue with the command "cts dot1x" when applied to an uplink interface. It basically kils the connection with this command is applied. Once you remove it, everything is back to normal, the platform is a cisco 3750x.
Hardware: Cisco 3750 switch and Cisco autonomous access point (AIR-AP1142N-E-K9).Requirement: A single broadcast SSID; use dot1x to assign vlan 98 to authenticated clients (computer certificate); assign vlan 3 (guest) if the authentication fails.I can achieve assigning a guest vlan on authentication failure when using a wired connection by using the following command on the interface:authentication event fail action authorize vlan 3 I'm after a way to achieve the above using the wireless access point. The main point is that internal users cannot access vlan 3 as they have a valid certificate and that guests do not have to authenticate.
I have a Cisco 6509 with IOS "s222-ipservicesk9_wan-mz.122-18.SXF16.bin"I need to enable dot1x on user's ports on the switch. each user is connected to the switch through the IP phone.
I just found out that I can not enabled dot1x on trunk port. I have tried to use "switchport voice vlan " but I got:
I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
!interface GigabitEthernet2/34 switchport mode access ip arp inspection limit rate 30 authentication host-mode multi-auth authentication port-control auto authentication periodic authentication timer reauthenticate server dot1x pae authenticator dot1x timeout tx-period 5 dot1x max-reauth-req 6 spanning-tree portfast ip verify source vlan dhcp-snoopingend
It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occures. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
I'm trying to test such 802.1x wired environment:windows xp sp3 as supplicant windows NPS as radius server 2960 as authenticator latest anyconnect (3.1.01065) + nam and standalone profile editor.I have a question: What is the difference between protected identity pattern and unprotected identity pattern (set in nam profile editor)? As I understand documentation PEAP-MSCHAPv2 is a tunneled method and it uses un- protected identity pattern to protect user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc) access is rejected (Access-Reject in switch debugs). I have to use exacly the same pattern in unprotected identity pattern as in protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authenticaton mode (same in machine only, user only authentication).
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon LDAP:Externalgroups groupname1 Result Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 at everytime the entered user's password expires?
I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.
I have a new ACS 5.3 configure and a ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."
I checked out the documentation and have already configure the Identity store sequences to redirect everything to the LDAP server, I also did the Bind test and it says that is ok, but I still have the same problem.
I validated the Access Policies Menu, and tried to create a new Service Selection Rules, but whet I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page. " and I'm not able to modify the identity, not in this new option I created, nor in the ones already created in the ACS.
I have two ACS v 5.2 (primary and secundary) and some users are in the internal stor and the others are in the AD.The local site topology is like this:
PC - AP - WLC - ACS - AD
Authentication method is PEAP(EAP-MSCHAPv2) and all user have the certificate company installed. The OS in the client users is Windows 7.Users was working fine but some users reports intranet disconnections. I see in the ACS log many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms.I believed it was because user wasn´t in the AD data base, but some times the same user is authenticated successfull and other i see the "22056...." or "24415...." alarms.
I switched the role for ACS primary to works as secundary and we see the same alarms.
