Cisco AAA/Identity/Nac :: C3750 What Would Cause NAC To Untrusted And Trusted IP Address
Oct 4, 2011
We have c3750s running NAC 4.8. Occassionally, a workstation will flap between the untrusted and trusted vlans. We updated the NIC drivers on the workstation, we verified SNMP was functioning correctly on the switch, and we allowed the phones to act as the pass-through between the workstation and the switch. What could cause the workstation IP Address to not redirect to a TRUSTED VLAN from the NAC_UNTRUST VLAN? All updates have been downloaded to the workstation.
View 1 Replies
ADVERTISEMENT
Jun 6, 2011
I'm installing ACS4.2 in our lab domain and want to leverage the corporate domain for authentication. The one way trust is in place, but there is a facet that I'm not clear on in regards to the installation requirement.
I'd like to install ACS on a lab domain member server, but I'm not sure that will work. The installation docs seem to imply that a member server must be in the same domain as the authentication server, but its not very clear. if I want to use the one way trust to the Corporate Domain, am I required to install ACS on the domain controller of the Lab Domain?
View 3 Replies
View Related
Jun 23, 2011
we have coonection between c3750 and wlc 5508 and it shows that mac address flaps between two interfaces of c3750. [code] two ports are trunking and one port is for management purposes and the other port is for the all other vlans. But it shows that it flaps always. And i think WLC uses one mac address for all device and not for port specific and that causes problem.
View 6 Replies
View Related
May 31, 2013
I have 3 ws-c3750-48ps in a stack and i'd like to enable dot1x on the stack I entered the commands: [code] I also have dot1x enabled on several interface on the 2nd and 3rd switches in the stack with these commands [code] dot1x successfully works on these ports and I see the logs in acs, heres where the problem comes in when i try to enable dot1x using the above commands on any interface on the first switch in the stack it doesn't work its like the switch doesn't support dot1x. I'm assuming that there is a bug in version 3 but after googling I didn't come up with much.
View 6 Replies
View Related
May 9, 2013
We are deploying the ISE MAC address authentication by-pass (mab) feature in our network as an alternative to port security on the switch port. Works well except for certain devices e.g. printers, snmp modules, and Unix/Linux Operating systems which can range from 5-10 minutes to never in authentication/opening the port.
View 2 Replies
View Related
May 31, 2013
Is there any way to Mirror a CISCO C3750 Switch Port Taffic to a remote Host IP Address?I know Port Mirror (SPAN/RSPAN) can copy one Interface Packet to another Interface. But I am looking for a way to miror Switch Port Packets to a remote Host (having Public IP Address and running Wirehark). Is it possible?
View 9 Replies
View Related
Oct 25, 2012
I just upgraded our AnyConnect package on our ASA5510 from 3.06xxx to 3.1. When I tried to log in to the website to automatically install the client, it showed me a big error saying the Certificate is untrusted and I have to explicitly accept it. After accepting it, I had to restart the installation.Is there a way to disable this strict certificate trust setting? We don't have a valid SSLVPN certificate yet, but this big error will confuse endusers.
View 8 Replies
View Related
Jan 21, 2013
I've seen a bunch of discussions on the untrusted server cert error with self signed certs. But I have a valid wildcard that I use on my ASA. How do I make that work with out the untrusted server cert error?
View 5 Replies
View Related
Apr 12, 2011
If I am using an ASA5505, and I have a configuration similar to below, I see that the untrusted interface is only allowed to ftp to 192.168.1.5. Since the trusted interface is not limited to ftp only can it basically run any protocol it wants to 10.20.30.2, or does it get limited to only ftp by the other ACL on returning packets.Also, is the ACL applied to the interface because the ACL's name is the name of the interface?
View 2 Replies
View Related
Dec 16, 2011
I have bought and installed a 2048bit certificate from Thawte on a ACE20-MOD-K9 module. The appliance can't use it and gives the following error: "This certificate cannot be verified up to a trusted certfication authority."I have contacted Thawte about this and they suggest to install an intermediate certificate from Thawte on the module, but I can't find such a certicicate for Cisco on their site. Also I'm not sure how to go about implementing such an intermediate certificate on the ACE.
View 1 Replies
View Related
Nov 14, 2011
I'm going nuts with this ASA5505. This is a secondary firewall used only in emergencies when the primary Checkpoint failes.
The basics, it has two trusted interfaces, E0/1 and E0/2-6. E0/1, inside2 has 192.168.01/29 and inside is 192.168.200.1/24. I'd like any traffic to be allowed from inside and inside2 to outside and any traffic from the inside interfaces should be routed. No restrictions should apply between the two interfaces.
inside works just fine but no traffic is going out of inside2, not to outside or to inside.
View 8 Replies
View Related
Sep 14, 2012
I am in need of a Static IP alternative (My ISP chooses not to offer the service). I do not need the Static IP to access my own devices. I need to access other networks as a "trusted" user.
View 10 Replies
View Related
Feb 6, 2011
We have some Windows 7 clients that are running the 4.8 agent. NAC will process the user and move them to the trusted vlan. However, the agent stays open and appears to keep running/processing something. THe user can minimize the agent and work normally, and a reboot appears to fix the issue.
View 5 Replies
View Related
May 30, 2011
How can I change the IP Address of cisco ACS 5.2 itself through the web?
View 3 Replies
View Related
Apr 6, 2013
I need to change the IP address of existing primary cisco ACS 4.2 (windows based). What is the required procedure to change the IP address?
View 4 Replies
View Related
Sep 30, 2012
Is it possible to create an ip address pool for ip address assignment in ACS 5.3, like it used to be possible in 3.x and 4.x?
View 2 Replies
View Related
May 10, 2012
We recently had to rebuild our ACS server. Now when we have an 802.1x authentication failure and look at the RADIUS logs for the specific user, it does not show us the MAC address of the device the user tried to login with. We use this all the time because users have PDAs and other mobile devices that they save their passwords on. Then when they change their domain password on their laptop, they don't change it on their PDA which then tries to authenticate them using the wrong password and eventually locks them out. We need to see the MAC address so we can pinpoint which device is causing the lockout. The report I am generating is when you go to this location: Monitoring & Reports > ... > Reports > Catalog > User > User_Authentication_Summary
View 4 Replies
View Related
Mar 9, 2011
Customer is running acs4.2 and need to upload thousands of mac addresses in ACS database for MAB. how can this be done? does cisco suport csv file import in acs4.2 or any other utility?
View 1 Replies
View Related
Aug 23, 2012
A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access only to company notebooks. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated in the domain and being unable to do certificate based authentication.
As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password I now wanted to add another step into the authentication process - the MAC of the device. I know I can do the filtering at the WLAN controller, but as it has a limited database as well as the fact that it is cumbersome to maintain the MAC list on all the controllers I thought I can do it over our ACS system.
I am now trying to accomplish the following: The user gets authenticated via the internal user store, which is succesful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, if access is granted or not.
For this I created the following policy:
Service Selection Policy -- (Rule based result selection)
-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access
-- Default | Result: DenyAccess
Service PEAP access Identity: Internal Users -- (Single result selection) Authorization -- (Rule based result selection) -- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs
When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs is: 15039 Selected Authorization Profile is DenyAccess
Is it not possible to use one identity store as "attribute database" for the other identity store?
View 5 Replies
View Related
Jan 13, 2013
I want to use RADIUS (of Secure ACS 5.3) to authenticate users within an ISP environment. Users log connect to a network using a point to point connection (L2) and then they are sending a RADIUS request to get IP adresses. Secure ACS is not quite easy to look through in that case.
View 3 Replies
View Related
Jun 26, 2012
I'm currently evaluating a scenario where AAA request are load balanced across multiple ACS 5.3 instances. The application delivery controller runs in L3 mode, which naturally causes the original packet's source IP address to be replaced by a randomly selected proxy address.As far as RADIUS is concerned, I can perfectly determine the originating NAS by means of a 'Device Filter' condition. Unfortunately, ACS seems to lack the possibility of achieving the same for TACACS+. According to the user manual, only the actual IP address from the received packet is taken into account. I've also come across the 'NAS-Address' attribute in the protocol dictionary, but it can't be used in a custom condition either.how to retrieve the initial device IP address from a TACACS+ request in order to use it for further policing?
View 8 Replies
View Related
Aug 1, 2012
i would like to use the ACS 5.3 as TACACS Proxy. Basically it works. But when checking the logs on the destination TACACS Server (ACS 4.2) i see that all requests (Source-NAs) came from the IP of the TACACS-Proxy. Not from the original source IP.
This is useless for my scenario, because on the destination TACACS Server the policies are built on the NetworkDevices Groups and AAA Clients = source IPs.
View 2 Replies
View Related
Mar 29, 2012
I have a running L2TP/IPsec VPN setup with authentification against a radius server (freeradius2 witch mysql). I would like to have some of my VPN users get a fixed IP address instead of the dynamically assigned IP Pool.
The radius server is returning the correct parameters, I think.
It´s a Cisco 892 Integrated Service Router. Code...
View 2 Replies
View Related
Jul 7, 2010
using ACS 4.2 and I can't find a way to bind an incoming NAS port to a specifc IP Pool:
When a user connects the request to auth comes from 2 possible NAS ports randomly (this cannot change). Depending on which NAS makes the requests determines the IP range required, so I need 2 IP Pools. There is no way to say 'if request comes from NAS1 give IP from Pool1 and if request comes from NAS2 give IP from Pool2'
I have gone around and around with NAFs and NARs, but cannot do this.I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.
View 8 Replies
View Related
Jan 20, 2013
We have Cisco 3750G switches and have them setup to use Cisco ACS 5.2.0.26.5. Some switches after they are restarted and we know that the config is saved the server address for the AAA authentication is dropped. We are running IOS c3750-ipbasek9-mz.122-40.SE. I have started to upgrade switches to c3750-ipbasek9-mz.122-50.SE5 to fix an issue with reporting high drops in Solarwinds.
View 6 Replies
View Related
Aug 8, 2011
My company requires each user dial-in must be a fixed IP; The old acs4 can,but I cannot find the same configration item in the ACS5.2
View 2 Replies
View Related
May 9, 2010
I am trying to configure the ACS with AD in the identity store but am running into the following issue.I enter the AD Domain Name and username and password and hit the 'Test Connection' button and receive a DNS error stating that it 'Cannot resolve network address'.I have logged into the CLI and test to the domain name from there and it works fine.
View 5 Replies
View Related
Aug 23, 2012
I cannot sponsor a guest account using his/her email address. When I try to create a guest account, its show as file attached.
For example,
email.m@email-me.co.xx ->>>>>> cannot create
email.me@email-me.co.xx ->>>>>> can create
ISE version 1.1.1.268
Patch version 1
View 4 Replies
View Related
Feb 12, 2012
Actually I have a lab with ACS 5.3 running with 802.1x, but when when the user is successfully authenticated, it's assigned and IP address from the DHCP server, is there a way to assign a static IP address depending of login username??
View 13 Replies
View Related
Sep 17, 2011
At first I use ACS 4.2 to create static ip address user for remote access VPN,It's easy,just configuration it at user set>Client IP Address Assignment>Assign static IP address,but when I use ACS 5.2 I dont't know how to do it.
I try to add IPv4 address attribute to user by read "ACS 5.2 user guide" ,it says this:
Step 1Add a static IP attribute to internal user attribute dictionary:
Step 2Select System Administration > Configuration > Dictionaries > Identity > Internal Users.
Step 3Click Create.
Step 4Add static IP attribute.
Step 5Select Users and Identity Stores > Internal Identity Stores > Users.
Step 6Click Create.
Step 7Edit the static IP attribute of the user.
I just do it,but it's not work.When I use EasyVPN client to connect ASA 5520,user could success to authentication but will not get the static IP address which I configure on Internal Users,so the tunnel set up failed.I try to Configure a IP pool on ASA for ACS users get IP address,and use EasyVPN client to connect ASA , everything is OK,user authenticate successed.but when I kill IP pool coufigurations and use the "add a static IP address to user "configurations,EzVPN are failed. how to use ACS 5.2 to create a static ip address user for remote access VPN?
View 7 Replies
View Related
May 9, 2013
Why I can't get the "cdpInterfaceExtTable" by SNMP ? The other CDP info are correct, only this table is empty.
I found the configuration method in CLI:
interface GigabitEthernet3/0/13
switchport priority extend cos 5
interface GigabitEthernet3/0/14
switchport priority extend cos 5
But I still can't get anything back when I walk this node,
View 2 Replies
View Related
Dec 10, 2012
I was thinking of upgrading the IOS of a number of c3750 stack (roughtly about 50-100 stacks around the country)...I would like to know is this feasible?
My CiscoWork NMS is connected with a low bandwidth (2Mbps) management link. I was thinking if I upgrade via CW2k, then RME will take "ages" to push the IOS to the stack, right? Is this feasbile for 100+ stack of switches?
View 5 Replies
View Related
Mar 5, 2012
I have a VMware workstation on my host computer (windows 7) and the VMware workstation has a virtual machine (windows 7) on the host. We were trying to allow internet access only to the Virtual machine, i.e. to minimize exposure of the host to the internet. I tried to use Vlan Access Control list with MAC ACL to deny the host virtual machine from accessing the internet and allow all other traffic including the virtual machine. The configuration works for some time and after some time when the virtual machine continously pings the c3750 switch (wher the VACL is implemented), the host also pings the c3750 switch and re-establishes connection with the internet. But when we configured the c3750 switch to deny the VM and allow all other traffic, it works fine. It seems like the host automatically finds a way to get arround the VACL.
View 0 Replies
View Related