Cisco AAA/Identity/Nac :: Configure IEEE 802.1x Port-based Authentication On Switches / Preferable 2960 Series

Aug 14, 2011

I want to configure IEEE 802.1x port-based authentication on Cisco switches, preferably the 2960 series. Which models support this feature? I have tried with some older switches, but it doesn't work properly on every one of them. I have upgraded them without better results; there is namely an issue with TLS handshaking on some switches which causes authentication to fail.

Cisco AAA/Identity/Nac :: ACS 4.2 Certificate Based Authentication And Windows 7

Jan 9, 2012

We use a combination of Cisco ACS and Cisco Catalyst 3560 switches for network authentication and authorization. Clients (Windows XP) have a certificate installed which will grant access to the network and put them in the correct VLAN. So far, so good. Some users are testing with Windows 7 in the same set-up as above and run into strange behaviour. The problem is that after a random timer the machine gets de-authenticated and nothing besides a reboot works to get the computer authenticated again (from a Windows point of view). It looks like this only happens to users who are using a certificate to authenticate; Windows 7 MAC bypass users have no such problems. If it occurs, the following logging appears in ACS: [code] We are using ACS 4.2(0) Build 124 and 3560-48PS switches with IOS 12.2(55).

Cisco Wireless :: 2504 -configure MAC Authentication With Certificate Based

Jan 8, 2013

I have a Cisco 2504 WLAN controller with 7.4 IOS. My query is whether I can configure MAC authentication with certificate-based authentication, without using any external servers like RADIUS, ACS and LDAP.

May I know if there is an option on the WLC…

AAA/Identity/Nac :: ACS 5.3 RADIUS Authentication Based On IMEI & MSISDN Attributes

Jan 9, 2012

I'm trying to find out the options for authenticating remote users via IMEI and MSISDN values via ACS 5.3. I'm unfamiliar with the RADIUS attribute options here and what kind of request/response we can utilise. Also, previously I could define IP pools on ACS 4 but can't seem to do that now. Is there a way to have ACS 5.3 provide a DHCP server address for the connection?

Cisco AAA/Identity/Nac :: WLC 7.4 / ISE Authentication Via Active Directory Based On SSID And AD Group?

Apr 15, 2013

I am deploying ISE with WLC 7.4. I have two SSIDs running in my network: 1. Corporate and 2. Services. I have a domain set up, let's say "AD.com", with 4 groups: 1. Corporate, 2. Services, 3. Employees, 4. Contractors. Here is an example of the scenario that I want:

AD.com Group : Corporate's User : 1. C_USER1
2. C_USER2
3. C_USER3
4. C_USER4
5. C_USER5

[code]....

Now what I want to do is have 802.1x authentication on my Corporate SSID that will check in AD.com, and ONLY in the Corporate group, for authentication. That is, only C_USER1 to C_USER5 are allowed to connect to it. Users from any other AD group shouldn't be authenticated on this SSID. The same for the Services group and SSID.

Cisco AAA/Identity/Nac :: ACS 5.2 RADIUS Authentication Based On IMEI And MSISDN Attributes

Apr 19, 2011

I've been working on trying to get RADIUS authentication working for devices connecting to our corporate mobile APN. Our APN provider sends us Username and Password attributes which I can authenticate fine using ACS 5.2, but I'm having a problem using other attributes sent in the Access-Request. We have mobile SIM cards with an MSISDN value matched with a physical device with an IMEI value. The SIM cards cannot be used in other devices, only their matched device. The provider passes us the MSISDN attribute under RADIUS-IETF 31 and the IMEI under a VSA of 3GPP-IMEI.

What is the best way of being able to authenticate a user and match the MSISDN and IMEI associated to that user?

Cisco AAA/Identity/Nac :: AAA Authentication With 2960

May 17, 2011

I have configured the Cisco 2960 switch with AAA and the RADIUS server is FreeRADIUS. I am able to log in to the switch when the RADIUS server is working. But when the RADIUS server is not reachable, in that particular condition the switch doesn't move to the local authentication configured on the switch.

aaa new-model
aaa group server radius radiuss
 server 10.1.0.215 auth-port 1812 acct-port 1813
!
aaa authentication login default group radiuss enable
aaa authentication login CONSOLE local
aaa authentication enable default group radius
aaa authorization exec default group radius if-authenticated

radius-server host 10.1.0.215 auth-port 1812 acct-port 1813 key 7 071F285C422948514117171
radius-server retransmit 2

line con 0
 exec-timeout 5 0
 privilege level 15
 password 7 14341B1B7D6F0417626173455E47060F
 login authentication CONSOLE
line vty 0 4
 access-class 91 in
 exec-timeout 5 0
 password 7 106D004F2C3B7B7F757E6A64812812d
 transport input ssh
line vty 5 15
 access-class 91 in
 exec-timeout 5 0
 password 7 106D000A061845jsajtqwkd327E6A64
 transport input ssh

Cisco AAA/Identity/Nac :: ASA-5510 / IPSec Client Authentication Based On AD Group Membership?

Aug 26, 2009

Looking to fine-tune Cisco IPSec client RA-VPN authentication on our ASA-5510. Currently using NT Domain authentication. It's been working fine for quite a while but is too broad a brush. It authenticates anyone who is in the domain. We need to only authenticate folks who are in a specific AD remote access security group. I'm testing LDAP but am getting the same results. I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership.

We've updated to ASA 8.2(1) and ASDM 6.2(1). It seems to have more LDAP functionality, but I'm not an LDAP expert. I've posted an image of the LDAP server dialog from the ASDM. I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing. I also tried adding the group info in the "LDAP parameters for group search" field at the bottom. But it doesn't seem to be looking there. Note that the current value is the Group Base DN only. I also tried putting "memberOf=" in front of that. Still no luck. The values shown in the image work for simple domain membership.

Cisco Switching/Routing :: Port / MAC Based DHCP For 2960 And 3560

Jan 3, 2012

I want to implement port-based and MAC-based in these two switches: 2960 & 3560 (both of them have this IOS version: 12.2(55)SE1). And I haven't found a way to implement both of them at the same time. This is what I got:
 
ip dhcp use subscriber-id client-id
ip dhcp subscriber-id interface-name
ip dhcp excluded-address 192.168.0.0 192.168.0.2
ip dhcp excluded-address 192.168.0.251 192.168.0.255

[code]....

With this configuration I can use port-based, but not MAC-based. If I remove the first two lines and change the last line to this one:

address 192.168.0.7 client-id 0112.ae1d.af58.60

Then the computer with that MAC address gets the correct IP, but port-based no longer works. Also, I have this line on the interface on which I want to use MAC-based:

ip dhcp server use subscriber-id client-id

Cisco AAA/Identity/Nac :: 2960 - 802.1x EAP-TLS With NPS / W2008 Authentication Result Timeout

Jun 21, 2012

[Env in my lab investigation]
supplicant - W7 with cert
authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
authentication server 2x - W2008/NPS as a RADIUS server

The problem is that the end stations still connected to the supplicant port /using EAP-TLS/ after a supplicant reboot are all put into the Guest VLAN instead of static VLAN 34!

[The question]
What is wrong, and how should the authenticator or authentication server be configured/tuned to prevent seeing authentication timeouts after the reboot? Of course, after 20 minutes /the next EAPOL-Start frame/ the supplicant is put into VLAN 34.

[Code] ........

Cisco AAA/Identity/Nac :: Http Radius Authentication Fail In 12.2.58 And 15.0.1 For 2960

Aug 18, 2011

Find here the extract of the configuration and the debug output. The RADIUS servers work fine with all the other access methods like SSH, Telnet...

Only HTTP access fails. This configuration worked fine with version 12.2.55, which was installed before.

aaa new-model
aaa authentication login default group radius local
aaa authentication login physique local

[Code].....

Cisco AAA/Identity/Nac :: 2960 - Central Web Authentication With Switch Not Working

Mar 27, 2012

Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working.

I'm using ISE version 1.0.4.573 and a WS-C2960-24PC-L with software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.

The interface configuration looks like this:
interface FastEthernet0/24
 switchport access vlan 6
 switchport mode access
 switchport voice vlan 20
 ip access-group webauth in
[code]

Cisco Switching/Routing :: Configure Tacacs Authentication For Http In 2960

Oct 13, 2011

I am trying to configure TACACS authentication for HTTP on a Cisco 2960 with IOS 15.0.1.SE. [code] But the device is not authenticating. It asks for the credentials (user and pass) but does not authenticate.

Cisco Switching/Routing :: 2960 - DHCP Server Port-Based Address Allocation

Nov 15, 2012

Do the 2960 switches with LAN Lite support DHCP Server Port-Based Address Allocation?

Cisco WAN :: Switches 2960 Series No Internet Access?

Mar 29, 2011

I have a problem: I have Cisco 2960 series switches with IP address 10.10.10.2 255.255.255.0; it works but cannot connect to the Internet.

Cisco :: Catalyst 2960 Series 8 Port Switch?

Oct 18, 2012

I'm trying to configure a Catalyst 2960 series 8-port switch in my office. I have just plugged in the switch and started it, and then put the Ethernet cable (which is coming from the wall port (LAN)) into CONSOLE on the switch, and connected my laptop's Ethernet cable to the switch's 1x por

Cisco Security :: SNMP OID For VLAN And Port 2960 Series

Jan 19, 2011

On a Cisco Catalyst 2960 series, I want to do an SNMP request over an OID where the output should be like this: port number and VLAN ID. Is there an OID for this output?

Cisco Switches :: 2960 - Password Less Log In With Public Key SSH Authentication

Apr 13, 2010

I have a Catalyst 2960 switch (2960-8TC-L) running software version 12.2(53)SE1. I managed to configure SSH to the switch and add an additional user as well. Now I need to configure password-less login with public key SSH authentication on this switch.

I configured several Linux servers and workstations for public key SSH authentication. So far I could not figure out how to do this on a Cisco switch. The following link {URL} shows how to do this. But the "ip ssh pubkey-chain" command never worked; it showed "invalid command".

Cisco Switching/Routing :: 2960 Stackable Switches Instead Of One 4500 Series?

Dec 11, 2011

I have a design for my infrastructure. Should I choose 4 or 5, or more, 2960 series switches in stack mode instead of one 4500 series?

Cisco Switches :: IEEE 802.1v Support On SMB Switches?

Nov 6, 2012

Is IEEE 802.1v supported by some Cisco SMB switch? Which model?

Cisco Switching/Routing :: Enable Multicast On 2950 / 2960 Series Switches?

Dec 8, 2011

How do you enable multicast traffic on 2900 series switches?

Cisco Switching/Routing :: 2960 - Web Authentication On Switches For 802.1x Incompatible Clients

Apr 2, 2013

I am trying to get web-based authentication working on Catalyst 2960 and 3560 switches for clients that don't support dot1x. I followed this guide. Here's the problem: the client (Win7) joins the network, opens the web browser and tries to navigate to any HTTP site. The switch forces the "login" page on him, in which he has to enter credentials. After the client enters credentials, the switch sends an HTTP 500 Internal Server Error page and nothing happens. It doesn't matter if the credentials were correct or not. Also, I checked the RADIUS logs for requests; the switch doesn't even ask RADIUS.

The configuration:

sh ip admission configuration
Authentication Proxy Banner not configured
Consent Banner is not configured

[Code].....

Cisco Switches :: 300 - IEEE 802.3ad Connection

Oct 26, 2011

I recently purchased a Cisco 300 series 10-port managed switch and a Synology 1511+ DiskStation. When trying to bond the 2 Ethernet ports into link aggregation mode on the DiskStation, I am receiving an error that says "failing to establish IEEE 802.3ad connection".

From what I understand, the switch should allow this by default, but I am unable to determine why it's not allowing it.

AAA/Identity/Nac :: 3750 Using AV-Pairs To Add A Description To Port Based

May 9, 2013

I recently saw a Cisco demo of ISE with a customer and the Cisco SE was setting the port description to the logged-in username (dot1x). I can't find any docs on doing this. I did find some old ACS docs that mention using an AV pair and sending aaa:suplicant-name in the result, but that isn't working. I'm trying this on a 3750 and using ISE.

Cisco AAA/Identity/Nac :: ACS 4.2 - IP Pool Allocation Based On NAS Port IP Address

Jul 7, 2010

I'm using ACS 4.2 and I can't find a way to bind an incoming NAS port to a specific IP pool:

When a user connects, the auth request comes from 2 possible NAS ports randomly (this cannot change). Which NAS makes the request determines the IP range required, so I need 2 IP pools. There is no way to say 'if the request comes from NAS1 give an IP from Pool1, and if the request comes from NAS2 give an IP from Pool2'.

I have gone around and around with NAFs and NARs, but cannot do this. I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.

I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups, and so have a single username, but no joy.

Cisco AAA/Identity/Nac :: How To Configure User Authentication Via TACACS On UCS 1.4 With ACS 5.2

Aug 18, 2011

How do I configure user authentication via TACACS on UCS 1.4 with ACS 5.2? My TACACS connection works, and my user authentication is successful, but I can only get read-only rights. I have tried several versions of "cisco-av-pair= role=admin", both as a mandatory attribute named role and as cisco-av-pair=role with "admin" as the value, and I still get read-only.

When I attempt to find any documentation, it only describes ACS 4.2, which is another problem I have with most documentation for new Cisco products (I have this exact issue with my NAMs: nothing I do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).

Is there any possibility Cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?

Cisco AAA/Identity/Nac :: Configure Guest Vlan And Restricted On 2960

Apr 17, 2011

I would like to configure a guest VLAN and restricted VLAN on a 2960 switch, but I cannot.

I am trying to configure the interface using the following commands: [code] A similar result is obtained while trying to configure an auth-fail VLAN. The full configuration file is attached.

Cisco Switches :: SG300 -10 / 16 - IP Based ACL Assigned To Port?

Aug 9, 2012

I'm the administrator of a small network. I wish to replace my old switches with new SG300-10 and SG300-16 managed switches. I have big trouble in my network because everyone can assign his neighbour's IP (or any IP) to his network card. I have a policy that the IP is 172.16.1.X, where X is the home number. Could I do an IP-based ACL assigned to the port where the cable from home (for example 29) comes in, permitting only IP 172.16.1.29 (mask 255.255.254.0), i.e. from the specified port only permit packets with the specified source IP (the LAN user's IP), and deny the rest (if the user sets an IP that is not his)?

I want to know that before buying the equipment. How do I configure that?

I think: IPv4 Based ACE, action: permit, source IP: 172.16.1.x (number of the home), wildcard 0.0.0.0, destination: any, protocol: any, source port: any?

And in ACL Binding, do I have to bind this ACL to the port where the user whose IP is in the ACL is connected?

Cisco AAA/Identity/Nac :: ACS V5.2 / Can Configure User Authentication Logs To Be Viewed On WCS

Jul 18, 2011

I have some queries regarding report generation on Cisco ACS v5.2.

1) Can we schedule a customized report to run on ACS and then email the report to the user?

2) Can we run a user authentication trend report based on the AD directory group rather than an individual user?

3) Can we configure user authentication logs to be viewed on WCS?

Cisco Switches :: How To Configure Dynamic Inspection For 300 Or 500 Series

Mar 6, 2013

How do I configure dynamic ARP inspection for the 300 or 500 series? I find in the admin guide that it's not simple to do.

Cisco WAN :: 2960 To Configure Switch Port Security

Apr 7, 2012

We are using a 2960 Cisco switch and we are trying to configure port security. We are able to configure MAC-based port security, but unable to configure IP-based port security. Can anyone guide us on whether we can do IP-based port security like MAC port security? If not, which switch will support IP- and MAC-based port security?

Cisco AAA/Identity/Nac :: 13017 Way To Configure Email Notification For Specific Authentication Failure

May 14, 2011

Is there a way to configure an email notification for a specific authentication failure? Specifically, I'd like to see if I can have an email notification sent to me when the failure reason is "13017 Received TACACS+ packet from unknown Network Device or AAA Client".

Cisco AAA/Identity/Nac :: ISE 1.1 Authentication With Avaya / Nortel Switches

Aug 21, 2012

Currently using Cisco ISE 1.1 to authenticate both dot1x and MAB from Cisco switches. Both features are authenticating properly. When we use a Nortel/Avaya switch as the authenticator, we are unable to authenticate using MAC bypass (non-EAP (or NEAP) in Avaya talk). The correct authentication policy is found in ISE, but the MAC address is not found in the database. We know it is there because the same MAC is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators. Could this be an issue with the username/password format in the RADIUS packet from the Cisco?

Copyrights 2005-15 www.BigResource.com, All rights reserved