Cisco AAA/Identity/Nac :: Configure IEEE 802.1x Port-based Authentication On Switches / Preferable 2960 Series
Aug 14, 2011
I want to configure IEEE 802.1x port-based authentication on cisco switches, preferable 2960 series. Which models support this feature?. I have try with some older switches but it doesn't works properly on everyone. I have upgraded them whitout better results, there is namely an issue with TLS handshaking on some switches which produces authentication to fail.
We use a combination of Cisco ACS and Cisco catalyst 3560 switches for network authentication and authorization. Clients (Windows XP) have a certificate installed which will grand access to the network and put them in the correct VLAN. So far, so good. Some users are testing with Windows 7 in the same set-up as above and run into strange behaviour. The problem is that after a random timer the machine gets de-authenticated and nothing besides a reboot works to get the computer authenticated again (from a Windows point of view). It looks like this only happens to users who are using a certificate to authenticate, Windows 7 MAC bypass users have no such problems. If it occurs, the following logging appears in ACS: [code] We are using ACS 4.2(0) Build 124 and 3560-48PS switches with IOS 12.2(55).
I have cisco 2504 WLAN controller with 7.4 IOS. My query is can I configure the MAC authentication with certificate based. And without using any external servers like Radius, ACS and LDAP.
I'm trying to find out the options for authenticating remote users via IMEI and MISDN values via ACS 5.3/I'm unfamiliar with the Radius attribute options here and what kind of request/response we can utilise. Also previously I could define IP pools on ACS 4 but can't seem to do that now. Is there a way have ACS 5.3 to provide a DHCP server address for the connection ?
I am deploying ISE with WLC 7.4. I have two SSID(s) running in my network 1. Corporate & 2. Services. I have a domain setup lets say "AD.com" with 4 groups 1. Corporate, 2. Services, 3. Employees, 4. Contractors.Here is an example of the scenario that I want:
AD.com Group : Corporate's User : 1. C_USER1 2. C_USER2 3. C_USER3 4. C_USER4 5. C_USER5
[code]....
Now what I want to do is have 802.1x authentication on my Corporate SSID that will check in AD.com, ONLY AND in ONLY corporate group for authentication. That is only C_USER1 to C_USER5 are allowed to connect to it. Users from any other AD group shouldnt be authenticated on this SSID.The same for the services group & SSID.
I've been working on trying to get RADUIS authentication working for devices connecting to our corporate mobile APN. Out APN provider sends us Username & Password attributes which I can authenticate fine using ACS 5.2 but I'm having a problem using other attributes sent in the Access-Request. We have mobile SIM cards with an MSISDN value match with a physical device with an IMEI value. The SIM cards cannot be used in other devices, only their matched device. The provider passes us the MSISDN attribute under RADIUS-IETF 31 and the IMEI under a VSA of 3GPP-IMEI
What is the best way of being able to authenticate a user and match the MSISDN and IMEI associated to that user?
I have configured the cisco 2960 switch with AAA & the radius server is free radius. I am able to login into the switch when radius server is working.But when radius server is not reachable, in that particular condition the switch doesn't move to local authentication configured on the switch.
aaa new-modelaaa group server radius radiuss server 10.1.0.215 auth-port 1812 acct-port 1813!aaa authentication login default group radiuss enableaaa authentication login CONSOLE localaaa authentication enable default group radiusaaa authorization exec default group radius if-authenticated
Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510. Currently using NT Domain authentication. It's been working fine for quite a while but is too broad a brush. It authenticates anyone who is in the domain. We need to only authenticate folks who are in a specific AD remote access security group. I'm testing LDAP but am getting the same results. I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership.
We've updated to ASA 8.2(1) and ASDM 6.2(1). It seems to have more LDAP functionality but I'm not an LDAP expert. I've posted an image of the LDAP server dialog from the ASDM. I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing. I also tried adding the group info in the "LDAP parameters for group search" field at the bottom. But it doesn't seem to be looking there. Note that the current value is the Group Base DN only. I also tried putting "memberOf=" in front of that. Still no luck. The values shown in the image work for simple domain membership.
I want to implement port-based and MAC-based in these two switches: 2960 & 3560 (both of them have this IOS version: 12.2(55)SE1). And I haven't found a way to implement both of them at the same time. This is what I got:
ip dhcp use subscriber-id client-id ip dhcp subscriber-id interface-name ip dhcp excluded-address 192.168.0.0 192.168.0.2 ip dhcp excluded-address 192.168.0.251 192.168.0.255
[code]....
With this configuration I can use port-based, but not MAC based. If I remove the first two lines and change the last line for this one:
address 192.168.0.7 client-id 0112.ae1d.af58.60
Then, the computer with that MAC address got the correct IP, but then the port-based doesn't work. Also, I got this line in the interface what I want to use MAC-based:
[Env on my lab investigation] supplicant - W7 with cert authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/ authentication server 2x - W2008/NPS like a RADIUS server
The problem is the end station that are still connected to the supplicant port /use a EAP-TLS/ after the reboot supplicant! All of them will be put into the Guest VLAN instead of static VLAN 34!
[The question] What is wrong and how to configure/tune and what authenticator or authentication server to prevent after the reboot to observe a authentication timeouts? Of course the supplicant after 20 minutes /next EAPOL start farmet put into VLAN 34.
on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working.
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this: interface FastEthernet0/24 switchport access vlan 6 switchport mode access switchport voice vlan 20 ip access-group webauth in(code)
I am trying configure tacacs authentication for http in Cisco 2960 with IOS 15.0.1.SE. [code] But the device is not authenticating. It ask the credentials (user and pass) but not authenticates.
I'm trying to configure Catalyst 2960 series 8 port switch in my office. I have just plugged in switch and started and then put Ethernet cable (which is coming from the wall port (LAN) into CONSOLE (switch). and connected my laptop's ethernet cable to switch's 1x por
Cisco Catalyst 2960 series,i want do a SNMP request over OID. When the output should be like this: Portnumber and VlanID. Is there a OID for this output?
I have a Catalyst 2960 switch (2960-8TC-L) and running Software version 12.2(53)SE1.I mange to configure SSH to the switch and add addition user as well.Now I need to configure this switch password less log in with public key SSH authentication.
I configured several Linux servers and Workstations for the public key SSH authentication.So far I could not figure out how to do this in CISCO switch. Following link {URL} how to do this.But ip ssh pub key- chain command never work showed invalid command.
I am trying to get to work Web-based authentication on Catalyst 2960 and 3560 for clients that don't support dot1x. I followed this guide. Here's the problem: Client (win7) joins the network, opens the web browser and tries to navigate to any http site. The switch forces him the "login" page in which he has to enter credentials. After the client enters credentials, the switch sends http 500 internal server error page and nothing happens. Doesn't matter if the credentials were correct or not. Also i checked radius logs for requests, the switch doesn't even ask radius.
The configuration:
sh ip admission configuration Authentication Proxy Banner not configured Consent Banner is not configured
I recently purchased a cisco 300 series 10 port managed switch and a synology 1511+ diskstation. When trying to bond the 2 ethenet ports into link aggregation mode on the diskstation, i am recieveing an error that's "failing to establish IEEE 802.3ad connection".
From what i understand, the switch should allow this by defealt, but i am unable to determine why it's not allowing it.
I recently saw a Cisco demo of ISE with a customer and the Cisco SE was setting the port description to the logged in username (dot1x). I can't find any docs on doing this. I did find some old ACS docs that mention using an AV pair and sending aaa:suplicant-name in the result, but that isn't working. I'm trying this on a 3750. and using ISE.
using ACS 4.2 and I can't find a way to bind an incoming NAS port to a specifc IP Pool:
When a user connects the request to auth comes from 2 possible NAS ports randomly (this cannot change). Depending on which NAS makes the requests determines the IP range required, so I need 2 IP Pools. There is no way to say 'if request comes from NAS1 give IP from Pool1 and if request comes from NAS2 give IP from Pool2'
I have gone around and around with NAFs and NARs, but cannot do this.I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.
how do i configure user authentication via TACACS on UCS 1.4 with ACS 5.2? My TACACs connection works, and my user authentication is successful, but i can only get read-only rights. I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role , with "admin" as the value, and i still get read-only.
When i attempt to find any documentation, it only describes ACS 4.2, which is another problem i have with most documentation for new cisco products (i have this exact issue with my NAMs, nothing i do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
is there any possiblity cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?
I would like to configure a guest-vlan and restricted-vlan on a 2960 switch, but I can not.
I am trying to configure the interface using the following commands: [code] similar result is obtained while trying to configure a auth-fail vlan. the full configuration file is attached.
I'm administrator of small network. I wish to replace my old switches by new SG300-10 and SG300-16 managed switches. I have big trouble in my network because everyone can assign IP his neighbour (or any IP) to his network card. I have policy that IP is 172.16.1.X with x is home number. Could I do that IP based ACL assigned to port where is cable from home example 29, permit only IP 172.16.1.29 (mas 255.255.254.0) (from specified port only permit packets with specified source IP (LAN user IP) other (if user set not his IP) is denied) ?
I want know that before buying equipment. How to configure that ?
I think IPv4 Based ACE, action: permit, source IP: 172.16.1.x (nr of home), widcard 0.0.0.0, destination: any, protocol: any, source port: any ?
and in ACL Binding, I have to bound this ACL to port where user whose IP is in ALC is connected?
we are using 2960 cisco switch asn we are trying to configure port security.we are able to configure MAC base port security, but unbale to configure IP base port security.can any one guide us can do IP base port security like MAC port security. if not which switch will support IP and Mac base port security.
Is there a way to configure an email notification for a specific authentication failure? Specifically, I'd like to see if I can have an email notifcation sent to me when failure reason is "13017 Received TACACS+ packet from unknown Network Device or AAA Client".
Currently using Cisco ISE 1.1 to authentication both dot1x and mab from Cisco switches. Both features are authenticating properly.When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators. Could this be an issues with the username/password format in the Radius packet from the Cisco?