Cisco AAA/Identity/Nac :: Dynamic ACLs On 2960S Switch Using ACS 5.2

Apr 20, 2011

I am testing an ACS 5.2 in our lab environment; I am testing port security for policy-based VLAN and ACL assignment. The problem I am having is with the 2960S switches; in my current setup it is working, but it doesn't seem to me like it is the way that it should be working. I have a downloadable ACL in the ACS defined and associated to an access policy and it is working correctly. The problem is, from what I understand, I have to assign a default ACL on the switchport? So what I have assigned on the switchport is ip access-group 10 in. The downloadable ACL from the ACS is also called 10. Do I really need to match the ACL on the switchport with the ACL name I have created in ACS? That doesn't seem like it's dynamic if that is the case. What is the ACL that I should apply to the switch port (if any) in order for the downloadable ACLs that I configure in the ACS to work no matter what port the user is patched into?


Cisco AAA/Identity/Nac :: 2960S Web Authentication With RSA Secure-ID On Switch

Feb 4, 2012

I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecureID via Radius. I've already managed to link it in for ssh access,

but I've not managed to get it working for http / web access to the switch. I think this is because we're using "single use" tokens for maximum security with RSA Secure-ID and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecureID server (okay on the first authentication, but each time after it's going to want a different token code)

(if there's a way to get the switch to just authenticate once instead of multiple times against the radius server). For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2.

Cisco AAA/Identity/Nac :: 2960S Switch-port Stuck In Guest Mode?

Mar 18, 2012

I am using 802.1x authentication with multi-domain ports; Phone and PC connected to phone. The phones are Nortel (Avaya) and the PCs are Dell/HP laptops. All are configured for certificate authentication and this works well. However we sometimes get some ports stuck in Guest mode. When a non-certificated laptop connects to a phone port and fails authentication, the data port is placed in the Guest VLAN. However when the laptop disconnects the port isn't reset and remains in the guest state. When a subsequent good laptop connects and attempts to authenticate the switch ignores this and leaves the data port in the Guest VLAN. The switch is a 2960S with Version 12.2(58)SE2 IOS.
 
The port is configured as follows:
 
!
interface GigabitEthernet1/0/15
description DANS Port
switchport access vlan 1807
switchport mode access
switchport voice vlan 1855
priority-queue out

[code]....

I placed the AAA, dot1x, eap and auth debug on for all events and then connected a good laptop; the only debug messages I got were as follows:
  
Mar 19 16:17:01.391 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:17:01.653 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:17:02.654 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut

[code]....
 
I would have expected the auth function to have reacted to the EAP packets sent by the good client when it connected and performed EAP authentication, but it didn't; all it did was say the port is in Guest mode and left the laptop in this VLAN.

Cisco Switching/Routing :: Dynamic Bandwidth On A 2960S?

Dec 20, 2012

They have a /28 WAN address coming from the ISP that gives out 100Mbps, going to a Cisco 2960S switch (ver. 12.2); the switch is only holding 1 VLAN. Connected to the 2960 are 3 firewalls/routers from other manufacturers, each creating their own network. The customer wishes for a solution where each final FW/router gets minimum 33% and maximum 100% of the bandwidth, depending on how much each final FW/router is in use.

Cisco :: Implement ACLs In Layer3 Switch?

Oct 15, 2012

Is it possible to implement ACLs in a layer 3 switch?

Cisco WAN :: 6509-E / ACLs Missing After Reload Switch?

Jan 1, 2012

We had a power shutdown activity last week, due to which one of the core switches was turned off and on. After the core switch was turned on, we found some of the ACLs missing which were bound to VLANs. We had given the write command before this power shutdown activity. We need to find the root cause for the same.
 
Switch Model-WS-CISCO-6509-E.

Cisco Firewall :: VLANs ACLs In A 3750 Switch Stack

Jan 15, 2013

A CISCO 3750-X stack with several VLANs and many ACLs applied to the virtual interfaces. Intervlan routing is on. Connected to this stack are VMware hosts with about 500 VMs. We started using the ACLs to allow connectivity between VLANs to specific hosts and it has grown to thousands of lines. I personally do not think this is good for the switch and believe the switch was not intended to be used for that security feature.

- Does it make sense to add an "internal firewall" between the CORE ROUTER AND THE 3750-X SWITCH STACK?

- Do you recommend any other way?

- Any recommended CISCO resource/white paper to read about best practice?

Cisco AAA/Identity/Nac :: Configuring 802.1x Authentication On ACS 5.1.0.44 / Catalyst 2960S Switches?

Mar 22, 2012

Configuring 802.1x authentication on ACS 5.1.0.44 & Catalyst 2960S switches. All the documents I have found seem to have incorrect screen shots or missing steps. I have found a doc external to Cisco [URL], however this just hangs when attempting to complete the task in figure G. The other docs are for configuring IBNS & assume that 802.1x is already configured.

Cisco :: 2960S Catalyst Access Switch From VPN

Dec 10, 2012

I have a 2960S Catalyst switch in my LAN, with the firewall and the servers in the same VLAN (vlan 3). All the servers and the firewall in vlan 3 are in the "192.168.19.0/24" subnet; the firewall has the IP "192.168.19.1". I can land on the firewall with a VPN (192.168.130.0/24) which has a complete view on the subnet 19/24. I can access, manage and get SNMP information of the Catalyst from the servers but I can't do the same from the VPN. Is there some feature I need to enable on the switch in order to allow 192.168.130.0/24 to access it?

Cisco AAA/Identity/Nac :: 002SWC003 - ISE Dynamic Authorization Failed

Dec 5, 2012

I am getting warning messages in ISE saying

Cause: Dynamic Authorization Failed for Device: 0002SWC003 (switch)
Details: Dynamic Authorization Failed

It is not only on that switch but on all switches I have configured. I am using 3560 IPBase 12.2(55)SE6. I have configured them according to Trustsec 2.1. My end devices are non-802.1x. I can't figure out what is causing this error.

The thing is that I have not experienced any problem. In Live Authentications there are some 'Unknown' and 'Profiled' devices hitting the DenyAccess rule, but other than that everything is being authorized fine.

Cisco AAA/Identity/Nac :: ACS 4.1 - Dynamic User Automatic Purging?

May 7, 2013

How often does ACS 4.1 purge dynamic users from its user group after inactivity?
 
We're trying to disable access to certain resources via a NAR, and finding that some users are not in the ACS dynamic user database, despite that, at one point in the past, they have used it.
 
Am I correct in assuming that a user that has never authenticated via an ACS-controlled resource would not be in the database?

Cisco :: Adding 2960S Switch To Network And Voip?

Apr 16, 2012

I have 6 Cisco switches already on my network and I just got a 2960S PoE switch that I need to enable for VoIP. The voice vendor is coming in to set up our phone system for VoIP and I need to enable this new 2960S 48-port switch for the VoIP phones. I don't know how to do that, or the other tasks needed for this project.

I was told that I need to uplink the new 2960S with the Catalyst 4507R using an ethernet cable and to "trunk the ports" and enable the 2960S as a VTP client - ok great - how?

I was told I also need to use the switch port voice VLAN command for the new VLAN - again, great - but how?

I actually was able to telnet into the switch and I gave it an IP and I created a new VLAN, but that's all. We are using non-Cisco IP phones.

Cisco LAN :: 2960S POE Switch - Monitor Network Bandwidth?

Aug 13, 2012

I have a Cisco Catalyst 2960-S PoE switch. I have web access to the switch and am able to get statistics on each port. However, I am wondering if there is a way to have a diagram of the traffic on each port?

Also, what is the best way to monitor the traffic on a router (I have a Cisco 1811W)?

Cisco Switching/Routing :: 2960s / Add One More Switch In Stack?

Apr 29, 2013

I have a running setup having 2 Cisco 2960S 24 TS switches in a stack configuration. Now I want to add one more of the same Cisco switch. My questions are:

1) How can I do this? (Should I follow the same process as I did before?)

2) Could I do this without impacting the service, i.e. without rebooting the switch?

3) What should be the connection architecture? As of now, since there are two switches, they are connected 1-1 and 2-2, but for 3 switches do we need to change the connectivity?

Cisco Switching/Routing :: Information About PoE Of Switch 2960S

Jan 21, 2013

I use a Switch 2960S that supports PoE and 10 Cisco access points. I have one more question:

-- If all 10 Cisco access points use copper cable to connect to the 2960S, 5 access points use a power adapter and 5 access points use power from the switch, how will the Switch 2960S provide power for 10 APs, or will the switch 2960S understand and only provide power for 5 APs?

Cisco Switching/Routing :: IOS Upgrade Option In 2960S Switch

Dec 11, 2012

We have a Cat2960-S Series PoE+ currently running 12.2(55) SE5 IOS with SW image C2960S-UNIVERSALK9-M. We want to upgrade the IOS to the latest version but found there are 2 versions: 12.2(53) SE2 and 15.0(1) SE. Which is the best & most suitable for upgrade?

Cisco Switching/Routing :: 2960s Switch Stack IOS Upgrade?

Apr 18, 2012

I was just curious about something with upgrading a 2960s stack.
 
To copy the image to the switches in the stack I use: Switch# archive download-sw tftp://x.x.x.x/filename
 
Does this also set the image as the boot image or do I still need to issue the boot system flash command?
 
Can I just issue this command on the master switch and reload, and the new config will be pushed to the rest of the switches?

Cisco Switching/Routing :: Switch 2960S Did Not Configure Username

Jun 5, 2013

After I had already configured my Cisco switch 2960, I configured my console as below [code]. After I rebooted my switch, I found that the switch asked me for a username. However, I did not configure a username; how can I solve this problem without a password reset? I have already configured 15 switches; 100% this problem will be in all switches.

Cisco :: When Will Campus Manager 5.2.1 Support 2960S Switch Series

Sep 29, 2011

When will Campus Manager support the 2960S switch series?

Cisco Switching/Routing :: Configure VLAN On 2960S Switch

Jan 20, 2013

I have a hybrid network in which I want to configure VLANs on a Cisco 2960S switch. I have an unmanaged switch where my DHCP server and other servers are connected. Now I created two VLANs on the Cisco 2960S and they don't talk to each other, but as soon as I connect the unmanaged switch to the 2960S switch, both VLANs start communicating, which I don't want. I want to listen to server traffic from the unmanaged switch from both VLANs, but simultaneously I don't want communication between the two VLANs.

Cisco Switching/Routing :: Enabled Syslog On 2960S Switch

Oct 3, 2012

I have enabled syslog on my Cisco 2960S switch as shown below -

-logging facility local6
-logging host 10.11.12.122 transport tcp port 514

I have set the port to TCP since that is what is configured on the SYSLOG server, which is a CentOS 5.8 running rsyslogd. I have tested the rsyslogd locally and it works. However I want to send any and all log messages in the buffer to my syslog server and it is not working. There is no firewall on the CentOS and the ASA firewall filter is enabled for outgoing traffic.

Cisco AAA/Identity/Nac :: ACS4.1 - Radius Dynamic VLAN Assignment Not Working?

Jan 28, 2013

When the users connect their laptop they are getting an authentication prompt, but the switch is not changing the VLANs on the port after successful authentication. Below are the logs on the switch:
 
Jan 28 2013 17:21:32.417 CST: RADIUS:  Framed-MTU          [12]  6   1500
Jan 28 2013 17:21:32.417 CST: RADIUS:  Called-Station-Id   [30]  19  "E4-D3-F1-0B-C6-0A"
Jan 28 2013 17:21:32.417 CST: RADIUS:  Calling-Station-Id  [31]  19  "84-8F-69-A8-BD-1D"
Jan 28 2013 17:21:32.417 CST: RADIUS:  EAP-Message         [79]  45

[code]....

Cisco AAA/Identity/Nac :: WLC 5508 - ISE Alarm / Dynamic Authorization Failed For Device

May 30, 2013

I am using ISE 1.1.1.268 and WLC 7.2.111.3 and NAC agent version 4.9.1.6 on Windows 7 Client machines.
 
About once a day I get the error "ISE Alarm (WARNING): Dynamic Authorization Failed for Device".
 
The device it is referring to is my NAD, a WLC 5508 running 7.2.111.3
 
I have looked at the logs and I cannot see anything in the logs which corresponds to this message so that I can troubleshoot further. Maybe I can if I am enabling the correct logging level on the correct ISE component.
 
What are the components and the logging level that I should set to get some more detail about this error?
 
At the moment, I have only set debug logging on Active Directory. I have TRACE logging set on Posture, Run time AAA & prrt-JNI.
 
I do not want to enable too much debug logging, so what is the specific element that I should be debugging?
 
I thought debugging the posture element would be enough but when I look at the logs there is nothing there that relates to this message.

Cisco Switching/Routing :: 2960s - Unable To Access Lite Switch

Nov 9, 2012

Unable to access switch from outside the local network. Can get to all routers and PC's

Cisco Switching/Routing :: 2960S Unable To Connect To Core Switch

Sep 21, 2012

I have a problem with extending the LAN on a client site. They are looking to extend the LAN with a 2960S-series switch. Already in place is a 4510 switch which the 2960 is connected to via fibre. The 2 switches are both set up but there is no connectivity, as I can't ping between them or anything. The management VLAN on the 2960 shows line up, protocol down, which I believe means the VLAN is enabled but there is a form of physical mismatch on the ports. I have attached the configs of both switches. I feel it might be a problem with GBIC module compatibility. The SFPs installed on both ends are GLC-SX-MMD. On the 4510, the SFP sits in a TwinGig converter (CVR-X2-SFP) but there is no light on it at all when the cables are plugged in.

Cisco Switching/Routing :: 2960S Replace Master Switch In Stack

Jun 4, 2012

I have a stack of 2960S (c2960s-universalk9-mz.122-55.SE2.bin) and the master has failed (used to have a priority of 14). The second switch has become master (priority 1) as can be seen below: [code]

If I connect a new blank 2960S (same IOS) through the stack ports, will the master sync its config to the new one without causing problems? As I understand it, the new blank switch will also have a priority of 1 and will by default be numbered as 1. So if the config is correctly synced and I later on want to make switch 1 the master, I need to set the priority: [code]

Cisco Switching/Routing :: Command To Verify MDIX On 2960S Switch?

May 9, 2012

I configured mdix on port gi1/0/7 as mdix auto. It does not show in the running config. Is there any way or command which I can use to verify mdix on the port?

Cisco AAA/Identity/Nac :: 3750x / Dynamic VLAN Assignment For Wired Campus Network

Nov 23, 2012

I'm working on Dynamic VLAN Assignment on the basis of the authenticated end user who is part of a specific AD group in a campus environment. Objective: Need to assign the VLAN on the switch port on the basis of the authenticated user's OU group in Active Directory. E.g.: There are 2 OU groups in AD, Sales and Administration. An authenticated user in the Sales group should get VLAN 10 and a user in the Administration group should get VLAN 20.
 
Components:
 
Cisco 3750x/Cisco 4500
ACS Version 5.2
Microsoft AD

Cisco AAA/Identity/Nac :: Use 802.1x To Authenticate Clients On Network With Dynamic VLAN Assignment From RADIUS?

Apr 11, 2013

I'm trying to use 802.1x to authenticate clients on my network with dynamic VLAN assignment from RADIUS. We have IP-Phones (powered by PoE) that only support EAP-MD5, and we would rather use MAB (it also uses LLDP-MED for some settings) to authenticate the phones using the MAC-range from the phones' vendor. The following scenario works perfectly: Connect the phone and let it boot up (takes a while) and authenticate with MAB. Connect a computer in the phone's data-port and let it authenticate with 802.1x (or fail and reach guest-vlan). However, the following scenario doesn't work: The computer is already connected to the phone. The phone is then connected to the switch. What happens now is that the computer is authenticated using 802.1x before the phone boots up and gets authenticated with MAB. When the phone is ready, it's authenticated with MAB and everything works. However, after a short period (let's say a minute), using `debug authentication all`, we see a "NEW LL MAC: phones mac" message (which is weird since the mac has already been MAB-authenticated), and then we are unable to contact the phone using ping. When I check `show mac address-table` it has now moved the mac from `Port Gi 0/12` to `Port Drop`. However, if I check `show mab interface Gi 0/12` or `show authentication sessions` it lists the phone's mac as `mab auth success`. Why does the first scenario work, and not the second?
 
The switch is a 3560E PoE 24p with IOS 12.2.58SE2. Sample of the switch-config:

network-policy profile 1
voice vlan 90
!
interface GigabitEthernet0/12
switchport mode access
network-policy 1
authentication control-direction in
authentication event fail retry 1 action authorize vlan 60
authentication event server dead action authorize vlan 60
authentication event no-response action authorize vlan 60
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 1
spanning-tree portfast
!

Btw, when we tried authenticating the phones using 802.1x too (EAP-MD5), there are NO problems in any of the scenarios. However, we want to use MAB instead of 802.1x to avoid the requirement of configuring the phones with a username and password. The RADIUS response was the same when using 802.1x as it is with MAB for the phones (including device-traffic-class=voice AV-pair).

Cisco Firewall :: ASA5520 / How To Use Network Object NAT To Perform Regular Dynamic PAT And Identity NAT

Jun 19, 2011

This is an ASA5520 with 8.4(1). Very simple scenario, three ports: inside, outside, DMZ. My problem is how to use network object NAT to perform Regular Dynamic PAT and Identity NAT.

For example, this is my configuration:

**** first i configured Regular Dynamic PAT****
 
object network myinside
subnet 10.200.11.0 255.255.255.0
nat (inside,outside) dynamic interface 
**** then, I met a problem when I want to make identity NAT between inside and DMZ ****
**** if I add the CLI below, the first nat line will be replaced ****
**** SO IF I ADD THIS ****

[code]......

2960S Skills Of Switch Configuration Are Greater Than Network Design

Jan 5, 2012

One of our clients is replacing some of their aging network components with 4 Cisco 2960S switches. Unfortunately in this case, my skills of switch configuration are greater than my skills of network design. I have a really crude network diagram of their basic network layout (4 servers, 4 switches, and a number of endpoints).

How would you experts design the physical connections in such a way as to facilitate some redundancy?

Cisco Switching/Routing :: Creating Stack Of 2960s From Single Live Switch

Sep 23, 2012

I have a live 28port Catalyst 2960S switch. By live I mean that there is an essential piece of equipment plugged into this switch that can suffer little to no downtime. Over the course of time the number of devices patched into this location has increased to exceed the 24 ports available and we have had to resort to adding unmanaged switches to fill the need. We have acquired an additional 2960 & stacking modules that I would like to stack together, keeping the existing switch as the master. It is my understanding that the stacking modules are hot-swappable and that this member switch can be added without bringing the master switch down, thus creating zero down time for the financial server that is connected.
 
The steps I believe need to be followed are as such: write mem to the existing switch and back up to our TFTP server; install the stack module in the existing (while powered up) and new (while powered down) switches; place the 2 redundant FlexStack link cables on both switches; then simply power the member switch on. After boot the member switch will get its OS and configuration from the master and I can begin moving CAT5 cables from the unmanaged switches to the stack.

Cisco Switching/Routing :: 2960S Packet Loss Is Minimal If A Switch Fails

Apr 11, 2012

I have a Cisco 2960S stack and I'd like to tune the timers so that packet loss is minimal if a switch fails. To simulate a failed switch I have reloaded it while running a continuous ping to a management address on the stack's SVI: [code] As I see the same results when a ping is directed through the single switch (switched), and through the firewall (routed), I'm inclined to think that this is due to the stack failover timers on the Catalyst 2960S. Is it possible to change the stack failover timers (i.e. hold down, failover, etc.) to speed up the failover process?


Copyrights 2005-15 www.BigResource.com, All rights reserved