Cisco AAA/Identity/Nac :: Configuring 802.1x Authentication On ACS 5.1.0.44 / Catalyst 2960S Switches?
Mar 22, 2012
Configuring 802.1x authentication on ACS 5.1.0.44 & Catalyst 2960S switches. All the documents I have found seem to have incorrect screen shots or missing steps. I have found a doc external to Cisco [URL], however this just hangs when attempting to complete the task in figure G. The other docs are for configuring IBNS & assume that 802.1x is already configured.
Feb 4, 2012
I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecurID via RADIUS. I've already managed to link it in for ssh access,
but I've not managed to get it working for http / web access to the switch. I think this is because we're using "single use" tokens for maximum security with RSA SecurID and the web interface attempts to authenticate multiple times against the RADIUS part of the RSA SecurID server (okay on the first authentication, but each time after it's going to want a different token code).
Is there a way to get the switch to just authenticate once instead of multiple times against the RADIUS server? For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2.
Jul 25, 2011
I have a CiscoWorks LMS 2.6 and I would like to know if the new Catalyst 2960-S Series switches are supported with this LMS version?
Jan 7, 2013
Currently on ACS 5.2 and our MS Active Directory is migrating to a completely new domain. There will be a two way trust between them for the 24 month migration period. How best to configure ACS to connect to both domains?
Mar 15, 2012
I am setting up an LDAP identity store over LDAPS in ACS 5.1. I specify that the connection uses secure authentication and provide the Root CA certificate. When I hit "Test Bind to Server", I get this error message in a popup window: "Connection test bind Failed :server certificate not found". Is this saying that ACS can't find the CA certificate I uploaded, or does it mean the actual certificate presented by my LDAPS server during the bind test?
Aug 22, 2009
We added an AAA client in the Cisco ACS 5.0 for WLC 4402 (TACACS+ Authentication) and configured WLC 4402 to use TACACS+ authentication for the management access. We can't get this to work for some reason.
Other Cisco routers and switches all worked fine with TACACS+ authentication. This is a TACACS debug output from the WLC:
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS
[Code].....
Jul 25, 2011
We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.
Sep 5, 2012
I've been conducting research on configuring 3 distribution switches in my network which are Cisco Catalyst 4507's to communicate with our core over layer 3. Our core switch which is already configured at Layer 3 for intervlan routing is a Cisco Catalyst 6509.
I've got the configuration portion complete and all devices are able to communicate; my only question is about QoS. Do I have to configure QoS at the layer 3 interfaces for voice, and if so, how is that completed? We have several vlans and separate the vlans for each building by voice and data. We only configure ports on the access switches with voice vlans for QoS and we use the auto qos option on these interfaces.
Aug 21, 2012
Currently using Cisco ISE 1.1 to authenticate both dot1x and mab from Cisco switches. Both features are authenticating properly. When we use a Nortel/Avaya switch as the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators. Could this be an issue with the username/password format in the Radius packet from the Avaya compared to the Cisco?
Sep 19, 2012
We are setting up a new office and I am trying to get RADIUS set up for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung up on what I think is something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius
[code]....
Aug 14, 2011
I want to configure IEEE 802.1x port-based authentication on Cisco switches, preferably 2960 series. Which models support this feature? I have tried with some older switches but it doesn't work properly on every one. I have upgraded them without better results; there is namely an issue with TLS handshaking on some switches which causes authentication to fail.
Dec 10, 2012
I have a 2960S Catalyst switch in my LAN, with the firewall and the servers in the same VLAN (vlan 3). All the servers and the firewall in vlan 3 are in the "192.168.19.0/24" subnet, and the firewall has the IP "192.168.19.1". I can land on the firewall with a VPN (192.168.130.0/24) which has a complete view of the subnet 19/24. I can access, manage and get SNMP information from the Catalyst from the servers but I can't do the same from the VPN. Is there some feature I need to enable on the switch in order to allow 192.168.130.0/24 to access it?
Oct 19, 2011
I have a pair of switches stacked:
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
1 52 WS-C2960S-48FPS-L 15.0(1)SE C2960S-UNIVERSALK9-M
* 2 52 WS-C2960S-48FPS-L 15.0(1)SE C2960S-UNIVERSALK9-M
When I try to enable ip sla responder on the stack I get:
%SYS-3-HARIKARI: Process IP SLAs Responder top-level routine exited
I have not been able to find a bug in the toolkit. Should ip sla responder be supported on the stack as above?
Aug 8, 2012
I have just upgraded some 2960S to IOS 15.0(2)SE from IOS 15.0(1)SE3 and the Catalysts don't switch any IPv6 traffic. No RA works and no unicast IPv6 traffic from any interface works either. I can see some references to IPv6 changes in the FHS (First Hop Security) in the Release Notes, but no reference to changes in the configuration.
The switches don't have any IPv6 specific configuration and the sdm is the default template. Returning to 15.0(1)SE3, everything works ok.
On Catalyst 2960 and 3560E this IOS version seems to work fine with IPv6.
Jun 20, 2012
I want to upgrade my Catalyst 2960S and 3560X at midnight, but I am worried about config loss. If I upgrade my switch through the web interface, will I need to reconfigure the switch?
Dec 1, 2010
I have a new problem with Catalyst 2960S. We have four switches in a stack and now I get the message:
“%PLATFORM_RPC-3-MSG_THROTTLED: RPC Msg Dropped by throttle mechanism: type 37, class 14, max_msg 32, total throttled 73968 (hostname1-2)”
Traceback= 13A686C 160862C 160E0B4 15E2088 184FD48 18467B8
sh switch de
Switch/Stack Mac Address : 68bd.abc9.0000
H/W Current
[Code]....
Nov 26, 2011
We have Catalyst 2960S for switching in our wireless high capacity backbone network. As aggregation switch we are using 3560X.
I just need to know if these 2960S are a good solution for IGMP snooping of the whole IPTV stream. It takes only a range from the backbone and puts it out on another port, but just specified multicast addresses.
Input will be 239.128.0.10 to 239.128.0.20 on Gi 0/1; output will be 239.128.0.10 - 15 on Gi 0/24.
IPTV will be separated on a different VLAN, for eg VLAN 20. Is any prioritization needed on the switches? The capacity for IPTV is around 500 mbps.
Jan 3, 2013
I recently tried to manually format the flash on a model WS-2960S-48TS-L switch running IOS version 15.0(2)SE. While executing the operation I got the following error: mifs[8]: Failed to create superblock %Error formatting flash (I/O error). As a result the flash is no longer accessible by the switch. I spoke with Cisco and they indicated that a switch reload would remount the flash and make it accessible again, but the .bin file would need to be reloaded using the xModem recovery procedure (what a pain). The next IOS version 15.0(2)SE1 will supposedly fix this bug but it has not been released yet. In the meantime, if you are running 15.0(2)SE you may want to hold off performing a "format flash:" function on a 2960S.
Nov 5, 2011
We are using Catalyst 2960S LAN Base IOS on radio towers. We just bought 50 access points that are GPS synchronized. The problem is the APs need to be connected at L2 (MAC) between each other. But at this time we are using port isolation on each switch (tower) via the protected port function to isolate clients from each other.
My question is, is it possible to specify MAC addresses in a specific vlan that can communicate between protected ports? On a tower there is one master unit and the others are slaves. I think there is only one-direction communication, from master to slave.
Oct 30, 2012
Specifying Cisco devices and I've made an error. I have 2 Catalyst 2960S switches (C2960S-24PS-L). Based on this snippet of web copy from the Cisco website: "What's new for the Cisco Catalyst 2960-S Series Switches with LAN Base Software: # 10 and 1 Gigabit Ethernet uplink flexibility with Small Form-Factor Pluggable Plus (SFP+), providing business continuity and fast transition to 10 Gigabit Ethernet", I bought a cable assembly "SFP-H10GB-CU3M" (3 meter copper twinax cable with 10GB SFPs on each end). Unfortunately, it appears after more careful research that my specific model 2960S's are not directly compatible. Can I force these 10GB SFPs down to 1GB and get them to work with my switches, or do I need to return and repurchase?
Sep 27, 2012
I just bought a Catalyst 2960S to test out the feature "Port-Based Address Allocation" which is required for our factory. I followed the instructions from Cisco IOS and did all the steps but I could not get it to work; my network client did not receive the expected IP address that I configured.
Jan 28, 2012
Multicast is not working between our two datacenters. We have Catalyst 2960S (two stacked) as the internal LAN switch, and Catalyst 3560E as the external switch, with the same configuration for both datacenters. The two sites are connected using metro; the external switch (3560) is doing QinQ and encapsulates the data from the internal switch with the metro vlan (611).
IGMP snooping is disabled for all switches, although we prefer to enable it for the internal switches. For each datacenter there is a different firewall which also acts as the router; we are using FortiGate as the firewall. Following is the important configuration section:
Port 43 in the internal switch is connected to the external switch (both sites):
interface GigabitEthernet1/0/43
switchport mode trunk
load-interval 30
Port 3 in the external switch connected to the internal switch (both sites):
interface GigabitEthernet0/3
switchport access vlan 611
switchport mode dot1q-tunnel
no cdp enable
no cdp tlv server-location
no cdp tlv app
Port 8 on the external switch connected to the metro link (both sites) vlan 350 is the internet and 611 is the metro:
interface GigabitEthernet0/8
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 350,611
switchport mode trunk
vlan 611 on external switch:
interface Vlan611
ip address 192.168.168.2 255.255.255.0
no ip route-cache
no ip mroute-cache
Apr 15, 2011
I have several 2960s and 3750s and two 6506 (ws-cac-3000w) that recently moved to a new location. The power outlet is the same, but the voltage is different. Currently the 2960/3750 use one phase 3 wire 220v, and the new location changes to (from 3 phase 4 wire -> one phase 220v). The 6506 currently uses one phase 3 wire and will be changed to (from 3 phase 4 wire -> one phase 220v).
I had searched docs about power supply / cable; they only show support for single phase 220 v, but no description of the volts between each wire!! Does the new location power outlet suit the 2960/3750s power and 6500 ws-cac-3000w?!? Do I need to change the power outlet back to the current one?
Aug 30, 2012
I am administering a Catalyst 2960S switch and I would like to connect several computers to it. Some of those each have a static IP address. For a few of them, I would like the switch to dynamically assign an IP address to them via DHCP. Is the switch capable of doing this? If so, how can I do it? I tried looking through Cisco Network Assistant and I couldn't find it. Some web pages have suggested I telnet into the switch and issue commands like "ip dhcp ?" to see what commands are possible. I can telnet in, but I get an "Unrecognized command" for both "ip ?" and "ip dhcp ?". This makes me think I'm reading the wrong web pages. I did come across the term "DHCP snooping". It seems relevant, but very difficult for me to grasp.
May 6, 2013
After upgrading about 35 Catalyst 2960 and Catalyst 2960S to IOS 15.0(2)SE2, we experience a memory leak on several switches. After some days / weeks the switches are not accessible via Console/Telnet/SSH/Web any more. Only SNMP seems to work properly. Attached users do not experience any decrease in service.
Trying to connect to the console, we get following error message:
"% Low on memory; try again later"
The only (temporary) solution is to reboot the switch. The behavior is similar to Bug CSCts52797. According to the bug notes, this bug should only affect Catalyst 2960 with 64MB of RAM and should already be solved with IOS 15.0(2)SE2.
We experience the erroneous behavior with
-WS-C2960-48TC-S running IOS 15.0(2)SE2
-WS-C2960S-48LPS-L running IOS 15.0(2)SE2
Aug 28, 2012
I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
Attached are screen shots that show how I'm configured for the test; I have a local user defined and I'm trying to log into the firewalls.
- Identity Definition : Screen shot of the main ACS definition for the rule I'm testing that's not working
- Identity Rule 1 : The configuration of rule 1 that, if it fails, I need it to move onto rule 2.
- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
The reason I need to configure it this way is:
- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to network devices for management uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).
Jun 4, 2013
Are there any best practices for preventative maintenance on Catalyst chassis switches? Looking to build a PMI schedule for a customer. Or is there evidence not to perform it at all? Things like re-seating line cards, cleaning fan exhausts, etc.
Jan 4, 2011
I've just made a purchase for a Cisco 2960 8 port switch ( Exact model: WS-C2960PD-8TT-L ), I reckon this is what I need to set up my network, so far I've gone through the Express Set-up and configured it through there with no problems. I've set up the hardware in the following manner:
-Internet Modem
>Port 8 on Switch
->Port 1 on Switch goes to 1252 Cisco AP
->Port 2 on Switch goes to Linksys VOIP home Router
I let it start up and can connect to the internet through the AP, and through the router. (I'm posting through the AP-Switch set-up right now.) However, once I connect to the AP with a second client, it refuses to let the second client connect / does not give it an internet connection, as it would with a direct connection to the modem. I'm going to assume this is due to NAT not being configured through the command line on the switch yet.
Apr 20, 2011
I am testing an ACS 5.2 in our lab environment; I am testing port security for policy based VLAN and ACL assignment. The problem I am having is with the 2960S switches; in my current setup it is working but it doesn't seem to me like it is the way that it should be working. I have a downloadable ACL in the ACS defined and associated to an access policy and it is working correctly. The problem is, from what I understand, I have to assign a default ACL on the switchport? So what I have assigned on the switchport is ip access-group 10 in. The downloadable ACL from the ACS is also called 10. Do I really need to match the ACL on the switchport with the ACL name I have created in ACS? That doesn't seem like it's dynamic if that is the case? What is the ACL that I should apply to the switch port (if any) in order for the downloadable ACLs that I configure in the ACS to work no matter what port the user is patched into?
Jun 10, 2012
We are deploying a Microsoft Exchange 2010 server environment, which will have an ACE 4710 front end. What we are finding is that if a server goes down, a client will need to re-authenticate to a new server. The server team has informed me that if they use Microsoft SLB this does not happen. They have also mentioned that we are getting basic authentication, rather than NTLM. As a result I have read several posts/articles which mention forcing NTLM on the ACE, but none go into real detail.
A couple of official Cisco documents point to having the Exchange Server, and Client both set to use NTLM. So on the server you do not need to select MAPI encryption. I am told this is not an option here, because a multitude of clients are supported, from Outlook 2003, through to 2010.
Jan 16, 2012
I previously configured ACS v4.2 to authenticate network devices using internal users first, and if the user is not found, to use the AD user list. But with v5.3 I have some problems doing this. In identity policies I use the rule based result selection option; I configured 2 policies for identity source, one for Internal Users and another policy for AD users, but it only works with the first policy, whether internal users or AD. How do I do that: if the user is not found on the first policy, continue to the next policy?
Jul 3, 2011
I need to allow specific users access to particular devices and give privilege only for the show command or show run. Here is how I tried to configure it.
1. Configured two separate Shell Profiles and Command sets with privilege level 4-5 and allowing only the show run command
2. Created a separate service selection rule adding the required NDG and protocol TACACS and matching service "RestrictAccess"
3. In the RestrictAccess Service I have the following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However, when I tried with the particular user, he is able to access everything and he is not hitting the correct access rule.
Apr 7, 2012
I'm trying to connect a 2960-S Catalyst switch to a 3560 Catalyst switch. It's worth pointing out I'm newish to switching, although I know some commands and what they do. This is my first time connecting 2 switches together.
They are connected via a crossover cable and have green lights flashing on the connected ports. When I run "show cdp neighbors" it sees the new switch. Unable to ping the new switch... it just times out. Here is the interface on the 3650:
GigabitEthernet0/40 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 001b.532f.8428 (bia 001b.532f.8428)
Description: Uplink to Switch 2
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
[Code]....