Cisco AAA/Identity/Nac :: Implementing Mac-auth On Selected Ports Between An HP ProCurve 2510 And ACS 5.3?
Apr 15, 2012
I am having difficulties implementing Mac-auth on selected ports between an HP ProCurve 2510 and Cisco ACS 5.3. The 802.1x works just fine, but for selected ports I need to implement port-access with MAC-based authentication instead of regular 802.1X (yeah, I know, but this line of ProCurve switches only supports one auth-mechanism per port!). The switch successfully forwards interesting MAC-auth requests for authentication to the ACS with CHAP/MD5, but the ACS reports this:
Logged At: April 16,2012 1:20:48.080 PM
RADIUS Status: Authentication failed : 22056 Subject not found in the applicable identity store(s).
NAS Failure:
Username: 002655886b3d
MAC/IP Address: 00-26-55-88-6b-3d
Network Device: [code].....
The ACS is configured to use the Internal Hosts database, where the client computer is configured like this: MAC-address: 00-26-55-88-6B-3D
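Added example, not part of this thread and not a description of how ACS implements its Internal Hosts store: a small MAC-auth lookup that canonicalises the address before comparing it, fed with the two spellings visible in the post above (the 12-digit lower-case User-Name and the dashed upper-case store entry) as constructed input. The store contents, the request dictionary and all function names are my own assumptions. It also shows the check a defender would want alongside the lookup: a User-Name that does not agree with the Calling-Station-Id is rejected rather than matched.

```python
import re
from typing import Dict, Optional, Tuple

# Formats that turn up on the wire and in configs: 002655886b3d, 00-26-55-88-6B-3D,
# 00:26:55:88:6b:3d, 0026.5588.6b3d. Canonical form used here: 12 lowercase hex digits.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Strip separators and case; return None if the result is not a 48-bit MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw.strip()).lower()
    return digits if _HEX12.fullmatch(digits) else None


class HostStore:
    """Internal-hosts style identity store keyed by canonical MAC (assumed design)."""

    def __init__(self, entries: Dict[str, str]):
        self._hosts: Dict[str, str] = {}
        for mac, description in entries.items():
            key = normalize_mac(mac)
            if key is None:
                raise ValueError(f"not a MAC address: {mac!r}")
            self._hosts[key] = description

    def lookup(self, raw_mac: str) -> Optional[str]:
        key = normalize_mac(raw_mac)
        return None if key is None else self._hosts.get(key)


def mab_decision(store: HostStore, attrs: Dict[str, str]) -> Tuple[str, str]:
    """Decide a MAC-based authentication request from its RADIUS attributes.

    Returns (decision, reason) with decision in {"accept", "reject"}.
    """
    user = normalize_mac(attrs.get("User-Name", ""))
    station = normalize_mac(attrs.get("Calling-Station-Id", ""))
    if user is None:
        return "reject", "User-Name is not a MAC address"
    if station is not None and station != user:
        # A MAC-auth client presents the same MAC in both attributes; a mismatch
        # is worth logging and rejecting rather than silently accepting.
        return "reject", "User-Name does not match Calling-Station-Id"
    desc = store.lookup(user)
    if desc is None:
        return "reject", "subject not found in identity store"
    return "accept", f"known host: {desc}"


def naive_lookup(raw_user: str) -> bool:
    """Exact-string comparison: what a store that does not canonicalise would do."""
    return raw_user in {"00-26-55-88-6B-3D"}


# Constructed sample: the store holds the dashed upper-case form from the post,
# the switch sends the 12-digit lower-case form as User-Name.
STORE = HostStore({"00-26-55-88-6B-3D": "client computer (constructed entry)"})
REQUEST = {"User-Name": "002655886b3d", "Calling-Station-Id": "00-26-55-88-6b-3d"}

if __name__ == "__main__":
    print("exact-string match:", naive_lookup(REQUEST["User-Name"]))
    print("canonicalised decision:", mab_decision(STORE, REQUEST))
```

Run as-is, the exact-string comparison fails on the two spellings while the canonicalised lookup accepts the request; the same canonicalisation applied to both the identity store and the incoming attributes is the first thing to verify when a "subject not found" result appears for a host that is definitely in the store.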
Sep 2, 2011
Our ACS 5.2 is authenticating ASA VPN users with Radius. I would like to use the ACS to authenticate ASA administrator logins with Tacacs. When I modify the ASA Network Device by checking the Tacacs box in addition to the Radius box, ASA VPN authentication stops. Running original 5.2 without any patches on an ESX platform. I thought 5.2 supports radius and tacacs on the same device?
On subsequent tests found that just opening the ASA Network Device and closing the window will also stop the ASA RADIUS from working. Logs don't show any attempt by the ASA to connect and I'm sure that's wrong. To fix it, I reselect all ACS policy items and save the same settings. Sounds like a bug?
Apr 15, 2013
I have some older devices on the network that only support RADIUS (not TACACS) for authentication and would like to have them use SecureACS 5.3.
I understand that by default, ACS only supports TACACS for device administration. So I'll get this error when trying RADIUS:
11033 Selected Service type is not Network Access
Description:
RADIUS requests can only be processed by Access Services that are of type Network Access
Resolution Text: Verify that the Service Selection Policy rules are correct
However, even after adjusting the Service Selection rules and seeing hits, I still see the same message in the logs, as if it has no effect.
May 22, 2012
I have a problem implementing a NAR for a specific device group. I am running Cisco ACS 4.2 and it works fine for all the other stuff I do but this issue is perplexing me a bit.
I have a device group with Juniper devices in it and I authenticate using RADIUS (Juniper) as the radius setting. I have an Administration user group set up.
I placed a NAR into the group "Per Group Defined Network Access Restrictions" specific to the device group with * for port and address.
I placed this group into both the Define IP-Based as well as the Define CLI/DNIS-based section.
No matter what I do I keep getting authenticated.
When I go to the passed authentications page I see my login and the group-name is identified correctly and the network device group is identified correctly too. The filter says "no filters activated". So how can I get this NAR to kick in? I would like to restrict one device group from an ACS user group.
Sep 30, 2012
After implementing TACACS, one of our routers takes about 8 seconds to respond to any CLI command. We have no problems with other devices in the same location with the same AAA configuration. The router is talking to the ACS server (ACS 5.3) and the logs on the ACS server look normal for the router as well.
Jun 24, 2012
In the ACS 5.3 radius authentication report I want to show the called-station-id attribute (this was appearing on failed and passed auth in ACS 4.2). The value of called-station-id appears in the details. However, I want it to appear as a column in the report.
Oct 13, 2011
We have a customer with an ACS 5.2 implementation in a Windows environment. Now they want to implement IP phones in the network.
Jun 11, 2012
I'm having trouble getting things working on a pair of ASA5510s using Cisco Secure ACS v5.1. We were previously using a much older version of ACS for these (and a lot of other) devices, which worked OK for remote access for read/write use. I am in the process of migrating to the new ACS software and have got it working OK for everything (many Cisco switches and other IOS devices) except these ASA5510s.
I can get TACACS authenticating fine and am able to log on and go into enable mode. Any subsequent commands are then met with 'command authorization failure', including 'show run', 'conf t' and even 'exit'!
My ASA5510 config has not changed, other than to define the new AAA server, which leads me to think it's something to do with how I have the ACS user profile set up. I have configured the ACS5.1 device administration Shell Profile to have the maximum privilege level (15) and the command set I'm using has the box checked 'permit any command that is not in the table below'.
May 15, 2011
I'm trying to configure a 7204 for radius login authentication, although the router is also configured with radius for VPN access. How can I configure it for both using 2 different radius servers? The login via radius is working fine on another router, although that one is not doing VPN access so there's no conflict.
My config:
aaa group server radius RADIUS_AUTH
 server x.x.3.11 auth-port 1645 acct-port 1646
aaa authentication login networkaccess group radius local
[Code]....
For some reason, this does not work. I cannot access the router and authenticate via the x.x.3.11 radius server. I think there's a conflict between the VPN and the login authentication but I'm unsure how to resolve this.
Apr 29, 2012
We are deploying ACS 5.2 to replace our ACS 4.2 in production. I have two wireless networks setup as WPA2-Enterprise. One points at the ACS 4.2 and the other at the ACS 5.2. Both use the same SSL certificate with the same CN. Both authenticate Windows 7 clients. However, Windows 8 CP will only authenticate to the ACS 4.2 and not to ACS 5.2. The error it gives is:
11051 Radius packet contains invalid state attribute
It also shows no authentication method (most of the time).
Occasionally, I get a request that actually shows an authentication method of PEAP (EAP-MSCHAPv2) which is what it should be. On those requests, I get error:
24444 Active Directory operation has failed because of an unspecified error in the ACS.
Both ACS 4.2 and ACS 5.2 are pointed at the same Windows AD source.
Sep 28, 2011
Running ACS 5.1 appliance, and am seeing slow response on TACACS authentications due to the ACS trying to reach overseas AD servers and failing. Is there any way to configure a /etc/host/ file locally on the ACS in order to force the appliance to use specific AD servers for authentication? As I understand the process currently, the ACS appliance will query the top-level domain and get a list of all the AD servers in DNS. In my case, this would include the AD servers overseas that we do not want to use.
Oct 12, 2011
I'm wanting to set up a Virtual Office scenario. Everything is working fine except for 802.1x... I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan. The idea is that if the user takes the router home and someone, either accidentally or on purpose, connects an unauthorized laptop, they stay off the Corp network but can still get to the internet. I found this link on Cisco's site: [URL] That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I don't have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working for things that connect to vlan1, but I would like to have a "fallback" setup.
EZVPN_Remote(config-if)#int fa1
EZVPN_Remote(config-if)#dot
EZVPN_Remote(config-if)#dot1?
dot1q
EZVPN_Remote(config-if)#dot1
[code]....
Jan 17, 2012
At a college we have Cisco 2960s and are trying to set up VLAN tagging and also use RST or MST. The traffic on the jack should get tagged vlan 248. We were told by the college that Ciscos in the labs will not work with the Alcatel switch that provides access to the lab. That Alcatel is in Bridge 1x1 mode. The college will not change the configuration on the Alcatel. We got the Ciscos to do VLAN tagging and can get network access. However the spanning-tree is not read properly. Cisco does not properly read the Alcatel's RSTP (since the Alcatel is doing tagging on the BPDUs). It places the root of the spanning tree under vlan1 instead of vlan248.
The college strongly recommends HP ProCurves and we are using that as a test. The following is the configuration on the HP and it works with no effort (it reads the spanning-tree information as MST). We will end up getting HPs instead, if the Cisco cannot work with the Alcatels.
Nov 27, 2011
I have a Dell Vostro 2510 with Vista. I am able to connect to the internet wirelessly no problem, but when I move the laptop out of wireless range and plug in the ethernet cord I cannot connect. I have a 1394 net adapter and it tests OK with troubleshooting?
Feb 19, 2012
In one location we have an HP 2510-48 port switch which we need to connect to a Cisco 3560 switch. The problem I have is that we have issues connecting fibre to the HP switch, so I have decided to attach a CAT 5 to fibre converter at this end and another to the Cisco switch.
My question is: can you not connect an HP switch to a Cisco switch? Is this true, or do I just need to configure something on the ports?
Jun 8, 2011
We will be upgrading from 4.x to 5.x and need to verify if any needed ports will have to be allowed through the firewalls. Is there a list of required ports somewhere? I have searched but am coming up empty-handed.
Apr 12, 2013
I am setting up six ISE 3355 appliances, 3 in one datacenter and 3 in another. They have just installed a new server farm infrastructure using Nexus 5596 and Nexus 2248TP top of rack switches. I have been looking for documentation on how to do NIC teaming on the 3355 or some way to connect Gig0 to FEX101 and Gig1 to FEX102. Or do I just set up a port channel using LACP between the two different FEX groups?
Aug 22, 2012
The laptop could not connect to wifi. Other laptops can connect to this same wifi but this one can't. I tried the laptop on other routers and it was able to connect. The error message displays "Windows cannot connect to the selected network. The network may no longer be in range...." I tried the solution on Microsoft but it didn't work. I tried changing the SSID of the wifi then scanned for it; it showed that it was changed. The laptop can detect the wifi but it can't connect to it. The laptop is running on Windows XP.
Jun 19, 2011
Chrome has an application that auto-translates any text that is selected, directly in the browser. Is there something similar for IE7? I don't want to install some toolbar or any visible program, just a program similar to the Chrome application, that translates selected text and displays it in a pop-up.
Jan 24, 2013
url... Yesterday all of a sudden my computer wouldn't load up a lot of websites. A lot of my favorite sites to visit now for whatever reason only load to a certain point then stop. The first picture is from Steam, the second is from a browser. It doesn't matter the browser, because it doesn't load on any I've tested.
Oct 9, 2011
"Windows is unable to connect to the selected network. The network may no longer be in range. Refresh the list of available networks and try to connect again." You're in range of the network (right in the same room as the wireless access point). And when you refresh the list, the network still shows up there. It seems that it will only connect to routers which use WEP security and not ones which use WPA. I have looked on the Toshiba site for the wireless drivers to see if there are any updated ones and used the Driver Update Utility on Intel's download site, and that tells me that the latest wireless driver is installed.
Jul 29, 2012
Unfortunately I do not remember the model and the switch is a couple of hours away without remote access. I have 4 VLANs on a ProCurve switch.
VLAN1 - Network Devices (Server, printers, WAPs)
VLAN100 - Admin (Office workers)
VLAN200 - Teachers
VLAN300 - Students
There is a server doing DHCP. There are 4 ranges of IPs 1 for each VLAN.
The router is on Port 44. VLAN 1, 100, 200, 300 - Tagged
The Server is on Port 46. VLAN 1 - Untagged
The WAPs are on Ports 1, 11, 31 VLAN 1, 100, 200, 300 - Tagged
All other ports are on VLANs 100, 200 or 300 - Untagged
The WAPs all have VLANs 100, 200, 300. Each VLAN on a different SSID.
I have IP helper with the server IP on VLANs 100, 200, 300.
There are IPs from the different subnets on their respective VLANs in the switch.
The gateway for each subnet is on a different subinterface on the router.
The router is a linux box. (Untangle)
The WAPs are not able to talk to the server, therefore no computers on the wireless networks can get an IP. The server can only talk to the router if I change port 44 to untagged. What combination of tagged and untagged ports do I need to make everything talk?
Do I need to put the VLANs on the subinterfaces of the router?
Dec 18, 2012
"Windows is unable to connect to the selected network. The network may no longer be in range. Please refresh the list of available networks, and try to connect again." This message popped up while connecting to a wireless network. [CODE]
Mar 13, 2013
Is there software that can be used to disconnect the internet connection on a selected system on a LAN?
Jul 18, 2011
I have configured a stack with 2 sge2010p switches. I want to connect this stack to the HP ProCurve switch using the port aggregation (LAG) technique. I want to use one GE port on each sge switch. How do I configure it? Will it work with port aggregation on the ProCurve?
May 17, 2012
I have got the below log on the ACS 5.2 when the VPN client user connects to the ASA 5510:
Description
Selected Shell Profile is DenyAccess
Resolution Steps
Check whether the Device Administration Authorization Policy rules are correct
Dec 1, 2012
I have 3 switches
Catalyst 2960
Catalyst 3750
Hp procurve 1410 24g
I want to link them using fiber as they are almost 50 meters apart. What connectors should I use and what fiber optic cable can be connected to those connectors? I have found these connectors and cables on the internet; will these work?
GBM-7000-S85 - 1000Base-SX, multi-mode, 550m, 850nm GBIC transceiver
SC to SC Multimode Duplex High Speed Fiber Optic Ethernet Patch Cable 62.5/125
Jan 22, 2013
We have two publicly routable gateways attached to our A5500 switch that are expecting untagged traffic.
We currently have VLAN 10 as the untagged VLAN for Gateway 1, and VLAN30 as a tagged vlan for Gateway 2. Since both gateways are requiring untagged traffic, I need to make sure all ingress traffic from Gateway 2 gets tagged as VLAN30, while all egress traffic gets untagged.
The tricky part is they must come over the same port so I can't just tag it that way. I get the feeling this will require some static routes or VLAN Interfaces on the switch, but I'm not sure where to start.
Apr 17, 2012
I have 2 procurve switches
2848
2650
ProCurve stacking? Is that just a way to manage both switches together?
Or is it for combining both switches together?
Or is that called something else in procurve speak?
Or is that feature not actually available etc?
Next, to learn how to break up the 2848 into multiple switches.
Jun 18, 2011
I'm trying to configure an HP 1810-24G and a pfSense firewall with no success. I would like to create two virtual LANs on the switch which share the same internet connection. To simplify, I suppose:
vlan 2 port 1-12
vlan 3 port 13-23
port 24 pfsense lan connection
What I already did on pfSense: I created VLAN 2 called 1STVLAN, VPID 2, and VLAN 3 called 2NDVLAN, VPID, assigned them to the real LAN port of pfSense, enabled them and gave them a static IP. On the HP ProCurve I created two VLANs with:
vlan 2 port 1-12 untagged, 13-23 excluded, 24 tagged
vlan 3 port 1-12 excluded, 13-23 untagged, 24 tagged
The problem is that I am not able to talk to pfSense (ping fails on the real LAN IP and the virtual LAN IPs), so I also don't have an internet connection. The Ethernet cards I'm using are old (I built the pfSense computer from spare parts that I have at home), so could it be a driver issue?
Apr 20, 2005
I am configuring TACACS Authentication on a Cisco 3550 switch. It has the Version 12.2(25)SEA IOS image. A strange thing is happening: whenever I enable AAA new-model on this switch, and then after enabling I look at the running-config, it shows me this:
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
no tacacs-server directed-request
tacacs-server key 7 xxxxxx
radius-server source-ports 1645-1646
* included here to hide the specific information. I didn't specify any RADIUS server, so why is it showing me radius-server source-ports 1645-1646 after enabling AAA New-Model? As soon as I give "no aaa new-model", this parameter also vanishes. I think this is the only reason I am not able to do tacacs authentication.
May 17, 2012
I am trying to connect to the internet using an external wireless device (Netgear model: MA101). I have managed to install the drivers and my wireless network is coming up as an option! For some bizarre reason, when I try to connect the following message appears: "Windows is unable to connect to the selected network. The network may no longer be in range. Please refresh the list of available networks, and try again." I then refresh and try to connect but the message constantly appears. I have rebooted my computer in case it needs to reset after installing the driver for the wireless device.
May 17, 2012
We have a core switch (Cisco 4503), distribution switches (Cisco 3750) and access switches in our network, and it consists of many VLANs. Almost all VLANs use DHCP pools. But for a few VLANs DHCP is not yet configured due to initial design problems. Recently a rogue user in VLAN 1, connected to one of the access switches, sent rogue ARP packets to the network (suspected ARP packets with the interface VLAN 1 IP of the core switch, i.e. the gateway IP of VLAN 1, with a wrong MAC address) and this resulted in a prolonged network outage for VLAN 1. Anyway, we are going to segregate VLAN 1 into different VLANs, but before that we need a temporary plan to block this kind of attack, like enabling DAI in the switch. I have checked the DAI implementation feasibility with my knowledge and found that it is not possible to configure it on the access switches (Cisco 2960) to which the users are directly connected. But I found that the distribution switch connected to that particular access switch seems to be configurable, since the DAI commands are available to configure in that switch.
Is it possible to block ARP packets with the interface vlan 1 IP Address with rogue mac-address by configuring DAI in the above mentioned Distribution switch and the port connected to the mentioned access switch?