Cisco :: AP1242 Ag As A Supplicant On Interface Switch
Jul 15, 2012

How to configure LAP 1242AG to authenticate itself as a supplicant on the 802.1x interface switch?
First, my configuration (then the problem down below):
I have an Aironet 1142 with multiple SSIDs [mapped to VLANs] connected to Gi1/0/2 on a 2960 switch in a user-accessible area. This switch is uplinked to another 2960 switch in a wiring closet, and the Microsoft NPS server is connected to the wiring closet 2960.
Aironet -- 2960 [user area] --- 2960 [closet] -- NPS RADIUS
I have the user-area 2960 configured as an authenticator switch for dot1x, and port Gi1/0/2 is authenticating the Aironet via MAB to RADIUS. RADIUS is sending VSA device-traffic-class=switch to the 2960. The closet-2960 has no special 802.1x configuration, nor is it an authenticator switch; it just has a manually-configured trunk port to the user-area 2960 [for now; I'm trying to take this one step at a time!].
The user-area 2960 correctly converts port Gi1/0/1 to a trunk port when the Aironet is authenticated [via MAB]. The Aironet boots up, the port is opened, I can ping the Aironet on the native VLAN, and all is well [so it seems]. The Aironet dot11Radio is configured for two SSIDs and mapped to VLANs, which are being spanned via STP through the user-area 2960 and the closet-2960. STP is correct and verified on all switches.
I have DHCP snooping configured on the user-area 2960 but only for VLAN 1 [but NOT the wireless user VLANs]; the trunk port to the closet 2960 is a trusted port. Hosts on the wired ports on the user-area 2960 are able to get DHCP IPs. On the Aironet, "show dot11 associations" shows hosts on the SSIDs are getting DHCP addresses. Again, I am *NOT* running DHCP snooping on wireless SSID VLANs [I read elsewhere that can cause problems as users roam between Aironets].
I do have CISP configured on the user-area 2960. I do not have CISP configured on the closet-2960 [best I can tell, that's not required at this stage, but I could be wrong]. Despite the alleged documentation, I could not get the Aironet to use a dot1x credentials profile to authenticate to NPS/RADIUS as an 802.1x supplicant, which is why I resorted to MAB for this exercise. The Aironet simply would not run dot1x [best I could tell]. The documentation and configuration didn't seem complex, so I was quite confused.
I have upgraded the Aironet to the latest 12.4(25d)JA2 software, and the 2960 is at 12.2(55)SE7 [I saw 12.2(58) has some issues, but I'm willing to be persuaded otherwise, based on sound advice]. OK, now the problem:
Users on the guest wireless SSID (VLAN 20) say they cannot connect. Yep, classic. VLAN 20 is trunked and spanned to all the sufficient places. The Aironet shows users in the associations list for that SSID with IP addresses from the DHCP server! DHCP snooping is not configured on that VLAN. I read another support forum post saying CISP and MAB could cause problems with "disappearing" ARP entries. I appear to have that problem. However, the user on the Staff wireless (VLAN 10) has full access. Am I running into a problem with "multi-host" authentication config? Via tcpdump on my firewall, I see nothing but broadcast and multicast traffic coming from a host on VLAN 20. What puzzles me is how I do see *SOME* traffic from a VLAN 20 host on this SSID, but no unicast traffic!
Since you're going to ask, here is my port config for this AP on the 2960 authenticator switch in the user-area, and the AAA config pieces:
#sh run br | in ip dhcp
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp_snoop.txt
ip dhcp snooping
[code]......
I recently configured a Cisco AP 1242, software version 12.4, via the web interface using the default Cisco credentials. At that time I set up an administrator account with read/write access and changed the Cisco account to read-only access. Now when I attempt to log in to the web interface it won't accept the administrator password. It will accept the administrator password in a telnet session, however. So via the telnet session I set up another user with privileged exec level access and that won't work on the web interface either. The login box keeps coming back requesting a password. Strangely enough, I can log in to the web interface using the admin username with the Cisco password, but I can't do anything, and I also can't view everything. I've tried the following:
I've turned on SSH and created a certificate in the AP, but the login box continues to pop on the https://url.
I've attempted to set up a user with a non-encrypted password, but have been unsuccessful.
I've tried a different browser - login box continues to pop.
I've made sure the web interface is activated in the AP.
I've tried a different computer.
I've tried disabling password-encryption service.
Reset the enable password.
I've successfully set up other 1240 APs but must have done something wrong on this one.
I'm trying to find out if the 3500 AP contains an 802.1X supplicant, so the AP can be identified and authorized by an ACS when it is connected to a secure access switch. I can find plenty of info on WPA2 & 802.1X for the wireless clients, but I'm struggling to find anything on 802.1X for the AP itself.
Is it possible to configure a Lightweight Access Point LAP1242AG as an 802.1x supplicant using a Microsoft NPS RADIUS server that does not use the EAP-FAST authentication method? Can I use PEAP in NPS RADIUS?
I have a brand new AP1242. The issue is that I can't access it by console nor by GUI on its default IP address 10.0.0.1.
I am in the process of configuring Network Access Protection and just found out you can apply user-based ACLs in the Network Policy. Will this work with a Cisco AP1242 in Autonomous mode? I saw some configuration guides for configuring User ACLs using the wireless controllers but not just RADIUS.
I have added the Vendor Specific Attribute of "Cisco-AV-Pair" with two values of
-priv-lvl=15
-ip:inacl#10=deny icmp any any
I would expect all traffic to be denied when the user logs in due to the explicit deny at the end of an ACL, but I am not seeing that, so I was unsure if Per-User ACLs work on standalone AP1240s.
I could add another rule to allow other traffic but I just want to see if the ACL would apply on a per-user/per-session basis on the AP1200.
I am having trouble getting the bridge to work. The setting is as follows: I have two buildings, separated by a road. Distance is approx. 35-40 meters. From the main building there is a network which I am trying to extend to the other building by a wireless bridge. I am using two 1242s (autonomous) for this. I also have external directional antennas (7 dB) mounted on a pole 8 meters above ground on each building. These are of course directed at each other. The antenna cables used between the APs are shielded Cisco cables.
The config on the root AP:
dot11 ssid Valhalla01
authentication open
authentication key-management wpa version 1
[Code].....
I'm looking for possibilities to remotely recognize attached antennas on an AP1242. I have a lot of devices which are not working properly. I think most of them have only one antenna installed, but I can't be sure if it's fitted into the primary connector. Do you have any idea how to check the number of attached antennas and, if only one, whether it's fitted into the primary connector?
I want to disable diversity when I find APs with only one antenna.
I have an AP1242 near a couple of conference rooms. I get complaints when we have a large contingent in there and some try to download documents. The bandwidth consumption is meager - less than 2Mbps. But there could be say 50 people in those training rooms. I see no errors at the FE interface on the AP but I do see a good number of Transmit Discards.
Are 50 users connected to an AP1242 simply more than should be expected of the device? 802.11g is the radio.
Are transmit discards indicative of some kind of configuration problem? The users in these cases are generally very close to the access point - within a few feet even.
If it is indicative of a configuration problem would that be an issue of the configuration of the laptop wifi cards or a problem at the AP?
Do AP1242 access points support Kron commands?
I have a 1242 configured with 12.4.21a-ja1 and I have many of these. However, I have 4 at the same location that have just started rebooting. The crashinfo logs tell me that cmd: PASSWORD statement not printed. Don't know if that's the issue, but something is wrong. We are running SNMP and that's about it...
We need to get the MIB/OID information for 6500 series switches. In particular we need to monitor the Gig interface “input & output” traffic rate every second.
Switch model: WS-C6509-E / SUP 720
We tried the below value but are not getting proper output.
MIB:- 1.3.6.1.2.1.2.2.1.10.2
Also we would like to know whether there would be any impact from running the below global command “snmp-server hc poll <in msec>” on a 6500 series switch.
Our ASA 5510 is running 8.0(5). We recently upgraded the license from base to security plus. By doing so the capacity of the external ports Ethernet0/0 and Ethernet0/1 should increase from the original FE to GE. But we were still seeing 100 Mbps on our Ethernet0/0 interface. We figured out that the provider switch only supports 100 Mbps, which is a bottleneck for us. The provider will be upgrading their switches to a 1 Gb switch.
We will have to swap the switch connections now from the 100 Mbps to the 1 Gb switch. What commands should we familiarize ourselves with? This will be done in our maintenance window, though. All the translations/connections will be dropped in our production environment, so we are kind of scared.
I am connecting the inside interface to an upstream switch and therefore will need to assign a static IP address to the inside address as I did below:
#sho int ip brief
Vlan1 123.123.123.123 YES manual up up
I will also use this to manage the ASA. I am having a problem with the network configuration of the inside interface as I can't ping the gateway and/or the in IP of the inside interface. Do I need to add any routes?
We are using the Catalyst 3550 L3 for BGP routing. E.g. Gi 0/4 is our internal interface that we want "switch".
We need on Gi 0/5 the same network that is on gi 0/4.
How is it possible? Make it like a 2 port mini switch. Or make a bridge of these 2 interfaces without any complicated reconfiguration needed?
I'm a networking newbie, but I bought the SG 200-08 switch to do Link Aggregation with and I can't access the web interface. I'm on a Mac running 10.7.3, and I've tried Firefox and Safari. I've also tried on a friend's PC with Internet Explorer 8.
On the Mac, I can go into the terminal and can see that the switch has the correct IP address and is seen on both Ethernet ports:
? (192.168.1.254) at 2c:36:f8:4f:fc:8 on en0 ifscope [ethernet]
? (192.168.1.254) at 2c:36:f8:4f:fc:8 on en1 ifscope [ethernet]
either accessing the web interface or with setting up the Link Aggregation on the switch some other way.
We have 100 Cisco 881 routers in our network and they all work fine with Linksys, 3Com, etc. switches. The problem we have encountered is interfacing to Netgear switches. Netgear switches use autosensing on their ports and it does not seem to be compatible with MDIX autosensing on the Cisco 881 4-port LAN hub that is standard on the 881 router. Would a crossover cable resolve the problem? Since both run autosensing MDIX they never sync - so likely a crossover would not do much. I see this with all types of Netgear smart switches. If you put a small switch between the Netgear switch and the 881 Cisco router everything works fine except for getting port 9000 traffic through.
I have a PIX 535 connected through OFC to a Cisco 2960 switch.
PIX end - G0 (SC type Connector) - Switch End - Gi1/0/28 (LC type connector)
When I am pinging from either side, I am getting packet drops. CRC error is increasing at PIX interface.
Speed settings, tried with
auto - auto
auto - nonegotiate
nonegotiate - auto
nonegotiate - nonegotiate
But no improvements. When it's connected with SC - SC connector, it's working fine.
Switch is also working fine when connected LC - LC. Switch OS is 15.x version.
Cisco PIX Security Appliance Software Version 7.0(4) <system>
Device Manager Version 5.0(4)
I have two 3750 switches. Switch A (main) and switch B are connected by OFC, but I have another wireless link for backup. Now if the OFC goes down then I manually connect the wireless link with switch B; for this reason I am facing a lot of problems. I want, without any changing of cable, that if my primary link goes down then my backup link automatically goes up, and vice versa.
Switch-A port gi1/0/9 and Switch-B port gi1/0/9 are connected by OFC. Switch-A port gi1/0/8 and Switch-B port gi1/0/8 are connected by wireless link (backup). I attached my network diagram; kindly find the attachment file.
I have a pair of 5505s in transparent mode and connected them to a C2960S. The inside interface (which is VLAN5 on the switchport) keeps dropping, going into error state. There is no log reference in the switch and the interface shows as UP. The standby ASA has no problem; both interfaces on the switch are up. As soon as I fail the units over, the active node inside interface drops.
I currently have a Cisco 2621 powering a network at our co-location facility... It's a simple setup and is working well. The colo provides a redundant HSRP uplink, so I have their two uplinks going into a Dell switch. From that Dell switch I have an uplink into FastEthernet0/0 on the 2621, configured with my routing network, and then FastEthernet0/1 gets an address from my block of routable IP. FastEthernet0/1 then plugs into another Dell switch where I have all my servers connected. The servers get public routable IP addresses and use the address on FastEthernet0/1 as their default gateway.
It's time to upgrade off the 2621, so I acquired a Cisco 2811 which has two FE interfaces, as well as a modular HWIC-4ESW switch. My question is, can I get rid of the Dell Switch A in the setup above and just use the internal switch on the 2811 to accomplish the same thing? And if I did this, would my two uplinks from the colo plug into ports 1 and 2 of that HWIC, and then port 3 would physically connect into FE 0/0? Or can I logically do that via configuration in the Cisco? I'm not sure how all this works and haven't received the new router yet, so I thought I'd get a head start and reach out to the experts.
My second question is unrelated, but each port on the HWIC switch cannot be configured as a network interface right? I'm pretty sure they can't as they aren't considered network interfaces but just thought I'd ask.
Is there a way to change interface numbers on a 3750 stack but still retain the config of the physical port?
For instance:
I would like to take the top switch, which has the ports numbered g2/0/1 - 52, and change them to be g1/0/1 - 52. And the bottom switch, which has ports numbered g1/0/1 - 52, and change them to be g2/0/1 - 52. Basically, just swap the interface numbers but not affect any interface configurations.
I am trying to configure 802.1x wired on a 3560 switch and don't see the required commands under the interface. I am running c3560-ipbasek9-mz.122-55.SE6.bin. I was thinking it might not be available on the ipbase image, but I do have the commands on a 3750g running the ipbase image, so I'm not sure about that.
I have a brand new SG500-28P sitting on my desk.
The switch is configured and going to operate in L3 mode. All ports are still assigned to the default VLAN ID 1. I have created several new VLANs. Once I configure and apply an IP interface to a certain VLAN the switch becomes inaccessible right away. I am pretty sure I am not pulling my own VLAN under my connection. Every port is inaccessible. I have to pull the power plug and restart the switch with its saved configuration. Even when I add another IP interface to the default VLAN 1, same issue. I have tried lots of things, but can't get it to work properly. I have just upgraded to the latest firmware.
I have configured dozens of SG300 switches, which is very easy. This one does not work with me.
Yesterday I went to one client for the installation of C(WS-C4507R+E).
Current IOS: cat4500e-ipbase-mz.122-53.SG2.bin
There is only one sup engine installed and the redundant slot is empty.
I installed one Ethernet module in slot 6 and it was detected and is working fine. I also want to install one fiber module, but that module is only supported by 12.2 54 sg or later IOS version, so I need an IOS upgrade.
For the IOS upgrade I decided to do it through an SVI interface. For that I gave an IP address to VLAN 1 (192.168.1.2), plugged a cable into gigabit 6/1 and added that port to VLAN 1.
My laptop's IP is 192.168.1.1. At this point I faced a rare problem: the PING IS NOT WORKING (switch is directly connected to my laptop).
Then I created another VLAN (2) and added that port to VLAN 2; still ping is not working. The last thing I tried was making that gigabit port a routed port, and the result is the same.
Is it possible to establish an interface dialer on a layer 3 switch? Or is it only an interface for routers? I have a c3750 switch (WS-C3750G-24T), and when I try to establish a dialer interface I get an error message:
[code]...
I have come across a few sites where I see some unknown protocol drops on the internal interface connecting to the switch.
I am trying to make my LAN work at home. It's pretty small, but I am barely a smart user, a newbie if so. I have a Motorola Cable Modem model SB5101 receiving the internet from Shaw Cable. From there I have an Ethernet cable to my switch (Cisco SE2500); from there I have two Ethernet cables coming out: one goes to my PC and the other one goes to an Airport Extreme so our laptop. I am just here double checking this info... since this is an unmanaged switch I guess there is no way of accessing an interface to make this happen. I just hate spending the money on something I won't be using just because I don't know what's going on.
I am looking for a way to bind between a switch interface (cat 3750X) and a DHCP server reply. The switch can operate as the DHCP server. A PC connected to interface Gi 1/0/1 will always get IP address 10.0.0.1 because it is connected to interface Gi 1/0/1, a PC connected to interface Gi 1/0/5 will always get IP address 10.0.0.5 because it is connected to interface Gi 1/0/5, and so on... (no matter the source MAC address that sends the DHCP request).
I am not getting interface up/down logs on my switch console through the show logging command. Switch model Cisco WS-C4506-E and IOS: cat4500e-ipbasek9-mz.122-53.SG3.bin. I have done the below-mentioned configurations; we can't configure logging level beyond informational. [code]
We are using a Cisco Router 1841 and users are reporting an issue related to VoIP. After investigation, we are seeing input errors on the router LAN interface, but there is no error on the connected switch interface. [code]