is it possible to use the asa dhcp server function to assign based on mac address (yet)? I have read numerous places that it was not possible (as of 8.2) at least, but I am workin in 8.4. I should have mentioned that I've already tried commands (asa 5510 btw)
View 4 RepliesI've setup VLANs for voice traffic for each floor of our building with a class C. I'm currently having an issue where the 3rd floor can no longer get an IP on their Cisco phone.
Per the debug, I get an ASSIGNMENT_FAILURE DHCPD: due to: POOL EXHAUSTED.
A 'sh ip dhcp pool' reveals 145 leased addresses on that subnet, which I confirmed by running a 'sh ip dhcp binding' command. The 'ip dhcp excluded-address' command is only configured for 20 addresses, so even with that I should have plenty available IP's in the pool.
i have configure a remote access ipsec vpn in asa5510 and it is working fine when i configure local dhcp address pool assignment. but not working in dhcp-server
below is my configuration
tunnel-group test type remote-accesstunnel-group test general-attributes default-group-policy test dhcp-server 10.1.1.200tunnel-group test ipsec-attributes pre-shared-key *
group-policy test internalgroup-policy test attributes dhcp-network-scope 192.168.135.0 ipsec-udp enable ipsec-udp-port 10000
---snapshot Ping test to DHCP-Server 10.1.1.200----
ciscoasa# ping 10.1.1.200Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
the DHCP server is working when i assign ip address to the LAN network.
I have configured dhcpd in an ASA 5505 and every thing is working. I am testing it to give me a warning when the address pool is about to be finished or it is empty. But don't konw how to do it. if I run the "debug dhcpd packet", i get that the address pool is empty.
View 3 Replies View RelatedCisco 1811W router, IOS 15.1(4)M6, DHCP server not working on internal VLAN but configuration looks OK to me. [code]
View 1 Replies View RelatedI work from home and log into my work using a token I get into my work server but it keeps freezing and boots me out. If this makes sense. I have to use my mums laptop windows 7.
View 2 Replies View RelatedI want to remotely access Cisco 500 switches via TELNET and WEB BASED from a server. I dont know the ip addresses for Cisco 500 switches which are configured as backbone which the ip address assigned on the network is static ip address. Specifically I want to get their configuations inorder to get their specified assigned vlans on the network. I know the ip addresses for their specified cisco 500 switches' gateways. I know that cisco 500 switches can be accesses through web. Is there other ways to solve the problem apart from going onsite and connect to the cisco 500 switches using network cable since cisco 500 swithes dont have console ports?
View 1 Replies View RelatedXYZ Corporation currently employs eight people but plans to hire 10 more in the next four months. Users will work on multiple projects, and only those users assigned to a project should have access to the project files. You’re instructed to set up the network to make it easy to manage and back up. Would you choose a peer-to-peer network, a server-based network, or a combination of both?
View 1 Replies View RelatedI'm trying to connect Switch 3560 to NTP Server based on Linux, the NTP is working fine but the switch is sync with the Server:
address ref clock st when poll reach delay offset disp
*~10.0.0.70 208.53.158.34 3 42 64 377 1.7 -2.49 0.1
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
Clock is synchronized, stratum 4, reference is 10.0.0.70
nominal freq is 119.2092 Hz, actual freq is 119.2093 Hz, precision is 2**18
[code].....
But server has on time and the Switch another. I test this NTP with CUCM and is working fine, the issue is with ther server?
Does the 2960 switches with LAN-Lite support DHCP Server Port-Based Address Allocation?
View 1 Replies View RelatedHow do I...add a dos based computer to a network running windows 2003
View 1 Replies View RelatedIn the settings, there is a spot in which you can set the range of IPs to assign to connected computers and other devices. This particular option is available under the "LAN" options. What I am seeing is that the only IP that is assigned within the range is the one and only device hardwired to the router. Everything else is being assigned IP addresses outside of the range. Am I missing something? I was under the assumption that any IP addresses assigned dynamically would be within the range whether they were wired or wireless
View 10 Replies View RelatedThe Wireless_Employees authorization profile,assign vlan 666 for wireless employees.ISE is passing VLAN 666 to the WLC - see attachement Radius Auth-VLAN666.jpg then I look on the WLC at a wireless employee who has successuflly connected to the network, WLC is still placing him in the pre-configured VLAN 7.
1. can VLAN be pushed from ISE to the WLC (code 7.2.103) for specific user session?
I have Remote Access VPN users (IPsec) who are terminated on Cisco ASA 5520 (v8.2). For those users, AAA is done on the ACS. Group-policies and tunnel groups are defined on ASA. Initialy I had all VPN users defined on ASA and group policies were associated with each user. Each group policy had it’s own IP pool for users. Now, I moved users to ACS. How can I associate group policy, defined on ASA, with users group defined on ACS? Is it possible that ACS send to ASA information about IP pool for different group policy? Users will use ONE vpn profile BUT based on the Active Directory group they belong to they obtain a different IP address for each group.Can it be done ? ACS version is 5.2.
View 1 Replies View RelatedI have gotten the assignment of constructing a fictional network for my school.. and i cannot quite agree with myself upon which equipment i should choose.. its supposed to be all cisco. i need to supply 5000 users all in all, but only 300 on this site. i need to know which connections would be the most reasonable to use and of course which routers "if any" and switches i need.. (+ additional modules if needed) i have tried to make a visio representation, but i just think something is way off.
View 6 Replies View RelatedI was wondering if it is possible to do dynamic VLAN assignment on the Cisco Wireless Controller 5508 without using Cisco ACS but use Microsoft NPS server instead?
View 3 Replies View RelatedI have just upgraded our WLC from 4.0 to 7.0 (via 4.2). Before the upgrade we had our ACS returning a VLAN based on user group. This seemed to be working without an issue. Now that the WLC is on version 7 this is no longer working correctly. The ACS is returning a VLAN and passing the user but the client can not get an IP from the DHCP server configured.
Example configuration:
SSID-----VLAN
PN-CSC-----CSCVlan: Works
PN-Others------OthersVlan: Works
PN-Others-----CSCVlan: No DHCP
When users are trying to be allocated to a vlan that is different from the native one the DHCP fails however both WLANs are configured to point to the management interface so dont have any real connection to the vlan other than by name.
Have there been any changes I haven't seen in the way the dynamic vlan allocation works in version 7?
I'm having a strange issue with a Cisco 3845 ISR router. I am setting up basic ACL and NAT but 2 issues occur. When using pat (overload) and a static nat assignment on the same subnet, the host with the static assignment has no wan connectivity except for icmp. The host is not reachable via the wan and the static public ip. Running show ip nat translations show the correct inside local and inside global addresses. The other issue is when applying an extended ACL to the outside or WAN interface coming in. No host on the inside has connectivity (icmp, tcp etc.) even to the gateway. I've cleared out all the ACL's as well as the ipsec tunnel settings and created only the nat overload and a single static assignment with the same results.I'm posting the running config below.
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
[Code]...
I have a home desktop, home laptop, and work laptop that I use. I have Ultra VNC setup on my work laptop that allows me to remote into that machine when I am traveling for work. I have always been able to use the external IP address (not private) to login into the machine with no problem. This week, for some reason, I can no longer do that. When I started doing some discovery, I noticed that when I have all 3 machines booted up at home that the exact same external IP address is assigned to all 3 machines. The internal IP addresses are all different as they should be.Shouldn't each machine have a seperate external IP address assigned as well? Or is this working the way it should? I didn't change any setting on my router or DSL model. But I think the conflict that VNC is having on my work laptop is that it has the exact same IP as the destination computer and it fails. I can remote in if I use the private IP address (192.168.x.x) just fine.
View 1 Replies View RelatedI want to use RADIUS (of Secure ACS 5.3) to authenticate users within an ISP environment. Users log connect to a network using a point to point connection (L2) and then they are sending a RADIUS request to get IP adresses. Secure ACS is not quite easy to look through in that case.
View 3 Replies View Relatedmy admin user is still being assigned privilege level 1, as shown in AAA Protocol > TACACS+ Authentication Details report.The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- is the one I setup for this user's group with both Default Privilege and Maximum Privilege set to Static 15). But still not the right privilege (Privilege Level: 1).Also, I found this document via Google: [URL] The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have.So I am wondering if I am not reading the ACS report right, or the device actually was assigned the correct privilge but that does not work without the "aaa authorization exec" command in the configuration?
View 1 Replies View RelatedI'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine. I've tried everything I can think of. IAS and AD is running on Windows Server 2003.Everything works fine except the vlan assignment. Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.PEAP is the authentication method, using MS-CHAP v2. Naturally I have the attributes in the policy set appropriately,[code] I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.
View 16 Replies View Relatedhow I can assign a static IP to a user in ACS 5.2. I am able to do it in ACS 4.2, but I don't see the same options under 5.2. General idea is that users authenticate from our VPN appliance via RADIUS, and upon authentication, their static IP is passed back to the VPN device. I can attach an arbitrary field to my local users by going to System Administration -> Configuration -> Dictionaries -> Identity -> Internal Users, but how do I get that IP address passed back when the user is authenticated via Radius?
View 1 Replies View RelatedI've got a network of several AIR-LAP-1242G LWAPP access points controlled by a 2112 WLC. I assign static IP addresses to each LWAPP, but every few weeks, a couple of them (at random) revert back to grabbing a DHCP-assigned dynamic address for themselves, despite the fact that they're supposedly solidy configured to have static IPs. What's going on here? Is this a bug in their firmware or the WLC's firmware? If I reboot the APs, then they come up with their static IPs, but after running some random number of days/weeks, will spontaneously change their own management IP addresses and grab a DHCP address for themselves.
The 1242G APs version numbers reported by the WLC's web GUI are:
"Software version" 5.2.193.0
"Boot version" 12.4.13.0
"IOS version" 12.4(18a)JA2
"Mini IOS version" 3.0.51.0
The 2112 WLC is running software version 5.2.193.0
Does the WAP4410N support Dynamic VLAN assignment by means of 802.1x authentication?
The reason why I ask this; I am able to configure a SSID on a WAP4410N with WPA2-Enterprise, in combination with 802.1x PEAP network authentication. I can succesfully connect Windows, Windows RT, Windows Phone, iOS and Android devices. But.. I am unable to designate them to another VLAN based on access/connection policies. For example; I want mobile devices such as iPhone and Windows Phone to be assigned to a specific VLAN. The Wireless Access Point (authenticator) must be able to support that.
This is my setup:
Spplicants: Windows 8 / iPad / ...
Authenticator: WAP4410N
Authentication Server: Microsoft NPS (Network Policy Server)
I used 802.1x PEAP (Protected EAP) with password (domain user) authentication. In fact, the suplicants communicate with 802.1x to the authenticator. The authenticator communicates with RADIUS to the authentication server. NAP is not in between. It's just plain 802.1x authentication.
wether dynamic VLAN assignment is supported?
We are using WiSM WLCs and WCS to control a variety of 1131,1142 and 1252 APs utilising AP groups.
I've noticed on WCS that the power of certain APs is at a low setting, even though the APs surrounding them are also at a low setting. This is causing some gaps to appear on the heatmaps. I was under the impression that the WLCs would regulate the AP power to compensate for any gaps. Currently the global TX power level assignment method algorithm is set to automatic every 600 sec.
Now, obviously I could change this to fixed (not ideal as I may not want all my APs to run at max power all the time) or to on demand (also not ideal due to the increased admin).
Is there a way I can verify that the automatic power levels are adjusting as they should? Why are there gaps appearing in my heatmaps?
*NB It's not just the gaps on the heatmaps, I'm getting reports of dropping wireless signals from users hence me looking at the heatmaps and they just happen to correspond.
WLC version 6.0.199.4
WCS version 7.0.172.0
Is it possible to disable DCA for a couple of APs and manually force the channels assignment ?
View 3 Replies View Relatedis it possible with LMS 4.0 and VLAN Port Assignment also to configure auxiliary vlans?
1. I selected Configuration > Workflows > VLAN > Configure Port Assignment.
2. Selected my device (a test switch WS-C3560-8PC-S)
3. Clicked List Ports
All ports were listed, port Fa0/1 has only a native vlan, the ports Fa0/2 - 8 have native and voice vlans (auxiliary) configured manually.
So when I want to configure the voice vlan for Fa0/1 the voice vlan is set as the native one.
Is it only possible to configure the native vlans with the VLAN Port Assignment of LMS 4.0 ?
I am configuring 802.1X in a 3560 Switch, my Radius server is a Microsoft IAS, when I connect a station of a guest user, the guest-vlan is not assigned in the port, and I have these logs:
May 8 21:23:02: dot1x-ev:Received an EAP Timeout on FastEthernet0/8 for mac 0000.0000.0000
May 8 21:23:02: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not
[Code].....
When the users connect their laptop they are getting a authentication prompt but the switch is not changing the VLANs on the port after successful authentication.Below are the logs on the switch
Jan 28 2013 17:21:32.417 CST: RADIUS: Framed-MTU [12] 6 1500
Jan 28 2013 17:21:32.417 CST: RADIUS: Called-Station-Id [30] 19 "E4-D3-F1-0B-C6-0A"
Jan 28 2013 17:21:32.417 CST: RADIUS: Calling-Station-Id [31] 19 "84-8F-69-A8-BD-1D"
Jan 28 2013 17:21:32.417 CST: RADIUS: EAP-Message [79] 45
[code]....
I have a deployment of AIR-CAP35021 APs. They are in 2 buildings with multiple floors. They are installed in a row down the hallways. I want to increase the power levels by using the controller and not configuring the APs individually. I have set the TPC value to -50 but I still do not reach the outer walls of the floors in some areas. I need to know what to set the Max Power Level Assignment or Min Power Level Assignment to to get the APs to power up some more. If the MAX value is 30 and the default is 30 then how to adjust that value?
View 5 Replies View RelatedI have a SG300-28P switch. I just read in the Administration Guide that, when in Layer 3 mode, the switch doesn't support MAC-based VLAN or Dynamic VLAN Assignment.
So, in order to assign a client to a VLAN based on their MAC or based on the response of a RADIUS server, we have to disable layer 3 features. Without layer 3 switching, the switch is unable to act as a default gateway and forward packets between VLANs. As a result, the VLANs can't communicate in any way, or access the internet, unless a separate router is connected to every VLAN. Right? Doesn't this limitation significantly reduce the usefulness of the DVA feature?
I`m working on Dynamic Vlan Assigmenton the basis of end user authenticatedwhoc are part of specific AD Group in c ampus enviorment.Objective: Need to assign the vlan on switch port on the basis of authenticated users OU Group in Active Directory. Eg: There are 2 OU groups in AD, Sales and Administration. Authenticated user in Sales group should get Vlan 10 and user in Admininstration Group shoudl get Vlan 20.
Components:
Cisco 3750x/Cisco 4500
ACS Version 5.2
Microsoft AD