Cisco Security :: 3750 Switch Not Forwarding EAPoL To RADIUS Server
May 27, 2010
I have a 3750 switch stack running version 12.2(53)SE2 IPBASEK9-M. I have dot1x configured on the switch and have a Windows 7 PC connected with 802.1x configured on the interface. I see the EAPoL start message from the PC, but I don't see any RADIUS packets from the switch to the RADIUS server. I have a simple dot1x config just to try to get it working prior to adding additional features such as guest-vlan...
Config and debug file attached.
I don't know if the ip dhcp snooping and arp inspection configuration is causing an issue with this or not. I see the EAPoL packet received on the switch as seen in the debug attachment, but I still never see the RADIUS packet. I did set both to trust on the interface but still the same outcome. I can't disable it since it is a production switch with a test interface.
View 5 Replies
ADVERTISEMENT
Aug 13, 2012
'm able to setup my 3750e switch to login through a radius server with my company user id and password but would like to be able to set it up that when I log in it drops me on the enable prompt. Right now I have to type >en.Then the enable password.
View 1 Replies
View Related
Feb 24, 2013
There are two Win7 SP1 PCs (A & B), plugged in to a 3750-x (v12.2-58-SE2), on ports 33 and 41.
The ports are configured for 802.1x, auth order of MAB then Dot1x. Priority is Dot1x, MAB. The config is the same on both ports (verified at show run all).
When either PC is plugged in to port 33, everything works as I expect. Client sends an EAPoL message, gets a response, and is authenticated. When PC A is plugged in to port 41, same correct result. When PC B is plugged into port 41, the client sends an EAPoL start, and the switch never replies.
If port 41 has the authentication order changed to dot1x then MAB, PC B works fine.
View 3 Replies
View Related
Aug 13, 2012
I'm able to setup my 3750e switch to login through a radius server with my company user id and password but would like to be able to set it up that when I log in it drops me on the enable prompt. Right now I have to type >en.Then the enable password.
View 1 Replies
View Related
Nov 14, 2012
We have configured following commands on switch to fallback to local Vlan if both radius server (policy persona's) is found dead. For test purpose we shutdown both servers (policy persona's) but fallback didn't work. We have 3750 switch running image 12.2(55)SE6 having following configuration.We do not know whether we configured switch in proper way or do we need to modify it. [code]
View 5 Replies
View Related
Nov 6, 2012
I have a 3750 catlyst switch in my network and it is like a distubation switch,And for the nating and dhcp nomadix is using as gateway in the same network. for one of my local PC i need to config the port forwarding in 3750 switch. How to config the port forwarding on 3750 switch,
View 3 Replies
View Related
Apr 13, 2011
I can authenticate between our MDS 9216i switch and RSA radius server but my role does not come across. The logged in user is a network-operator not admin. In the AV Pair i have defined shell:role*network-admin but it doesnt seem to come across
View 4 Replies
View Related
Apr 20, 2005
I am configuring TACACS Authentication on Cisco 3550 switch .It has Version 12.2(25)SEA IOS image. A strange thing is happening, whenver I am enabling AAA new-model on this switch, and then after enabling I see ruuning-config . It shows me this
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
no tacacs-server directed-request
tacacs-server key 7 xxxxxx
radius-server source-ports 1645-1646
* included here to hide the specific information I dint specified any RADIUS server , why it is showing me radius-server source-ports 1645-1646 after enabling AAA New-Model As soon as i give "no aaa new-model", this parameter also vanishes. I think this is the only reason I am not able to do tacacs authentication.
View 9 Replies
View Related
Dec 29, 2011
I have an ASA 5510 that I want to connect to 2 isp (one of my private network uses the isp1, and all others the isp2). Excluding the 5510 does not accept PBR(policy based routing), i saw that you could put a router, like cisco 2811 in front of the ISP. my questions are : can i put a switch 3750 in place of the 2811 router? , I have vpn connections in isp1, this architecture is compatible?
View 2 Replies
View Related
Jan 8, 2012
I have a 1250 AP connected to an Switch Cisco 3750. We have a SSID(v lan 1 - native) which get an IP Address from our DHCP Server(located in a Windows 2003 server). I added a new SSID in VLAN 2 and I would like no to use the DHCP Server but to make the AP get an IP Address from the pool I created in the own AP (ip dhcp pool Guest) but every time I try to connect the new v lan, it doesn't get an ip address.
Follow the settings of the AP.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
[Code]...
View 10 Replies
View Related
Aug 1, 2012
We have Dell M6220 blade server that server is connected to cisco 3750 switch. I am trying to configure LACP in 3750 for two port which are connected to Dell M6220 server switch. The channel-group 2 mode active commande is not taking then its showing the error protocol mismatch and if i run show int port-channel 2 command the port channel status is showing down. The Dell server switch is on simple mode. below i have attached the required details.
Switch#show int port-channel 2
Port-channel2 is down, line protocol is down (notconnect)
Hardware is EtherChannel, address is 0000.0000.0000 (bia 0000.0000.0000)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
[code]...
View 2 Replies
View Related
Feb 27, 2012
When I upgraded my cisco 3750 ME from c3750me-i5k91-mz.122-46.SE to c3750me-i5k91-mz.122-58.SE2.bin all commands for radius disappeared? However, there are a lot of commands to ldap which was missing in the previous version. Seems as if the radius has disappeared and been replaced by ldap?
View 1 Replies
View Related
Feb 21, 2012
I have had several complaints from around the firm where by mobile devices are being bumped off the PSK secured network (All other SSID networks are operating A-OK). Both Android and iPhone devices are being affected, the device will just loop until it reconnects, sometimes up to 20 minutes of trying to establish a connection. It will eventually connect so the key is not the issue.I've attached a debug of a device which fails to connect and then shortly after is successful.
Controller 5508 v7.0.116.0
AP 3502i IOS 12.4(23c)JA2
View 4 Replies
View Related
Sep 19, 2012
We are setting up a new office and I am trying to get RADIUS setup for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung on what I think on something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius
[code]....
View 4 Replies
View Related
May 4, 2011
is there a way to assigen a QoS service policy via Radius to an Caltalyst 4500/3750 Switchport?
in detail, we would like to assign this policy
policy-map SET_EF class class-default set dscp ef
to an interface. All traffic should be marked with a defined DSCP value.
This works find when doing it statically with
interface FastEthernet2/1 service-policy input SET_EF
but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get differnt policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k [URL]
unfortunately this seems to not work on Catalyst 45k and 37k.
In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
it is interesing that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayd - so for my understanding the switch should understand these attibutes (?)
4503-E#sh aaa attributes AAA ATTRIBUTE LIST: Type=1 Name=disc-cause-ext Format=Enum Type=2 Name=Acct-Status-Type Format=Enum
[Code]......
View 1 Replies
View Related
Jan 6, 2013
I recently got a refurbished external (USB) wireless adapter by Netgear. It's the WNA3100 but who knows what they did to it while refurbishing it.
I tried using it to connect to the wireless network at my university, and I got the above-displayed error. So what's the deal? This RADIUS thing is not a new technology, right? So any modern wireless adapter should be able to handle it. Why would this thing not support it?
Secondly, if it doesn't work, that's alright. I need a second wireless adapter anyway, so I could use this one at home where the RADIUS thing is not an issue. But how do I make sure this does not happen again with another one that I buy? I can't seem to find anywhere in the specs anything about this compatibility. For instance, I believe I want to get this one next:URL
View 15 Replies
View Related
Feb 28, 2011
My company ordered NAC and ACS 1120 My question is Can i configure 802.1X security through ACS server and NAC in layer 2 Inband Virtual Gateway.for campus switches.Is it the good design to have double security for switch ports. 1st is 802.1X and 2nd is NAC in layer 2 INBAND VG?
View 1 Replies
View Related
May 1, 2012
Any free radius server for lab purpose?
View 5 Replies
View Related
Jan 25, 2012
Does anyone have or know of a tried and true method of configuring a Windows Server 2008 box to provide authentication/accounting services for Cisco devices. I've read a few websites already and a lot of them seem to be geared toward VPN and some of the settings each site goes through are different.I've got NPS installed and a RADIUS client configured with the shared key. Right now I'm in the process of creating the Network Policy which only allows a Windows "admin" group to log in. Curious about the "Constraints" section where the NAS Port Type is selected and the "Settings" section where the service-type and vendor specific options are configured.
View 18 Replies
View Related
Oct 15, 2012
How to configure Radius server on router in packet tracer
View 1 Replies
View Related
Jun 8, 2011
i have problem with my 3 new cisco AP1252AG and Radius server (windows 2000 IAS).On the 3 AP, i have two ssid :,One with Wpa pre-shared key,the other one with EAP/radius,the one with preshared key works well but the other have some trouble, here is the error message ,i have check the shared secret in radius and ap and it's ok.The error appears randomly.
View 1 Replies
View Related
Nov 2, 2011
i have an issue to connect a trunk between cisco switch and extreme switch i have many vlans that i want to cross via a link between cisco 3750 switch and a Extreme Alpine 3800 switch
View 12 Replies
View Related
Dec 15, 2011
I have a non-cisco router with a public WAN address. This is conencted to a 3750 switch internally. The switch is the default gateway for all VLANs, and the gateway router has static routes back to the 3750. The Router provides NAT, no NAT is done on the switch.My requirement is to port forward port 29 000 so that I can access a server on VLAN4 via this port.
So, I have: Router: Port 29000 map to 192.168.4.1 (Switch VLAN4 address)
The question is, how do I route port 29000 from the 3750 to the server on 192.168.4.42 ? what exactly I should add in order to port forward port 29000 incoming form my router, to my server on 192.168.4.42.
View 17 Replies
View Related
Sep 2, 2012
which is the best RADIUS server for 802.1x wired authentication?
View 1 Replies
View Related
May 13, 2013
I am trying to configure a WAP4410N, with latest firmware, for disabled security (i.e.: no WEP/WPA, user passwords etc) but enable MAC authentication control using RADIUS.If I test the WAP using disabled security and disabled authentication control, the WAP works fine. When I enable the RADIUS MAC authentication (ensuring I have entered the correct RADIUS server details) nothing happens, the WAP connection just fails. Also, the RADIUS server doesn't log any attempts from the WAP to connect.Is there a known problem with this WAP simply not working with RADIUS under this configuration?
View 1 Replies
View Related
Mar 7, 2012
I am testing a Aironet1040 in AP setting. During the process of trial run of GUI on this 1040, I saw a local radius setting and it can set something like FAST-EAP.
Is it after using this setting (plus other steps), I can set this Aironet1040 as an AP with the capability of simple Radius Server for authentication purpose?
If not by this way as I mentioned above, can Aironet1040 be set as simple Radius Server? This is because if it can set as simple Radius Server and not need to work with an external Radius Server, that would be great and save trouble to find another server.
View 5 Replies
View Related
Jan 24, 2013
I am currently trying to get eap-tls user certificate based wireless authentication working. The mismatch of guides im trying to follow has me coming up trumps with success so far.
My steps for radius:- (i think this part ive actually got ok) [URL]
Steps for the wireless profile on a win 7 client:- this has me confused all over the place [URL]
My 1130 Config:-
[code]
Current configuration : 3805 bytes
!
! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
[Code].....
View 14 Replies
View Related
Oct 28, 2012
I have a 2811 router and how to configure a RADIUS server using the CLI.
View 3 Replies
View Related
Nov 19, 2012
We are retiring our current radius server. It is windows 2003 IAS server (also a DC) that we use for 802.1X authentication. We are moving to server 2008r2. I have already installed NPS and Network Authentication services on the server.
On the existing IAS server I exported the settings (using iasmig reader.exe) and was able to import the profiles (I see the 5500 as a radius client etc) Our 5500 is still pointing to the old server.
Is it as simple as changing the ip of the RADIUS server to point to the new server? It looks like I actually have to add the new server and create a new pres hared key on the NPS server but only find documents on adding a new 5500 (vs flipping it to a new NPS server).
View 9 Replies
View Related
Mar 6, 2013
Can the 2504 WLC be configured to work with one RADIUS Server for Authentication of Management Users and with a second server for 802.1x EAP-TLS certificate authentication for the end users.
Management Users will authenticate on RADIUS Server 1.Wireless End users will request 802.1x EAP-TLS authentication certificate from AAA server 2.
View 5 Replies
View Related
May 18, 2011
getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC. Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
View 2 Replies
View Related
Apr 7, 2013
Is there any way to set up our ISE to provide Radius instead of acting as Radius Proxy? In our Company we use ACS 4.2 to provide AAA via Tacacs+ and this works proper with all our Cisco-Switches. Now we are testing the ISE 1.1.1 as NAC-Solution.
I know how to set up the ISE as 'Radius Proxy', configuring the Sequences and Policies, but till now we are using only Tacacs+ for AAA. The current version of ISE does not support Tacacs+ and I don't want to set up a Radius-enviroment in ACS if not necessary. Somewhere ( I think the specs) I read, the ISE is a merge of ACS and NAC. So in my Opinion there should be a way to provide AAA via Radius on the ISE without ACS and without 'Radius Proxy'.
View 2 Replies
View Related
Nov 18, 2012
I have two 3750-X configured to be a stack and I am planning to re-rack these somewhere else. What I would like to know is what are the effects of having the master switch itself lose power? Does it immediately just make the member take over master (there should be no election since there are only 2 switches??) and there would be no loss of connectivity?
View 1 Replies
View Related
