Cisco Switches :: ESW 520 802.1x Re Authentication
Sep 13, 2012
I have problem with ESW 520, on 802.1x authentication. The problem is when host authenticates successfully it works about couple of minutes, after it truest too authenticate again but it lags. On network interface it shows notification that if Failed authentication. On ACS I see only one authentication attempt which is successful. This problem is happening on Win7 and Win XP. If I unplug and plug cable it authenticates successfully, but then about couple of minutes it again lags. Switch sees port as authenticated. On Win7 event viewer I have following error:
I have an issue with the sf-300 switch model, which i am depolying in lapsafe trolleys. The approach is to wake the laptops from the guest VLAN (20) with WOL have them authenticate with 802.1x and use DVA to put the ports in VLAN14 so updates can be pushed to them over night.
I have configured 802.1x, guest vlan and DVA which works initially, all host wake from WOL, the laptops successfully authenticate and are assigned to the VLAN (14). This remains stable for a time then the hosts fail reauthentication. I have also noticed that when a host is disconnected from a port and patched into another port the initial port remains in the authenticated state and the new port authenticates the client but the hostnames are missing on the 'authenticated hosts' page of the GUI, DVA fails. The ports display a port-failure message for a time then moves to failed reauthentication.
The only way I can get it to work again is to reboot the box. From the logs I can see the macs of laptops being rejected and I can also see attribute 26 being ignored. See log below. I am unsure as to why host are initially authenticated but reauthentication fails, is it not the same process?.
I have 11 of these switches and have configured 6 which all display the same behaviour. These switches are not CISCO I do not understand why they have badged them. The protocols/standards are implemented differently. If you incuded 'general ports' as an answer in a CISCO exam you would fail. There are also other issues I have noticed with these boxes, I am not impressed!.
I want to secure my routers & switches using ACS server (win server 2003 platform)i prefer Radius how to set it up lets say my ACS server ip addy 192.168.100.100 & key cisco both how to set up ACS for the router/switch & commands for router/switch ALSO, i wanna keep open a back door. if some ACS server is down, i want, ppl can log into router/switch using SSH (local user/pass) but only when ACS is down?
Currently using Cisco ISE 1.1 to authentication both dot1x and mab from Cisco switches. Both features are authenticating properly.When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators. Could this be an issues with the username/password format in the Radius packet from the Cisco?
We have just purchased 20x SF300-24P switches to be installed at our remote offices and we are unable to get RADIUS authentication to work. We already use RADIUS on all our primary network CISCO switches (e.g. 4506s¸ 3560s, 3750s, AP1231Gs,etc) and these work fine so we know the RADIUS server is working.
We are trying to use RADIUS authentication to gain management access onto these switches. Quite simply although we can see that the RADIUS server is accepting the username and password being sent, however the switch says “authentication failed” when to receives the response. We are using Microsoft NPS RADIUS Clients for authentication purposes.
We have upgrade the switches to the latest firmware 1.1.2.0, via the console it seems to have a very cut down IOS version so we cannot use the typical CISCO command set to configure the RADIUS as we normally would. Looking at the web GUI there seems to be a number of options missing including the Accounting port. When debugging is switch on there is no indication to say that any of the settings have been misconfigured.
The problem is that with any EAP method of authentication that utilizes authentication with a certificate or smart card the switch will somehow impede authentication with the radius server. The EAP Methods I have tried on a SG-300-28P and ESW-540-24p switch are:EAP-TLS, EAP-FAST, PEAP Smart Card, I know that the radius server works because when I switch to a different switch the client works just fine, or if I keep the client on this switch and use any password method (PEAP (MSCHAPv2), MSCHAPv2, EAP-MD5) it also works. In both cases the radius server logged a EAP Timeout. Again this only happens when any EAP method or version of authentication used deals with certificate authentication.Only with the 3 Cisco small business switches we have, have I ran into this problem. The Cisco Aironet and Other Switches (by other manufacturers) work just fine.
I use 802.1x to authenticate the company-network devices - authentication works fine. I do not use dynamic V LAN --> static V LAN-config on 802.1x ports --> authenticated devices have access to the network.
Is it possible to use a guest-V LAN? un authenticated devices should connect to an other v lan than authenticated devices.
One more question: Is MAC-authentication also possible?
I have an SG300 authenticating telnet login to a RADIUS server. It allows me to log in at Priv level 1. when I try and enter Priv 15 mode, I'm prompted for a password which I don't appear to be able to set anywhere or know.
If I remove RADIUS and go back to Local authentication, telnet logs me in at Priv15 immediately.
I have a Catalyst 2960 switch (2960-8TC-L) and running Software version 12.2(53)SE1.I mange to configure SSH to the switch and add addition user as well.Now I need to configure this switch password less log in with public key SSH authentication.
I configured several Linux servers and Workstations for the public key SSH authentication.So far I could not figure out how to do this in CISCO switch. Following link {URL} how to do this.But ip ssh pub key- chain command never work showed invalid command.
We are deploying the ISE MAC address authentication by-pass (mab) feature in our network as an alternative to port security on the switch port. Works well except for certain devices e.g. printers, snmp modules, and Unix/Linux Operating systems which can range from 5-10 minutes to never in authentication/opening the port.
I have configured a Microsoft Server 2008 R2 with Radius Server and connect it with a Cisco SG300 Switch.
If a new device connect to the switch it goes automatically to the guestnet. If a device with the correct certificate and a valid useraccount connect to the switch, the deivce goes in to the local company network.
Now my problem: If I connect a device which is in the domain and which have installed the correct certificate and want to login with a new domain user (which is not cached in windows) I can not login.
The following message appears: "There are Currently no Logon Servers Available"
I think the problem is that the authentication process only starts after a user have succsess logged in in windows.
Now I search for a solution which allows me to conntact the Logon Server for Domain Login before the User has logged in.
configuring 802.1x authentication on ACS 5.1.0.44 & Catalyst 2960S switches.All the documents i have found seem to have incorrect screen shots or missing steps.I have found a doc external to Cisco [URL]however this just hangs when attempting to complete the task in figure G.The other docs are for configuring IBNS & assume that 802.1x is already configured.
We are setting up a new office and I am trying to get RADIUS setup for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung on what I think on something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius server 10.15.10.20 auth-port 1812 acct-port 1813 ! aaa authentication login default group corp-radius local aaa authentication login radius-localfallback group corp-radius enable aaa authorization exec default group radius
I am trying to get to work Web-based authentication on Catalyst 2960 and 3560 for clients that don't support dot1x. I followed this guide. Here's the problem: Client (win7) joins the network, opens the web browser and tries to navigate to any http site. The switch forces him the "login" page in which he has to enter credentials. After the client enters credentials, the switch sends http 500 internal server error page and nothing happens. Doesn't matter if the credentials were correct or not. Also i checked radius logs for requests, the switch doesn't even ask radius.
The configuration:
sh ip admission configuration Authentication Proxy Banner not configured Consent Banner is not configured
I want to configure IEEE 802.1x port-based authentication on cisco switches, preferable 2960 series. Which models support this feature?. I have try with some older switches but it doesn't works properly on everyone. I have upgraded them whitout better results, there is namely an issue with TLS handshaking on some switches which produces authentication to fail.
If I have two stackable switches one switch uplinks to one 6509 core switch and the other connection uplinks to another 6509 core switch, and also the other stackable switch does not connect to the core switches. Because I am using hsrp and also we are not using vss then one uplink to the core is not in used only ones is so then how does creating an etherchannel between does two uplinks to both core switches benefit me in anyway such as more bandwith and using both uplinks at the same time or I'm I wrong?
Vlan 10 is the management VLAN, and it uplinks to our border router.Vlan 20 is the workstation VLAN, and all workstations point to the switch as their default GW? Vlan 30 is the ip phone VLAN, and all phones use this as their gateway.
I would like to put a LAG between said switches, we have some servers on the ip phone switch that need to be accessed by the workstation clients, and the single 100mb link through the router is probably not going to be enough.As I understand it, because the switches have different networks on them, a simple lag will not work. I did create a lag, and assign ip addresses to each side, however in that mode, it doesn't appear I can block vlan 10 from transiting the LAG, and with out that block I will end up with a logical loop, and spanning-tree will block one of the uplinks, or the LAG itself.
If I have two stackable switches were only one stackable switch has two uplinks one uplink goes to one core 6509 switch and the other uplink goes to the other 6509 core switch can a Layer 3 etherchannel be used if each uplink go to a different core switch, by the way hsrp is running between both switches and also can you give an example how data will be routed from the stackable switch through the ethernetchannel to one of the core switch accross the WAN to another core switch?
I have a stack of 6 switches and I want to add another over the gbit connector using fiber. I already connected but I can acces the network from the new switch. I don't have any issues on my Stack all resources are available Do I need to do some special setup or connection to enable this? Can be stacked like the others? I already usen the 2 stacking port can i Add another switch?
we just received 5 new SF200-48 Smart Switches for small business. I noticed only way I can configure them is by using the web gui. Is there a way to enable good old CLI?
now we have 2 switches: SF300-24..on one SF300-24 we config it at layer 3 mode with VLAN configuration same as following [code] And we use port 26 on 2 switches SF300-24 is trunk mode then we connect both SF300-24 switches.But on SF300-24 layer 2 cann't inderstand VLAN from Sf300-24 layer 3..How to config VLAN on 2 switches SF300-24 Layer 3 and SF300-24 layer 2?
I was looking for configuring QOS for two VLANS i have created. these will be for voice traffic vlan 22 and video traffic vlan23. i also have three other vlans for pc's, wireless devices and our cnc machines. we have 5 switches that are all SG30028P's with a single switch doing the intervlan routing (operating at layer 3). all of the switches are trunked back to the main switch and ive been through the guide written on how to do this on a single switch which i dont think is layer 3.
I'm replacing 2 3COM 4500 Swithes with the SG300-52 Cisco switch. We have 3 VLANs, 10, 20, 100. The switch is set for Layer 3 and I have setup DHCP relay. what settings i should set on the Cisco for the following setups:
I'm setting up an SNMP poller to retrieve the ARP table (ipNetToMediaPhysAddress) from my SF300 switches. I can retrieve the table from SF300-24P and SF300-48P switches running Firmware Version 1.0.0.27, but get garbage for the MAC address when retrieving that same table on the same model switches running Firmware Version 1.1.1.8. Is there an outstanding defect on this code level? How can I retrieve the table showing the IP address to MAC address mappings?
We have several of the SG300 Serices switches. We use them to route VLAN traffic to Remote Offices, Internet Connections, and WiFi Access Points.In one remote office we have a SG300-10 setup to route the HQ Network and the remote Office Subnet. The SG300 is Connected to HQ via Fiber and has multiple Tagged VLANs on it. If I do speed tests over the Fiber Link on the Incoming Tagged Netwotk I get Decent performance, 80Mbs. If I switch to a networtk that is not priginating from HQ, and have the SG300-10 route packet, I get dismal performance. 15-20Mbs.
I Fireded up a New SG300-28P FW v1.2.7.76. Added a the HQ VLAN 101 and new VLAN 1025 . Mapped some Tagged and untagged ports for each. Switch was connected to HQ Network as untagged VLAN 101. I put a laptop on an Untagged VLAN 101 port. Ran some tests, cam back with 750-850Mbs. Great. Put the same laptop on a Tagged 101 Port, Configured the NIC for Tagged VLAN 101, Same test, same Speeds, 750-850Mbs.I then Configured laptop for Tagged VLAN 1025. Connected to tagged VLAN 1025 port. Ran speed tests, resuts were 15-20Mbs!
I then Configured laptop for Untagged VLAN 1025. Connected to unagged VLAN 1025 port. Ran speed tests, resuts were 15-20Mbs!It was only the Laptop and the Connection to the HQ net on the SG300-28P. Why is the performance of this unit soooooo poor when it needs to route?Other Switches have FW v1.0.0.27 or FW v1.1.2.0. They have Similar speed issues. All Configured for Layer 3.
does the SG300 switches can be used with Microsoft NLB in Multicast mode?I know on traditional Catalyst switches you can statically "map" IP's to mac's and then to multiple ports but this doesn't seem to work correctly on the SG switches - it gives an error about the mac not being not Unicast?
We have a project in which we are using 34 Cisco SG200-18's each with a MGBLX1 (LC Single Mode Fiber) SFP mini-GBIC.All the fiber's come back to one building where we must "bridge" all 34 fiber connections. What hardware should be used to accomplish this? A L2 switch? For example, a 12 port SFP Switch with Fiber SFP's accepting the first 12 fiber connections, then other switch with SFP for the next 12 and so on, until there is a overall capacity of 36 and having patch cables between the 3 switches?
what cisco or non cisco hardware would work with these SF200-18's to accomplish this?
Any snmpset commands to add, modify and delete vlan table entries on SG300-10 switches? I checked url... however this information is apparently only valid for catalysts. The latest firmware is installed and the provided MIB files are used.
I looking to buy SGE 2010 swith, but I have some question:
1. Can I use 4 SFP ports and stack of two switches at the same time. 2. Is it possible to use for stacking ports other than 24, 48? 3. What is maximum possible number of ports to use for stacking (can I get more than 1Gb thruput).
I'm going to have several SG300-28P switches to setup. I'll need to create multiple vlans for data, voice, and wireless traffic. I have the following questions in setting up this configuration:
1) For managing the switches via IP, will LAN1 be the default management network? Should I create a seperate VLAN for managing the switches?
2) For uplinking the switches together, I plan to trunk a port to connect the switches together. What's the configuration on the trunk port to forward all vlans from one switch to another?
3) On some ports, I want to configure a trunk for two vlans (Data and Voice) where the phone has a pass through for PC. The phone supports tagging for the PC and the VoIP traffic. For example on port 10, would VLAN 100 and 300 be set to tagged?
We had a SGE-2010, just purchased 2 (two) SGE-2010P. I want to stack the switches (all 3) (unless there is a better way). Not sure what is needed hardware wise, and how to physically wire the switches. Had switches years ago (diff brand) that used a special cable that connected the switches. It seems that is not the case here. I have not used fiber in networking before so I am new to that part, I’m willing to learn, just need pointed in the right direction.Can all three switches be stacked, (1) SGE-2010 & (2) SGE-2010P? I THINK I need to use the GBIC port 4 to stack, I understand 1 port is enough if two switches are used, but what about three or more switches.What are the other GBIC ports used for? Will I be better off (can I ) use the GBIC ports LAG (2 ports) to the other switches? Or would regular ports work just as well?
I'm having alot of trouble trying to connect more that one LAG between two SG300-52 switches.Basically i have configured both switches with the same vlans. For 2 of the vlans i would like to connect them together between the two switches using LAG. Switch1 has Vlan 5 (ports 1-12) & Vlan 10 (Ports 25-36) with LAG configured on ports 1-2 and ports 25-26. I have setup the second switch identical to the first. But when i connect the LAG's there is no connectivty. If i disconnect one LAG the other starts working.Can you only have i interconnect LAG between switches?
