Cisco Switches :: SG300-28 RADIUS Accounting Firmware 1.0.0.27 And 1.1.2.0

Jan 27, 2012

I am using the CISCO SG300-28 with firmware version 1.0.0.27. I enabled RADIUS authentication and accounting. Authentication is working but there are no accounting requests/replys (Accounting on, accounting off, accoun ting start, accounting stop) when running RADIUS in debug mode. I also did a packetcapture and there are no accounting packets.
 
So i updated the firmware image up to version 1.1.2.0. When I now want to configure accounting in RADIUS settings then there isn't any option to set an accounting port.
 
Ich checked the data sheet of the switch and it says that accounting is supported:
 
===============================================
802.1X: RADIUS authentication and accounting, MD5  hash; guest VLAN; unauthenticated VLAN, single/multiple host mode and  single/multiple sessions [URL]
===============================================
 
I did a second packet capture with the new firmware image and there are still no accounting packets.
 
The RADIUS server is configured correct for accounting because when using another NAS like a WLAN-AP with DD-WRT accounting is workings. It is working with pfsense Captive Portal (an open source firewall and routing solution with a hotspot portal).

View 4 Replies


ADVERTISEMENT

Cisco Switches :: SG300 - Telnet And RADIUS Authentication

May 21, 2012

I have an SG300 authenticating telnet login to a RADIUS server.  It allows me to log in at Priv level 1.  when I try and enter Priv 15 mode, I'm prompted for a password which I don't appear to be able to set anywhere or know.
 
If I remove RADIUS and go back to Local authentication, telnet logs me in at Priv15 immediately.

View 3 Replies View Related

Cisco Switches :: SG300-28 - Dynamic VLAN And Free Radius Log

Aug 21, 2012

I am using several SG300-28 Switches with firmware version 1.1.2.0.I have dynamic VLAN enabled. As RADIUS server I am using free radius 2.1.12.Authentication is only based on the MAC address. (I configured that on the switches)On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches). I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just wnat to use the MAC address. 

In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on free radius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the free radius log then this MAC address was successfully authorized.
 
The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN. If I unplug and re-plug the LAN cable in most cases the client get the correct VLAN and the correct IP. This is happening randomly on nearly all my PCs.
 
Do I have to set some timers higher ? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.

View 14 Replies View Related

Cisco Switches :: SG300-20 - Radius Idle And Session Timeout Does Not Work

Jan 25, 2012

I have an SG300-20 here for testing (firmware: 1.1.2.0, boot version: 1.0.0.4, language version: 1.1.1.6 English). Everything seems to work on it, except, that if I choose Radius authentication by mac address only, then the switch does not honor the Idle-Timeout and Session-Timeout attributes from the Radius server (freeradius).
 
The setup is the following: I have a no name access point plugged in to switch port gi1. The port gi1 is set up for Radius authentication by mac address only. The access point itself is authenticated, no problem with that. If I connect through the access point by (say) a mobile phone, it is authenticated, no problem. The radius server does send the Idle-Timeout and Session-Timeout attributes, I checked it by running "freeradius -X", both are set to 30 seconds. Then I turn off the wireless card in my mobile phone and check the dot1x users by "show dot1x users". My mobile phone's mac address remains there for 5-10 minutes, so the Idle-Timeout and Session-Timeout  does not work.
 
Another way I could resolv this problem is by explicitely asking the switch to reauthenticate the user. Unfortunately there is no CLI command to do just that, I can do however a reauthentication on a port using "dot1x re-authenticate gi1" (for example). But it does not work as it is expected: the switch uses the stored mac-address to reauthenticate the user, so nothing changes on the port (unless something changes in the radius server). I think it should work like the following: remove the authenticated user from the port, and whenever that mac address makes some network traffic, then reauthenticate as if it were a completely new connection. BTW: it would work for me also if I could just remove an authenticated user from a port, but I did not find a command to do that.
 
As a last resort I can simply shutdown the port, bring it up again ("shutdown" and "no shutdown" in the interface config), then all users are removed from the port and they all mush reauthenticate. But it causes a network outage for a couple of seconds for all users on that port, on a busy access point it is quite disturbing, and it is not an elegant way to do this.
 
So my actual question is: is there a way to remove an authenticated user either automatically (Idle-Timeout and Session-Timeout) or manually from this switch?
 
I enclose the relevant part of the running config.

interface range gi1-2
dot1x host-mode multi-sessions
exit
vlan database
vlan 2-4
exit

[code]....

View 2 Replies View Related

Cisco Switches :: SG300 On 1.1 Firmware Has Double-Login On SSH

Jan 4, 2012

We just upgraded our Sg300 series switches to the new IOS so we can get CLI access. The upgrade went fine but it seems we have two login prompts, the first being completely unnecessary as you can just hit return to get by it. IE here is the progression: 
 
1. Connect SSH

2. Receive a "login:" prompt. Anything can be entered here, including just return

3. Login banner is displayed

4. Username Prompt is then displayed. Valid username required

5. Password Prompt displayed - Valid password required

6. Now at CLI 1. Connect SSH

I am trying to get rid of that first login prompt (IE Step 2) as it is causing issues with our configuration software. I have tried every line and authentication command I can think of, the only thing that gets rid of it is using none authentication which obviously we can't stay with. how did you get around it?

View 2 Replies View Related

Cisco Switches :: SG300-28P DHCP Server With New Firmware?

Jun 15, 2012

we are looking to use the new firmware's DHCP server feature to setup different DHCP scopes for 5 different VLANs configured on the switch. I see where to turn this on and setup the scope however I can't clearly see where I can assign the specified scope to each VLAN on the switch.

View 6 Replies View Related

Cisco Switches :: SG300-28P DHCP Server With New Firmware

Apr 9, 2013

we are looking to use the new firmware's DHCP server feature to setup different DHCP scopes for 5 different VLANs configued on the switch.  I see where to turn this on and setup the scope however I can't clearly see where I can assign the specified scope to each VLAN on the switch. 

View 1 Replies View Related

Cisco Switches :: SG300 Firmware Upgrade - How To Reload 1.0.0.27 Using CLI

Jul 27, 2011

I've been having a problem with a brand new SG300-10 switch that I posted about yesterday. I checked the firmware and it was at 1.0.0.27 and the lastest is 1.1.0.73. So I backed up the current firmware and loaded the 1.1.0.73 version and it seem to be CLI based only, with no web GUI.
 
If so is there an easy way to reload the 1.0.0.27 using the CLI? There is nothing in the CLI docs that I can see unless it's buried.
 
The release notes for 1.1.0.73 don't say it's CLI only either, maybe something just went wrong but the CLI seems to be functional.

View 2 Replies View Related

Cisco Switches :: SG300-28 In Boot Loop After Firmware Upgrade

Jun 22, 2012

After performing a firmware upgrade on an SG300-20 switch from ver 1.1.0.73  to 1.2.5.70 the switch now boots up with the following error and resets:
 
30-Aug-2011 10:47:33 %L1Mngr-F-PARAMTOOLONG: csco-sb parameter %s is too long.
 
The attached file contains a full output of the console boot process. I have tried loading different versions from the console, but all produce the same error.

View 8 Replies View Related

Cisco Switches :: SG300-20 - Password Lost After Firmware Update V1.2.7.76

Aug 31, 2012

I have a problem. Yesterday I have upgraded both my SG300-20 switches to firmware v1.2.7.76. Now I cannot login on of my switches, unknown username and password. I am absolutly sure I have the password, because they are the same and I just upgraded it. I have re-booted the switch, but without any luck.

View 1 Replies View Related

Cisco Switches :: SG300 / Switching Firmware (Active Image)

Apr 16, 2013

I have a question regarding SG300 series small business switches.If I switch between the two possible images, will the configuration get lost or is the configuration the same independent of which image I choose?

View 1 Replies View Related

Cisco Switches :: Convert SRW2048 Software To SG300 Firmware?

Aug 14, 2011

I believe the SRW series is the same basic hardware as the SG300 series.Is there a way to upgrade the firmware on the SRW series using the SG300 firmware?
 
The SG300 firmware is much more usable. Also I'd rather have consistency as we have the older SRW2024/48 and the newer SG300 switches.

View 2 Replies View Related

Cisco Switches :: SG300-28Ps - 1.3.0.59 Firmware / PoE Indicators No Longer Lit?

Mar 28, 2013

I installed the 1.3.0.59 on a couple of SG300-28Ps.  On the Status and Statistics page, the PoE indicators no longer lit. Physically, on the front of the switch, they did still light.  I didn't yet reboot to factory defaults to see if that clears it, because I don't feel like entering the config again this early in the morning. But I am willing to test that, if needbe.
 
When reverting the image back to 1.2.9.44 (tested) or possibly earlier, the ip default gateway must be re-entered (if it was configured). Even if ip-default gateway x.x.x.x shows up correctly on a 'show run', the switch will not obey it, and on the IPv4 settings page it will report the operational default gateway as blank. This came as a surprise becauset he switch suddenly wouldn't talk to the VPN anymore.

Logging onto the switch locally, going to the IPv4 settings, ticking the radio button back on User Defined and typing it back in cleared that up. It appears this cropped up because the syntax for specifying the default gateway changed in 1.3.x but it's still odd that the config shows correctly in console but not in the gui.

View 19 Replies View Related

Cisco Switches :: SG300-10 / SF302-08P - Missing Mirror Configuration On Firmware 1.1.2.0?

Jan 21, 2012

I have several SG300-10 and SF302-08P switches running with L2-mode, and after I upgraded their firmware to 1.1.2.0, they began to record the following logs every one hour.

- Severity: Warning

- Description: %COPY-W-TRAP: The mirror-config file is illegal due to failure of previous copy operation/s to mirror-config.Also I found that I didn't see the Mirror Configuration file on the Configuration File Table in the Configuration Files Properties page. 

View 6 Replies View Related

Cisco AAA/Identity/Nac :: Command Accounting For Radius On ACS 5.2?

May 26, 2011

is command accounting for Radius supported on ACS 5.2 ? provided vendor's radius implementation supports this capability.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Radius Accounting From ASA And Juniper?

Apr 10, 2013

i changed from ACS 4 to ACS 5.2. Everything works fine but i have authentication failed in the Radius accouting reports every time when users connect through ASA or Juniper into our network. Juniper amd ASA only send accounting informations to ACS. The users are not configured on the ACS, authentication is done via external LDAP. So my question is why do o see authentication error on ACS because Juniper and ASA only send accounting packets ?

View 2 Replies View Related

Cisco Wireless :: WLC 5508 Radius Accounting

Jun 5, 2013

I have a WLAN configured with 802.1x PEAP pointing to an external RADIUS server.  It works fine for the most part, but I'm having problem closing accounting sessions in RADIUS.  I've found this is related to the client table in the WLC.  The user session does not end in RADIUS unless the WLC officially removes the client from the db, which takes 5-6 minutes from what I can see (probably due to the default idle timeout of 300 seconds). 
 
For example:
 
1.  I connect my tablet to the test WLAN.  It associates and authenticates successfully and the WLC sends the accounting info to my RADIUS server, opening up a user session.  If I turn off the wifi in the tablet, the client entry stays in the WLC client table until it times out.  The WLC removes my tablet from the client table after 5-6 minutes, and then the session closes in the accounting table.  I can force the session to close much earlier by manually removing the client from the WLC.
 
2.  Same as #1, but this time instead of turning of the wifi in the tablet, I choose to connect to a different WLAN in the WLC.  The user session in the accounting DB never closes.  If I reconnect back to the original test WLAN with 802.1x, it opens up yet another user session in RADIUS accounting.  Now I have a "dead" user session in accounting that is going to be open forever unless I delete it from SQL.
 
Is this an issue with the end user client not sending the disassociation frame properly, or a config problem with the WLC?  How can I make it so that every time a client drops from an AP or moves to a different WLAN, the WLC would immediately send accounting updates to my RADIUS server and close the user session properly?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Radius Accounting Error Message In ACS 5.3

Jul 2, 2012

I have an error when i try to generate radius accounting.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Database Failure Radius Accounting?

Jul 31, 2012

on the dashboard of the "Monitoring & Report Viewer" I see a lot of system alarms related to the database.The explanation of the alarm says to look at the Collector logs for the details.

View 3 Replies View Related

Cisco VPN :: ACS 5.1 Anyconnect Session Accounting Via Radius Or Syslog

Feb 22, 2013

Need deployed accounting method to log Anyconnect session details ?  Do you do it via a radius server or via logging messages to a syslog server ?
 
Any appropriate configuration ?  I am looking to log successful and unsuccessful authentications as well as session length, log on and log off times.
 
I've been playing around with Anyconnect authenticating to AD via ACS 5.1 but can't seem to get the accounting details I require.  Similarly I have tried to catch appropriate syslog messages but again without much success.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - No Start Records In Radius Accounting Reports

May 26, 2011

I do not see any start records in Radius Accounting reports but do see only Stop records ?
 
btw I am running ACS 5.2

View 2 Replies View Related

Cisco App :: ACE 20 - Set Up Serverfarm For Radius Server To Load Balance Ldap Udp Accounting Packets?

Jan 10, 2013

I have a Cisco ACE 20, and I´m trying to set up a serverfarm for my radius server to load balance ldap udp accounting packets. The ACE has an LDAP authentication probe but I see no native way of setting up an LDAP accounting probe, without resorting to probe scripting.

View 2 Replies View Related

Cisco Switches :: SG300-28 GUI Different Than Online SG300-48 Simulator

Aug 29, 2011

These are our first switches and seems like GUI is lot different than the online. Out intervlan routing is o not working. I am absolutely sure that I setup the switch in L3 mode since it allows me to create mutiple interfaces. I am hoping that this GUI issue is related to interVLAN routing.
 
Below is the blog I started for InterVlan issue [URL]
 
This is the link for online simulator and what I see in its IP tab. I know this switch is not SG300. [URL]
 
This is what I see on our switch.
 
Our switch version
switchd64684#show version                                                                                                                                              
SW version    1.1.0.73 ( date  19-Jun-2011 time  18:10:49 )
Boot version    1.0.0.4 ( date  08-Apr-2010 time  16:37:57 )
HW version    V01

View 1 Replies View Related

Cisco Switches :: SG300-28P And SG300-52 Web Managing - Fans

May 26, 2011

1) I have a Cisco SG300-28P. I plan to add a SG300-52. Would it be possible to manage the new switch through the SG300-28P web browser ?

2) There are 2 fans in the POE model SG300-28P. How many fans are they in the non POE switch SG300-52 ?

View 2 Replies View Related

Cisco Switches :: SG300-28 Uplink To Another SG300-28?

Feb 8, 2012

Can I connect a single Cat5e cable between two SG300-28 and link them?  If so what must I configure?

View 1 Replies View Related

Cisco Switches :: Difference Between SG300-28P And SG300-52

Jul 25, 2012

I have SG300-28P that I am using as layer-3 switch. Recently I ran in to SG300-52 switch and even though loading same firmware doesn't give me option to do layer-3 switching. For SG-300 I see options in GUI to create vlan interfaces under IP information section, while SG300-52 has IP information option only under the management section.let me know if these are 2 different hardware types and L3 is not possible on SG300-52. If its possible to enable L3 switching on SG300-52?

View 2 Replies View Related

Cisco Switches :: Accounting On Small Business SF300-08?

Jun 26, 2012

The "Cisco Small Business 300 Series Managed Switches Administration Guide" and the data sheet indicate that this switch can do accounting requests with a Radius server. On the SF300 switch interface/CLI, there is only the authentication port, the accounting port can not be set (and nothing is sent by the switch to the default port). I suppose that the SF300-08 does not handle accounting. Maybe I have to change for another model.

View 4 Replies View Related

Cisco Switches :: Replacing 3COM 4500 Switches With SG300-52?

Nov 21, 2011

I'm replacing 2 3COM 4500 Swithes with the SG300-52 Cisco switch. We have 3 VLANs, 10, 20, 100. The switch is set for Layer 3 and I have setup DHCP relay. what settings i should set on the Cisco for the following setups:
 
3COM Setup
#
interface GigabitEthernet1/0/1

[Code].....

View 2 Replies View Related

Cisco Switches :: SG300 Switches Have Poor Performance In Layer 3?

Jan 1, 2013

We have several of the SG300 Serices switches. We use them to route VLAN traffic to Remote Offices, Internet Connections, and WiFi Access Points.In one remote office we have a SG300-10 setup to route the HQ Network and the remote Office Subnet. The SG300 is Connected to HQ via Fiber and has multiple Tagged VLANs on it. If I do speed tests over the Fiber Link on the Incoming Tagged Netwotk I get Decent performance, 80Mbs. If I switch to a networtk that is not priginating from HQ, and have the SG300-10 route packet, I get dismal performance. 15-20Mbs.
 
I Fireded up a New SG300-28P FW v1.2.7.76. Added a the HQ VLAN 101 and new VLAN 1025 . Mapped some Tagged and untagged ports for each.  Switch was connected to HQ Network as untagged VLAN 101.  I put a laptop on an Untagged VLAN 101 port. Ran some tests, cam back with 750-850Mbs. Great.  Put the same laptop on a Tagged 101 Port, Configured the NIC for Tagged VLAN 101, Same test, same Speeds, 750-850Mbs.I then  Configured laptop for Tagged VLAN 1025. Connected to tagged VLAN 1025 port. Ran speed tests, resuts were 15-20Mbs!
 
I then  Configured laptop for Untagged VLAN 1025. Connected to unagged VLAN 1025 port. Ran speed tests, resuts were 15-20Mbs!It was only the Laptop and the Connection to the HQ net on the SG300-28P. Why is the performance of this unit soooooo poor when it needs to route?Other Switches have FW v1.0.0.27 or FW v1.1.2.0. They have Similar speed issues. All Configured for Layer 3.

View 10 Replies View Related

Cisco Switches :: SG300 Switches Can Be Used With Microsoft NLB In Multicast Mode

Dec 18, 2011

does the SG300 switches can be used with Microsoft NLB in Multicast mode?I know on traditional Catalyst switches you can statically "map" IP's to mac's and then to multiple ports but this doesn't seem to work correctly on the SG switches - it gives an error about the mac not being not Unicast?

View 2 Replies View Related

Cisco Switches :: VLAN Management Via SNMP On SG300-10 Switches

Aug 7, 2011

Any snmpset commands to add, modify and delete vlan table entries on SG300-10 switches? I checked url... however this information is apparently only valid for catalysts. The latest firmware is installed and the provided MIB files are used.

View 8 Replies View Related

Cisco Switches :: Multiple VLANS And SG300-28P Switches Setup?

Aug 20, 2012

I'm going to have several SG300-28P switches to setup.  I'll need to create multiple vlans for data, voice, and wireless traffic.  I have the following questions in setting up this configuration:
 
VLAN 1 Management
VLAN 100 Data
VLAN 200 Wireless
VLAN 300 Voice 
 
1) For managing the switches via IP, will LAN1 be the default management network?  Should I create a seperate VLAN for managing the switches?
 
2) For uplinking the switches together, I plan to trunk a port to connect the switches together.  What's the configuration on the trunk port to forward all vlans from one switch to another?
 
3) On some ports, I want to configure a trunk for two vlans (Data and Voice) where the phone has a pass through for PC.  The phone supports tagging for the PC and the VoIP traffic.  For example on port 10, would VLAN 100 and 300 be set to tagged?

View 3 Replies View Related

Cisco Switches :: SG300-52 Multiple Lags Between Switches?

Jan 19, 2012

I'm having alot of trouble trying to connect more that one LAG between two SG300-52 switches.Basically i have configured both switches with the same vlans. For 2 of the vlans i would like to connect them together between the two switches using LAG. Switch1 has Vlan 5 (ports 1-12) & Vlan 10 (Ports 25-36) with LAG configured on ports 1-2 and ports 25-26. I have setup the second switch identical to the first. But when i connect the LAG's there is no connectivty. If i disconnect one LAG the other starts working.Can you only have i interconnect LAG between switches?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved