Cisco Switches :: Sf-300 48port Failing 802.1x Re-authentication?
May 11, 2011
I have an issue with the sf-300 switch model, which I am deploying in lapsafe trolleys. The approach is to wake the laptops from the guest VLAN (20) with WOL, have them authenticate with 802.1x and use DVA to put the ports in VLAN14 so updates can be pushed to them overnight.
I have configured 802.1x, guest vlan and DVA, which works initially: all hosts wake from WOL, the laptops successfully authenticate and are assigned to the VLAN (14). This remains stable for a time, then the hosts fail reauthentication. I have also noticed that when a host is disconnected from a port and patched into another port, the initial port remains in the authenticated state and the new port authenticates the client, but the hostnames are missing on the 'authenticated hosts' page of the GUI, and DVA fails. The ports display a port-failure message for a time, then move to failed reauthentication.
The only way I can get it to work again is to reboot the box. From the logs I can see the macs of laptops being rejected and I can also see attribute 26 being ignored. See log below. I am unsure as to why hosts are initially authenticated but reauthentication fails; is it not the same process?
I have 11 of these switches and have configured 6, which all display the same behaviour. These switches are not CISCO; I do not understand why they have badged them. The protocols/standards are implemented differently. If you included 'general ports' as an answer in a CISCO exam you would fail. There are also other issues I have noticed with these boxes; I am not impressed!
View 3 Replies
Feb 8, 2013
How to configure SF300 48port switch as DHCP Server or not.
My Configuration as below
I have 8 vlans configured in SF300 (SVI with ip address). Is it possible to configure dhcp server, and how can I apply access-list to restrict with other vlans?
View 6 Replies
Feb 16, 2012
I am not sure why but when I try to connect with my IPSEC VPN client, authentications are failing. The ldap test passes on the ASA but when I try to login, the VPN client gives me authentication failure even though debugs show authentication was successful. User 'test1' should be able to authenticate based on group membership. User 'test2' shouldn't be able to. I already removed the attribute-map to see if that was the problem but I am still failing authentication.
View 9 Replies
Jan 5, 2012
ACS 5.1 is failing to authenticate tacacs authentication to the ASA firewall, getting
View 6 Replies
May 2, 2012
I have a new 2911 that I am trying to bring up but local authentication is failing. I know I have typed the username and password correctly but no go. When I try to http in it is failing as well. I even created a "Cisco, Cisco" account. I have a console connection and even that is failing.
View 4 Replies
Mar 3, 2012
I'm somewhat new to ACS and am trying to complete a migration from 4 to 5.3. Currently, I've got ACS joined to my (2003) domain, and it shows status connected (although the test connect fails). I have aaa working without issue for TACACS, but all RADIUS authentication is currently failing. Logs show the message below: "24401 could not establish connection with acs active directory agent". I'm not seeing anything telling in the logs on the domain controllers.
View 1 Replies
May 5, 2011
I just purchased and installed this switch. It has firmware version 1.0.0.19 with boot version 1.0.0.1. I want to update the firmware to 2.0.0.8. Perhaps I am not doing something correct because when I try to update it I receive an error message that tells me the file is an illegal software format. Here is what I did. Under file format went to update firmware, select http, update, then chose the 2008.ros file. Start the upgrade but it fails.
View 1 Replies
Jun 11, 2013
We have an issue where switches are failing weekly in a switch closet. In the past month we have gone through several 3750G switches and a couple 4510s. The power supplies have eventually made a popping noise and had to be replaced. On the 4510s we've tried two chassis and gone through several power supplies. The switches have been behind UPS systems so should be receiving conditioned power. Could load from the PoE devices really be causing this? I wouldn't think it's power since they are behind a UPS.
View 5 Replies
Jul 24, 2011
The connection of the computer before is activating. After how many days of using, it loses the internet connection. What is the possible reason for this?
View 1 Replies
Sep 13, 2012
I have a problem with ESW 520, on 802.1x authentication. The problem is when a host authenticates successfully it works for about a couple of minutes, after that it tries to authenticate again but it lags. On the network interface it shows a notification that it failed authentication. On ACS I see only one authentication attempt, which is successful. This problem is happening on Win7 and Win XP. If I unplug and plug the cable it authenticates successfully, but then after about a couple of minutes it again lags. Switch sees port as authenticated. On Win7 event viewer I have the following error:
Reason: 0x70004
Reason Text: The network stopped answering authentication requests
Error Code: 0x0
If I connect same hosts on Catalyst 2960 switch, they work successfully.
View 2 Replies
Nov 26, 2011
I want to secure my routers & switches using ACS server (win server 2003 platform). I prefer Radius. How to set it up? Let's say my ACS server ip addy is 192.168.100.100 & key cisco. Both how to set up ACS for the router/switch & commands for router/switch. ALSO, I wanna keep open a back door: if some ACS server is down, I want ppl to be able to log into router/switch using SSH (local user/pass), but only when ACS is down?
View 4 Replies
Aug 21, 2012
Currently using Cisco ISE 1.1 to authenticate both dot1x and mab from Cisco switches. Both features are authenticating properly. When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators. Could this be an issue with the username/password format in the Radius packet from the Cisco?
View 5 Replies
Feb 19, 2012
RADIUS authentication SF300-24P
We have just purchased 20x SF300-24P switches to be installed at our remote offices and we are unable to get RADIUS authentication to work. We already use RADIUS on all our primary network CISCO switches (e.g. 4506s, 3560s, 3750s, AP1231Gs, etc.) and these work fine so we know the RADIUS server is working.
We are trying to use RADIUS authentication to gain management access onto these switches. Quite simply, although we can see that the RADIUS server is accepting the username and password being sent, the switch says "authentication failed" when it receives the response. We are using Microsoft NPS RADIUS Clients for authentication purposes.
We have upgraded the switches to the latest firmware 1.1.2.0. Via the console it seems to have a very cut down IOS version so we cannot use the typical CISCO command set to configure the RADIUS as we normally would. Looking at the web GUI there seems to be a number of options missing including the Accounting port. When debugging is switched on there is no indication to say that any of the settings have been misconfigured.
View 33 Replies
Jan 26, 2012
The problem is that with any EAP method of authentication that utilizes authentication with a certificate or smart card the switch will somehow impede authentication with the radius server. The EAP Methods I have tried on a SG-300-28P and ESW-540-24p switch are: EAP-TLS, EAP-FAST, PEAP Smart Card. I know that the radius server works because when I switch to a different switch the client works just fine, or if I keep the client on this switch and use any password method (PEAP (MSCHAPv2), MSCHAPv2, EAP-MD5) it also works. In both cases the radius server logged an EAP Timeout. Again this only happens when any EAP method or version of authentication used deals with certificate authentication. Only with the 3 Cisco small business switches we have, have I run into this problem. The Cisco Aironet and Other Switches (by other manufacturers) work just fine.
View 2 Replies
Jun 14, 2011
I use 802.1x to authenticate the company-network devices - authentication works fine. I do not use dynamic VLAN --> static VLAN-config on 802.1x ports --> authenticated devices have access to the network.
Is it possible to use a guest-VLAN? Unauthenticated devices should connect to another VLAN than authenticated devices.
One more question: Is MAC-authentication also possible?
Switch: SLM2008T V01
Firmware is: 1.0.1.0
View 1 Replies
May 21, 2012
I have an SG300 authenticating telnet login to a RADIUS server. It allows me to log in at Priv level 1. When I try and enter Priv 15 mode, I'm prompted for a password which I don't appear to be able to set anywhere or know.
If I remove RADIUS and go back to Local authentication, telnet logs me in at Priv15 immediately.
View 3 Replies
Apr 13, 2010
I have a Catalyst 2960 switch (2960-8TC-L) and running Software version 12.2(53)SE1. I managed to configure SSH to the switch and add an additional user as well. Now I need to configure this switch for passwordless login with public key SSH authentication.
I configured several Linux servers and Workstations for the public key SSH authentication. So far I could not figure out how to do this in CISCO switch. Following link {URL} shows how to do this. But the ip ssh pubkey-chain command never worked; it showed invalid command.
View 2 Replies
Dec 6, 2011
I am unable to successfully authenticate my SG200 to either a Cisco ACS or Windows2008 RADIUS server. (C3750x on the same network authenticates fine).
Q1. Is this feature (management login authentication to a RADIUS server) supported on the SG200?
Q2. If so, is there any configuration guidance available for both the SG200 and CSACS / WindowsServer2008 NPS?
I have not got as far as 802.1x authentication yet, but a config example of this would also be useful.
View 1 Replies
May 9, 2013
We are deploying the ISE MAC address authentication by-pass (mab) feature in our network as an alternative to port security on the switch port. Works well except for certain devices e.g. printers, snmp modules, and Unix/Linux Operating systems which can range from 5-10 minutes to never in authentication/opening the port.
View 2 Replies
Oct 11, 2012
I have configured a Microsoft Server 2008 R2 with Radius Server and connected it with a Cisco SG300 Switch.
If a new device connects to the switch it goes automatically to the guestnet. If a device with the correct certificate and a valid user account connects to the switch, the device goes into the local company network.
Now my problem: If I connect a device which is in the domain and which has the correct certificate installed and want to login with a new domain user (which is not cached in Windows) I cannot login.
The following message appears: "There are Currently no Logon Servers Available"
I think the problem is that the authentication process only starts after a user has successfully logged in to Windows.
Now I am searching for a solution which allows me to contact the Logon Server for Domain Login before the User has logged in.
View 1 Replies
Mar 22, 2012
configuring 802.1x authentication on ACS 5.1.0.44 & Catalyst 2960S switches. All the documents I have found seem to have incorrect screen shots or missing steps. I have found a doc external to Cisco [URL]; however, this just hangs when attempting to complete the task in figure G. The other docs are for configuring IBNS & assume that 802.1x is already configured.
View 1 Replies
Sep 19, 2012
We are setting up a new office and I am trying to get RADIUS set up for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung up on what I think is something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius
[code]....
View 4 Replies
Apr 2, 2013
I am trying to get Web-based authentication to work on Catalyst 2960 and 3560 for clients that don't support dot1x. I followed this guide. Here's the problem: Client (win7) joins the network, opens the web browser and tries to navigate to any http site. The switch forces the "login" page on him, in which he has to enter credentials. After the client enters credentials, the switch sends an http 500 internal server error page and nothing happens. Doesn't matter if the credentials were correct or not. Also, I checked radius logs for requests; the switch doesn't even ask radius.
The configuration:
sh ip admission configuration
Authentication Proxy Banner not configured
Consent Banner is not configured
[Code].....
View 6 Replies
Aug 14, 2011
I want to configure IEEE 802.1x port-based authentication on Cisco switches, preferably 2960 series. Which models support this feature? I have tried with some older switches but it doesn't work properly on every one. I have upgraded them without better results; there is namely an issue with TLS handshaking on some switches which causes authentication to fail.
View 1 Replies
Jan 13, 2011
When I select Job Browser I get the following crash. LMS 3.2, server has been restarted but I continue to get the error. [code]
View 4 Replies
May 1, 2011
I'm running a Cisco 891. It has both crypto maps and ipsec VTI's running on the external interface. The crypto maps are for sites that do not have a cisco router and the Tunnels are for the sites that use crypto maps work perfectly fine. But I much prefer using tunnels as it gives a routable interface, ospf works, etc.
The tunnel interfaces will periodically fail (Line protocol down) at no set interval; they will then not come back up again. To bring them back up I either have to shutdown and then re-enable the interface or run "clear cry ses rem *.*.*.*"
Logging with isakmp and ipsec errors provides the following:
55801: *May 1 10:31:16.015: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
55802: *May 1 10:31:16.015: ISAKMP:
[Code].....
View 3 Replies
Nov 29, 2012
My VRF Collector job has started failing. I have attached the contents of the vnmcollector.log file after setting debug level to DEBUG.
View 1 Replies
Aug 5, 2011
I've got a fully working 877w that I'm trying to get to boot from tftp, but I just can't seem to get that going. I have a tftp server running and can copy images back and forth without any trouble. I have this in my config:
boot-start-marker
boot system tftp c870-advipservicesk9-mz.124-24.T2.bin 192.168.1.200
boot-end-marker
During the boot process I get an error message that says there is a missing or illegal ip but I really don't see how that can be as my tftp server is 192.168.1.200 just like my config says.
View 16 Replies
Oct 3, 2012
My tunnel had been running fine for a couple of months. Now, not so much. Here is some debug.
View 6 Replies
Mar 31, 2013
Any issues upgrading the IOS on a 921 router. How can I create a certificate for the new IOS? I've never had to do this for other IOS 15 upgrades. I've confirmed the IOS is not corrupt, and if I upgrade the router in ROMMON the router boots correctly.
View 1 Replies
Mar 13, 2013
I'm preparing a lab and I have 2 ASA 5520's. I have configured them for failover so the Primary's config will replicate over to the Secondary. They are connected via a 3560 switch. The switch ports are configured as access ports on vlan 1. Spanning-tree portfast is enabled.
Firewall (Primary)
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
[Code].....
View 5 Replies
Sep 4, 2011
Config collection is failing. In detail it's a partial success (config fetch is success but archive is failed).
View 1 Replies
Mar 20, 2012
I'm currently unable to upgrade certain devices since Cisco Prime incorrectly believes there is not enough room in the flash partition. For example:
Getting the following error message trying to upgrade some Cisco 871 routers: "Catastrophic - SWIM1200: Selected Flash partition requires minimum (28 MB) to upgrade selected software/image." The images are around 18 MB in size. Why does Cisco Prime think it's 28 MB in size? Bug?
View 1 Replies