Cisco Switching/Routing :: 2960 - Web Authentication On Switches For 802.1x Incompatible Clients
Apr 2, 2013
I am trying to get Web-based authentication to work on Catalyst 2960 and 3560 for clients that don't support dot1x. I followed this guide. Here's the problem: the client (Win7) joins the network, opens the web browser and tries to navigate to any HTTP site. The switch forces the "login" page on him, in which he has to enter credentials. After the client enters credentials, the switch sends an HTTP 500 Internal Server Error page and nothing happens. It doesn't matter whether the credentials were correct or not. Also, I checked the RADIUS logs for requests; the switch doesn't even ask RADIUS.
The configuration:
sh ip admission configuration
Authentication Proxy Banner not configured
Consent Banner is not configured
I have an existing stack of 4 x 2960-S switches connected by stack cables. I would like to add another 2960-S switch to the stack but am unable to, as the 2960-S will only allow 4 x 2960-S switches per stack. How would I add the 5th 2960-S switch to the existing stack of 4 x 2960-S switches?
I have configured SSH on a 2960 to use public key authentication. Now that I can securely log in over SSH without a password, is it possible to disable password authentication so that it is impossible to log in without the key?
I am seeing the following behavior when computers move from one switch to another with dot1x, ONLY when there is a 'stupid' switch in between.
computer -------- 'stupid' switch ------- 2960
dot1x is working fine, but when the computer is disconnected the port still shows the authentication session ID, so when the computer connects to another port or switch, authentication succeeds but traffic doesn't pass. While I'm almost certain that the culprit is the 'stupid' switch that doesn't clear the session ID, I have already tried another one and the problem remains, so I'm actually just asking for confirmation that all these 'stupid' switches present this behavior, and whether there is a workaround in this case.
I am trying to configure TACACS authentication for HTTP on a Cisco 2960 with IOS 15.0.1.SE. [code] But the device is not authenticating. It asks for the credentials (user and pass) but does not authenticate.
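An added example, not the poster's configuration, of the AAA lines that bind the 2960's HTTP server to TACACS+ on an IOS 15.0 SE image. The server address 10.0.0.10, the shared key, the local fallback account and the method-list names WEBLOGIN/WEBEXEC are placeholders:

```ios
! Added example (not the poster's configuration). Assumed values: TACACS+ server
! 10.0.0.10, shared key Tacacs-Shared-Key, method lists WEBLOGIN and WEBEXEC.
aaa new-model
!
! Legacy server syntax, which 15.0(1)SE accepts.
tacacs-server host 10.0.0.10 key Tacacs-Shared-Key
aaa group server tacacs+ TAC-GROUP
 server 10.0.0.10
!
! Method lists: TACACS+ first, local account only when no server answers.
aaa authentication login WEBLOGIN group TAC-GROUP local
aaa authorization exec WEBEXEC group TAC-GROUP local
!
! Local fallback account (placeholder secret; replace it).
username admin privilege 15 secret Replace-This-Secret
!
! The web UI needs both a login list and an exec-authorization list.
! If the TACACS+ server does not return priv-lvl=15 for the user, the login
! succeeds on the server side but the switch still refuses the web session,
! which looks like "asks for credentials but never authenticates".
ip http authentication aaa
ip http authentication aaa login-authentication WEBLOGIN
ip http authentication aaa exec-authorization WEBEXEC
!
! Serve the UI over HTTPS only (needs a k9 image); plain HTTP carries the
! TACACS-backed password in clear text.
no ip http server
ip http secure-server
```

Check the server leg with `test aaa group TAC-GROUP <user> <password> legacy`, then watch `debug aaa authentication` and `debug tacacs` while loading the page; the TACACS+ server's log should show an authorization request for service=shell with priv-lvl. If the browser is never challenged at all, the lists are not bound to HTTP.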
I have a Catalyst 2960 switch (2960-8TC-L) running software version 12.2(53)SE1. I managed to configure SSH to the switch and add an additional user as well. Now I need to configure this switch for passwordless login with public key SSH authentication.
I configured several Linux servers and workstations for public key SSH authentication. So far I could not figure out how to do this on a Cisco switch. The following link {URL} shows how to do this, but the ip ssh pubkey-chain command never worked; it showed "invalid command".
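An added example serving both the question about disabling password login (the earlier 2960 post) and this one about ip ssh pubkey-chain. It is not from either poster; the hostname SW1, domain example.net, user netops and the key placeholder are assumed, and the image is assumed to be a release that has both commands (the 12.2(53)SE1 image in this post rejects ip ssh pubkey-chain):

```ios
! Added example (not the posters' configuration). Assumed: hostname SW1, domain
! example.net, user "netops", RSA key taken from the operator's ~/.ssh/id_rsa.pub.
hostname SW1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
aaa new-model
aaa authentication login default local
! Local account; keep a strong secret even with password login disabled below,
! because the console still uses it.
username netops privilege 15 secret Replace-This-Secret
!
! Bind the public key to the user. Paste only the base64 body of id_rsa.pub
! (no leading "ssh-rsa", no trailing comment), split into lines of at most 254
! characters. The running-config then shows it as "key-hash ssh-rsa <MD5>".
ip ssh pubkey-chain
 username netops
  key-string
   <base64-body-of-id_rsa.pub-here>
  exit
 exit
!
! Allow only public-key authentication over SSH. These commands exist on releases
! that implement "ip ssh server authenticate user"; confirm with
! "ip ssh server authenticate user ?" before relying on them.
ip ssh server authenticate user publickey
no ip ssh server authenticate user password
no ip ssh server authenticate user keyboard
!
line vty 0 15
 transport input ssh
 login authentication default
```

Apply the three `authenticate user` lines only after the key has been proven from a second session (`ssh -i ~/.ssh/id_rsa netops@SW1`) while the first session stays open. `show running-config | section pubkey-chain` shows the stored key-hash; it should equal the MD5 fingerprint `ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub` prints, which is a quick way to catch a truncated paste.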
I am using a 3750 as a default gateway for multiple VLANs on a few 2960 switches. The trunk lines are configured and working and I have assigned IP addresses to each of the VLAN interfaces on the 3750. My issue is that I can only ping the IP address of a VLAN interface on the 3750 if I have a working computer plugged directly into that VLAN on the 3750. I only have 3 VLANs on the 3750 that have hosts directly connected (VLANs 2, 10 and 40); the other VLANs (20 and 70) don't have any clients plugged into them on the 3750, but the hosts reside on 2 different 2960s that connect via trunk ports. How do I keep the VLAN interface on the 3750 switch pingable when I don't have hosts directly connected in that VLAN on the 3750? (Yes, I have enabled ip routing on the 3750.)
We have a 3-layer LAN architecture: layer 1 of 6500 (IP routing), layer 2 of 4500 (L2 switch only), layer 3 of 2960 (L2 switch). On a single (2960 and 4500) switch port an Avaya IP phone and a PC are connected. Now, the requirement is that QoS needs to be configured for voice traffic, and data traffic should be in the default class of service. We plan to use the CoS value in the 4500 and 2960 switches. We made a sample configuration as below:
! For 4500 Switch
class-map match-all VOIP-Access-2MB
 match cos 3 5
class-map match-all VOIP-Uplink-20MB
 match cos 3 5
[code].....
Please check whether these configurations are correct as per standard, and whether there is another method of configuration. What needs to be configured in the L3 switch (6500)? The 2960 doesn't support ingress QoS; what impact will that have compared to the 4500? Will users experience any difference?
Company I work for just moved into a new location. We have two data closets which are patched as independent entities, with no Ethernet tie connection. These closets are roughly 100 feet apart.
There is a fiber connection that runs between both closets, which the previous tenant used to connect the switches. I have placed a Cisco 2960 switch in each location, and added one mini-GBIC SFP to each switch. After attaching both sides, neither lights up. I do a sh inter gig1/0/49 on each and it shows 'down down' (not admin down).
What is the trick to getting these to communicate? Do I need to configure these ports, and are they supposed to light up?
What I am trying to accomplish is to get the one closet that is completely cut off, communicating by logically stacking, or 'daisy chaining' via fiber.
I turned off the lights and popped the fiber out, and I do see a faint red light (I did not look straight into it), so I think the fiber is active.
I have a 4506E core switch to which 10 other 2960 switches are connected. I want to upgrade their IOS. How can I upgrade it: can I upgrade them one by one, or all at a time?
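An added example of one access-switch upgrade with the image verified before it is trusted; it is not the poster's procedure. The TFTP server 10.0.0.5 and the image file name are placeholders for the real ones, and the MD5 is the value printed next to the file on the Cisco download page:

```ios
! Added example (not the poster's procedure). Assumed: TFTP server 10.0.0.5, image
! c2960-lanbasek9-tar.150-2.SE.tar, and the tar's MD5 copied from the download page.
!
! 1. Record what runs today and how much flash is free; the tar and the extracted
!    directory must fit beside the old image until /overwrite removes it.
show version | include System image
dir flash:
!
! 2. Copy the tar to flash and check it against the published hash BEFORE
!    extracting. "Verified" means a match; "Computed signature ... does not match"
!    means stop and re-download, never install it.
copy tftp://10.0.0.5/c2960-lanbasek9-tar.150-2.SE.tar flash:
verify /md5 flash:c2960-lanbasek9-tar.150-2.SE.tar <md5-from-download-page>
!
! 3. Extract and install from the verified local copy. /overwrite deletes the old
!    image directory and sets the BOOT variable to the new .bin.
archive download-sw /overwrite flash:c2960-lanbasek9-tar.150-2.SE.tar
!
! 4. Confirm the boot variable, clean up, save and reload in a maintenance window.
show boot
delete flash:c2960-lanbasek9-tar.150-2.SE.tar
write memory
reload
```

Repeat per switch; each reload takes the access ports on that switch down, so a one-by-one schedule keeps the rest of the floor up and lets the first upgraded switch prove the image before the others follow.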
We are deploying the ISE MAC address authentication bypass (MAB) feature in our network as an alternative to port security on the switch port. It works well except for certain devices, e.g. printers, SNMP modules, and Unix/Linux operating systems, which can take from 5-10 minutes to never in authenticating/opening the port.
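An added access-port template covering both this MAB delay and the earlier post about stale dot1x sessions behind an unmanaged switch. It is not from either poster; the RADIUS address 10.0.0.20, the shared key, VLAN 10 and the port range are assumed:

```ios
! Added example (not the posters' configuration). Assumed: RADIUS (ISE) at 10.0.0.20,
! shared key Radius-Shared-Key, access VLAN 10, ports Gi0/1-24.
aaa new-model
radius-server host 10.0.0.20 auth-port 1812 acct-port 1813 key Radius-Shared-Key
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
interface range GigabitEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ! Several MACs can sit behind one port (an unmanaged switch); authenticate each.
 authentication host-mode multi-auth
 ! MAB first, so printers and SNMP modules never wait for dot1x to time out;
 ! a supplicant that sends EAPOL still takes over because dot1x has priority.
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! With dot1x first (the default order), a silent device waits
 ! (max-reauth-req + 1) x tx-period seconds before MAB begins: 3 x 30 = 90 s
 ! by default. These values cut that to 30 s if you keep dot1x first.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! Stale sessions: the switch sees link stay up on the unmanaged switch when the
 ! PC leaves, so re-authenticate on the server's schedule and drop a session
 ! after 5 minutes without traffic instead of waiting for a link-down.
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 300
 spanning-tree portfast
```

`show authentication sessions interface Gi0/5` shows each MAC, its method and the remaining timers; a device that still takes minutes after this is usually being rejected by ISE (check the live log) rather than delayed by the switch.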
I am aware that private VLANs are not supported on edge switches like the 2960 series, so my question is: would it be possible to create private VLANs on, say, just the core switch, which would be a 3570 or 4506 that supports private VLANs, and then just trunk these to the edge like normal VLANs? What I need to achieve is to have edge ports unable to communicate with each other, even across switches, which cannot be done using 'protected' ports, so I need the private VLAN feature.
I have a customer with Cisco 7940 and 7960 IP phones that they do not plan to replace. They do want a new LAN and are looking at the Catalyst WS-C2960S-48FPD-L and WS-C2960S-24PD-L as access layer devices.
Do these switches support the Cisco pre-standard PoE required by the 7940 and 7960 IP phones?
We ordered 4x Cisco 2960 switches with LAN Lite software by mistake. Can we upgrade them to LAN Base? When I change the boot image I get "Error: hardware not supported by firmware".
I need to connect a 4-floor building, with a Cisco 2960 48-port switch on each floor, and it needs to be through fiber, so that all PCs connected to each switch can reach the LAN/WAN from the other switches. (Attached is the image herewith.)
I see that the 2960 has 2 SFP ports; should each port of each switch connect to the others, or how?
My simple question is:
1. What cable / patch cord do I have to use: single-mode or multimode? (The distance between switches will not be more than 25 m.)
2. Do I have to use an SFP or SFP+ module?
3. What kind of SFP/SFP+ module do I have to use: single-mode or multimode?
4. What kind of connector should the patch cord have: LC / SC or ?
5. How do I connect each switch with redundancy, i.e. should each switch be interconnected with every other one, or do I have to choose the Cisco 3750G, which has more than 2 SFP ports (option#1 & option#2 attached herewith)?
Best practice for connecting cisco switches over fiber.
We have core (4503), distribution (3750), and access switches (2960) in our environment. Currently we configure the clock manually on each switch, but a reboot of the switch resets the clock. We are planning to make a single switch the NTP server and the others clients, to synchronise the correct time even after a reboot of the access switches.
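An added example, not the poster's configuration, of the 4503 core serving authenticated NTP to the 2960s. The addresses (core 10.0.0.1, upstream source 10.0.0.254, access subnet 10.0.0.0/24), the key number and the key value are assumed:

```ios
! Added example (not the poster's configuration). Assumed: core at 10.0.0.1,
! an upstream NTP source at 10.0.0.254, access switches in 10.0.0.0/24, key 7.
!
! --- core (4503) ---
ntp authentication-key 7 md5 Ntp-Secret-Value
ntp authenticate
ntp trusted-key 7
! Follow a real time source; fall back to the local clock at stratum 5 only
! if that source disappears.
ntp server 10.0.0.254
ntp master 5
! Once any ntp access-group exists, unlisted sources are denied, so list the
! upstream as a peer and the access switches as serve-only (time requests, no
! control queries).
ip access-list standard NTP-UPSTREAM
 permit host 10.0.0.254
ip access-list standard NTP-CLIENTS
 permit 10.0.0.0 0.0.0.255
ntp access-group peer NTP-UPSTREAM
ntp access-group serve-only NTP-CLIENTS
!
! --- each 2960 ---
ntp authentication-key 7 md5 Ntp-Secret-Value
ntp authenticate
ntp trusted-key 7
ntp server 10.0.0.1 key 7
clock timezone UTC 0
```

After a reboot the 2960 starts from its default date and shows the right time only once `show ntp status` reports "synchronized"; `show ntp associations` on the core lists every client that is talking to it, and `service timestamps log datetime msec` makes the corrected clock show up in syslog.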
For a simple EtherChannel to work between 2 switches, I have configured ports 1 and 2 on both Cisco 2960 switches with the channel-group option like this:
interface FastEthernet0/1
 channel-group 1 mode on
!
interface FastEthernet0/2
 channel-group 1 mode on
I thought port-channel 1 would get created automatically, but it didn't; should it? And under the port-channel interface, should I set this as a trunk, or do I do this on the 2 Fa interfaces on each switch?
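An added example, not the poster's configuration, of a two-member LACP EtherChannel carrying a trunk between the two 2960s. VLANs 10 and 20 as the allowed set and 999 as an unused native VLAN are assumed; the same lines go on both switches:

```ios
! Added example (not the poster's configuration). Assumed: VLANs 10 and 20 cross
! the link, 999 is an otherwise unused native VLAN. Configure both switches alike.
vlan 999
 name UNUSED-NATIVE
!
interface range FastEthernet0/1 - 2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 ! "active" negotiates LACP and only bundles when the far end agrees; "on"
 ! bundles unconditionally and will forward into a loop if the other side
 ! is not bundled the same way.
 channel-group 1 mode active
!
! Port-channel1 appears as soon as the first member receives channel-group 1.
! Its switchport settings must match the members' or the members are suspended,
! so repeat them here explicitly.
interface Port-channel1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

`show etherchannel summary` should list Po1 as `SU` with both members flagged `P`; a member shown as `s` or `D` has a setting that differs from the port-channel. No `switchport trunk encapsulation` line is needed on a 2960, which only does 802.1Q.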
I configured port security on my 2960 switches with the following commands: [code]
The problem is that when I have to change someone's PC, first I disable port-security, then I clear all the MAC addresses learned on the interface, then I plug in the new PC and enable port-security. The new PC couldn't connect to the network and its MAC address has not been learned on the interface. Why? Which commands should I use to clear an old MAC address and enable port-security with the new MAC address?
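An added example, not the poster's configuration, of sticky port security with the exec-mode steps for swapping the PC on one port. The port Gi0/5, VLAN 10 and the one-host-per-port assumption are placeholders:

```ios
! Added example (not the poster's configuration). Assumed: one host per access
! port in VLAN 10; GigabitEthernet0/5 is the port whose PC is being replaced.
!
! Let a port that was shut down by a violation recover on its own after 5 minutes.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! Sticky: the first MAC seen is written into running-config as
 ! "switchport port-security mac-address sticky <mac>" and survives a reload
 ! once saved.
 switchport port-security mac-address sticky
 spanning-tree portfast
!
! --- swapping the PC (exec mode) ---
! 1. Remove the old sticky entry. Clearing the MAC address table does not touch
!    it; it is configuration, and while it exists the new MAC is a violation.
clear port-security sticky interface GigabitEthernet0/5
!
! 2. If the new PC was already plugged in and the port went err-disabled, bounce
!    it (or wait for errdisable recovery).
configure terminal
 interface GigabitEthernet0/5
  shutdown
  no shutdown
 end
!
! 3. Connect the new PC, confirm it is learned as the sticky address, then save
!    so the new entry replaces the old one in startup-config.
show port-security interface GigabitEthernet0/5
show port-security address
write memory
```

`show port-security interface Gi0/5` reports "Port Status: Secure-shutdown" and a non-zero "Last Source Address:Vlan" when the old entry is the problem; after step 1 the "Sticky MAC Addresses" count drops to 0 until the new PC sends its first frame.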
I want to configure IEEE 802.1x port-based authentication on Cisco switches, preferably 2960 series. Which models support this feature? I have tried with some older switches but it doesn't work properly on every one. I have upgraded them without better results; there is namely an issue with TLS handshaking on some switches which causes authentication to fail.
I need to replace an older 3560 with a new 2960-S and am wondering if the SX SFPs I already have will be compatible with the 2960-S. [code] I cannot find any way to get the part numbers of the SFPs.
I have a scenario where 15 C500 switches and 5 2960 8-port switches are connected to a 4507R core switch. There are 10 DHCP pools created on the 4507.
Eg:
ip dhcp pool XXXX
 network xxxx.xxxxxxx
 default-router x.x.x.x
Now the default router is directed to VLANs created on the switch, i.e. VLAN 101, 102, 103 and so on. The remaining switches connected are configured to be in the same VLAN, so the systems connected to the edge switches get a DHCP IP automatically. Now my problem is that after some time (maybe 2 or 3 hrs) all the edge switches are losing their configuration automatically, even though they are not restarted, and even after saving the config to NVRAM; every time I connect the console and check, all the saved config is lost.
I recently upgraded a few 2960 switches to 15.0(1)SE, and while they are working fine, I did notice a strange syslog message upon boot-up that wasn't there previously. [code] I did some cursory searching via Google but nothing useful presented itself.
There are two Cisco 4900M L3 switches and two Cisco 2960 L2 switches. I need to configure the two L3 switches to operate as a redundant pair, as the servers connecting to them are using bonded interfaces, which can only have one default gateway. So these two L3 switches need to have the same VLAN interface 1, 2 and 3 IPs set on them. How are the two L3 switches made aware of each other? Via a normal trunk? Is there some special configuration for configuring a mated/redundant pair of switches, or are they both just configured as though they were the same switch, but linked?
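An added example, not the poster's configuration, of the two 4900Ms as an HSRP pair: each VLAN gets one virtual gateway address that the servers use, while each switch keeps its own real address. The subnets 10.1.N.0/24 (N = VLAN), .1 as the virtual IP, .2 for switch A, .3 for switch B, and the key-chain secret are assumed:

```ios
! Added example (not the poster's configuration). Assumed addressing: VLAN N uses
! 10.1.N.0/24; .1 is the HSRP virtual gateway, .2 is switch A, .3 is switch B.
! Both switches carry VLANs 1-3 on a trunk between them.
!
! --- both switches: shared HSRP secret, so a rogue host cannot become active ---
key chain HSRP-KEYS
 key 1
  key-string Hsrp-Shared-Secret
!
! --- both switches: the interconnect (an EtherChannel is preferable) ---
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,3
 switchport mode trunk
!
! --- switch A: priority 110 makes it active for all three VLANs ---
interface Vlan1
 ip address 10.1.1.2 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 standby 1 authentication md5 key-chain HSRP-KEYS
interface Vlan2
 ip address 10.1.2.2 255.255.255.0
 standby version 2
 standby 2 ip 10.1.2.1
 standby 2 priority 110
 standby 2 preempt delay minimum 60
 standby 2 authentication md5 key-chain HSRP-KEYS
interface Vlan3
 ip address 10.1.3.2 255.255.255.0
 standby version 2
 standby 3 ip 10.1.3.1
 standby 3 priority 110
 standby 3 preempt delay minimum 60
 standby 3 authentication md5 key-chain HSRP-KEYS
!
! --- switch B: default priority (100), so it stands by and takes over on failure ---
interface Vlan1
 ip address 10.1.1.3 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.1
 standby 1 preempt
 standby 1 authentication md5 key-chain HSRP-KEYS
interface Vlan2
 ip address 10.1.2.3 255.255.255.0
 standby version 2
 standby 2 ip 10.1.2.1
 standby 2 preempt
 standby 2 authentication md5 key-chain HSRP-KEYS
interface Vlan3
 ip address 10.1.3.3 255.255.255.0
 standby version 2
 standby 3 ip 10.1.3.1
 standby 3 preempt
 standby 3 authentication md5 key-chain HSRP-KEYS
```

The servers' bonded interfaces point their default gateway at 10.1.N.1; `show standby brief` on each 4900M should show one Active and one Standby per group, with the hellos passing over the trunk. The `preempt delay minimum 60` on A stops it from grabbing the active role back before its uplinks are up after a reload.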
I have a problem with DHCP. I have two 2960s connected with a port channel on ports 47 and 48 as a trunk with native VLAN 10. I only have this one VLAN. On port 1 of sw 1, I have a C800 as DHCP server.
I have an autonomous AP with a single SSID on VLAN 10. When I connect the AP to sw 1, I receive DHCP with no problems. When I connect the AP to sw 2, I'm not getting an IP by DHCP. I have DHCP snooping working on VLAN 10 on both devices.
The ports where I connect the AP are access ports on VLAN 10 configured as trusted. The trunk ports are also configured as trusted. Port 1 of sw 1 that goes to the C800 is also configured as trusted.
I need to figure out why I'm not getting an IP by DHCP when I connect the AP to sw 2. The only thing I notice is that when I connect the AP to sw 2, I get on sw 1 the message of a packet drop by option 82, but even after configuring ip dhcp snooping information option allow-untrusted on both switches, the problem persists.
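An added example, not the poster's configuration, of DHCP snooping on both 2960s with the two option-82 settings that decide whether an IOS DHCP server accepts relayed requests. It assumes VLAN 10 only, Port-channel1 as the trunk between the switches, Gi0/1 on sw 1 facing the C800, and Gi0/10 as the AP port; unlike the post, it leaves the AP port untrusted, which is the usual design for a client-facing port:

```ios
! Added example (not the poster's configuration). Assumed: single VLAN 10, Po1 is
! the inter-switch trunk, Gi0/1 on sw 1 faces the C800, Gi0/10 is the AP port.
!
! --- both switches ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not stamp option 82 onto client DHCP packets (insertion is on by default).
! With insertion on, requests leave with giaddr 0.0.0.0 plus option 82, and an
! IOS DHCP server silently drops those unless it is told to trust them (see
! the C800 line at the end). Turning insertion off removes the need.
no ip dhcp snooping information option
!
! Trust only the ports that lead to the server or to the other switch.
interface Port-channel1
 ip dhcp snooping trust
!
! Client-facing port: untrusted, and rate-limited so a rogue cannot flood.
interface GigabitEthernet0/10
 description AP (client side)
 switchport mode access
 switchport access vlan 10
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 15
!
! --- sw 1 only ---
interface GigabitEthernet0/1
 description to C800 DHCP server
 ip dhcp snooping trust
!
! --- C800 (IOS DHCP server): only needed if option-82 insertion stays on ---
ip dhcp relay information trust-all
```

`show ip dhcp snooping` on each switch lists the trusted ports and whether option-82 insertion is on; `show ip dhcp snooping binding` should gain an entry for the AP once it gets a lease. If a switch logs a drop for option 82 on an untrusted port while insertion is still on, `allow-untrusted` addresses that particular check, but the server-side `trust-all` is what lets the IOS DHCP server answer a giaddr-0 request that carries option 82.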
I configured a 3750 stack switch as core and 2960 stack switches as access layer switches. I connected my laptop to one of my core stack ports in VLAN 10 and I am pinging one of my servers in VLAN 1. What will be the minimum latency at the time of inter-VLAN routing?