Cisco Switching/Routing :: 2960 - Dot1x Authentication Session Id Not Clearing

Nov 2, 2011

I am seeing the following behavior when computers move from one switch to another with dot1x ONLY when there is a 'stupid' switch in between.
 
computer --------  'stupid' switch ------- 2960
 
dot1x is working fine but when the computer is disconnected, the port still shows the authentication session id so when the computer connects to another port or switch, authentication succeeds but traffic doesn't pass. While I'm almost certain that the culprit is the 'stupid' switch that doesn't clear the session id, I have already tried another one and the problem remains so I'm actually just asking for a confirmation that all these 'stupid' switches present this behavior and if there is a workaround in this case.

View 0 Replies



Cisco Switching/Routing :: Dot1x Authentication On 3750?

Oct 6, 2009

I configured dot1x port-authentication on a 3750. The switch sends out a request to the radius server. The radius server sends an answer-packet to the switch udp port 21645 but it seems the switch discards the packet or something like that. The radius server gets the answer "Destination unreachable, Port Unreachable".

View 8 Replies View Related

Cisco Switching/Routing :: Dot1x Authentication Not Working On 2950

Mar 14, 2011

I have an issue with a 2950 switch: the dot1x config is not working, but on a 2960 it's working fine. Below are the configs from both switches and a debug dot1x all snap. What may be the issue with the 2950 switch ...
 
on 2950======>
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius

[Code].....

View 1 Replies View Related

Cisco Switching/Routing :: 4506 - Show Authentication Session On Interface

May 17, 2012

I'm dealing with a 4506 switch that, when I try to apply "sh auth sess int xx", gives me "Invalid Input Detected" ... Is there any way that I can get the authenticated session over a port even if I can't apply "sh auth sess int"?

View 1 Replies View Related

Cisco Application :: 11503 - Stickiness Not Working Fine Without Clearing Session Manually

Sep 11, 2012

We have a pair of CSS 11503 installed in our DC. Stickiness has been configured for one of the applications for a long time and was working pretty fine until the last couple of months. For the last two months, we have observed that the CSS is not distributing sessions the way it is supposed to. Mostly, it forwards the session to the same server even though the request is coming from different sources. Once we refresh the sessions manually, it starts working fine. We have to do this exercise manually every alternate day.

View 1 Replies View Related

Cisco Switching/Routing :: 2960 - Disable Password Authentication In SSH?

Nov 16, 2011

I have configured ssh on a 2960 to use public key authentication. Now that I can securely log into ssh without a password, is it possible to disable password authentication so that it is impossible to log in without the key?

View 2 Replies View Related

Cisco Switching/Routing :: Configure Tacacs Authentication For Http In 2960

Oct 13, 2011

I am trying to configure tacacs authentication for http in a Cisco 2960 with IOS 15.0.1.SE. [code] But the device is not authenticating. It asks for the credentials (user and pass) but does not authenticate.

View 7 Replies View Related

Cisco Switching/Routing :: 2960 - Web Authentication On Switches For 802.1x Incompatible Clients

Apr 2, 2013

I am trying to get Web-based authentication to work on Catalyst 2960 and 3560 for clients that don't support dot1x. I followed this guide. Here's the problem: Client (win7) joins the network, opens the web browser and tries to navigate to any http site. The switch forces the "login" page on him, in which he has to enter credentials. After the client enters credentials, the switch sends an http 500 internal server error page and nothing happens. It doesn't matter if the credentials were correct or not. Also, I checked the radius logs for requests; the switch doesn't even ask radius.
 
The configuration:
 
sh ip admission configuration
Authentication Proxy Banner not configured
Consent Banner is not configured

[Code].....

View 6 Replies View Related

Cisco Switching/Routing :: Clearing Single ARP Entry In 6500 Switch?

Feb 2, 2009

Is there any way to clear a single ARP cache entry on the 6500 switch ?

View 8 Replies View Related

Cisco WAN :: Dot1x Authentication On 3750 Switch?

Jan 18, 2010

I have a 3750 switch (WS-C3750G-24TS-S1U) with IP Services version

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3750G-24TS-1U  12.2(46)SE            C3750-IPSERVICESK9-M

On the switch, I have configured

aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control

but I am not able to implement the command under the interface.

Switch(config)#int gigabitEthernet 1/0/20
Switch(config-if)#do?
down-when-looped

dot1x commands are not available under the interface config. Is the IOS version compatible with dot1x?

View 5 Replies View Related

Cisco AAA/Identity/Nac :: Setup ACS 5.1 For Dot1x-Port Authentication?

Jan 24, 2010

I want to set up the ACS 5.1 for dot1x-Port authentication. I want to do machine authentication against an AD domain and I got the following error message: 24435 Machine Groups retrieval from Active Directory succeeded

View 13 Replies View Related

Cisco AAA/Identity/Nac :: 2960 - Manually Re-authenticate Dot1x Client?

Jan 17, 2013

I was looking for a way to manually re-authenticate a dot1x client from the CLI and found this: [URL]

"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"

I've tried it on a 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seem to be implemented. Have I misunderstood something? Or do you guys have any other command to accomplish a manual re-auth?

View 6 Replies View Related

Cisco Switching/Routing :: 3750x Command Cts Dot1x Kills The Connection

Dec 6, 2012

We're having an issue with the command "cts dot1x" when applied to an uplink interface. It basically kills the connection when this command is applied. Once you remove it, everything is back to normal. The platform is a Cisco 3750x.

View 5 Replies View Related

Cisco Switching/Routing :: 3750x - Command Cts Dot1x When Applied To An Up-link Interface

May 7, 2012

We're having an issue with the command "cts dot1x" when applied to an uplink interface. It basically kills the connection when this command is applied. Once you remove it, everything is back to normal. The platform is a Cisco 3750x.

View 0 Replies View Related

Cisco Switching/Routing :: 6509 - 802.1x And Voice VLAN / Enable Dot1x On User's Ports On The Switch

Sep 17, 2012

I have a Cisco 6509 with IOS "s222-ipservicesk9_wan-mz.122-18.SXF16.bin". I need to enable dot1x on users' ports on the switch. Each user is connected to the switch through the IP phone.

I just found out that I cannot enable dot1x on a trunk port. I have tried to use "switchport voice vlan " but I got:
 
Switch(config-if)#switchport voice vlan 123
Command rejected: Gi7/20 is Dot1x enabled port.
 
Let me know what I should do to get dot1x working.
 
Note: I have connected a laptop directly to the port and dot1x is working fine.

View 5 Replies View Related

Cisco Switching/Routing :: Add 2960 To Stack Of 4 X 2960 Switches

Feb 7, 2012

I have an existing stack of 4 x 2960-S switches connected by stack cables. I would like to add another 2960-S switch to the stack but am unable to, as the 2960-S will only allow 4 x 2960-S switches per stack. How would I add the 5th 2960-S switch to the existing stack of 4 x 2960-S switches?

View 12 Replies View Related

Cisco Switching/Routing :: 2960-S To 2960-LST Configuration Over Fiber?

Feb 11, 2013

I have a 24 port 2960-S that is not communicating with a 2960-LST that it is directly connected to over fiber.  The link is up on the LST but will not come up on the -S.  What command should I use to bring up this link?  I have tried no shut from the (Config-if)# prompt.         

View 3 Replies View Related

Cisco :: WLC 5508 External Web Authentication Mismatch With Session Timeout?

Aug 27, 2012

For guest clients, we have configured a guest vlan and applied external web authentication on WLC 5508; the session timeout value is 2700 seconds. When a client opens a browser to an internet page, the WLC will redirect to the URL and get the login page. After completing the login, he can go to the internet page.

We find the iPhone and iPad clients will get the login page again after ~5 mins, which is a mismatch with the session timeout value of 2700 sec (45 mins).

View 5 Replies View Related

Cisco WAN :: SPAN Session On 2960 Switch Capturing Only Control Traffic

Nov 21, 2011

I have configured a SPAN session on a 2960 switch, the source port being a VLAN and the destination being one of the fastethernet ports. All I see in the capture is control traffic (HSRP, RIP, Syslog, DNS, etc.). However, I don't see any real data traffic being captured. Below is how I have SPAN configured.
 
monitor session 1 source vlan <vlan_id> both
monitor session 1 destination interface fa0/42

View 1 Replies View Related

Cisco Switching/Routing :: How Many Session Can Use In Sup720-3b

Aug 30, 2012

I will use the span function in sup720-3b. How many sessions can be used in sup720-3b? For example, 2 or 4 sessions.

View 1 Replies View Related

Cisco Switching/Routing :: 6513 Span Session Limit?

Jul 12, 2012

I have a need to capture some traffic but my core 6513's are already using the limit of 2 span sessions. I can't edit any of the sessions either because I want to source traffic from vlans and you can only do one or the other. Is using a VACL with 'switchport capture' on the destination interface an option? E.g. I want to source traffic from vlan 10,20,30,40 and send it all to interface Gi10/10. Are there any caveats? I don't need to be too granular with the ACLs, just capture all traffic in those vlans.

View 2 Replies View Related

Cisco Switching/Routing :: Set Up A Monitor Session With 3750 Stack

Aug 20, 2012

I have just set up a monitor session with a 3750 stack. Simple enough task, you would think. But I only seem to be seeing broadcast packets!! Now there is definitely unicast traffic being used on the host I am monitoring. I have done the basic commands

-monitor session 1 dest int fas 5/0/24

-monitor session 1 src int fas 5/0/34

View 1 Replies View Related

Cisco Switching/Routing :: SG300 - Session Starts With Two SYN ACK Packets?

Apr 20, 2012

I am having trouble with my Cisco SG300 switch big time. I have two servers with IP addresses 10.17.0.11 and 10.17.0.29 sitting on the same switch which is a Cisco SG300. I initiate a file transfer from 10.17.0.11 to 10.17.0.29. I could see lots of Dup Acks and retransmissions which means something is wrong in the connection. Further, I could see the session initiation a bit bizarre. I could see two SYN packets sent from 10.17.0.11 to 10.17.0.29 and also two SYN ACK packets returned by 10.17.0.29. The switch forms part of a network but since both the servers are sitting on the same switch I suppose the rest of the network doesn't come into play when one server talks to the other.
 
See also the number of Dup Acks and retransmissions. The two switch ports connecting the servers have speed and duplex set to auto negotiate, and flow control is enabled. What could cause this sort of problem? Could it be any setting on the switch or the servers' NICs? Or could it be a bad switch that causes this?

View 4 Replies View Related

Cisco Switching/Routing :: NEXUS 7k Span Session Getting Twice Data To Port

Jun 9, 2013

I'm setting up a monitor session on a NEXUS 7K as below. We are receiving in 150M of data and 0 data going out port 9/25, but port 4/24 shows 300M to the span port?

View 1 Replies View Related

Cisco Switching/Routing :: Unable To Clear Monitor Session From 6500

Mar 6, 2013

I tried to clear monitor session on 6500 and keep on getting the following error:
 
 %Another session parameters or permit-list is being configured %Please wait for another configuration to complete.
 
How can I go about clearing the monitor session?

View 9 Replies View Related

Cisco Switching/Routing :: 2921 / How To Quit Service-module Session

Jun 9, 2012

On 2921, how do you quit a service-module session and get back to the router?

View 3 Replies View Related

Cisco Switching/Routing :: Couldn't Clear Monitor Session From 6500

Nov 21, 2011

I tried to clear monitor session on 6500 and keep on getting the following error:
  
%Another session parameters or permit-list is being configured %Please wait for another configuration to complete.
 
How can I go about clearing the monitor session?

View 1 Replies View Related

Cisco Switching/Routing :: How Many VLANs Can Span In Monitor Session On Nexus 7K

Mar 3, 2013

rsbd7k01-p-vdca(config)# monitor session 2
rsbd7k01-p-vdca(config-monitor)# source vlan ?
<1-3967> 
rsbd7k01-p-vdca(config-monitor)# source vlan 1 - 3967
ERROR: vlan 33-3967: Number of source vlans exceeds maximum
rsbd7k01-p-vdca(config-monitor)#

View 3 Replies View Related

Cisco Switching/Routing :: 3750 - Unable To Paste Script Into Terminal Session

Feb 28, 2012

I have 100+ 3750's that are running various IOS, some stacked and some not, and all seem to have the same problem. If I attempt to paste a configuration into the terminal session I get booted after about 10 to 15 lines. This happens when using SSH and Telnet. Telnet will go a little further before I'm booted. After I'm booted it sometimes takes a minute before I can log back into the switch. Any issues pasting configs into a 3750 via a VTY session?

View 4 Replies View Related

Cisco Switching/Routing :: 3560Gs / 4900Ms / Starting SSH Session From Console Port?

Dec 29, 2011

I console into switch 1 (or router, it doesn't matter) and everything is fine. From that session I SSH to switch 2 (or router). The session on the second device has a noticeable delay when I type. Next I SSH to switch 1, then SSH to switch 2 from that session. Everything works fine. Finally, I console to switch 1, and telnet to switch 2. There is no delay. So it appears the delay only occurs when I open an SSH session while consoled into a device. It didn't matter what switch 1 and switch 2 were - I had 3560Gs, 4900Ms and a 3845 router. There's no special configuration on the console or vty ports - when I do a "show line console" and "show line vty 0" the output is basically the same.

View 2 Replies View Related

Cisco Switching/Routing :: Console Session Disabled On Standby SupE 4507

Jun 6, 2012

Need to confirm if this is the default behaviour of a 4507 with 2 supes. When I console in to the standby supe, it gives the message that the console session is disabled?

View 4 Replies View Related

Cisco Switching/Routing :: Monitor Session In 4948 Don't Show Input Traffic

Jan 9, 2012

I have a 4948 switch with version 12.2.31.sga4 (I didn't find a bug about monitor session), and we tried to do port mirroring with a monitor session from a VLAN. The ports belonging to this VLAN have input and output traffic, but on the destination port, I always see output traffic.
 
Global command 
Red-127#sh run | in moni
monitor session 1 source vlan 1127

[Code].....

View 3 Replies View Related

Cisco Switching/Routing :: WS-C3750G-24TS / RSPAN Session For VOIP Recording?

May 9, 2012

We want to record VoIP telephone? Presently I'm using Wireshark on a laptop to test the RSPAN session.
 
Here is how it's configured
 
CORE_SWITCH is
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3750G-24TS     12.2(52)SE            C3750-IPBASEK9-M
     2 52    WS-C3750G-48TS     12.2(52)SE            C3750-IPBASEK9-M

 [code]....
 
I've created vlan 33 on my core switch and remote SPAN VLAN 133. The core switch is the vtp server, so I double checked on all switches, and vlan 33 and 133 are present. When I listen to a conversation with Wireshark, we are only recording the voice of the one who is answering and we don't hear the other person talking?

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved