Cisco Switching/Routing :: C2969-48PST-L - PC Will Fail Authentication Intermittently
Jun 19, 2012
I have a c2969-48PST-L switch running IOS Version 12.2(55) SE. The switch is configured for 802.1x authentication. The radius server is a Cisco ACS 5.2. We are using PEAP and allowing EAP-TLS and EAP-MS-CHAPv2. Windows 7 PCs (HP Elitebooks) are using the "windows" supplicant and configured to 802.1x authentication is enabled using Microsoft Protected EAP (PEAP), we are not validating any certificates and the authentication method is Secured password (EAP-MSCHAP v2). What is occurring every so often is that the PC will fail authentication (intermittently) and the ACS shows the reason as being 5411 EAP session timeout. This is a pretty generic message according to TAC. The interesting part to me is the Authentication Method showing on the ACS when the authentication fails is simply PEAP. However, when it does not fail the Authenication Method is shown as PEAP (EAP-MSCHAPv2). We have the Cisco TAC looking at the ACS and they are saying the issue is the client not reponding to the request correctly from the switch.if the version of IOS softare on the switch maynot be handling the communication to the ACS correctly. I have wireshark traces of a successful authenication and unsuccessful one. There does seem to be any difference from the client side at all.
I want to know what is the different between IOS of the catalyst WS-C2960-48PST-S and the IOS of catalyset WS-C2960-48PST-L.a want to upgrad the IOS of a WS-C2960-48PST-S with the IOS of WS-C2960-48PST-L (because this reference has a LANBASE version of IOS).
I am getting the below error on my new switch though I can’t find out A. why I am getting the error and obviously B. how to resolve said error as I need to ensure I am operating under the letter of the law and compliance. The switch is a WS-C3750X-48T-S running C3750E-IPBASEK9-M, per my research IP base is the correct IOS for a T-S switch, the label on the outside of the switch matches the show ver (WS-C3750X-48T-S) so I know that IPBase is the right IOS for the hardware. Could it be that I don’t have the license file installed? Below is what I get when I do a show license. Lastly is there a place that I can find what IOS ships default with what switches, not version but type like c3750e-ipbasek9-mz.150-1.SE vs c3750e-ipbase-mz.150-1.SE
Error“%ILET-1-AUTHENTICATION_FAIL: This Switch may not have been manufactured by Cisco or with Cisco's authorization. This product may contain software that was copied in violation of Cisco's license terms. If your use of this product is the cause of a support issue, Cisco may deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet. Please contact Cisco's Technical Assistance Center for more information.”
I recently installed a cisco 2901 router. The router is connected to hosts using a SG 200-50 50-Port Gigabit Smart Switch
Problem is the router internal interface keeps shutting down without notice and randomly. At that time I cannot ping the interrface from a LAN PC even though I can ping other hosts on the LAN. The ISP link is okay since I can put a static IP on my computer and access the net.
I migrate 1310 APs from Autonomous to Lightweight. Migration is OK with Cisco Upgrade Tool, and AP are registered on my 2504 WLC.
Previously, a 802.1x network was broadcasted by autonomous APs, supplicants were identified on a freeradius server with MSCHAPv2/PEAP method.
But on the WLC, supplicants can't auth on Radius server.I configured a WLAN with WPA/TKIP/802.1x with my radius server in AAA tab.When clients try to authenticate, I get these messages where xxx is login:
-AAA Authentication Failure for UserName:821 User Type: WLAN USER -AAA Authentication Failure for UserName:200 User Type: WLAN USER -AAA Authentication Failure for UserName:209 User Type: WLAN USER
I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user. WLC 4402 version 220.127.116.11 [URL]
I have a setup with a were I configured monitor mode on a switch with ISE as RADIUS server. This is for testing before a bigger deployment at a customer site.Im using ISE 1.1.3, C2960 and IOS 15.0(2) and a laptop with Windows 7 Enterprise SP1. The correct configuration with EAP-TLS and machin cert is working like it should but it is when I remove this and make the laptop fail that I get wierd results with monitor mode. I cant get DNS to work in dot1x monitor mode if the client fail authentication.
When the client fail dot1x and MAB it gets a IP with DHCP. I can ping but DNS/browsing is not working. If I put the AuthC back and the client authenticates DNS is working, or if I turn of dot1x on the client then DNS work as it should. [code]
when the supplicant is missing vlan500 is open for port and everything is ok, but when supplicant has wrong configuration something happend and port is always authenticating(every 30s, vlan500 is not assign to this port with bad configuration supplicant) and logs show something like that
Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4 Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11 Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1AuditSessionID 0A0EFF5B000004A45451DF11 Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11 Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11 Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
version - Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(1)SE2
I can access to Cisco 3750 with SSH, but fail to login to web http with the same login.I am able to get the login prompt, the login error I get is "The server at level_15_access requires a username and password."Below is my switch config:username admin privilege 15 secret 5 $1$xsdfajiwuoeirlkajsd.
We have two numbers of Cisco 4900 ME Switches. Basically want LAN failover from these devices. There are about 400 users in our network. I have attached rough network topology for your reference(I am not good at Microsoft Visio). Need to know implementation of the HSRP in these switches. Two distribution switches(Cisco 4900 ME Switches) are connected to 4 Access switches and these are connected to the LAN.
I recently copied a configuration from a router 2800 to a 2900. After a power outage no one can connect outside of the network through the new router. Before the outage all was fine. I put back the old router and all is fine which eliminates any cable or switch error. I have the router totally disconnect. I notice the configuration is in place. My question is there any diagnostics that I can run to see if there is any hardware failure. It seems to boot up fine.
I have a 6500 chassis with 2 power supplies. At the moment I am using the default configuration:
power-redudancy mode redundant
The problem is that an inserted module is in "power deny" state due too insufficient power.
I know, that It's not a good idea to change into combined mode (loss of redundancy), but my customers requested this anyway.
So I will change to combined mode. So here's the 1 million dollar question: "Which modules will go into power deny, if one of my power supplies fails?"
The 6500 config guide states:
"Power supply is removed withredundancy disabled • System log and syslog messages are generated. • System power is decreased to the power capability of one supply. • If there is not enough power for all previously powered-up modules, some modulesare powered down and marked as power-deny in the show power oper state field."
Well, do you know if there's any way to configure some kind of priority? E.g. I definetly don't want by 10Gig Module or WiSM module to be in power deny. Can i statically make sure, those module will be powered on for sure? Like: "power enable module slot_number" How is this calculated? Or is random?
I have a new site needing PoE for their VoIP system as well as the usual LAN config.I haven't used Cisco PoE switches for a good couple of years now and was wondering what you think of the 2960-48PST-S?
I will probably need PoE up to around 50 Meters and will be using PoE on most of the 48 ports over CAT5e 100Mbps with 1Gbps upload is fine so these switches do seem to tick all the boxes but I’m not sure if there are better options?
I configured dot1x port-authentication on a 3750. The switch sends out a request to the radius server. The radius server sends a answer-packet to the switch udp port 21645 but it seems the switch discards the packet or something like that. The radius server gets the answer "Destination unreachable, Port Unreachable"
I am trying to use a Tekradius Windows2008 server to aaa authenticate switch admin logins. The Radius server and 6509 loop0 are in a management VRF "netman". I can happily ping to and from the Server and loopback0 interface without issue. I have also tested the radius server account using RadiusNT on a workstation. I get an accept reply with the following variables..
Here are the relevant parts of my config as far as I can see..
aaa new-model aaa group server radius SRADIUS server-private 192.168.1.101 auth-port 1812 acct-port 1813 key cisco ip vrf forwarding netman ip radius source-interface Loopback0 ! aaa authentication login default group SRADIUS local
Im having a strange problem on a 6509 switch. I am trying to use a Tekradius Windows2008 server to aaa authenticate switch admin logins. The Radius server and 6509 loop0 are in a management VRF "netman". I can happily ping to and from the Server and loopback0 interface without issue. I have also tested the radius server account using RadiusNT on a workstation. [code]
I am configuring NTP on a new Cisco Nexus 7000 running version 6.1(2). NTP is working properly between the access switches and Nexus, however when configuring Authentication, NTP is not working anymore.
Nexus 7K server ============= ntp server x.x.x.x ntp peer q.q.q.q ntp server e.e.e.e ntp server r.r.r.r ntp source-interface Vlanx
why NTP authentication is not working !!!!! on Nexus 7000
All ip's and any identifying numbers have been change to protect.
I have a 6500 series switch that for some reason will not authenticate to the tacacs server. When you try, you get a password authentication failure. However, it will let you use the configured username and secret to log in thru ssh. And the enable secret to get into privileged mode. Tacacs key is correct, btw.we will call the server vlan 300 and the admin vlan 400.the tacacs source interface is in vlan 400 and the tacacs server is in vlan 300.
I can ping the tacacs server via the switch, but when i use the source cmd with the ip address of the admin interface vlan, ping will not work. I changed the tactics source interface to vlan 300 (the server vlan) and authentication with the tacacs server works fine. ip routing is turned on. There are entries for both the server vlan subnet and the ad-min vlan subnet in the routing table. There are only standard access-lists, and none of them are blocking packets from getting to the tacacs server via the admin vlan.
I could just leave the source interface on the int vlan for the servers, but I would like to find out why this isn't working. I have 1 other 6500 switch on a different network that is configured exactly the same (except for ip's, keys, and vlans) and am not having any issues with that LAN. I also have 6 other 3700 switches on the network that Im having an issue with, and none of them are having issues with authentication.
We are deploying the ISE MAC address authentication by-pass (mab) feature in our network as an alternative to port security on the switch port. Works well except for certain devices e.g. printers, snmp modules, and Unix/Linux Operating systems which can range from 5-10 minutes to never in authentication/opening the port.
I have issue with 2950 switch dot1x config is not working , but on 2960 its working fine .Below are the configs from both switches and a debug dot1x all snap, what may be the issue with 2950 switch ...
on 2950======> aaa new-modelaaa authentication dot1x default group radiusaaa authorization network default group radius