Cisco Switching/Routing :: C2969-48PST-L - PC Will Fail Authentication Intermittently

Jun 19, 2012

I have a c2969-48PST-L switch running IOS Version 12.2(55) SE. The switch is configured for 802.1x authentication. The radius server is a Cisco ACS 5.2. We are using PEAP and allowing EAP-TLS and EAP-MS-CHAPv2. Windows 7 PCs (HP Elitebooks) are using the "windows" supplicant and are configured so that 802.1x authentication is enabled using Microsoft Protected EAP (PEAP); we are not validating any certificates and the authentication method is Secured password (EAP-MSCHAP v2). What is occurring every so often is that the PC will fail authentication (intermittently) and the ACS shows the reason as being 5411 EAP session timeout. This is a pretty generic message according to TAC. The interesting part to me is that the Authentication Method showing on the ACS when the authentication fails is simply PEAP. However, when it does not fail the Authentication Method is shown as PEAP (EAP-MSCHAPv2). We have the Cisco TAC looking at the ACS and they are saying the issue is the client not responding to the request correctly from the switch. If the version of IOS software on the switch may not be handling the communication to the ACS correctly. I have wireshark traces of a successful authentication and an unsuccessful one. There does seem to be any difference from the client side at all.


Cisco Switching/Routing :: Difference Between IOS Of Catalyst WS-C2960-48PST-S And WS-C2960-48PST-L?

Apr 8, 2012

I want to know what the difference is between the IOS of the Catalyst WS-C2960-48PST-S and the IOS of the Catalyst WS-C2960-48PST-L. I want to upgrade the IOS of a WS-C2960-48PST-S with the IOS of the WS-C2960-48PST-L (because this reference has a LANBASE version of IOS).


Cisco Switching/Routing :: WS-C3750X-48T-S - Error On Default IOS / Authentication Fail

Feb 8, 2012

I am getting the below error on my new switch though I can’t find out A. why I am getting the error and obviously B. how to resolve said error as I need to ensure I am operating under the letter of the law and compliance.  The switch is a WS-C3750X-48T-S running C3750E-IPBASEK9-M, per my research IP base is the correct IOS for a T-S switch, the label on the outside of the switch matches the show ver (WS-C3750X-48T-S) so I know that IPBase is the right IOS for the hardware.  Could it be that I don’t have the license file installed? Below is what I get when I do a show license.  Lastly is there a place that I can find what IOS ships default with what switches, not version but type like c3750e-ipbasek9-mz.150-1.SE vs c3750e-ipbase-mz.150-1.SE
 
Error: “%ILET-1-AUTHENTICATION_FAIL: This Switch may not have been manufactured by Cisco or with Cisco's authorization.  This product may contain software that was copied in violation of Cisco's license terms.  If your use of this product is the cause of a support issue, Cisco may deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet.  Please contact Cisco's Technical Assistance Center for more information.”

[code].....


Cisco Switching/Routing :: WS-2960-48PST - To Use 4 Ports At A Time

Feb 25, 2013

I have a doubt about some ports in the 2960. It has 2 SFP and 2 fixed Ethernet. Can I use these 4 ports at the same time? Use the 2 Ethernet and the 2 SFP with fiber?


Cisco Switching/Routing :: License For Upgrading C2960-48PST-S To L Version

Dec 8, 2011

I want to know if there is a license for upgrading the C2960-48PST-S to the "L" version (Lan Base).


Cisco Switching/Routing :: 2960 48PST - How To Identify If Switch Port Is Burned Via Cli

Jan 21, 2013

Is there a way to identify if a switch port is burned via CLI? I have a 2960-48PST switch and some ports don't provide power to a PoE device connected. When I change the port, the device turns on.


Cisco Switching/Routing :: 2901 LAN Interface Shuts Down Intermittently

Jun 6, 2013

I recently installed a Cisco 2901 router. The router is connected to hosts using an SG 200-50 50-Port Gigabit Smart Switch.

The problem is that the router's internal interface keeps shutting down without notice and randomly. At that time I cannot ping the interface from a LAN PC even though I can ping other hosts on the LAN. The ISP link is okay since I can put a static IP on my computer and access the net.


Cisco Switching/Routing :: 5508 WLC And Nexus 7K - Clients Cannot Obtain IP Address Intermittently

Jan 22, 2013

I have a strange behavior between a WLC 5508 (version 7.0.116.0) and NEXUS7010.
 
WLC
The WLC is configured in DHCP Bridging Mode (it sends DHCP requests without change)
 
Nexus
The VLAN interface is configured as follows
 
interface Vlan501
  ip access-group acl-int-vlan501-in-1 in
  no ip redirects
  ip address 10.12.56.4/21
  ip ospf network broadcast
  ip router ospf 100 area 10.23.0.0
  hsrp 51
   
Clients cannot obtain an IP address intermittently. If I deactivate the ACL when the problem appears (when the client cannot obtain an IP address) the problem is resolved.
 
Note: Before the WLC was connected to Catalyst 6500 and worked properly for 2 years (with same configuration)
 
I saw this note about differences between DHCP relay on the NEXUS7000/NXOS and IP helper on the 6500/IOS URL. Do you think the problem may come from the DHCP relay or ACL on the NEXUS?


Cisco :: 1310 - 802.1x Authentication Fail Through WLC But OK On Autonomous APs

Jun 5, 2013

I migrated 1310 APs from Autonomous to Lightweight. Migration is OK with Cisco Upgrade Tool, and the APs are registered on my 2504 WLC.
 
Previously, a 802.1x network was broadcasted by autonomous APs, supplicants were identified on a freeradius server with MSCHAPv2/PEAP method.
 
But on the WLC, supplicants can't auth on the Radius server. I configured a WLAN with WPA/TKIP/802.1x with my radius server in the AAA tab. When clients try to authenticate, I get these messages where xxx is login:

-AAA Authentication Failure for UserName:821 User Type: WLAN USER
-AAA Authentication Failure for UserName:200 User Type: WLAN USER
-AAA Authentication Failure for UserName:209 User Type: WLAN USER
 
Security info on client page is:

Security Policy Completed: No
Policy Type: WPA
Encryption Cipher: TKIP-MIC
EAP Type: PEAP
SNMP NAC State: Access
Radius NAC State: 8021X_REQD

What is strange is that there are some clients which are OK in RUN State, and the other 50% which are not.


Cisco Firewall :: 5540 - Remote VPN Authentication Fail?

Mar 15, 2011

What would be the change on the configuration of remote access VPN on the ASA 5540?

4|Mar 16 2011|15:26:01|713903|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9, Error: Unable to remove PeerTblEntry
3|Mar 16 2011|15:26:01|713902|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9,

[Code].....


Cisco :: WLC 4402 Web-authentication Fail With External RADIUS Server

Jul 3, 2007

I followed the link below step by step to configure web-auth with an external RADIUS server, but I receive an error on the console debug of the WLC: "Returning AAA Error No Server (-7) for mobile". My Radius Server is fine, because I can authenticate on the WLC Web page with a RADIUS user.  WLC 4402 version 4.1.171.0 [URL]


Cisco AAA/Identity/Nac :: Http Radius Authentication Fail In 12.2.58 And 15.0.1 For 2960

Aug 18, 2011

Find here the extract of the configuration and the debug sysout. The radius servers work fine with all the other access methods like ssh, telnet...

Just the http access fails. This configuration worked fine with the version 12.2.55 installed before.
  
Aaa new-model
aaa authentication login default group radius local
aaa authentication login physique local

[Code].....


Cisco AAA/Identity/Nac :: C2960 Dot1x Monitor Mode / Client Fail Authentication

Mar 21, 2013

I have a setup where I configured monitor mode on a switch with ISE as RADIUS server. This is for testing before a bigger deployment at a customer site. I'm using ISE 1.1.3, C2960 and IOS 15.0(2) and a laptop with Windows 7 Enterprise SP1. The correct configuration with EAP-TLS and machine cert is working like it should, but it is when I remove this and make the laptop fail that I get weird results with monitor mode. I can't get DNS to work in dot1x monitor mode if the client fails authentication.

When the client fails dot1x and MAB it gets an IP with DHCP. I can ping but DNS/browsing is not working. If I put the AuthC back and the client authenticates, DNS is working, or if I turn off dot1x on the client then DNS works as it should. [code]


Cisco AAA/Identity/Nac :: C3560E / Authentication Event Fail Action Authorize VLan

Jul 15, 2012

When the supplicant is missing, vlan500 is open for the port and everything is OK, but when the supplicant has a wrong configuration something happens and the port is always authenticating (every 30s; vlan500 is not assigned to this port with the badly configured supplicant), and the logs show something like this:
 
Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4
Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
  
version - Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(1)SE2
  
port config:

interface GigabitEthernet0/1
switchport access vlan 104
switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 500

[code]....


Cisco Switching/Routing :: Web Login Fail With 3750

Jul 28, 2012

I can access the Cisco 3750 with SSH, but fail to log in to web HTTP with the same login. I am able to get the login prompt; the login error I get is "The server at level_15_access requires a username and password." Below is my switch config:

username admin privilege 15 secret 5 $1$xsdfajiwuoeirlkajsd.


Cisco Switching/Routing :: 4900 HSRP For LAN Fail-over

Jan 23, 2012

Planning to implement HSRP in layer 3 switch.

We have two numbers of Cisco 4900 ME Switches. Basically we want LAN failover from these devices. There are about 400 users in our network. I have attached a rough network topology for your reference (I am not good at Microsoft Visio). I need to know the implementation of HSRP in these switches. Two distribution switches (Cisco 4900 ME Switches) are connected to 4 access switches and these are connected to the LAN.


Cisco Switching/Routing :: Dup Packet Fail With WS-C4506-E

Dec 20, 2011

What does the message below mean?  It's from our WS-C4506-E log running Version 03.01.01.SG.

Dec 20 16:27:26.182: (Suppressed 851 times)Dup Packet Fail for Sw Port
Dec 20 2011 16:27:28.068 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet4/22, changed state to up
Dec 20 2011 16:27:29.070 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/22, changed state to up
Dec 20 2011 16:29:13.738 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/22, changed state to down
Dec 20 2011 16:29:14.738 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet4/22, changed state to down
Dec 20 16:42:37.173: (Suppressed 162 times)Dup Packet Fail for Sw Port
Dec 20 2011 16:42:39.071 UTC: %LINK-3-[Code]....


Cisco AAA/Identity/Nac :: Accounting Setup On WLC 440x / 5508 ACS Takes It As Authentication Request And Fail

Dec 8, 2011

accounting in ACS 5.3. When I setup accounting on WLC 440x / 5508 ACS takes them as an authentication request and fail.
 
Here are some logs what I see in acsview:
 
Dec 9,11 6:05:11.783 PM
Radius authentication failed for USER: navrka2  MAC: a.b.c.d  AUTHTYPE: Radius authentication failed
 ACS Session ID:
dc2aaa1v/112555963/420
Audit Session ID:
0a9a01d7000001fd4ee23a3d
Tunnel Details:

[code]...


Cisco Switching/Routing :: 1841 Dual ISP Fail Over Using Track

Jan 9, 2012

We are trying to configure an 1841 with dual Internet connections with failover using track.


Cisco Switching/Routing :: C6506-E / TestAclPermit Fail In WS-X6748-SFP?

Dec 7, 2011

In my C6506-E, module WS-X6748-SFP with WS-F6700-DFC3BXL is installed.

Last time I see errors:

18:42:49: %DIAG-SP-6-TEST_RUNNING: Module 3: Running TestAclPermit{ID=23} ...
18:42:51: %DIAG-SP-3-TEST_FAIL: Module 3: TestAclPermit{ID=23} has failed. Error code = 0x1
  23) TestAclPermit -------------------> F
 Current bootup diagnostic level: minimal
Module 3:
Overall Diagnostic Result for Module 3 : MINOR ERROR
Diagnostic level at card bootup: minimal

[code]...


Cisco Switching/Routing :: Router 2900 Fail After Power Outage

Apr 22, 2013

I recently copied a configuration from a router 2800 to a 2900. After a power outage no one can connect outside of the network through the new router. Before the outage all was fine. I put back the old router and all is fine, which eliminates any cable or switch error. I have the router totally disconnected. I notice the configuration is in place.  My question: are there any diagnostics that I can run to see if there is any hardware failure? It seems to boot up fine.


Cisco Switching/Routing :: 7606 Sup720 With MSCF / Upgrade To 122-33.SRE6 Fail?

Mar 25, 2012

I faced a problem while I was attempting to upgrade a CISCO7606 (R7000) from 12.2(33)SRE1 to 12.2(33)SRE6.
   
rommon 2 > boot c7600s72033-advipservices-mz.122-33.SRE6.bin
Loading image, please wait ...  
Invalid device specified
Booting from default device  
Initializing ATA monitor library...
string is bootdisk:c7600s72033-advipservices-mz.122-33.SRE1.bin

[code].....


Cisco Switching/Routing :: 6500 - Power-Redundancy Mode Combined And Power Fail

Feb 28, 2011

I have a 6500 chassis with 2 power supplies. At the moment  I am using the default configuration:
 
power redundancy-mode redundant

The problem is that an inserted module is in "power deny" state due to insufficient power.

I know that it's not a good idea to change into combined mode (loss of redundancy), but my customers requested this anyway.
 
So I will change to combined mode. So here's the 1 million dollar question: "Which modules will go into power deny, if one of my power supplies fails?"
 
The 6500 config guide states:
 
"Power supply is removed with redundancy disabled
• System log and syslog messages are generated.
• System power is decreased to the power capability of one supply.
• If there is not enough power for all previously powered-up modules, some modules are powered down and marked as power-deny in the show power oper state field."
 
Well, do you know if there's any way to configure some kind of priority? E.g. I definitely don't want my 10Gig module or WiSM module to be in power deny. Can I statically make sure those modules will be powered on for sure? Like: "power enable module slot_number". How is this calculated? Or is it random?


2960-48PST-S Need PoE Up To Around 50 Meters

May 8, 2011

I have a new site needing PoE for their VoIP system as well as the usual LAN config. I haven't used Cisco PoE switches for a good couple of years now and was wondering what you think of the 2960-48PST-S?

I will probably need PoE up to around 50 Meters and will be using PoE on most of the 48 ports over CAT5e 100Mbps with 1Gbps upload is fine so these switches do seem to tick all the boxes but I’m not sure if there are better options?


Cisco Switching/Routing :: How Long It Will Be Until We See OSPFv3 Authentication In NX-OS

Jun 6, 2013

How long it will be until we see OSPFv3 authentication in NX-OS? We now have it in both IOS and IOS XR, but the latest releases of NX-OS still do not support it.


Cisco Switching/Routing :: Dot1x Authentication On 3750?

Oct 6, 2009

I configured dot1x port-authentication on a 3750. The switch sends out a request to the radius server. The radius server sends an answer packet to the switch's udp port 21645, but it seems the switch discards the packet or something like that. The radius server gets the answer "Destination unreachable, Port Unreachable".


Cisco Switching/Routing :: AAA Authentication On 6509 Switch?

Apr 1, 2013

I am trying to use a Tekradius Windows2008 server to aaa authenticate switch admin logins. The Radius server and 6509 loop0 are in a management VRF "netman". I can happily ping to and from the Server and loopback0 interface without issue. I have also tested the radius server account using RadiusNT on a workstation. I get an accept reply with the following variables..
 
shell:priv-lvl=15
NAS-Prompt
 
Here are the relevant parts of my config as far as I can see..
 
aaa new-model
aaa group server radius SRADIUS
server-private 192.168.1.101 auth-port 1812 acct-port 1813 key cisco
ip vrf forwarding netman
ip radius source-interface Loopback0
!
aaa authentication login default group SRADIUS local

[code]...


Cisco Switching/Routing :: AAA Authentication On 6509 Switch

Sep 20, 2012

I'm having a strange problem on a 6509 switch. I am trying to use a Tekradius Windows2008 server to aaa authenticate switch admin logins. The Radius server and 6509 loop0 are in a management VRF "netman". I can happily ping to and from the Server and loopback0 interface without issue. I have also tested the radius server account using RadiusNT on a workstation. [code]


Cisco Switching/Routing :: NTP Authentication On Nexus 7000?

Mar 3, 2013

I am configuring NTP on a new Cisco Nexus 7000 running version 6.1(2). NTP is working properly between the access switches and Nexus, however when configuring Authentication, NTP is not working anymore.
 
Configuration:
 
Nexus 7K server
============= 
ntp server x.x.x.x
ntp peer q.q.q.q
ntp server e.e.e.e
ntp server r.r.r.r
ntp source-interface  Vlanx

[code]...
 
Why is NTP authentication not working on the Nexus 7000?


Cisco Switching/Routing :: 6500 - Tacacs Authentication?

Feb 17, 2012

All IPs and any identifying numbers have been changed to protect.

I have a 6500 series switch that for some reason will not authenticate to the tacacs server.  When you try, you get a password authentication failure.  However, it will let you use the configured username and secret to log in through ssh, and the enable secret to get into privileged mode.  The tacacs key is correct, btw. We will call the server vlan 300 and the admin vlan 400. The tacacs source interface is in vlan 400 and the tacacs server is in vlan 300.

I can ping the tacacs server via the switch, but when I use the source cmd with the IP address of the admin interface vlan, ping will not work.  I changed the tacacs source interface to vlan 300 (the server vlan) and authentication with the tacacs server works fine.  IP routing is turned on.  There are entries for both the server vlan subnet and the admin vlan subnet in the routing table.  There are only standard access-lists, and none of them are blocking packets from getting to the tacacs server via the admin vlan.

I could just leave the source interface on the int vlan for the servers, but I would like to find out why this isn't working.  I have 1 other 6500 switch on a different network that is configured exactly the same (except for IPs, keys, and vlans) and am not having any issues with that LAN.  I also have 6 other 3700 switches on the network that I'm having an issue with, and none of them are having issues with authentication.


Cisco Switching/Routing :: Nexus 7000 Cannot Get AAA Authentication To Work

Dec 5, 2011

I cannot get the AAA tacacs+ authentication to work on my Nexus 7000.


Cisco Switching/Routing :: C3750 Switches MAC Address Authentication

May 9, 2013

We are deploying the  ISE MAC address authentication by-pass (mab) feature in our network as an alternative to port security on the switch port. Works well except for certain devices e.g. printers, snmp modules, and Unix/Linux Operating systems which can range from 5-10 minutes to never in authentication/opening the port.


Cisco Switching/Routing :: Dot1x Authentication Not Working On 2950

Mar 14, 2011

I have an issue with a 2950 switch: the dot1x config is not working, but on a 2960 it's working fine. Below are the configs from both switches and a debug dot1x all snap. What may be the issue with the 2950 switch?

on 2950======>
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius

[Code].....








Copyrights 2005-15 www.BigResource.com, All rights reserved