Cisco 3550 Problem
I have a number of C3550 switches in the field and one of them seems to have a problem showing interface statistics on some Fast Ethernet ports.
Most ports are running at 100 Meg full-duplex, but some fail to show any "5 minute rate" stats when I do a show interface command. You can only determine the data rate throughput by doing successive show int commands at set time intervals and counting the difference in the total packets received/transmitted sections.
Has anyone seen this elsewhere? Is this a known problem, as I can't see any reference to this as a problem on TAC?
The IOS version is 12.1(13)EA1a
There was a known issue for interfaces with a low rate of pps (<40 pps) because of the way the counter is implemented. Look at the following bug, which is in a Closed state (not resolved):
http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdz06305
Change the load-interval to 30 seconds and see if this makes any difference.
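The workaround described in the question (successive show interface samples and counter differences), as an added example that is not part of the original thread: a small Python script that parses the packet and byte counters from two captures, corrects a counter that wrapped between samples, and computes the average pps and bit/s. The sample outputs, the 60-second interval and the assumption of 32-bit counters are constructed for the example; it does not replace the load-interval change, which makes the switch compute the rate itself.

```python
import re

# Constructed sample data (not from the original post): the counter lines
# from two "show interface FastEthernet0/1" outputs taken 60 seconds apart.
SHOW_INT_T0 = """\
FastEthernet0/1 is up, line protocol is up
  Full-duplex, 100Mb/s, media type is 100BaseTX
     12345678 packets input, 876543210 bytes, 0 no buffer
     23456789 packets output, 234567890 bytes, 0 underruns
"""
SHOW_INT_T1 = """\
FastEthernet0/1 is up, line protocol is up
  Full-duplex, 100Mb/s, media type is 100BaseTX
     12351678 packets input, 882543210 bytes, 0 no buffer
     23459789 packets output, 236967890 bytes, 0 underruns
"""

IN_RE = re.compile(r"(\d+) packets input, (\d+) bytes")
OUT_RE = re.compile(r"(\d+) packets output, (\d+) bytes")


def parse_counters(show_int):
    """Return (in_pkts, in_bytes, out_pkts, out_bytes) from show interface text."""
    m_in = IN_RE.search(show_int)
    m_out = OUT_RE.search(show_int)
    if not (m_in and m_out):
        raise ValueError("packet/byte counters not found in show interface output")
    return (int(m_in.group(1)), int(m_in.group(2)),
            int(m_out.group(1)), int(m_out.group(2)))


def counter_delta(old, new, bits=32):
    """Difference between two counter samples, correcting a single wrap-around.

    A counter that rolled over reads lower than the previous sample; adding
    2**bits restores the true increment. Assumes at most one wrap between
    samples and that no "clear counters" ran in between (a clear looks like a
    wrap and would be mis-corrected). The counter width is an assumption; use
    bits=64 on platforms with 64-bit interface counters.
    """
    delta = new - old
    if delta < 0:
        delta += 1 << bits
    return delta


def rates(show_int_t0, show_int_t1, seconds, bits=32):
    """Average pps and bit/s in each direction between two samples."""
    c0 = parse_counters(show_int_t0)
    c1 = parse_counters(show_int_t1)
    in_pkts, in_bytes, out_pkts, out_bytes = (
        counter_delta(a, b, bits) for a, b in zip(c0, c1))
    return {
        "in_pps": in_pkts / seconds,
        "in_bps": in_bytes * 8 / seconds,
        "out_pps": out_pkts / seconds,
        "out_bps": out_bytes * 8 / seconds,
    }


if __name__ == "__main__":
    for name, value in rates(SHOW_INT_T0, SHOW_INT_T1, 60).items():
        print(f"{name}: {value:.1f}")
```

The interval between the two samples must be measured by the operator (a timestamped shell loop around the show command is enough); the script only trusts the number it is given.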
Similar Messages
-
Hi,
I am unable to run the IP Routing command on my Cisco 3550 switch. Will upgrading the IOS help me?
regards
Neo
Hi,
here is the output
Switch-1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC13, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Tue 20-Sep-05 10:05 by antonino
Image text-base: 0x00003000, data-base: 0x00351FFC
ROM: Bootstrap program is C3500XL boot loader
Switch-1 uptime is 1 minute
System returned to ROM by power-on
System image file is "flash:c3500xl-c3h2s-mz.120-5.WC13.bin"
cisco WS-C3548-XL (PowerPC403) processor (revision 0x01) with 16384K/1024K bytes of memory.
Processor board ID FAA0428Y13Q, with hardware revision 0x00
Last reset from power-on
Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:02:B9:9C:23:00
Motherboard assembly number: 73-3903-04
Power supply part number: 34-0971-01
Motherboard serial number: FAA04299A9E
Power supply serial number: PAC042800LS
Model revision number: A0
Motherboard revision number: B0
Model number: WS-C3548-XL-EN
System serial number: FAA0428Y13Q
Configuration register is 0xF
Switch-1#
Switch-1#
Switch-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch-1(config)#ip routing
^
% Invalid input detected at '^' marker.
Switch-1(config)#ip r?
radius rcmd
Switch-1(config)#
regards
Neo -
I have got a Cisco 3550-12T, in which I have created VLANs 2, 3, 4 & 5. Now my requirement is that VLAN 2 can communicate with all VLANs, whereas VLAN 5 should only communicate with VLAN 2 & vice versa, and VLANs 3 and 4 should only communicate with VLAN 2 & vice versa. How do I proceed? By default, if I enable "ip routing" I am able to communicate, but how do I filter the packets as I said above?
Hi,
You can do it using extended ACLs for denying traffic from VLANs 3 and 4 to VLAN 5. This can also be done using VLAN maps. Please go through the link below:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swacl.htm#wp1082557
regards,
-amit singh -
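The hub-and-spoke policy from the question implemented with router ACLs, as an added example that is not part of the original thread. It assumes VLAN n uses 10.0.n.0/24 with an SVI interface Vlan<n> on the 3550 and ip routing enabled (none of that addressing is in the post). It generates one extended ACL per spoke VLAN, applied inbound on that VLAN's SVI, and includes a first-match evaluator to check flows against the generated rules before they are pasted into the switch.

```python
import ipaddress

# Assumed addressing (not in the original post): VLAN n uses 10.0.n.0/24 and
# its SVI is "interface Vlan<n>" on the 3550 with "ip routing" enabled.
VLAN_SUBNETS = {
    2: ipaddress.ip_network("10.0.2.0/24"),
    3: ipaddress.ip_network("10.0.3.0/24"),
    4: ipaddress.ip_network("10.0.4.0/24"),
    5: ipaddress.ip_network("10.0.5.0/24"),
}
HUB_VLAN = 2              # may talk to every VLAN
SPOKE_VLANS = (3, 4, 5)   # may talk only to the hub


def wildcard(net):
    """IOS ACLs take a wildcard mask (inverted netmask), not a prefix length."""
    return str(net.hostmask)


def build_acls():
    """Return {acl_name: [(action, src_net, dst_net), ...]} for each spoke VLAN.

    The ACL is applied inbound on the spoke's SVI, so it sees traffic *from*
    that VLAN before it is routed. Hub traffic enters on Vlan2, which has no
    ACL, and spoke replies to the hub match the permit, so hub<->spoke works
    in both directions while spoke<->spoke hits the explicit deny.
    """
    acls = {}
    hub = VLAN_SUBNETS[HUB_VLAN]
    any_net = ipaddress.ip_network("0.0.0.0/0")
    for vlan in SPOKE_VLANS:
        src = VLAN_SUBNETS[vlan]
        acls[f"VLAN{vlan}-IN"] = [("permit", src, hub), ("deny", src, any_net)]
    return acls


def render_config(acls):
    """Emit the IOS configuration lines for the ACLs and their SVI bindings."""
    lines = []
    for name, aces in acls.items():
        lines.append(f"ip access-list extended {name}")
        for action, src, dst in aces:
            dst_part = ("any" if dst.prefixlen == 0
                        else f"{dst.network_address} {wildcard(dst)}")
            lines.append(f" {action} ip {src.network_address} {wildcard(src)} {dst_part}")
    for vlan in SPOKE_VLANS:
        lines.append(f"interface Vlan{vlan}")
        lines.append(f" ip access-group VLAN{vlan}-IN in")
    return "\n".join(lines)


def svi_for(ip):
    """VLAN whose subnet contains ip, i.e. the SVI the packet enters on."""
    for vlan, net in VLAN_SUBNETS.items():
        if ip in net:
            return vlan
    raise ValueError(f"{ip} is in no known VLAN")


def permitted(acls, src_ip, dst_ip):
    """First-match evaluation of the ingress SVI's ACL (implicit deny at the end)."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    aces = acls.get(f"VLAN{svi_for(src_ip)}-IN")
    if aces is None:          # SVI without an ACL (the hub): everything passes
        return True
    for action, src, dst in aces:
        if src_ip in src and dst_ip in dst:
            return action == "permit"
    return False


if __name__ == "__main__":
    acls = build_acls()
    print(render_config(acls))
    for s, d in (("10.0.2.10", "10.0.5.10"), ("10.0.5.10", "10.0.2.10"),
                 ("10.0.3.10", "10.0.5.10")):
        print(s, "->", d, "permitted" if permitted(acls, s, d) else "denied")
```

The ACLs are stateless, so the hub can initiate to any spoke and the spoke can answer, but a spoke can never reach another spoke in either direction; VLAN 2 itself gets no ACL. Anything the spokes need besides the hub (DHCP relay, DNS on another VLAN) has to be added as an explicit permit before the deny.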
Can I set an IP address in a Cisco 3550-12T on any one of the Gigabit interfaces? Being a layer 3 switch, it is possible, but when I entered the IP address 192.168.1.1 255.255.255.252 on gigabitEthernet 0/1 I got the message "IP addresses may not be configured on L2 links". Why is that so? I enabled IP routing & tried without enabling it also, but I still get the same message. Thanks in advance.
Hi Anand,
Though it is a layer 3 switch, the default behaviour of the ports is layer 2.
To make it layer 3 you have to first give the "no switchport" command.
int gig0/1
no switchport
ip address
HTH
Ankur -
Assign VLAN from freeradius to Cisco 3550 Switch
Hi All,
I am trying to assign a VLAN from freeradius to a Cisco 3550 switch but it's not working.
I keep getting these lines in the Cisco switch debug:
3w6d: RADIUS: Tunnel-Medium-Type [65] 6 01:Unsupported [6]
3w6d: RADIUS: Tunnel-Type [64] 6 01:Unsupported [13]
What does it mean? Any idea how to solve this?
Below are the freeradius conf and the switch debug.
Thanks.
Configuration on freeradius users file:
wassim Cleartext-Password := "wassim"
Tunnel-Medium-Type:1 = IEEE-802,
Tunnel-Type:1 = VLAN,
Tunnel-Private-Group-Id:1 = 100
Cisco Switch debug log:
3w6d: RADIUS: authenticator 99 15 53 A6 AB B7 0B 75 - 9F A7 5F 27 8F F1 2E 67
3w6d: RADIUS: NAS-IP-Address [4] 6 192.168.1.8
3w6d: RADIUS: NAS-Port [5] 6 50023
3w6d: RADIUS: NAS-Port-Type [61] 6 Eth [15]
3w6d: RADIUS: User-Name [1] 8 "wassim"
3w6d: RADIUS: Called-Station-Id [30] 19 "00-15-F9-F8-4E-97"
3w6d: RADIUS: Calling-Station-Id [31] 19 "00-1A-80-3F-F6-A1"
3w6d: RADIUS: Service-Type [6] 6 Framed [2]
3w6d: RADIUS: Framed-MTU [12] 6 1500
3w6d: RADIUS: State [24] 18
3w6d: RADIUS: DB C1 1C E7 DE C7 09 5E 75 5E 5B 0F 23 3A 54 E7 [???????^u^[?#:T?]
3w6d: RADIUS: EAP-Message [79] 69
3w6d: RADIUS: 02 06 00 43 15 00 17 03 01 00 38 BF 71 FC FA 04 [???C??????8?q???]
3w6d: RADIUS: BE DC FD CC 03 D2 7F 8B 09 63 2C B2 AE D8 AC 61 [?????????c,????a]
3w6d: RADIUS: 64 21 2B 00 ED 0E 6E E8 B0 49 50 6B 99 B8 88 A4 [d!+???n??IPk????]
3w6d: RADIUS: 36 C6 FD B9 F0 77 2D 82 28 0A 37 D1 D4 73 B4 59 [6????w-?(?7??s?Y]
3w6d: RADIUS: F9 37 E6 [?7?]
3w6d: RADIUS: Message-Authenticato[80] 18
3w6d: RADIUS: A2 59 A3 DE A6 98 5F 78 25 12 59 BB 4D B8 74 F0 [?Y????_x??Y?M?t?]
3w6d: RADIUS: Received from id 1645/123 192.168.1.57:1812, Access-Accept, len 186
3w6d: RADIUS: authenticator C0 31 7F D7 A6 D4 1F C8 - 27 AA F0 99 EA 1F 92 C3
3w6d: RADIUS: Tunnel-Medium-Type [65] 6 01:Unsupported [6]
3w6d: RADIUS: Tunnel-Type [64] 6 01:Unsupported [13]
3w6d: RADIUS: Tunnel-Private-Group[81] 6 01:"100"
3w6d: RADIUS: Vendor, Microsoft [26] 58
3w6d: RADIUS: MS-MPPE-Recv-Key [17] 52
3w6d: RADIUS: 86 8B 3E 74 76 E7 CB 9A 8F EF F5 9C 16 2E 88 1A [??>tv????????.??]
3w6d: RADIUS: 12 3B 80 A6 E9 9B B6 6F E6 63 C8 AA B0 DB 0E 76 [?;?????o?c?????v]
3w6d: RADIUS: 61 C1 6A 5D 62 BD 72 BE 78 C8 9D 4D A7 3F 54 35 [a?j]b?r?x??M??T5]
3w6d: RADIUS: 40 DC [@?]
3w6d: RADIUS: Vendor, Microsoft [26] 58
3w6d: RADIUS: MS-MPPE-Send-Key [16] 52
3w6d: RADIUS: 8A 61 97 87 78 FD CA 16 8D F0 ED 75 C0 70 93 AE [?a??x??????u?p??]
3w6d: RADIUS: 71 EF 5A 21 53 35 A4 88 F9 84 16 83 10 43 6E 9E [q?Z!S5???????Cn?]
3w6d: RADIUS: AB A7 8B 56 6C 42 0D AB 09 1D 82 D3 CB 7E 6C B8 [???VlB???????~l?]
3w6d: RADIUS: 56 58 [VX]
3w6d: RADIUS: EAP-Message [79] 6
3w6d: RADIUS: 03 06 00 04 [????]
3w6d: RADIUS: Message-Authenticato[80] 18
3w6d: RADIUS: 82 4B 64 0F 07 64 59 18 0F 27 07 95 A5 15 09 33 [?Kd??dY??'?????3]
3w6d: RADIUS: User-Name [1] 8 "wassim"
3w6d: RADIUS: EAP-login: length of eap packet = 4
3w6d: RADIUS: Tunnel-MType, [01] 00 00 06
3w6d: RADIUS: TAS(1) created and enqueued.
3w6d: RADIUS: Tunnel-Type, [01] 00 00 0D
3w6d: RADIUS: Tunnel-GID, [01] 100
3w6d: RADIUS: unrecognized Microsoft VSA type 17
3w6d: RADIUS: unrecognized Microsoft VSA type 16
3w6d: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=vlan
3w6d: RADIUS: free TAS(1)
3w6d: RADIUS: no appropriate authorization type for user.
3w6d: RADIUS: Tunnel-MType, [01] 00 00 06
3w6d: RADIUS: TAS(1) created and enqueued.
3w6d: RADIUS: Tunnel-Type, [01] 00 00 0D
3w6d: RADIUS: unrecognized Microsoft VSA type 17
3w6d: RADIUS: unrecognized Microsoft VSA type 16
3w6d: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=vlan
3w6d: RADIUS: free TAS(1)
3w6d: RADIUS: no appropriate authorization type for user.
3w6d: RADIUS: Tunnel-MType, [01] 00 00 06
3w6d: RADIUS: TAS(1) created and enqueued.
3w6d: RADIUS: Tunnel-Type, [01] 00 00 0D
3w6d: RADIUS: unrecognized Microsoft VSA type 17
3w6d: RADIUS: unrecognized Microsoft VSA type 16
3w6d: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=vlan
3w6d: RADIUS: free TAS(1)
3w6d: RADIUS: no appropriate authorization type for user.
3w6d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to up
I believe you should be using the numerical values in your fields; look at this one:
http://www.scribd.com/doc/75788651/52/X-with-VLAN-Assignment
Tunnel-Medium-Type:1 = 6
Tunnel-Type:1 = 13
Tunnel-Private-Group-Id:1 = -
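The tagged tunnel attributes in the post, as an added example that is not part of the original thread: a small encoder and decoder for the RFC 2868 attributes the switch reports. Tunnel-Type (64) and Tunnel-Medium-Type (65) carry a one-byte tag followed by a 3-byte integer, and Tunnel-Private-Group-ID (81) a tag followed by a string, so the freeradius entry with tag 1 produces exactly the bytes the debug prints as "Tunnel-MType, [01] 00 00 06", "Tunnel-Type, [01] 00 00 0D" and "Tunnel-GID, [01] 100"; the names VLAN and IEEE-802 are dictionary aliases for 13 and 6 and encode identically. The decoder shows how a NAS groups the three attributes by tag before deciding on a VLAN. The function names and the grouping logic are this example's own, not IOS or freeradius code.

```python
import struct

TUNNEL_TYPE = 64             # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # the value behind the dictionary name "VLAN"
MEDIUM_IEEE_802 = 6          # the value behind the dictionary name "IEEE-802"


def encode_tagged_int(attr_type, tag, value):
    """Type, Length, Tag, then a 3-byte big-endian value (RFC 2868 sections 3.1/3.2)."""
    if not 0 <= tag <= 0x1F or not 0 <= value < (1 << 24):
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Type, Length, Tag, then the string (RFC 2868 section 3.6)."""
    data = text.encode()
    if not 0 <= tag <= 0x1F or len(data) > 250:
        raise ValueError("tag must be 0..31 and string at most 250 bytes")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def decode_attributes(data):
    """Walk a RADIUS attribute list and return (type, tag, value) for tunnel attributes.

    For Tunnel-Private-Group-ID a first byte above 0x1F is part of the string,
    not a tag (RFC 2868 section 3.6); such attributes are reported with tag 0.
    Non-tunnel attributes (e.g. the MS-MPPE keys in the debug) are skipped.
    """
    out = []
    i = 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        body = data[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append((atype, body[0], int.from_bytes(body[1:], "big")))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if body and body[0] <= 0x1F:
                out.append((atype, body[0], body[1:].decode()))
            else:
                out.append((atype, 0, body.decode()))
        i += alen
    return out


def vlan_from_attributes(attrs):
    """Mimic the NAS: group the three attributes by tag, accept only a complete VLAN/802 set."""
    by_tag = {}
    for atype, tag, value in attrs:
        by_tag.setdefault(tag, {})[atype] = value
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return int(group[TUNNEL_PRIVATE_GROUP_ID])
    return None


def access_accept_vlan_attributes(vlan_id, tag=1):
    """The three attributes the freeradius users entry in the post produces."""
    return (encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_IEEE_802)
            + encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


if __name__ == "__main__":
    wire = access_accept_vlan_attributes(100)
    print(wire.hex(" "))   # 41 06 01 00 00 06 40 06 01 00 00 0d 51 06 01 31 30 30
    print(decode_attributes(wire))
    print("VLAN:", vlan_from_attributes(decode_attributes(wire)))
```

Because all three attributes share tag 1, a NAS can tie them together even when other tagged tunnel sets are present; a set missing one of the three, or using a different medium type, yields no VLAN, which is the kind of incomplete set the decoder rejects.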
Remote Access VPN on Cisco ASA Problem
Hi, I configured Remote Access VPN on a Cisco ASA 8.x as per the configuration below.
The problem is that my internet has stopped working, and the default route is just showing stars.
I can ping the internal server 10.110.10.150 fine, which I allowed in the VPN ACL, but my other traffic is not going to the regular internet from my laptop.
What additional configuration is required to force my internet traffic to go to the regular internet instead of getting encrypted?
Also attaching the output of route print at the point when the VPN is connected.
ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
crypto map VPN_MAP interface outside
isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group ITT_RA type remote-access
tunnel-group ITT_RA general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_GP
tunnel-group ITT_RA ipsec-attributes
pre-shared-key <group key>
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
dns-server value 10.0.0.1 10.0.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mydomain.com
address-pools value RA_VPN_POOL
access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
nat (inside) 0 access-list nonattest
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.111.36.1 10.111.36.9 276
0.0.0.0 0.0.0.0 On-link 10.1.200.100 20
10.1.200.0 255.255.255.0 On-link 10.1.200.100 276
10.1.200.100 255.255.255.255 On-link 10.1.200.100 276
10.1.200.255 255.255.255.255 On-link 10.1.200.100 276
10.110.10.150 255.255.255.255 10.1.200.1 10.1.200.100 100
10.111.36.0 255.255.255.0 On-link 10.111.36.9 276 -
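The route print output from the ASA remote-access VPN post above, read by an added diagnostic that is not part of the original thread: it parses the active routes and reports which default route Windows will actually use. The table has two 0.0.0.0 entries, and the one on the VPN adapter (10.1.200.100, metric 20) beats the physical adapter's (metric 276), so every flow that is not covered by a more specific route goes into the tunnel, which matches the symptom. A session that honours a split-tunnel list installs only the listed networks (here 10.110.10.150/32) via the adapter and no default route on it. The pool network is taken from the ip local pool line of the posted config; the sample text is the post's own table.

```python
import ipaddress

# Route table from the post (Windows "route print" captured while the VPN was
# connected); VPN_POOL is the /24 that holds the ASA's RA_VPN_POOL addresses.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.111.36.1 10.111.36.9 276
0.0.0.0 0.0.0.0 On-link 10.1.200.100 20
10.1.200.0 255.255.255.0 On-link 10.1.200.100 276
10.1.200.100 255.255.255.255 On-link 10.1.200.100 276
10.1.200.255 255.255.255.255 On-link 10.1.200.100 276
10.110.10.150 255.255.255.255 10.1.200.1 10.1.200.100 100
10.111.36.0 255.255.255.0 On-link 10.111.36.9 276
"""
VPN_POOL = ipaddress.ip_network("10.1.200.0/24")


def parse_routes(text):
    """Return [(dest_network, gateway, interface_ip, metric)] from the active routes."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[-1].isdigit():
            continue                               # headers and separators
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, ipaddress.ip_address(iface), int(metric)))
    return routes


def default_route_winner(routes):
    """Windows forwards unmatched traffic via the default route with the lowest metric."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    return min(defaults, key=lambda r: r[3]) if defaults else None


def vpn_routes(routes, pool):
    """Every route that leaves through the VPN adapter, minus the adapter's own subnet."""
    return [r for r in routes if r[2] in pool and not r[0].subnet_of(pool)]


def tunnel_mode(routes, pool):
    """'full' if the winning default route points at the VPN adapter, else 'split'."""
    winner = default_route_winner(routes)
    if winner is not None and winner[2] in pool:
        return "full"
    return "split"


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    print("winning default route:", default_route_winner(routes))
    print("tunnel mode:", tunnel_mode(routes, VPN_POOL))
    for net, gw, iface, metric in vpn_routes(routes, VPN_POOL):
        print(f"  via VPN adapter: {net} gw {gw} metric {metric}")
```

Running this on a capture taken from a correctly split-tunnelled session should list only the split-tunnel networks under "via VPN adapter" and report "split"; the 0.0.0.0/0 entry on the adapter is the thing to look for when internet access disappears after connecting.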
Cisco 3905 problem / remote site
Hi all!
Information:
I have CUCM 8.6.2.20000-2 and many Cisco IP Phone 3905 (SIP). Some of them deployed in central office and some in remote sites.
Phone information:
Boot Version: 3905.0-0-0-01-01
DSP Version: 12.0.0.8
Application: 3905.9-2-2-0
Symptoms:
In remote sites only!
The phone is registered and working fine. However, after a few hours in the idle state I lift the handset, dial any number and nothing happens. I drop the call and try again 2-3 times. After that either the call goes through or I get a permanent busy tone (I need to reboot the phone to make it work again).
The phone is marked as registered on CUCM and I hear a dial tone when I lift the handset.
I cannot collect debug messages from the phones, because as soon as I log in via telnet they start working fine.
There is no such problem in the central office.
The phones print the following messages in the terminal all the time:
17:07:10:302 x [CENTRAL] CDP/LLDP-MED CB function is called
17:07:26:491 [sip] 03:58:24.490 pjsua_acc.c SIP outbound status for acc 0 is not active
17:07:26:495 [sip] 03:58:24.494 pjsua_acc.c "............ .............."<sip:[email protected]:5060>: registration success, status=200 (OK ), will re-register in 120 seconds
17:07:26:502 [sip] 03:58:24.500 pjcu.c pjcu_on_reg_state2(), Account["............ .............."<sip:[email protected]:5060>] : OK, status=200
17:07:26:506 x [pcu] pcuRcvHandler(CALL), SRV_EV, eid=0, cid=65535,
17:07:26:510 x [pcu] [pcux_insrv_cb():7071] CUCM_DateTime:Mon, 27 May 2013 11:07:26 GMT
17:07:26:511 x [pcu] Sync time from server: Mon, 27 May 2013 11:07:26 GMT
17:07:26:515 x [pcu] [set_svr_type][1599] Bfe active_server_idx=0, serverType=0
17:07:26:515 x [pcu] [set_svr_type][1602] Aft serverType=0, Server Number=2
17:07:26:531 [ipps] ----- PCU: CC_SRV, pid=0, eid=0, cid=65535 -----
17:07:26:532 [ipps] In func: remoteNtyEvtProcess(), lib = 0, cid = 65535, ntyEv = 0
17:07:26:533 f [ipps] In func: remoteNtyEvtProcess(), recv inservice nty, svrType = 0, cause = 0
17:07:26:534 f [MMI] <RCV>: In func: ui_nty(), lid = 0, cid = 65535, ntyEv = 0
17:07:26:535 x [CENTRAL] IPPS CB function(RegStatus) is called (1) with Line (0)
17:07:26:536 f [ipps] In func: mlcu_isKpmlEnabled(), KPML value = 3, blRet = 1
17:07:26:537 x [CENTRAL] Enter FSM: State(STANDBY) | Event(REGISTER_OK) | Cause(0)
17:07:26:540 x [CENTRAL] Unexpected event REGISTER_OK (cause=0) at STANDBY state
17:07:26:541 x [CENTRAL] Waiting event in STANDBY
17:07:58:990 x [CENTRAL] CDP/LLDP-MED CB function is called
17:08:39:022 [sip] 03:59:37.021 pjcu.c pjcuRcvHandler(KA), KA_REQUEST, eid=-1, p1=192.168.70.1:5060
17:08:39:040 [sip] 03:59:37.036 pjcu.c pjcu_rpt_ka_status(), target(192.168.70.1:5060): status=1, id=27
17:08:39:044 x [pcu] pcuRcvHandler(KA), KA_RESPONSE, eid=0, addr=192.168.70.1:5060, status=1
17:08:39:050 x [pcu] [pcu_polling_sipserver_thread():1478] mark!
17:08:54:130 x [CENTRAL] CDP/LLDP-MED CB function is called
Thanks for your help.
There are 2 versions of firmware on cisco.com: cmterm-3905.9-2-1-0 is the default firmware that goes with CUCM 8.6.2.20000-2 for 3905 phones, and cmterm-3905.9-2-2-0 I installed recently. Both versions of firmware have the same problems.
Some new information: I took a traffic dump with Wireshark.
INVITE sip:[email protected]:5060;transport=tcp SIP/2.0
Via: SIP/2.0/TCP 192.168.70.86:3457;rport;branch=z9hG4bKPjdp3HjFLs7Dy03RL9ce.16qung.tOq5O3
Max-Forwards: 70
From: "............ .............." ;tag=5a25b465-747b-4c31-a020-1a9636827427
To: sip:[email protected]
Contact: ;+sip.instance="";+u.sip!devicename.ccm.cisco.com="SEP10BD18DD3F59";+u.sip!model.ccm.cisco.com="592"
Call-ID: e9edcc43-6a9b-42b8-8efc-99f702b313d1
CSeq: 28324 INVITE
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
User-Agent: Cisco-CP3905/9.2.1
Supported: replaces,join,sdp-anat,norefersub,extended-refer,X-cisco-callinfo,X-cisco-serviceuri,X-cisco-escapecodes,X-cisco-service-control,X-cisco-monrec,X-cisco-config,X-cisco-sis-4.0.0,X-cisco-xsi-7.0.1
Expires: 900
Accept: application/sdp
Allow-Events: kpml,dialog
Remote-Party-ID: "............ ..............";privacy=off
Content-Type: application/sdp
Content-Length: 294
As you can see, the phone is trying to invite [email protected]:5060, BUT I dialed DN 7103 from 7102. So where are the other numbers? Bug? -
10.4.8 and Cisco/VPN problem solved
Hi,
This and related issues have arisen in threads over the past month, regarding the Cisco VPN client v 4.9005 (and perhaps other VPN software) not working the same after the 10.4.8 upgrade. The problems relate to either not making a VPN connection, or data transfer after a successful connection is made, once the upgrade happened.
The workaround was to run the Network Setup Assistant every time to do the connection properly before launching the VPN. But this is a pain.
The eventual solution was simple, although effecting it was not straightforward. It was necessary to do a clean install of the VPN client. This is something that I could not accomplish manually, despite suggestions from the discussion group as to which files to remove, because it was difficult to find all the files that the install put in. But, at least on my machines, it could be done from the command line in Terminal: cd to /usr/local/bin, ls vpn_uninstall to see if it is there, and if so, sudo ./vpn_uninstall.
I don't know if other machines can do this or if this was part of our local IT install, but IT WORKED. I AM FREE!
Wayne
That's odd....
I'm running the Cisco client 4.6.04 on OS X 10.4.8 and VNC without any problems...
The only difference is my RADIUS server is an NT box, but I can AFP and VNC to my Mac on that network. -
New 2.4 Macbook and Cisco VPN problems?
Is anyone else using the new MacBook Pros with Cisco VPN? I cannot get the software to work; I get an error 51 "unable to connect to VPN subsystem" at every launch. I've uninstalled and reinstalled the Cisco software; I'm using the latest VPN 4.9. I've got a 2.3 MacBook Pro sitting right next to it, and it runs the Cisco software fine. Something with the Santa Rosa set? Any help would be greatly appreciated. I have no other network issues. All the software is up to date: system, Cisco, etc. Thanks...
Fixed my own problem; it appears to be Parallels related. After I reinstalled the new Parallels 3.0, Cisco started working fine. Whew... ;-) Hope this helps others.
-
AD Machine Authentication with Cisco ISE problem
Hi Experts,
I am new to ISE. I have configured ISE & domain computers for PEAP authentication. Initially the machine gets authenticated and then it starts going to MAB.
Authentication policy:
Allowed protocol = PEAP & TLS
Authorization Policy:
Condition for computer to be checked in external identity store (AD) = Permit access
Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
All of the above policies do match and download the ACL from ISE, but the computer starts MAB authentication again...
Switchport configuration:
===============================================
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit ip any host (AD)
permit icmp any any
permit ip any host (ISE-1)
permit ip any host (ISE-2)
permit udp any host (CUCM-1) eq tftp
permit udp any host (CUCM-2) eq tftp
deny ip any any
===============================================
switchport config
===============================================
switchport access vlan 10
switchport mode access
switchport voice vlan 20
ip access-group ACL-DEFAULT in
authentication open
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 100
====================================================
One more problem about "authentication open" and the default ACL. Once the authentication succeeds and the per-user ACL is pushed through ISE to the switch, the default ACL still blocks communication on this switchport.
Your help will be highly appreciated.
Regards,
You need to watch the switch during an authentication, and see if the machine is passing authentication while the user is failing authentication, causing the switch to fall back to MAB. If your switch configuration is "on auth failure continue to next method", then this makes sense. The question is why the user is failing auth but the machine is passing; it could be something in the policy. Make sure your AD setup has machine authentication checked, or it may not tie the machine and user auth together, and the user may be failing because ISE can't make that relationship, so the machinewasauth=true is not being matched. An easy way to check is to remove that rule from your policy and see if the same thing happens.
I've also seen this happen when clients want to use EAP-TLS on the wired side: the machine passes auth, then a user logs into the machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate; since this is an auth failure, the switchport kicks over to MAB.
I don't think wasmachineauth=true is that great; I prefer to use EAP-FASTv2 with Cisco AnyConnect NAM and EAP chaining. This is great because you can do two-part authentication: EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also write my rules to say if the machine passes and the user fails, then workstation policy; if machine and user pass, then corp policy. -
First, I want to apologize for my English.
I have a wireless network which connects areas isolated by the sea.
One of the repeaters has connection problems.
There is a picture that illustrates my problem.
The repeater in red was installed recently. Because of the distances, a 1 watt amplifier was added to each TNC output.
The problem arises when the bridge that connects to the repeater begins to put traffic on the network.
The repeater is disconnected, leaving the bridge and repeater offline.
We believe that the problem is caused by the fact that this link is 12 meters above sea level. And we think that we could solve that problem by adding two amplifiers to the Master AP.
Any suggestion?
You did not include the config files for the 1310s. Did you set the distance parameter for the radio on the root bridge? For longer distances the AP needs to adjust the timeout values.
http://cisco.com/en/US/docs/wireless/access_point/12.3_8_JA/command/reference/cr38main.html#wp2481270
Hope this helps.
Bill -
I have this error when I start my router:
System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
Copyright (c) 2003 by cisco Systems, Inc.
Bad RAM at location 0x00000000: wrote 0x00000000, read 0x00000400
What is the problem? How can I fix it?
The RAM is creating the problem, or you can say it is not compatible. Just change your RAM. (If 2 RAMs are placed in the router then unplug the RAMs one by one: unplug the 1st RAM and check, then place the 1st RAM back, unplug the 2nd RAM and check.)
I'm sure your problem will be solved.
Hope this will help you.
If yes then rate this article -
Hi, I bought a Cisco E900 wireless router in the last week. It's blocking certain websites. It's even blocking pages where a user has to sign in, like the Yahoo Answers page, or even signing in to Yahoo Mail.
Please help me. It's urgent.
I have a broadband connection with an ADSL modem. The modem and router are connected correctly, as of course seen from the documentation. I am getting excellent signal strength on my laptop also.
I can access many other sites without any problem. It's just some sites that are causing the problem, like the Yahoo sign-in pages (the Yahoo page is accessible, but when I click the sign in or mail link from it, it doesn't load). Also with the UHRS web entry login I am experiencing an issue; this site also loads, but when I use its sign in button nothing happens, the site just stays without any action.
Do you want me to share a snapshot? Because all it says is the usual error displayed by the browser, i.e.
the web page is not available.
Please help to solve this issue as soon as possible -
I am experiencing a problem with a Cisco 7204VXR router's FastEthernet interface. The board is model PA-2FE-TX (FE2/0 and FE2/1): FE2/1 seems to work correctly, while I have problems with FE2/0. After bringing it up, as soon as data traffic greater than a ping passes through it, the interface becomes "frozen", while still remaining up. Sometimes this also causes problems for the other interface (FE2/1).
I also replaced the board, but the problem remains. I observed a lot of collisions (in half-duplex mode), while in full-duplex mode not even a ping works.
Thanks in advance for your help
Hi, I suppose that you want to see the counters on fa 2/0 while it is working, but unfortunately I set it down a few days ago because it was causing some problems for the other interface fa 2/1 (on the same slot) and I then had to reboot the router. It was losing some packets!
Anyway, interface 2/0 was giving me many collisions and deferred packets while it was still active!
If you want I can tell you the other boards mounted on the router, or anything else you want to know!