802.1X IAS Switch 3750

Hi,
I am configuring 802.1X authentication on my access switches. The switches are WS-C3750G-24PS running C3750-IPBASEK9-M, Version 15.0(1)SE2, RELEASE SOFTWARE (fc3). The RADIUS server is an IAS server. In IAS there is a Remote Policy with the Windows group of the users, and the attributes Service Type (Frame), Tunnel-Medium-Type (802), Tunnel-Pvt-Group-ID (100) and Tunnel-Type (Vlan) were configured.
The configuration on a switch is as follows:
aaa new-model
aaa session-id common
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.168.11.28 key 7 093204802934802934123132132123
interface GigabitEthernet1/0/23
 switchport mode access
 authentication event fail retry 5 action authorize vlan 5
 authentication event no-response action authorize vlan 5
 authentication port-control auto
 authentication periodic
 authentication violation protect
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 2
 dot1x max-reauth-req 10
 dot1x timeout held-period 300
 spanning-tree portfast
end
I have these logs, when I connect a workstation with 802.1x configured:
016569: *Mar  2 04:07:37: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to up
016570: *Mar  2 04:07:41: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016571: *Mar  2 04:07:41: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016572: *Mar  2 04:07:41: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016573: *Mar  2 04:08:09: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016574: *Mar  2 04:08:09: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
Other show commands:
Switch#show dot1x interface gigabitEthernet 1/0/23 detail
Dot1x Info for GigabitEthernet1/0/23
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
QuietPeriod               = 5
ServerTimeout             = 10
SuppTimeout               = 2
ReAuthMax                 = 10
MaxReq                    = 2
TxPeriod                  = 2
Dot1x Authenticator Client List
EAP Method                = (0)
Supplicant                = 2965.0a1d.3431
Session ID                = C0A813FD000000CF060CE68E
    Auth SM State         = HELD
    Auth BEND SM State    = IDLE
Any idea?
Any suggestions?

Hi Matthew,
Please let me know which EAP method you are using (e.g. PEAP with EAP-MS-CHAPv2).
The backend RADIUS server logs should have a hint on why the 802.1x failed.
If you are using PEAP with EAP-MSCHAPv2,
1) Make sure the certificate on the RADIUS server is fine.
2) Check the config in the RADIUS server (regarding which EAP methods are allowed) and check the settings in the supplicant.
3) Make sure that the CA certificate of the RADIUS server is trusted in the supplicant.
4) Check the RADIUS server logs; the logs should give a hint regarding the issue.
If needed, create a case with the respective RADIUS server vendor's TAC.
Regards,
Karthik Chandran
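
The syslog messages quoted on this page (DOT1X-5-FAIL, AUTHMGR-7-RESULT and related) can be grouped per client to see which method returned which result and how often the switch retries. The Python below is an added example, not part of the original posts; the sample log is constructed in the same format, and the MAC addresses, session IDs and triage labels are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format quoted in the thread. The MAC
# addresses and AuditSessionID values are made up for this example.
SAMPLE_LOG = """\
000101: *Mar  2 04:07:37: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to up
000102: *Mar  2 04:07:41: %DOT1X-5-FAIL: Authentication failed for client (0000.5e00.5301) on Interface Gi1/0/23 AuditSessionID EXAMPLE000000000000000A
000103: *Mar  2 04:07:41: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0000.5e00.5301) on Interface Gi1/0/23 AuditSessionID EXAMPLE000000000000000A
000104: *Mar  2 04:08:09: %DOT1X-5-FAIL: Authentication failed for client (0000.5e00.5301) on Interface Gi1/0/23 AuditSessionID EXAMPLE000000000000000A
000105: *Mar  2 04:08:09: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0000.5e00.5301) on Interface Gi1/0/23 AuditSessionID EXAMPLE000000000000000A
.Jan 25 12:47:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0000.5e00.5302) on Interface Fa3/0/13 AuditSessionID EXAMPLE000000000000000B
.Jan 25 12:47:27: %DOT1X-5-FAIL: Authentication failed for client (0000.5e00.5302) on Interface Fa3/0/13 AuditSessionID EXAMPLE000000000000000B
.Jan 25 12:47:27: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0000.5e00.5302) on Interface Fa3/0/13 AuditSessionID EXAMPLE000000000000000B
.Jan 25 12:47:28: %MAB-5-FAIL: Authentication failed for client (0000.5e00.5302) on Interface Fa3/0/13 AuditSessionID EXAMPLE000000000000000B
.Jan 25 12:47:28: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (0000.5e00.5302) on Interface Fa3/0/13 AuditSessionID EXAMPLE000000000000000B
.Jan 25 12:47:28: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0000.5e00.5302) on Interface Fa3/0/13 AuditSessionID EXAMPLE000000000000000B
"""

# Optional sequence number, optional '*' or '.' clock marker, then timestamp.
LINE = re.compile(
    r"^\s*(?:\d+:\s+)?[*.]?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)(?:\.\d+)?:\s+"
    r"%(?P<fac>[A-Z0-9_]+)-\d-(?P<mnem>[A-Z0-9_]+):\s+(?P<text>.*)$")
CLIENT = re.compile(r"client \((?P<mac>[^)]+)\) on Interface (?P<intf>\S+)")
RESULT = re.compile(r"result '(?P<result>[\w-]+)' from '(?P<method>[\w-]+)'")


def parse_ts(ts):
    # These timestamps carry no year; pin one so gaps can be computed.
    return datetime.strptime("2000 " + " ".join(ts.split()), "%Y %b %d %H:%M:%S")


def summarize(log_text):
    """Group 802.1X/MAB events per (client MAC, interface)."""
    clients = defaultdict(lambda: {"results": [], "dot1x_fail_times": [],
                                   "exhausted": 0, "success": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        c = CLIENT.search(m["text"])
        if not c:
            continue  # e.g. LINK-3-UPDOWN names no client
        entry = clients[(c["mac"], c["intf"])]
        event = m["fac"] + "-" + m["mnem"]
        if event == "AUTHMGR-RESULT":
            r = RESULT.search(m["text"])
            if r:
                entry["results"].append((r["method"], r["result"]))
        elif event == "DOT1X-FAIL":
            entry["dot1x_fail_times"].append(parse_ts(m["ts"]))
        elif event == "AUTHMGR-NOMOREMETHODS":
            entry["exhausted"] += 1
        elif event == "AUTHMGR-SUCCESS":
            entry["success"] += 1
    return dict(clients)


def retry_gaps(entry):
    """Seconds between consecutive dot1x failures for one client."""
    t = entry["dot1x_fail_times"]
    return [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]


def triage(entry):
    """Coarse label (hypothetical names) for where to look next."""
    results = entry["results"]
    dot1x = {res for meth, res in results if meth == "dot1x"}
    if not results:
        return "authorized" if entry["success"] else "no-result-logged"
    if entry["exhausted"]:
        return "all-methods-failed"      # every configured method was tried
    if dot1x and dot1x <= {"no-response"}:
        return "no-supplicant-answer"    # EAP requests went unanswered
    if "timeout" in dot1x:
        return "dot1x-timeout"           # switch gave up waiting; compare RADIUS logs
    return "rejected" if any(res == "fail" for _, res in results) else "other"


if __name__ == "__main__":
    for (mac, intf), entry in summarize(SAMPLE_LOG).items():
        print(mac, intf, entry["results"], retry_gaps(entry), triage(entry))
```
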

Similar Messages

  • 802.1x between Switch 3750 and ACS 4.2 Authentication failed --need help

    I configured the Switch 3750 and ACS for 802.1x authentication.
    When I used Windows as the 802.1x client, it prompted "click here to enter user name and password for the network" as normal.
    The problem is that after I entered the username and password (I am sure I entered the identical username and password as in ACS), the authentication failed.
    What is the most likely problem?
    Thx in advance!!!
    The configuration in the Sw3750 is:
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default line
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
    interface GigabitEthernet1/0/18
    description Link to test 802.1x
    switchport access vlan 119
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    spanning-tree portfast
    radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key keepopen0
    In the ACS:
    Network Configuration -->aaa client ip address: 10.1.119.1(the vlan 119's ip address), shared secret: keepopen0
    user setup -->real name:test1, password: test1.
    Attached is the debug information

    What do you see in acs failed attempts?

  • Lwapp capwap AP to act as a supplicant on a 802.1x enabled switch port

    Hi
    All our switchports are configured to validate the connected device with 802.1x.
    However, when a wireless access point that is running FlexConnect is connected, I have to make a "mac bypass" on the AP MAC address and add the multihost command to the port config.
    I would really like to move away from the mac bypass, but keep the multihost command, and install a certificate on the AP. Does anyone have any ideas about how to get the AP itself to auth?

    Hi,
    The AP can act as an 802.1x supplicant if it is connected to an 802.1x enabled switch port.
    Cisco unified APs however support only EAP-FAST as the EAP method.
    Here is a config example, hope it'll be useful.
    http://goo.gl/HMbiHL
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco 1252s with regular 802.3af PoE switches - what are the impacts?

    Does anyone have any real-life experience with deploying the 1252s on regular 802.3af PoE switches?  I have a few 1252s on some 3560 PoE ports and they show up with "low power" alarms.
    I am wondering what the real world impact is with this scenario.  The 1252s have both 2.4 Ghz and 5.0 Ghz radios in them and I have HT enabled on the controller.
    I'm wondering what capabilities I am losing by running on 802.3af power besides the annoyance of the alarms.
    Thanks in advance!

    Sorry in advance for the book I have just written.
    I have three 1252s on 75 feet of Cat5e cable running to a 3560 PoE switch. Sometimes, but not always, I see a low power alarm on the access point(s). This is in a small building that is built like a fortress so the RF environment is somewhat challenging. I am watching WCS closely and see all three 2.4 GHz radios powered all the way up to power level 1. I notice that two of the 5GHz radios are on power level 1, and one is on level 3. I thought that RRM would not power anything down until you had at least four access points as RF neighbors. I believe I read that in a Ciscopress book and it seems to be true everywhere in our network when I look at buildings with 3 or less WAPs.
    The building in question does not have any other buildings close by with any 5GHz radios in operation - or at least I didn't see any when I did the survey.
    I'm wondering if the power setting of the radios is also related to the length of the Cat5e cabling. Seems to me a shorter run would have less resistance than longer runs, allowing the radio to have more power.
    My main concern is not this building in question, since we went for coverage and not client density in the design. We have several other buildings on the radar, all libraries, which are going to be both RF challenging (bookshelves, furniture, cubicles, cubbies) and client-density challenged. These buildings have hundreds of WLAN clients in them at times - and I mean devices, not just people.
    Someone else told me (reputable source) that channel bonding is not an option when on 802.3af power. Makes sense, actually. I would never even think of bonding in the 2.4 GHz range for obvious reasons, but up in the 5GHz range it is a definite possibility in these buildings. Seems to me that we might be shooting ourselves in the foot by not using 802.3at power in these buildings.
    If channel bonding is disabled and the upper two MCS rates (using 800ns guard interval) of 117 and 130 are disabled, then I'm looking at maximum MCS rate of 104 Mbit/s compared to 270 Mbit/s with 802.3at with channels bonded in the 5GHz range.

  • 802.1x MDA LLDP Disabled on Switch (3750) but detected on phone?

    I have been playing around with 802.1x and some IP phones.  The test scenario we have is that LLDP is globally disabled on the switch and enabled on the phone.  When the phone boots up a non-LLDP enabled device is allowed to use the data vlan to boot and learn (via DHCP) the voice vlan.
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#pgfId-389460
    We found that if LLDP is disabled on the switch it still detects LLDP on the phone and blocks the LLDP enabled phone from using the data vlan.  This causes the phone to "hang" waiting for DHCP.
    Turning LLDP off on the switch port did not seem to help as the switch tests for LLDP regardless and then blocks access to the data vlan.  It seems like *if* LLDP is disabled on the switch it should treat all devices as non-LLDP devices and allow the use of the data vlan, even if the device (IP Phone) is capable of LLDP.
    Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(55)SE8, RELEASE SOFTWARE (fc2)

    Turned out that this was being caused by not having a valid DATA vlan set (leaving it in vlan 1).  It looks like with MDA you cannot assign the data VLAN the phone will use to boot in a Radius reply.  It has to be assigned manually?
    Is there another way to tell the switch to allow the phone on data vlan 20 for a short period of time?
    interface x/y/z
     switchport access vlan 20
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 60
     switchport port-security maximum 5
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     authentication event fail retry 1 action authorize vlan 20
     authentication event no-response action authorize vlan 20
     authentication host-mode multi-domain
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     snmp trap mac-notification change added
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout server-timeout 2
     dot1x timeout tx-period 5
     dot1x timeout supp-timeout 2
     spanning-tree portfast

  • 802.1x on Cisco 3750 switch: How to stop retrying the authentication for the un-authorized guests

    Hi experts,
    I'm trying to stop the authentication retry for the guests. They won't have the credentials to be authorized and will be put in the guest VLAN. However, the switch by default seems to always retry the authentication every 15 seconds or so. It's fine if the guests are few but I'm implementing it at a hotel where most users are guests (like 1000 of them at the same time...).
    I really need to turn it off or at least find some timer to decrease the frequency... It's urgent because the hotel is about to open... The following is the config I put on an interface:
    switchport access vlan 1055
    switchport mode access
    switchport nonegotiate
    switchport voice vlan 657
    ip access-group ACL_PortIso_IDF21 in
    authentication event fail action authorize vlan 1055
    authentication event no-response action authorize vlan 1055
    authentication host-mode multi-domain
    authentication port-control auto
    authentication violation protect
    mab
    no snmp trap link-status
    dot1x pae authenticator
    dot1x timeout quiet-period 300
    dot1x timeout tx-period 2
    dot1x timeout supp-timeout 2
    dot1x max-reauth-req 10
    dot1x timeout held-period 300
    no cdp enable
    spanning-tree portfast
    spanning-tree bpduguard enable
    no ip igmp snooping tcn flood
    Thanks!

    Elly,
    Soon I will have a Windows laptop plugged in. Then I will be able to run the wireshark. Now I have to run the "debug dot1x packets" since the attached device is a phone.
    So first I "clear dot1x session int f3/0/13". After a couple of "failure" eventually it will show this:
    "%AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa3/0/13"
    (Weird... why is it showing "success"? Anyway, when the authentication restarts again after several minutes there won't be any "success" any more, as shown in my previous text file. They are)
    Then I have the debug turned on:
    .Jan 25 12:47:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    INDJWSW01-2104#
    .Jan 25 12:47:21: EAPOL pak dump Tx
    .Jan 25 12:47:21: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    .Jan 25 12:47:21: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    .Jan 25 12:47:21: dot1x-packet(Fa3/0/13): EAPOL packet sent to client 0x5600009F (0019.f302.a378)
    INDJWSW01-2104#
    .Jan 25 12:47:23: EAPOL pak dump Tx
    .Jan 25 12:47:23: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    .Jan 25 12:47:23: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    .Jan 25 12:47:23: dot1x-packet(Fa3/0/13): EAPOL packet sent to client 0x5600009F (0019.f302.a378)
    INDJWSW01-2104#
    .Jan 25 12:47:25: EAPOL pak dump Tx
    .Jan 25 12:47:25: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    .Jan 25 12:47:25: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    .Jan 25 12:47:25: dot1x-packet(Fa3/0/13): EAPOL packet sent to client 0x5600009F (0019.f302.a378)
    INDJWSW01-2104#
    .Jan 25 12:47:27: %DOT1X-5-FAIL: Authentication failed for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    .Jan 25 12:47:27: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    .Jan 25 12:47:27: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    INDJWSW01-2104#
    .Jan 25 12:47:27: %AUTHMGR-5-START: Starting 'mab' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    .Jan 25 12:47:28: %MAB-5-FAIL: Authentication failed for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    .Jan 25 12:47:28: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    .Jan 25 12:47:28: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    .Jan 25 12:47:28: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    Then the message will repeat and repeat forever... It seems that the switch Tx the packets first... Any ideas???
    Thanks!

  • 802.1x authentication switch and AD

    Hello,
    I want to know if Cisco has solved the problem (MD5) between ACS and Active Directory, because I want to configure 802.1x on a switch and it will integrate with Active Directory (database).
    The solution is:
    Switch <--> ACS (Authentication) <--> AD (Data Base)
    Also I want to know if there is any solution, not NAC Appliance, that can use 802.1x integrated with AD in a switch infrastructure?
    Best Regards

    I have hit the same challenge, where I need to authenticate the users against AD and I don't want to use the local CiscoSecure Database in ACS. For hundreds of users, there is no way I'm going to manage a database in ACS for user access. I have to manage the users in AD. I opened a case with Cisco and MS-CHAP is not supported by Cisco ACS, as I was provided this URL link:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/o.html#wpxref846
    Additionally, I was directed to the URL: http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K24308566
    I'm so stuck...there has to be way to use IEEE 802.1x with an external database such as LDAP.

  • RADIUS failover not working in wired 802.1x (CATOS switch)

    I am setting up a pilot group for wired 802.1x testing. I have it working correctly on a C2950 and C3550s. I am having trouble with the RADIUS failover on my CATOS C4006 series switches. When I disable the primary RADIUS Server to test failover, the switch never fails over to the backup RADIUS server and thus wired 802.1x fails. Am I missing something?
    Any help is appreciated. Here is my config:
    #version 8.4(7)GLX
    #radius
    set radius server 10.30.XX.XX auth-port 1812 primary
    set radius server 10.18.XX.XX auth-port 1812
    set radius timeout 30
    set radius key EE08361
    Set dot1x system-auth-control enable
    set port dot1x 5/27 port-control auto
    all radius and dot1x settings are at their default values
    Any takers??!

    I have the same setup as yours. I use Steelbelt
    radius 6.0.1 on Linux and I have Cisco 2960
    catalyst. I use 802.1x over Ethernet with
    PEAP, as seen below:
    C2960#sh run int g0/23
    Building configuration...
    Current configuration : 133 bytes
    interface GigabitEthernet0/23
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 668
    end
    C2960#
    C2960#sh run | inc dot
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    C2960#sh run | inc radius-
    radius-server host 192.168.15.10 auth-port 1812 acct-port 1813 key xxx
    radius-server host 10.250.97.26 auth-port 1812 acct-port 1813 key xxx
    C2960#
    Everything works and when I shutdown the
    radius server process on host 192.168.15.10,
    "sbrd stop", it still works with the secondary
    radius server 10.250.97.26.
    The difference between yours and mine is that
    I am running IOS instead of CatOS.
    System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"
    David

  • 802.1x with Switch SRW2024-Web

    Hi@all,
    I want to implement port-based NAC with Windows Server 2008 NPS acting as RADIUS and some Linksys/Cisco SRW2024 WebView switches, using EAPoL and MD5-Auth.
    (SRW2024: http://www.cisco.com/en/US/products/ps9989/index.html)
    I am able to authenticate any supplicant and open the port on the switch. But I have a problem with the VLAN-ID.
    I only want to authenticate the user on the switch port. All incoming traffic is untagged and the switch should tag the frames with the configured PVID in access mode. But the switch neither tags with the configured PVID nor with the RADIUS attributes:
    Tunnel-Type -> VLAN
    Tunnel-Medium-Type -> 802
    Tunnel-Private-Group-ID -> <VLAN-ID>
    Does anyone have an idea what I'm doing wrong?

    Well, I don't understand the world anymore... After the switch was accepting the RADIUS attributes,
    I removed the RADIUS attributes again... Since then, the configured PVIDs in access mode are working too.
    Sometimes these switches drive me crazy.

  • 802.1x caused Switch to hang - Memory too low

    Hi all,
    Has anyone experienced this before: turning on flex authentication (802.1x, MAB, Web Auth) causes the switch to hang. When the switch hangs, I can't even telnet to the switch or console into it. The message I am getting from the console is "Memory too low, please try again later".
    It happens weeks after 802.1x was enabled on the switch. Can anyone share their experience on this? Thanks.

    Any luck with this??
    We have quite a few 4500's doing the same thing.

  • 802.1X on switch 2950

    Hi,
    I tried to configure 802.1X on a 2950 switch, i can't connect from a pc.
    That's what i did on:
    * ACS
    aaa client ip IP_Switch
    authenticate : radius (ietf)
    key : xxxxx
    a certificate has been created on a ca server and installed on the acs (on same machine, i choose "use certificate from storage")
    * WIN XP
    Type EAP : PEAP
    Secured password : EAP-MSCHAP V2
    * SWITCH
    aaa authentication dot1x default group radius
    interface fastethernet0/1
    switchport mode access
    dot1x port-control auto
    radius-server host IP_ACS auth-port 1645 key xxxxx
    I created user (same as used for logging on the client) on ACS, i always get "authentication failed"

    Hello stephen,
    Is the IP communication between the switch and the RADIUS server fine? Is the RADIUS server on a separate segment? Once you have this set up, you just need to define the username/password on the RADIUS server and see if it authenticates through the switch. Do a debug aaa authentication, debug dot1x events/packets etc. to see what happens when the user logs in!
    configs:
    aaa new-model
    aaa authentication dot1x default group radius local
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    interface FastEthernet1/0/47
    switchport access vlan 777
    switchport mode access
    dot1x port-control auto
    dot1x timeout tx-period 15
    dot1x guest-vlan 10
    dot1x reauthentication
    spanning-tree portfast
    ip dhcp snooping trust
    If authentication phase passes, the user will be put in VLAN 777. if there is any guest plugging into this PC, without a dot1x client, he will be put on guest vlan 10..
    Hope this helps.. all the best. rate replies if found useful..
    Raj

  • VoIP configure on edge switch 3750

    Greeting
    I am testing no cisco phone on 3750:
    interface FastEthernet1/0/6
    description testing
    switchport access vlan 100
    switchport mode access
    switchport voice vlan 101
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape 10 0 0 0
    priority-queue out
    mls qos trust dscp
    auto qos voip cisco-phone
    macro description cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQoS-Police-CiscoPhone
    end
    and found that "switchport port-security"
    will drop the phone's dhcp discovery packets.
    When phone first time power on, it can get ip address from dhcp server; but, when you log out from current phone number, and the phone start to get ip address from dhcp again, the switch will drop the dhcp discover packets which the phone used to communicate with dhcp server.
    I tried to increase max number to 6 (switchport port-security maximum 2) but it is not useful.
    I did show port-security int command, and there is only one mac address on the interface.
    I have also checked the mac address, and I can not see any violated to the security rules.
    Could anyone advise me:
    - what the cause ?
    - how can I debug it?
    - if possible to fix it without disable the port security?
    Any comments will be appreciated
    thanks in advance

    Great thanks for the reply, I have found the problem. the problem is the "switchport port-security aging time" has to be lower than 2. I have set it to 1 min.
    Another question, we have been asked to set qos trust dscp, as:
    mls qos trust dscp
    can I get advice, if it will cause the workstation (PC/server) which plug into this port to get high priority treatment?
    Please advise.
    Many Regards

  • CISCO SWITCH 3750 IP ACCOUNTING

    Hi Everyone
    Can anyone tell me if the ip accounting is support in the 3750 switch.
    Switch Ports Model              SW Version            SW Image                 
    *    1 26    WS-C3750-24P       12.2(55)SE9           C3750-IPBASEK9-M 
    The switch accepts the command, but when I execute show ip accounting it doesn't show me anything.
    The command is configured under the VLAN interface and it's the default gateway of that VLAN.
    interface Vlan199
     description RED DE GESTION
     ip address x.x.x.x 255.255.255.224
     no ip redirects
     no ip unreachables
     ip accounting output-packets
     no ip mroute-cache
    end
    BOG-AME-CORE-C3750-24Px1#show ip accounting 
       Source           Destination              Packets               Bytes
    Accounting data age is 0

    Hey Peter,
    Looks like its an unsupported command for 3750, see the link:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750e_3560e/software/release/12-2_55_se/configuration/guide/3750escg/swuncli.html
    HTH.
    Regards,
    RS.

  • VoIP with Switch 3750

    Hi,
    I have a doubt. The company wants to implement VoIP, but the core switches are Cisco 3750. Is it possible to implement it with these switches?.
    Any experience in this task will be appreciated.
    Thanks
    Wladimir

    Well Wladimir,
    you could implement it in one step or in several steps. It depends on several parameters I do not know, like time frame, staff, size, maintenance windows, etc.
    Be aware that implementing VoIP will most likely require QoS on at least the trunk ports and all ports, where VoIP traffic is passing.
    VLAN implementation would be the base for any traffic, So I would make sure to design and implement rapid spanning tree per VLAN first.
    Make sure the root bridges are selected carefully. Test failure scenarios.
    Increasing the number of VLANs should not pose any problem, so this could be an ongoing process, while you plan your VoIP implementation.
    VoIP needs a LOT more than just switch design. Have a look at the VoIP SRND (www.cisco.com/go/srnd). If you have no experience with setting up VoIP get professional help, if your budget allows it. Make sure your staff is properly trained to support the new network.
    Just a few recommendations to get you onto the right track - I still might miss some important points, as I do not know your requirements and network in great detail.
    Hope this helps nevertheless. Please use the rating system.
    Regards, Martin

  • Etherchannel between stack switches[3750] and standalone switch[3560]

    Hi,
    I have 2*3750 switches in stack as core and 1*3560 switch in access layer. I want to enable ether channel between stack switch[3750A & 3750B] and 3560 switches.
    Have connected  2 links from 3560 switch to stack switch, one link to 3750A and other link to 3750B. Will it work in this way as per my requirement? 
    or i should enabled stacking on 3560 switch too and configure cross-stack ether channel between 3750 stack and 3560 stack. i refered few cisco documents, but the cross stack etherchannel configuration example has 3750 at both end stacks.
    Rgds...
    VikramS

    Hi,
    This should work fine as per your setup; the 3750 stack will be acting as one switch, which means that the EtherChannel configuration should be straightforward. There is no need to stack the 3560 for this to work; also, the 3560s are not stackable.
    Hope this helps.
