802.1x MDA with Cisco 3750, ACS and Avaya phones
Hello,
What is the minimum software level on the C3750 to support the 'device type class=voice' AV-pair returned by ACS? I found that 12.2(35) introduced MDA, but I also found that 12.2(40) is required for dynamic voice VLAN on MDA ports.
What I observe is:
- phone connects
- phone is dot1x authenticated in data VLAN and gets its DHCP address there
- DHCP advertises (option 242) the voice vlan id
- phone reauthenticates in voice vlan
- phone reacquires a new DHCP address, now in voice VLAN
so far so good ... and we start using the phone
- pc behind phone starts and enters credentials
- pc authenticates ok (in data vlan)
but the 3750 shuts the port down due to a security violation ("new mac-address found").
The MAC address of the phone stays in the data VLAN's MAC table, even though the phone moved correctly to the voice VLAN. This MAC address excludes the 'new' PC MAC address, causing a shutdown of the port.
NB: setting "port-security max mac-addresses" to, say, 5 does not change this behavior.
Can anybody give some hints?
Tx.
Searching further, I found that the 12.2(40) requirement for dynamic voice VLAN on MDA ports only applies to dynamically provisioning the voice VLAN ID by RADIUS, applying the (65) tunnel (medium) type and (81) tunnel private group id attributes. So, obviously, MDA support with 'static' voice VLAN assignment by switchport configuration *should work* with our 12.2(35), *
So, the question remains: why does the data VLAN keep an entry with the phone's MAC address in its MAC table?
Tx.
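A small diagnostic for confirming the state the post describes, added here as an example that is not part of the original post or of Cisco's own tooling. It parses a Catalyst "show mac address-table" dump, reports any MAC address learned in more than one VLAN on the same port (the stale phone entry), and counts distinct MACs per data/voice domain on each port, which is the condition that exceeds MDA's allowance of one device per domain. The table lines are constructed, not the poster's output; VLAN 10 (data), VLAN 100 (voice), the MAC addresses and the port names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not the poster's output) in the layout of a Catalyst
# "show mac address-table": the phone 0004.0d12.3456 is still in data VLAN 10
# on Gi1/0/5 after it moved to voice VLAN 100, and the PC 0011.2233.4455
# has now been learned in VLAN 10 on the same port.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0004.0d12.3456    DYNAMIC     Gi1/0/5
 100    0004.0d12.3456    DYNAMIC     Gi1/0/5
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  10    000c.2900.0001    DYNAMIC     Gi1/0/6
 100    0004.0d99.8877    DYNAMIC     Gi1/0/6
"""

# One table row: numeric VLAN, dotted MAC, type, port. Header and "All" rows do not match.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples from show mac address-table output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append((int(vlan), mac.lower(), kind.upper(), port))
    return rows


def cross_vlan_macs(rows):
    """MACs present in more than one VLAN on the same port: {(port, mac): [vlans]}."""
    vlans = defaultdict(set)
    for vlan, mac, _kind, port in rows:
        vlans[(port, mac)].add(vlan)
    return {key: sorted(v) for key, v in vlans.items() if len(v) > 1}


def macs_per_domain(rows, voice_vlans):
    """Distinct MAC count per (port, domain), the domain being 'voice' or 'data'."""
    macs = defaultdict(set)
    for vlan, mac, _kind, port in rows:
        domain = "voice" if vlan in voice_vlans else "data"
        macs[(port, domain)].add(mac)
    return {key: len(v) for key, v in macs.items()}


def mda_overflows(rows, voice_vlans, max_per_domain=1):
    """(port, domain) pairs holding more MACs than MDA allows (one per domain)."""
    return sorted(key for key, n in macs_per_domain(rows, voice_vlans).items()
                  if n > max_per_domain)


if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_MAC_TABLE)
    print("stale cross-VLAN entries:", cross_vlan_macs(rows))
    print("domains over the MDA limit:", mda_overflows(rows, voice_vlans={100}))
```

Replace SAMPLE_MAC_TABLE with the saved output of the real switch and the set of voice VLANs in use; a port that shows up in both reports is one where the phone's leftover data-VLAN entry, not the PC itself, is what pushes the data domain past one MAC.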
Similar Messages
-
Hello Everybody,
I am working with Cisco Secure ACS 4.2, and it is integrated with Active Directory at a Windows 2008 R2 functional level. User accounts that are set with lockout parameters (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once. The integration is done via LDAP.
I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or VPN and type my password wrongly, on the Active Directory I get extra bad password counts.
Thanks in advance and regards....
Hello Scott,
Thanks for your answer. However, we checked the ACS logs and they show that we entered bad credentials just once, but in Active Directory our account sometimes gets blocked because we get at least 2 and sometimes 3 failures. This problem only occurs when we authenticate to Cisco devices or through VPN; in normal circumstances, when users enter bad credentials on their computers, it works fine.
Thanks and regards...
-
Please help! I have just updated my iPhone 4s with the 7.4 update and my phone is now asking for a password which I don't have. I have tried the keypad lock I used before the update and also my iTunes password, and neither works. How do I rectify this???
Did you buy this iPhone new from an authorized seller?
-
Could apple send me an iPad air. All my friends are making fun of me because I'm stuck with the old device and no phone. I've had app problems with apple before so I think that it would only be fair to get a newer device. Thank You Apple
First, we aren't Apple, just normal users like you.
Second, provide Apple feedback or send them a mail.
Third, they will never send you a free iPad Air.
If you want one you have to buy it (go for refurbished if the device is too expensive) or look for special prices.
Contact iTunes support if you have a problem with an App.
-
Was skiing with a lifeproof on and my phone did not get wet. On the ride back my phone was struggling to send/receive messages and had trouble opening apps. The screen froze and I hit the sleep button; since then, it has not turned on. Any suggestions on what to do?
It probably got too cold and shut down. Warm it to room temperature, then hold the HOME and SLEEP buttons at the same time until an Apple logo appears.
-
Is Firefox compatible with Window Surface Pro and Win Phone 8
A user posted here the other day who is using a Surface Pro 2, with Windows 8.1, so that should work basically the way it works on a desktop or laptop.
Windows Phone, I don't think so.
-
Battery symbol with a red x and my phone won't turn
I have the Curve 8520... it was working earlier today. I changed my SIM card, so I shut my phone off. After this, when I switched on my handset, I found a battery symbol with a red X and the phone is not booting the OS. I am not sure what that means, but my phone won't turn on and won't charge. I tried taking the battery out and now it turns on, but the symbol is still there and the loading bar is on the screen and it won't change. I also took out my SIM card & memory card. Please help me...
Hi AnupamSingh
Welcome to Blackberry Support Forums
Have you installed any application recently, before this problem? If you have, then start your device in safe mode and uninstall or undo any changes that you think may be responsible for the problem. Check this knowledge base article:
KB17877 : How to start a BlackBerry smartphone in Safe Mode.
Click "Like" if you want to thank someone.
If the problem is resolved, mark the post(s) as "Solution", so that others can make use of it.
-
With Cisco Secure ACS For Windows TACACS+, authentication fails with AD
I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for switches and routers. I am using Windows 2003 Server for the ACS,
and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
on the domain, etc.).
I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log.
02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,, (getting error message as Internal Error)
I've scoured google etc, and just cannot come up with any reason why this should be happening.
I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
so am looking forward to finding out if anyone can help me with this one!
Thanks and regards
Sharan
Hi Jesse,
That's a great answer and solution.
My previous version was 4.2 and it was installed on a 64-bit machine, hence getting the Internal Error.
After this answer I upgraded it to ACS 4.2.1 and it started working fine.
Thanks very much for the help
Dipu
-
Boot camp with Cisco VPN client and smart card
Looking at a MacBook or MacBook Air, and the only reason I need to run Windows is to be able to access my work network through the Cisco VPN client and my smartcard, then use Remote Desktop. From my understanding, if I run Boot Camp it should work; am I correct? I'm going to an Apple store tomorrow; hopefully they can help too.
Thanks
mrbacklash wrote:
Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
Message was edited by: BobTheFisherman
-
Problem with Cisco 861W router and outgoing VPN
We have a Cisco 861W router that is blocking an outgoing PPTP on the internal access point only. The outgoing VPN works when the traffic is through a wired connection or the connection is on another access point. We fail to make a connection only when connection to the 861W's internal Access Point.
Here is the Access Point Configuration:
Current configuration : 2100 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname obap
enable secret 5 $1$.1RF$go1D7WITXUn3s8TUaw3tC.
no aaa new-model
dot11 syslog
dot11 ssid OLIVER
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 XXXXXXXXXXX
username XXXXXX privilege 15 secret 5 $1$Wc0K$OzcQDDQfjHP6La31eXMoG/
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
ssid OLIVER
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.0.2 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
banner login ^CC
% Password change notice.
Default username/password setup on AP is cisco/cisco with privilege level 15.
It is strongly suggested that you create a new username with privilege level
15 using the following command for console security.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use. After you change your username/password you can turn off this message
by configuring "no banner login" and "no banner exec" in privileged mode.
^C
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
cns dhcp
end
obap#
Here is the Router's Configuration:
Current configuration : 5908 bytes
! No configuration change since last restart
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname obrouter
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 $1$i9XE$DjxFVAEC9nC4/r6EQKCd6/
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-1856757619
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1856757619
revocation-check none
rsakeypair TP-self-signed-1856757619
crypto pki certificate chain TP-self-signed-1856757619
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383536 37353736 3139301E 170D3036 30313032 31323030
34345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38353637
35373631 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1A4 FB786547 3D582260 03DB768D 116BDE9A 309FBA04 B53F77B0 BFE32344
7C3439B3 97192B36 760A9411 1D5C7549 8D86F532 ABA44F53 0D08B7F4 A9A747D5
071330C3 65BF25A8 927F3596 29BB5A80 90C8D169 22268476 3B8DDE1E FDB7170D
B4820D03 5580A849 A92C7E76 9AC10867 505A2FEE 64360741 7F9DBDBF 3D79982C
F81D0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 156F6272 6F757465 722E6272 75736868 6F672E63 6F6D301F
0603551D 23041830 168014D8 5BC2FFB2 967A4C7B 11B44122 5C8D31F7 749B9230
1D060355 1D0E0416 0414D85B C2FFB296 7A4C7B11 B441225C 8D31F774 9B92300D
06092A86 4886F70D 01010405 00038181 005901F1 C239074B B8213567 CF7B65BF
DAFE4557 69B2A3B1 5F2593C7 A54B9598 23FD5E7A 563AA6E0 AFB25801 FA0061E8
F9545372 DB600B3A BE68AE65 1EDA593E 6A0C96B8 5A4136AF 393F9AAC 651E1C36
B8B7C6C0 47936C24 D2ECE9A5 9446EE32 FC7461FA AD8CF1CE A7FBF341 07E9C3C6
505AB88D 0E7FCAFC 5792298A E5E4D1FE CC
quit
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp pool ccp-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 216.49.160.10 216.49.160.66
default-router 192.168.0.1
ip cef
no ip bootp server
ip domain name brushhog.com
ip name-server 216.49.160.10
ip name-server 216.49.160.66
license udi pid CISCO861W-GN-A-K9 sn FTX155281FY
username tech38 privilege 15 secret 5 $1$d/4Z$n/23EsXbzfHF5XfJ8Nv.y0
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
pppoe-client dial-pool-number 1
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXXXX password 7 XXXXXXXXXXX
no cdp enable
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.25 80 interface Dialer0 80
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Any help would be appreciated
Hello,
I have the same problem with router CISCO861W-GN-E-K9, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1).
Can someone help?
Thank you.
Here is my config for internal AP and router.
-
Cisco Secure ACS and Windows NLB
Hi,
I have two ACS servers and have been trying unsuccessfully to set up Windows NLB for them. I can successfully set up the NLB, but ACS won't respond on the clustered IP. Other services running on the clustered IP do respond, so I believe the NLB is working correctly.
Has anyone had any success with ACS and Microsoft NLB? I can't find any documentation to suggest that they are incompatible, but I think this may be the case.
Thanks,
Neil
Neil,
ACS is not tested with NLB, but if cluster hosts are attempting to communicate with the ACS using their clustered IP, then ACS should reply.
Do you see any hits on ACS? If you sniff the ACS interface, what is the source IP address? Is it the clustered IP or the cluster host IP?
Also, on ACS ---> Network Configuration, add an AAA client with the host IP and the clustered IP. Now see if ACS responds to NLB.
Regards,
~JG
-
Cisco call manager and ip phone software.
Hi everybody.
Does Cisco Call Manager also include the software required for the IP phone? Or does the software for the IP phone need to be installed on a TFTP server, and it does not come with Cisco Call Manager?
Thanks and have a great weekend.
Hi Sarah,
By IP phone software, do you mean Cisco IP Phone Agent software?
If yes, then you need to have Customer Response Solution (CRS) and Call Manager together to set up IP phone software (services).
Check this link for further info:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_configuration_example09186a00801c5765.shtml
Please rate if it helped.
Soroush.
-
Hello Guys,
I am running Cisco Call Manager 7.0. I have 2 Avaya 4620 IP phones and want to add them to my existing VoIP network. How do I go about doing this? All of my other phones are Cisco 79xx.
I think you can add Avaya phones to a Cisco environment as third-party SIP phones.
-
Mixed environment with Cisco 3750 and SRW248G4
Dear Community,
As mentioned in the subject field, we are evaluating Linksys for Business products.
We are using Cisco products (i.e. Cisco WS-C3750G-12S-S) for core networking; due to new investment planning, we are evaluating how to upgrade our access switches.
In fact, we would like to implement Linksys by Cisco products, specifically the SRW248G4. These devices should be connected over fibre cabling using Linksys by Cisco MGBSX1 optical modules.
So, for these reasons, I have to check whether this design is going to work. Can you give any feedback on this?
Thank you in advance.
Ni hao Seng,
Without an understanding of what you are trying to achieve, I can however say the following:
I have used the wonderful SRW platform (SRW2008P) in my network for two years now. I have had no difficulty in setting up VLAN tags and trunking to traditional Cisco equipment.
Most of the problems I have seen come from not understanding how to set up VLANs correctly. I can appreciate that, as VLANs took me a long time to understand.
I think, for the benefit of the good people out there who use this community, I should put together a Video on Demand that goes through creating a VLAN and shows how to set up VLANs on an SRW switch, taking into account the three modes the switch ports can be set in (access, general and trunking modes).
regards Dave
-
Catalyst 3750 , ACS and Downloadable IP ACL
Hi,
We installed ACS v4.1; we were trying to limit access to authenticated users by using Downloadable IP ACLs on a Catalyst 3750 with IOS version ipbasek9-mz.122-25.SEE4. The authentication part works fine with an external database (Wins AD), but we want to limit the access to the network for some groups.
Can this be done using Downloadable IP ACLs?
Thanks for any help
Yes, DACLs can be used here. To use a downloadable IP ACL on a particular AAA client, the AAA client must:
- Use RADIUS for authentication.
- Support downloadable IP ACLs.
Examples of Cisco devices that support downloadable IP ACLs are:
- PIX Firewalls
- VPN 3000-series concentrators, ASA and PIX devices
- Cisco devices running IOS version 12.3(8)T or greater
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp696809
Please note that downloadable ACLs are not supported on cat based switches.
If downloadable ACLs through a shared profile don't work, define a Cisco av-pair to create the downloadable ACLs.
Give this a try and see if it works. The format for the av-pair ACL is:
Example:
ip:inacl#1=permit ip 1.1.1.0 0.0.0.255 9.9.9.0 0.0.0.255
Regards,
~JG
Do rate helpful posts.
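The switch applies whatever ip:inacl# av-pairs the RADIUS server returns, so it is worth validating a group's set of pairs before committing them in ACS. The checker below is an added example (mine, not from the reply, from ACS or from Cisco): it verifies the ip:inacl#N=... syntax, parses each entry into action, protocol, source and destination terms, orders the entries by sequence number, rejects duplicates and malformed addresses, and flags any "permit ip any any" that would cancel the restriction the group was meant to get. The sample av-pairs are constructed; the first one is the format quoted in the reply.

```python
import ipaddress
import re

# av-pair form shown in the reply: ip:inacl#<sequence>=<access-list entry>
INACL_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' expressed as address/wildcard

# Constructed sample set (not from the thread); #1 is the entry quoted in the reply.
SAMPLE_AVPAIRS = [
    "ip:inacl#2=permit tcp 10.20.0.0 0.0.255.255 host 10.1.1.10 eq 443",
    "ip:inacl#1=permit ip 1.1.1.0 0.0.0.255 9.9.9.0 0.0.0.255",
    "ip:inacl#3=permit ip any any",
]


def _parse_address(tokens, i):
    """Consume one address term (any | host A.B.C.D | A.B.C.D WILDCARD) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (str(ipaddress.IPv4Address(tokens[i + 1])), "0.0.0.0"), i + 2
    addr = ipaddress.IPv4Address(tok)              # raises on a malformed address
    wildcard = ipaddress.IPv4Address(tokens[i + 1])
    return (str(addr), str(wildcard)), i + 2


def parse_ace(text):
    """Parse 'permit|deny <proto> <src> <dst> [options]' into a dict."""
    tokens = text.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] not in PROTOCOLS:
        raise ValueError(f"unsupported ACE: {text!r}")
    try:
        src, i = _parse_address(tokens, 2)
        dst, i = _parse_address(tokens, i)
    except (IndexError, ipaddress.AddressValueError) as exc:
        raise ValueError(f"malformed address in ACE {text!r}: {exc}") from None
    return {"action": tokens[0], "protocol": tokens[1], "src": src, "dst": dst,
            "options": tokens[i:]}   # e.g. ['eq', '443'], kept verbatim


def parse_inacl_avpairs(avpairs):
    """Return the ACEs carried by ip:inacl# av-pairs, ordered by sequence number."""
    by_seq = {}
    for pair in avpairs:
        m = INACL_RE.match(pair.strip())
        if not m:
            raise ValueError(f"not an ip:inacl av-pair: {pair!r}")
        seq = int(m.group(1))
        if seq in by_seq:
            raise ValueError(f"duplicate sequence number {seq}")
        by_seq[seq] = parse_ace(m.group(2))
    return [by_seq[seq] for seq in sorted(by_seq)]


def overly_permissive(aces):
    """Indices of entries that permit all IP traffic and so negate a restrictive DACL."""
    return [n for n, ace in enumerate(aces)
            if ace["action"] == "permit" and ace["protocol"] == "ip"
            and ace["src"] == ANY and ace["dst"] == ANY]


if __name__ == "__main__":
    aces = parse_inacl_avpairs(SAMPLE_AVPAIRS)
    for n, ace in enumerate(aces):
        print(n, ace)
    print("overly permissive entries:", overly_permissive(aces))
```

The entries are evaluated in sequence order on the switch, so an early "permit ip any any" makes every later entry dead; the checker reports its position so the group's ACL can be tightened before it is pushed.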