802.1x port security auth MXP and C series with Cerficiates

Similar Messages

• Javax.security.auth.Subject and weblogic.security.acl.User

  Hello,
  We are trying to move some old authentication code (Weblogic 5.1) to JAAS
  which comes with Weblogic 6.1. Here is my problem:
  I can succesfully authenticate the Subject through my RDBMS Realm. But then, the rest of my code uses weblogic.security.acl.User
  and not javax.security.auth.Subject for authorization and other tasks. So, how can I extract weblogic.security.acl.User from javax.security.auth.Subject?
  I tried subject.getPrincipals(), since User indirectly implements Principal, but it comes back empty.
  Any suggestions?

  Hello,
  We are trying to move some old authentication code (Weblogic 5.1) to JAAS
  which comes with Weblogic 6.1. Here is my problem:
  I can succesfully authenticate the Subject through my RDBMS Realm. But then, the rest of my code uses weblogic.security.acl.User
  and not javax.security.auth.Subject for authorization and other tasks. So, how can I extract weblogic.security.acl.User from javax.security.auth.Subject?
  I tried subject.getPrincipals(), since User indirectly implements Principal, but it comes back empty.
  Any suggestions?

• Port Security MIB on SF, SG series switches

  I need to setup some parameters related to port security features on my SG, SF series switches via SNMP. I've found that it is possible with port security MIB (1.3.6.1.4.1.9.9.315). I found out my devices has support of this MIB downloading archive with MIBs from cisco site. But when I try to read some parameters from this MIB via SNMP, for example "cps if port security status" (1.3.6.1.4.1.9.9.315.1.2.1.1.2) device answers with: "No Such Object available on this agent at this OID". But it is possible to do with web-interface in Security->Port Security section
  How is it possible to read/write such type of parameters ?

  The OID you mentioned cpsIfPortSecurityStatus has Read-Only permissions and hence you cannot set anything.
  You can only poll this object to know the operational status of the port security feature on an interface, which will result from one of the three status :
  1 : secureup
  2 : securedown
  3 : shutdown
  For more details check OID Translation.
  You can only set values which has Read-Write permissions, like cpsIfPortSecurityEnable, using which you can enable port security on an interface.
  Tell us what you want to achieve using SNMP Set operation?
  Also, I am not sure if these MIB features are completely implemented on 29xx/35xx/37xx devices.
  But are present in 45xx and 65xx series switches.

• Troubleshooting SharePoint Auth prompts and Anonymous access with Fiddler - Is there a better way?

  I've troubleshooted (troubleshot?) many SharePoint sites for anonymous and random authentication prompts. It usually winds up being something not checked in or published, but sometimes it's something more random, like a survey list based on a template from
  another site prompting for auth even when configured for anonymous access, but when created manually, question by question, works fine for anonymous, and other random things I've run into in the past. In these situations, I almost always break out Fiddler,
  and then almost always move on to the tried and true method of "trying different things" until getting it to work.
  Because Fiddler almost never, in my experience, produces actionable results pointing at a specific file or problem. Am I alone? And if not, does anyone have anything better they've used over time?
  Thanks!

  That is as close as you're going to get to the element that isn't loading, although if it is a reference in a page, you should see the error when attempting to load the reference.
  Trevor Seward, MCC
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Air Port in my Imac and Airport Express with my 360

  Hi all,
  Not sure if Im being nieve but I am trying to set up a network between my Imac and an airport express, with the ulitmate goal of connecting my Xbox 360 to that network. My imac has an airport card and Ihave tried doing the WDS setup any help that any one can offer would be great.
  Thanks

  G'day Duane,
  Just clarifying things here, is it still possible to connect a 360 (via MS' networking adaptor) to a wireless network created by an iMac's built-in airport? Currently I'm using a network encrypted by a WEP password which works all fine and dandy with my MacBook. On the 360, it recognises the network, allows me to enter the password and connects, only to tell me when testing the XBL connection that the wireless network is not connected. The same problem happened when I took off the security. Is there a way around this apart from connecting an ethernet cable to my MacBook/directly into the router?
  Cheers in advance,
  -Tom

• Javax.security.auth.login.Configuration.setConfiguration() fails with  java.lang.SecurityException: No Permission to set the Configuration

  Hi All,
  I have a custom security class (deployed in an application) that uses JAAS
  to login, i have to set the Configuration in my security handler like this
  Configuration.setConfiguration(new MyConfiguration());
  This fails with
  java.lang.SecurityException: No Permission to set the Configuration
  How do i give this class the permission to set configuration???
  Thanks,
  Ako

  nobody knows?

• Port security and 802.1x (ISE)

  Hi everyone,
  I'm implemmenting ISE in a network with Port Security enabled.
  According the book Cisco ISE for BYOD and Secure Unified Access Port-security is not compatible with 802.1x.
  I want to know what is the affectation of to have Port-security and 802.1x enabled on the same SW Port.
  Someone?
  Thanks!

  Hi Neno,
  Thanks for the reply.. As we checked the port is going in error-disable with by phone mac address wherein phone is connected 24/7 and machine connects from phone.
  Please find below logs from switch - 
  Oct  1 09:21:11: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E906E5392F07 ======Phone MAC
  Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E907E53931BF ======Laptop MAC
  Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
  Oct  1 09:21:12: %DOT1X-5-SUCCESS: Authentication successful for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
  Oct  1 09:21:12: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
  Oct  1 09:21:12: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT APPLY
  Oct  1 09:21:12: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPE DOT1X| EVENT IP-WAIT
  Oct  1 09:21:13: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/30, new MAC address (e804.62eb.b435) is seen.AuditSessionID  Unassigned
  Oct  1 09:21:13: %PM-4-ERR_DISABLE: security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
  Oct  1 09:21:13: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E909E53935F3
  Oct  1 09:21:13: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT REMOVE
  Oct  1 09:21:13: %PM-4-ERR_DISABLE: STANDBY:security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
  Can you guide us how to fix this one
  Regards
  Pranav

• 802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation

  I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the  802.1x compliant  windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
  Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
  Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
  Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
  If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
  The ports GI1/0./1 & Gi1/02 are configured thus:
  interface GigabitEthernet1/0/1
  switchport mode access
  switchport voice vlan 20
  authentication event fail action authorize vlan 4
  authentication event no-response action authorize vlan 4
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  mab
  mls qos trust cos
  dot1x pae authenticator
  spanning-tree portfast
  sh ver
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
  Full config attached. Assistance will be grately appreciated.
  Donfrico

  I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS but the IAS log shows a invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
  However, I am successfully using IAS to authenticate WPA users on AP1210s so RADIUS appears to be OK working OK.
  Are there special attributes that need to be configured on the switch or IAS?

• How can I find out the server port for a secured FTP site and creating a FTP Connection Manager

  I have to create a FTP Task to go out and get the files that our 3rd party vendor will be dropping on a secured FTP site. I have all the credentials to access that Secured FTP Site and have successfully done so through FileZilla.
  Now I need to set-up a FTP Task to go out and get their files and in so doing create a FTP Connection Manager. Is there any way I can determine the
  Server Port number from the Secured FTP site? I let it default to 21 and tried the Test Connect and it failed.
  Thanks for your review and am hopeful for a reply.

  Hi ITBobbyP,
  SSIS has a built in FTP task, while this only works for the FTP protocol, it doesn’t support SFTP. But there are some free clients like WinSCP and
  SSIS SFTP Task Control Flow Component
  available in the CodePlex which can invoked from SSIS.
  References:
  SSIS SFTP Task Control Flow Component approach
  WinSCP approach
  Thanks,
  Katherine Xiong
  Katherine Xiong
  TechNet Community Support

• Problem with hp laser jet 9050 mfp and port security

  Hello,
  I activaded the port-security configuration in all the printers that we have. I've noticed that all the printers send an ethernet package that includes the same mac address 1a3c.30a9.5a8f  in all the cases and this makes the port go to shutdown. I have changed the configuration to a restrict mode to avoid the shutdown in the printers.
  But it keeps sending the message. So I want to know if its the switch doesn't know how to interpretate it or if its a problem with the printer?
  The switch i have is a Catalyst 4500-RE and here it's a log from the issue.
  Nov 11 12:40:22 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet4/24.
  Nov 11 12:01:45 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet3/25.
  Nov 11 12:03:58.757 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port FastEthernet7/16.
  Thanks for the help.

  Hi,
  this address has got the U/L bit set and even flipping the bit doesn't get any result in the IEE OUI database.
  Can you post sh port-security address output.
  Regards.
  Alain

• 802.1x port authentication and Windows Radius, possible?

  Hello,
  I'm just testing at the moment before implementing on our netowrk, but has anyone implemented 802.1x port authentication on there Cisco switch and used a Windows IAS server?  See out users are all all on a Windows domain and I want to authenticate using their active directory credentials.  I think I am fine with the switch config, but it is the Windows IAS/Raduis server.  I have added the switch IP's and secret, but I need to create a policy to accept the domain users and need help.
  Thanks

  Andy:
  Yes of course you can use whatever radius server as a AAA server for 802.1x authentication on the switches. NPS, IAS, ACS, Open RADIUS ....etc.
  If you have problem with configuring the IAS then I would suggest that you post your quesiton in a microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in google to help yourself.
  See this link, it could be useful for you:  https://supportforums.cisco.com/thread/2090403
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Port-security and Nexus 1000v

  Is there really any true need for port-security on Nexus 1000v for vethernet ports? Can a VM be assigned a previously used vethernet port that would trigger a port-security action?

  If you want to prevent admins or malicious users from being able change the mac address of a VM then port-security is a useful feature. Especially in VDI environments where users might have full admin control of the VM and can change the mac of the vnic.
  Now about veths ports. A veth gets assigned to a VM and stays with that VM. A veth is only released when either the nic on the VM is deleted or the nic is assigned to another port-profile on the N1KV or a port-group on a vSwitch or VMware DVS. Now when the veth is released it does not retain any of the piror information. It's freed up and added to a pool of available veths. When a veth is needed for a VM in either the same port-profile or a different port-profile the free veth will be grabbed and initialized. It does not retain any of the previous settings.
  So assigning a VM to a previsously used veth port should not trigger a violation. The MAC should get learned and traffic should be able to flow.

• NAC and switchport port-security

  Dear,Friends
  I have NAC working on Out-Of-Band Vitual Gateway.
  When I Enable Port Security on the CAM, this don't work very well.
  I need allow two mac-address for interface, one workstation and one phone.
  The first User is authenticated and placed in the correct VLAN according to the group. Total MAC Addresses increases the workstation and the phone correctly.
  Switch#sh port-security interface gigabitEthernet 1/24
  Port Security                          : Enabled
  Port Status                            : Secure-up
  Violation Mode                       : Shutdown
  Aging Time                            : 0 mins
  Aging Type                            : Absolute
  SecureStatic Address Aging   : Disabled
  Maximum MAC Addresses     : 2
  Total MAC Addresses            : 2
  Configured MAC Addresses    : 0
  Sticky MAC Addresses          : 0
  Last Source Address:Vlan      : fcfb.fbca.2c65:89
  Security Violation Count         : 0
  After if I:
  - change of user
  - bounce the interface
  - plug another workstation on interface
  Anything happens, and port remains on Access VLAN.
  Somebody Know How Can I fix this problem?
  Regards

  Could you please elaborate on your question? I don't understand what's exactly the problem.

• Port-security MAC address restrictions and flexconnect

  Hi - has anyone else seen this issue?
  We use port-security on flexconnect ports limiting the maximum mac addresses to 100. The ports are configured so that the native vlan is the AP management vlan and we tag the wireless client vlan.
  Recently we had an issue where we were seeing MAC address restriction violations on the ports connected to AP's. Although we could not see the violations happen in realtime they were in the switch logs. In Cisco Prime we checked the client counts on the AP's and they were less than 10 at that time the error occurred.
  We then increased the max mac addresses to 200 and still saw the same issue. Removing port-security seemed to fix the problem.
  This was the model and version of the switches.
  WS-C2960X-24PS-L   15.0(2)EX4            C2960X-UNIVERSALK9-M
  Has anyone else had this? 
  Any help much appreciated.

  Hi - has anyone else seen this issue?
  We use port-security on flexconnect ports limiting the maximum mac addresses to 100. The ports are configured so that the native vlan is the AP management vlan and we tag the wireless client vlan.
  Recently we had an issue where we were seeing MAC address restriction violations on the ports connected to AP's. Although we could not see the violations happen in realtime they were in the switch logs. In Cisco Prime we checked the client counts on the AP's and they were less than 10 at that time the error occurred.
  We then increased the max mac addresses to 200 and still saw the same issue. Removing port-security seemed to fix the problem.
  This was the model and version of the switches.
  WS-C2960X-24PS-L   15.0(2)EX4            C2960X-UNIVERSALK9-M
  Has anyone else had this? 
  Any help much appreciated.

• About TACACS+ and 802.1x port authentication

  Hi
  Is it true? TACACS+ will not work with 802.1x port authentication because EAP is not supported in TACACS+,
  Where to find the documents about Tacacs+ doesn't support EAP?
  Regards,
  Thanks.

  Correct, TACACS does not support EAP, check the following links:
  https://cisco.hosted.jivesoftware.com/message/7901
  http://www.rfc-editor.org/rfc/rfc1492.txt