802.1X un-authenticated user and guest VLAN

Similar Messages

• 802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

  Hello,
  i have tried to configure a dot1x based Authentication.
  With an single host including guest-vlan, everything works fine.
  But i want to use an IP-Phone (wich is every times authenticated) and behind the Phone an Client.
  Is there a possible solution? And unfortunately IP-Phones are Avaya-Phones.
  i have  just tried so...
  interface GigabitEthernet0/4
  switchport access vlan 121
  switchport mode access
  switchport voice vlan 200
  authentication event fail action authorize vlan 99
  authentication event server dead action authorize vlan 121
  authentication event server alive action reinitialize
  authentication host-mode multi-host
  authentication order dot1x
  authentication port-control auto
  authentication periodic
  authentication violation restrict
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 1
  spanning-tree portfast
  Thanks, for any possible solution!

  unfortunately because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.
  I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
  Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The raduis server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
  What are using for a radius server?

• 802.1x Auth-Fail VLAN and Guest-VLan not available

  Hi Pros,
  Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
  I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
  Idea is if the users takes the router home and someone, either accidentally or on pupose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.
  I found this link on Cisco's site:
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
  That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I dont have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
  EZVPN_Remote(config-if)#int fa1
  EZVPN_Remote(config-if)#dot
  EZVPN_Remote(config-if)#dot1?
  dot1q
  EZVPN_Remote(config-if)#dot1
  EZVPN_Remote(config-if)#int vlan1
  EZVPN_Remote(config-if)#dot1x ?
    default           Configure Dot1x with default values for this port
    host-mode         Set the Host mode for 802.1x on this interface
    max-reauth-req    Max No.of Reauthentication Attempts
    max-req           Max No.of Retries
    pae               Set 802.1x interface pae type
    port-control      set the port-control value
    reauthentication  Enable or Disable Reauthentication for this port
    timeout           Various Timeouts
  Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
  EZVPN_Remote#sh ver
  Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2011 by Cisco Systems, Inc.
  Compiled Tue 12-Jul-11 21:02 by prod_rel_team
  ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
  EZVPN_Remote uptime is 6 hours, 1 minute
  System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
  System restarted at 14:52:47 UTC Thu Oct 13 2011
  System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
  Last reload type: Normal Reload
  Last reload reason: Reload Command
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
  Processor board ID FTX153482GK
  5 FastEthernet interfaces
  1 Virtual Private Network (VPN) Module
  256K bytes of non-volatile configuration memory.
  126000K bytes of ATA CompactFlash (Read/Write)
  License Info:
  License UDI:
  Device#   PID                   SN
  *0        CISCO881-SEC-K9       xxxxxxxx
  License Information for 'c880-data'
      License Level: advipservices   Type: Permanent
      Next reboot license Level: advipservices
  Thanks in advance!

  Shamless bump...

• 802.1x Wireless - Enforce user AND machine authentication

  I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
  The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
  I'd rather not have to deploy user and machine certificates.
  All I want to do is allow access to the wireless network only if the device and the user are in AD.
  It's such a simple scenario that I must be missing something.
  Any suggestions are welcome. Thanks in advance for your comments.
  Lucas

  In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as radius backend, last time i looked in ACS release notes was 5.4, and it didn't have eap-chaining support.
  Using the built-in windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed), What most people miss when they say this will work fine with windows supplicant and acs, is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine, this is mainly due to the shortcomings.of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

• WAP321 and Guest VLAN

  I am struggling to remember how to configure a small biz client of mine who just purchased four of these WAP321 APs. They want to have two SSIDs one being for private LAN access along with internet and one that can only access the internet. With that said I setup the private SSID to be on VLAN 1 (default or basically untagged) and the guest SSID on VLAN2. At this point my problem would lie in the fact that since that since packets on the guest SSID are tagged with VLAN 2 it is not going to receive an IP address from the DHCP server which is actually a Windows server on the private LAN. THis makes sense but I think in other situations I have simply utilized the layer 3 switch and setup a DHCP scope on the switch which leaves us without any need to access an internal DHCP server. Can this be configured on the WAP321 access points...ie provide DHCP services to a specified VLAN...in this case VLAN 2?
  In either event, the switches are managable and have VLAN capabilities but no VLANs have been setup. Each ports sees all packets on any VLAN. What is the best way to set this up? Oh and the firewall/router is a medium end SonicWALL, not sure if that matters.
  Thanks for any assistance in advance.

  Hi [email protected], thank you for using our forum, my name is Johnnatan I am part of the Small business Support community. I apologize for the delay; in this case the server should be able to assign DHCP to Vlan2 once you setup the pool of address. I advise you to check all the devices if there are created the Vlan2, also check if there is any access rule for Vlan2.
  If you assign multiple DHCP servers you can get few issues with the addresses. I advise you try to assign DHCP from one server to avoid any issues.
  I hope you find this answer useful
  “Please rate useful posts so other users can benefit from it”
  Greetings, 
  Johnnatan Rodriguez Miranda.
  Cisco Network Support Engineer.

• Afpd with users and guests

  Hi everyone !
  I have some trouble for configuring an afpd server.
  I want a guest access to
  - box folder (rw)
  - data (r)
  and users access to
  - box folder (rw)
  - data (rw)
  - user folder (rw)
  (with all folder executable, of course)
  Sounds simple, but it's not...
  afpd.conf:
  - -noddp -uamlist uamsdhx.so,uamsguest.so -unixcodepage utf8 -maccodepage UTF8-MAC
  AppleVolumes.default:
  "/mnt/soho_storage/samba/shares/Adrien" "Adrien" allow:Adrien,Marie@Poopy deny:admin options:usedots,upriv perm:0777 cnidscheme:dbd
  "/mnt/soho_storage/samba/shares/Boite" "Boite" options:usedots,upriv perm:0777 cnidscheme:dbd
  "/mnt/soho_storage/samba/shares/Data" "Data" options:usedots,upriv perm:0775 cnidscheme:dbd
  "/mnt/soho_storage/samba/shares/Marie" "Marie" allow:Adrien,Marie@Poopy deny:admin options:usedots,upriv perm:0777 cnidscheme:dbd
  But I never get write permission, except the one who drop files.
  That's very annoying.
  I'm sure it's quite simple, but I can't figure out why it doesn't work.
  By the way, I don't know the netatalk version, what's the command to get it ?
  Thanks a lot,
  Adrien

  Hi Raja,
  Is there any discrepency in the prevelages between the individual users and the group they belong to.
  Sandeep Reddy Enti
  HCC
  http://hyperionconsultancy.com/

• PowerShell script to check permissions given to "NT Authority\All Authenticated Users" and..

  Hi there,
  On my SharePoint site - some places (Sites/Lists etc) have given permissions to "NT Authority\All Authenticated Users"
  We need to remove these permissions and instead give permissions to "Forest1\Domain Users" and "Forest1\Domain Users"
  PowerSHell script to do above will be appreciated.
  Thank you so much.

  Hello,
  In order to check whether "NT Authority\All Authenticated Users" are present in your site use this reference - Link
  Remove permission script reference - Link
  Finally grant permission script reference - link
  Kindly mark it as answer if it helps you.
  -Hatim

• WLC 5508 integration with fortigate and Guest Vlan

  Hi
  I have 5508 Cisco WLC and i want to connect my wlc one port to fortigate (FW) for direct internet.
  And other port in WLC i will connect on Cisco Core Switch for other SSID's and for management. Now the question is how to divide port in WLC 5508, how to point layer 3 traffic if don't configure switch port as trunk.
  Kindly what will be best solution.

  sh etherchannel 99 sum
  Flags:  D - down        P - bundled in port-channel
          I - stand-alone s - suspended
          H - Hot-standby (LACP only)
          R - Layer3      S - Layer2
          U - in use      N - not in use, no aggregation
          f - failed to allocate aggregator
          M - not in use, no aggregation due to minimum links not met
          m - not in use, port not aggregated due to minimum links not met
          u - unsuitable for bundling
          d - default port
          w - waiting to be aggregated
  Number of channel-groups in use: 38
  Number of aggregators:           38
  Group  Port-channel  Protocol    Ports
  ------+-------------+-----------+-----------------------------------------------
  99     Po99(SU)         -        Gi2/2/1(P)     Gi2/2/2(P)     Gi2/2/3(D)     
                                   Gi2/2/4(P)     
  Last applied Hash Distribution Algorithm: Fixed
  Gi2/2/3 is down becasue we had to shut down the interface because when it is up many APs refuse to register.

• 802.1.x guest VLAN problem

  Hi,
  I have configured Guest Vlan in switch port, when i power on PC and i didn't make login, PC after some time goes to Guest Vlan but it didn't acquire an IP address and after some time port goes to unauthorized state and then after some time goes to guest vlan.and so on
  I'm using XP sp2 with:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\Suppli
  cantModeDWORD Value = 3
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMo
  deDWORD Value = 0
  Could someone give some help,please.
  Thanks
  BR

  The key here is your AuthMode setting to 0. With this setting, if a connection has already been authenticated with machine-auth, the user’s credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is of you have configured AuthMode = 0 AND then turned off machine-authentication.
  As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
  I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
  *machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
  *user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
  *Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
  Hope this helps.

• 802.1X with Guest vlan support IOS version ???

  I don't know, Whitch IOS version support 802.1X with Guest vlan to Catalyst 2950 and 3550 switch
  please reply to my question.

  Tkank for your help.
  Also, Cisco web is explained , except for Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3
  but I can't understand, My site is using catalyst 2950 SI to 802.1X and guest vlan in IOS image 12.1(22)EA3
  ex) TW_14F_A_C2950_32.8#sh ver
  Cisco Internetwork Operating System Software
  IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
  Running Standard Image
  24 FastEthernet/IEEE 802.3 interface(s)
  Model number: WS-C2950-24
  please, reply for my question

• HREAP and Dynamic VLAN assignment (MS NPS)

  Hi All
  Just a quick rundown of what I am trying to achieve.
  We have a Cisco 5508 WLC (running AIR-CT5500-K9-7-0-116-0.aes). At the moment the WLC is controlling only 1 AP (Cisco 1142N LWAP). I want this AP to be placed at a remote site, and users that authenticate via the RADIUS (MS Windows 2008 NPS) server must be assigned their respective VLANs based on the Active Directory groups they belong to (staff, student, or guest).
  The AP and dynamic VLAN assignment works 100% if the AP is in local mode. Authentication works, and dynamic VLAN assignment works. As soon as you change the AP to HREAP mode, dynamic VLAN assignment stops working, and the client gets assigned an IP of whatever VLAN is assigned to the SSID under the HREAP tab. Allow AAA Override is enabled on the main SSID that I am broadcasting.
  I have read in some of the discussions that HREAP does not support dynamic VLAN assignment, but I haven't seen why this is not supported. Is this true with the latest version of WLC software as well? I cannot see why local traffic destined for a local resource must be sent via a WAN link to the controller, and then back over the WAN link again. This seems very inefficient.
  Is there anybody that can confirm if this is in fact an HREAP limitation, and why (if so) it is a limitation, please? Any info would be much appreciated.
  Regards
  Connie

  Do you perhaps know if there are plans for this limitation being addressed in the near future?
  We are looking to deploy wireless from end-to-end in all 6 of our sites, and you biggest competitor was penalized because they do not support this feature. It seems we're going to have to apply the same penalty in this respect to Cisco as well.
  Thanks for the feedback, though!
  Regards
  Connie

• Wired guest vlan with ISE

  Hi all,
  For those that have travelled down the path of ISE, is it reliable to put the all switch ports into a guest vlan and rely on the NAM to change that of corporate users? We will be using the NAM any connect supplicant for corporate users, so they should automatically be changed into the corporate vlan on successful authentication. Is this correct and is this reliable?
  Testing now with all ports on the corporate vlan has guests still accessing the corporate vlan initially before they are changed by the java applet upon registering as a guest user.
  Thanks
  Sent from Cisco Technical Support iPad App

  I will try to answer all of your quesitons:
  1.     "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"
            - I suppose the standard is to have the port in the regular/standard VLAN and only put failed           authentications in the guest VLAN. However, with that being said, it really depends on what you are           trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor           deployed it that way so I highly recommend you try that in the lab
  2.     "I wanted to know if the change of vlan for corporate users with NAM is reliable?"
            - Yes it is. Well at least for the most part Some "dumb" devices such as printers, badge readers, etc,           might not know that a VLAN was changed, thus never request a new IP address. As a result, they get           stuck in the guest VLAN. That is why I usually like to NOT use guest VLAN but send all failed           authentications through the guest portal. There you can control who is guest and who is not via dACLs.
  3.     " We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things           like PXE booting that needs to happen"
            - So my guess is that the guest VLAN terminates on some interface such as FW DMZ. That interface           usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you           want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the           one granted in the Low-Impact mode ACL otherwise things will break

• Adding a guest VLAN to 1240s

  I have some Cisco 1240 Access Points which are not centrally managed.  I want to add 802.1Q trunking so as to be able to provision a guest VLAN.  But a trick is that these APs are in some very high ceilings.  I would like to provision the new trunking and guest VLAN without having to remove them from the ceiling.  Someone suggested I just make the native VLAN save as existing and make the port to which attaches a trunked port.  But when I did this I lost
  connectivity to the Access Point.  Access came back as soon as I made the switch port an access port.  Can someone suggest a recipe for how I can add the trunking and guest VLAN without having to get into the ceilings to remove them and configure them via console or other?  Thank you. 

  Stephen Rodriguez wrote:Create your config then tftp it to the start config. Then when you are ready reboot the AP and change the switch port. SteveSent from Cisco Technical Support iPhone App
  You can do that but you need to be careful because if there is something wrong with the config and you can't reach the AP then you can't correct the config via tftp back again and you have to unmount the AP.
  It is better you start doing the config with the easist AP to unmount from the ceiling.
  You need to configure sub-interfaces in your current AP to support multiple VLANs.
  Hope those links will help you:
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
  https://supportforums.cisco.com/docs/DOC-14496
  Amjad

• Authenticated Users & Users missing from Root

  Hello,
  Environment: MDT 2013, 2008 R2, Windows 7 x86.  MDT is located on Windows 7 x86 and is not integrated with SCCM or WDS.
  Process: Separate build, capture, and deployment task sequences.
  Problem:  After deployment the Authenticated Users and local Users are missing from the root (e.g., c:).  The only security permissions assigned to the root are SYSTEM, domain account, Local Administrator.
  This causes problems once joined to a domain due to the fact Authenticated Users have no permissions forcing a given user to have a temporary account.  So far, only a partial workaround is identified and is undesirable in the long-run.  The workaround
  is to manually add Authenticated Users as well as the Local Users to the root and delete the domain account but the system will only allow partial inheritance through the file structure.  Delete all entries for a particular user in the registry (e.g.,
  PolicyGUID, ProfileGUID, ProfileList).  Afterwards, log in to the machine with an account within the domain administrator group.
  Additional information shows the registry Profilelist entries for a user maintains partial access with a value of 204; this includes the user and a domain account within the administrator group.  The domain account present after deployment has a value
  of 0.  Two accounts have the expected value of 256 and they are the local and domain administrator account.
  Also, if the same image is deployed using the PE environment the accounts are as they should be.  The groups added are: Authenticated Users, Localmachine\Users, SYSTEM, Localmachine\Administrators.
  The questions are: why would the Authenticated Users and Local Users accounts be missing?  Why is the account used to deploy added?
  Help is very appreciated, and thank you.

  Hello, Nicholas the sysprep and capture is completed by a default template from MDT LTI sequence.  The answer file used is the default provided by MDT.  No attempt is made to capture from winpe because this simply negates the point of the MDT process. 
  However, applying the same image from winpe there are no permission issues and all the appropriate groups are assigned to the root.
  With returning to the office this fine morning, I ran icacls on a machine:
  C:\Users\Administrator>icacls c:\
  c:\ No mapping between account names and security IDs was done.
  (I)(OI)(CI)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
  Successfully processed 1 files; Failed processing 0 files
  Thank you for the continued effort, Nicholas.  With the additional icacls information I will delve into the general error provided.

• Grant to a specific user and deny for all other users

  I have 100 users. Out of 100 users, i have windows & sql authentication users. I have a view "SQL_CONFIG_V" and want to give access to "corp\abc" (windows authentication user) and "poc" (sql authentication user) and all
  system user id's(by default) like sys, information_schema etc. I want to deny all other users to see view defintion or alter this view "SQL_CONFIG_V" except the users that i specified here.

  You can deny access to those users to the database, or they are have the access but you do not want them to SELECT that specific view? Do the users members of db_owner role?
  GRANT SELECT on viewname TO freddie
  Best Regards,Uri Dimant SQL Server MVP,
  http://sqlblog.com/blogs/uri_dimant/
  MS SQL optimization: MS SQL Development and Optimization
  MS SQL Consulting:
  Large scale of database and data cleansing
  Remote DBA Services:
  Improves MS SQL Database Performance
  SQL Server Integration Services:
  Business Intelligence