802.1x with Switch SRW2024-Web

Hi@all,
I want to implement a port-based NAC with Windows Server 2008 NPS acting as RADIUS and some Linksys/Cisco SRW2024 WebView switches, using EAPoL and MD5-Auth.
(SRW2024: http://www.cisco.com/en/US/products/ps9989/index.html)
I am able to authenticate any supplicant and open the port on the switch. But I have a problem with the VLAN-ID.
I only want to authenticate the user on the switch port. All incoming traffic is untagged and the switch should tag the frames with the configured PVID in Access Mode. But the switch neither tags with the configured PVID nor with the RADIUS attributes:
Tunnel-Type -> VLAN
Tunnel-Medium-Type -> 802
Tunnel-Private-Group-ID -> <VLAN-ID>
Anyone have an idea what I'm doing wrong?

Well, I don't understand the world anymore... after the switch was accepting the RADIUS attributes, I removed the RADIUS attributes again... since then, the configured PVID in access mode is working also.
Sometimes these switches drive me crazy.
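The three RADIUS attributes listed in the post, encoded the way a RADIUS server puts them into an Access-Accept and decoded the way a switch has to read them. This is an added example, not code from the post, from NPS or from the SRW2024; the attribute numbers (64, 65, 81) and the values VLAN=13 and IEEE-802=6 are the standard ones from RFC 2868 and RFC 3580, and the decoder also handles the case where the Tunnel-Private-Group-ID is sent without the leading tag byte, which is one common reason a switch appears to ignore the attribute.

```python
import struct

# RADIUS attribute types (RFC 2868) and the VLAN-assignment values (RFC 3580).
# Standard constants, not taken from the original post.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _attr(attr_type, value):
    """Wrap a value in the RADIUS Type/Length/Value header (length includes the header)."""
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def encode_vlan_attributes(vlan_id, tag=0):
    """Build the attribute triplet a RADIUS server sends to assign a VLAN dynamically."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must fit the 0x00-0x1F tag field")
    # Tunnel-Type / Tunnel-Medium-Type: one tag byte followed by a 3-byte integer
    tunnel_type = struct.pack("B", tag) + struct.pack(">I", TUNNEL_TYPE_VLAN)[1:]
    medium = struct.pack("B", tag) + struct.pack(">I", TUNNEL_MEDIUM_IEEE_802)[1:]
    # Tunnel-Private-Group-ID: tag byte followed by the VLAN id as an ASCII string
    group = struct.pack("B", tag) + str(vlan_id).encode("ascii")
    return (_attr(TUNNEL_TYPE, tunnel_type)
            + _attr(TUNNEL_MEDIUM_TYPE, medium)
            + _attr(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_attributes(data):
    """Split an attribute blob into (type, value) pairs, rejecting malformed lengths."""
    attrs, offset = [], 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("BB", data[offset:offset + 2])
        if length < 2 or offset + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[offset + 2:offset + length]))
        offset += length
    return attrs


def assigned_vlan(data):
    """Return the VLAN id the attributes request, or None if the triplet is incomplete."""
    found = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte above 0x1F is not a tag but part of the string
            text = value[1:] if value[0] <= 0x1F else value
            found[attr_type] = text.decode("ascii", errors="replace")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None or not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)
```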

Similar Messages

  • Cisco 1252s with regular 802.3af PoE switches - what are the impacts?

    Does anyone have any real-life experience with deploying the 1252s on regular 802.3af PoE switches? I have a few 1252s on some 3560 PoE ports and they show up with "low power" alarms.
    I am wondering what the real-world impact is with this scenario. The 1252s have both 2.4 GHz and 5.0 GHz radios in them and I have HT enabled on the controller.
    I'm wondering what capabilities I am losing by running on 802.3af power besides the annoyance of the alarms.
    Thanks in advance!

    Sorry in advance for the book I have just written.
    I have three 1252s on 75 feet of Cat5e cable running to a 3560 PoE switch. Sometimes, but not always, I see a low power alarm on the access point(s). This is in a small building that is built like a fortress so the RF environment is somewhat challenging. I am watching WCS closely and see all three 2.4 GHz radios powered all the way up to power level 1. I notice that two of the 5GHz radios are on power level 1, and one is on level 3. I thought that RRM would not power anything down until you had at least four access points as RF neighbors. I believe I read that in a Ciscopress book and it seems to be true everywhere in our network when I look at buildings with 3 or less WAPs.
    The building in question does not have any other buildings close by with any 5GHz radios in operation - or at least I didn't see any when I did the survey.
    I'm wondering if the power setting of the radios is also related to the length of the Cat5e cabling. Seems to me a shorter run would have less resistance than longer runs, allowing the radio to have more power.
    My main concern is not this building in question, since we went for coverage and not client density in the design. We have several other buildings on the radar, all libraries, which are going to be both RF challenging (bookshelves, furniture, cubicles, cubbies) and client-density challenged. These buildings have hundreds of WLAN clients in them at times - and I mean devices, not just people.
    Someone else told me (reputable source) that channel bonding is not an option when on 802.3af power. Makes sense, actually. I would never even think of bonding in the 2.4 GHz range for obvious reasons, but up in the 5GHz range it is a definite possibility in these buildings. Seems to be that we might be shooting ourselves in the foot by not using 802.3at power in these buildings.
    If channel bonding is disabled and the upper two MCS rates (using 800ns guard interval) of 117 and 130 are disabled, then I'm looking at maximum MCS rate of 104 Mbit/s compared to 270 Mbit/s with 802.3at with channels bonded in the 5GHz range.

  • 802.1X with Guest vlan support IOS version ???

    I don't know which IOS version supports 802.1X with Guest VLAN for Catalyst 2950 and 3550 switches.
    Please reply to my question.

    Thanks for your help.
    Also, the Cisco web page explains it, except for Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3,
    but I can't understand it. My site is using Catalyst 2950 SI for 802.1X and guest VLAN in IOS image 12.1(22)EA3
    ex) TW_14F_A_C2950_32.8#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    Model number: WS-C2950-24
    Please reply to my question.

  • Wired 802.1x with PEAP

    I have managed to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single sign-on can be achieved.
    Setup:
    C3750 switch - Cisco ACS 3.2 - Windows AD
    Sequence of events:
    1. 802.1x machine authentication
    2. User logs in to domain
    3. 802.1x with user credentials
    But, I have the following issues:
    i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?
    ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
    Any solution for this?
    Tks

    2 issues here:
    * Cached credentials for Microsoft supplicants. Microsoft's authentication strategy in general reflects this, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, I would recommend another supplicant.
    * Failed authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do (this can be verified by a sniffer trace or debugs). Corresponding logs on RADIUS would help as well.

  • 802.1x with Vlan assignment and IP phone and PC

    I have a Catalyst 4510R and I want to implement 802.1x with dynamic VLAN assignment via RADIUS server. I am going to plug Cisco IP phones and PCs into switch ports (PCs are plugged into the IP phone).
    For this implementation I need to configure the switch port in mode trunk because I have voice vlan corresponding IP phone and data vlan corresponding to PC.
    However I have read that I can not enable 802.1x on a trunk port.
    How could I configure this?
    I need that when the PC is authenticated correctly it is assigned to its corresponding data VLAN and the IP phone is in the voice VLAN.
    Thanks

    You should configure the port as an access port with an aux-vlan. Here's an example:
    interface GigabitEthernet2/2
    switchport access vlan 701
    switchport mode access
    switchport voice vlan 702
    load-interval 30
    qos trust device cisco-phone
    qos trust cos
    auto qos voip cisco-phone
    dot1x pae authenticator
    dot1x port-control auto
    tx-queue 3
    bandwidth percent 33
    priority high
    shape percent 33
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy output autoqos-voip-policy
    Hope this helps,
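A small config audit for the situation raised in this thread and in the "802.1x with alcatel phone" thread further down (phone plus PC behind it, 802.1x not allowed on a trunk port). This is an added example, not code from the reply or from Cisco; the two interface blocks are constructed samples, the first modelled on the access-port-plus-voice-VLAN configuration recommended above, the second the trunk-port variant the check should reject.

```python
import re

# Constructed samples: the recommended access port with a voice VLAN, and a
# trunk-mode variant of the kind the original poster was trying to use.
ACCESS_PORT = """interface GigabitEthernet2/2
 switchport access vlan 701
 switchport mode access
 switchport voice vlan 702
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
 spanning-tree bpduguard enable
"""

TRUNK_PORT = """interface GigabitEthernet2/3
 switchport mode trunk
 switchport trunk native vlan 701
 dot1x pae authenticator
 dot1x port-control auto
"""


def split_interfaces(config):
    """Map each interface name to the list of commands beneath it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line.strip():
            interfaces[current].append(line.strip())
    return interfaces


def check_dot1x_phone_port(commands):
    """Return the problems found on a port meant to authenticate a phone and a PC behind it."""
    cmds = set(commands)
    problems = []
    if "dot1x port-control auto" not in cmds:
        problems.append("802.1x not enforced (dot1x port-control auto missing)")
    if "switchport mode trunk" in cmds:
        problems.append("802.1x cannot be enabled on a trunk port; use switchport mode access")
    elif "switchport mode access" not in cmds:
        problems.append("switchport mode access missing")
    if not any(c.startswith("switchport voice vlan ") for c in cmds):
        problems.append("no voice VLAN: phone and PC would share the data VLAN")
    if "spanning-tree bpduguard enable" not in cmds:
        problems.append("bpduguard missing on an edge port")
    return problems


def audit(config):
    """Run the check over every interface in a config; returns {interface: [problems]}."""
    return {name: check_dot1x_phone_port(cmds)
            for name, cmds in split_interfaces(config).items()}
```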

  • 802.1x with the 6901 IP Phones

    Hello Experts,
    We are testing 802.1x with the 6901 IP Phones. We can see "EAP Session Timeout" in the ACS logs, and can see that the EAP username used by the phone is CP-6901-SEPB8BEBF220041.
    However, the following issues are stopping us from deploying it fully.
    How to enter a password in the IP Phone, since it does not have an LCD screen?
    We tried the IVR option, but it gives a PIN as an option. Is this PIN used as the password for 802.1x authentication?
    Do we use any default password for this to work?
    Thanks in advance for the help.
    Regards
    Ronak Patel

    Overall, you need to try and deal with the fact that a machine can disappear from the network and the network may not know about it directly (i.e. Link doesn't go down).
    I have no idea what other phones do, but Cisco phones send an EAPOL-Logoff when something is unplugged. This lets the switch know directly, and 1X session start is torn down immediately, closing what would be a security hole.
    Fundamentally, re-auth is a workaround only, and this is not the reason to enable re-auth to begin with.
    If your phone doesn't send an EAPOL-Logoff in this case, the switch might be left thinking an attack is underway when someone else tries to plug in (with presumably a different MAC). You do NOT want this to occur.
    Hope this helps,

  • 802.1x authentication switch and AD

    Hello,
    I want to know if Cisco has solved the problem (MD5) between ACS and Active Directory?? Because I want to configure 802.1x on a switch and it will integrate with Active Directory (database).
    The solution is:
    Switch <--> ACS (Authentication) <--> AD (Database)
    Also I want to know if there is any solution other than the NAC Appliance that can use 802.1x integrated with AD in a switch infrastructure??
    Best Regards

    I have hit the same challenge, where I need to authenticate the users against AD and I don't want to use the local CiscoSecure Database in ACS. For hundreds of users, there is no way I'm going to manage a database in ACS for user access. I have to manage the users in AD. I opened a case with Cisco and MS-CHAP is not supported by Cisco ACS, as I was provided this URL link:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/o.html#wpxref846
    Additionally, I was directed to the URL: http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K24308566
    I'm so stuck...there has to be way to use IEEE 802.1x with an external database such as LDAP.

  • Lwapp capwap AP to act as a supplicant on a 802.1x enabled switch port

    Hi
    All our switchports are configured to validate the connected device with 802.1x.
    However, when a wireless access point that is running FlexConnect is connected, I have to make a "mac bypass" for the AP MAC address and add the multihost command to the port config.
    I would really like to move away from the mac bypass, but keep the multihost command, and install a certificate on the AP. Does anyone have any ideas about how to get the AP itself to authenticate?

    Hi,
    The AP can act as an 802.1x supplicant if it is connected to an 802.1x enabled switch port.
    Cisco unified APs, however, support only EAP-FAST as the EAP method.
    Here is a config example, hope it'll be useful.
    http://goo.gl/HMbiHL
    Regards,
    Amjad

  • 802.1x with VLAN assignment on Catalyst 2950T-48-SI

    I will really appreciate if you can confirm me if the C2950T-48-SI will support the following features.
    - IEEE 802.1x with VLAN assignment
    - SSHv2
    - SNMPv3
    The data sheet for the Cisco Catalyst 2950 Series Switches with Standard Image mentions all the above and more features for the 2950T-48-SI, but at the same time the PowerPoint presentation (Cisco Catalyst 2950 Series Switches) and the Software Advisor tool say that those features are only supported with the Enhanced Image.
    If those features are supported by the Standard Image, would you please also inform me of the last IOS version supported.
    Thanks a lot.

    SSH isn't available on the SI version of the 2950 as you require the Crypto features and these are not available for the SI (the documentation is a little vague here but trust me I have upgraded one and it doesn't like it...). The documentation says 'Switches that support only the SI cannot run the cryptographic image.'
    802.1x with VLAN assignment is available only in the latest IOS - or at least since 12.1(22).
    SNMPv3 is supported.
    HTH
    Andy

  • 802.1x with AD support via ACS 4

    Hello ,
    I have been trying to configure 802.1x authentication on a test switch. Authentication will be provided by the ACS server. This worked when I had the client set up for EAP-MD5 and had local user accounts on the ACS server. However, this is impractical if we were to deploy this on a large scale. How can I configure 802.1X authentication to occur via the ACS with the ACS looking at the AD database? The trouble is AD does not support EAP-MD5. It supports PEAP, but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake".
    Has anyone here set up 802.1x with AD integration via ACS 4.0? Please help.
    Thanks.
    Karthik

    Hi Karthik,
    The SSL handshake will fail in our experience for any of the following reasons:
    - The supplicant cannot access the private key corresponding to its certificate - check that the system account has permissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys
    - The ACS server does not trust the Root Certificate for the PKI that issued the supplicant's certificate - Is the supplicant's Root CA present in the ACS Certificate Trust List?
    - CRL checking is enabled and the CRL has expired or is inaccessible
    If you up the logging levels to full and examine the csauth log closely you should get more detail as to the reason
    Hope that helps
    Andy

  • 802.1x with alcatel phone with cisco acs 5.0

    Hi All, has anyone done an implementation of 802.1x with Alcatel phones where the PC is behind the phone and the Cisco switch ports are configured as trunks? The trunk native VLAN is the data VLAN for the PC and the trunk carries the voice VLAN.
    When trunk mode is enabled I cannot configure 802.1x on the trunk interface. Can anyone help me get out of this situation?
    Thanks

    Hi,
    Did you find any solution? Did you try the command switchport voice vlan?
    Regards,
    Mauricio

  • WoL over 802.1X with VLAN Assignment

    Hello
    I have a switch 3560, and an ACS v4
    In the test phase I have an infrastructure with 802.1X PEAP with automatic VLAN assignment by the ACS according to the machine.
    My question is:
    Is it possible to implement Wake On LAN on 802.1x with non-static VLAN assignment (i.e. without using the command switchport access vlan XXX)?
    PS: if I set the VLAN statically on a port, Wake On LAN works without problem with 802.1X.

    Ok, on interface 0/19 :
    Switchport mode access
    speed 100
    duplex Full
    dot1x pae authenticator
    dot1x port-control auto
    dot1x control-direction in
    spanning-tree portfast
    The software use is like "wolcmd" with configuration of
    MAC address of the PC
    IP of the PC (give by DHCP reservation)
    Subnet mask
    Remote port Number : 7
    The authentication on ACS works fine and on ACS we have these fields:
    [064] Tunnel-Type
    value : VLAN
    [065] Tunnel-Medium-Type
    Value : 802.
    [Tunnel-Private-Group-ID]
    Value : 69
    In fact, the only difference between the configs is static or dynamic assignment of the VLAN.
    I don't know if this is what you want.
    thanks

  • 871 802.1x with vlan assignment aka dynamic vlan

    You can do VLAN assignment on 871W wireless using the local RADIUS server but unfortunately only LEAP, which is N.G.
    I have been pounding on wired 802.1x PEAP (which works) trying to get VLAN re-assignment. Have tried with IAS, which I am using to do VLAN reassignment with the WLC, so I have the idea of how it works with IAS. With 871, no go. Have also tried ACS for RADIUS with the same results: can't escape the switchport's VLAN. With debug radius local you can see the tunnel attributes for reassignment plainly, but with debug radius with IAS or ACS, nada.
    Using 12.4(6)T advanced IP.
    I have just seen that 12.4(4)CX2 has "802.1x with vlan reassignment" but the download is MIA. Wonder what's up with that?
    Has anybody got this to work? Any info much appreciated
    Greg Turner


  • How to switch off web cam?

    Hello
    Does anybody know how to switch off web cam? It interferes me when I touch it with my mouse accidentally.
    Thanks

    Hi roxol,
    > It interferes me when I touch it with my mouse accidentally
    I'm a little bit confused about this. How can you touch it with the mouse?
    Furthermore, your posting is not very detailed. I miss some important information about your notebook and OS.
    At the moment I can only say that you should reinstall the webcam driver. The newest version can be found on the Toshiba website.

  • Catalyst Express 500 802.1q with non-Cisco Phones

    This weekend we spent hours trying to get 802.1q tagging to work on a VLAN with ShoreTel phones. The user interface on this switch seems to only allow "Cisco-Voice" VLAN, without any specifics. This didn't work. The specs on this switch say that the .1q is supported, but we couldn't figure it out. The more expensive switches were easier to configure for Voip QoS.
    Can anyone advise me on the tricks to getting this to work with the lower end Catalyst Express 500? Or does this switch only support 802.1q with Cisco phones?

    Cisco IP Phones use CDP to let the IP phone know what VLAN it's supposed to be in (via voice-vlan). ShoreTel would definitely not use CDP since CDP is Cisco proprietary, so its voice VLAN must be defined on it; I remember Avaya being the same way. So, having said that, just make sure that the ShoreTel IP phones are in the right VLAN. What does not work anyway? ShoreTel IP phone will not come up? Will not get its configuration from its software PBX? Use the smartport configuration on the CE500.
