AAA and 3560 Switch + CNA
Hi
Has anyone got this to work?
CNA. (Cisco Networks Assistants) and AAA (Tacacs+) on a 3560 switch.
I can't get the CNA to work in this setup, but it works fine together with 3500XL and 3550 series switches, with the same parameters.
This is the AAA config:
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default enable group tacacs+ none
aaa authorization exec default group tacacs+ local
aaa authorization exec no_tacacs none
aaa authorization commands 15 default group tacacs+ if-authenticated local
aaa authorization commands 15 no_tacacs none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip http server
ip http authentication aaa
Hi
No. I get the prompt for username and password, and hit enter. Then nothing happens. It looks like it's trying to build the network, but it never finishes. I know it works without the AAA statements, but I can't live with that.
Similar Messages
-
Private vlans and 2960 and 3560 switch
Hi, I have a 3560 switch that supports private VLANs. There are a few computers connected to it and private VLANs work fine. Now I need to connect a 2960 switch to the 3560 switch. The 2960 seems to have no private VLAN configuration options, but it can be a private VLAN edge? What is private VLAN edge? If I put the computers on the 2960 into a VLAN that is an isolated VLAN on the 3560, will the computers be able to communicate with each other at layer 2 on the 2960 switch?
Example: I have network 10.0.0.0/24. The network's primary VLAN is 2001, the isolated VLAN is 2002 and the community VLAN is 2003. These settings are on the 3560. So if I put computers on the 2960 switch into VLAN 2002 and make the ports protected ports, they will act as isolated ports and they can't communicate with ports that are on isolated VLAN 2002 on the 3560???
Can I also use the community VLAN on the 2960? Is this possible, because VLANs 2002 and 2003 would be on the same network??? -
Two 2911 routers and 3560 switches (load balancing and redundancy)
Good day, Sir !
I have a hierarchical model: two 2911 routers, two 3560 core switches, and two providers.
I want to design a redundancy scheme. Can you advise me on how best to do it? Here you can find an image with the topology; can you say whether it is a good idea to connect the devices in this way?
Hoping for your help! Thank you!!!
Hi,
If you want to configure redundancy in your network on the LAN you can use HSRP, and from the WAN side, depending on the connection with the provider, you can use either BGP or any IGP.
If you want to have load balancing as well as redundancy, you can define a different HSRP group for different VLANs, and on the WAN with BGP you can use the multipath option, or with an IGP you can manipulate the route metric.
Thanks & Regards
Sandeep -
Configuration of GBIC on 2950 and 3560 switches
Can someone please advise how to configure a "GBIC T Base Port" on a 2950 switch. I have two of them and would like to load share and provide redundancy. All documentation that I am aware of does not indicate that they support EtherChannel configuration.
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface interface-id
Specify a physical interface to configure, and enter interface configuration mode.
Valid interfaces include physical interfaces.
Up to eight interfaces of the same type and speed can be configured for the same group.
Step 3
switchport mode {access | trunk}
switchport access vlan vlan-id
Assign all interfaces as static-access ports in the same VLAN, or configure them as trunks.
If you configure the interface as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
Step 4
channel-group channel-group-number mode
{{auto [non-silent] | desirable [non-silent] | on} | {active | passive}}
For more detail see Etherchannel configuration Guide:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swethchl.htm -
Setting 3550 and 3560 Switches to Non-Negotiate
On some of the older models of the 3550 switches I was able to set the SFP interface to non-negotiate. I no longer see that command in the documentation. Does it still exist?
Hello,
Do you have access to any of the switches in question? You can always use the context help under the interface
(config-if)#switchport ?
On my 3550 the nonegotiate is an option.
HTH
Regards,
James -
Etherchannel between stack switches[3750] and standalone switch[3560]
Hi,
I have 2*3750 switches in a stack as core and 1*3560 switch in the access layer. I want to enable EtherChannel between the stack switches [3750A & 3750B] and the 3560 switch.
I have connected 2 links from the 3560 switch to the stack switch, one link to 3750A and the other link to 3750B. Will it work this way as per my requirement?
Or should I enable stacking on the 3560 switch too and configure cross-stack EtherChannel between the 3750 stack and a 3560 stack? I referred to a few Cisco documents, but the cross-stack EtherChannel configuration example has 3750s at both end stacks.
Rgds...
VikramS
Hi,
This should work fine as per your setup; the 3750 stack will be acting as one switch, which means that the EtherChannel configuration should be straightforward. There is no need to stack the 3560 for this to work; also, the 3560s are not stackable.
Hope this helps. -
Dacl on ACS 5.1 and Catalyst switch 3560
Dear all
I have ACS 5.1 and a Catalyst 3560 switch with version 12.2(53)SE. I configured a dACL on the ACS and I use it in an authorization profile.
This authorization profile is used in an access policy.
I tried the authentication but it doesn't work. I checked the ACS logs and I found that the user is authenticated successfully but the dACL gives this error (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected)
Steps:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11025 The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
11003 Returned RADIUS Access-Reject
DACL:
deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
permit ip any any log
Thanks in advance,
Dear Tiago
I applied the command "radius-server vsa send". Now I can see the dACL is applied, but I can't see it on the switch, and even though the authentication succeeded in the ACS logs it gives me unauthorized on the switchport. You can see the logs (it started with the username acstest and the access-list is applied but it doesn't work, and you can see that it goes to MAB after EAP timed out). I hope you can help with this issue.
Dec 13,10 10:29:00.513 AM
00-23-AE-7A-58-A6
00-23-AE-7A-58-A6
Default Network Access
Lookup
Dot1x-3560-Switch
1.2.3.4
FastEthernet0/5
TESTACS
22056 Subject not found in the applicable identity store(s).
Dec 13,10 10:28:29.186 AM
#ACSACL#-IP-Guest-4cfcc14d
Dot1x-3560-Switch
1.2.3.4
TESTACS
Dec 13,10 10:28:28.726 AM
acstest
00-23-AE-7A-58-A6
Default Network Access
PEAP (EAP-MSCHAPv2)
Dot1x-3560-Switch
1.2.3.4
FastEthernet0/5
TESTACS
Thanks, -
DHCP and voice vlan on Cisco 3560 switch
Greetings,
I'm setting up a Cisco 3560 switch for voice and data comms. I'm looking for documentation with best practice guidelines for the following requirements.
1. Using the Cisco 3560 as a DHCP server - config examples. Do I need to use different subnets for the voice and data VLANs?
2. Layer 2 CoS QoS - I'm connecting Aastra phones as well as notebooks. I've been told that Aastra also makes use of the voice VLAN config through LLDP and that Aastra phones support CDP.
Your assistance will be appreciated.
Hi,
Cisco recommends that you have separate VLANs for voice and data with different IP subnets for voice and data. You will need to configure the DHCP pools accordingly.
Here is the config guide for setting up IOS DHCP server:
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html
Here is the LAN qos recommendations:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/netstruc.html#wp1044009 -
Hi All,
Where do I configure primary AAA and secondary AAA at ISE?
According to deployments guide Fig 1-6. Dispersed Deployment
http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf
If we are using AD.. then AAA solution is RODC?
Thanks,
John
Hello,
Yes, you can also use a Cisco Catalyst 3560 to configure AAA and RADIUS. You can configure MAB, Dot1X and CWA.
Please refer to below link which might help you.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html -
Cable interconnecting Cat. 3550 and 3560
What would be an appropriate cable for connecting the 3550 Catalyst and the 3560?
The 3550 has 2 GBIC ports, while the 3560 has 4 SFP module slots. Can the Cisco Catalyst 3560 Series switches support the GigaStack® or StackWise technology?
A. The Cisco Catalyst 3560 switches do not support the Cisco GigaStack Technology on the Catalyst 3550, 2950G, and 3500 XLs or the Cisco StackWise technology available on the Catalyst 3750. However, a cluster of any combination of these platforms can be managed via a single IP address using the Cisco Network Assistant (CNA) software. There are more details on CNA later in this document. -
Can we use a mixture of 3550 and 3560 in a daisy chain? What I mean is:
1. If I want to connect 4 switches in a daisy chain, can two of them be 3550s and the other two be 3560s?
2. If I have 2 3550s in a daisy chain, can I add one more 3560 to the same chain?
It may be more beneficial to aggregate 3 of the switches to one via the GB/SFP ports.
ie:
switch1-3560 >> switch2
switch1-3560 >> switch3
switch1-3560 >> switch4
having correctly sized ports for aggregated bandwidth will be required.
you can also perform daisy chaining as you've asked. -
Embedded Event Manager on Cisco 3560 switch
Can someone help me please? I have EEM configured on a Cisco 3560 switch. The configuration is below. I want the switch to inform me through email when a device with a particular IP address becomes unavailable. For some reason this configuration is not good and I can't tell why. I already tried to debug this with debug event manager action mail but didn't see any output.
ip sla 11
icmp-echo ip address
frequency 20
ip sla schedule 11 life forever start-time now
event manager applet device-TEST
event snmp oid 1.3.6.1.4.1.9.9.42.1.2.9.1.6.11 get-type exact entry-op lt entry-val "2" poll-interval 20
trigger occurs 5 period 120
action 02.0 mail server "ip address" to "[email protected]" from "[email protected]" subject "device is down"
The mail part looks good, I'm not sure you are hitting the trigger right.
Why not do a track on the ip sla instead of the snmp stuff?
Here's a good example of that.
https://learningnetwork.cisco.com/blogs/network-sheriff/2009/06/19/writing-your-first-eem-applet -
WLC Flexconnect with AAA and MAC authentication
hi,
I have a Cisco WLC with version 7.4.121, and I have remote-site access points to be connected to this controller; the remote access points will have a different VLAN on the remote side itself.
My question is: I have RADIUS authentication for the clients connecting from all the access points, and MAC filtering also.
My RADIUS server is placed in the HQ where we have the WLC. Which method of FlexConnect switching will give me both AAA and MAC filter options working?
One more question:
Is it possible to have separate MAC filters per AP on the WLC?
Thanks
cyril
If you are planning on doing machine authentication, i.e. authentication of the machine with username/password by the AAA server, then this is possible using FlexConnect local switching, provided you have your AAA server accessible via the local VLAN at the remote site.
In case you are planning on doing MAC filtering using the WLC and username/password authentication using the AAA server, then this cannot be achieved when you enable FlexConnect local switching, as you do not get an option to configure MAC filtering on FlexConnect groups. Hence you would need to use central authentication.
Actually the best option for you is to either deploy a local-site AAA server and do both authentications via your RADIUS server, or use central authentication with FlexConnect APs in case this is not feasible.
Hope this clears your doubts!!!
Note: Please do not forget to rate and accept as solution incase the post is valid. -
MAC Addressess not showing on my new 3560 switch
I have a Cisco 3560 (Switch B) switch I just introduced into my network. The gigabit ports are trunked from another switch (Switch A) to a Cisco 6509 WS (Main Switch).
crpf4bsw3#show cdp neighbors
Device ID Local Intrfce Holdtme Capability Platform Port ID
crpf4bsw2.mdch.com
Gig 0/1 124 S I WS-C3560-4Gig 0/4
crpcorsw1.mdch.com
Gig 0/4 127 R S I WS-C6509-EGig 2/8
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,19,124,150,160,164,168,224
switchport mode trunk
mls qos trust dscp
spanning-tree link-type point-to-point
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,19,124,150,160,164,168,224
switchport mode trunk
mls qos trust dscp
spanning-tree link-type point-to-point
The trunk ports are working just fine. I have configured all necessary remote management with no issues. However, my access ports are not working. I have set them up exactly the same as the adjacent switch A and it works just fine, but the same configuration on the new switch has not been able to pull IP information. I have provided information as to how the switch access ports are configured on both Switch A (working) and Switch B (not working). I should note that I tried this with a Cisco 7940 phone and it got stuck on "configuring IP" then I tried it with my laptop and it pulled a 169 IP address. Both were direct connections into switch B. When I run a show mac-address-table, neither device shows up in the table. Only the gig port MACs. Any thoughts? Please let me know if you need any more information.
interface FastEthernet0/3
switchport access vlan 124
switchport mode access
switchport voice vlan 224
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
Hi Mike,
It looks like you're guiding me in the right direction. I did a "show port security interface fa0/2" on the new switch and nothing was out of the ordinary, with the exception of the 0 MAC addresses learned. But then I did a "show spanning tree vlan 224". Here's what I found:
Switch A (existing switch):
crpf4bsw2#show spanning-tree vlan 224
VLAN0224
Spanning tree enabled protocol rstp
Root ID Priority 4096
Address 0012.44cc.68e0
Cost 8
Port 1 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32992 (priority 32768 sys-id-ext 224)
Address 0013.60aa.7400
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
Gi0/1 Root FWD 4 128.1 P2p
Fa0/1 Desg FWD 19 128.3 Edge P2p
Fa0/2 Desg FWD 19 128.4 Edge P2p
Fa0/3 Desg FWD 19 128.5 Edge P2p
Fa0/4 Desg FWD 19 128.6 Edge P2p
Fa0/5 Desg FWD 19 128.7 Edge P2p
Fa0/6 Desg FWD 19 128.8 P2p Peer(STP)
Interface Role Sts Cost Prio.Nbr Type
Fa0/7 Desg FWD 19 128.9 Edge P2p
Fa0/8 Desg FWD 19 128.10 Edge P2p
Fa0/9 Desg FWD 19 128.11 Edge P2p
Fa0/10 Desg FWD 19 128.12 Edge P2p
Fa0/11 Desg FWD 19 128.13 Edge P2p
Fa0/12 Desg FWD 19 128.14 Edge P2p
Fa0/13 Desg FWD 19 128.15 Edge P2p
Fa0/15 Desg FWD 19 128.17 Edge P2p
Fa0/19 Desg FWD 19 128.21 Edge P2p
Fa0/20 Desg FWD 19 128.22 Edge P2p
Gi0/4 Desg FWD 4 128.28 P2p
Fa0/29 Desg FWD 19 128.33 Edge P2p
Fa0/30 Desg FWD 19 128.34 Edge P2p
Fa0/31 Desg FWD 19 128.35 Edge P2p
Fa0/32 Desg FWD 19 128.36 Edge P2p
Fa0/33 Desg FWD 19 128.37 Edge P2p
Fa0/34 Desg FWD 19 128.38 Edge P2p
Fa0/35 Desg FWD 19 128.39 Edge P2p
Fa0/37 Desg FWD 19 128.41 Edge P2p
Fa0/38 Desg FWD 19 128.42 Edge P2p
Fa0/39 Desg FWD 19 128.43 Edge P2p
Fa0/40 Desg FWD 19 128.44 Edge P2p
Fa0/41 Desg FWD 19 128.45 Edge P2p
Interface Role Sts Cost Prio.Nbr Type
Fa0/42 Desg FWD 19 128.46 Edge P2p
Fa0/43 Desg FWD 19 128.47 Edge P2p
Fa0/44 Desg FWD 19 128.48 Edge P2p
Fa0/45 Desg FWD 19 128.49 Edge P2p
Fa0/46 Desg FWD 19 128.50 Edge P2p
Switch B (new switch):
Spanning tree instance(s) for vlan 224 does not exist.
So with this new information, and with my trunk configurations above, what did you mean by a disconnect on the trunk? -
AAA configuration on switches 2960
Hi
I have introduced the following AAA configuration in the 2950 series switches and it works very well,
but when I do the same in 2960 switches, the local password does not work and it is obligatory to introduce the switch into the ACS to have management of the switch.
Is some additional AAA configuration needed on the 2960 switches?
Thanks.
tacacs-server host y.y.y.y
tacacs-server key xxxxx
aaa new-model
aaa authentication login acceso-consola group tacacs+ line
aaa authentication login acceso-telnet group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line con 0
exec-timeout 0 0
login authentication acceso-consola
line vty 0 4
login authentication acceso-telnet
Maria
Perhaps some clarification of your environment might help us. In particular it would help to understand how you produce the "without ACS" environment.
Clearly the switch is still configured for ACS. And clearly there is connectivity from the switch to the ACS. And the ACS is responding to the authentication request from the switch. I am not sure what the errno 254 represents or what on the ACS server causes it. Perhaps you can help us understand that?
I had a situation at one point that may have been similar to your situation. Our devices were sending requests to ACS. But ACS was not able to communicate with the external DB because one of the services on ACS was not running. ACS responded with an error indicating unable to process. But the IOS devices were not interpreting that as an error that should send them to the backup authentication method.
If you are stopping something on the ACS server, then I would suggest that a better test would be to break IP connectivity between the switch and the ACS so that the switch receives no response to its request, or to change the configured IP address for the server in the switch and point it to some device not running ACS so that the switch receives a port unreachable response to its request. Those would give you a better test of "without ACS".
HTH
Rick
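Rick's point above, and the first thread on this page (the 3560 + CNA config), both come down to how IOS walks a method list: the next method is consulted only when the previous one is unavailable (the TACACS+ server does not answer), never when it answers with a reject, and a list that ends in `none` lets the session through once everything before it is unavailable. The linter below is an added example written for this page, not code from Maria, Rick, or Cisco. It parses the two AAA configurations quoted on this page (embedded here as constructed sample input, the first one being the excerpt from the CNA thread) and reports method lists that end in `none`, lists that depend on a server group with no local fallback, and, as information, where the local fallback actually kicks in.

```python
import re

# The two configurations quoted on this page, embedded as sample input.
CONFIG_3560_CNA = """\
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default enable group tacacs+ none
aaa authorization exec default group tacacs+ local
aaa authorization exec no_tacacs none
aaa authorization commands 15 default group tacacs+ if-authenticated local
aaa authorization commands 15 no_tacacs none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip http server
ip http authentication aaa
"""

CONFIG_2960 = """\
tacacs-server host y.y.y.y
tacacs-server key xxxxx
aaa new-model
aaa authentication login acceso-consola group tacacs+ line
aaa authentication login acceso-telnet group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
line con 0
 login authentication acceso-consola
line vty 0 4
 login authentication acceso-telnet
"""

# Methods that do not need an AAA server to answer.
NON_SERVER_FALLBACKS = {"local", "local-case", "enable", "line", "if-authenticated"}


def parse_method_lists(config):
    """Return {(kind, name): [methods]} for every aaa authentication/authorization line.

    kind is e.g. 'authentication login' or 'authorization commands 15'; each method is a
    string such as 'group tacacs+', 'local', 'enable', 'none' or 'if-authenticated'."""
    lists = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "aaa" or tokens[1] not in ("authentication", "authorization"):
            continue
        if tokens[1] == "authorization" and tokens[2] == "commands":
            kind, name, rest = f"authorization commands {tokens[3]}", tokens[4], tokens[5:]
        else:
            kind, name, rest = f"{tokens[1]} {tokens[2]}", tokens[3], tokens[4:]
        methods, i = [], 0
        while i < len(rest):
            if rest[i] == "group":              # 'group <server-group>' is one method
                methods.append(f"group {rest[i + 1]}")
                i += 2
            else:
                methods.append(rest[i])
                i += 1
        lists[(kind, name)] = methods
    return lists


def lint_aaa(config):
    """Return (severity, message) findings for the method lists in an IOS AAA config."""
    findings = []
    for (kind, name), methods in parse_method_lists(config).items():
        label = f"aaa {kind} {name}"
        server_groups = [m for m in methods if m.startswith("group ")]
        fallbacks = [m for m in methods if m in NON_SERVER_FALLBACKS]
        if methods == ["none"]:
            findings.append(("high", f"{label}: 'none' only; every session using this list is "
                                     "let through unchecked, tolerable only as a console break-glass list"))
        elif methods[-1] == "none":
            findings.append(("high", f"{label}: ends in 'none', so when the earlier methods are "
                                     "unavailable the switch grants access without any check"))
        if server_groups and not fallbacks and methods[-1] != "none":
            findings.append(("medium", f"{label}: depends on {server_groups[0]} with no local "
                                       "fallback; management lockout if the server is unreachable"))
        if server_groups and fallbacks and methods[0] in server_groups:
            findings.append(("info", f"{label}: '{fallbacks[0]}' is consulted only when "
                                     f"{server_groups[0]} does not answer (server unreachable), "
                                     "not when it returns a reject"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("3560 + CNA", CONFIG_3560_CNA), ("2960", CONFIG_2960)):
        print(f"== {label} ==")
        for severity, message in lint_aaa(cfg):
            print(f"[{severity}] {message}")
```

On the 2960 configuration the linter produces only informational lines, which matches Rick's diagnosis: nothing is wrong with the fallback, it simply does not apply while the ACS is reachable and answering. On the 3560 configuration it flags `aaa authentication enable default enable group tacacs+ none` and the two `no_tacacs ... none` authorization lists; those are only defensible if the `no_tacacs` lists are bound to the console line alone and the `enable` list is never left to fall through to `none` on a vty.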