AAA configuration on switches 2960

Hi
I have introduced the following AAA configuration on the 2950 series switches and it works very well,
but when I do the same on 2960 switches, the local password does not work and it is obligatory to add the switch to the ACS to have management of the switch.
Is some additional AAA configuration needed on 2960 switches?
Thanks.
tacacs-server host y.y.y.y
tacacs-server key xxxxx
aaa new-model
aaa authentication login acceso-consola group tacacs+ line
aaa authentication login acceso-telnet group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line con 0
exec-timeout 0 0
login authentication acceso-consola
line vty 0 4
login authentication acceso-telnet

Maria
Perhaps some clarification of your environment might help us. In particular it would help to understand how you produce the "without ACS" environment.
Clearly the switch is still configured for ACS. And clearly there is connectivity from the switch to the ACS. And the ACS is responding to the authentication request from the switch. I am not sure what the errno 254 represents or what on the ACS server causes it. Perhaps you can help us understand that?
I had a situation at one point that may have been similar to your situation. Our devices were sending requests to ACS. But ACS was not able to communicate with the external DB because one of the services on ACS was not running. ACS responded with an error indicating unable to process. But the IOS devices were not interpreting that as an error that should send them to the backup authentication method.
If you are stopping something on the ACS server then I would suggest that a better test would be to break IP connectivity between the switch and the ACS so that the switch receives no response to its request, or to change the configured IP address for the server in the switch and point to some device not running ACS so that the switch receives a port unreachable response to its request. Those would give you a better test of without ACS.
HTH
Rick
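An added example (not from the original thread) that models the fall-through rule Rick is describing: in IOS, a later method in an aaa authentication login list is only consulted when the previous method returns an ERROR (no usable answer from the server), never when it returns a FAIL. The Python below parses the method lists from Maria's posted config and evaluates them under three assumed server behaviours; the PASS/FAIL/ERROR outcomes are constructed inputs, not captured TACACS+ responses, and the "every method errored" case is simplified to a reject.

```python
"""Model of how an IOS AAA login method list falls through its methods.

Simplified model of documented IOS behaviour: a method that answers PASS or
FAIL is final; only ERROR (server unreachable / no response) moves the
switch on to the next method in the list.  Added example, not Cisco code.
"""
import re

# Constructed sample: the AAA lines from the original post, as one string.
SAMPLE_CONFIG = """\
tacacs-server host y.y.y.y
tacacs-server key xxxxx
aaa new-model
aaa authentication login acceso-consola group tacacs+ line
aaa authentication login acceso-telnet group tacacs+ line
aaa authentication enable default group tacacs+ enable
"""

AUTH_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def parse_method_lists(config):
    """Return {(kind, list_name): [method, ...]} from 'aaa authentication' lines.

    'group tacacs+' / 'group radius' are kept as a single method token.
    """
    lists = {}
    for line in config.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        tokens = rest.split()
        methods = []
        i = 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(kind, name)] = methods
    return lists


def evaluate(methods, outcomes):
    """Walk a method list; outcomes maps method -> PASS/FAIL/ERROR.

    Returns (decision, method_that_decided).  'none' always passes, as in
    IOS; a method missing from outcomes is treated as ERROR (no answer).
    """
    for method in methods:
        result = PASS if method == "none" else outcomes.get(method, ERROR)
        if result == PASS:
            return ("accept", method)
        if result == FAIL:
            return ("reject", method)
        # ERROR: nothing decided, try the next method in the list
    # Every method errored: nobody authenticated the user (simplified).
    return ("reject", None)


def scenarios():
    """Evaluate the telnet list from the sample config under assumed server behaviour."""
    telnet = parse_method_lists(SAMPLE_CONFIG)[("login", "acceso-telnet")]
    return {
        # ACS down / unreachable: TACACS+ errors, the line password decides.
        "acs_unreachable": evaluate(telnet, {"group tacacs+": ERROR, "line": PASS}),
        # ACS reachable but answering FAIL (or an error IOS treats as one):
        # the line password is never consulted.
        "acs_rejects": evaluate(telnet, {"group tacacs+": FAIL, "line": PASS}),
        # ACS reachable and accepting.
        "acs_accepts": evaluate(telnet, {"group tacacs+": PASS, "line": FAIL}),
    }


if __name__ == "__main__":
    for name, (decision, by) in scenarios().items():
        print(f"{name}: {decision} (decided by {by})")
```

With the server unreachable the line method is reached; with the server reachable and answering FAIL, the line password is never tried, which is the "local password does not work" symptom once the switch has a live ACS. Whether a particular ACS-side failure comes back to IOS as ERROR or FAIL is exactly what Rick proposes to isolate by breaking connectivity to the server.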

Similar Messages

  • AAA authentication on switch

    We are configuring 802.1x for wired clients. ISE is our AAA server. While configuring, I came across 3 different command sets:
    1) radius-server host  <primary aaa server> auth-port 1812 acct-port 1813 
        radius-server host  <secondary aaa server> auth-port 1812 acct-port 1813 
        radius-server key <shared_key>
    2) aaa group server radius < RADIUS group name>
         server <Primary Radius Server IP> auth-port 1812 acct-port 1813
         server <Secondary Radius Server IP> auth-port 1812 acct-port 1813
    3)  aaa server radius dynamic-author 
         client <Primary Server> server-key <radius_key>
         client <Secondary Server> server-key <radius_key>
    Now, we already created the aaa server group in step 2.
    What is the significance of step 3? If I don't add the clients under dynamic-author, what effect will it have on the overall configuration? Will CoA in posture be affected due to this?
    Thanks,
    Aditya

    Hello Aditya-
    The commands in step #3 configure the NAD (In your case the switch) to accept CoA (Change of Authorization) which is used for 802.1x based network authentications. If you are only interested in configuring the switch for device administration then you don't need those commands, however, if you are planning on deploying 802.1x then you do need them. For more info check out this link:
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html
    Thank you for rating helpful posts!

  • AAA on 3750 switch

    How to disable AAA on a 3750 switch which has got screwed up due to the tacacs-server key command missing in an older configuration? I believe ROMMON mode will not work...

    Hi ,
    I believe you are able to log in to the switch. If that is the case then issue these commands:
    no tacacs-server host [ip]
    no tacacs-server key [key]
    no aaa authentication login default group tacacs+ local
    no aaa authorization exec default group tacacs+ if-authenticated
    no aaa authorization commands 1 default group tacacs+ if-authenticated
    no aaa authorization commands 15 default group tacacs+ if-authenticated
    no aaa authorization config-commands
    If you have accounting also, do the same. And finally
    no aaa new-model
    But in case you are not able to log in to the box using tacacs or local login then you need to do password recovery.
    Thanks,
    Jagdeep

  • Cisco Switches (2960 Series) Management

    We are managing these devices using HP OpenView Network Node Manager (Ver. 7.5) on HP-UX platform.
    What are the known problems, limitations on its initial discovery and on later stages of managing the same ?

    The Cisco Catalyst 2960 Series supports the Cisco IOS LAN BASE software image. This software image is a rich suite of intelligent services that is also available in a crypto image at no additional charge.
    Cisco Network Assistant also offers centralized management and configuration of Cisco switches and other Cisco devices such as routers and wireless access points. With Cisco Network Assistant, in addition to configuring multiple switches at a time, you can configure Cisco wireless access points, and invoke the Device Manager on Cisco routers and access points. Cisco Network Assistant can be downloaded (available at no cost).
    This URL should help you:
    http://www.cisco.com/en/US/products/ps5931/index.html

  • How to connected mgmt port on switch 2960 -XR

    Hi guys,
    I need technical support to resolve an issue with some 2960-XR switches and their MGMT ports installed on our infrastructure.
    I'd like to reach them via an SSH connection to manage them from a remote station (my PC); some guides found on the Internet suggested using an external hub/switch and a dedicated PC for that, like this:
    |SW1 mgmt port|------|H|
    |SW2 mgmt port|------|U|-------- PC
    |SW3 mgmt port|------|B|
    I've also tried to patch the mgmt port to a port tagged with a management VLAN but it didn't work.
    I ask you if there is a way to reach the switches using the mgmt port without using another external SW; thanks in advance for your support.

    Our network is hybrid, we have Cisco Sw and IBM Sw.
    For the IBM solution the configuration of the mgmt port is in-band (data) and uses an interface called IP2; by assigning an IP address to it we can manage the Sw via SSH. In this case we've created a dedicated VLAN 15 and assigned IP 10.10.10.15/24 to the interface IP2.
    On Cisco Sw the only ways I know are either to create a dedicated VLAN with an IP or to use out-of-band, but in this case I have to use an external Sw.
    Which is the best solution to have the management port on Cisco Sw without using out-of-band?
    thanks

  • TACACS for AAA on Cisco Switch

    I have configured our switches for TACACS authentication; however, it does not seem to be working. I know it is trying, as if I remove the secondary login option (local) I am denied access completely, but I see no log on the ACS server. Any ideas? Oh, and this is going across an any-to-any VPN.

    Can you log into your switch and turn on debug aaa authentication and debug tacacs?
    Then go ahead and issue a test aaa group.. command to test the authentication. Do you see it timing out? Are you using a source interface for this traffic? Is that source interface inside the LAN-to-LAN interesting traffic?

  • Port-channel configuration 3560X and 2960S

    Hello,
    I am trying to connect a 2960 switch to a 3560X using a port channel. I have configured the switches with the following configuration and connected them with a straight Ethernet cable; the link came up and then it went into err-disable state. I re-enabled the links and connected them using one crossover cable; it connected and remained connected for a whole day in my lab. When I shut down both switches, took them to the server room and connected both ports using a crossover cable, it came up and then went into err-disable state. Below is my configuration; can you please point out to me what I am missing? (No VTP domain is configured on any of the switches.)
    ------------------2960 configuration----------------------
    interface Port-channel1
    switchport trunk native vlan 999
    switchport mode trunk
    interface GigabitEthernet1/0/51
    switchport trunk native vlan 999
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet1/0/52
    switchport trunk native vlan 999
    switchport mode trunk
    channel-group 1 mode on
    ------------------3560X configuration-------------------------------
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 999
    switchport mode trunk
    interface GigabitEthernet0/23
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 999
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet0/24
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 999
    switchport mode trunk
    channel-group 1 mode on
    Thank you.

    Hi,
    Your config looks good and a straight-through cable should work just fine. Can you do the following:
    take the interfaces out of the portchannel
    shut the portchannel
    shut the interfaces
    add the interfaces to the portchannel
    "no sh" the PO and test again?
    This should bring up the interface and the portchannel
    HTH

  • ASA 5505 8.4. How to configure the switch from the backup channel to the primary with a delay (e.g., 5 min) using the SLA?

    I have an ASA 5505 running 8.4. How do I configure the switch from the backup channel to the primary with a delay (for example 5 min) using the SLA monitor?
    Or is there something else to implement it with?
    My configuration for SLA monitor:
    sla monitor 123
     type echo protocol ipIcmpEcho IP_GATEWAY_MAIN interface outside_cifra
     num-packets 3
     timeout 3000
     frequency 10
    sla monitor schedule 123 life forever start-time now
    track 1 rtr 123 reachability

    Hey cadet alain,
    thank you for your answer :-)
    I have deleted all such attempts that were not working, so a packet-trace will not be very useful content...
    Here is the log line when I try to browse port 80 from outside (80.xxx.xxx.180:80) without a VPN connection:
    3  Nov 21 2011  18:29:56  77.xxx.xxx.99  59068  80.xxx.xxx.180  80  TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80
    The attached file is only the show running-config
    Now I can connect with my AnyConnect clients too, but after the connection is up, my VPN clients can't surf the web any longer because AnyConnect serves as the default route on 0.0.0.0 ... that's bad, too.
    Actually the AnyConnect and NAT/ACL problems are my last two open problems until I set up the second ASA on the right ;-)
    Regards.
    Chris

  • "Server either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned" error driving me nuts!

    OK; I have been trying to set up a test VM-based RDS deployment for a few days now with no luck.
    This error mentioned above:
    "Server <server name> either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned" is driving me nuts!
    I have removed and re-added the RD Virtualization Host role numerous times, each time having the "create a virtual switch" checkbox selected, but it did NOT create any virtual switch.
    I created the external virtual switch manually and tried to create the desktop collection again, no luck with the same error.
    A few questions:
    1. You don't assign an IP to a switch! You assign an IP to network interfaces. Why does the error put it like this?! It is technically wrong. (Yeah yeah, I know all about how you'd assign an IP to managed switches in the real world to telnet into them and manage them;
    you know better than me that it is not the case here!)
    2. The RDS Virtualization hosts are using their WiFi card as the card for the virtual switch. Could that be the reason? I even disabled their unplugged wired NIC just to make sure that the WiFi is the only available option for the RDS wizard to use for the
    virtual switch creation; but it didn't use it and it didn't create any virtual switch automatically.
    3. If the WiFi NIC is indeed the reason, is it your suspicion or is there an official document somewhere stating so (that the WiFi NICs on virtualization hosts are not supported as the hub for a virtual switch)?
    4. What are the properties of the virtual switch the RDS requires? Does it have to be external? Why can't it work even with my manually created external switch?
    5. How would I fix it?
    P.S.: the environment is made up of 2 laptops with Windows 2012 R2 trial installed on them, using their WiFi to connect to the outside world. No cable is plugged into their wired NIC.

    Hi,
    Thank you for posting in Windows Server Forum.
    The simplest short-term solution was to connect each computer to a small switch that had no other connectivity. This brought up the link light on the external NIC and allowed the creation of the collection to complete. You need to use an external switch. You
    can create one external switch, which might fix the problem.
    Please check the article below for information.
    VDI Deployment Error About Virtual Switch
    In addition, please refer to this article for information regarding virtual switches.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Need help with AAA configuration

    I am trying to configure AAA on my network devices. I am using TACACS+ with an ACS (3.2) server. I have set up two user groups in the ACS server, one with enable privileges and one without. I am able to get the AAA configuration to work when telnetting into the devices. However, when logging into the console port, the user group with enable privileges does not go directly into enable mode as the telnetted users do. How to fix this?

    Hi,
    You will need to use the following command :-
    aaa authorization console
    This command will not show up in the help.
    Regards,
    Vivek
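An added example that is not from any of these threads: a small Python lint for three AAA pitfalls raised on this page. It flags a tacacs-server host with no shared key (the 3750 thread), a login method list with nothing behind the server group (the lockout that ends in Jagdeep's "password recovery"), and exec/command authorization configured without aaa authorization console (Vivek's point above, reported as informational since it may be intended). The sample config is constructed from the first post's 2960 configuration with the key line removed and one list's fallback dropped; the check names and severities are this example's own choices.

```python
"""Lint an IOS-style AAA configuration for pitfalls discussed in these threads.

Added example, not Cisco tooling.  Checks:
  1. 'tacacs-server host' present but no shared key (global or per-host).
  2. An 'aaa authentication login' list whose only methods are server groups,
     so an unreachable server leaves no way in.
  3. Exec/command authorization configured but 'aaa authorization console'
     absent, so console sessions are not authorized (informational).
"""
import re

# Constructed sample: the first post's config, minus 'tacacs-server key',
# with the telnet list's 'line' fallback removed.
SAMPLE_CONFIG = """\
tacacs-server host y.y.y.y
aaa new-model
aaa authentication login acceso-consola group tacacs+ line
aaa authentication login acceso-telnet group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
line con 0
 login authentication acceso-consola
line vty 0 4
 login authentication acceso-telnet
"""

# Methods that can decide a login without a reachable server.
LOCAL_FALLBACKS = {"local", "local-case", "line", "enable"}
LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")


def lint_aaa(config):
    """Return a list of (severity, message) findings; empty list means clean."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    # 1. TACACS+ host without any shared key.
    hosts = [l for l in lines if l.startswith("tacacs-server host")]
    global_key = any(l.startswith("tacacs-server key") for l in lines)
    per_host_key = all(" key " in h for h in hosts) if hosts else False
    if hosts and not (global_key or per_host_key):
        findings.append(("error", "tacacs-server host configured without a shared key"))

    # 2. Login lists that depend entirely on a server group.
    for l in lines:
        m = LOGIN_RE.match(l)
        if not m:
            continue
        name, methods = m.group(1), set(m.group(2).split())
        if "group" in methods and not (methods & LOCAL_FALLBACKS):
            if "none" in methods:
                findings.append(("warning",
                    f"login list '{name}' falls back to 'none': no authentication once the server errors"))
            else:
                findings.append(("error",
                    f"login list '{name}' has no local fallback; an unreachable server locks you out"))

    # 3. Authorization configured but not applied to the console.
    has_authz = any(l.startswith("aaa authorization exec") or l.startswith("aaa authorization commands")
                    for l in lines)
    if has_authz and "aaa authorization console" not in lines:
        findings.append(("info",
            "authorization configured but not applied to the console (no 'aaa authorization console')"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_aaa(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a saved "show running-config" to get the three classes of finding; a config with a per-host key and a local method behind every group returns an empty list.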

  • Switch 2960-x

    I want to know if this model (WS-C2960X-48TS-LL) of the 2960-X switch with LAN Lite supports DHCP server?

    Hi!
    I don't think an L2 access switch will act as a DHCP server, but you can check it here (based on IOS ver.):
    http://tools.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp
    Feature info: search for: DHCP server / view image-detail.
    P.S. Strange, it shows DHCP SERVER even with the LAN Lite IOS. Probably Feature Navigator is not the best source.
    Have a nice day,
    Dmitry

  • Could I configure local switching between sub-interface and global interface on ASR9k?

    Could I configure local switching between sub-interface and global interface on ASR9k?

    For 2 interfaces it is probably best to use an xconnect. It is faster and saves system resources (e.g. MAC learning doesn't apply to xconnect).
    Config example:
    l2vpn
     xconnect group link
      p2p link
       interface Bundle-Ether100.4321
       interface Bundle-Ether500.4321
    EFP config:
    interface Bundle-Ether100.4321 l2transport
     encapsulation dot1q 4000
     rewrite ingress tag pop 1 symmetric
    interface Bundle-Ether500.4321 l2transport
     encapsulation dot1q 2000
     rewrite ingress tag pop 1 symmetric
    This example shows that you can link 2 EFPs with different VLANs together if you pop the tags.
    If the EFPs are on the same VLAN, popping the tag can be done but is not a must. In general it is recommended to always pop VLAN tags so there is a standard EFP design, but not for any technical reason.
    When you use a bridge domain with a BVI, you MUST pop the tags, as the BVI has no notion of a VLAN tag and wants to see "plain Ethernet".
    regards
    xander

  • AAA on 2960G switch

    I am trying to get a new 2960G to work with TACACS. After adding it to the TACACS server and restarting the services I still do not get prompted for a user name. What gives?
    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authentication login localport line
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization exec localport none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    tacacs-server host 192.xxx.xxx.xxx
    tacacs-server directed-request
    tacacs-server key 7 xxxxxxxxxxxxxxxxx
    radius-server source-ports 1645-1646

    Joel
    I see the aaa configuration includes the default method list and a localport method list. Can you clarify what uses the localport method list? Make sure that your access attempts are not using this, since that would mean that they are using local authentication and not TACACS.
    There are a couple of things to check which may help figure out the problem.
    Can you verify connectivity from the 2960G to the TACACS server? It does not appear that you have specified the source address in the config, so you should determine which address the 2960G is using to get to the TACACS server and do an extended ping specifying the server as destination and specifying the source interface for the ping as whatever is the source for the TACACS packets.
    Are the TACACS requests getting to the server? Can you check in the logs on the server and see if it recognizes the request? If you look in the failed attempts report do you see these requests? If so there should be an indication of why it failed. Common problems are requests coming from a source address different from what is configured for the device on the TACACS server or mismatched values for the shared key between the server and the device.
    Please check on these and let us know what you find.
    HTH
    Rick

  • Packets input or output in switch 2960

    Hi all,
    How do I see the packets input or output of one port on a Catalyst 2960 switch? Thank you!

    Thanks for your answer.
    I have some problems involving the Cisco Catalyst 2960 Switch.
    I am using a device which includes a Marvell PHY chip 88E1111. The device can send and receive PTP packets to and from my PC.
    Now, I want to connect the device and the PC to the Cisco Catalyst 2960 Switch, which will help me trace all of the packets in the network. The test scenario is below:
    - Switch: Cisco Catalyst 2960
    - Tracer: Wireshark software
    - PC: Windows 7 64-bit, plugged into Switch port 1 (interface 1)
    - Device: FPGA board, plugged into Switch port 2 (interface 2),
    operating mode: 1000Mbps, full duplex, no auto-negotiation, no auto power efficient-ethernet.
    - Interface 2 of the Switch is statically set to the device's MAC
    address, which ensures the Switch knows the device's MAC.
    I have suffered a problem. Although the RJ45 TX status LEDs are on, no packets are sent to the Switch. I have no idea in this case.
    Could you give me some advice please.

  • Switch 2960 http

    Warm greetings, I need to administer or enable the 2960 switch by HTTP. Could somebody send the steps to do this activity?
    My email is [email protected]
    thank you very much,
    John Jairo Osorio

    conf t
      ip http server
    end
    wr
