Assign IP by Radius
Hello,
I need that the Radius Server (Radiator) assign an IP address to the client that connects to one AP1100 (IOS 12.2).
Although the Radius log shows that the IP address is sent to the client, the client doesn't accept the IP.
** Sending to 172.29.3.1 port 21672 ....
Code: Access-Accept
Identifier: 242
Authentic: <181>&r<1>|<128><9><220><212><134>Y<241><235><146>_u
Attributes:
User-Name = "[email protected]"
Framed-IP-Address = 172.28.1.220
Framed-IP-Netmask = 255.255.0.0
Tunnel-Type = 1:VLAN
Tunnel-Medium-Type = 1:Ether_802
Tunnel-Private-Group-ID = 1:100
The TCP/IP config of the client Wireless LAN tries to obtain the IP in automatic mode.
Is a special configuration necessary on the AP so that Radius can assign the IP address to the client?
Thanks,
Nuno.
Hi a_vazquez
I am having a similar problem. My setup is with Cisco AP 1200 (2.4 + 5.0 GHz) and a FUNK SBR radius server. The setup is in a lab scenario as we are at the design stage.
The client (HP notebook with W400 wireless card) is configured for LEAP authentication and dynamic WEP via the radius server.
My problem is that the SBR radius server assigns an IP address to the client, but the client does not seem to get the IP address. The SBR shows in its configuration and also in a sniffer trace that it has assigned an IP address, yet the client does not receive it.
One thing I noticed in the sniffer trace is "unknown attribute 79, 80 and 88". Apart from that I can't see what's stopping the IP address from getting to the client.
A static IP address on the client works fine and we have full connectivity with all devices.
Can someone help please???
Thanks
Ali
Similar Messages
-
SSL VPN IP Address Assignment from IAS radius server
Can I use SSL VPN IP address assignment from an IAS radius server? It can be done with an ACS server. Are there some differences between ACS and IAS?
Hi,
I would suggest setting up a sniffer capture with ACS and looking for the attribute that ACS sends for IP address assignment; once you know the attribute, apply it on the IAS.
If you have any questions, do not hesitate to contact me. -
Cisco-assign-ip-pool RADIUS VSA is an integer?
Hi all,
I'm trying to configure IP pool selection by RADIUS on ACS 5-3-0-40-7.
So, I went to configuring the cisco-assign-ip-pool (Cisco VSA 218) attribute within some test authorization profile but discovered that cisco-assign-ip-pool is an integer (?!) and (therefore) accepts digits only.
As far as I can remember, we used to put pool *names* within ip:addr-pool (something along those lines: cisco-avpair = "ip:addr-pool=test-pool-1").
So how should we configure the values for this attribute in ACS 5?
If your NAS is "RADIUS (Cisco IOS/PIX)" it will use a Cisco-AVPair attribute with "ip:addr-pool=poolname" inside it.
If your NAS is just about any other RADIUS type, it will use attribute 88, Framed-Pool.
Use the dictionary Radius-Cisco and then select cisco av-pair in the radius authorization profile.
After that configure:
ip:addr-pool=poolname
The pool should be defined on the device itself like ASA. The ACS will only push the name of it.
Jatin Katyal
- Do rate helpful posts - -
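An added example, not code from any of the posts above, that builds, verifies and decodes a RADIUS Access-Accept carrying the attributes these threads turn on: Nuno's Framed-IP-Address and Framed-IP-Netmask with the tagged Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple, the three attributes Ali's sniffer listed as unknown (79 EAP-Message, 80 Message-Authenticator, 88 Framed-Pool), and the two pool selectors from Jatin's answer (IETF Framed-Pool versus the Cisco-AVPair vendor-specific attribute). The shared secret, the Request Authenticator and the user name are constructed values. The decoder performs the two checks a correct NAS performs before acting on a reply: the Response Authenticator (RFC 2865) binds the reply to the request and the shared secret, and the Message-Authenticator (RFC 3579) is the HMAC-MD5 that must accompany EAP exchanges. A reply that fails either check is dropped.

```python
"""Added example (not code from this thread): build, verify and decode a RADIUS
Access-Accept (RFC 2865/2868/2869/3579). SECRET, REQUEST_AUTH and the user
name are constructed values."""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"testing123"            # constructed shared secret
REQUEST_AUTH = bytes(range(16))   # constructed Request Authenticator of the Access-Request
ACCESS_ACCEPT = 2
CISCO, CISCO_AVPAIR = 9, 1        # IANA enterprise number 9; Cisco-AVPair is vendor-type 1
NAMES = {1: "User-Name", 8: "Framed-IP-Address", 9: "Framed-IP-Netmask",
         26: "Vendor-Specific", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
         79: "EAP-Message", 80: "Message-Authenticator",
         81: "Tunnel-Private-Group-ID", 88: "Framed-Pool"}

def attr(t, value):
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", t, 2 + len(value)) + value

def tagged(t, tag, value):
    """RFC 2868 tagged attribute: a tag byte (0x01-0x1F), then a 3-byte integer or the string."""
    v = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return attr(t, bytes([tag]) + v)

def cisco_avpair(text):
    """Vendor-Specific (26): 4-byte Vendor-Id, then Vendor-Type / Vendor-Length / string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(26, struct.pack("!I", CISCO) + sub)

def build_accept(ident, attrs, secret=SECRET, request_auth=REQUEST_AUTH):
    """Message-Authenticator (RFC 3579 3.2): HMAC-MD5 keyed with the secret over
    Code+ID+Length+RequestAuth+Attributes with its own 16 bytes zeroed; then
    Response Authenticator (RFC 2865 3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs) + attr(80, bytes(16))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def decode_value(t, v):
    if t in (8, 9):
        return str(ipaddress.IPv4Address(v))
    if t in (64, 65):                       # (tag, integer)
        return v[0], int.from_bytes(v[1:4], "big")
    if t == 81:                             # RFC 2868 3.6: a first byte above 0x1F is data, not a tag
        tag, s = (v[0], v[1:]) if v and v[0] <= 0x1F else (0, v)
        return tag, s.decode("latin-1")
    if t == 26:                             # (vendor, vendor-type, value)
        if len(v) < 6:
            raise ValueError("short VSA")
        vendor, vt, vl = struct.unpack("!IBB", v[:6])
        return vendor, vt, v[6:4 + vl].decode("latin-1")
    return v.decode("latin-1") if t in (1, 88) else v

def parse_accept(pkt, secret=SECRET, request_auth=REQUEST_AUTH):
    """Verify both authenticators, then return {attribute name: [values]}.
    A reply built with the wrong secret, or altered in flight, is rejected."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        raise ValueError("bad code or length")
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    raw, pos, mac_at = [], 0, None
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        t, l = body[pos], body[pos + 1]
        if t == 80:
            mac_at = pos + 2
        raw.append((t, body[pos + 2:pos + l]))
        pos += l
    if mac_at is None:                      # mandatory whenever EAP-Message is present (RFC 3579 3.2)
        raise ValueError("Message-Authenticator missing")
    zeroed = body[:mac_at] + bytes(16) + body[mac_at + 16:]
    expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, body[mac_at:mac_at + 16]):
        raise ValueError("Message-Authenticator mismatch")
    out = {}
    for t, v in raw:
        out.setdefault(NAMES.get(t, t), []).append(decode_value(t, v))
    return out

def demo_packet():
    """Nuno's attribute set (address, netmask, tagged VLAN triple) plus the two
    pool selectors from Jatin's answer: IETF Framed-Pool and Cisco-AVPair."""
    return build_accept(242, [
        attr(1, b"nuno@example.org"),                           # constructed user name
        attr(8, ipaddress.IPv4Address("172.28.1.220").packed),
        attr(9, ipaddress.IPv4Address("255.255.0.0").packed),
        tagged(64, 1, 13),                                      # Tunnel-Type 13 = VLAN
        tagged(65, 1, 6),                                       # Tunnel-Medium-Type 6 = IEEE-802
        tagged(81, 1, "100"),                                   # VLAN 100
        attr(88, b"test-pool-1"),
        cisco_avpair("ip:addr-pool=test-pool-1"),
    ])
```

Running `parse_accept(demo_packet())` returns the decoded attribute list; passing a different secret or a packet with one flipped byte raises instead. Two caveats the decoder makes visible: everything in an Access-Accept is an instruction to the NAS, never something delivered to the end station, so whether Framed-IP-Address or Framed-Pool has any effect depends entirely on what that NAS implements; and a sniffer sees all of these attributes in clear, since RADIUS only obfuscates User-Password, so a capture like the one Nuno pasted is the right place to confirm what the server actually sent.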
802.1x authentication with dynamic VLAN assignment by a radius server
Hi
At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.
When a student logs in, I want it to be placed in the "Students" VLAN, when an Administrative employee logs in, I want it to be placed in the "Administrative" VLAN and when the client is unknown I want to place it in the "Guest" VLAN.
I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
What does work:
- If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
- When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized".
So far so good.
But what doesn't work:
- it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
- I can not find the Guest VLAN.
Any help would be appreciated.
Hi Wouter,
Can you see the VLAN attribute in the Radius Access-Accept message in the packet capture? Also please ensure you have the latest firmware and boot code:
http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
I would recommend you open a ticket with the Small Business team so they can go with you through the packet capture and configuration steps:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
Regards,
Aleksandra -
ASA 5505 VPN Group Policies (RADIUS) and tunnel group
I have a single ASA firewall protecting a small private development network, and I need it in order to access remotely two distinct network spaces, both of which are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
I'd like to set up AnyConnect to land on LAN 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass whichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries).
Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
Session Type: WebVPN
Username : kaisaron78 Index : 1
Public IP : 172.16.0.3
Protocol : Clientless
License : AnyConnect Premium
Encryption : Clientless: (1)RC4 Hashing : Clientless: (1)SHA1
Bytes Tx : 518483 Bytes Rx : 37549
Group Policy : RemoteAC Tunnel Group : DefaultWEBVPNGroup
Login Time : 10:59:33 CEDT Mon Aug 18 2014
Duration : 0h:00m:23s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a801fa0000100053f1c075
Security Grp : none
Asa5505# sh vpn-sessiondb webvpn
Session Type: WebVPN
Username : manintra Index : 2
Public IP : 172.16.0.3
Protocol : Clientless
License : AnyConnect Premium
Encryption : Clientless: (1)RC4 Hashing : Clientless: (1)SHA1
Bytes Tx : 238914 Bytes Rx : 10736
Group Policy : SSLPolicy Tunnel Group : DefaultWEBVPNGroup
Login Time : 11:01:02 CEDT Mon Aug 18 2014
Duration : 0h:00m:05s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a801fa0000200053f1c0ce
Security Grp : none
As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
! ADDRESS POOLS AND NAT
names
ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_27
subnet 192.168.10.0 255.255.255.224
access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
! RADIUS SETUP
aaa-server OpenOTP protocol radius
aaa-server OpenOTP (inside) host 192.168.1.8
key ******
authentication-port 1812
accounting-port 1814
radius-common-pw ******
acl-netmask-convert auto-detect
webvpn
port 10443
enable outside
dtls port 10443
anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
anyconnect enable
! LOCAL POLICIES
group-policy SSLPolicy internal
group-policy SSLPolicy attributes
vpn-tunnel-protocol ssl-clientless
vlan 3
dns-server value 10.5.1.5
default-domain value management.local
webvpn
url-list value Management_List
group-policy RemoteAC internal
group-policy RemoteAC attributes
vpn-tunnel-protocol ikev2 ssl-client
vlan 1
address-pools value AnyConnect_Pool
dns-server value 192.168.1.4
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_Anyconnect
default-domain value home.local
webvpn
anyconnect profiles value AnyConnect_Profile_client_profile type user
group-policy SSLLockdown internal
group-policy SSLLockdown attributes
vpn-simultaneous-logins 0
! DEFAULT TUNNEL
tunnel-group DefaultRAGroup general-attributes
authentication-server-group OpenOTP
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group OpenOTP
tunnel-group VPN_Tunnel type remote-access
tunnel-group VPN_Tunnel general-attributes
authentication-server-group OpenOTP
default-group-policy SSLLockdown
!END
I had to set up DefaultWEBVPNGroup and DefaultRAGroup that way, otherwise I couldn't authenticate using radius (login failed every time). It seems that in ASDM the VPN_Tunnel isn't assigned to the AnyConnect nor to the Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM? I know I'm doing something wrong but I can't see where the problem is. I've been struggling with this since May 2nd, and I really need to finish setting this up ASAP!!!!
Any help will be more than appreciated.
Cesare Giuliani
Ok, it makes sense.
Last question, then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post? I mean, if I set up two tunnel groups instead of 1, one for AnyConnect with its own alias and its own URL, and one for SSL VPN again with its own alias and URL, do you think that using that attribute will place my users logging in into the correct tunnel group?
Thank you again for your precious and kind help, and for your patience as well!
Cesare Giuliani -
Hi Guys, I have been looking at the use of Cisco ACS server for VLAN assignment. So far I have searched through a number of threads and not found what I am looking for specifically, so here it goes.
1) When the RADIUS attributes have been configured in ACS (64, 65 + 81), and in my case I have them in the group configuration. For the VLANs to be assigned to the various users at their ports, will every VLAN name in the RADIUS settings have to be in the switches which are used for access?
2) Is there a limit to the number of VLANs that can be assigned by the RADIUS(IETF) portion of ACS or would it be better to use RADIUS(IOS/PIX)? I am thinking of about 15 VLANS.
I am using a Catalyst 4500 (IOS supervisor) and 2950s and 2970s at the closets.
Thanks for any help...
Kelvin
Access Control Lists.. I am thinking it is better to apply the ACLs at the closet (access) switches where I can specify the servers that should be reached by the hosts in my test VLAN and deny those which they should not.
I used a named extended ACL for my tests however, it did not go well. With the ACL below applied I cannot reach anything including the server I actually want to reach. My intention was to allow the hosts in the test VLAN 172.16.12.0/24 to reach 2 particular servers and their gateway however with the list applied I cannot reach anything at all. The setup is one 2950 connected to a 4507 the 2 VLANs I am working with are trunked to the 2950 and dhcp is running. I have IP routing enable on the 4507 and it is the server for the VTP domain.
ip access-list extended guest
permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1
permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254
permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53
deny ip any any
Any advice on how I can restrict the hosts which will be on this VLAN from accessing the rest of the network? -
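An added example, not code from Kelvin's post, that evaluates an IOS extended ACL with the wildcard-mask semantics the switch actually applies. IOS extended ACLs take wildcard masks, the bitwise inverse of subnet masks: a 0 bit must match, a 1 bit is "don't care". Written with 255.255.255.0, the source operand in the posted list only requires the last octet of the source address to be 0, so a real host such as 172.16.12.50 matches none of the permit entries and falls through to the deny. The matcher below runs the list as posted and the same list rewritten with 0.0.0.255 against constructed host addresses; it handles only the `any`, `host`, network/wildcard and `eq <port>` forms used in the post.

```python
"""Added example (not from the thread): evaluate an IOS extended ACL with the
wildcard-mask semantics the switch applies, so the posted list can be tested
offline. The host addresses passed to evaluate() are constructed."""
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'. It is the
    bitwise inverse of a subnet mask, which is why 255.255.255.0 in the posted
    list checks only that the last octet is 0."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)

def parse_ace(line):
    """'permit|deny <proto> <src> <dst> [eq <port>]' where src/dst is
    'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' (the subset used in the post)."""
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2

    def operand():
        nonlocal i
        if toks[i] == "any":
            i += 1
            return "0.0.0.0", "255.255.255.255"
        if toks[i] == "host":
            i += 2
            return toks[i - 1], "0.0.0.0"
        i += 2
        return toks[i - 2], toks[i - 1]

    src, dst = operand(), operand()
    port = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": port}

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

POSTED = [                      # the list from the post: subnet masks where wildcards belong
    "permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1",
    "permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254",
    "permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53",
    "deny ip any any",
]
CORRECTED = [                   # same intent, written with wildcard masks
    "permit ip 172.16.12.0 0.0.0.255 host 172.16.12.1",
    "permit ip 172.16.12.0 0.0.0.255 host 172.16.2.254",
    "permit udp 172.16.12.0 0.0.0.255 host 172.16.2.245 eq 53",
    "deny ip any any",
]

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, evaluate(acl, "tcp", "172.16.12.50", "172.16.12.1"),
              evaluate(acl, "udp", "172.16.12.50", "172.16.2.245", 53))
```

With the posted list every packet from 172.16.12.50 is denied, which is the behaviour described; with wildcard masks the two servers and the gateway are reachable and everything else is still dropped by the final deny. The same inversion cuts both ways: a mask typed as a wildcard where a subnet mask belongs can silently permit far more than intended, so testing an ACL against sample addresses before applying it is worth the minute it takes.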
Good morning everybody,
I am writing because I am not able to implement a desired outcome in our company network. In fact the situation is as follows:
What I want to do is to be able to authenticate users (802.1x authentication) in our company radius server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization have been working completely smoothly (there are no problems with that itself). The concept involves the configuration of both DATA and VOICE VLANs as there is also phone authentication implemented. In order to simulate this environment I introduce a Dumb switch connected to my Cisco 2960 Catalyst.
What I have successfully managed to get to work so far is this:
1) On one switch port I have tried the "authentication host-mode multi-domain" and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains: DATA and VOICE. Below is an output from show authentication sessions for this scenario.
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
show authentication sessions:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
What I want to get is an output like this:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
I want the switch to authenticate the users anytime they connect to itself and for them to have an instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked but, two users never had access to the “Internet” simultaneously!!!
The configuration of the interface connected to the Dumb switch is as follows.
interface FastEthernet0/x
description Connection to DUMBswitch
switchport mode access
switchport voice vlan XXX
switchport port-security maximum 10
switchport port-security
switchport port-security violation protect
authentication host-mode multi-auth
authentication priority dot1x
authentication port-control auto
authentication timer reauthenticate 4000
authentication violation replace
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
The way I see it is explained in the following steps:
- PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
- When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
Has anybody ever succeeded in such a configuration example? If yes, I would love to get some help in doing so.
Thank you
Stoimen Hristov
Hi Stoimen,
I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
From what I can see, you have 2 options available to you:
1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
Hopefully someone else will chime in with another option.
Xavier -
FlexConnect, EAP-TLS and dynamic VLAN assignments
I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
I have some questions:
- What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
- I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone use WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
- I read some documents saying L3 roaming is where the associated WLC has changed. However, if the user moves to a different subnet but is still associated to the same WLC, would this be considered L3 roaming too?
Can someone assist to clear my confusion here? Any reference URL for layer 2 and layer 3 roaming details is appreciated. Thanks
I'll give this a shot :)
For radius VLAN attributes, both ACS and ISE in the policies have the ability to just enter the VLAN id in the profile. You can either do that or use the IETF attributes.
The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
64 (Tunnel-Type) should be set to VLAN (Integer = 13)
65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
You can find this by searching on Google.... A lot of examples out there
v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
Layer 3 roaming is what's going to happen if the APs are in local mode. This means that the client will keep their IP address no matter what AP they are connected to and/or WLC, as long as the mobility group is the same. So a user who boots up on floor 1 will keep its IP address even if he or she roams to the 12th floor, as long as he or she didn't lose the wireless connection.
With FlexConnect you can do that. The APs are trunked and need to have the VLANs. So what you're trying to do will be disruptive to clients. When they roam to another floor AP that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
Hope this helps.
Sent from Cisco Technical Support iPhone App -
Authentication Host-Mode Multi-Auth not working
hi
In my lab environment I configured 802.1x with "Multi-Auth" mode for multiple clients on a single protected port to be authenticated against a Microsoft NPS AAA server.
Switch ports configured with Single-Host or Multi-Host options are working fine but "Multi-Auth" mode is not working. My hardware details and configurations are as follows
Catalyst Model = WS-C2960S-24TSL running IOS 12.2(55)SE2
Current configuration : 10423 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
aaa new-model
aaa group server radius NPS
server-private x.x.x.x auth-port 1645 acct-port 1646 key <removed>
aaa authentication dot1x default group NPS
aaa authorization network default group NPS
aaa session-id common
switch 1 provision ws-c2960s-24ts-l
authentication mac-move permit
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface GigabitEthernet1/0/1
switchport access vlan 5
switchport mode access
authentication order dot1x webauth
authentication priority dot1x webauth
authentication port-control auto
authentication timer reauthenticate 7200
authentication violation protect
dot1x pae authenticator
spanning-tree portfast
interface GigabitEthernet1/0/5
switchport access vlan 5
switchport mode access
switchport voice vlan 98
authentication host-mode multi-auth
authentication order dot1x mab webauth
authentication priority dot1x
authentication port-control auto
dot1x pae authenticator
interface GigabitEthernet1/0/7
switchport access vlan 5
switchport mode access
authentication host-mode multi-host
authentication order dot1x webauth
authentication priority dot1x webauth
authentication port-control auto
authentication timer reauthenticate 7200
authentication violation protect
dot1x pae authenticator
spanning-tree portfast
interface Vlan5
ip address x.x.x.x x.x.x.x
interface Vlan98
no ip address
radius-server vsa send accounting
radius-server vsa send authentication
end
My debug log for Authentication, dot1x and AAA is as follows.
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 98, data VLAN 5
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Setting domain ALL to UNATHED
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) host access set to 1 on GigabitEthernet1/0/5
*Mar 1 01:58:51.354: dot1x-ev(Gi1/0/5): Interface state changed to UP
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Enabling dot1x in switch shim
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) host access set to 1 on GigabitEthernet1/0/5
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) host access set to 1 on GigabitEthernet1/0/5
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Received clear security violation
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Received clear security violation
*Mar 1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Link UP
*Mar 1 01:58:51.360: AAA/BIND(00000004): Bind i/f
*Mar 1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Assigned AAA ID 0x00000004
*Mar 1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Retrieved Accounting Session ID 0x00000004
*Mar 1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Allocated new Auth Manager context (handle 0x83000002)
*Mar 1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Initialising Method dot1x state to 'Not run'
*Mar 1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Adding method dot1x to runnable list for Auth Mgr context 0x
*Mar 1 01:58:51.360: AUTH-EVENT: auth_mgr_idc_add_record: Recv audit_sid=0000000000000002006CD0E0
*Mar 1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Sending START to dot1x (handle 0x83000002)
*Mar 1 01:58:51.360: dot1x_auth Gi1/0/5: initial state auth_initialize has enter
*Mar 1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_initialize_enter called
*Mar 1 01:58:51.360: dot1x_auth Gi1/0/5: during state auth_initialize, got event 0(cfg_auto)
*Mar 1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_initialize -> auth_disconnected
*Mar 1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_disconnected_enter called
*Mar 1 01:58:51.360: dot1x_auth Gi1/0/5: idle during state auth_disconnected
*Mar 1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart
*Mar 1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_restart_enter called
*Mar 1 01:58:51.360: dot1x-ev(Gi1/0/5): Sending create new context event to EAP for 0x4100002D (0000.0000.0000)
*Mar 1 01:58:51.360: dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has enter
*Mar 1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_initialize_enter called
*Mar 1 01:58:51.360: dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has idle
*Mar 1 01:58:51.360: dot1x_auth_bend Gi1/0/5: during state auth_bend_initialize, got event 16383(idle)
*Mar 1 01:58:51.360: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_initialize -> auth_bend_idle
*Mar 1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_enter called
*Mar 1 01:58:51.360: dot1x-ev(Gi1/0/5): Created a client entry (0x4100002D)
*Mar 1 01:58:51.360: dot1x-ev(Gi1/0/5): Dot1x authentication started for 0x4100002D (0000.0000.0000)
*Mar 1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Received handle 0x4100002D from method
*Mar 1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Idle' to 'Running'
*Mar 1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Not run' to 'Running'
*Mar 1 01:58:51.360: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/5
*Mar 1 01:58:51.360: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0x4100002D
*Mar 1 01:58:51.360: dot1x_auth Gi1/0/5: during state auth_restart, got event 6(no_eapRestart)
*Mar 1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting
*Mar 1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_connecting_enter called
*Mar 1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_restart_connecting_action called
*Mar 1 01:58:51.360: dot1x-sm(Gi1/0/5): Posting RX_REQ on Client 0x4100002D
*Mar 1 01:58:51.365: dot1x_auth Gi1/0/5: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar 1 01:58:51.365: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authenticating
*Mar 1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authenticating_enter called
*Mar 1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_connecting_authenticating_action called
*Mar 1 01:58:51.365: dot1x-sm(Gi1/0/5): Posting AUTH_START for 0x4100002D
*Mar 1 01:58:51.365: dot1x_auth_bend Gi1/0/5: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar 1 01:58:51.365: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_idle -> auth_bend_request
*Mar 1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
*Mar 1 01:58:51.365: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
*Mar 1 01:58:51.365: dot1x-ev(Gi1/0/5): Role determination not required
*Mar 1 01:58:51.365: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 1 01:58:51.365: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
*Mar 1 01:58:51.365: EAPOL pak dump Tx
*Mar 1 01:58:51.365: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 1 01:58:51.365: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 1 01:58:51.365: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
*Mar 1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_request_action called
*Mar 1 01:58:53.352: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
*Mar 1 01:58:54.353: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up
*Mar 1 01:59:22.188: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x4100002D
*Mar 1 01:59:22.188: dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq)
*Mar 1 01:59:22.188: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request
*Mar 1 01:59:22.188: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_request_action called
*Mar 1 01:59:22.188: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
*Mar 1 01:59:22.188: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
*Mar 1 01:59:22.188: dot1x-ev(Gi1/0/5): Role determination not required
*Mar 1 01:59:22.188: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 1 01:59:22.188: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
*Mar 1 01:59:22.188: EAPOL pak dump Tx
*Mar 1 01:59:22.188: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 1 01:59:22.188: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 1 01:59:22.188: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
*Mar 1 01:59:53.016: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x4100002D
*Mar 1 01:59:53.016: dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq)
*Mar 1 01:59:53.016: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request
*Mar 1 01:59:53.016: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_request_action called
*Mar 1 01:59:53.016: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
*Mar 1 01:59:53.016: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
*Mar 1 01:59:53.016: dot1x-ev(Gi1/0/5): Role determination not required
*Mar 1 01:59:53.016: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 1 01:59:53.016: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
*Mar 1 01:59:53.016: EAPOL pak dump Tx
*Mar 1 01:59:53.016: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 1 01:59:53.016: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 1 01:59:53.016: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
*Mar 1 02:00:23.844: dot1x-ev(Gi1/0/5): Received an EAP Timeout
*Mar 1 02:00:23.844: dot1x-sm(Gi1/0/5): Posting EAP_TIMEOUT for 0x4100002D
*Mar 1 02:00:23.844: dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 12(eapTimeout)
*Mar 1 02:00:23.844: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_timeout
*Mar 1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_timeout_enter called
*Mar 1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_timeout_action called
*Mar 1 02:00:23.844: dot1x_auth_bend Gi1/0/5: idle during state auth_bend_timeout
*Mar 1 02:00:23.844: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_timeout -> auth_bend_idle
*Mar 1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_enter called
*Mar 1 02:00:23.844: dot1x-sm(Gi1/0/5): Posting AUTH_TIMEOUT on Client 0x4100002D
*Mar 1 02:00:23.844: dot1x_auth Gi1/0/5: during state auth_authenticating, got event 14(authTimeout)
*Mar 1 02:00:23.844: @@@ dot1x_auth Gi1/0/5: auth_authenticating -> auth_authc_result
*Mar 1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authenticating_exit called
*Mar 1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authc_result_enter called
*Mar 1 02:00:23.844: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID
*Mar 1 02:00:23.844: dot1x-ev(Gi1/0/5): Sending event (2) to Auth Mgr for 0000.0000.0000
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Received AUTHC_RESULT from dot1x (handle 0x83000002)
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authc Result: no-response
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Running' to 'Authc Failed'
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Running' to 'Authc Failed'
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Existing AAA ID: 0x00000004
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Received AAA ID 0x00000004 from method
*Mar 1 02:00:23.844: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
*Mar 1 02:00:23.844: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Sending AUTHZ_FAIL to dot1x (handle 0x83000002)
*Mar 1 02:00:23.844: dot1x-ev(Gi1/0/5): Received Authz fail for the client 0x4100002D (0000.0000.0000)
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Authc Failed' to 'Failed over'
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Sending DELETE to dot1x (handle 0x83000002)
*Mar 1 02:00:23.844: dot1x-ev(Gi1/0/5): Deleting client 0x4100002D (0000.0000.0000)
*Mar 1 02:00:23.844: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
*Mar 1 02:00:23.844: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) No more runnable methods
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Authc Failed' to 'No Methods'
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Building default attribute list for unresponsive client
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Signalling Authc fail for client 0000.0000.0000
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
*Mar 1 02:00:23.844: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'No Methods' to 'Authz Failed'
*Mar 1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Signalling Authz fail for client 0000.0000.0000
*Mar 1 02:00:23.849: AUTH-EVENT (Gi1/0/5) dot1x_switch_authz_fail: Called for GigabitEthernet1/0/5 and 0000.0000.0000
*Mar 1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
*Mar 1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
*Mar 1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
*Mar 1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
*Mar 1 02:00:23.849: AUTH-EVENT (Gi1/0/5) host access set to 1 on GigabitEthernet1/0/5
*Mar 1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Setting domain DATA to UNATHED
*Mar 1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
*Mar 1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
*Mar 1 02:00:23.849: AUTH-SYNC (Gi1/0/5) Syncing update for context (0000.0000.0000)
*Mar 1 02:00:23.849: AUTH-EVENT: Started Auth Manager tick timer
*Mar 1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Started 'restart' timer (60s) for client 0000.0000.0000
*Mar 1 02:00:23.849: dot1x-sm(Gi1/0/5): Posting_AUTHZ_FAIL on Client 0x4100002D
*Mar 1 02:00:23.849: dot1x_auth Gi1/0/5: during state auth_authc_result, got event 22(authzFail)
*Mar 1 02:00:23.849: @@@ dot1x_auth Gi1/0/5: auth_authc_result -> auth_held
*Mar 1 02:00:23.849: dot1x-ev:Delete auth client (0x4100002D) message
*Mar 1 02:00:23.849: dot1x-ev:Auth client ctx destroyed
*Mar 1 02:00:23.849: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
Multiauthentication Mode
Available in Cisco IOS Release 12.2(33)SXI and later releases, multiauthentication (multiauth) mode allows one 802.1X/MAB client on the voice VLAN and multiple authenticated 802.1X/MAB/webauth clients on the data VLAN. When a hub or access point is connected to an 802.1X port (as shown in Figure 60-5), multiauth mode provides enhanced security over the multiple-hosts mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentications, which allows different hosts to be authenticated through different methods on a single port.
Multiauth also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the data that the VSAs received from the authentication server.
Release 12.2(33)SXJ and later releases support the assignment of a RADIUS server-supplied VLAN in multiauth mode, by using the existing commands and when these conditions occur:
•The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
•Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
•A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
•The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
•After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
•The behavior of the critical-auth VLAN is not changed for multiauth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
NOTE:
•Only one voice VLAN is supported on a multiauth port.
•You cannot configure a guest VLAN or an auth-fail VLAN in multiauth mode.
For more information:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html -
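The debug output quoted in the thread above shows the messages an operator actually alerts on: %DOT1X-5-FAIL, %AUTHMGR-7-RESULT with 'no-response', %AUTHMGR-7-NOMOREMETHODS and %AUTHMGR-5-FAIL. The following is an added example, not code from the thread or from Cisco, that parses those syslog-style lines and turns them into per-port findings a defender would want (a port where every method was exhausted with no fallback, a client that never answered EAP-Request/Identity). The sample log is a constructed subset of the lines above; the regular expressions are assumptions about the message format shown there, not a documented Cisco schema.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the thread above.
SAMPLE_LOG = """\
*Mar 1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authc Result: no-response
*Mar 1 02:00:23.844: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID
*Mar 1 02:00:23.844: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
*Mar 1 02:00:23.844: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
*Mar 1 02:00:23.844: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
*Mar 1 02:00:23.844: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
"""

# Assumed message layout: %FACILITY-SEVERITY-MNEMONIC: free text (as seen above).
SYSLOG_RE = re.compile(r"%(?P<fac>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$")
CLIENT_RE = re.compile(r"client \((?P<client>[^)]*)\)")
INTF_RE = re.compile(r"Interface (?P<intf>\S+)")
SESSION_RE = re.compile(r"AuditSessionID\s*(?P<sid>[0-9A-Fa-f]+)?")
RESULT_RE = re.compile(r"result '(?P<result>[^']+)' from '(?P<method>[^']+)'")


def parse_line(line):
    """Parse one syslog-style line; plain debug lines (no %FAC-SEV-MNEM) return None."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    client = CLIENT_RE.search(msg)
    intf = INTF_RE.search(msg)
    sess = SESSION_RE.search(msg)
    res = RESULT_RE.search(msg)
    return {
        "facility": m.group("fac"),
        "severity": int(m.group("sev")),
        "mnemonic": m.group("mnem"),
        "client": client.group("client") if client else None,
        "interface": intf.group("intf") if intf else None,
        "session": sess.group("sid") if sess else None,   # may be empty, as in the DOT1X line
        "result": res.group("result") if res else None,
        "method": res.group("method") if res else None,
    }


def summarize(text):
    """Aggregate authentication/authorization events per interface."""
    ports = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["interface"] is None:
            continue
        p = ports.setdefault(ev["interface"], {
            "authc_failures": 0, "authz_failures": 0,
            "results": [], "methods_exhausted": False, "sessions": set()})
        if ev["session"]:
            p["sessions"].add(ev["session"])
        if ev["mnemonic"] == "FAIL" and ev["facility"] == "DOT1X":
            p["authc_failures"] += 1
        elif ev["mnemonic"] == "FAIL" and ev["facility"] == "AUTHMGR":
            p["authz_failures"] += 1
        elif ev["mnemonic"] == "RESULT" and ev["result"]:
            p["results"].append((ev["method"], ev["result"]))
        elif ev["mnemonic"] == "NOMOREMETHODS":
            p["methods_exhausted"] = True
    return ports


def findings(ports):
    """Turn the per-port counters into operator-facing findings."""
    out = []
    for intf, p in sorted(ports.items()):
        if p["methods_exhausted"]:
            out.append(f"{intf}: all authentication methods failed and no fallback "
                       "(MAB, web auth, guest VLAN) admitted the client")
        if any(r == "no-response" for _, r in p["results"]):
            out.append(f"{intf}: client never answered EAP-Request/Identity "
                       "(no supplicant, or EAPOL not reaching the port)")
    return out


if __name__ == "__main__":
    for f in findings(summarize(SAMPLE_LOG)):
        print(f)
```

The 'no-response' result is the useful signal here: the switch sent EAP-Request/Identity (the EAPOL Tx dump earlier in the debug) and timed out, so the problem is on the supplicant side rather than at the RADIUS server, and the NOMOREMETHODS message tells you the port has no MAB or web-auth fallback configured to catch such a host.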
802.1x Auth-Fail VLAN --- XP does not recognize
With Auth-Fail VLAN configured on Cisco 3550 the Switch successfully configures the port to the configured auth-fail vlan upon unsuccessful authentication. The PC even gets the IP address from DHCP.
However, the Windows XP network icon on the task bar continues to display as if it is trying to configure the network. The popup text displays "Attempting to authenticate" whereas the PC is fully connected and able to communicate on the network.
Any idea...????
I am performing machine authentication against MS AD. It does get an ip address from the authentication VLAN but not before minor delay...(have seen up to a minutes delay in some cases).
The following is working fine in my case:
Machine Authentication (S) ---> User Auth (S) then all is good.
Machine Auth (S) ---> User Auth (F) transition to Auth Fail VLAN
Machine Auth (F) ---> Machine is in AuthFail VLAN then User Auth (S) Machines transitions to correct access VLAN (or RADIUS assigned VLAN).
There are times when the behaviour is a bit variable in terms of VLAN assignment. Reading the IOS guide it makes sense if you are not assigning VLAN through RADIUS then switch sometimes tends to leave the port in the currently assigned VLAN, which depending on the port state (success/fail) could be the access VLAN or the AuthFail VLAN. -
802.1x per host authentication under one port with multi-host access by hub
Dear,
While multi-host connect to one port by hub, it seems that in multi-host mode, after one host passed the authentication, the port change state to up, and the other hosts do not need to authenticate any more. And in single host mode, only one host could access to the network under one port.
In the situation with multi-host access to one port by hub, is it possible that we could control per user access by authentication for each?
We did some test on 3550, it seems that the 3550 doesnot support what we need. And what about 4506?
Thanks!
Multiauthentication Mode
Available in Cisco IOS Release 12.2(33)SXI and later releases, multiauthentication (multiauth) mode allows one 802.1X/MAB client on the voice VLAN and multiple authenticated 802.1X/MAB/webauth clients on the data VLAN. When a hub or access point is connected to an 802.1X port (as shown in Figure 60-5), multiauth mode provides enhanced security over the multiple-hosts mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentications, which allows different hosts to be authenticated through different methods on a single port.
Multiauth also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the data that the VSAs received from the authentication server.
Release 12.2(33)SXJ and later releases support the assignment of a RADIUS server-supplied VLAN in multiauth mode, by using the existing commands and when these conditions occur:
•The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
•Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
•A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
•The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
•After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
•The behavior of the critical-auth VLAN is not changed for multiauth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
NOTE:
•Only one voice VLAN is supported on a multiauth port.
•You cannot configure a guest VLAN or an auth-fail VLAN in multiauth mode.
For more information:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html -
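The conditions for RADIUS-supplied VLAN assignment in multiauth mode, quoted from the Cisco guide in the two replies above, read as a small state machine: the first authorized host fixes the port's operational VLAN (the RADIUS VLAN if one is supplied, otherwise the configured access VLAN), later hosts are admitted only if they carry no VLAN or the same VLAN, and an unreachable server reinitializes everyone in the configured VLAN. The following is an added example, not code from the thread or from Cisco, that models those rules so you can check what a second host with a different VLAN would get; it covers the per-VLAN conditions only and treats VLAN-group assignment as out of scope, which is an assumption, not something the guide states.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class MultiauthPort:
    """Model of the VLAN-assignment rules quoted above (VLAN groups not modelled)."""
    access_vlan: int                          # VLAN configured on the port
    operational_vlan: Optional[int] = None    # VLAN the port is actually using
    hosts: Dict[str, int] = field(default_factory=dict)

    def authorize(self, mac: str, radius_vlan: Optional[int] = None) -> bool:
        """Apply the server-supplied VLAN for one host; True if the host is admitted."""
        if not self.hosts:
            # First host: a RADIUS VLAN becomes the operational VLAN,
            # otherwise the port stays in its configured access VLAN.
            self.operational_vlan = radius_vlan if radius_vlan is not None else self.access_vlan
            self.hosts[mac] = self.operational_vlan
            return True
        # Subsequent hosts: no VLAN, or the same VLAN, is accepted; anything else is denied.
        if radius_vlan is None or radius_vlan == self.operational_vlan:
            self.hosts[mac] = self.operational_vlan
            return True
        return False

    def server_unreachable(self) -> None:
        """Critical-auth behaviour: every authorized host is reinitialized in the configured VLAN."""
        self.hosts.clear()
        self.operational_vlan = self.access_vlan


def demo():
    """Walk one port through the cases listed in the guide; returns the decisions."""
    port = MultiauthPort(access_vlan=10)
    decisions = [
        port.authorize("0000.1111.0001", radius_vlan=100),  # first host sets VLAN 100
        port.authorize("0000.1111.0002"),                   # no VLAN supplied: joins 100
        port.authorize("0000.1111.0003", radius_vlan=200),  # mismatch: denied
        port.authorize("0000.1111.0004", radius_vlan=100),  # match: admitted
    ]
    port.server_unreachable()
    return decisions, port


if __name__ == "__main__":
    result, p = demo()
    print(result, p.operational_vlan, p.hosts)
```

The denied case is the one worth remembering when a RADIUS policy hands out per-user VLANs: behind a hub or unmanaged switch, the first host to authenticate decides the VLAN for the whole port, and a later user whose policy returns a different VLAN is refused rather than moved.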
Migration to 802.1x for large scale Ethernet network
Hi all,
I have a very large wired-only Ethernet network which I would like to migrate to 802.1x for stronger authentication of end users. The problem I have is that there are long chains of legacy switches which do not support 802.1x (the topology of the network is a complete tree of switches). As far as I know, 802.1x is port based.
So here is the issue:
- the replacement of all switches will take a very long time, but I would like to have all end users authenticated asap
- switches supporting .1x will initially only be located at the roots of the tree. There will still be legacy switches not supporting .1x between end users and newer switches.
- authentication of users on a port of a new switch will be shared between several end users.
Do you know if it is possible to enable authentication of all users but having only enabled 802.1x in some more central locations first?
Cheers,
Benoit
IEEE 802.1x Authentication
These are the IEEE 802.1x authentication configuration guidelines:
•When IEEE 802.1x authentication is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.
•If you try to change the mode of an IEEE 802.1x-enabled port (for example, from access to trunk), an error message appears, and the port mode is not changed.
•If the VLAN to which an IEEE 802.1x-enabled port is assigned changes, this change is transparent and does not affect the switch. For example, this change occurs if a port is assigned to a RADIUS server-assigned VLAN and is then assigned to a different VLAN after re-authentication.
•If the VLAN to which an IEEE 802.1x port is assigned is shut down, disabled, or removed, the port becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned shuts down or is removed.
Try these links:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00805a64d7.html#wp1025090
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00801d11a4.shtml -
Dot1x re-authenticate & dot1x initialize
Hi,
I'm trying dot1x with critical authentication plus MAC authentication bypass,
on Cat2960 with SEE2.
Its configuration is the following:
aaa new-model
aaa authentication login cisco local
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
dot1x critical eapol
interface GigabitEthernet0/11
switchport access vlan 101
switchport mode access
dot1x mac-auth-bypass
dot1x critical
dot1x critical recovery action reinitialize
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 1
dot1x max-reauth-req 1
spanning-tree portfast
radius-server dead-criteria time 5
radius-server attribute 32 include-in-access-req format %h
no radius-server attribute nas-port
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 test username TEST idle-time 1
radius-server source-ports 1645-1646
radius-server key Cisco(%$%
radius-server vsa send accounting
When RADIUS server is down after a client is authenticated and the 2 commands,
dot1x re-authenticate int and dot1x initialize int are issued,
it does not change to critical auth state, remaining authorized by server with
dot1x re-authenticate command.
This result is correct?
CCO says,
Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12225see/scg/sw8021x.htm#wp1194433
If the port is already authorized and re-authentication occurs, the switch puts
the critical port in the critical-authentication state in the current VLAN,
which might be the one previously assigned by the RADIUS server.
Please give me any help.
Thanks,
Debug on dot1x initialize;
C2960#dot1x initialize int g0/11
Aug 8 00:50:00: dot1x-ev:dot1x_exec_init_interface: Initializing Authenticator instances on GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:00: dot1x-ev:vlan 101 vp is removed on the interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_addr_remove: Removed MAC 0000.3926.0384 from vlan 101 on interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_vlan_assign_client_deleted on interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
Aug 8 00:50:00: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
Aug 8 00:50:00: dot1x-ev:Created a default authenticator instance on GigabitEthernet0/11
Aug 8 00:50:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
Aug 8 00:50:01: dot1x-ev:Received an EAP Fail on GigabitEthernet0/11 for mac 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:No reply attributes received from AAA for 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, authenticating port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_switch_critical_vlan_policy: No Critical Auth VLAN defined for port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:Updating feature config
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:01: dot1x-ev:vlan 101 vp is added on the interface GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:Received successful Authz complete for 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:GigabitEthernet0/11:Sending EAPOL packet to group PAE address
Aug 8 00:50:01: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0/11.
Aug 8 00:50:01: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet0/11
Aug 8 00:50:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to up
C2960#
C2960#
C2960#sh dot1x int g0/11 d
Dot1x Info for GigabitEthernet0/11
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 1
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize
Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Critical-Auth
Operational HostMode = MULTI_HOST
Vlan Policy = N/A
C2960# -
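The show dot1x output above is the state a defender should be looking for: Port Status = AUTHORIZED with Authorized By = Critical-Auth, an empty client list, and an operational host mode (MULTI_HOST) that differs from the configured one (SINGLE_HOST). That port is forwarding because the RADIUS server was unreachable, not because anyone authenticated. The following is an added example, not code from the thread or from Cisco, that parses that output into key/value pairs and flags those conditions; the sample is a constructed copy of the output above, and the line layout it relies on is an assumption drawn from that output, not a documented format.

```python
# Constructed sample: copy of the 'sh dot1x int g0/11 d' output quoted above.
SAMPLE_SHOW = """\
Dot1x Info for GigabitEthernet0/11
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 1
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize
Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Critical-Auth
Operational HostMode = MULTI_HOST
Vlan Policy = N/A
"""


def parse_show_dot1x(text):
    """Parse 'show dot1x interface ... detail' output into a dict (assumed 'Key = Value' layout)."""
    info = {"interface": None, "client_list_empty": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Dot1x Info for "):
            info["interface"] = line[len("Dot1x Info for "):]
        elif line == "Dot1x Authenticator Client List Empty":
            info["client_list_empty"] = True
        elif " = " in line:
            key, value = line.split(" = ", 1)
            info[key] = value
    return info


def audit_port(info):
    """Return findings for a port that is open without a properly authenticated client."""
    findings = []
    authorized = info.get("Port Status") == "AUTHORIZED"
    if authorized and info.get("Authorized By") == "Critical-Auth":
        findings.append("port is authorized by critical-auth: open because the RADIUS "
                        "server was unreachable, not because a client authenticated")
    if info.get("Operational HostMode") != info.get("HostMode"):
        findings.append(f"operational host mode {info.get('Operational HostMode')} differs "
                        f"from configured {info.get('HostMode')}: more than one host may "
                        "be admitted behind this port")
    if authorized and info["client_list_empty"]:
        findings.append("port authorized with no authenticated client bound to it")
    return findings


if __name__ == "__main__":
    port = parse_show_dot1x(SAMPLE_SHOW)
    for f in audit_port(port):
        print(f"{port['interface']}: {f}")
```

Run over the output of every access port, this turns the critical-auth question in the thread into an inventory: which ports are currently open on the strength of an unreachable server, and how long they stay that way depends on the configured recovery action (Reinitialize here) rather than on re-authentication, which this port has disabled.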
Hello-
I am trying to figure out how to make a random number of
circles appear on a stage I have created and then have them scale x
and y randomly and at different speeds as well. In other words, the
circles would appear in random numbers, in random locations, at
different speeds, and scale up or down in random sizes as well. The
client has asked for circles to appear and disappear to symbolize
"complete chaos". You can see a screenshot of the circles and image
here:
www.malphurs.com/random.jpg
I have found plenty of tutorials on random actionscripts, but
none that mix all of the above: random location, speed, and
scaling.
Any help would be greatly appreciated.
Initiate a loop (that allows stage updates) where you add a
circle to the stage with some probability p, assign it a radius,
location, speed and scaling parameters all chosen at random between
limits you want and add it to an array.
also in that loop update each circle's properties, check for
circles that should be removed from the stage and your array and
update the stage.
you can use a separate loop to periodically change p and the
other parameter limits, if you want.