Assign IP by Radius

Hello,
I need that the Radius Server (Radiator) assign an IP address to the client that connects to one AP1100 (IOS 12.2).
Despite the Radius register that send the IP Address to client, thiss don't accept the IP.
** Sending to 172.29.3.1 port 21672 ....
Code: Access-Accept
Identifier: 242
Authentic: <181>&r<1>|<128><9><220><212><134>Y<241><235><146>_u
Attributes:
User-Name = "[email protected]"
Framed-IP-Address = 172.28.1.220
Framed-IP-Netmask = 255.255.0.0
Tunnel-Type = 1:VLAN
Tunnel-Medium-Type = 1:Ether_802
Tunnel-Private-Group-ID = 1:100
The TCP/IP config of the client Wireless LAN tries to obtain the IP in automatic mode.
Is a special configuration necessary on AP for that Radius can assign the IP address for the client?
Thanks,
Nuno.

Hi a_vazquez
I am having a similar problem. My setup is with Cisco AP 1200 (2.4 + 5.0GHZ) and a FUNK SBR radius server. The setup is in a lab scenario as we are at the design stage.
The client (HP notebook with W400 wireless card) is configured for LEAP authentication and dynamic WEP via the radius server.
My problem is that the SBR radius server assigns an IP address to the client, but the client does not seem to get the IP address. The SBR shows in its configuration and also in a sniffer trace that it has assigned an IP address, yet the client does not recieve it.
One thing i noticed in the sniffer trace is "unknown attribute 79, 80 and 88. apart from that i cant see whats stopping the IP address from getting to the client.
a static Ip address on the client works fine and we have full connectivity with all devices.
Can someone help please???
Thanks
Ali

Similar Messages

  • SSL VPN IP Address Assignment from IAS radius server

    Can I use SSL VPN IP Address Assignment from IAS radius server?it can be done with acs server.are there some differ from the acs and IAS?

    Hi,
    I will suggest to setup a sniffer capture with ACS and look for the attribute that ACS sends for IP Address Assignment, once you know the attribute apply it on the IAS.
    If you have any question do not hesitate to contact me.

  • Cisco-assign-ip-pool RADIUS VSA is an integer?

    Hi all,
    I'm trying to configure IP pool selection by RADIUS on ACS 5-3-0-40-7.
    So, I went to configuring the cisco-assign-ip-pool (Cisco VSA 218) attribute within some test authorization profile but discovered that cisco-assign-ip-pool is an integer (?!) and (therefore) accepts digits only.
    As far as I can remember, we used to put pool *names* within ip:addr-pool (something along those lines: cisco-avpair = "ip:addr-pool=test-pool-1").
    So how should we configure the values for this attribute in ACS 5?

    If your NAS is "RADIUS (Cisco IOS/PIX)" it will use a Cisco-AVPair attribute with "ip:addr-pool=poolname" inside it.
    If your NAS is just about any other RADIUS type, it will use attribute 88, Framed-Pool.
    Use the dictionary Radius-Cisco and then select cisco av-pair in the radius authorization profile.
    After that configure:
    ip:addr-pool=poolname
    The pool should be defined on the device itself like ASA. The ACS will only push the name of it.
    Jatin Katyal
    - Do rate helpful posts -

  • 802.1x authetication with dynamic Vlan assignment by a radius server

    Hi
    At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.
    When a student logs in, I want it to be placed in the "Students" Vlan, when a Administrative employee logs in, I want it to be placed in the "Administative" vlan and when the client is unknown I want to place it in the "Guest" Vlan.
    I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
    What does work:
    - If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
    - When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized". 
    So far so good.
    But what doesn't work:
    - it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
    - I can not find the Guest VLAN.
    Any help would be appriciated.

    Hi Wouter,
    Can you see in the packet capture Radius accept message VLAN attribute? Also please ensure you have the latest firmware and boot code:
    http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
    I would recommend you to open ticket with Small Business team so they can go with you through packet capture and configuration steps:
    http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Regards,
    Aleksandra 

  • ASA 5505 VPN Group Policies (RADIUS) and tunnel group

    I have a single ASA firewall protecting a small private developing network, and I need it in order to access remotely to two distinct network spaces both of wich are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
    I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass wichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries). 
    Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
    I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
    Session Type: WebVPN
    Username     : kaisaron78             Index        : 1
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 518483                 Bytes Rx     : 37549
    Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 10:59:33 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:23s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000100053f1c075
    Security Grp : none
    Asa5505# sh vpn-sessiondb webvpn
    Session Type: WebVPN
    Username     : manintra               Index        : 2
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 238914                 Bytes Rx     : 10736
    Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 11:01:02 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:05s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000200053f1c0ce
    Security Grp : none
    As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
    ! ADDRESS POOLS AND NAT
    names
    ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_27
     subnet 192.168.10.0 255.255.255.224
    access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
    ! RADIUS SETUP
    aaa-server OpenOTP protocol radius
    aaa-server OpenOTP (inside) host 192.168.1.8
     key ******
     authentication-port 1812
     accounting-port 1814
     radius-common-pw ******
     acl-netmask-convert auto-detect
    webvpn
     port 10443
     enable outside
     dtls port 10443
     anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
     anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
     anyconnect enable
    ! LOCAL POLICIES
    group-policy SSLPolicy internal
    group-policy SSLPolicy attributes
     vpn-tunnel-protocol ssl-clientless
     vlan 3
     dns-server value 10.5.1.5
     default-domain value management.local
     webvpn
      url-list value Management_List
    group-policy RemoteAC internal
    group-policy RemoteAC attributes
     vpn-tunnel-protocol ikev2 ssl-client
     vlan 1
     address-pools value AnyConnect_Pool
     dns-server value 192.168.1.4
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split_Tunnel_Anyconnect
     default-domain value home.local
     webvpn
      anyconnect profiles value AnyConnect_Profile_client_profile type user
    group-policy SSLLockdown internal
    group-policy SSLLockdown attributes
      vpn-simultaneous-logins 0
    ! DEFAULT TUNNEL
    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group VPN_Tunnel type remote-access
    tunnel-group VPN_Tunnel general-attributes
     authentication-server-group OpenOTP
     default-group-policy SSLLockdown
    !END
    I had to set up DefaultWEBVPNGroup and RAGroup that way otherwise I couldn't authenticate using radius (login failed every time). Seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM ? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since may the 2nd on this, and I really need to finish setting this up ASAP!!!!
    Any help will be more than appreciated.
    Cesare Giuliani

    Ok, it makes sense.
    Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
    Thank you again for your precious and kind help, and for your patience as well!
    Cesare Giuliani

  • Using ACS for VLAN assignment

    Hi Guys, I have been looking at the use of Cisco ACS server for VLAN assignment. So far I have searched through a number of threads and no found what I am looking for specifically so here it goes.
    1) When the RADIUS attributes have been configured in ACS (64, 65 + 81), and in my case I have them in the group configuration. For the VLANs to be assigned to the various users at their ports will every VLAN name in the RADIUS settings have to in the switches which are used for access?
    2) Is there a limit to the number of VLANs that can be assigned by the RADIUS(IETF) portion of ACS or would it be better to use RADIUS(IOS/PIX)? I am thinking of about 15 VLANS.
    I am using a Catalyst 4500 (IOS supervisor) and 2950s and 2970s at the closets.
    Thanks for any help...
    Kelvin

    Access Control Lists..I am thinking it is better to apply the ACLs at the closet (access) switches where I can specify the servers that should be reached by the hosts my test VLAN and deny those which they should not.
    I used a named extended ACL for my tests however, it did not go well. With the ACL below applied I cannot reach anything including the server I actually want to reach. My intention was to allow the hosts in the test VLAN 172.16.12.0/24 to reach 2 particular servers and their gateway however with the list applied I cannot reach anything at all. The setup is one 2950 connected to a 4507 the 2 VLANs I am working with are trunked to the 2950 and dhcp is running. I have IP routing enable on the 4507 and it is the server for the VTP domain.
    ip access-list extended guest
    permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1
    permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254
    permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53
    deny ip any any
    Any advice on how I can restrict the hosts which will be on this VLAN from accessing the rest of the network?

  • How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

    Good morning everybody,
    I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
    What I want to do is to be able to authenticate users (802.1x authentication) in our company radius server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with itself). The concept involves the configuration of both DATA and VOICE VLANs as I there is also phone authentication implemented. In order to simulate this environment I introduce a Dumb switch connected to my Cisco 2960 Catalyst.
    What I have successfully managed to get to work so far is this:
    1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to a the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Bellow is an output from show authentication sessions for this scenario.
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
    show authentication sessions:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac   dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
    What I want to get is an output like this:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    I want the switch to authenticate the users anytime they connect to itself and for them to have an instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked but, two users never had access to the “Internet” simultaneously!!!
    The configuration of the interface connected to the Dumb switch is as follows.
    interface FastEthernet0/x                                                      
     description Connection to DUMBswitch                                            
     switchport mode access                                                         
     switchport voice vlan XXX                                                      
     switchport port-security maximum 10                                            
     switchport port-security                                                       
     switchport port-security violation protect                                     
     authentication host-mode multi-auth                                            
     authentication priority dot1x                                                  
     authentication port-control auto                                               
     authentication timer reauthenticate 4000                                       
     authentication violation replace                                               
     dot1x pae authenticator                                                        
     dot1x timeout tx-period 10                                                     
     spanning-tree portfast                                                         
    The way I see it is explained in the following steps:
    - PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
    - When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
    Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
    Has anybody ever succeeded in such a configuration example and if yes, I would be love to get some help in doing so?
    Thank you
    Stoimen Hristov

    Hi Stoimen,
    I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
    From what I can see, you have 2 options available to you:
    1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
    2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
    Hopefully someone else will chime in with another option.
    Xavier

  • FlexConnect, EAP-TLS and dynamic VLAN assignments

    I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
    I have some questions:
    - What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
    - I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone use WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
    - I read some documents saying L3 roaminig is where the associated WLC has changed. However if user move to different subnet but still associated to the same WLC, would this be consider as L3 roaming too?
    Can someone assist to clear my confusion here? any reference url for layer 2 and layer 3 roaming details is appreciated. Thanks

    I'll give this a shot:)
    For radius vlan attributes, bothe ACS and ISE in the policies have the ability to just enter the vlan id in the profile. You can either do that or use the IETF attributes.
    The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
    64 (Tunnel-Type) should be set to VLAN (Integer = 13)
    65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
    81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
    You can find this by searching on Google.... A lot of examples out there
    v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
    Layer 3 roaming is what's going to happen if the AP's are in local mode. This means that the client will keep their IP address no matter what ap they are connected to and or WLC as long as the mobility group is the same. So a user who boots up in floor 1 will keep its IP address even if he or she roams to the 12th floor and as long as he or she didn't loose wireless connection.
    FlexConnect you can do that. The AP's are trunked and need to have the vlans. So what your trying to do will be disruptive to clients. When the roam to another floor ap that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
    Hope this helps.
    Sent from Cisco Technical Support iPhone App

  • Authentication Host-Mode Multi-Auth not working

    hi
    In my lab environment I configured 802.1x with "Multi-Auth" mode for multiple clients on a single protected port to be authenticated agains Microsoft NPS AAA server.
    Switch ports configured with Single-Host or Mult-Host options are working fine but "Multi-Auth" mode its not working. My hardware details and configurations are as follows
    Catalyst Model = WS-C2960S-24TSL running IOS 12.2(55)SE2
    Current configuration : 10423 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    aaa new-model
    aaa group server radius NPS
    server-private x.x.x.x auth-port 1645 acct-port 1646 key <removed>
    aaa authentication dot1x default group NPS
    aaa authorization network default group NPS
    aaa session-id common
    switch 1 provision ws-c2960s-24ts-l
    authentication mac-move permit
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface GigabitEthernet1/0/1
    switchport access vlan 5
    switchport mode access
    authentication order dot1x webauth
    authentication priority dot1x webauth
    authentication port-control auto
    authentication timer reauthenticate 7200
    authentication violation protect
    dot1x pae authenticator
    spanning-tree portfast
    interface GigabitEthernet1/0/5
    switchport access vlan 5
    switchport mode access
    switchport voice vlan 98
    authentication host-mode multi-auth
    authentication order dot1x mab webauth
    authentication priority dot1x
    authentication port-control auto
    dot1x pae authenticator
    interface GigabitEthernet1/0/7
    switchport access vlan 5
    switchport mode access
    authentication host-mode multi-host
    authentication order dot1x webauth
    authentication priority dot1x webauth
    authentication port-control auto
    authentication timer reauthenticate 7200
    authentication violation protect
    dot1x pae authenticator
    spanning-tree portfast
    interface Vlan5
    ip address x.x.x.x x.x.x.x
    interface Vlan98
    no ip address
    radius-server vsa send accounting
    radius-server vsa send authentication
    end
    My debug log for Authentication, dot1x and AAA is as follows.
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 98, data VLAN 5
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Setting domain ALL to UNATHED
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 01:58:51.354: dot1x-ev(Gi1/0/5): Interface state changed to UP
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Enabling dot1x in switch shim
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Received clear security violation
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Received clear security violation
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Link UP
    *Mar  1 01:58:51.360: AAA/BIND(00000004): Bind i/f
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Assigned AAA ID 0x00000004
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Retrieved Accounting Session ID 0x00000004
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Allocated new Auth Manager context (handle 0x83000002)
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Initialising Method dot1x state to 'Not run'
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Adding method dot1x to runnable list for Auth Mgr context 0x
    *Mar  1 01:58:51.360: AUTH-EVENT: auth_mgr_idc_add_record: Recv audit_sid=0000000000000002006CD0E0
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Sending START to dot1x (handle 0x83000002)
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: initial state auth_initialize has enter
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_initialize_enter called
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: during state auth_initialize, got event 0(cfg_auto)
    *Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_initialize -> auth_disconnected
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_disconnected_enter called
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: idle during state auth_disconnected
    *Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_restart_enter called
    *Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Sending create new context event to EAP for 0x4100002D (0000.0000.0000)
    *Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has enter
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_initialize_enter called
    *Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has idle
    *Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: during state auth_bend_initialize, got event 16383(idle)
    *Mar  1 01:58:51.360: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_initialize -> auth_bend_idle
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_enter called
    *Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Created a client entry (0x4100002D)
    *Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Dot1x authentication started for 0x4100002D (0000.0000.0000)
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Received handle 0x4100002D from method
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Idle' to 'Running'
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Not run' to 'Running'
    *Mar  1 01:58:51.360: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/5
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0x4100002D
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: during state auth_restart, got event 6(no_eapRestart)
    *Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_connecting_enter called
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_restart_connecting_action called
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): Posting RX_REQ on Client 0x4100002D
    *Mar  1 01:58:51.365:     dot1x_auth Gi1/0/5: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
    *Mar  1 01:58:51.365: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authenticating
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authenticating_enter called
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_connecting_authenticating_action called
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): Posting AUTH_START for 0x4100002D
    *Mar  1 01:58:51.365:     dot1x_auth_bend Gi1/0/5: during state auth_bend_idle, got event 4(eapReq_authStart)
    *Mar  1 01:58:51.365: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_idle -> auth_bend_request
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
    *Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
    *Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Role determination not required
    *Mar  1 01:58:51.365: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
    *Mar  1 01:58:51.365: EAPOL pak dump Tx
    *Mar  1 01:58:51.365: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  1 01:58:51.365: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  1 01:58:51.365: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_request_action called
    *Mar  1 01:58:53.352: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
    *Mar  1 01:58:54.353: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up
    *Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x4100002D
    *Mar  1 01:59:22.188:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq)
    *Mar  1 01:59:22.188: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request
    *Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_request_action called
    *Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
    *Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
    *Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Role determination not required
    *Mar  1 01:59:22.188: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
    *Mar  1 01:59:22.188: EAPOL pak dump Tx
    *Mar  1 01:59:22.188: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  1 01:59:22.188: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  1 01:59:22.188: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
    *Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x4100002D
    *Mar  1 01:59:53.016:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq)
    *Mar  1 01:59:53.016: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request
    *Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_request_action called
    *Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
    *Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
    *Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Role determination not required
    *Mar  1 01:59:53.016: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
    *Mar  1 01:59:53.016: EAPOL pak dump Tx
    *Mar  1 01:59:53.016: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  1 01:59:53.016: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  1 01:59:53.016: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Received an EAP Timeout
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): Posting EAP_TIMEOUT for 0x4100002D
    *Mar  1 02:00:23.844:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 12(eapTimeout)
    *Mar  1 02:00:23.844: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_timeout
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_timeout_enter called
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_timeout_action called
    *Mar  1 02:00:23.844:     dot1x_auth_bend Gi1/0/5: idle during state auth_bend_timeout
    *Mar  1 02:00:23.844: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_timeout -> auth_bend_idle
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_enter called
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): Posting AUTH_TIMEOUT on Client 0x4100002D
    *Mar  1 02:00:23.844:     dot1x_auth Gi1/0/5: during state auth_authenticating, got event 14(authTimeout)
    *Mar  1 02:00:23.844: @@@ dot1x_auth Gi1/0/5: auth_authenticating -> auth_authc_result
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authenticating_exit called
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authc_result_enter called
    *Mar  1 02:00:23.844: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Sending event (2) to Auth Mgr for 0000.0000.0000
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Received AUTHC_RESULT from dot1x (handle 0x83000002)
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authc Result: no-response
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Running' to 'Authc Failed'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Running' to 'Authc Failed'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Existing AAA ID: 0x00000004
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Received AAA ID 0x00000004 from method
    *Mar  1 02:00:23.844: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
    *Mar  1 02:00:23.844: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Sending AUTHZ_FAIL to dot1x (handle 0x83000002)
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Received Authz fail for the client  0x4100002D (0000.0000.0000)
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Authc Failed' to 'Failed over'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Sending DELETE to dot1x (handle 0x83000002)
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Deleting client 0x4100002D (0000.0000.0000)
    *Mar  1 02:00:23.844: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) No more runnable methods
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Authc Failed' to 'No Methods'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Building default attribute list for unresponsive client
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Signalling Authc fail for client 0000.0000.0000
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.844: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'No Methods' to 'Authz Failed'
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Signalling Authz fail for client 0000.0000.0000
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) dot1x_switch_authz_fail: Called for GigabitEthernet1/0/5 and 0000.0000.0000
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Setting domain DATA to UNATHED
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-SYNC (Gi1/0/5) Syncing update for context (0000.0000.0000)
    *Mar  1 02:00:23.849: AUTH-EVENT: Started Auth Manager tick timer
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Started 'restart' timer (60s) for client 0000.0000.0000
    *Mar  1 02:00:23.849: dot1x-sm(Gi1/0/5): Posting_AUTHZ_FAIL on Client 0x4100002D
    *Mar  1 02:00:23.849:     dot1x_auth Gi1/0/5: during state auth_authc_result, got event 22(authzFail)
    *Mar  1 02:00:23.849: @@@ dot1x_auth Gi1/0/5: auth_authc_result -> auth_held
    *Mar  1 02:00:23.849: dot1x-ev:Delete auth client (0x4100002D) message
    *Mar  1 02:00:23.849: dot1x-ev:Auth client ctx destroyed
    *Mar  1 02:00:23.849: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client

    Multiauthentication Mode
    Available in Cisco IOS Release 12.2(33)SXI and later releases, multiauthentication (multiauth) mode allows one 802.1X/MAB client on the voice VLAN and multiple authenticated 802.1X/MAB/webauth clients on the data VLAN. When a hub or access point is connected to an 802.1X port (as shown in Figure 60-5), multiauth mode provides enhanced security over the multiple-hosts mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentications, which allows different hosts to be authenticated through different methods on a single port.
    Multiauth also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the data that the VSAs received from the authentication server.
    Release 12.2(33)SXJ and later releases support the assignment of a RADIUS server-supplied VLAN in multiauth mode, by using the existing commands and when these conditions occur:
    •The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
    •Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
    •A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
    •The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
    •After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
    •The behavior of the critical-auth VLAN is not changed for multiauth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
    NOTE :
    •Only one voice VLAN is supported on a multiauth port.
    •You cannot configure a guest VLAN or an auth-fail VLAN in multiauth mode.
    for more information :
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html

  • 802.1x Auth-Fail VLAN --- XP does not recognize

    With Auth-Fail VLAN configured on Cisco 3550 the Switch successfully configures the port to the configured auth-fail vlan upon unsuccessful authentication. The PC even gets the IP address from DHCP.
    However, the Windows XP network icon on the task bar continues to display as if it is trying to configure the network. The popup text displays "Attempting to authenticate" whereas the PC is fully connected and able to communicate on the network.
    Any idea...????

    I am performing machine authentication against MS AD. It does get an ip address from the authentication VLAN but not before minor delay...(have seen up to a minutes delay in some cases).
    The following is working fine in my case:
    Machine Authenticaiton (S) ---> User Auth (S) then all is good.
    Machine Auth (S) ---> User Auth (F) transition to Auth Fail VLAN
    Machine Auth (F) ---> Machine is in AuthFail VLAN then User Auth (S) Machines transitions to correct access VLAN (or RADIUS assigned VLAN).
    There are times when the behaviour is a bit variable in terms of VLAN assignment. Reading the IOS guide it makes sense if you are not assigning VLAN through RADIUS then switch sometimes tends to leave the port in the currently assigned VLAN, which depending on the port state (success/fail) could be the access VLAN or the AuthFail VLAN.

  • 802.1x per host authentication under one port with multi-host access by hub

    Dear,
    While multi-host connect to one port by hub, it seems that in multi-host mode, after one host passed the authentication, the port change state to up, and the other hosts do not need to authenticate any more. And in single host mode, only one host could access to the network under one port.
    In the situation with multi-host access to one port by hub, is it possible that we could control per user access by authentication for each?
    We did some test on 3550, it seems that the 3550 doesnot support what we need. And what about 4506?
    Thanks!

    Multiauthentication Mode
    Available in Cisco IOS Release 12.2(33)SXI and later releases, multiauthentication (multiauth) mode allows one 802.1X/MAB client on the voice VLAN and multiple authenticated 802.1X/MAB/webauth clients on the data VLAN. When a hub or access point is connected to an 802.1X port (as shown in Figure 60-5), multiauth mode provides enhanced security over the multiple-hosts mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentications, which allows different hosts to be authenticated through different methods on a single port.
    Multiauth also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the data that the VSAs received from the authentication server.
    Release 12.2(33)SXJ and later releases support the assignment of a RADIUS server-supplied VLAN in multiauth mode, by using the existing commands and when these conditions occur:
    •The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
    •Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
    •A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
    •The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
    •After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
    •The behavior of the critical-auth VLAN is not changed for multiauth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
    NOTE :
    •Only one voice VLAN is supported on a multiauth port.
    •You cannot configure a guest VLAN or an auth-fail VLAN in multiauth mode.
    for more information :
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html

  • Migration to 802.1x for large scale Ethernet network

    Hi all,
    I have a very large wired-only Ethernet network which I would like to migrate to 802.1x for stronger authentication of end users. The problem I have is that there are long chains of legacy swtiches which do not support 802.1x (the topology of the network is a complete tree of switches). As far as I know, 802.1x is port based.
    So here is the issue:
    - the replacement of all switches will take a very long time, but I would like to have all end users authenticated asap
    - switches supporting .1x will initially only be located at the roots of the tree. There will still be legacy switches not supporting .1x between end users and newer switches.
    - authentication of users on a port of a new switch will be shared between several end users.
    Do you know if it possible to enable authentication of all users but having only enabled 802.1x in some more central locations first?
    Cheers,
    Benoit

    IEEE 802.1x Authentication
    These are the IEEE 802.1x authentication configuration guidelines:
    ?When IEEE 802.1x authentication is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.
    ?If you try to change the mode of an IEEE 802.1x-enabled port (for example, from access to trunk), an error message appears, and the port mode is not changed.
    ?If the VLAN to which an IEEE 802.1x-enabled port is assigned changes, this change is transparent and does not affect the switch. For example, this change occurs if a port is assigned to a RADIUS server-assigned VLAN and is then assigned to a different VLAN after re-authentication.
    If the VLAN to which an IEEE 802.1x port is assigned to shut down, disabled, or removed, the port becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned shuts down or is removed.
    Try these links:
    http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00805a64d7.html#wp1025090
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00801d11a4.shtml

  • Dot1x re-authenticate & dot1x initialize

    Hi,
    Im trying dot1x with critical authentication plus MAC authentication bypass,
    on Cat2960 with SEE2.
    Its onfigration is the following;
    aaa new-model
    aaa authentication login cisco local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
    dot1x critical eapol
    interface GigabitEthernet0/11
    switchport access vlan 101
    switchport mode access
    dot1x mac-auth-bypass
    dot1x critical
    dot1x critical recovery action reinitialize
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout tx-period 1
    dot1x max-reauth-req 1
    spanning-tree portfast
    radius-server dead-criteria time 5
    radius-server attribute 32 include-in-access-req format %h
    no radius-server attribute nas-port
    radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 test username TEST idle-time 1
    radius-server source-ports 1645-1646
    radius-server key Cisco(%$%
    radius-server vsa send accounting
    When RADIUS server is down after a client is authenticated and the 2 commands,
    dot1x re-authenticate int and dot1x initialize int are issued,
    it does not change to critical auth state, remaining authorized by server with
    dot1x re-authenticate command.
    This result is correct?
    CCO says,
    Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12225see/scg/sw8021x.htm#wp1194433
    If the port is already authorized and re-authentication occurs, the switch puts
    the critical port in the critical-authentication state in the current VLAN,
    which might be the one previously assigned by the RADIUS server.
    Please give me any help.
    Thanks,

    Debug on dot1x initialize;
    C2960#dot1x initialize int g0/11
    Aug 8 00:50:00: dot1x-ev:dot1x_exec_init_interface: Initializing Authenticator instances on GigabitEthernet0/11
    Aug 8 00:50:00: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface GigabitEthernet0/11
    Aug 8 00:50:00: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
    Aug 8 00:50:00: dot1x-ev:vlan 101 vp is removed on the interface GigabitEthernet0/11
    Aug 8 00:50:00: dot1x-ev:dot1x_switch_addr_remove: Removed MAC 0000.3926.0384 from vlan 101 on interface GigabitEthernet0/11
    Aug 8 00:50:00: dot1x-ev:dot1x_vlan_assign_client_deleted on interface GigabitEthernet0/11
    Aug 8 00:50:00: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
    Aug 8 00:50:00: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
    Aug 8 00:50:00: dot1x-ev:Created a default authenticator instance on GigabitEthernet0/11
    Aug 8 00:50:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
    Aug 8 00:50:01: dot1x-ev:Received an EAP Fail on GigabitEthernet0/11 for mac 0000.0000.0000
    Aug 8 00:50:01: dot1x-ev:No reply attributes received from AAA for 0000.0000.0000
    Aug 8 00:50:01: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, authenticating port GigabitEthernet0/11
    Aug 8 00:50:01: dot1x-ev:dot1x_switch_critical_vlan_policy: No Critical Auth VLAN defined for
    port GigabitEthernet0/11
    Aug 8 00:50:01: dot1x-ev:Updating feature config
    Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
    Aug 8 00:50:01: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
    Aug 8 00:50:01: dot1x-ev:vlan 101 vp is added on the interface GigabitEthernet0/11
    Aug 8 00:50:01: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
    Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
    Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
    Aug 8 00:50:01: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface GigabitEthernet0/11
    Aug 8 00:50:01: dot1x-ev:Received successful Authz complete for 0000.0000.0000
    Aug 8 00:50:01: dot1x-ev:GigabitEthernet0/11:Sending EAPOL packet to group PAE address
    Aug 8 00:50:01: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0/11.
    Aug 8 00:50:01: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet0/11
    Aug 8 00:50:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to up
    C2960#
    C2960#
    C2960#sh dot1x int g0/11 d
    Dot1x Info for GigabitEthernet0/11
    PAE = AUTHENTICATOR
    PortControl = AUTO
    ControlDirection = Both
    HostMode = SINGLE_HOST
    ReAuthentication = Disabled
    QuietPeriod = 60
    ServerTimeout = 30
    SuppTimeout = 30
    ReAuthPeriod = 3600 (Locally configured)
    ReAuthMax = 1
    MaxReq = 2
    TxPeriod = 1
    RateLimitPeriod = 0
    Mac-Auth-Bypass = Enabled
    Critical-Auth = Enabled
    Critical Recovery Action = Reinitialize
    Dot1x Authenticator Client List Empty
    Port Status = AUTHORIZED
    Authorized By = Critical-Auth
    Operational HostMode = MULTI_HOST
    Vlan Policy = N/A
    C2960#

  • Migration to 802.1x authentication

    Hi all,
    I have a very large wired-only Ethernet network which I would like to migrate to 802.1x for stronger authentication of end users. The problem I have is that there are long chains of legacy switches which do not support 802.1x (the topology of the network is a complete tree of switches). As far as I know, 802.1x is port based.
    So here is the issue:
    - the replacement of all switches will take a very long time, but I would like to have all end users authenticated asap
    - switches supporting .1x will initially only be located at the roots of the tree. There will still be legacy switches not supporting .1x between end users and newer switches.
    - authentication of users on a port of a new switch will be shared between several end users.
    Do you know if it possible to enable authentication of all users but having only enabled 802.1x in some more central locations first?
    Cheers,

    IEEE 802.1x Authentication
    These are the IEEE 802.1x authentication configuration guidelines:
    ?When IEEE 802.1x authentication is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.
    ?If you try to change the mode of an IEEE 802.1x-enabled port (for example, from access to trunk), an error message appears, and the port mode is not changed.
    ?If the VLAN to which an IEEE 802.1x-enabled port is assigned changes, this change is transparent and does not affect the switch. For example, this change occurs if a port is assigned to a RADIUS server-assigned VLAN and is then assigned to a different VLAN after re-authentication.
    If the VLAN to which an IEEE 802.1x port is assigned to shut down, disabled, or removed, the port becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned shuts down or is removed.
    Try these links:
    http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00805a64d7.html#wp1025090
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00801d11a4.shtml

  • Random Circles

    Hello-
    I am trying to figure out how to make a random number of
    circles appear on a stage I have created and then have them scale x
    and y randomly and at different speeds as well. In other words, the
    circles would appear in random numbers, in random locations, at
    different speeds, and scale up or down in random sizes as well. The
    client has asked for circles to appear and disappear to symbolize
    "complete chaos". You can see a screenshot of the circles and image
    here:
    www.malphurs.com/random.jpg
    I have found plenty of tutorials on random actionscripts, but
    none that mix all of the above: random location, speed, and
    scaling.
    Any help would be greatly appreciated.

    initiate a loop (that allows stage updates) where you add a
    circle to the stage with some probability p, assign it a radius,
    location, speed and scaling parameters all chosen at random between
    limits you want and add it to an array.
    also in that loop update each circle's properties, check for
    circles that should be removed from the stage and your array and
    update the stage.
    you can use a separate loop to periodically change p and the
    other parameter limits, if you want.

Maybe you are looking for