Auto Smartport Macros
I'm looking for a little advice.
Background
I've got Auto SmartPort Macros working on the newest firmware, 15.2(3)E, for my 2960x switches for all of my devices.
However I'm having some buggy issues with 15.2(3)E. If it's a small stack of 2 switches, no problems at all. However I tested on a 7 switch stack and repeatedly lost connectivity to the stack. Here are more details on that specific issue.
Cisco Suggested Firmware
The "Cisco Suggested" firmware is 15.0(2)EX5 (Based on what the download section tells you)
However when I'm running 15.0(2)EX5 the switch is unable to automatically detect my Cisco 7821/7841/8841/8831 phones and my CAP702i APs.
I'm assuming it's because the devices are actually newer than the Suggested Firmware.
Here is a 7821 example: it knows the model but not that it should fall in the Cisco IP Phone category...
Here is a CAP702i:
The actual questions
Is there a way (besides updating the firmware) to add to the known devices list? "sh macro auto monitor"
I've considered adding all of the OUIs, there are about 6 that I've found. Is that my best solution?
If I start filling the switch up with OUIs to detect, am I going to have a performance hit?
Is anyone running 15.2(3)E in production? Feedback? Should I stay with the Cisco Suggested?
Is there any indication of when the next firmware rev will be released?
Thanks for any input and advice you can give.
-Mike
Hi Brademeyer29,
What you see is unfortunately not a configuration issue. This has been reported to the engineering team and should be fixed in the next firmware release, 1.4.1.
For now you will have to use a workaround such as not changing the native VLAN or not using Smartport.
Regards,
Aleksandra
Similar Messages
I am testing ISE and Auto Smartports and I got the execution of the macro via ISE working.
However, it seems I MUST enable "macro auto global processing" globally before the macro is really executed.
I would like to avoid this, as enabling this globally will automatically run all standard Cisco macros for phones, APs, etc.
To prevent this, I need to configure "no macro auto processing" on each and every interface...
Isn't there another way to enable macros but not run the default macros on all ports? Only run -custom- macros when triggered by ISE?
regards,
Geert
Prime Infrastructure - CLI Template - SmartPort Macro
I'm hoping that someone can provide an example of a CLI Template for deploying a SmartPort Macro in Prime Infrastructure 2.0. I've tried multiple formats and can't seem to get it to work.
Macro to be configured:
macro auto execute TEST_MACRO {
blah
blah
blahdeeblah
}
Example 1 Template:
#INTERACTIVE
macro auto execute TEST_MACRO {
<IQ><R>
<IQ><R>blah
<IQ><R>blah
<IQ><R>blahdeeblah
<IQ><R>}
#ENDS_INTERACTIVE
The above example runs successfully, however it does not actually produce a result.
Example 2 Template:
<MLTCMD>macro auto execute TEST_MACRO {
blah
blah
blahdeeblah
}</MLTCMD>
The above example fails with the following result:
Error : Exception while sending interactive commands to device, Expect timeout: Failed to match expected device output due to Expect timeout current timeout 60000. Current output : > >blah >blah >blahdeeblah >} mc-t307-acc06(config)# Current expects : blah blah blahdeeblah \}
I'm sure that all my troubles stem from '>' result that is sent to the CLI after each line of the function is entered, however I can't seem to work around the problem.
I've tried many more combinations without success... Any help would be appreciated.
Instead of
#INTERACTIVE
macro auto execute TEST_MACRO {
<IQ><R>
<IQ><R>blah
<IQ><R>blah
<IQ><R>blahdeeblah
<IQ><R>}
#ENDS_INTERACTIVE
Try
<MLTCMD>
macro auto execute TEST_MACRO {
blah
blah
blahdeeblah
</MLTCMD>
This works for me.
Auto Smartports with non-Cisco devices
I have used auto smartports in the past and have been successful creating macros that use mac-addresses.
My question is can I create a macro that works with non-Cisco devices that are CDP capable?
We have Motorola access points that use CDP and I would like to use auto smartports to put them on their own VLANs.
Can it be done using CDP? What version of the IOS would I need to be on? Currently the 3750-Xs are on 12.2(55).
Are there any guides or configuration examples? I've searched but have been unsuccessful in finding anything so far.
I have seen some articles that reference device sensors and device profiles, but have no idea where to begin.
Thanks in advance for your support.
You may need to create a Cisco TAC case for this.
If not, then move this thread to the EEM section. If the Moto AP supports CDP then you can get someone (like Joe Clark) to build a small EEM script.
EEM is supported up to the 3560/3750.
Hi there,
Do you know of a way or an OSS note available that can help us with the auto open macro function in DMS. We have created a spreadsheet and added a macro which pops up when you open the spreadsheet and prompts you to make a selection of what functions you want on the tab. After selection, it creates a form for you based on your selection. We have attached this document in DMS but when we open it up in change mode, the macro is not coming up to give the user the option of what to select in order to get the relevant form.
Please assist.
Thanks,
Patrick
Dear Patrick,
please check in transaction DC30 which parameter you have entered under 'Define Workstation Application in network' for the used workstation application.
I would recommend you to maintain here the parameter %AUTO% for the used workstation application.
Best regards,
Christoph
P.S.: Please reward points for useful information.
Following this DOC:
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/116515-configure-autosmartports-00.html
c3750e-universalk9-mz.152-2.E.bin
It works fine for Cisco phones, switches and routers, but when I try to define a custom macro as shown in the example, it does not recognize an Avaya 1140E phone; it still applies the Cisco phone macro to this. The doc is not really clear about what exactly the trigger is for recognizing this phone. Does anyone have this working for Avaya phones?
I managed to get it working. The phones are advertising themselves as Nortel-IP-Phone-2000-Series:
macro auto trigger AVAYA_IP_PHONE
profile Nortel-IP-Phone-2000-Series
macro auto execute AVAYA_IP_PHONE {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
macro description $TRIGGER
description ***** AVAYA PHONE *****
switchport access vlan 100
switchport mode access
switchport voice vlan 200
exit
fi
if [[ $LINKUP == NO ]]
then conf t
interface $INTERFACE
no macro description $TRIGGER
no description ***** no more avaya phone *****
no switchport access vlan 100
no switchport mode access
no switchport voice vlan 200
exit
fi
}
end
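The trigger/macro pair above can be exercised without a switch. The following is an added example, not code from the post or from Cisco: a small Python interpreter for just the syntax shown, a trigger bound to the profile string the phone advertises over CDP/LLDP, and a `macro auto execute` body made of `if [[ $LINKUP == YES ]]` / `if [[ $LINKUP == NO ]]` blocks. It substitutes $INTERFACE and $TRIGGER, returns the commands the switch would push for link-up and link-down, and checks that the link-down branch removes every switchport setting the link-up branch added. The interface name and the non-matching platform string used in the usage are made up for the example. Note that the match is on whatever platform string the endpoint advertises, so the trigger identifies a claimed device type, not a verified identity.

```python
"""Interpreter for the Auto Smartport event-macro syntax shown above.

Added example; not code from the post or from Cisco. It models only what the
post shows: a trigger bound to a CDP/LLDP-advertised profile string and a
`macro auto execute` body of `if [[ $LINKUP == YES|NO ]] ... fi` blocks in
which $INTERFACE and $TRIGGER are substituted.
"""
import re

# The macro from the post, as text (closing brace included).
MACRO_TEXT = """\
macro auto execute AVAYA_IP_PHONE {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
macro description $TRIGGER
description ***** AVAYA PHONE *****
switchport access vlan 100
switchport mode access
switchport voice vlan 200
exit
fi
if [[ $LINKUP == NO ]]
then conf t
interface $INTERFACE
no macro description $TRIGGER
no description ***** no more avaya phone *****
no switchport access vlan 100
no switchport mode access
no switchport voice vlan 200
exit
fi
}
"""

# trigger name -> the profile string it matches ('macro auto trigger' + 'profile')
TRIGGERS = {"AVAYA_IP_PHONE": "Nortel-IP-Phone-2000-Series"}

_IF_RE = re.compile(r"^if \[\[ \$LINKUP == (YES|NO) \]\]$")


def parse_macro(text):
    """Return (name, {"YES": [commands], "NO": [commands]}) for one execute macro."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = re.match(r"^macro auto execute (\S+) \{$", lines[0])
    if not head or lines[-1] != "}":
        raise ValueError("expected 'macro auto execute NAME { ... }'")
    branches, current = {}, None
    for ln in lines[1:-1]:
        m = _IF_RE.match(ln)
        if m:
            current = m.group(1)
            branches[current] = []
        elif ln == "fi":
            current = None
        elif current is None:
            raise ValueError("command outside an if/fi block: " + ln)
        elif ln.startswith("then "):
            branches[current].append(ln[5:])   # 'then conf t' -> 'conf t'
        else:
            branches[current].append(ln)
    return head.group(1), branches


def match_trigger(advertised_profile):
    """Trigger that fires for a CDP/LLDP platform string, or None.
    The string is the endpoint's own claim, not a verified identity."""
    for name, profile in TRIGGERS.items():
        if profile == advertised_profile:
            return name
    return None


def run_event(interface, advertised_profile, linkup):
    """Commands the switch would push for a link-up/link-down event on `interface`."""
    trigger = match_trigger(advertised_profile)
    if trigger is None:
        return []
    name, branches = parse_macro(MACRO_TEXT)
    if name != trigger:               # the post binds trigger and macro by one name
        return []
    return [ln.replace("$INTERFACE", interface).replace("$TRIGGER", trigger)
            for ln in branches["YES" if linkup else "NO"]]


def undo_is_complete(branches):
    """True if every switchport setting made on link-up is removed on link-down."""
    added = {ln for ln in branches["YES"] if ln.startswith("switchport ")}
    removed = {ln[3:] for ln in branches["NO"] if ln.startswith("no switchport ")}
    return added <= removed


if __name__ == "__main__":
    # Hypothetical port name; the phone string is the one the post reports.
    for cmd in run_event("GigabitEthernet1/0/5", "Nortel-IP-Phone-2000-Series", True):
        print(cmd)
```

`undo_is_complete` is the check worth keeping around when writing your own macros: an anti-macro that forgets one `no switchport ...` leaves the port carrying VLAN settings after the device is unplugged, which is the same class of problem the SG300 threads further down describe.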
Security guidelines in switches.
Hello to everybody.
This is my first post and I don't know if it is the right place.
I would like to know what security guidelines you set up in your switched LAN. I mean, do you block unused ports? Do you use 802.1X with RADIUS? Do you disable Telnet and HTTP access?
What are the security guidelines that you use in your company or for clients?
Thanks in advance.
Our network uses the following:
AAA;
ACS logon to network equipment;
SSH;
HTTP/HTTPS with access list
Depending on the size of your LAN, anyone who says that "unused ports should be shut down" should be shot or given a lobotomy. I have more than 300 LAN switches. Do you know the calls I'll be getting every hour just to get ports enabled or disabled? It would make me and my team very unpopular very fast.
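As an added example for the checklist in this thread (not from either post), here is a Python script that reads a running-config and flags the items raised: Telnet enabled, HTTP without an access list, read-write SNMP communities, and access ports that are neither shut down nor under `dot1x port-control auto`. That last rule is deliberately the middle ground between the two posts: a port counts as open only if nothing restricts it. The sample config is constructed for the example, using IOS / SG300 command forms that appear elsewhere on this page; the checks are plain text matching and do not consult any real device.

```python
"""Running-config audit for the points raised in the thread above.

Added example, not from either post. SAMPLE_CONFIG is constructed for the
example using IOS / SG300 command forms seen on this page; the checks are
plain text matching and know nothing about a real device.
"""
import re

SAMPLE_CONFIG = """\
hostname edge-sw1
ip telnet server
ip ssh server
ip http server
snmp-server community public ro
snmp-server community netmgmt rw 172.18.58.58 view DefaultSuper
line vty 0 4
 transport input telnet ssh
interface gigabitethernet1
 dot1x port-control auto
 switchport mode access
interface gigabitethernet2
 switchport mode access
interface gigabitethernet3
 switchport mode access
 shutdown
interface gigabitethernet24
 description uplink to core
 switchport mode trunk
"""


def parse_blocks(config):
    """Split a config into (top-level lines, {interface: [sub-lines]})."""
    top, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(line)
        else:
            current = None           # any other top-level line ends the block
            top.append(line)
    return top, interfaces


def audit(config):
    """Return a list of (severity, finding) tuples."""
    top, interfaces = parse_blocks(config)
    findings = []
    # Management plane: Telnet in either form, HTTP without an ACL, rw SNMP.
    if "ip telnet server" in top or any(
            ln.startswith("transport input") and "telnet" in ln.split() for ln in top):
        findings.append(("high", "Telnet management access is enabled; use SSH only"))
    if "ip http server" in top and not any(ln.startswith("ip http access-class") for ln in top):
        findings.append(("medium", "HTTP server enabled without an access list"))
    for ln in top:
        m = re.match(r"^snmp-server community (\S+) rw\b", ln)
        if m:
            findings.append(("high", "read-write SNMP community '%s'" % m.group(1)))
    # Access plane: a port is 'open' only if nothing restricts it.
    for name, lines in interfaces.items():
        s = set(lines)
        if "switchport mode trunk" in s or "shutdown" in s:
            continue
        if "dot1x port-control auto" not in s:
            findings.append(("medium", "%s: open access port, neither shut down nor 802.1X-controlled" % name))
    return findings


if __name__ == "__main__":
    for severity, text in audit(SAMPLE_CONFIG):
        print(severity.upper(), text)
```

Run it against a `show running-config` dump saved to a file and the output is a short list of what to fix first; extending it with the site's own rules (an allowed-ACL name for HTTP, an approved SNMP host list) is a few more lines in `audit`.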
Configuring Auto Smartports Macros
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/swmacro.html
2960s switch gui and smartport user defined macro
Hi,
I have a few 2960S switches and would like to use the GUI to configure ports using the SmartPort function. These seem to be based on predefined macros which I can't edit. I have created my own macro; how do I enable the macro in the GUI so I can use my own macro?
Regards,
Paul
Ok, SmartPort macro is now a HIDDEN command, since 12.2(58)SE and later.
If you've got a macro you want to use, you have to enter it using CLI. Here's how you do it:
config t
macro name <BLAH>
[ENTER YOUR MACRO HERE]
[Use the "@" to end your macro]
end
To invoke the macro:
config t
interface <BLAH>
macro apply <MACRO NAME>
end
To view the macro:
sh pars macro name <MACRO NAME>
Good morning,
I'm observing what appears to be a bug in the smartport feature on our SG300 switches. We use this for our Auto Voice VLAN. We are using our own user-defined macros in place of the ip_phone and ip_phone_desktop as we use native VLANs different from what these macros allow. I believe this to be a bug.
Reproducing steps:
1. Define user based macro - including anti macro:
macro name user_ip_phone
#macro description user_ip_phone
#macro keywords $uservoice_vlan
#macro key description: $uservoice_vlan: The voice VLAN ID
#Default Values are
#$uservoice_vlan = 30
switchport mode trunk
smartport switchport trunk allowed vlan add $uservoice_vlan
spanning-tree portfast
macro name no_user_ip_phone
#macro description no_user_ip_phone
#macro keywords $uservoice_vlan
#macro key description: $uservoice_vlan: The voice VLAN ID
#Default Values are
#$uservoice_vlan = 30
smartport switchport trunk allowed vlan remove $uservoice_vlan
spanning-tree portfast
macro name user_ip_phone_desktop
#macro description user_ip_phone_desktop
#macro keywords $uservoice_vlan
#macro key description: $uservoice_vlan: The voice VLAN ID
#Default Values are
#$uservoice_vlan = 30
switchport mode trunk
smartport switchport trunk allowed vlan add $uservoice_vlan
spanning-tree portfast
macro name no_user_ip_phone_desktop
#macro description no_user_ip_phone_desktop
#macro keywords $uservoice_vlan
#macro key description: $uservoice_vlan: The voice VLAN ID
#Default Values are
#$uservoice_vlan = 30
smartport switchport trunk allowed vlan remove $uservoice_vlan
spanning-tree portfast
2. Apply these to the built in macros:
macro auto user smartport macro ip_phone user_ip_phone $uservoice_vlan 30
macro auto user smartport macro ip_phone_desktop user_ip_phone_desktop $uservoice_vlan 30
3. Set an interface to the following:
int gig1
switchport mode trunk
switchport trunk native vlan 10
spanning-tree portfast
spanning-tree bpduguard enable
4. Apply an IP phone to the interface and it will apply the user_ip_phone macro:
int gig1
spanning-tree portfast
spanning-tree bpduguard enable
switchport trunk allowed vlan add 30
switchport trunk native vlan 10
macro description user_ip_phone
!next command is internal.
macro auto smartport dynamic_type ip_phone
5. This is normal behaviour and is what we are expecting. We also expect that when the switch reboots or the interface is changed, the anti macro no_user_ip_phone should be used.
6. Two strange behaviours occur throughout the course of a reboot.
On firmware 1.4.XX, when the switch reboots the anti macro is performed on the interface - however, the no_ip_phone macro is used instead of the no_user_ip_phone. This removes the native vlan information which is what we do not want and we are left with:
int gig1
spanning-tree portfast
spanning-tree bpduguard enable
switchport trunk allowed vlan add 30
macro description "user_ip_phone | no_ip_phone | user_ip_phone"
!next command is internal.
macro auto smartport dynamic_type ip_phone
On firmware 1.3.5X, when the switch reboots - the same occurs and the anti macro no_ip_phone is run but the config remains the same for some strange reason:
int gig1
spanning-tree portfast
spanning-tree bpduguard enable
switchport trunk allowed vlan add 30
switchport trunk native vlan 10
macro description "user_ip_phone | no_ip_phone | user_ip_phone"
!next command is internal.
macro auto smartport dynamic_type ip_phone
However on firmware 1.3.5X, I have observed on multiple occasions on different switches, the statement: "macro auto user smartport macro ip_phone user_ip_phone $uservoice_vlan 30" being removed from the config after reboot which sees the default ip_phone and no_ip_phone macro run.
Impact
This is causing a massive impact on our environment. We've had the last few years on version 1.3.5 and the user macros have worked, apart from when the switch has rebooted after being in operation for a few months; this is when the "macro auto user smartport macro ip_phone user_ip_phone $uservoice_vlan 30" gets removed and users cannot get data on their port. This has been hard to debug and investigate and seems to happen randomly.
This is why I have tried upgrading to the 1.4.XX firmware, but have discovered the behaviour is even worse and the behaviour I outlined above happens on every reboot of the switch.
We have about 20 to 25 SG300's in production, only one of which is still within its 12 months, and I cannot troubleshoot with this switch as it's heavily used. Therefore I cannot approach Support directly with this as there are no switches to troubleshoot on; however, I do feel the above behaviour can be reproduced and I suspect there must be some sort of bug in the macro (anti-macro) application on ports following a reboot.
Hi Tim,
I saw this problem in 1.4 while not in 1.3.5.
Now there is a solution for this issue, which is to add the trunk native vlan setting to the user defined macro so that it will finally be recovered after reboot.
no macro auto user smartport macro ip_phone_desktop
# disassociated the user macro
macro name u_ip_phone_desktop
#macro keywords $u_native_vlan $u_voice_vlan
#macro key description: $u_native_vlan: The native VLAN for trunk
# $u_voice_vlan: The voice VLAN ID
#Default Values are
#$u_native_vlan = 10
#$u_voice_vlan = 30
#the default mode is trunk
smartport switchport trunk allowed vlan add $u_voice_vlan
smartport switchport trunk native vlan $u_native_vlan
no macro description
spanning-tree portfast
macro name no_u_ip_phone_desktop
#macro keywords $u_voice_vlan
#macro key description: $u_voice_vlan: The voice VLAN ID
#Default Values are
#$u_voice_vlan = 30
smartport switchport trunk allowed vlan remove $u_voice_vlan
no macro description
spanning-tree portfast auto
macro auto user smartport macro ip_phone_desktop u_ip_phone_desktop $u_native_vlan 10 $u_voice_vlan 30
Refreshing and Executing a Macro
Post Author: Zahed
CA Forum: Desktop Intelligence Reporting
Problem Description
I have a report which has a MACRO WITHIN IT. I want to schedule the report, refresh the report and auto-run a macro which exports the results to a text file. I am able to schedule and refresh but can't get the MACRO to auto-run after refresh. In 5.1.8 when I scheduled the report it used to give me the option to REFRESH and run the MACRO. How do I do this in BO XR2.
The text file itself is a concatenation of the date and version number which is done within the code, hence the need to use and run the Macro. The Macro needs to be executed after Report Refresh. Any help will be appreciated
Zahed
OK, enough time lost.
Would you simply have tried it, you would have seen that your toolbar is automatically stored in your Global.mpt (I did hope you had heard about the organizer and global.mpt) and as such available for all projects on that machine.
You would also have seen that when you create it it floats, and by simply dragging a toolbar around you can make it float.
If you want to make it accessible to all users, copy it into a file (using Tools, Organizer), save that file, send it to your end users (or store it on a file server where they have access) with the instruction to use Tools, Organizer to copy it into their
global.mpt. Done this many times for customers, works like a charm.
Indeed in 2010 it is more complicated and some things like creating your own button are so complicated I dare not even begin.
Hi All,
When trying to save a report in Excel, and we choose the path where the file is to be saved, Excel runs the Auto Open macro. How do we avoid that? It is not needed at all. We just need to save the file in the path chosen, and then work with that file later on.
Thanks in advance,
Regards.
Hi,
Thanks for your reply.
I already did that, I removed AutoOpen.xls from the path we use for the Excel folder, and it still keeps popping up. It's been happening recently, since last week. It's giving messages like AutoOpen is locked by another user, even when the file is already saved.
Any Ideas? We need to save files without Auto Open, like before.
Regards.
SG series switch smart port macro issues
Hi there,
There seems to be a problem with some switches that it doesn't allow us to change the untagged VLAN in the smartport macro.
This causes a problem: if we change it manually when we apply the smartport it works fine, but if the switch reboots the smartport is reapplied with the VLAN set in the macro, which puts the port onto the wrong VLAN, which is not good.
Please help.
Hello Gerrard,
This is actually a currently known issue. When you try to update the native VLAN on a smartport macro it looks like it has taken effect, but never really gets updated. I have confirmed the same issue on a device here in the lab.
Give us a call at 1.866.606.1866 and we can create a support case for you and try to get that issue resolved.
Thank you for choosing Cisco,
Christopher Ebert
Senior Network Support Engineer - Cisco Small Business Support Center
*Please rate helpful posts*
Cisco SG300 and LLDP with Yealink Phones.
I am currently trying to set up a Cisco SG300 switch with a hosted VoIP solution using the SG300s at the customer's premises. I am not able to get the Yealink phones to pull an IP address and believe the problem is related to LLDP. We also use Polycom phones and they work just fine. Here is the configuration that I am currently using (I have tried several different configurations and none of them work with the Yealinks). Any help would be greatly appreciated.
DLC#show run
config-file-header
DLC
v1.3.0.62 / R750_NIK_1_3_647_260
CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
vlan database
vlan 2,88
exit
voice vlan id 88
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
hostname DLC
interface vlan 2
name Data
interface vlan 88
name FlexVoice
interface gigabitethernet1
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet2
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet3
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet4
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet5
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet6
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet7
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet8
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet9
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet10
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet11
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet12
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet13
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet14
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet15
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet16
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet17
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet18
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet19
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet20
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet21
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet22
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet23
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet24
switchport trunk allowed vlan add 88
switchport trunk native vlan 2
no macro auto smartport
interface gigabitethernet27
switchport mode access
switchport access untagged vlan 2
no macro auto smartport
interface gigabitethernet28
switchport mode access
switchport access untagged vlan 88
no macro auto smartport
exit
DLC#
Here is the latest configuration that I tried. The Polycom phone worked, the Yealink didn't.
co-test#show run
config-file-header
co-test
v1.4.0.88 / R800_NIK_1_4_194_194
CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
vlan database
vlan 2,88,881
exit
voice vlan id 88
voice vlan state oui-enabled
voice vlan cos 6 remark
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 0004f2 Polycom
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 001565 Yealink
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
hostname co-test
interface vlan 2
name data
interface vlan 88
name flexvoice
ip address 172.16.88.2 255.255.255.0
no ip address dhcp
interface gigabitethernet1
voice vlan enable
interface gigabitethernet2
voice vlan enable
interface gigabitethernet3
voice vlan enable
interface gigabitethernet4
voice vlan enable
interface gigabitethernet5
voice vlan enable
interface gigabitethernet6
voice vlan enable
interface gigabitethernet7
voice vlan enable
interface gigabitethernet8
voice vlan enable
interface gigabitethernet9
voice vlan enable
interface gigabitethernet10
voice vlan enable
interface gigabitethernet11
voice vlan enable
interface gigabitethernet12
voice vlan enable
interface gigabitethernet13
voice vlan enable
interface gigabitethernet14
voice vlan enable
interface gigabitethernet15
voice vlan enable
interface gigabitethernet16
voice vlan enable
interface gigabitethernet17
voice vlan enable
interface gigabitethernet18
voice vlan enable
interface gigabitethernet19
voice vlan enable
interface gigabitethernet20
voice vlan enable
interface gigabitethernet21
voice vlan enable
interface gigabitethernet22
voice vlan enable
interface gigabitethernet23
voice vlan enable
interface gigabitethernet24
voice vlan enable
interface gigabitethernet27
switchport mode access
switchport access vlan 2
no macro auto smartport
interface gigabitethernet28
switchport mode access
switchport access vlan 88
no macro auto smartport
exit
co-test#
RADIUS packet-id not incrementing, called-station-id missing
I am running v1.3.5.58 on an SG300-20. I am attempting to use a Network Access Control (NAC) solution, which involves a RADIUS proxy. It is getting confused by two odd behaviors of the SG300 when attempting EAP-PEAP-MSCHAPv2 authentication.
1. The SG300 does not properly increment the "Packet Identifier" bits as it progresses through the RADIUS negotiation. The packet identifier is always 0x00.
2. The SG300 does not properly set the "Called-Station-ID" Attribute-Value-Pair (AVP). Instead, it is left blank.
Although freeradius is able to find a way around these problems, the NAC RADIUS proxy cannot. Have I done something in the config to cause this to happen (see below)? Is this a known bug? Does it have a workaround? Will our hero defeat the villain and save the day? ;-)
config-file-header
ausoff-sw-test1
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
spanning-tree priority 40960
port jumbo-frame
vlan database
vlan 2-3,12,14,16,99,600,1000,1010
exit
voice vlan id 1010
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
dot1x traps authentication failure 802.1x
dot1x traps authentication success 802.1x
hostname ausoff-sw-test1
line console
exec-timeout 30
exit
line ssh
exec-timeout 30
exit
line telnet
exec-timeout 30
exit
encrypted radius-server key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI=
encrypted radius-server host 172.18.14.114 key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI= priority 1 usage dot1.x
radius-server host 172.18.58.58 usage dot1.x
radius-server timeout 10
logging host 172.18.58.50
aaa accounting dot1x start-stop group radius
enable password level 15 encrypted
username nac password encrypted *** privilege 15
username admin password encrypted *** privilege 15
username cisco password encrypted *** privilege 15
username readonly password encrypted ***
ip ssh server
ip ssh password-auth
snmp-server server
snmp-server engineID local 800000090308cc68423f4d
snmp-server location "***"
snmp-server contact "***"
snmp-server community *** rw 172.18.58.58 view DefaultSuper
snmp-server community *** rw 172.18.14.105 view DefaultSuper
snmp-server host 172.18.58.58 traps version 2c nac
snmp-server host 172.18.58.58 version 3 auth nac
snmp-server group nac v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
snmp-server group SNMPSuperuser v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
encrypted snmp-server user nac nac v3 auth sha ***
encrypted snmp-server user ManageEngines SNMPSuperuser v3 auth sha ***
ip http timeout-policy 1800
clock timezone " " -6
sntp anycast client enable ipv4
sntp broadcast client enable ipv4
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 0.pool.ntp.org poll
sntp server 1.pool.ntp.org poll
ip domain name blah.net
ip name-server 172.18.19.232
ip domain timeout 2
ip domain retry 1
ip telnet server
interface vlan 2
name NACRegistration
interface vlan 3
name NACIsolation
interface vlan 12
name Users
interface vlan 14
name Dev
interface vlan 16
name LAN
interface vlan 99
name Mgmt
ip address 172.18.58.61 255.255.255.128
interface vlan 600
name "Core Test"
dot1x guest-vlan
interface vlan 1000
name Guest
interface vlan 1010
name Voice
interface gigabitethernet1
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet2
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet3
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet4
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet5
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet6
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet7
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet8
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet9
dot1x host-mode single-host
dot1x violation-mode protect trap 10
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet10
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet11
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet12
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet13
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet14
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet15
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet16
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet17
dot1x host-mode multi-sessions
no snmp trap link-status
port monitor GigabitEthernet 20
spanning-tree disable
spanning-tree bpduguard enable
switchport mode general
switchport general acceptable-frame-type untagged-only
switchport forbidden default-vlan
interface gigabitethernet18
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet19
switchport trunk native vlan 600
interface gigabitethernet20
spanning-tree link-type point-to-point
switchport trunk allowed vlan add 2-3,12,14,16,99,600,1000,1010
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
exit
ip default-gateway 172.18.58.1
Thank you for your response, Tom. I have performed packet captures associated with this issue, and they show that the Called-Station-ID AVP is not sent with the RADIUS packets, from the SG300. There is not an issue with capitalization, the value is simply not provided at all. Here is an example of a tcpdump decode of such a packet. Please note the missing attribute:
15:48:01.843296 IP (tos 0x0, ttl 64, id 59875, offset 0, flags [none], proto UDP (17), length 142)
172.18.58.61.49205 > 172.18.58.58.1812: [udp sum ok] RADIUS, length: 114
Access Request (1), id: 0x00, Authenticator: 390000003f2000009e3f0000eb670000
NAS IP Address Attribute (4), length: 6, Value: 172.18.58.61
0x0000: ac12 3a3d
NAS Port Type Attribute (61), length: 6, Value: Ethernet
0x0000: 0000 000f
NAS Port Attribute (5), length: 6, Value: 57
0x0000: 0000 0039
Username Attribute (1), length: 12, Value: SSO\dalewl
0x0000: 5353 4f5c 6461 6c65 776c
Accounting Session ID Attribute (44), length: 10, Value: 050000DF
0x0000: 3035 3030 3030 4446
Calling Station Attribute (31), length: 19, Value: E0-DB-55-B3-1D-5C
0x0000: 4530 2d44 422d 3535 2d42 332d 3144 2d35
0x0010: 43
EAP Message Attribute (79), length: 17, Value: ..
0x0000: 0201 000f 0153 534f 5c64 616c 6577 6c
Message Authentication Attribute (80), length: 18, Value: ......R..1...EU.
0x0000: bed3 b19e c70f 52e0 ec31 afcb d545 55ad
-
SG300: MAC authentication with Radius VLAN assignment problems
Hi,
I just can't get the dynamic vlans working. I've tried everything, switch in L3 mode, switch in L2, several port configs, several tunnel configs in Radius server (freeradius 2.1.1)
Here's the final switch config:
config-file-header
switchf460dc
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
no spanning-tree
vlan database
vlan 12,100,110,666
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
no bonjour enable
hostname switchf460dc
line ssh
exec-timeout 0
exit
encrypted radius-server host 192.168.99.93 key xXx priority 1 usage dot1.x
logging host 1.2.3.4 severity debugging
passwords aging 0
ip ssh server
snmp-server server
snmp-server community public ro 192.168.99.93 view Default
clock timezone " " +1
clock summer-time web recurring eu
clock source sntp
sntp unicast client enable
sntp server 172.16.1.1
interface vlan 12
ip address 192.168.99.170 255.255.255.0
no ip address dhcp
interface gigabitethernet5
dot1x host-mode multi-sessions
dot1x reauthentication
dot1x authentication mac
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode general
switchport general allowed vlan add 100,110,666 untagged
no macro auto smartport
interface gigabitethernet6
switchport mode access
switchport access vlan 110
interface gigabitethernet9
switchport mode access
switchport access vlan 12
interface gigabitethernet10
switchport trunk allowed vlan add 12,100,110
exit
ip default-gateway 192.168.99.1
On the switch side I would expect VLAN 666 to be set but it's not there:
switchf460dc#show dot1x users
MAC Auth Auth Session VLAN
Port Username Address Method Server Time
gi5 0090dca15880 00:90:dc:a1:58:80 MAC Remote 01:09:25
This is the radius users file. It's a simple file for test.
DEFAULT Auth-Type := Accept
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 666
I am attaching a screenshot of the Radius reply sent by the server.
I also tried setting "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" as found in another post, no success.
It may be that the tag is missing in the Radius reply? If yes, how do I add it?
Any ideas?
Thanks.
Update Dec 11: I tried with FW 1.4.0, and using the same config the switch doesn't perform any Radius requests at all anymore.
I was wrong when I said that 1.4.0 wouldn't work at all. I simply had a device connected which didn't produce much traffic. My bad.
So 1.4.0 works as far as the auth is concerned, but no improvement as far as dynamic VLAN is concerned. So there is no improvement over 1.3.7, or there is a config issue.
I have opened SR 633001533 although the last appointment for WebEx went by without anyone getting back to me. I'll try again on Monday.
Feel free to get back to me if you need anything to make experiments. I'll keep this thread updated too.
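One way to check both of these points on the wire, as an added example that is not the switch's code or any poster's: a small Python RADIUS attribute parser that walks the attribute TLVs of an Access-Request to confirm whether Called-Station-Id (attribute 30) is present at all (the gap visible in the tcpdump decode earlier in the thread), and that decodes the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id triple from an Access-Accept, including the optional leading tag byte asked about in the SG300 post. The packets it parses are constructed inline, modelled on the decode and on the freeradius users file above; the Called-Station-Id MAC and the all-zero authenticator are placeholders, not captured values.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

# Attribute numbers from RFC 2865 and RFC 2868
USER_NAME, NAS_IP_ADDRESS, NAS_PORT = 1, 4, 5
CALLED_STATION_ID, CALLING_STATION_ID, NAS_PORT_TYPE = 30, 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def build_packet(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet: 20-byte header followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, ident, [(type, value), ...]); reject inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("RADIUS Length field disagrees with datagram size")
    attrs, off = [], 20
    while off < length:
        t, l = data[off], data[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("malformed attribute at offset %d" % off)
        attrs.append((t, data[off + 2:off + l]))
        off += l
    return code, ident, attrs


def has_called_station_id(data):
    """True only if Called-Station-Id (30) is present; attribute spelling is irrelevant."""
    return any(t == CALLED_STATION_ID for t, _ in parse_packet(data)[2])


def tunnel_value(t, value):
    """Split an RFC 2868 tunnel attribute into (tag, payload)."""
    if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        return value[0], int.from_bytes(value[1:], "big")   # tag byte + 3-byte integer
    if t == TUNNEL_PRIVATE_GROUP_ID:
        # The first byte is a tag only when it is 0x01..0x1F; otherwise it is the
        # first character of the group id ("666" starts with 0x36, so no tag).
        if value and 0x01 <= value[0] <= 0x1F:
            return value[0], value[1:].decode()
        return 0, value.decode()
    raise ValueError("attribute %d is not a tunnel attribute" % t)


def vlan_assignment(data):
    """Return the VLAN id carried by a consistent Tunnel-* triple, else None."""
    groups = {}
    for t, v in parse_packet(data)[2]:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, val = tunnel_value(t, v)
            groups.setdefault(tag, {})[t] = val   # attributes are matched by tag
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return int(g[TUNNEL_PRIVATE_GROUP_ID])
    return None


AUTH = bytes(16)  # constructed placeholder; a real request carries 16 random bytes

# Constructed Access-Request mirroring the tcpdump decode: Called-Station-Id absent.
REQUEST_NO_CALLED = build_packet(ACCESS_REQUEST, 0x00, AUTH, [
    (NAS_IP_ADDRESS, bytes([172, 18, 58, 61])),
    (NAS_PORT_TYPE, struct.pack("!I", 15)),          # 15 = Ethernet
    (NAS_PORT, struct.pack("!I", 57)),
    (USER_NAME, b"SSO\\dalewl"),
    (CALLING_STATION_ID, b"E0-DB-55-B3-1D-5C"),
])
# Same request with a Called-Station-Id added (constructed MAC, not from the thread).
REQUEST_WITH_CALLED = build_packet(ACCESS_REQUEST, 0x01, AUTH, [
    (NAS_IP_ADDRESS, bytes([172, 18, 58, 61])),
    (CALLED_STATION_ID, b"00-11-22-33-44-55"),
    (CALLING_STATION_ID, b"E0-DB-55-B3-1D-5C"),
])
# Constructed Access-Accepts carrying VLAN 666 as in the freeradius users file,
# once without tags and once with tag 1 on all three attributes.
ACCEPT_UNTAGGED = build_packet(ACCESS_ACCEPT, 0x00, AUTH, [
    (TUNNEL_TYPE, bytes([0]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, bytes([0]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"666"),
])
ACCEPT_TAGGED = build_packet(ACCESS_ACCEPT, 0x00, AUTH, [
    (TUNNEL_TYPE, bytes([1]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, bytes([1]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"666"),
])

if __name__ == "__main__":
    print("Called-Station-Id present:", has_called_station_id(REQUEST_NO_CALLED),
          has_called_station_id(REQUEST_WITH_CALLED))
    print("VLAN from untagged / tagged reply:",
          vlan_assignment(ACCEPT_UNTAGGED), vlan_assignment(ACCEPT_TAGGED))
```

To use this against a real capture, feed the UDP payload of the Access-Request or Access-Accept to `has_called_station_id` or `vlan_assignment`; the parser deliberately refuses packets whose Length field disagrees with the datagram size rather than reading past the buffer. Note that the tag byte is what lets a server send several tunnel triples in one reply, so a switch that ignores tags and a server that emits them can disagree about which VLAN was meant.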