Cascade a switch to a dot1x port

Need help. I'm trying to cascade an unmanaged switch to a parent switch with a dot1x-enabled port. The IOS versions of both switches (slave & parent) are dot1x compliant.
Config settings of my parent switch:
dot1x system-auth-control
dot1x guest-vlan supplicant
int f0/15
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 15
 dot1x max-req 5
 spanning-tree portfast
No configuration is set on my slave switch because I want to do a straightforward cascade. Is it possible?
Thanks...

I am not sure if this is possible. If you are connecting two switches, then the ports need to be trunk ports, right? I guess dot1x will work on access ports only. Does anyone have any comments?
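An added example, not part of the thread: a short Python audit that parses IOS-style interface stanzas like the one posted above and flags dot1x ports set to `host-mode multi-host` (in that mode one authenticated host opens the port for every device behind a cascaded switch) and dot1x ports not in access mode. The function names, finding codes and sample config are constructed for illustration.

```python
import re

# Constructed sample in the style of the posted config (not from a real device).
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface FastEthernet0/15
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/17
 switchport mode trunk
 dot1x port-control auto
!
interface FastEthernet0/18
 switchport mode access
"""


def parse_interfaces(config):
    """Return {interface name: [normalized stanza lines]} from IOS-style text."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"(?:interface|int)\s+(\S+)", line, re.I)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line == "!":
            current = None  # "!" closes the current stanza
        elif line and current is not None:
            # Treat the newer "authentication ..." syntax like "dot1x ...".
            current.append(re.sub(r"^authentication ", "dot1x ", line.lower()))
    return stanzas


def audit_dot1x(config):
    """Return a list of (interface, finding code) for dot1x-enabled ports."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "dot1x port-control auto" not in lines:
            continue  # port is not doing 802.1X at all
        if "switchport mode access" not in lines:
            findings.append((name, "NOT_ACCESS_MODE"))
        if "dot1x host-mode multi-host" in lines:
            # One successful authentication authorizes every host on the port.
            findings.append((name, "MULTI_HOST"))
    return findings


if __name__ == "__main__":
    for interface, code in audit_dot1x(SAMPLE_CONFIG):
        print(f"{interface}: {code}")
```
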

Similar Messages

  • Dot1x port authentication configuration

    Hello Friends,
    I am working on a dot1x configuration deployment project and wanted to clear up one point of confusion. I have a simple setup in which, after authentication, the workstation should go to the VLAN decided by ACS, and after failed authentication, the workstation should go to the guest or auth-fail VLAN; either one is fine since I will keep both the same.
    So I understand that the basic config should be as follows, considering old IOS.
    int fas0/1
     dot1x port-control auto
     switchport mode access
     switchport guest-vlan 10
     switchport auth-fail vlan 10
    Now I have seen many configuration examples and found that many have defined VLANs in switchport mode access [5]
    Why is this command needed, since the VLAN will be assigned from ACS? Could someone tell me why a few configurations have ports defined in some VLANs already?
    Also, what is the best practice in case the ACS server goes down, since in that scenario all workstations will fall into the auth-fail or guest VLANs?
    Are there any best practices for such scenarios?
    Thanks
    Ajay

    i found the answer this morning :
    "IEEE 802.1X Authentication with Wake on LAN
    The IEEE 802.1X authentication with wake on LAN (WoL) feature allows dormant PCs to be powered when the switch receives a specific Ethernet frame, known as the “magic packet.” You can use this feature in environments where administrators need to connect to systems that have been powered off.
    When a host that uses WoL is attached through an 802.1X port and the host powers off, the 802.1X port becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets cannot reach the host. When the PC is powered off, it is not authorized, and the switch port is not opened.
    When the switch uses 802.1X authentication with WoL, the switch forwards traffic to unauthorized 802.1x ports, including magic packets. While the port is unauthorized, the switch continues to block ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets to other devices in the network."
    describes exactly the problem I have, and I can't fix it because if I remove the "authentication port-control auto" the computer does not authenticate anymore :/

  • Dot1x port-control auto protocol down (ACS5.3)

    Hello everyone! 
    I urgently need your help please. 
    I would like to configure the ports of a switch for 802.1x. 
    When I type the command "dot1x port-control auto" on the interface, the protocol goes down and wired users are disconnected.
    Can someone help me please? it is really urgent.
    thank you in advance

    hello
    thank you for your answer.
    Below is the configuration that I've configured on the switches:
    configure terminal
      aaa new-model
      aaa authentication dot1x default group radius
      interface fastethernet0/1
      dot1x port-control auto
      end
     radius-server host x.x.x.x auth-port 1612 key xxxx
    But the command "dot1x port-control auto" causes the protocol to go down, although the port status is UP.
    I did not understand the function of this command: "dot1x port-control auto".
    could you tell me a little more?
    thank you in advance.

  • Uplinking or cascading "SRW" switches

    Hi Folks, I recently purchased three SRW switches, one 2024 and two 2048s. I want to uplink them together (for the obvious reasons) but am having problems with this. Is it imperative that I use the miniGBIC ports to uplink the switches or can I use any port on the switch? Must I make any particular changes to the port configs to improve uplink performance? Is it possible to create LAGs between ports on these switches? Ugggggghhhhh....all these questions!! Thank you in advance for any assistance you may provide. JP

    it is not necessary to use a gbic to cascade the switches unless you're planning to connect them via fiber. you can connect the switches via gigabit ports just as connecting 2 regular switches. if you have vlans created, and you want the same vlans created on all switches to communicate, you need to set up the uplink port as trunk. you can setup LAG to have a faster connection between switches.

  • Dot1x Port Authentication Error

    I can't get port authentication to work with our ACS 4.0. Cisco 3560 log attached below. I need help!
    interface GigabitEthernet0/3
    switchport access vlan 10
    switchport mode access
    mls qos trust dscp
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout server-timeout 60
    dot1x reauthentication
    dot1x guest-vlan 500
    spanning-tree portfast
    Global Config
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
    Any ideas where I need to go to fix this would be much appreciated!
    Thanks!

    Yes authentication fails. In windows it says it is validating user and eventually fails authentication.
    PTHA-MDF-SW-04#sh dot1x int gi0/3
    Dot1x Info for GigabitEthernet0/3
    PAE = AUTHENTICATOR
    PortControl = AUTO
    ControlDirection = Both
    HostMode = SINGLE_HOST
    ReAuthentication = Enabled
    QuietPeriod = 60
    ServerTimeout = 60
    SuppTimeout = 30
    ReAuthPeriod = 3600 (Locally configured)
    ReAuthMax = 2
    MaxReq = 2
    TxPeriod = 30
    RateLimitPeriod = 0
    Guest-Vlan = 500
    I am not seeing any log entries in ACS! This is getting to be silly. Why is it so difficult to get a Cisco product to work with a Cisco product? I am about to throw out the ACS box.
    Aren't the Cisco logs enough to at least point me in some direction for troubleshooting?

  • Access Connections Ethernet Location Switching only saves one port at a time

    Like many other people, I cannot get automatic location switching between two Ethernet networks to work properly.
    I have two stored network locations;  one for home and one for work.  Both of these are set up as Best Available Network with both Ethernet and Wireless.
    Under Tools - Location Switching, both networks are listed, and "Include Ethernet connections in automatic switching and prompt me to save Ethernet ports"  is checked.    However, in the details column, the current location has 1 saved port(s), and the other has 0 saved ports.    The saved port is always the one most recently connected.  
    If I go to Edit Saved Ports, only one location is listed, with the correct IP address and MAC address for the router.   If I connect at the other location, only that location is listed, again with the correct IP address and MAC address.
    The router IP addresses are different (work is 192.168.0.1, and home is 192.168.1.254), and obviously the MAC addresses are different, so it should be possible for Access Connections to distinguish them.  Unfortunately the only "editing" that is possible is to delete the saved port.  I would be happy to add a saved port manually, but that is not an option.  In addition, despite the "...prompt me to save Ethernet ports" being checked, I have never received a prompt.  Even if I delete the saved port, it resaves automatically next time without any prompt.
    I have also tried setting up both locations as Ethernet only, but have exactly the same problem.
    My T520 was supplied with Access Connections 5.85 preinstalled.  I tried upgrading to 5.97 in the hope that it had been fixed in the meantime.  Unfortunately it has not.
    Access Connections is still marginally useful to me for automatic switching between Wireless and Ethernet, and for a simple manual switch of settings such as default printer, home page, and file sharing.  However, it would be very useful for the home and work locations to be autodetected and switched.  
    From the number of unresolved questions on this board on the same topic, it appears that this is a long standing deficiency with Access Connections.  Is there any chance of this being fixed?

    I found from another bulletin board that ethernet location switching seemed to work OK with Access Connections 3.82, but stopped working with releases after that, and from my experience still does not work with 5.97
    http://www.thinkpads.com/forum/viewtopic.php?f=18&t=38514
    Two questions:
    1. Does anyone know if Access Connections 3.82 works with Windows 7?
    2. If so, where could I get a copy?  The oldest version on the Lenovo website appears to be 5.50
    I will refrain from commenting on the necessity of going back to such an old version to recover basic functionality for this utility......

  • ISE Wired 802.1x with Foundry access switch ,not show "Device Port"

    Our customer wants to enable wired 802.1x for user and machine authentication on a Foundry switch.
    They want to use ISE as the RADIUS server. We tried it, but the ISE report can't show which port the client is connected to on the switch.
    We got the tcpdump packets from ISE. They show that the "nas-port-id" RADIUS attribute is not sent out by the Foundry switch, but it sends "nas-port".
    Is it possible to let the Foundry switch send the "nas-port-id" attribute in the RADIUS request packet?
    Or is it possible to let ISE show the "nas-port" attribute value on the authentication report?
    Thanks.

  • How can I mirror all ports on CISCO 3750 switches to one Gigabyte port?

    Hi,
    I have a requirement to mirror all the ports on my 7 CISCO 3750 switches, which are in 3 separate stacks, to one single Gigabyte Ethernet port.
    Does anyone know how I can do that?
    Thanks in advance.

    Vlad, thanks a heap for your response.
    I want to apply this to my situation. Please let me know if I get them right in the following:
    Catalyst A
    vlan 901
    remote-span
    monitor session 1 source interface fastethernet 1-48 (I want to monitor all ports on the CISCO 3725)
    monitor session 1 destination remote vlan 901
    Catalyst B
    vlan 901
    remote-span (If I don't need to monitor this switch, do I still need to put anything into this switch at all?)
    Catalyst C
    vlan 901
    remote-span
    monitor session 1 source interface fastethernet 1-48 (I want to monitor all ports on this switch as well)
    monitor session 1 source remote vlan 901
    monitor session 1 destination interface gigabitethernet 3 (There are 4 Gigabit Ethernet Uplink in CISCO 3750, I want all the traffic to go to port 3, is this the right way to do?)
    Thanks in advance.

  • SCVMM2012r2 UR3 : Even with no Virtual switch assigned, an uplink port profile remains

    Hi,
    What I'm trying to do is to unassign an uplink set on my host, set to the wrong NIC (actually, on 3 NICs, even if I specified 2 when I added the logical switch...).
    To proceed, I deleted the Logical Switch assigned in the host properties on the Virtual Switches tab.
    On my host, the teaming has been deleted, but unfortunately, on one of my NICs, the subnet set in my Logical Network subsists in "Logical Network Connectivity" and is greyed out.
    It's said "The subnet an VLAN information is set by an uplink port profile set 'tVMNet' associated to this host an cannot be changed here".
    But, if I removed the virtual switch, how can it be?
    Thanks for any advice, I'm stuck

    Hi all,
    I did finally remove the cluster from SCVMM and added it back, and it's working now. No more ghost config remaining.
    I have been working on SCVMM for 3 days now, and I'm really not sure that's the easy-to-use tool we need to manage our small private cloud... It's buggy, slow, the opposite of ergonomic and far too cloud-provider oriented...

  • Where is the 300 series switch with 48 gigabit ports and PoE?

    Love the 300 series but surprised that Cisco did not put out a 48 port model with gigabit and PoE.  Would love to hear from Cisco on the reasoning behind that and if there are any plans to introduce one?  Given that gigabit and VoIP is the future at many companies it only makes sense.

    The switches use the SFPs to link to each other. The SG500 has ports for 1G or 5G and the SG500X has 10G ports. Whichever port you select will be the speed at which the switches pass traffic and stack control information. These same ports can be 'reclaimed' if you were to set the switch to stand alone mode. I have put a chart below which details the ports you can use and the speed of these ports.
    Units in Stack     SG500X     SG500X     SG500   SG500
    Stack Port Name    S1,S2-XG   S1,S2-5G   S1,S2   S3,S4
    Stack Port Speeds  10G/1G     1G/5G      1G      1G/5G

  • 3560E Switches and 10G uplink ports

    Hi!
    Thinking of 3560E switches with 2 X2 10G uplinks, I was wondering if I can use, at the same time, 1 uplink port @ 10G and the other one @ 1G, with the proper CVR-X2-SFP converter and SFP modules.
    Thanks in advance!
    Regards,
    Martin.

    Believe if you use a TwinGig converter in one of the module slots, you can connect one or two gig SFP links to it while the other module slot is 10 gig.

  • Best PoE switch for home (8-ports) that can support 5-6 phones

    Guys,
    can you recommend 8 port switch that will provide enough power for 3 x 9971 and 3 x 7965 or similar?
    Thanks!

    I think the small-business switch SG300-10MP or SG300-MPP (with PoE+) could fit your needs:
    http://www.cisco.com/c/en/us/products/collateral/switches/small-business-smart-switches/data_sheet_c78-610061.html

  • Using a Switch to Increase LAN ports on Airport Express

    Hi,
    I'm currently using an Airport Extreme as a wireless AP to my network, being directly connected to my ADSL modem/router (This is handling DHCP etc). This all works great, with an iMac, Macbook and various other wireless devices connected very nicely over 802.11n. It also functions as a print server and NAS through the USB port (Really helpful features)
    I have a number of other ethernet only devices (Set-top boxes, consoles etc) located away from the Extreme (In the lounge, under the TV). I want to connect these to the Extreme's wireless network, having moved house and cable connections no longer being an option. I was considering using WDS with a second Extreme, but thought about the possibility of an Express instead, in order to take advantage of the iTunes capability, its comparably low cost and small size. The difficulty is it only has 1 LAN port for use in WDS (Bridge) mode.
    The simple question is, can I attach a basic switch (4 port for example) to the LAN port of the Express when it is running in WDS bridged mode to allow multiple ethernet devices to be attached to the Express?
    Any help or suggestions would be much appreciated.
    John

    wildej, Welcome to the discussion area!
    The simple question is, can I attach a basic switch (4 port for example) to the LAN port of the Express when it is running in WDS bridged mode to allow multiple ethernet devices to be attached to the Express?
    Yes

  • ASA 5505 switch from Mode: access Port to Trunk on the fly via CSM ?

    Hi
    Can I configure the port on the ASA 5050 from mode access port to trunk while the FW is running in a production area without console access?
    As far as I know, on the 5505 it should work.
    Sincerely
    Alfred

    Are you using the same access port to access the ASA via CSM? If you are, then i would strongly recommend console access.
    If you are using a different port to make the changes, then yes you can configure it. However, I would still recommend configuring it during non production hour, just in case there is an issue.

  • Macbook Pro and KVM (Lindy KVM Switch Lite DVI 2 Port)

    I have purchased the above to allow me to share my apple cinema screen, speakers, keyboard and mouse with my G5 Tower and MacBook Pro.
    I have it all plugged in etc, but when I switch computers, the Macbook doesn't work properly, both screens flash blue on and off every 20 seconds or so. As if it is not detecting the screen properly.
    Then when i switch back to the tower, there is a 10-20 second delay before the keyboard and mouse kicks in (the keyboard is plugged into the cinema screen and the mouse into the keyboard, as it should be)
    I did find that if i plugged the keyboard straight into the KVM then I get no keyboard delay. But why when USb is going through the cinema display do i get such a long delay?
    When the tower is selected the macbook still thinks there is a second screen attached (can see both in my display prefs) and goes into dual screen mode (which is the way i want to use it when all plugged in) but it is when i switch the Macbook, it all start to go wrong.
    Any ideas? Have tried resetting everything (PRAM, plist, ejecting the screen (ctrl + shift + eject)), several times. Checked cables etc
    I thought it could be hardware issue, perhaps the Macbook Pro doesn't give a big enough signal out of the KVM (as it has to travel two cable lengths)
    The display works fine when plugged directly into the MBP.
    I tried it in bootcamp (xp) and annoyingly the KVM works fine, and I get dual screen mode, share keyboard and audio as it should. It is only in Leopard 10.5.6 that i get the problems.
    So it is not hardware as technically it has to power to do as it should (as windows proved), it seems more like a Apple software problem as it looks like it is constantly checking for displays and resetting itself.
    Anyway to force it not to do this?
    Thanks

    I've just noticed a similar issue. I have an ATEN CS62DU switch between a PC with Vista and a MacBook Pro 2.33GHz 15.4 inch (early 2007). Switching worked fine as far as I can remember, but after upgrading my Mac to 10.5.6 it crashes as soon as I switch. Very very irritating.
    Anyone else experienced kvm malfunction after the 10.5.X -> 10.5.6 upgrade?
    Fred.
