Cisco ISE & 3750 Switch MAB configuration Issue

Hi,
I am writing about a MAB issue which I noticed a few days ago, and I am still not able to understand what exactly happened. First of all, I would like to say that I configured MAB authentication, and according to the MAC the ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration, the switch authorizes the new device to VLAN 11 (critical VLAN). That is fine! When the ISE server is up again, I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why does that not happen? It looks as if the switch didn't notice that the RADIUS (ISE) was up and working again.
Here is the test switch configuration :
interface FastEthernet0/22
 switchport access vlan 10
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 11
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
snmp-server community ISE-Test RO
snmp-server community ISE-Test1 RW
snmp-server trap-source FastEthernet0/24
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
Thank you in advance! I hope that this issue might be interesting!
Martin

Can you confirm that you have the following syntax in your NAD:
aaa server radius dynamic-author
client 192.168.98.10 server-key AAA_Secret
Also, it would be nice to have the complete aaa/radius config. If easier, post your whole config here.
Last but not least, you can try moving to 15.x code. I had issues in the past with 12.x code and 802.1x.
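
The two things this thread turns on can be checked mechanically. The following is an added example, not part of the original posts: a small Python audit that reads a pasted IOS config and reports (a) ports that have a critical VLAN but no `server alive action reinitialize` line, so they have no configured way back under ISE policy once the server returns, and (b) RADIUS servers that are not listed as `aaa server radius dynamic-author` clients, which is what the reply asks the poster to confirm. It assumes the old-style `radius-server host` syntax used on this page; the interface FastEthernet0/23, the placeholder keys and the finding codes are constructed for illustration.

```python
import re

# Constructed sample. FastEthernet0/22 and the radius-server lines follow the
# first post (key replaced by a placeholder); FastEthernet0/23 is invented to
# show a port that has a critical VLAN but no recovery action.
SAMPLE_CONFIG = """\
interface FastEthernet0/22
 switchport access vlan 10
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 11
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication port-control auto
 mab
!
interface FastEthernet0/23
 switchport mode access
 authentication event server dead action authorize vlan 11
 authentication port-control auto
 mab
!
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key <placeholder>
"""

PAGER = re.compile(r"^\s*--More--\s*")  # pager residue often left in pasted configs
DEAD = re.compile(r"authentication event server dead action authorize vlan (\d+)$")
ALIVE = re.compile(r"authentication event server alive action (\S+)$")
RADIUS_HOST = re.compile(r"radius-server host (\S+)")
COA_CLIENT = re.compile(r"client (\S+)")
COA_HEADER = "aaa server radius dynamic-author"


def parse(config):
    """Collect per-port critical-VLAN settings, RADIUS hosts and CoA clients.

    Lines are stripped before matching, so a config whose indentation was
    lost when it was pasted into a forum is still read correctly.
    """
    ports, radius_hosts, coa_clients = {}, set(), set()
    port = None      # interface currently being read, if any
    in_coa = False   # True while inside the dynamic-author block
    for raw in config.splitlines():
        line = PAGER.sub("", raw).strip()
        if not line:
            continue
        if line == "!":
            port, in_coa = None, False
            continue
        if line.startswith("interface "):
            port, in_coa = line.split(None, 1)[1], False
            ports[port] = {"dead_vlan": None, "alive": None}
        elif line == COA_HEADER:
            port, in_coa = None, True
        elif (m := RADIUS_HOST.match(line)):
            radius_hosts.add(m.group(1))
            port, in_coa = None, False
        elif port and (m := DEAD.match(line)):
            ports[port]["dead_vlan"] = m.group(1)
        elif port and (m := ALIVE.match(line)):
            ports[port]["alive"] = m.group(1)
        elif in_coa and (m := COA_CLIENT.match(line)):
            coa_clients.add(m.group(1))
    return ports, radius_hosts, coa_clients


def audit(config):
    """Return a list of (scope, code, detail) findings for the two checks."""
    ports, radius_hosts, coa_clients = parse(config)
    findings = []
    for name, p in ports.items():
        if p["dead_vlan"] and p["alive"] != "reinitialize":
            findings.append((
                name, "NO_ALIVE_REINIT",
                f"critical VLAN {p['dead_vlan']} configured without "
                "'authentication event server alive action reinitialize'"))
    for host in sorted(radius_hosts - coa_clients):
        findings.append((
            host, "NO_COA_CLIENT",
            f"RADIUS server {host} is not a client under '{COA_HEADER}'"))
    return findings


if __name__ == "__main__":
    for scope, code, detail in audit(SAMPLE_CONFIG):
        print(f"{scope}: {code}: {detail}")
```
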

Similar Messages

  • Connection of LC/APC fiber patch cords to Cisco Catalyst 6500 & Cisco Access 3750 Switches

    I have an LC/APC fiber patch cord infrastructure and I want to connect it to Cisco Catalyst 6500 & Cisco Access 3750 Switches. What type of transceiver should be used?
    I read a note on Cisco website stating the following for Cisco SFP+ transceivers:
    Note: "Only connections with patch cords with PC or UPC connectors are supported. Patch cords with APC connectors are not supported. All cables and cable assemblies used must be compliant with the standards specified in the standards section"

    Thank you,  but my question is that I have a single mode fiber patch cord with LC/APC connector while cisco stating a note that only use LC/PC or LC/UPC type of connectors with SFP+ transceiver.  
    So what type of transceiver should I use to connect LC/APC patch cord to cisco switches?  Is there another type or SFP+ still can be used? 

  • Cisco ISE 1.3 MAB authentication.. switch drop packet

    Hello All,
    I have C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch..
    and ISE 1.3 version..
    MAB authentication is working perfectly at ISE end.. but while seeing the same at switch end.. I am seeing the switch is dropping packets on some ports..
    while some ports are working perfectly..
    Same switch configuration is working perfectly on another switch without any issue..
    Switch configuration for your suggestion..!!
    aaa new-model
    aaa authentication fail-message ^C
    **** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
    ^C
    aaa authentication login CONSOLE local
    aaa authentication login ACS group tacacs+ group radius local
    aaa authentication dot1x default group radius
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+ group radius
    aaa server radius dynamic-author
     client 172.16.95.x server-key 7 02050D480809
     client 172.16.95.x server-key 7 14141B180F0B
    aaa session-id common
    clock timezone IST 5 30
    system mtu routing 1500
    ip routing
    no ip domain-lookup
    ip domain-name EVS.com
    ip device tracking
    epm logging
    dot1x system-auth-control
    interface FastEthernet0/1
     switchport access vlan x
     switchport mode access
     switchport voice vlan x
     authentication event fail action next-method
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip tacacs source-interface Vlan10
    ip radius source-interface Vlan10 vrf default
    logging trap critical
    logging origin-id ip
    logging 172.16.5.95
    logging host 172.16.95.x transport udp port 20514
    logging host 172.16.95.x transport udp port 20514
    snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
    snmp-server view EVS-view internet included
    snmp-server community S1n2M3p4$ RO
    snmp-server community cisco RO
    snmp-server trap-source Vlan10
    snmp-server source-interface informs Vlan10
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps cluster
    snmp-server enable traps entity
    snmp-server enable traps cpu threshold
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps flash insertion removal
    snmp-server enable traps port-security
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps bridge newroot topologychange
    snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
    snmp-server enable traps syslog
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.5.x version 3 auth evsnetadmin
    tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
    tacacs-server directed-request
    tacacs-server key 7 107D580E573E411F58277F2360
    tacacs-server administration
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 25 access-request include
    radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
    radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
    radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
    radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
    radius-server timeout 2
    radius-server key 7 060506324F41
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
     exec-timeout 5 0
     privilege level 15
     logging synchronous
     login authentication CONSOLE
    line vty 0 4
     access-class telnet_access in
     exec-timeout 0 0
     logging synchronous
     login authentication ACS
     transport input ssh

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
    First thing to check is whether MAR has been enabled on the identity source. Second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at but I'd do those two first.
    Log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there.

  • Cisco ISE 1.3 Active Directory issue

    Hi Folks
    I am having an issue with our Cisco ISE and would love some feedback or a solution. I have to ISE configured to use our Active Directory setup and so far it appears to be functional. I could connect to AD, retrieve groups and use AD for authentication. The issue I am experiencing is that when I try to go to the 'Administration > Identity Management > External Sources' page and select our AD instance from the left-hand side window, the screen locks up and refuses to load. Any advice?

    hi
    I also had this issue (and one of my colleagues also) when using Firefox (version 34 and 35).
    I managed to create the AD server using IE 10 for example, and after that it appears correctly with Firefox.
    It was before ISE 1.3 patch 1, but I have seen no corrected issue in the patch 1 release notes for this problem.
    guillaume

  • Cisco ISE 1.2.1 deployment issue with Anyconnect and Profiling

    Hi All,
    We are running cisco ise box in 1.2.1 version wherein I am facing below issue while deployment. We are having two ISE boxes where One box act as Primary Admin,Secondary MNT and Policy Service and Second Box act as Secondary Admin,Primary MNT and Policy Service
    1) Profiling of Endpoints - HP LaserJet printer 55XX series and scanner profiling are not happening in Cisco ISE 1.2.1, wherein I have enabled the below probes in ISE for profiling:
    RADIUS Probe
    SNMP Probe
    SNMP Trap
    HTTP Probe and DNS
    2) Any-connect issue - We are using any-connect supplicant 3.0.11042 for wired and wireless user profile in windows 7 enterprises 32 bit machine
     - Yellow mark issue  -  Once authentication , posturing completed we are getting yellow mark on network  drive but still we are able to connect to network
    - Network Map Drive issue  -  Once authentication , posturing completed we are getting red cross mark on Network map drive and if we double click on that drive then its get accessible and red mark turns in to green.
    For that we have already allowed Ip level access to all domain in before logon dacl ( Machine authentication ) 
    That would be really great if any one can help me on the same.
    Thanks & Regards
    Pranav

    Hi Pablo ,
    Please find below solutions 
    Yellow mark issue  -  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This Service is by default disabled on Windows XP and Windows 8.X operating system. This is only enabled by default on Windows 7 and Windows Vista operating system.
    Network Map Drive issue   - Create logon script and deploy it using group policy. Script will check full network connectivity and then map network drives
    Regards
    Pranav

  • Cisco ISE and Switch 3560-X

    Good Morning,
    I am conducting an implementation of Cisco ISE version 1.2.1.198 with all its features on a switch 3560-X and in the ISE compatibility chart the minimum version for this switch would be the IOS v 15.0.2-SE2 (ED).
    My doubt is whether i need the feature ipbase or just the lanbase would be sufficient to meet all the features of 802.1x for the Cisco ISE.
    I appreciate the attention and Thanks,

    Please see the "Cisco Secure Access and Cisco TrustSec Release 5.0 System Bulletin".
    It notes that the 3560-X requires IP base license for all the 802.1X features.

  • MAB Configuration Issue

    With ACS 4.2 installed in my network, PEAP, EAP-TLS, md5... authentications work normally. But MAC-Based-Authentication doesn't work at all. I tested everything but no luck.
    This is what I have set up on the switch for MAB:
    aaa new-model
    aaa authentication login default none
    aaa authentication dot1x default group radius
    radius-server host 192.168.2.16 auth-port 1645 acct-port 1646 key cisco
    dot1x system-auth-control
    interface FastEthernet0/1
     switchport mode access
     dot1x pae authenticator
     dot1x port-control auto
     dot1x mac-auth-bypass
    On the ACS server, I created a Network-Profile for MAB and added those agentless hosts' mac-adds. I even created User-Name & password by those agentless hosts' mac-adds on ACS ... still nothing seems to be working. I have selected ACS_Internal-Database for MAC authentication.
    On ACS, when I check the Failed-attempt log, nothing is logged there. I don't know where the issue is.
    Please tell me where I'm wrong in my config?

    Hello Inayat,
    Yes you were right.   i changed the  auth-timeouts, and it is authenticating MAB-clients very fast. 
    Thank you for your support
    I need a user guide on how to set up authentication for wireless users. We have agentful and agentless wireless hosts (having iPhones...), so the authentication methods will be md5, eap-tls and mab.
    I will use (LinkSys-Wireless Router) as the authenticator for wireless hosts?
    I need a user guide for how to set up the wireless hosts (supplicants) and how to set up the Link-Sys and the Cisco switch in the middle. If you have any link, please refer me.

  • Cisco stack 3750 switch - some switches do not accept the changes

    I have a 3750 stack with 4 switches.
    I am trying to change some ports to a new VLAN, but on switches 2 & 3 the new change never works; the ports stick with the old VLAN. The other two switches work as I expected on the new VLAN.
    Tried to reboot, no progress.
    Any idea?
    The #show vlan command confirmed the VLAN changes are made.
    #show switch detail
                                                   Current
    Switch# Role     Mac Address     Priority     State
    1       Member   0019.e752.xxxx     1         Ready
    2       Member   0015.f9bf.xxxx    1         Ready
    3       Member   0016.c880.xxxx     1         Ready
    *4       Master   0011.bbe4.xxxx     1         Ready
             Stack Port Status             Neighbors
    Switch# Port 1     Port 2           Port 1   Port 2
    1       Ok         Ok               3       2
    2       Ok         Ok               4       1
    3       Ok         Ok               1       4
    4       Ok         Ok               3       2
    #show ver
    Switch   Ports  Model              SW Version              SW Image
         1   52     WS-C3750G-48TS     12.2(25)SEE2            C3750-IPBASE-M
         2   52     WS-C3750G-48TS     12.2(25)SEE3            C3750-IPBASE-M
         3   52     WS-C3750G-48TS     12.2(25)SEE3            C3750-IPBASE-M
    *    4   52     WS-C3750-48P       12.2(25)SEE3            C3750-IPBASE-M

    Now 
    Interface GigabitEthernet3/0/25 and Interface GigabitEthernet3/0/26 are changed to different VLANs (308 and 324), but the previous VLAN 107 traffic is still on those ports.
    #sh vlan confirmed the changes (at the beginning, it did not show the changes; after a system reboot it shows them, but with no effect). Switch 1 and 4 ports changed to the new VLAN, and it works. Any port changes on switches 2 and 3 are not working; they are still on the previous VLAN 107.
    #sh vlan
    113 DAL_Backup                       active
    115 DAL_Testlab                     active
    308 VLAN0308                         active   Gi3/0/25
    324 VLAN0324                         active   Gi1/0/1, Gi1/0/26, Gi3/0/26
    #show runn
    interface GigabitEthernet3/0/24
     switchport access vlan 107
     switchport mode access
     spanning-tree portfast
    interface GigabitEthernet3/0/25
     switchport access vlan 308
     switchport mode access
     spanning-tree portfast
    interface GigabitEthernet3/0/26
     switchport access vlan 324
     switchport mode access
     spanning-tree portfast
    interface GigabitEthernet3/0/27
     switchport access vlan 107
     switchport mode access
     spanning-tree portfast

  • LAG configuration issue on Cisco SG300 52 Switch

    Hi everybody,
    I am having an issue with LAG configuration on a Cisco SG300 52 switch. I have connected four Ge ports on the switch to the four NICs of a Dell R710 Server on which I installed Windows Server 2008 R2. Without LAG configured, these ports would forward traffic to and from the Dell server fine. However, if I configure LAG on the ports with LACP enabled, then they would not forward any network traffic. Debugging shows that the ports are up but their forwarding status show N/A. Am I missing any configuration? Can I configure LAG on edgeports? Or is there any compatibility issue?
    Any help  from you guys will be greatly appreciated.
    Thank you.
    Vishal

    Hi Dave,
    Thank you for your quick response and sorry to have looked at it late. Well, I already resolved the issue and like you pointed out, it was the configuration of the Dell NICs. I had to configure NIC teaming and there was a bug with the Broadcom NIC management software. I had to download this piece of software again and I was then able to configure NIC teaming on it. I initially thought that it was already configured because we got the Dell server "pre-installed with pretty much everything".
    Anyway thank you for your assistance. Oh I have a question though if you don't mind clearing my doubt. We have bought 7 of these SG300 Switches and I would like to use all of them in a hierarchical design as core, distribution and access layer switches because I believe this switch has got all the qualities to be used at all the three layers. We have about 100 users in our company at the moment but expecting growth of about 10-20 employees per year. Would you think a hierarchical network design for a 100 users is a bit of an overkill? Would you think these SG300 switches can handle network traffic at the distribution and core layers? I worked out the average daily traffic is only about 4 Mbps.
    Thank you for your valuable guidance.
    Kind regards,
    Vishal
    Date: Mon, 12 Sep 2011 08:09:40 -0600
    Subject: - Re: LAG configuration issue on Cisco SG300 52 Switch
    Cisco Support Community
    Re: LAG configuration issue on Cisco SG300 52 Switch created by David Hornstein in Small Business Switches - View the full discussion
    Hi Chundunsing,
    Thank you for the purchase of my switch.
    Chundunsing, I love the way you worded your question ; "I am having an issue with LAG configuration on a Cisco SG300 52 switch." ,but seriously you are having a problem with interfacing the dell with my switch.
    You have LAG working to the Dell R710 teamed NICs and god knows what NICs or drivers you are using to achieve this.
    Now LAG is providing load balancing between the LAG ports.
    Now LAG is providing link redundancy for connectivity to the Dell R710.
    If there is a configuration issue, it sure seems the way you have it configured without LACP is still working. But you have the option when you create a LAG group to enable LACP. You can see this as a tick box in the LAG group.
    But might I also suggest installing the recent firmware version 1.1.1.8, which just came out.
    Please be sure to:
    Step 1. Update the firmware on the switch and
    Step 2. Select it as the 'active image.'
    Step 3. Reboot the switch to utilize this active image.
    If you are having any trouble doing this, the admin guide references how to achieve this. For your convenience I have attached the guide to this posting.
    regards Dave

  • VLAN trunking from Cisco Catalyst 3750 to Cisco SF300-48P issue and related

    Hello expert,
    I'm having difficulties to configure VLAN trunking between Cisco Catalyst 3750 switch with Cisco SF300-48P switch and my workstation unable to get any DHCP IP from our DHCP server via Cisco SF300-48P switch. Below is the snippet of configuration on both switches:
    [Cisco Catalyst 3750 Switch]
    interface GigabitEthernet1/0/45
     description NCC-CC-1stFlr
     no switchport trunk encapsulation dot1q
     no switchport trunk allowed vlan 101-103
     spanning-tree portfast
    [Cisco SF300-48P Switch]
    interface fastethernet48
     spanning-tree link-type point-to-point
     switchport trunk allowed vlan add 101-103
     macro description switch
     !next command is internal.
     macro auto smartport dynamic_type switch
    interface fastethernet29
     switchport mode general
     switchport general allowed vlan add 103 tagged
     switchport general pvid 103
    Are these correct? Kindly advise!
    Thank you very much!
    Regards,
    Alex

    Hi Alex,
    for the trunk port on the Catalyst, port GE 1/0/45, we need to enable the trunk and force encapsulation dot1q, because this Catalyst model is also ISL capable and the SF300 works only with dot1q encapsulation.
    The configuration on the Catalyst should be:
    #config terminal
    #interface Gi 1/0/45
    #switchport trunk encapsulation dot1q
    #switchport mode trunk
    #switchport trunk allowed vlan 101-103
    #spanning-tree portfast
    For the SF300, the trunk port looks fine, but for the port where the PC should receive an IP address:
    #interface fastethernet29
     #switchport mode access
     #switchport access vlan 103
    Please let me know after this configuration
    Thanks
    Mehdi
    Please rate or mark as answered to help other Cisco Customers

  • Debian Linux Bonding and Cisco Catalyst 3750 - best practise?

    Hello everybody,
    I would like to know what's best practice to do this:
    The two NICs of a Debian Linux server wants to be connected with two Switchports of a Cisco Catalyst 3750 switch(stack). My goal is to have load-balancing and failover.
    My /etc/network/interfaces looks like this:
    iface bond0 inet static
           address 192.168.0.30
           netmask 255.255.255.0
           network 192.168.0.0
           broadcast 192.168.0.255
           gateway 192.168.0.1
           dns-nameservers 192.168.0.10 192.168.0.20
           dns-search xyz.mycompany.com
           slaves eth0 eth1
           bond_mode ???
           bond_miimon 100
           bond_downdelay 200
           bond-updelay 200
    First question: What bond mode should I use?
    The switchports looks like this:
    interface GigabitEthernet3/0/4
     switchport access vlan 20
     switchport mode access
     spanning-tree portfast
    What changes are necessary here? Something like this?
    interface GigabitEthernet3/0/4
     switchport trunk encapsulation dot1q
     switchport mode trunk
     spanning-tree portfast
    Thanks a lot for suggestions, hints, etc.! :-)
    Greets
    Stephan

    Hi Michael,
    thanks a lot for your answer - and sorry for my late reply!
    I like to show you my solution - I hope that it is a solution. ;-)
    My config on the switch(stack):
    switch#show etherchannel summary
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    2      Po2(SU)         LACP      Gi3/0/3(P)  Gi4/0/3(P)
    switch#show running-config interface GigabitEthernet 3/0/3
    Building configuration...
    Current configuration : 172 bytes
    interface GigabitEthernet3/0/3
     description myserver, eth0
     switchport access vlan 20
     switchport mode access
     channel-group 2 mode active
     spanning-tree portfast
    end
    lansw01#show running-config interface GigabitEthernet 4/0/3
    Building configuration...
    Current configuration : 172 bytes
    interface GigabitEthernet4/0/3
     description myserver, eth1
     switchport access vlan 20
     switchport mode access
     channel-group 2 mode active
     spanning-tree portfast
    end
    switch#show running-config interface port-channel 2
    Building configuration...
    Current configuration : 82 bytes
    interface Port-channel2
     switchport access vlan 20
     switchport mode access
    end
    The /etc/network/interfaces of my Debian machine looks like this:
    auto lo
    iface lo inet loopback
    auto bond0
            iface bond0 inet static
            address 192.168.1.xxx
            netmask 255.255.255.0
            gateway 192.168.1.xxx
            dns-nameservers 192.168.1.xxx
            dns-search xxx.xxx.xxx
            bond-mode 4
            bond-miimon 100
            bond-downdelay 200
            bond-updelay 200
            bond-lacp-rate 1
            slaves eth0 eth1
    This setup seems to work well. But I'm wondering that there is nothing with "trunking" in my setup. Would you like to give me your opinion about this?
    Thanks a lot and many greets
    Stephan

  • I cannot connect by console port to Cisco Catalyst 3750 using ethernet to USB.

    Hello. I have one Cisco Catalyst 3750 switch, and two 2950 switches. I am trying to reset their settings using a console cable with a trendnet Ethernet to USB adapter. When I try loading hyperterm or putty on com3 there is no signal. I have the communication port setting on com3. I don't know what the old settings are, and they can be reset. I get connectivity lights when plugging the cable into the switch ports. What am I missing? 

    Are you definitely using the correct COM Port number? On Windows 7, right-click My Computer > Manage, then select Device Manager and expand Ports (COM & LPT); in my case it shows Prolific USB-to-Serial Comm Port (COM5).
    Once you have the right COM Port number just use the default settings in Putty. You may find the COM Port is locked up which will require a reboot.

  • ISE 1.2, Supplicant configured for 802.1x but need to MAB

    I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
    If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
    Does anyone have any similar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
    Thanks in advance

    Maybe the held-period and quiet-period parameters would help. I would not change the TX period to anything shorter than 10 seconds. Every Cisco doc that I have ever seen has made this same recommendation, and I can tell you from experience you will have devices at times that will authenticate via MAB when you don't want them to if you decrease it lower than 10 seconds.
    Read this doc for best practices including the timers listed below.
    I hope this link works.  http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
    If not, go to www.ciscolive365.com (sign up if you haven't already) and search for
    "BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
    Change the dot1x hold, quiet, and ratelimit-period to 300. 
    held-period seconds
    Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
    quiet-period seconds
    Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
    following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
    ratelimit-period seconds
    Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.

  • Cisco ISE CWA issue

    Good Day,
    I have Cisco ISE 1.2 with Cisco 2960 NAD.
    I configured the authorization for the employee successfully, but my issue is with the guest users: the link is not redirected.
    Please advise what I should put in the authentication policy default rule? Deny access?
    And on the switch, should I put the guests on specific ports, or do I have to configure a specific VLAN in the authorization profile?
    Appreciate your support,

    In your authorization policy you are giving your Wired-Guest the same result as Wired-Webauth.
    First time through you don't know he's a guest so he hits Wired-Webauth and gets redirected. Second time through, you have him in guest flow, so you know he's an authenticated guest, he hits Wired-Guest, but you send him the same permissions "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed for instance.

  • Cisco ISE some Radius issues

    Dear guys,
         I deployed Cisco ISE for Network Access Control. My topology as described as attached image. I configured Cisco ISE as Radius Server for Client Access Control. But, I got some problems such as:
    No Accounting Start. (I have configured accounting on Switch 2960).
    Radius Request Dropped (attached image). These NAS IP Address are Servers on same subnet with Cisco ISE.
    I would greatly appreciate any help you can give me in working this problem.
    Have a nice day,
    Thanks and Regards,

    Sorry for late reply.
    Here is my switch config.
    Current configuration : 8630 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Switch
    boot-start-marker
    boot-end-marker
    no logging console
    enable password ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting delay-start all
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa server radius dynamic-author
     client A.B.C.D server-key keystrings
    aaa session-id common
    system mtu routing 1500
    vtp mode transparent
    ip dhcp snooping
    ip device tracking
    crypto pki trustpoint TP-self-signed-447922560
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-447922560
     revocation-check none
     rsakeypair TP-self-signed-447922560
    crypto pki certificate chain TP-self-signed-447922560
     certificate self-signed 01
      xxxxx
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 139,153,401-402,999,1501-1502
    interface FastEthernet0/11
     switchport access vlan 139
     switchport mode access
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     authentication periodic
     authentication timer inactivity 180
     authentication violation restrict
     mab
    interface FastEthernet0/12
     switchport access vlan 139
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 139
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity 180
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
    interface GigabitEthernet0/1
     switchport mode trunk
    interface GigabitEthernet0/2
    interface Vlan1
     no ip address
    interface Vlan139
     ip address E.F.G.H 255.255.255.0
    ip default-gateway I.J.K.L
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-DEFAULT
     remark Allow DHCP
     permit udp any eq bootpc any eq bootps
     remark Allow DNS
     permit udp any any eq domain
     permit icmp any any
     permit tcp any host A.B.C.D eq 8443
     permit tcp any host A.B.C.D eq 443
     permit tcp any host A.B.C.D eq www
     permit tcp any host A.B.C.D eq 8905
     permit tcp any host A.B.C.D eq 8909
     permit udp any host A.B.C.D eq 8905
     permit udp any host A.B.C.D eq 8909
     deny   ip any any
    ip access-list extended ACL-WEBAUTH-REDIRECT
     permit tcp any any eq www
     permit tcp any any eq 443
     deny   ip any any
    ip radius source-interface Vlan139
    snmp-server community keystrings RW
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host A.B.C.D version 2c keystrings  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
    line vty 5 15
    end
    My switch version is
    WS-2960   12.2(55)SE5 C2960-LANBASEK9-M
    I would greatly appreciate any help you can give me in working this problem.
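
An audit of the switch configuration posted above, added here as an example and not part of the original post: `authentication open` lets a port pass traffic before authentication completes, so the script reports open ports whose inbound ACL is missing or permits everything. The function names are hypothetical, and the embedded config is an excerpt of the posted lines.

```python
import re

# Excerpt of the configuration posted above (only the lines the check needs).
CONFIG = """\
interface FastEthernet0/11
 authentication open
 authentication port-control auto
 mab
interface FastEthernet0/12
 ip access-group ACL-ALLOW in
 authentication open
 authentication port-control auto
 mab
interface GigabitEthernet0/1
 switchport mode trunk
ip access-list extended ACL-ALLOW
 permit ip any any
ip access-list extended ACL-DEFAULT
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 deny   ip any any
"""

def parse_sections(text):
    """Group indented sub-commands under their top-level IOS command."""
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = sections.setdefault(line.strip(), [])
        elif line.strip() and current is not None:
            current.append(" ".join(line.split()))  # normalise spacing
    return sections

def audit_open_ports(text):
    """Map each 'authentication open' port to its pre-auth ACL weakness."""
    sections = parse_sections(text)
    acls = {k.split()[-1]: [e for e in v if not e.startswith("remark")]
            for k, v in sections.items() if k.startswith("ip access-list extended ")}
    findings = {}
    for header, cmds in sections.items():
        if not header.startswith("interface ") or "authentication open" not in cmds:
            continue
        port = header.split()[1]
        applied = [m.group(1) for c in cmds
                   if (m := re.fullmatch(r"ip access-group (\S+) in", c))]
        if not applied:
            findings[port] = "no pre-auth ACL"
        elif (acls.get(applied[0]) or [None])[0] == "permit ip any any":
            findings[port] = f"{applied[0]} permits all"
    return findings
```

On the posted config this flags both access ports; the restrictive `ACL-DEFAULT` is defined there but not applied to either interface.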
