Cisco ISE & 3750 Switch MAB configuration Issue
Hi,
I am writing in response to a MAB issue which I noticed a few days ago, and I am still not able to understand what exactly happened. First of all I would like to say that I configured MAB authentication and, according to the MAC, the ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration the switch authorizes the new device to VLAN 11 (critical VLAN). That is fine! When the ISE server is up again I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why did that not happen??? It looks as if the switch didn't notice that the RADIUS (ISE) was up and working again.
Here is the test switch configuration :
interface FastEthernet0/22
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 11
authentication event server alive action reinitialize
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication violation restrict
mab
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
snmp-server community ISE-Test RO
snmp-server community ISE-Test1 RW
snmp-server trap-source FastEthernet0/24
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
Thank you in advance! I hope that this issue might be interesting!
Martin
Can you confirm that you have the following syntax in your NAD:
aaa server radius dynamic-author
client 192.168.98.10 server-key AAA_Secret
Also, it would be nice to have the complete aaa/radius config. If easier, post your whole config here.
Last but not the least, you can try moving to 15.x code. I had issues in the past with 12.x code and 802.1x
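Added illustration for the dead/alive question in this thread (it is not code from the thread or from Cisco): a deliberately simplified Python model of how a switch decides a RADIUS server is dead under `radius-server dead-criteria time 5 tries 3`, and what has to happen before the "server alive" event can fire. The model assumes the switch marks a server dead only when both criteria hold, and marks it alive again only when a valid reply arrives, whether from a real session or from a test probe such as the IOS automate-tester (`radius-server host ... test username ... idle-time ...`). The outage timing and the endpoint arrivals are constructed; the point it shows is that, once every new session lands in the critical VLAN and nothing else talks to the dead server, no reply is ever seen, so nothing triggers `server alive action reinitialize`.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed illustration (not Cisco code) of the dead/alive decision for one
# RADIUS server, using the thread's settings: dead-criteria time 5 tries 3.


@dataclass
class RadiusServer:
    dead_time: int = 5            # radius-server dead-criteria time <seconds>
    dead_tries: int = 3           # radius-server dead-criteria tries <n>
    state: str = "ALIVE"
    timeouts: int = 0             # consecutive unanswered requests
    last_response: float = 0.0    # time of the last valid reply
    events: List[Tuple[float, str]] = field(default_factory=list)

    def timeout(self, now: float) -> None:
        """A request to this server went unanswered."""
        self.timeouts += 1
        # Both criteria must hold: enough consecutive timeouts AND no valid
        # reply for at least dead_time seconds.
        both_met = (self.timeouts >= self.dead_tries
                    and now - self.last_response >= self.dead_time)
        if self.state == "ALIVE" and both_met:
            self.state = "DEAD"
            # 'authentication event server dead action authorize vlan 11'
            self.events.append((now, "dead: new sessions go to critical VLAN"))

    def response(self, now: float) -> None:
        """A valid reply arrived, from a real session or from a test probe."""
        self.timeouts = 0
        self.last_response = now
        if self.state == "DEAD":
            self.state = "ALIVE"
            # 'authentication event server alive action reinitialize'
            self.events.append((now, "alive: reinitialize critical-VLAN ports"))


def run_scenario(probe_idle: Optional[int], outage=(1, 20), horizon=60) -> RadiusServer:
    """Drive the server through an ISE outage lasting outage[0] <= t < outage[1].

    probe_idle: seconds between test probes, or None for no probe (assumed
    model of the IOS automate-tester).  Three endpoints try to authenticate
    at t=2, 4 and 6 (one request each); after that no endpoint arrives, so in
    this model nothing else is sent to the server unless a probe is
    configured.  That is the simplification the example is built around:
    the ALIVE transition is driven by a reply.
    """
    srv = RadiusServer()
    srv.response(0)                       # t=0: server known good
    endpoint_requests = {2, 4, 6}         # constructed arrival times
    down_from, down_to = outage
    for t in range(1, horizon + 1):
        probe_due = probe_idle is not None and t % probe_idle == 0
        if t not in endpoint_requests and not probe_due:
            continue
        if down_from <= t < down_to:
            srv.timeout(t)                # ISE is down: request goes unanswered
        else:
            srv.response(t)               # ISE is back: request is answered
    return srv


if __name__ == "__main__":
    for probe in (None, 10):
        s = run_scenario(probe)
        print(f"probe every {probe}s -> final state {s.state}, events {s.events}")
```

Running it prints the no-probe case ending in state DEAD with only the "dead" event, and the probed case flipping back to ALIVE at the first probe answered after the outage. The check this suggests for the original configuration is whether anything at all sends a request to the server while every port sits in the critical VLAN.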
Similar Messages
-
I have an LC/APC fiber patch cord infrastructure and I want to connect it to Cisco Catalyst 6500 & Cisco Access 3750 switches. What type of transceiver should be used?
I read a note on Cisco website stating the following for Cisco SFP+ transceivers:
Note: "Only connections with patch cords with PC or UPC connectors are supported. Patch cords with APC connectors are not supported. All cables and cable assemblies used must be compliant with the standards specified in the standards section"
Thank you, but my question is that I have a single mode fiber patch cord with an LC/APC connector, while Cisco states in a note to only use LC/PC or LC/UPC type connectors with SFP+ transceivers.
So what type of transceiver should I use to connect LC/APC patch cord to cisco switches? Is there another type or SFP+ still can be used? -
Cisco ISE 1.3 MAB authentication.. switch drop packet
Hello All,
I have C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch..
and ISE 1.3 version..
MAB authentication is working perfectly at the ISE end.. but while seeing the same at the switch end.. I am seeing the switch is dropping packets on some ports..
while some ports are working perfectly..
Same switch configuration is working perfectly on another switch without any issue..
Switch configuration for your suggestion..!!
aaa new-model
aaa authentication fail-message ^C
**** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
^C
aaa authentication login CONSOLE local
aaa authentication login ACS group tacacs+ group radius local
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+ group radius
aaa server radius dynamic-author
client 172.16.95.x server-key 7 02050D480809
client 172.16.95.x server-key 7 14141B180F0B
aaa session-id common
clock timezone IST 5 30
system mtu routing 1500
ip routing
no ip domain-lookup
ip domain-name EVS.com
ip device tracking
epm logging
dot1x system-auth-control
interface FastEthernet0/1
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event fail action next-method
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip tacacs source-interface Vlan10
ip radius source-interface Vlan10 vrf default
logging trap critical
logging origin-id ip
logging 172.16.5.95
logging host 172.16.95.x transport udp port 20514
logging host 172.16.95.x transport udp port 20514
snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
snmp-server view EVS-view internet included
snmp-server community S1n2M3p4$ RO
snmp-server community cisco RO
snmp-server trap-source Vlan10
snmp-server source-interface informs Vlan10
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 172.16.95.x version 2c cisco
snmp-server host 172.16.95.x version 2c cisco
snmp-server host 172.16.5.x version 3 auth evsnetadmin
tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
tacacs-server directed-request
tacacs-server key 7 107D580E573E411F58277F2360
tacacs-server administration
radius-server attribute 6 on-for-login-auth
radius-server attribute 25 access-request include
radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
radius-server timeout 2
radius-server key 7 060506324F41
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
exec-timeout 5 0
privilege level 15
logging synchronous
login authentication CONSOLE
line vty 0 4
access-class telnet_access in
exec-timeout 0 0
logging synchronous
login authentication ACS
transport input ssh -
24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at but I'd do those two first.
Log off and on, or reboot, and then see if you at least get a failed machine auth on the Operations > Authentications page and we can go from there. -
Cisco ISE 1.3 Active Directory issue
Hi Folks
I am having an issue with our Cisco ISE and would love some feedback or a solution. I have ISE configured to use our Active Directory setup and so far it appears to be functional. I could connect to AD, retrieve groups and use AD for authentication. The issue I am experiencing is that when I try to go to the 'Administration > Identity Management > External Sources' page and select our AD instance from the left-hand side window, the screen locks up and refuses to load. Any advice?
Hi
I also had this issue (and one of my colleagues also) when using Firefox (versions 34 and 35)
I managed to create the AD server using IE 10 for example, and after that it appears correctly with Firefox
It was before ISE 1.3 patch 1, but I have seen no corrected issue for this problem in the patch 1 release notes
guillaume -
Cisco ISE 1.2.1 deployment issue with AnyConnect and Profiling
Hi All,
We are running cisco ise box in 1.2.1 version wherein I am facing below issue while deployment. We are having two ISE boxes where One box act as Primary Admin,Secondary MNT and Policy Service and Second Box act as Secondary Admin,Primary MNT and Policy Service
1) Profiling of endpoints - HP LaserJet printer 55XX series and scanner profiling are not happening in Cisco ISE 1.2.1, wherein I have enabled the below probes in ISE for profiling
RADIUS Probe
SNMP Probe, SNMP Trap, HTTP Probe and DNS
2) AnyConnect issue - We are using the AnyConnect supplicant 3.0.11042 for wired and wireless user profiles on Windows 7 Enterprise 32-bit machines
- Yellow mark issue - Once authentication , posturing completed we are getting yellow mark on network drive but still we are able to connect to network
- Network Map Drive issue - Once authentication , posturing completed we are getting red cross mark on Network map drive and if we double click on that drive then its get accessible and red mark turns in to green.
For that we have already allowed Ip level access to all domain in before logon dacl ( Machine authentication )
That would be really great if any one can help me on the same.
Thanks & Regards
Pranav
Hi Pablo,
Please find below solutions
Yellow mark issue - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This service is by default disabled on Windows XP and Windows 8.x operating systems. It is only enabled by default on Windows 7 and Windows Vista.
Network Map Drive issue - Create logon script and deploy it using group policy. Script will check full network connectivity and then map network drives
Regards
Pranav -
Good Morning,
I am conducting an implementation of Cisco ISE version 1.2.1.198 with all its features on a switch 3560-X and in the ISE compatibility chart the minimum version for this switch would be the IOS v 15.0.2-SE2 (ED).
My doubt is whether I need the IP Base feature set or whether LAN Base would be sufficient to meet all the 802.1x features for Cisco ISE.
I appreciate the attention and thanks,
Please see the "Cisco Secure Access and Cisco TrustSec Release 5.0 System Bulletin".
It notes that the 3560-X requires IP base license for all the 802.1X features. -
With ACS 4.2 installed in my network, PEAP, EAP-TLS, MD5... authentications work normally. But MAC-based authentication doesn't work at all. I tested everything but no luck.
This is what I have set up on the switch for MAB:
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
radius-server host 192.168.2.16 auth-port 1645 acct-port 1646 key cisco
dot1x system-auth-control
interface FastEthernet0/1
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x mac-auth-bypass
On the ACS server, I created a Network Profile for MAB, I added those agentless hosts' MAC addresses, I even created username & password entries from those agentless hosts' MAC addresses on ACS, ..... still nothing seems to be working. I have selected ACS_Internal-Database for MAC authentication.
On ACS, when I check the Failed-Attempts log, nothing is logged there. I don't know where the issue is.
Please tell me where I'm wrong in my config?
Hello Inayat,
Yes you were right. i changed the auth-timeouts, and it is authenticating MAB-clients very fast.
Thank you for your support
I need a user guide on how to set up authentication for wireless users; we have agent-full and agentless wireless hosts (having iPhones...), so the authentication methods will be MD5, EAP-TLS and MAB.
I will use a Linksys wireless router as the authenticator for the wireless hosts?
I need a user guide for how to set up the wireless hosts (supplicants) and how to set up the Linksys and the Cisco switch in the middle. If you have any link, please refer me -
Cisco stack 3750 switch - some switches not accepting the changes
I have 3750 stack with 4 switches.
I am trying to change some ports to a new VLAN, but on switches 2 & 3 the change never works; the ports stick with the old VLAN. The other two switches work as I expected on the newly changed VLAN.
Tried to reboot, no progress.
Any idea
#Show VLAN command confirmed the VLAN changes are made.
#show switch detail
Current
Switch# Role Mac Address Priority State
1 Member 0019.e752.xxxx 1 Ready
2 Member 0015.f9bf.xxxx 1 Ready
3 Member 0016.c880.xxxx 1 Ready
*4 Master 0011.bbe4.xxxx 1 Ready
Stack Port Status Neighbors
Switch# Port 1 Port 2 Port 1 Port 2
1 Ok Ok 3 2
2 Ok Ok 4 1
3 Ok Ok 1 4
4 Ok Ok 3 2
#show ver
Switch Ports Model SW Version SW Image
1 52 WS-C3750G-48TS 12.2(25)SEE2 C3750-IPBASE-M
2 52 WS-C3750G-48TS 12.2(25)SEE3 C3750-IPBASE-M
3 52 WS-C3750G-48TS 12.2(25)SEE3 C3750-IPBASE-M
* 4 52 WS-C3750-48P 12.2(25)SEE3 C3750-IPBASE-M
Now
Interface GigabitEthernet3/0/25 and Interface GigabitEthernet3/0/26 are changed to different VLANs (308 and 324), but the previous VLAN 107 still carries traffic on those ports..
#sh vlan confirmed the changes (at the beginning it did not show the changes; after rebooting the system it shows them, but with no effect). Ports on switches 1 and 4 changed to the new VLAN work; any port changes on switches 2 and 3 are not working, still on the previous VLAN 107
#sh vlan
113 DAL_Backup active
115 DAL_Testlab active
308 VLAN0308 active Gi3/0/25
324 VLAN0324 active Gi1/0/1, Gi1/0/26, Gi3/0/26
#show runn
interface GigabitEthernet3/0/24
switchport access vlan 107
switchport mode access
spanning-tree portfast
interface GigabitEthernet3/0/25
switchport access vlan 308
switchport mode access
spanning-tree portfast
interface GigabitEthernet3/0/26
switchport access vlan 324
switchport mode access
spanning-tree portfast
interface GigabitEthernet3/0/27
switchport access vlan 107
switchport mode access
spanning-tree portfast -
LAG configuration issue on Cisco SG300 52 Switch
Hi everybody,
I am having an issue with LAG configuration on a Cisco SG300 52 switch. I have connected four Ge ports on the switch to the four NICs of a Dell R710 Server on which I installed Windows Server 2008 R2. Without LAG configured, these ports would forward traffic to and from the Dell server fine. However, if I configure LAG on the ports with LACP enabled, then they would not forward any network traffic. Debugging shows that the ports are up but their forwarding status show N/A. Am I missing any configuration? Can I configure LAG on edgeports? Or is there any compatibility issue?
Any help from you guys will be greatly appreciated.
Thank you.
Vishal
Hi Dave,
Thank you for your quick response and sorry to have looked at it late. Well, I already resolved the issue and like you pointed out, it was the configuration of the Dell NICs. I had to configure NIC teaming and there was a bug with the Broadcom NIC management software. I had to download this piece of software again and I was then able to configure NIC teaming on it. I initially thought that it was already configured because we got the Dell server "pre-installed with pretty much everything".
Anyway thank you for your assistance. Oh I have a question though if you don't mind clearing my doubt. We have bought 7 of these SG300 Switches and I would like to use all of them
in a hierarchical design as core, distribution and access layer switches because I believe this switch has got all the qualities to be used at all the three layers. We have about 100 users in our company at the moment but expecting growth of about 10-20 employees per year. Would you think a hierarchical network design for a 100 users is a bit of an overkill? Would you think these SG300 switches can handle network traffic at the distribution and core layers? I worked out the average daily traffic is only about 4 Mbps.
Thank you for your valuable guidance.
Kind regards,
Vishal
Date: Mon, 12 Sep 2011 08:09:40 -0600
Subject: - Re: LAG configuration issue on Cisco SG300 52 Switch
Re: LAG configuration issue on Cisco SG300 52 Switch, created by David Hornstein in Small Business Switches
Hi Chundunsing,
Thank you for the purchase of my switch.
Chundunsing, I love the way you worded your question: "I am having an issue with LAG configuration on a Cisco SG300 52 switch.", but seriously, you are having a problem with interfacing the Dell with my switch.
You have LAG working to the Dell R710 teamed NICs and god knows what NICs or drivers you are using to achieve this.
Now LAG is providing load balancing between the LAG ports.
Now LAG is providing link redundancy for connectivity to the Dell R710.
If there is a configuration issue, it sure seems the way you have it configured without LACP is still working. But you have the option when you create a LAG group to enable LACP. You can see this as a tick box in the LAG group.
But might I also mention, firmware version 1.1.1.8 just recently came out.
Please be sure to;
Step 1. update the firmware on the switch and
Step 2. select it as the 'active image.'
Step 3. reboot the switch to utilize this active image.
If you are having any trouble doing this the admin guide references how to achieve this. For your convenience I have attached the guide to this posting.
regards Dave
-
VLAN trunking from Cisco Catalyst 3750 to Cisco SF300-48P issue and related
Hello expert,
I'm having difficulties to configure VLAN trunking between Cisco Catalyst 3750 switch with Cisco SF300-48P switch and my workstation unable to get any DHCP IP from our DHCP server via Cisco SF300-48P switch. Below is the snippet of configuration on both switches:
[Cisco Catalyst 3750 Switch]
interface GigabitEthernet1/0/45
description NCC-CC-1stFlr
no switchport trunk encapsulation dot1q
no switchport trunk allowed vlan 101-103
spanning-tree portfast
[Cisco SF300-48P Switch]
interface fastethernet48
spanning-tree link-type point-to-point
switchport trunk allowed vlan add 101-103
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
interface fastethernet29
switchport mode general
switchport general allowed vlan add 103 tagged
switchport general pvid 103
Are these are correct? Kindly advice!
Thank you very much!
Regards,
Alex
Hi Alex,
For the trunk port on the Catalyst, port GE 1/0/45, we need to enable the trunk and force the encapsulation to dot1q, because this Catalyst model is also ISL capable and the SF300 works only with dot1q encapsulation.
The configuration on the Catalyst should be:
#config terminal
#interface Gi 1/0/45
#switchport trunk encapsulation dot1q
#switchport mode trunk
#switchport trunk allowed vlan 101-103
#spanning-tree portfast
For SF300 the port trunk it looks fine but for the port where the PC should receive an IP address
#interface fastethernet29
#switchport mode access
#switchport access vlan 103
Please let me know after this configuration
Thanks
Mehdi
Please rate or mark as answered to help other Cisco Customers -
Debian Linux Bonding and Cisco Catalyst 3750 - best practise?
Hello everybody,
I would like to know what's best practice to do this:
The two NICs of a Debian Linux server are to be connected to two switchports of a Cisco Catalyst 3750 switch (stack). My goal is to have load-balancing and failover.
My /etc/network/interfaces looks like this:
iface bond0 inet static
address 192.168.0.30
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 192.168.0.10 192.168.0.20
dns-search xyz.mycompany.com
slaves eth0 eth1
bond_mode ???
bond_miimon 100
bond_downdelay 200
bond-updelay 200
First question: What bond mode should I use?
The switchports looks like this:
interface GigabitEthernet3/0/4
switchport access vlan 20
switchport mode access
spanning-tree portfast
What changes are necessary here? Something like this?
interface GigabitEthernet3/0/4
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
Thanks a lot for suggestions, hints, etc.! :-)
Greets
Stephan
Hi Michael,
thanks a lot for your answer - and sorry for my late reply!
I like to show you my solution - I hope that it is a solution. ;-)
My config on the switch(stack):
switch#show etherchannel summary
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
2 Po2(SU) LACP Gi3/0/3(P) Gi4/0/3(P)
switch#show running-config interface GigabitEthernet 3/0/3
Building configuration...
Current configuration : 172 bytes
interface GigabitEthernet3/0/3
description myserver, eth0
switchport access vlan 20
switchport mode access
channel-group 2 mode active
spanning-tree portfast
end
lansw01#show running-config interface GigabitEthernet 4/0/3
Building configuration...
Current configuration : 172 bytes
interface GigabitEthernet4/0/3
description myserver, eth1
switchport access vlan 20
switchport mode access
channel-group 2 mode active
spanning-tree portfast
end
switch#show running-config interface port-channel 2
Building configuration...
Current configuration : 82 bytes
interface Port-channel2
switchport access vlan 20
switchport mode access
end
The /etc/network/interfaces of my Debian machine looks like this:
auto lo
iface lo inet loopback
auto bond0
iface bond0 inet static
address 192.168.1.xxx
netmask 255.255.255.0
gateway 192.168.1.xxx
dns-nameservers 192.168.1.xxx
dns-search xxx.xxx.xxx
bond-mode 4
bond-miimon 100
bond-downdelay 200
bond-updelay 200
bond-lacp-rate 1
slaves eth0 eth1
This setup seems to work well. But I'm wondering why there is nothing about "trunking" in my setup. Would you like to give me your opinion about this?
Thanks a lot and many greets
Stephan -
I cannot connect by console port to Cisco Catalyst 3750 using ethernet to USB.
Hello. I have one Cisco Catalyst 3750 switch, and two 2950 switches. I am trying to reset their settings using a console cable with a trendnet Ethernet to USB adapter. When I try loading hyperterm or putty on com3 there is no signal. I have the communication port setting on com3. I don't know what the old settings are, and they can be reset. I get connectivity lights when plugging the cable into the switch ports. What am I missing?
Are you definitely using the correct COM port number? On Windows 7, right-click My Computer > Manage, then select Device Manager and expand Ports (COM & LPT); in my case it shows Prolific USB-to-Serial Comm Port (COM5).
Once you have the right COM Port number just use the default settings in Putty. You may find the COM Port is locked up which will require a reboot. -
ISE 1.2, Supplicant configured for 802.1x but need to MAB
I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
Does anyone have any similoar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
Thanks in advance
Maybe the held-period and quiet-period parameters would help. I would not change the TX period to anything shorter than 10 seconds. Every Cisco doc that I have ever seen has given this same recommendation, and I can tell you from experience you will at times have devices that authenticate via MAB when you don't want them to if you decrease it below 10 seconds.
Read this doc for best practices including the timers listed below.
I hope this link works. http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
If not, go to www.ciscolive365.com (sign up if you haven't already) and search for
"BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
Change the dot1x hold, quiet, and ratelimit-period to 300.
held-period seconds
Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
quiet-period seconds
Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
ratelimit-period seconds
Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled. -
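Two small calculations behind the timer advice in this answer, as an added example (not from the thread or from any Cisco document). The first gives how long a port that tries 802.1X first waits before it falls back to MAB, using the IOS defaults of tx-period 30 s and max-reauth-req 2; the second is a deliberately simple model of the supplicant described in the question, one that fails every exchange and keeps restarting, and counts how many failed exchanges reach RADIUS in ten minutes for several quiet-period values. The supplicant's retry interval is a constructed assumption, and the exchange itself is treated as instantaneous.

```python
import math

# Constructed example, not from the thread or any Cisco document: two small
# calculations behind the timer advice above.  Defaults for tx-period (30 s)
# and max-reauth-req (2) are the IOS defaults; the supplicant behaviour is a
# deliberately simple model.


def mab_fallback_delay(tx_period: int = 30, max_reauth_req: int = 2) -> int:
    """Seconds a port with 802.1X ahead of MAB waits for a supplicant before
    falling back to MAB.  The authenticator sends one EAP-Request/Identity,
    then retries it max_reauth_req times, each tx_period apart, and only then
    gives up on 802.1X for this attempt."""
    return tx_period * (max_reauth_req + 1)


def failed_auth_attempts(window: int, quiet_period: int, client_restart: int = 5) -> int:
    """How many failed EAP exchanges a supplicant that fails every time and
    keeps restarting can push through to RADIUS within `window` seconds.

    After each failure the authenticator sits in the HELD state for
    quiet_period seconds and ignores EAPOL-Start; the client retries every
    client_restart seconds (assumed), so the next accepted attempt is its
    first retry at or after the end of the quiet period.  The exchange
    itself is treated as instantaneous."""
    attempts, t = 0, 0
    while t < window:
        attempts += 1                         # one failed exchange hits RADIUS
        retries_needed = math.ceil(quiet_period / client_restart)
        t += max(1, retries_needed) * client_restart
    return attempts


if __name__ == "__main__":
    print("default fallback to MAB after", mab_fallback_delay(), "s")
    print("tx-period 10 ->", mab_fallback_delay(tx_period=10), "s")
    for q in (60, 120, 300):
        print(f"quiet-period {q}: {failed_auth_attempts(600, q)} failed auths in 10 min")
```

With the defaults a host gets 90 seconds before MAB is tried; with tx-period 10 that drops to 30 seconds, which is the trade-off the answer warns about. The second function shows why raising the quiet period from the 120 s quoted above to 300 s matters: the same misbehaving client goes from five failed exchanges per ten minutes to two.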
Good Day,
I have Cisco ISE 1.2 with Cisco 2960 NAD.
I configured the authorization for the employee successfully, but my issue is with the guest users the link is not redirected.
Please advise: what should I put in the authentication policy default rule? Deny access?
And on the switch I should put the guest connect to a specific ports or I have to configure specific VLAN in the authorization profile?
Appreciate your support,
In your authorization policy you are giving your Wired-Guest the same result as Wired-Webauth.
First time through you don't know he's a guest so he hits Wired-Webauth and gets redirected. Second time through, you have him in guest flow, so you know he's an authenticated guest, he hits Wired-Guest, but you send him the same permissions "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed for instance. -
Dear guys,
I deployed Cisco ISE for Network Access Control. My topology is as described in the attached image. I configured Cisco ISE as the RADIUS server for client access control. But I got some problems, such as:
No Accounting Start. (I have configured accounting on the 2960 switch).
Radius Request Dropped (attached image). These NAS IP Address are Servers on same subnet with Cisco ISE.
I would greatly appreciate any help you can give me in working this problem.
Have a nice day,
Thanks and Regards,
Sorry for the late reply.
Here is my switch config.
Current configuration : 8630 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
boot-start-marker
boot-end-marker
no logging console
enable password ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa server radius dynamic-author
client A.B.C.D server-key keystrings
aaa session-id common
system mtu routing 1500
vtp mode transparent
ip dhcp snooping
ip device tracking
crypto pki trustpoint TP-self-signed-447922560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-447922560
revocation-check none
rsakeypair TP-self-signed-447922560
crypto pki certificate chain TP-self-signed-447922560
certificate self-signed 01
xxxxx
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 139,153,401-402,999,1501-1502
interface FastEthernet0/11
switchport access vlan 139
switchport mode access
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication periodic
authentication timer inactivity 180
authentication violation restrict
mab
interface FastEthernet0/12
switchport access vlan 139
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 139
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
interface GigabitEthernet0/1
switchport mode trunk
interface GigabitEthernet0/2
interface Vlan1
no ip address
interface Vlan139
ip address E.F.G.H 255.255.255.0
ip default-gateway I.J.K.L
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit icmp any any
permit tcp any host A.B.C.D eq 8443
permit tcp any host A.B.C.D eq 443
permit tcp any host A.B.C.D eq www
permit tcp any host A.B.C.D eq 8905
permit tcp any host A.B.C.D eq 8909
permit udp any host A.B.C.D eq 8905
permit udp any host A.B.C.D eq 8909
deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
ip radius source-interface Vlan139
snmp-server community keystrings RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host A.B.C.D version 2c keystrings mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
line vty 5 15
end
My switch version is
WS-2960 12.2(55)SE5 C2960-LANBASEK9-M
I would greatly appreciate any help you can give me in working this problem.
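Added example for the two ACLs in the configuration above (not code from the thread or from Cisco): a first-match evaluator for the `ip access-list extended` entries, run over a handful of constructed flows from a host that has not yet authenticated on an `authentication open` port. It shows which flows ACL-DEFAULT lets out before ISE has answered, and which of them ACL-WEBAUTH-REDIRECT would mark for the portal (in a URL-redirect ACL, a `permit` means "redirect this"). The evaluator keeps `A.B.C.D` as the thread's placeholder for the ISE address, supports only the address and port forms that appear in these ACLs, and reports each ACL's own verdict; it does not model how the switch combines a port ACL with a redirect ACL.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example, not from the thread: a first-match evaluator for the
# two IOS extended ACLs in the config above.  'A.B.C.D' is kept as the
# thread's placeholder for the ISE address; the flows at the bottom are made up.

ACL_DEFAULT = """
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit icmp any any
permit tcp any host A.B.C.D eq 8443
permit tcp any host A.B.C.D eq 443
permit tcp any host A.B.C.D eq www
permit tcp any host A.B.C.D eq 8905
permit tcp any host A.B.C.D eq 8909
permit udp any host A.B.C.D eq 8905
permit udp any host A.B.C.D eq 8909
deny ip any any
"""

ACL_WEBAUTH_REDIRECT = """
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
"""

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _addr(toks: List[str], i: int) -> Tuple[str, int]:
    """Parse 'any' or 'host X' (the only address forms used above)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError("unsupported address form: " + " ".join(toks))


def _port(toks: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port|name>' qualifier."""
    if i < len(toks) and toks[i] == "eq":
        name = toks[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] == "remark":
            continue
        action, proto, i = toks[0], toks[1], 2
        src, i = _addr(toks, i)
        sport, i = _port(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _port(toks, i)
        rules.append(Rule(action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.src != "any" and r.src != src:
            continue
        if r.dst != "any" and r.dst != dst:
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# Constructed flows from a not-yet-authenticated host in VLAN 139
# (10.139.0.0/24 and 203.0.113.10 are made-up addresses).
FLOWS: Dict[str, Tuple[str, str, int, str, int]] = {
    "dhcp discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns query":     ("udp", "10.139.0.50", 51000, "10.139.0.5", 53),
    "ise portal":    ("tcp", "10.139.0.50", 51001, "A.B.C.D", 8443),
    "web browsing":  ("tcp", "10.139.0.50", 51002, "203.0.113.10", 80),
    "ssh internal":  ("tcp", "10.139.0.50", 51003, "10.139.0.7", 22),
}


def pre_auth_decisions() -> Dict[str, Tuple[str, str]]:
    """For each flow: (verdict of ACL-DEFAULT, verdict of ACL-WEBAUTH-REDIRECT).
    In the redirect ACL a 'permit' means 'send this to the ISE portal'."""
    default = parse_acl(ACL_DEFAULT)
    redirect = parse_acl(ACL_WEBAUTH_REDIRECT)
    return {name: (evaluate(default, *flow), evaluate(redirect, *flow))
            for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, (allowed, redirected) in pre_auth_decisions().items():
        print(f"{name:14s} ACL-DEFAULT={allowed:6s} ACL-WEBAUTH-REDIRECT={redirected}")
```

The output makes the pre-authentication exposure explicit: DHCP, DNS, ICMP and the ISE portal ports are reachable before any RADIUS answer, plain web traffic is what the redirect ACL captures, and anything else (the SSH flow here) is dropped by the trailing `deny ip any any`. Extending the evaluator to wildcard masks or port ranges would be the next step if a real ACL uses them.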