CISCO MST (802.1S) config digest KEY calculation

Hi,
We and others before us have checked that CISCO MST (802.1S) config digest KEY calculation was not done as expected by 802.1S:
the 16-byte configuration digest in the BPDU from Cisco does not follow the recommendation of 802.1s. They have different values compared with those values shown in 802.1s Table 13-2. So Cisco may not use HMAC-MD5 or the signature key as specified in 802.1s 13-7(4), and Table 13-1.
CISCO MST white paper extract:
a digest of the VLANs-to-instance mapping table is sent, along with the revision number and the name. Once a switch receives a BPDU, the switch extracts the digest (a numerical value derived from the VLAN-to-instance mapping table through a mathematical function) and compares this digest with its own computed digest. If the digests differ, the port on which the BPDU was received is at the boundary of a region.
Could anyone tell us:
- how config digest key is currently calculated?
- if it is planned to be compliant
- if it is, when it is scheduled?
- on what IOS/CATos platforms?
Many thanks.
Regards/Ludovic.

The Cisco MST implementation was a pre-standard implementation because the software was created before the 802.1s standard was officially adopted.
http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCea38886
CatOS 8.3(1) and later, and newer 12.2 IOS releases, are standard compliant.

Similar Messages

  • Ask the Expert: Cisco's 802.11ac Solutions - Deployment, Design, and Interop

    Ask your Questions on Cisco’s 802.11ac Solutions - Deployment, Design, and Interop with Cisco Experts: Richard Hamby and Shankar Ramanathan.
    Monday, March 30th, 2015 to Friday, April 10th, 2015
    Richard Hamby is a senior technical support engineer and Team Lead of the Cisco Technical Assistance Center in Richardson, Texas. He is an expert in Indoor and Outdoor wireless for the full line of Cisco Unified and Converged Access Wireless products, as well as TAC Engineering Engagement Engineer liaison to project engineering teams for new Cisco wireless products. Prior to his current role, Richard was a customer support engineer with the AAA Security TAC team supporting Cisco identity management solutions and has been with Cisco since 2009.
    Shankar Ramanathan is a Customer Support Engineer at the Cisco Technical Center. He is a Technical Content Engineer and Subject Matter Expert for Cisco Enterprise Unified and Converged Access wireless mobility solutions including Wireless LAN Controller 2500/5500/WISM2/7500/8500, Converged Access 5760/3650/3850 switches, Access Points Lightweight and Autonomous, VoWLAN (792x/9971), Cisco Prime Infrastructure SNMP management, Cisco Mobility Services Engine (MSE/CMX). Prior to joining Cisco in November 2011, he worked as a wireless network engineer at Elan Technologies, responsible for RF wireless network planning, simulation, propagation path analysis, and optimization of Wi-Fi 802.11 mesh and WiMax (802.16 d/e) networks for various system integration and automation projects. Shankar holds a master of science degree in electrical engineering specializing in communications and signal processing from the State University of New York, Buffalo. Shankar has a CCIE in Wireless (#40548), is CCNA certified (number 410004168640IMZF) and has over six years of industry experience.
    Find other events at https://supportforums.cisco.com/expert-corner/events.
    **Ratings Encourage Participation!**
    Please be sure to rate the Answers to Questions

    A common question we are asked is 'why is my device not achieving 11ac data rates?'
    One of the most common answers relates to client compatibility/capability. To get the highest possible data rates of 11ac (assuming proper distance and RF health), the AP and the client device must both be capable of supporting the requirements - 5 GHz, 80 MHz channel, short guard interval, 3 spatial streams. Each spatial stream has a max of 433.3 Mb/s (at 80 MHz, short GI).
    The majority of 11ac-capable wireless cards on the market do not support 3 spatial streams. Most adapters in wireless-capable devices are 1SS or 2SS. For example, the Intel 7260 11ac adapter used in many devices is a 2SS adapter - therefore its max possible data rate is 866.7. Another common adapter in use is the 11ac Broadcom 3SS that Apple uses in the newer MacBooks. These devices can achieve the 1.3 Gb/s PHY data rate.
    This guidance is the same for 11n adapters as well. To achieve max rate, your 11n AP and adapter must both support 40 MHz channels, 3SS, short GI.
    Note: The 11n and 11ac standards both define support for 4SS.  4SS-capable devices are rare, so 3SS is essentially our reality.
    One of the most useful references for questions related to this topic is the AP Data Sheet for each AP.  Here's the AP3700 for example:
    http://www.cisco.com/c/en/us/products/collateral/wireless/3700-series-access-point/data_sheet_c78-729421.html
    Table 1 lists the expected data rate per MCS Index value by #SS at each channel width and GI. Indexes 0-7 are the same for 11n and 11ac (11n limited to 40MHz channels of course).  And MCS 8 & 9 are 11ac-only 256-QAM modulations. 

  • Internet connect: Exporting 802.1x config to login window

    Hi,
    We are trying to set up our MacBooks to log in to our wireless network by authenticating against Active Directory. I've followed all the steps in the following article
    http://docs.info.apple.com/article.html?artnum=303471
    but as far as I can see internet connect is failing to export the 802.1x config to the login window as nothing is being added to the com.apple.loginwindow plist file and the login doesn't work.
    Has anyone managed to do this?
    Does anyone know the setting to manually add to the com.apple.loginwindow file to make it work?
    Thanks
    Louis
    Macbook/Imac   Mac OS X (10.4.10)  

    I am having the same problem at my university network. I believe it has something to do with this part of the article you quoted:
    "Once configured, when a network user enters their user name and password at the Mac OS X login window, the system attempts to connect to the 802.1X network with the same user name and password. This connection is necessary to authenticate the user to a network server."
    It's not perfectly clear, but it seems the username and password for the 802.1X connection must match the username and password at login. Lame, if you ask me.
    I'm also having a different problem on my network: My wife and I have separate accounts on our Mac, and every time we switch between users the 802.1X disconnects for some reason. Very annoying, but I guess it has something to do with a genuine user authentication - not a computer authentication, if that makes sense.

  • Can I use an airport express to extend a Cisco E4200 802.11n or 802.11g wireless network?

    Can I use an Airport Express to extend a Cisco E4200 802.11n or 802.11g wireless network? I'd like to improve access in a dead spot with an Airport Express. I know I can connect this way for AirPlay, but how about extending the signal?
    Thx! ACB

    Apple's "extend a wireless network" function appears to be a proprietary feature that works only with other Apple AirPort routers. As far as we know, this feature is not compatible with devices from other manufacturers.
    It would be extremely unlikely that the Express could do what you want, but some things are never known until  you try.

  • Problem with username & password in Cisco Aironet 802.11n

    HI all ,
    I will configure a new Cisco Aironet 802.11n dual-band wireless AP, but I'm blocked at the username and password. Can anyone please help me with how I can recover this login?

    Hi Hossam,
    The default username and password are "Cisco".
    Password Recovery Procedure:
    https://supportforums.cisco.com/docs/DOC-4532
    Regards
    Don't forget to rate helpful posts.

  • Cisco ISE: 802.1x [EAP-TLS] + List of Applicable Hot-Fixes

    Dear Folks,
    Kindly suggest the list of all possible Hot-Fixes required for the Cisco ISE EAP-TLS solution... We have applied 9 HotFixes so far. But, still the connectivity is intermittent. Is there any list for all applicable Hot-Fixes?
    OS = Win 7 SP1 (32/64 Bit) and Win 8
    Thanks,
    Regards,
    Mubasher Sultan

    Hi Mubasher
    KB2481614: If you're configuring your 802.1x settings via Group Policy you'll sometimes see EAP-PEAP requests from clients in your RADIUS server log during booting even if you've set EAP-TLS. This error happened in our case with 1/3 of the boots with some models. The error is caused by a timing problem during startup. Sometimes the 802.1x is faster and sometimes the Group Policy is, and if the 802.1x is faster then the default configuration is taken, which is PEAP, which leads to an EAP-NAK by the RADIUS server.
    KB980295: If an initial 802.1x authentication is passed, but a re-authentication fails, Windows 7 will ignore all later 802.1x requests. This hotfix should also fix a problem with computers waking up from sleep or hibernation, but we've disabled these features so I can't comment on them.
    KB976373: This hotfix is called "A computer that is connected to an IEEE 802.1x-authenticated network via another 802.1x enabled device does not connect to the correct network". I can't comment on this, as we've not deployed 802.1x for our VoIP phones at this point. I would guess it is the same for Windows 7 too. The linked article tells you to install the patch and set some registry key to lower the value.
    KB2769121: A short time ago I found this one: "802.1X authentication fails on a Windows 7-based or Windows 2008 R2-based computer that has multiple certificates". At the time of writing I'm not sure if it helps for something in my setup. According to the symptoms list of the hotfix, it does not, but maybe it helps for something else, as the one before does.
    KB2736878: Another error during booting; this time it happens if the read process starts before the network adapter is initialized. Really seems that they wanted to get faster boot times, no matter the costs.
    KB2494172: This hotfix fixes a problem if you've installed a valid and an invalid certificate for 802.1x authentication. The workaround is just deleting the invalid certificate. I'm not sure at this point if it also affects wired authentication.
    KB976210: This problem occurs only during automated build processes and if you use an EAP method which needs user interaction; as I don't do that I can't comment on this hotfix.
    For more information please go through this link:
    http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
    Best Regards:
    Muhammad Munir

  • WLC, Layer 2 Security -- 802.1x vs Auth Key mngt

    Hi,
    I'm quite confused about what's different between these two for dot1x. Please help clarify. I read through a lot of docs but it's still not clear to me. Why does 802.1x exist both on "Layer 2 Security" (pic 2) & "Auth Key Mngt" (pic 1)? How exactly do those work?
    Thank you in adv.
    Nipat.p

    Pic #1 is when using PEAP, EAP-TLS or EAP-Fast, pic # 2 is LEAP
    Sent from Cisco Technical Support iPhone App

  • Cisco Jabber Client - QoS Config

    Hi Guys,
    I'll be deploying the new Jabber client for a customer and I'm unsure of what QoS to configure on the switch ports for end users. Users will also have 7942 handsets, so if I configure auto qos voip cisco-phone, I doubt this will protect the voice/video for Jabber.
    Has anyone got any config or tips they can share?
    Cheers,
    James

    Hi,
    I believe you can use "auto qos voip cisco-softphone"
    Please see below QOS SRND.
    http://www.cisco.com/univercd/cc/td/doc/solution/esm/qossrnd.pdf
    Regards
    Ronak

  • Particular case of Key calculation in invoice

    Hi guys,
    I have a particular case in which I don't understand how the system calculates the WRX and EIN keys in the Invoice. I describe an example, simplifying the numbers:
    1) I have a PO with quantity ordered = 100 and order price 10: I entered several GRs for a total qty of 95 and so I have a GR value of 950
    2) NOW I change the PO price and I set it to 9 instead of 10
    3) I post two Invoices:
    - in the first I post 64 qty for an amount of 544 and so the price is 8,5
    - in the second I post 31 qty (so with the first I entered all 95 qty) for an amount of 31*8,5 = 263,5 because the system takes the price of the first invoice obviously
    In customizing the Purchase account EIN is parametrized 'At the receipt value'.
    Now: in the first invoice the key KBS is calculated as 8,5 * 64 = 544, in the second invoice KBS is calculated as 8,5 * 31 = 263,5 and it is OK
    My question is: how does the system calculate the keys WRX and EIN in these two invoices? I have read in this forum and also the OSS Notes 518368, 352419, 308008 but I would like your opinion.....
    Thanks in advance
    Best regards

    Hi,
    Create two formula variables, one for report input (formula variable 1)  and other for  premium received date(formula variable 2) . KF1 = ( Current premium period values ) , KF2 = KF1 -1 ( Previous premium period values ).
    Now,If var1 > var2 display KF1 else KF2.
    Write a formula, If (formula variable 1  > formula variable 2 )*KF1 + KF2.

  • Problem in cut off value key calculation

    Dear Experts,
    We have assigned a cut off key with 5% in our depreciation key with tick on " Scrap value deduction from base value".
    We have made a service entry sheet on 13/12/2014. On the same day we reversed that SES. But the system is taking the effect of the cut off value key on depreciation calculation in the case of the original service entry sheet only. The system is not taking the effect of the cut off value key on the reversal of the SES. Because of this there is a difference between the depreciation posted through the SES and the reversal of the SES. Ideally these (depreciation posted through the original SES and depreciation posted through the reversal of the SES) should be knocked off against each other.
    I don't understand whether this is standard behaviour of SAP or we are missing something. For better understanding I am attaching a screenshot of AW01N of the asset.
    Regards,
    Ankit K. Agarwal

    Hi Ankit,
    The system definitely considers the scrap value for the reversal also. I did a test and it is picking it up. Can you check the depreciation posted once again?
    Regards,
    Mukthar

  • NPS Discarding RADIUS request from Cisco switch (802.1x)

    Last few weeks I've been busy to get the following to work:
    - Cisco 2960 switch as the supplicant
    - Another Cisco 2960 as the authenticator switch
    - The supplicant is only able to send MS-EAP MS-ChapV2 requests
    - The NPS server is Windows 2008 R2 (and also tested on 2012 R2)
    This is called "NEAT" by Cisco; which does seem to work with Cisco ISE (http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html)
    but I'd like to get it to work with Windows NPS.
    Within NPS I've setup the following Connection Request policy:
    - NAS Port Type: Ethernet
    I'm using the following Network Policy:
    - User Group: DOMAIN\Switches (the useraccount used by the switch is part of this group)
    - NAS Port Type: Ethernet
    - Authentication Type: EAP
    Now the request sent by the switch is discarded. The actual error is the following (excluded irrelevant information):
    User:
    Account Name: Rotterdam-Switch-8-1
    Account Domain: DOMAIN
    Authentication Details:
    Connection Request Policy Name: Secure Wired Connections
    Network Policy Name: Switches Allowed
    Authentication Provider: Windows
    Authentication Server: SERVER.DOMAIN.local
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 1
    Reason: An internal error occurred. Check the system event log for additional information.
    Wireshark on the NPS server shows:
    1. The RADIUS Access-Request (1) being received by the NPS Server
    2. The NPS Server sending out a RADIUS Access-Challenge (11) to the authenticator switch
    3. Another RADIUS Access-Request (1) is being received by the NPS Server
    Packet 2 has an t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 1 (Challenge)
    Packet 3 has an t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 2 (Response)
    I've also tried the following:
    - I've also tested with an invalid username/password. The request is correctly denied
    - I've also tested by adding ALL EAP Types as a condition to the Network Policy. The request isn't picked up by this policy anymore.
    Any help would be greatly appreciated, of course.
    Kind regards,
    Peter

    It only took like.. uhm.. forever.. but there's an answer which is "OK ish..".
    Cisco 2960 switches support EAP-MSCHAP; but it seems that NPS only supports EAP-MSCHAP for VPN connections and not for wired/wireless authentication. Something to do with inner and outer methods and NPS requiring PEAP as an outer method for wired/wireless authentication.
    End result is that both the Cisco switches and NPS do support EAP-MD5. Though it's definitely not as secure (at all), it's definitely a step in the right direction and it's something that we'll be implementing.
    Now, it seems that NPS doesn't support EAP-MD5 (which is supposedly deprecated), but it's possible to re-enable it using the following articles.
    http://support.microsoft.com/kb/922574/en-us
    Microsoft mentioned to me that "Though this article says it applies to Windows Vista only, it does apply to Server 2008 R2 as well. Also I would suggest you the following link:
    http://support.microsoft.com/kb/981190"
    Please note that you'll have to enable 'Store password using reversible encryption' on the accounts that will be used for NEAT authentication.
    Although I would have hoped EAP-MSCHAPv2 would work, I feel I do need to clarify that I understand Microsoft's point of view on this as well. They feel EAP methods without PEAP are simply not safe; which is understandable, especially for EAP-MD5 which could be sniffed using a hub/repeater/etc.
    Kind regards,
    Peter

  • Cisco ISE: 802.1x Timers Best Practices / Re-authentication Timers [EAP-TLS]

    Dear Folks,
    Kindly suggest the best recommended values for the timers in 802.1x (EAP-TLS)... Should I keep all of them at default, or change all or some of them?
    Also, why do we need reauthentication timers? Any benefit to using them? Do they prompt users or are they invisible? And what are the best values, in case we need to use them?
    Thanks,
    Regards,
    Mubasher
    My Interface Configuration is as below;
    interface GigabitEthernet1/34
    switchport access vlan 131
    switchport mode access
    switchport voice vlan 195
    ip access-group ACL-DEFAULT in
    authentication event fail action authorize vlan 131
    authentication event server dead action authorize vlan 131
    authentication event server alive action reinitialize
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    snmp trap mac-notification change added
    dot1x pae authenticator
    dot1x timeout tx-period 5
    storm-control broadcast level 30.00
    spanning-tree portfast
    spanning-tree bpduguard enable

    Hello Mubashir,
    Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
    The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
    Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
    Configure the tx-period timer.
    C3750X(config-if-range)#dot1x timeout tx-period 10

  • Cisco ACS 4.1 Windows License Key Question

    How do I obtain the license key for my Cisco ACS Server for Windows software v4.1?

    For ACS for Windows, there is no license key. You need to purchase the ACS software.
    During installation, it does not ask for any key.
    Regards,
    ~JG
    Do rate helpful posts

  • Configuration Cisco switch 802.1x for ISE

    Hi dears,
    I configured EAP-FAST authentication on Cisco ISE from Cisco video material. Now I need a full 802.1X configuration guide or video link for the Cisco switch.
    Please provide this.
    Thanks.

    See this link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sw_cnfg.html

  • NAP- Settings required on Cisco switches- 802.1X

    Hi All,
    We have to provide access control for users using NAP and Cisco 2960s switches.
    The request is to have only domain users authenticate to the operations vlan, non domain users will be assigned to a guest network.
    What would be the configs on the switch to allow this config to work? What will force the switch port to assign to the operations vlan when authenticated to the domain?
    Thanks much

    Hi,
    I suppose you are using ACS 4.x version.
    You need to configure dot1x under the switchport. Use the default VLAN as the guest VLAN.
    You need to configure the ACS to allow access to domain users only (by forcing MACHINE authentication with PEAP for example).
    In the NAP, you need to match the NAP selection on the NAS-IP-Address of the switch so that this NAP is only selected if this switch sends the request.
    Now, inside the NAP you have to allow only PEAP-MSCHAPv2. (You already forced machine authentication with PEAP from under the external DB config as per the earlier step.)
    When auth works, from under the user/or group, send the attributes to assign a specific VLAN to the user.
    Otherwise, if the user auth is not successful it will be put in the default vlan which is the guest vlan.
    with ACS 5.x version, doing this is more flexible.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"
