Cisco switch/router authentication
hi! is there anyway that i can authenticate user login thru Microsoft AD/IAS to the cisco switch/router without using Cisco ACS or any paid solution? Thx
Hello,
IOS configuration:
Switch(config)#radius-server host 192.168.250.20 key cisco123
Switch(config)#aaa authentication login default group radius local
Switch(config)#aaa authorization exec default group radius local
IAS configuration:
1) Define the RADIUS client entry:
2) Define the IAS Policies:
Similar Messages
-
What's "SAVE" configuration command for Cisco switch/ router?
What's "SAVE" configuration command for Cisco switch / router? I know Switch#copy running-config startup-config works well,
but so long, any other command that easy to remenber?What's "SAVE" configuration command for Cisco switch / router? I know Switch#copy running-config startup-config works well, but so long,
any other command that easy to remenber?
yes, here: Switch#write,and want to know more about the Cisco switch, please visit:http://www.3anetwork.com/cisco-switches-price_c1 -
From where can i download cisco "CCT Routing & Switching" free ebook
plz tell me that from where can i download cisco "CCT Routing & Switching" free ebook.thanks
If you mean this book:
http://www.amazon.com/Routing-Switching-Secrets-Successful-Certified/dp/148615980X
If it not free. Looks like it may have been freely distributed at one time, but is not anymore.
Based on the Amazon reviews, the book is not very valuable.
You are better off using resources from http://learningnetwork.cisco.com. -
SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed
Hello,
i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
Cisco 1802 Router:
Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
after a bunch of time ( i realy could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made this changes here:
no aaa authentication list default
authentication certificate
ca trustpoint CA
as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to user the "authentication certificate" command and thats it.
as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
any ideas what the problem could be???
here is the configuration:
webvpn gateway WEBVPN_GW_OFFICE2
ip interface Dialer0 port 1444
ssl trustpoint CA
inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
webvpn context WEBVPN_CONTEXT2
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
policy group WEBVPN_POLICY2
functions svc-enabled
mask-urls
svc address-pool "SSLVPN_OFFICE1"
svc default-domain "domain.internal"
svc keep-client-installed
svc split include 192.168.0.0 255.255.0.0
svc dns-server primary 192.168.53.33
svc dns-server secondary 192.168.53.35
virtual-template 3
default-group-policy WEBVPN_POLICY2
gateway WEBVPN_GW_OFFICE2
authentication certificate
ca trustpoint CA
inservice
here is the debug:
OfficeRouter1# PASSING appctx is [0x89FAFFCC]
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
offset: 0, domain: 0)
Nov 19 22:39:53.607: WV: http request: / with no cookie
Nov 19 22:39:53.607: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:39:53.607: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:39:53.607: WV: Trustpoint match successful
Nov 19 22:39:53.607: WV: Extracted username: pass: ?
Nov 19 22:39:53.607: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
BueroRouter1# PASSING appctx is [0x89FAEEC4]
Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
offset: 0, domain: 0)
Nov 19 22:40:24.132: WV: http request: / with no cookie
Nov 19 22:40:24.132: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:40:24.132: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:24.132: WV: Trustpoint match successful
Nov 19 22:40:24.132: WV: Extracted username: pass: ?
Nov 19 22:40:24.132: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
offset: 0, domain: 0)
Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
Nov 19 22:40:39.892: WV: validated_tp : cert_username : matched_ctx :
Nov 19 22:40:39.892: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:39.892: WV: Trustpoint match successful
Nov 19 22:40:39.892: WV: Client side Chunk data written..
buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue eventhttp://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
HI,
Refer to
AnyConnect VPN Client FAQ
Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
A. No. It is not possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that runs version 8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3. -
Can Cisco switch WS-C3650- 24TS-S with ip based services do the ospf routing?
Can Cisco switch WS-C3650- 24TS-S with ip based services do the Ospf routing?
Is it necessary to have IP Services features?Yes, IP Base supports OSPF.
This is web page to check all features:
http://tools.cisco.com/ITDIT/CFN/jsp/SearchBySoftware.jsp -
Linksys router with cisco switch
Hello everyone,
Just wondering if i can connect a cisco switch to my linksys router. Any info will be helpful. Thanks.Well, you should be more specific what info you need.
Your question is answered with: yes, you connect a cisco switch to a linksys router. You can connect pretty much any ethernet switch or hub to a linksys router.
Beyond that I don't know what you want to know and thus cannot really give you more info. -
I am loosing configuration when I power off my Cisco 857 router
I bought new Cisco 857 router from the shop. Router must have been used before as I couln't go in with default username/password cisco/cisco.
Well I followed instruciton and reset password to username and password. Now I finally connected to the Cisco CP express over my IE browser.
I found out that somebody was using a router from the shop so this is why I coun't log to it in the first place. Anyway problem is that when I changed configuration and applied settings it remembers it until I power it off. When I power it on again it remembers all settings from that shop.
It reverts everything back: IP address, previous level 15 account and password - everything like after password reset.
I tried it again and it again lost settings. So I found following instruction:
http://www.cisco.com/en/US/products/hw/routers/ps233/products_tech_note09186a00800a65a5.shtml
I followed it and changed again all settings on the router. My settings are again lost after power off/on. I noticed that when I do first bit it does show
0x2102 not 0x2142 like they think that is password reset mode.
Here is my output from Hyper Terminal:
=============================
Cisco#enableCisco#show startUsing 3359 out of 131072 bytes!version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Cisco!boot-start-markerboot-end-marker!logging buffered 51200 warningsenable secret 5 $1$hpKF$Rc1tl6r45J8iHG7EN5jSk.!no aaa new-model!crypto pki trustpoint TP-self-signed-3185909327 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3185909327 revocation-check none rsakeypair TP-self-signed-3185909327!!crypto pki certificate chain TP-self-signed-3185909327 certificate self-signed 01 nvram:IOS-Self-Sig#5.cerdot11 syslogno ip dhcp use vrf connectedip dhcp excluded-address 10.10.10.1!ip dhcp pool ccp-pool import all network 10.10.10.0 255.255.255.248 default-router 10.10.10.1 lease 0 2!!ip cefno ip domain lookupip domain name molinary.com!!!username admin privilege 15 secret 5 $1$jD3j$r6ROikgGsIlcMTGjkxFQ6.username username privilege 15 password 0 password!!archive log config hidekeys!!!!!interface ATM0 no ip address shutdown no atm ilmi-keepalive dsl operating-mode auto!interface ATM0.1 point-to-point description $ES_WAN$ ip nat outside ip virtual-reassembly pvc 0/38 encapsulation aal5mux ppp dialer dialer pool-member 1 !!interface FastEthernet0!interface FastEthernet1!interface FastEthernet2!interface FastEthernet3!interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$ ip address 10.10.10.1 255.255.255.248 ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452!interface Dialer0 ip address dhcp encapsulation ppp dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap pap callin ppp chap hostname [email protected] ppp chap password 0 netgear01 ppp pap sent-username [email protected] password 0 netgear01!ip forward-protocol nd!ip http serverip http access-class 23ip http authentication localip http secure-serverip http timeout-policy idle 60 life 86400 requests 10000ip nat inside source list 1 interface ATM0.1 overload!access-list 1 remark INSIDE_IF=Vlan1access-list 1 remark CCP_ACL Category=2access-list 1 permit 10.10.10.0 0.0.0.7dialer-list 1 protocol ip permitno cdp run!control-plane!banner exec ^C% Password expiration warning.-----------------------------------------------------------------------Cisco Configuration Professional (Cisco CP) is installed on this deviceand it provides the default username "cisco" for one-time use. If you havealready used the username "cisco" to login to the router and your IOS imagesupports the "one-time" user option, then this username has already expired.You will not be able to login to the router with this username after you exitthis session.It is strongly suggested that you create a new username with a privilege levelof 15 using the following command.username <myuser> privilege 15 secret 0 <mypassword>Replace <myuser> and <mypassword> with the username and password youwant to use.-----------------------------------------------------------------------^Cbanner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C!line con 0 login local no modem enableline aux 0line vty 0 4 privilege level 15 login local transport input telnet ssh!scheduler max-task-time 5000endCisco#Cisco#Cisco#Cisco#Cisco#Cisco#Cisco#Cisco#Cisco#show versionCisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2010 by Cisco Systems, Inc.Compiled Fri 22-Jan-10 14:46 by prod_rel_teamROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARECisco uptime is 20 minutesSystem returned to ROM by power-onSystem image file is "flash:c850-advsecurityk9-mz.124-15.T12.bin"This product contains cryptographic features and is subject to UnitedStates and local country laws governing import, export, transfer anduse. Delivery of Cisco cryptographic products does not implythird-party authority to import, export, distribute or use encryption.Importers, exporters, distributors and users are responsible forcompliance with U.S. and local country laws. By using this product youagree to comply with applicable laws and regulations. If you are unableto comply with U.S. and local laws, return this product immediately.A summary of U.S. laws governing Cisco cryptographic products may be found at:http://www.cisco.com/wwl/export/crypto/tool/stqrg.htmlIf you require further assistance please contact us by sending email [email protected] 857 (MPC8272) processor (revision 0x400) with 59392K/6144K bytes of memory.Processor board ID FCZ140792J5MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x104 FastEthernet interfaces1 ATM interface128K bytes of non-volatile configuration memory.20480K bytes of processor board System flash (Intel Strataflash)Configuration register is 0x2102Cisco#Cisco#Cisco#Cisco#endTranslating "end"% Unknown command or computer name, or unable to find computer addressCisco#reloadProceed with reload? [confirm]*Mar 1 01:19:27.786: %SYS-5-RELOAD: Reload requested by username on console. Reload Reason: Reload Command.System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARETechnical Support: http://www.cisco.com/techsupportCopyright (c) 2006 by cisco Systems, Inc.C850 series (Board ID: 2-149) platform with 65536 Kbytes of main memoryBooting flash:/c850-advsecurityk9-mz.124-15.T12.binSelf decompressing the image : ############################################## [OK] Restricted Rights LegendUse, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013. cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2010 by Cisco Systems, Inc.Compiled Fri 22-Jan-10 14:46 by prod_rel_teamImage text-base: 0x8002007C, data-base: 0x814E7240This product contains cryptographic features and is subject to UnitedStates and local country laws governing import, export, transfer anduse. Delivery of Cisco cryptographic products does not implythird-party authority to import, export, distribute or use encryption.Importers, exporters, distributors and users are responsible forcompliance with U.S. and local country laws. By using this product youagree to comply with applicable laws and regulations. If you are unableto comply with U.S. and local laws, return this product immediately.A summary of U.S. laws governing Cisco cryptographic products may be found at:http://www.cisco.com/wwl/export/crypto/tool/stqrg.htmlIf you require further assistance please contact us by sending email [email protected] 857 (MPC8272) processor (revision 0x400) with 59392K/6144K bytes of memory.Processor board ID FCZ140792J5MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x104 FastEthernet interfaces1 ATM interface128K bytes of non-volatile configuration memory.20480K bytes of processor board System flash (Intel Strataflash)no ip dhcp use vrf connected ^% Invalid input detected at '^' marker.SETUP: new interface NVI0 placed in "shutdown" statePress RETURN to get started!*Mar 1 00:00:03.952: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized*Mar 1 00:00:03.960: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Enabled*Mar 1 00:00:07.244: %LINK-3-UPDOWN: Interface FastEthernet0, changed state toup*Mar 1 00:00:08.413: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up*Mar 1 00:00:08.821: %SYS-5-CONFIG_I: Configured from memory by console*Mar 1 01:19:27.072: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up*Mar 1 01:19:27.352: %SYS-5-RESTART: System restarted --Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2010 by Cisco Systems, Inc.Compiled Fri 22-Jan-10 14:46 by prod_rel_team*Mar 1 01:19:27.352: %SNMP-5-COLDSTART: SNMP agent on host Cisco is undergoinga cold start*Mar 1 01:19:27.436: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF*Mar 1 01:19:27.436: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF*Mar 1 01:19:27.540: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to down*Mar 1 01:19:28.072: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up*Mar 1 01:19:28.484: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up*Mar 1 01:19:28.484: %LINK-5-CHANGED: Interface ATM0, changed state to administratively down*Mar 1 01:19:28.848: %LINK-5-CHANGED: Interface NVI0, changed state to administratively down*Mar 1 01:19:28.932: %LINK-3-UPDOWN: Interface FastEthernet3, changed state toup*Mar 1 01:19:28.936: %LINK-3-UPDOWN: Interface FastEthernet2, changed state toup*Mar 1 01:19:28.940: %LINK-3-UPDOWN: Interface FastEthernet1, changed state toup*Mar 1 01:19:29.484: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down*Mar 1 01:19:29.932: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down*Mar 1 01:19:29.936: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down*Mar 1 01:19:29.940: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down*Mar 1 01:19:29.948: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to upAuthorized access only!===========================================
Please help me as I am stuck and can't go any further....Hi David White,
Alternatively, after password recovery you can modify the configuration to be what you want, and then issue:
write memory
to save the configuration. You can then verify that your changes have been saved to the startup config by issuing:
show startup-config"
The only good thing is that when I switch off a router it erase configuration except my new password which I created after password reset. Everything else is getting vanished (ADSL settings, DHCP, routing ) everything. Even new admin accounts I created.
Well have a question to your above comments. I am new in Cisco so please put as much detail as you can for me to understand. When you say modify configuration do you mean to go to Cisco CP Express graphical interface and then connect router to hyper terminal and execute above commands?
Why router doesn't remember this anyway. There must be some option to change in configuration to make thing permanent when I hit apply changes in Cisco CO Express otherwise it is pointless to heve it.
Phillip
write memory
is
copy running-config startup-config"
Can't this be done via Cisco CP Express or set up router to copy this every time I change this in graphical interface rather going to command line to achnoledge it?
I understand your concern about this router and somebodie's configuration details as you want things to be un-used when you buy them - true. ADSL details belongs to the shop which sold me the router so that is why I don't make a big problem about this. We take most of hardware from this shop and have discount and many good deals with them so I think they have been just testing it and forgot to erease their config. It might be that someone has returned router to the shop and they have repaired it and tested it.
I hope this is a normal behaviour of this router as I have option to replace it in case this is a fault.
Could you please write me step by step guide how can I make changed options stay permanently on router?
thank you
Dragan -
Problem with Cisco 861W router and outgoing VPN
We have a Cisco 861W router that is blocking an outgoing PPTP on the internal access point only. The outgoing VPN works when the traffic is through a wired connection or the connection is on another access point. We fail to make a connection only when connection to the 861W's internal Access Point.
Here is the Access Point Configuration:
Current configuration : 2100 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname obap
enable secret 5 $1$.1RF$go1D7WITXUn3s8TUaw3tC.
no aaa new-model
dot11 syslog
dot11 ssid OLIVER
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 XXXXXXXXXXX
username XXXXXX privilege 15 secret 5 $1$Wc0K$OzcQDDQfjHP6La31eXMoG/
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
ssid OLIVER
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecti
ng AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.0.2 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
banner login ^CC
% Password change notice.
Default username/password setup on AP is cisco/cisco with priv¾ilege level 15.
It is strongly suggested that you create a new username with privilege level
15 using the following command for console security.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use. After you change your username/password you can turn off this message
by configuring "no banner login" and "no banner exec" in privileged mode.
^C
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
cns dhcp
end
obap#
Here is the Router's Configuration:
Current configuration : 5908 bytes
! No configuration change since last restart
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname obrouter
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 $1$i9XE$DjxFVAEC9nC4/r6EQKCd6/
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-1856757619
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1856757619
revocation-check none
rsakeypair TP-self-signed-1856757619
crypto pki certificate chain TP-self-signed-1856757619
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383536 37353736 3139301E 170D3036 30313032 31323030
34345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38353637
35373631 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1A4 FB786547 3D582260 03DB768D 116BDE9A 309FBA04 B53F77B0 BFE32344
7C3439B3 97192B36 760A9411 1D5C7549 8D86F532 ABA44F53 0D08B7F4 A9A747D5
071330C3 65BF25A8 927F3596 29BB5A80 90C8D169 22268476 3B8DDE1E FDB7170D
B4820D03 5580A849 A92C7E76 9AC10867 505A2FEE 64360741 7F9DBDBF 3D79982C
F81D0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 156F6272 6F757465 722E6272 75736868 6F672E63 6F6D301F
0603551D 23041830 168014D8 5BC2FFB2 967A4C7B 11B44122 5C8D31F7 749B9230
1D060355 1D0E0416 0414D85B C2FFB296 7A4C7B11 B441225C 8D31F774 9B92300D
06092A86 4886F70D 01010405 00038181 005901F1 C239074B B8213567 CF7B65BF
DAFE4557 69B2A3B1 5F2593C7 A54B9598 23FD5E7A 563AA6E0 AFB25801 FA0061E8
F9545372 DB600B3A BE68AE65 1EDA593E 6A0C96B8 5A4136AF 393F9AAC 651E1C36
B8B7C6C0 47936C24 D2ECE9A5 9446EE32 FC7461FA AD8CF1CE A7FBF341 07E9C3C6
505AB88D 0E7FCAFC 5792298A E5E4D1FE CC
quit
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp pool ccp-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 216.49.160.10 216.49.160.66
default-router 192.168.0.1
ip cef
no ip bootp server
ip domain name brushhog.com
ip name-server 216.49.160.10
ip name-server 216.49.160.66
license udi pid CISCO861W-GN-A-K9 sn FTX155281FY
username tech38 privilege 15 secret 5 $1$d/4Z$n/23EsXbzfHF5XfJ8Nv.y0
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
pppoe-client dial-pool-number 1
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXXXX password 7 XXXXXXXXXXX
no cdp enable
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.25 80 interface Dialer0 80
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Any help would be appreciatedHello,
i have the same problem with router CISCO861W-GN-E-K9. Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
Can someone help?
Thank you.
Here is my config for internal AP and router. -
Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
Using 2297 out of 29688 bytes
! Last configuration change at 17:20:27 PDT Tue May 20 2008
! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname Tester
logging buffered 10000 debugging
aaa new-model
aaa group server radius RadiusServers
server 172.26.0.2 auth-port 1812 acct-port 1813
aaa authentication login default group RadiusServers local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6
enable secret xxx
username test password xxx
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
no ip domain-lookup
no ip bootp server
interface Loopback0
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/0
description To Main Network
ip address X.X.X.X 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
full-duplex
no cdp enable
interface Ethernet0/1
description To Internal Network
ip address 172.26.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
load-interval 30
full-duplex
no cdp enable
ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
ip nat inside source list 3 pool test overload
ip nat inside destination list 3 pool test
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
no ip http server
ip radius source-interface Ethernet0/1
access-list 3 permit 172.26.0.0 0.0.0.255
no cdp run
snmp-server community public RO 15
radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
radius-server retransmit 3
radius-server key secret
line con 0
password xxx
logging synchronous
line aux 0
line vty 0 4
access-class 10 in
password 7 1234567890
logging synchronous
ntp clock-period 17208108
ntp server 192.43.244.18
end
My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server.
Thank you for any assistance you may be able to provide.I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
The command I shared:
aaa authentication enable default group radius local
... was erroneous. The keyword should have been "enable", as you have discovered.
Therefore use:
aaa authentication enable default group radius enable
When I view a Wireshark trace I see the following:
AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
Like you, I see the user password appended with the group of \000 grouping's.
Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I miss-spoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
However, there are other mainstream authentication methods that I think you should investigate as well.
You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
I think you should:
1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
2. Investigate whether PPPoE support exists on your router's interfaces.
3. Read up on 802.x and Authentication Proxy (docs on Cisco web site).
4. Decide which methods appeals to you.
5. Dive in.
I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
Good luck. -
Cisco 1941 Router-on-a-Stick w/ 11VLANs trunked to a Cisco 2960: From the Switch I can Ping a device in another VLAN, that device cannot ping back. Some devices can ping devices in other VLANs and the device in the other VLAN can successfully return the Ping. Have a look at the attached diagram.
Router Config:
show run
Building configuration...
Current configuration : 7224 bytes
! Last configuration change at 09:05:48 EDT Wed Aug 6 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname ROUTER
boot-start-marker
boot-end-marker
no aaa new-model
clock timezone EDT -8 0
ip cef
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO1941/K9
object-group network Net_Obj_Group1
description This network group allows all 10.0.0.0 and Email Forwarder server through to the Plt PCs
205.191.0.0 255.255.0.0
10.0.0.0 255.0.0.0
object-group network Net_Obj_Group2
description This Network Group includes the Host IPs allowed through the Plant Router
host 10.194.28.23
host 10.194.28.25
host 10.194.28.26
host 10.194.28.27
host 10.194.28.28
host 10.194.28.29
host 10.194.28.37
host 10.194.28.39
host 10.194.28.40
host 10.194.28.70
host 10.194.28.130
host 10.194.28.131
host 10.194.28.132
host 10.194.28.133
host 10.194.28.134
host 10.194.28.135
host 10.194.28.136
host 10.194.28.137
host 10.194.28.138
host 10.194.28.139
host 10.194.28.140
host 10.194.28.141
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Port Ge0/0 to IT Enterprise network Switch GE1/0/38
ip address 10.194.28.111 255.255.255.0
ip access-group 105 in
ip access-group 106 out
ip nat outside
ip virtual-reassembly in
shutdown
duplex full
speed auto
no mop enabled
interface GigabitEthernet0/1
description Port to Plant PCN-K/L24 Sw1 Port 0/24
no ip address
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1.102
description Port to VLAN 102
encapsulation dot1Q 102
ip address 192.168.102.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.104
description Port to VLAN 104
encapsulation dot1Q 104
ip address 192.168.104.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.105
description Port to VLAN 105
encapsulation dot1Q 105
ip address 192.168.105.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.106
description Port to VLAN 106
encapsulation dot1Q 106
ip address 192.168.106.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.107
description Port to VLAN 107
encapsulation dot1Q 107
ip address 192.168.107.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.111
description Port to VLAN 111
encapsulation dot1Q 111
ip address 192.168.111.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.117
description Port to VLAN 117
encapsulation dot1Q 117
ip address 192.168.117.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.121
description Port to VLAN 121
encapsulation dot1Q 121
ip address 192.168.121.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.125
description Port to VLAN 125
encapsulation dot1Q 125
ip address 192.168.125.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.150
description Port to to VLAN 150
encapsulation dot1Q 150
ip address 192.168.150.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.999
description Port to VLAN 999
encapsulation dot1Q 999
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
no ip http secure-server
ip nat inside source static 192.168.102.201 10.194.28.23
ip nat inside source static 192.168.121.201 10.194.28.25
ip nat inside source static 192.168.106.251 10.194.28.26
ip nat inside source static 192.168.107.245 10.194.28.27
ip nat inside source static 192.168.102.251 10.194.28.28
ip nat inside source static 192.168.150.201 10.194.28.29
ip nat inside source static 192.168.107.179 10.194.28.37
ip nat inside source static 192.168.111.201 10.194.28.39
ip nat inside source static 192.168.105.201 10.194.28.40
ip nat inside source static 192.168.106.21 10.194.28.70
ip nat inside source static 192.168.107.146 10.194.28.130
ip nat inside source static 192.168.107.156 10.194.28.131
ip nat inside source static 192.168.107.161 10.194.28.132
ip nat inside source static 192.168.107.181 10.194.28.133
ip nat inside source static 192.168.107.191 10.194.28.134
ip nat inside source static 192.168.106.202 10.194.28.135
ip nat inside source static 192.168.106.212 10.194.28.136
ip nat inside source static 192.168.117.190 10.194.28.137
ip nat inside source static 192.168.117.100 10.194.28.138
ip nat inside source static 192.168.106.242 10.194.28.139
ip nat inside source static 192.168.125.100 10.194.28.140
ip nat inside source static 192.168.125.99 10.194.28.141
ip nat outside source static 10.194.28.23 10.194.28.23
ip nat outside source static 10.194.28.25 10.194.28.25
ip nat outside source static 10.194.28.26 10.194.28.26
ip nat outside source static 10.194.28.27 10.194.28.27
ip nat outside source static 10.194.28.28 10.194.28.28
ip nat outside source static 10.194.28.29 10.194.28.29
ip nat outside source static 10.194.28.37 10.194.28.37
ip nat outside source static 10.194.28.39 10.194.28.39
ip nat outside source static 10.194.28.40 10.194.28.40
ip nat outside source static 10.194.28.70 10.194.28.70
ip nat outside source static 10.194.28.130 10.194.28.130
ip nat outside source static 10.194.28.131 10.194.28.131
ip nat outside source static 10.194.28.132 10.194.28.132
ip nat outside source static 10.194.28.133 10.194.28.133
ip nat outside source static 10.194.28.134 10.194.28.134
ip nat outside source static 10.194.28.135 10.194.28.135
ip nat outside source static 10.194.28.136 10.194.28.136
ip nat outside source static 10.194.28.137 10.194.28.137
ip nat outside source static 10.194.28.138 10.194.28.138
ip nat outside source static 10.194.28.139 10.194.28.139
ip nat outside source static 10.194.28.140 10.194.28.140
ip nat outside source static 10.194.28.141 10.194.28.141
ip route 0.0.0.0 0.0.0.0 10.194.28.1
access-list 105 permit ip object-group Net_Obj_Group1 object-group Net_Obj_Group2
access-list 106 permit ip object-group Net_Obj_Group2 object-group Net_Obj_Group1
dialer-list 1 protocol ip permit
control-plane
banner login ^CC
Login banner for Plant Router #01^C
banner motd ^CC
MOTD Banner for Plant Router^C
line con 0
password XXXXXXXXX
logging synchronous
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password XXXXXXXXX
logging synchronous
login
transport input all
scheduler allocate 20000 1000
ntp server 10.199.100.92
end
Switch Config:
sh ru
Building configuration...
Current configuration : 6513 bytes
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname K24Sw01
boot-start-marker
boot-end-marker
no aaa new-model
clock timezone EDT -5
clock summer-time EDT recurring
udld aggressive
crypto pki trustpoint TP-self-signed-593746944
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-593746944
revocation-check none
rsakeypair TP-self-signed-593746944
4B58BCE9 44
quit
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0
no ip address
interface GigabitEthernet0/1
description Trunk port for vlans 105, 111, 125 and 999 from K24Sw01 port Ge0/1 to P22Sw01 port Ge0/24
switchport trunk allowed vlan 105,111,125,999
switchport mode trunk
interface GigabitEthernet0/2
description Trunk port for vlans 150 and 999 from K24Sw01 port Ge0/2 to N25Sw01 port Ge0/26
switchport trunk allowed vlan 150,999
switchport mode trunk
interface GigabitEthernet0/3
description Trunk port for vlans 102, 104, 106, 107, 117 and 999 from K24Sw01 port Ge0/3 to K28Sw01 port Ge0/26
switchport trunk allowed vlan 102,104,106,107,117,999
switchport mode trunk
interface GigabitEthernet0/4
description Trunk port for vlans 102, 106, 107 and 999 from K24Sw01 port Ge0/4 to H23Sw01 port Ge0/26
switchport trunk allowed vlan 102,106,107,999
switchport mode trunk
interface GigabitEthernet0/5
description Trunk port for vlans 121, 125 and 999 from K24Sw01 port Ge0/5 to M21Sw01 port Ge0/24
switchport trunk allowed vlan 121,125,999
switchport mode trunk
interface GigabitEthernet0/6
description OPEN
spanning-tree portfast
interface GigabitEthernet0/7
description OPEN
spanning-tree portfast
interface GigabitEthernet0/8
description OPEN
spanning-tree portfast
interface GigabitEthernet0/9
description OPEN
spanning-tree portfast
interface GigabitEthernet0/10
description VLan 102 access port
switchport access vlan 102
spanning-tree portfast
interface GigabitEthernet0/11
description - VLan 104 access port
switchport access vlan 104
spanning-tree portfast
interface GigabitEthernet0/12
description - VLan 105 access port
switchport access vlan 105
spanning-tree portfast
interface GigabitEthernet0/13
description - VLan 106 access port
switchport access vlan 106
spanning-tree portfast
interface GigabitEthernet0/14
description - VLan 107 access port
switchport access vlan 107
spanning-tree portfast
interface GigabitEthernet0/15
description - VLan 111 access port
switchport access vlan 111
spanning-tree portfast
interface GigabitEthernet0/16
description - VLan 117 access port
switchport access vlan 117
spanning-tree portfast
interface GigabitEthernet0/17
description - VLan 121 access port
switchport access vlan 121
spanning-tree portfast
interface GigabitEthernet0/18
description - VLan 125 access port
switchport access vlan 125
spanning-tree portfast
interface GigabitEthernet0/19
description - VLan 150 access port
switchport access vlan 150
spanning-tree portfast
interface GigabitEthernet0/20
description - VLan 999 access port
switchport access vlan 999
spanning-tree portfast
interface GigabitEthernet0/21
description OPEN
spanning-tree portfast
interface GigabitEthernet0/22
description OPEN
spanning-tree portfast
interface GigabitEthernet0/23
description OPEN
spanning-tree portfast
interface GigabitEthernet0/24
description From ROUTER Gw ge0/1
switchport trunk allowed vlan 102,104-107,111,117,121,125,150,999
switchport mode trunk
interface GigabitEthernet0/25
interface GigabitEthernet0/26
interface Vlan1
no ip address
no ip route-cache
shutdown
interface Vlan102
ip address 192.168.102.253 255.255.255.0
interface Vlan104
no ip address
no ip route-cache
interface Vlan105
no ip address
no ip route-cache
interface Vlan106
no ip address
no ip route-cache
interface Vlan107
no ip address
no ip route-cache
interface Vlan111
no ip address
no ip route-cache
interface Vlan117
no ip address
no ip route-cache
interface Vlan121
no ip address
no ip route-cache
interface Vlan125
no ip address
no ip route-cache
interface Vlan150
no ip address
no ip route-cache
interface Vlan999
no ip address
no ip route-cache
ip default-gateway 192.168.102.1
ip http server
ip http secure-server
snmp-server engineID local 00000009020000019634C2C0
snmp-server community public RO
snmp-server location
snmp-server contact
banner motd ^CCC ADMIN USE ONLY! ^C
line con 0
session-timeout 10
password xxxxxx
logging synchronous
login
stopbits 1
line vty 0 4
session-timeout 10
password xxxxxxx
login
line vty 5 15
session-timeout 10
password xxxxxxxx
login
ntp server 10.199.100.92
end
K24Sw01#HI Mark,
Here is the my config:
Create sub-interfaces, set 802.1Q trunking protocol and ip address on each sub-interface
Router(config)#interface f0/0
Router(config-if)#no shutdown
(Note: The main interface f0/0 doesn’t need an IP address but it must be turned on)
Router(config)#interface f0/0.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.10.1 255.255.255.0
Router(config-subif)#interface f0/0.20
Router(config-subif)#encapsulation dot11 20
Router(config-subif)#ip address 192.168.20.1 255.255.255.0
(Note: In the “encapsulation dot1q 10″ command, 10 is the VLAN ID this interface operates in)
Configure VLAN
Switch(config)#vlan 10
Switch(config-vlan)#name SALES
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name TECH
Set ports to access mode & assign ports to VLAN
Switch(config)#interface range fa0/1
Switch(config-if)#no shutdown
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 15
Switch(config-if)#interface range fa0/3
Switch(config-if)#no shutdown
Switch(config-if)#switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)#interface range fa0/5
Switch(config-if)#no shutdown
Switch(config-if)#switchport mode trunk
1. Please check all your port are up.
2. Check the config once again.
3. Make sure the swicth and router connection port configured as trunk and it should be up.
This config is working for me,
Regards
Dont forget to rate helpful posts. -
Configuration Issue with my Cisco 871 Router
Hi all,
I am a newbie to the Cisco IOS.
I got a Cisco 871 Router that I'd like to use for internet connection. My LAN network is 192.168.1.0/24 and the ISP has assigned us the IP 41.212.79.108/24 and gateway 41.212.79.1.
With my current configuration, I can hit the router - 192.168.1.1 - and it's WAN port - 41.212.79.108 - but not the gateway.
Below is my current config:
Hoggers#show config
Using 4414 out of 131072 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Hoggers
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 5 **********************.
no aaa new-model
crypto pki trustpoint TP-self-signed-568493463
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-568493463
revocation-check none
rsakeypair TP-self-signed-568493463
crypto pki certificate chain TP-self-signed-568493463
certificate self-signed 01 nvram:IOS-Self-Sig#7.cer
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.1.9
ip dhcp excluded-address 192.168.1.10
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.90
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
ip dhcp pool LANPOOL
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 41.212.3.2 41.212.3.253
ip domain name yourdomain.com
ip name-server 41.212.3.2
ip name-server 41.212.3.253
archive
log config
hidekeys
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description Wan to Outside World
ip address 41.212.79.108 255.255.255.0
duplex auto
speed auto
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip tcp adjust-mss 1452
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 41.212.79.1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 192.168.1.31 80 interface FastEthernet4 80
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
control-plane
scheduler max-task-time 5000
end
I'll appreciate any light you can shed on what am missing.2 wireless routers can not communicate wirelessly with each other.
You need to connect cable between 2 routers and use the second wireless router as access point.
Follow this link to connect Linksys router to another router.
Some of your devices are getting same IP address. This might be the issue with DHCP server of the router. You can try DHCP reservation on the router so that each device will get unique IP address. -
Switch/Router can only use PAP to communicate with IAS
I was securing my switches to allow users to login using radius and notice that I have to set the IAS server to PAP for the Cisco equipment to authenticate. Is there an alternative to this since PAP is clear text.
[ PC ]__SSH__[Switch]___PAP___[ IAS ]When using SSH to the switch for switch based authentication you need to
enable PAP on the Radius policy.
Telnet/SSH work on PAP only.
Regards,
~JG
Do rate helpful posts -
Transfer of VLANs through Cisco SOHO router 78 G.SHDSL
Hi,
I have one switch with more VLANs. I need to transfer these Vlans to secondary site through routers Cisco SOHO router 78 G.SHDSL. This situatioin is in attachment.
I'm not sure if this is possible, because this router has only common ethernet ports.
Probably I would need trunk ports on this router.
Could you please help me to specify, which device could replace Cisco SOHO router 78?
Thank you.
Best regards,
VladislavMy guess is that either ifIndex.2 or .3 corresponds to your SHDSL interface. You should walk ifDescr to confirm.
-
NPS Discarding RADIUS request from Cisco switch (802.1x)
Last few weeks I've been busy to get the following to work:
- Cisco 2960 switch as the suppliant
- Another Cisco 2960 as the authenticator switch
- The supplicant is only able to send MS-EAP MS-ChapV2 requests
- The NPS server is Windows 2008 R2 (and also tested on 2012 R2)
This is called "NEAT" by Cisco; which does seem to work with Cisco ISE (http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html)
but I'd like to get it to work with Windows NPS.
Within NPS I've setup the following Connection Request policy:
- NAS Port Type: Ethernet
I'm using the following Network Policy:
- User Group: DOMAIN\Switches (the useraccount used by the switch is part of this group)
- NAS Port Type: Ethernet
- Autehntcation Type: EAP
Now the request sent by the switch is discarded. The actual error is the following (excluded irrelevant information):
User:
Account Name: Rotterdam-Switch-8-1
Account Domain: DOMAIN
Authentication Details:
Connection Request Policy Name: Secure Wired Connections
Network Policy Name: Switches Allowed
Authentication Provider: Windows
Authentication Server: SERVER.DOMAIN.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
Wireshark on the NPS server shows:
1. The RADIUS Access-Request (1) being received by the NPS Server
2. The NPS Server sending out a RADIUS Access-Challenge (11) to the authenticator switch
3. Another RADIUS Access-Request (1) is beging received by the NPS Server
Packet 2 has an t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 1 (Challange)
Packet 3 has an t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 2 (Response)
I've also tried the following:
- I've also tested with an invalid username/password. The request is correctly denied
- I've also tested by added ALL EAP Types as condition to the Network Policy. The request isn't pickup by this policy anymore.
Any help would be greatly appriciated ofcourse.
Kind regards,
PeterIt only took like.. uhm.. forever.. but there's an answer which is "OK ish..".
Cisco 2960 switches support EAP-MSCHAP; but it seems that NPS only supports EAP-MSCHAP for VPN Connections and not for Wired/Wirelss authentication. Something to do with inner and outer methods and NPS requireing PEAP as an outer method for Wired/Wirelss
authentication.
End result is that both the Cisco switches and NPS do support EAP-MD5. Though it's definitly not as secure (at all), it's definitly a step in the right direction and it's something that we'll be implementing.
Now it seems that NPS doesn't support EAP-MD5 (which is supposidly depricated), it's possible to re-enable it. Using the following articles.
http://support.microsoft.com/kb/922574/en-us
Microsft mentioned me that "Though this article says it applies to Windows Vista only, it does apply to Server 2008R2 as well. Also I would suggest you the following link:
http://support.microsoft.com/kb/981190"
Please note that you'll have to enable 'Store password using reversible encryption’ on the accounts that will be used for NEAT authentication.
All though I would have hoped EAP-MSCHAPv2 would work, I feel I do need to clarify that I understand Microsoft's point of view on this as well. They feel EAP methods without PEAP are simply not safe; which is understandable, espcially for EAP-MD5 which
could be sniffer using a hub/repeater/etc.
Kind regards,
Peter -
DACL does not get downloaded to Cisco Switch from ISE
Hello,
I have a cisco switch with ios: c3550-ipbasek9-mz.122-44.SE6.bin
I am trying to push dACL fro my ISE device into the switch, but it is not getting applied to switch. dynamic vlan assignment workds fine, but dACL doesnot apply
Any instruction plz?Hi Jatin,
ISE is properly configured for dACL, i think there is some compatibility issue on cisco switch ios.
following is the debug output>>
06:36:43: dot1x-packet:Received an EAP packet on interface FastEthernet0/11
06:36:43: EAPOL pak dump rx
06:36:43: EAPOL Version: 0x1 type: 0x0 length: 0x0006
06:36:43: dot1x-packet:Received an EAP packet on the FastEthernet0/11 from mac 0019.b981.e812
06:36:43: dot1x-sm:Posting EAPOL_EAP on Client=1D68028
06:36:43: dot1x_auth_bend Fa0/11: during state auth_bend_request, got event 6(eapolEap)
06:36:43: @@@ dot1x_auth_bend Fa0/11: auth_bend_request -> auth_bend_response
06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_enter called
06:36:43: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0019.b981.e812
06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_response_action called
06:36:43: RADIUS/ENCODE(00000049):Orig. component type = DOT1X
06:36:43: RADIUS(00000049): Config NAS IP: 192.168.2.250
06:36:43: RADIUS/ENCODE(00000049): acct_session_id: 73
06:36:43: RADIUS(00000049): sending
06:36:43: RADIUS(00000049): Send Access-Request to 192.168.2.231:1812 id 1645/99, len 267
06:36:43: RADIUS: authenticator 5B 61 1D 64 D3 D5 9F AD - 23 E0 11 11 B3 C3 5C 81
06:36:43: RADIUS: User-Name [1] 6 "test"
06:36:43: RADIUS: Service-Type [6] 6 Framed [2]
06:36:43: RADIUS: Framed-MTU [12] 6 1500
06:36:43: RADIUS: Called-Station-Id [30] 19 "00-11-5C-6E-5E-0B"
06:36:43: RADIUS: Calling-Station-Id [31] 19 "00-19-B9-81-E8-12"
06:36:43: RADIUS: EAP-Message [79] 8
06:36:43: RADIUS: 02 7A 00 06 0D 00 [ z]
06:36:43: RADIUS: Message-Authenticato[80] 18
06:36:43: RADIUS: A6 AB 5A CA ED B8 B4 1E 36 00 9D AB 1A F6 B9 E0 [ Z6]
06:36:43: RADIUS: Vendor, Cisco [26] 49
06:36:43: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A802FA0000006F016B36D8"
06:36:43: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
06:36:43: RADIUS: NAS-Port [5] 6 50011
06:36:43: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/11"
06:36:43: RADIUS: State [24] 80
06:36:43: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:43: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:43: RADIUS: 31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F [16B36D8;35Sessio]
06:36:43: RADIUS: 6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31 [nID=ise-server-1]
06:36:43: RADIUS: 2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B [ /171025988/24;]
06:36:43: RADIUS: NAS-IP-Address [4] 6 192.168.2.250
06:36:43: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
06:36:43: RADIUS: Received from id 1645/99 192.168.2.231:1812, Access-Challenge, len 1134
06:36:43: RADIUS: authenticator 78 36 A3 38 30 1C F0 7A - 19 83 93 81 B4 6B FF 9E
06:36:43: RADIUS: State [24] 80
06:36:43: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:43: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:43: RADIUS: 31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F [16B36D8;35Sessio]
06:36:43: RADIUS: 6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31 [nID=ise-server-1]
06:36:43: RADIUS: 2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B [ /171025988/24;]
06:36:43: RADIUS: EAP-Message [79] 255
06:36:43: RADIUS: 4D 5D 13 47 FC 46 16 EE 62 76 40 09 77 48 31 B6 01 6B 5E 52 33 56 A2 1E 34 [M]GFbv@wH1k^R3V4]
06:36:43: RADIUS: 02 32 39 FA 4D CA 79 18 4A 42 A2 4E 5C BD AE 29 D2 3D D1 5A FC C2 ED 3E E5 FB C6 B8 D8 DE A8 75 EB 3A A5 7D 02 03 01 00 01 A3 81 CD 30 [29MyJBN\)=Z>u:}0]
06:36:43: RADIUS: 81 CA 30 0B 06 03 55 1D 0F 04 04 03 02 01 86 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 1D 06 03 55 1D 0E 04 16 04 14 C4 56 80 A7 C9 18 50 92 EE CC 91 D4 E1 EC DB AD E7 1E 70 A8 30 79 06 03 55 1D 1F 04 72 30 70 [0U0U00UVPp0yUr0p]
06:36:43: RADIUS: 30 6E A0 6C A0 6A 86 32 68 74 74 70 3A 2F 2F 73 79 73 6C [0nlj2http://sysl]
06:36:43: RADIUS: 6F 67 2D 73 65 72 76 65 72 2F 43 65 72 74 45 6E [og-server/CertEn]
06:36:43: RADIUS: 72 6F 6C 6C 2F 46 4D 46 42 5F 54 72 75 73 74 65 [roll/FMFB_Truste]
06:36:43: RADIUS: 64 43 41 2E 63 72 6C 86 34 66 69 6C 65 3A 2F 2F 5C [dCA.crl4file://\]
06:36:43: RADIUS: 5C 73 79 73 6C 6F 67 2D 73 65 72 76 65 72 5C 43 [\syslog-server\C]
06:36:43: RADIUS: 65 72 74 45 6E 72 6F 6C 6C 5C 46 4D 46 42 5F 54 [ertEnroll\FMFB_T]
06:36:43: RADIUS: 72 75 73 74 65 64 43 41 2E [ rustedCA.]
06:36:43: RADIUS: EAP-Message [79] 251
06:36:43: RADIUS: 63 72 6C 30 10 06 09 2B 06 01 04 01 82 37 15 01 04 03 02 01 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 63 BA F8 CE D5 8B 0E 94 77 AE 86 6C 37 AB 2F 36 9A B2 85 D5 4A [crl0+70*Hcwl7/6J]
06:36:43: RADIUS: 74 8C 33 F5 93 06 A6 57 8D 39 56 8F 02 08 97 CB C6 08 70 8C 22 1E 5D 1F A8 26 6D 60 1F 05 62 D1 24 AB 03 8C 41 F8 1C F1 F8 C2 87 8B 97 02 71 FC 6A [t3W9Vp"]&m`b$Aqj]
06:36:43: RADIUS: EB 12 FC DD 8C 5C 9C 2D AF D2 C4 1C 18 1B 40 BE 78 B0 54 55 59 89 03 1B B7 FB 91 85 EE CA C0 18 1C 78 5D 4D BA FA 9E 44 D3 45 53 A3 BE 46 8A FB 81 BD F1 4C B3 3B [\-@xTUYx]MDESFL;]
06:36:43: RADIUS: D6 66 7E 5B 79 9F 83 53 5E 49 92 B5 7F E5 1A E2 86 8C 83 96 7D 75 A5 1D 08 4E 32 C3 5E EC BF 28 53 EC 53 8A C3 E0 36 [f~[yS^I}uN2^(SS6]
06:36:43: RADIUS: 82 EE AA 0D 38 3E BA 9C 1D D9 24 BD 48 A6 EE 44 BD 95 68 85 CA 8C 44 F8 E8 A2 FB 94 BC 6F 7C F2 06 91 6C A0 A6 BB 7B 7F 56 BD 15 32 A4 [ 8>$HDhDo|l{V2]
06:36:43: RADIUS: Message-Authenticato[80] 18
06:36:43: RADIUS: DD 82 F7 10 3F C7 B5 62 9B 2A BB 24 16 A7 59 33 [ ?b*$Y3]
06:36:44: RADIUS(00000049): Received from id 1645/99
06:36:44: RADIUS/DECODE: EAP-Message fragments, 253+253+253+249, total 1008 bytes
06:36:44: dot1x-packet:Received an EAP request packet from EAP for mac 0019.b981.e812
06:36:44: dot1x-sm:Posting EAP_REQ on Client=1D68028
06:36:44: dot1x_auth_bend Fa0/11: during state auth_bend_response, got event 7(eapReq)
06:36:44: @@@ dot1x_auth_bend Fa0/11: auth_bend_response -> auth_bend_request
06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_exit called
06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_enter called
06:36:44: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x7B length: 0x03F0 type: 0xD data: @Cfui[ab2,Jt1){ 2]g&GZ1pIbu;+Ga;iF"jy#
oohuV.aFZ4_|
P0`At )B
06:36:44: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
06:36:44: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:44: RADIUS: Message-Authenticato[80] 18
06:36:44: RADIUS: F5 B0 56 D3 C6 87 BD 10 6E C7 4A 72 5B 5C 60 C5 [ VnJr[\`]
06:36:44: RADIUS: Vendor, Cisco [26] 49
06:36:44: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A802FA0000006F016B36D8"
06:36:44: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
06:36:44: RADIUS: NAS-Port [5] 6 50011
06:36:44: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/11"
06:36:44: RADIUS: State [24] 80
06:36:44: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:44: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:45: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
06:36:45: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:45: dot1x-registry:registry:dot1x_ether_macaddr called
06:36:45: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
06:36:45: EAPOL pak dump Tx
06:36:45: EAPOL Version: 0x2 type: 0x0 length: 0x0039
06:36:45: EAP code: 0x1 id: 0x7E length: 0x0039 type: 0xD
06:36:45: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0019.b981.e812)
06:36:45: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_request_action called
06:36:46: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:46: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
06:36:46: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
06:36:46: EAPOL pak dump rx
06:36:46: EAPOL Version: 0x1 type: 0x0 length: 0x0006
06:36:46: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/11 CODE= 2,TYPE= 13,LEN= 6
06:36:46: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/11
06:36:46: dot1x-ev:Received pkt saddr =0019.b981.e812 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0006
06:36:46: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port Fa0/11 is TRUE
Maybe you are looking for
-
When i plug in my iPod to update it i receive the following message, The software required for communitcating with the iPod is not installed correctly. Please reinstall iTunes to install the iPod's software. I've tried reinstalling both but i still g
-
Burned a Windows 7 install DVD from a downloaded .iso file....
...but Boot Camp Assistant 5.0 doesn't recognize it, even though the disc is in the drive and appears on the screen. I've included a screen shot of the error msg. Is the name of the disc the issue? Something else? I've recently upgraded to Mac OS 10.
-
Horn section drops out in Garageband '11? (6.0.4)
Some of the software instruments, such as pop horns, drop out after a measure or so, depending on how high a note its playing. It seems like garageband was trying to make it sort of realistic but its very annoying. Does anyone know how to stop it f
-
ITunes is not syncing all of my songs in my library to my iPhone
I have the latest macbook retina model 15 inch, syncing with an iPhone 6 plus. Please help me out here guys, why aren't all my songs syncing. Most of my songs are purchases, no corrupt files, all purchases are authorized for my computer ... can come
-
TA20637 I have a print job that I can not delete from the queue.
When I try it says "job is completed and can not be deleted from queue" but it seems to be stuck (and keeps reprinting rather than letting me print other documents). What do I do? I tried clearling the printer queue by turning the printer on and off