Cisco switches and 802.1x

Hi there!
I have a question for you.
Cisco all switches, is it impossible to present for 802.1x?
I am trying to put a network access server in our network to authenticate.
Thanks.
I will wait for your answer.
Regards.

Most Cisco switches will handle 802.1x, but it depends on the switch and the OS. Which specific ones are you considering?
Wes

Similar Messages

  • Cisco switches and virtual ip address(load balancing address) on xenapp portals

    Hi, I am quite new to configuring Cisco switches and stumbled across an issue after installing XenApp 7.6 with a load-balanced portal to the DDCs.
    It seems I can only ping or get access to the portal when using the real IP address behind the Cisco switch from other subnets in my network.
    I can ping ddc01 and ddc02 and connect to the portal with HTTP without a problem. However, when I try to access the load balancing address of the DDCs, it won't answer to ping or HTTP.
    In the same subnet it is no problem connecting to the load balancing address of the DDCs, but in locations on other subnets I can only access the real server IP,
    e.g.
    ddc01  192.168.1.4   OK to ping and access behind Cisco switch from subnets
    ddc02  192.168.1.5   OK to ping and access behind Cisco switch from subnets
    load balancing for both DDCs  192.168.1.6  not able to get an answer or access from subnets, only in the same subnet
    Is there any way to configure the switch to access the load balancing address of the DDCs?
    Regards
    Pål Arne Røberg

    Wrong forum. This forum is dedicated to feedback related to CSC framework itself. You should not wish for response here.
    Moved by moderator, no longer apply.

  • How to view the login log in window NPS after login cisco switch and without SQL server database

    How to view the login log in Windows NPS after logging in to a Cisco switch, without a SQL Server database?
    In summary,
    there is only a log with event ID 4400:
    A LDAP connection with domain controller XCPAWS20.cyberport.noc for domain NOC2 is established.

    Hi adil,
    For your issue, you can create a custom security token service (STS) and then set up a trust relationship between a SharePoint 2010 farm and the custom STS.
    For more information, you can refer to the articles:
    http://forums.asp.net/t/1335229.aspx?Sharing+Authentication+Ticket+Between+ASP+NET+and+Sharepoint
    https://msdn.microsoft.com/en-us/library/office/ff955607(v=office.14).aspx
    http://www.paraesthesia.com/archive/2011/02/01/working-with-windows-identity-foundation-in-asp-net-mvc.aspx/
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • Cisco Switches and HP Interoperability with Spanning-Tree (RSTP)

    Hello All.
    I read a lot of information from this forum about Spanning-Tree interoperability between HP switches and Cisco switches.
    Rather than having questions, I would like to post that I managed to configure HP and Cisco successfully using RSTP (802.1w).
    [SWPADRAO]display stp root
    MSTID  Root Bridge ID        ExtPathCost IntPathCost Root Port
      0    32768.cc3e-5f3a-2939  0           0
    [SWPADRAO]display stp brief
    MSTID      Port                         Role  STP State     Protection
      0        GigabitEthernet1/0/47        DESI  FORWARDING    NONE
      0        GigabitEthernet1/0/48        DESI  FORWARDING    NONE
    [SWPADRAO]display stp instance 0
    -------[CIST Global Info][Mode RSTP]-------
    CIST Bridge         :32768.cc3e-5f3a-2939
    Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
    CIST Root/ERPC      :32768.cc3e-5f3a-2939 / 0
    CIST RegRoot/IRPC   :32768.cc3e-5f3a-2939 / 0
    CIST RootPortId     :0.0
    BPDU-Protection     :enabled
    Bridge Config-
    Digest-Snooping     :disabled
    TC or TCN received  :17
    Time since last TC  :0 days 0h:1m:52s
    SWNHAM17#show spanning-tree VLAN0001
     Spanning tree enabled protocol rstp
     Root ID    Priority    32768
                Address     cc3e.5f3a.2939
                Cost        4
                Port        26 (GigabitEthernet0/2)
                Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
     Bridge ID  Priority    61441  (priority 61440 sys-id-ext 1)
                Address     001b.54db.7200
                Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                Aging Time 300
    Interface        Role Sts Cost      Prio.Nbr Type
    Gi0/1            Altn BLK 4         128.25   P2p
    Gi0/2            Root FWD 4         128.26   P2p
    SWNHAM18#show spanning-tree VLAN0001
     Spanning tree enabled protocol rstp
     Root ID    Priority    32768
                Address     cc3e.5f3a.2939
                Cost        4
                Port        26 (GigabitEthernet0/2)
                Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
     Bridge ID  Priority    61441  (priority 61440 sys-id-ext 1)
                Address     001b.0cbc.4300
                Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                Aging Time 300
    Interface        Role Sts Cost      Prio.Nbr Type
    Gi0/1            Desg FWD 4         128.25   P2p
    Gi0/2            Root FWD 4         128.26   P2p

    Hello, David.
    Your command doesn't work because it's made only for the ports that have the command "spanning-tree portfast" in them. Try changing the spanning tree mode on the HP switch to MSTP if this is possible.

  • Cisco Switches and Dell EqualLogic PS series integration

    Scenario: In the head office there is a Dell EqualLogic PS series, and the same in the branch, for replication from head office to branch. I want to know the IOS feature set of the switch and router.

    If the Dell EqualLogic systems are using iSCSI to communicate there is no specific feature required on the Cisco gear. The Cisco gear will pass iSCSI traffic just like any other IP traffic.
    Make sense?
    Cheers,
    Brad

  • 4500 Series Switches and 802.1x MAB

    My organization has multiple 4500 series switches experiencing the same problem when attempting to authenticate devices via MAB.  The issue is that the "show mab interface fax/x details" shows the Client MAC in a waiting status.  The device is never sending the switch its MAC in order to proceed with MAB authentication, so of course the port never forwards traffic.  However, if we remove authentication port-control auto the port starts forwarding and the device gains connectivity.  Below is the interface configuration command and the MAB details.  The IOS version of this current switch is 15.0(2)SG8.  Are we missing something special for a 4500 as far as configuration is concerned?
    interface FastEthernet8/16
     description USER 
     switchport access vlan 600
     switchport mode access
     switchport nonegotiate
     duplex full
     authentication host-mode multi-domain
     authentication port-control auto
     authentication periodic
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 5
    end
    SWITCH-4510R#sh mab interface fa8/16 details
    MAB details for FastEthernet8/16
    Mac-Auth-Bypass           = Enabled
    MAB Client List
    Client MAC                = Waiting
    Session ID                = 841AF6D100002931AF99B827
    MAB SM state              = ACQUIRING
    Auth Status               = UNAUTHORIZED

    hello,
    in my organization we have multiple 3560/2960 series switches and some 4500 with MAB.
    the interfaces have the following config:
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication periodic
     authentication timer restart 120
     authentication timer reauthenticate server
     authentication timer inactivity 600
     mab
     dot1x pae authenticator
    Good luck

  • Cisco Switching and Apple Computers

    I was wondering if anyone has any experience with running Macs on their Cisco networking equipment. It seems to only be one generation of iMacs that disables ports on our switches. I do realize many variables may have a role in disabling port settings, but it's only a chosen few that it happens with. Not having the authority to program each port being disabled to run in full duplex mode versus the default settings from manufacturing in auto-negotiate, I'm at a loss. Even after explaining the solution, nothing gets done. My question is, could someone post some documentation of some sort backing up my theories? Also, if anyone could please include anything about proper port settings for access points on our VLANs that also become disabled at times. I do know through research done that all access points should be classified as such on the network. Am I correct in stating this also? I thank you in advance for any information or help you may provide for me, and posts will be rated.

    check out the following links, hope this helps :
    Using VLANs with Cisco Aironet Wireless Equipment :
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
    Wireless Virtual LAN Deployment Guide :
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html

  • How to set up Qos for Microsoft Lyncs 2013 in cisco Switches and Router

    Hi
    As I am new to the QoS part, please send the complete QoS configuration commands that have to be applied on my Cisco 2960s switches as well as the 4506 chassis (L3 mode, acting as my router).
    As I know from Microsoft, DSCP 46 and 34 should be given the highest priority.
    Please send the complete configuration for prioritizing these DSCP values.
    thanks
    Sujish

    Hi there,
    The rule setting should be the same as in Exchange 2010; you can configure it via Outlook or OWA if you have full access permission. I also believe it should be something related to replication; would you please check the event log to see if the AD and Exchange replication has completed?
    In some cases, replication can take longer depending on how many AD sites and Exchange servers in the environment:
    http://support.microsoft.com/kb/148381
    http://support.microsoft.com/kb/158989
    Hope these are useful!
    Regards,
    Sharon
    Sharon Shen
    TechNet Community Support

  • Windows 7 LLDP and Cisco Switches

    Does Windows 7 support IEEE LLDP (not to be confused with MS LLTP)? We have LLDP enabled on our Cisco switches and want to be able to see what ports the Windows 7 devices are connected to, using the Cisco show LLDP neighbors.

    Hi,
    I suggest you refer to the following article in MSDN blog:
    Link Layer Topology Discovery Protocol Specification
    http://msdn.microsoft.com/en-us/library/windows/hardware/gg463061.aspx
    Thanks,
    Vincent Wang
    TechNet Community Support

  • NPS Discarding RADIUS request from Cisco switch (802.1x)

    Last few weeks I've been busy to get the following to work:
    - Cisco 2960 switch as the supplicant
    - Another Cisco 2960 as the authenticator switch
    - The supplicant is only able to send MS-EAP MS-ChapV2 requests
    - The NPS server is Windows 2008 R2 (and also tested on 2012 R2)
    This is called "NEAT" by Cisco; which does seem to work with Cisco ISE (http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html)
    but I'd like to get it to work with Windows NPS.
    Within NPS I've setup the following Connection Request policy:
    - NAS Port Type: Ethernet
    I'm using the following Network Policy:
    - User Group: DOMAIN\Switches (the useraccount used by the switch is part of this group)
    - NAS Port Type: Ethernet
    - Authentication Type: EAP
    Now the request sent by the switch is discarded. The actual error is the following (excluded irrelevant information):
    User:
    Account Name: Rotterdam-Switch-8-1
    Account Domain: DOMAIN
    Authentication Details:
    Connection Request Policy Name: Secure Wired Connections
    Network Policy Name: Switches Allowed
    Authentication Provider: Windows
    Authentication Server: SERVER.DOMAIN.local
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 1
    Reason: An internal error occurred. Check the system event log for additional information.
    Wireshark on the NPS server shows:
    1. The RADIUS Access-Request (1) being received by the NPS Server
    2. The NPS Server sending out a RADIUS Access-Challenge (11) to the authenticator switch
    3. Another RADIUS Access-Request (1) is being received by the NPS Server
    Packet 2 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 1 (Challenge)
    Packet 3 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 2 (Response)
    I've also tried the following:
    - I've also tested with an invalid username/password. The request is correctly denied
    - I've also tested by added ALL EAP Types as condition to the Network Policy. The request isn't pickup by this policy anymore.
    Any help would be greatly appreciated, of course.
    Kind regards,
    Peter

    It only took like.. uhm.. forever.. but there's an answer which is "OK ish..".
    Cisco 2960 switches support EAP-MSCHAP; but it seems that NPS only supports EAP-MSCHAP for VPN connections and not for wired/wireless authentication. Something to do with inner and outer methods and NPS requiring PEAP as an outer method for wired/wireless authentication.
    End result is that both the Cisco switches and NPS do support EAP-MD5. Though it's definitely not as secure (at all), it's definitely a step in the right direction and it's something that we'll be implementing.
    Now, it seems that NPS doesn't support EAP-MD5 (which is supposedly deprecated), but it's possible to re-enable it using the following articles.
    http://support.microsoft.com/kb/922574/en-us
    Microsoft mentioned to me that "Though this article says it applies to Windows Vista only, it does apply to Server 2008R2 as well. Also I would suggest you the following link:
    http://support.microsoft.com/kb/981190"
    Please note that you'll have to enable 'Store password using reversible encryption' on the accounts that will be used for NEAT authentication.
    Although I would have hoped EAP-MSCHAPv2 would work, I feel I do need to clarify that I understand Microsoft's point of view on this as well. They feel EAP methods without PEAP are simply not safe; which is understandable, especially for EAP-MD5 which could be sniffed using a hub/repeater/etc.
    Kind regards,
    Peter
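
For anyone auditing which EAP method a switch actually offers to NPS, the capture analysis in this thread can be reproduced offline. The following is an added example, not code from either poster: it reassembles the EAP-Message (79) attributes of a RADIUS packet and reports the EAP type and, for type 26, the MS-CHAPv2 OpCode. The sample packets are constructed (zeroed authenticator, placeholder payloads) and the `no_outer_tunnel` flag name is an assumption of this example.

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             25: "PEAP", 26: "MS-EAP-Authentication"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
EAP_MESSAGE = 79            # RADIUS attribute that carries the EAP packet
NO_OUTER_TUNNEL = {4, 26}   # credential methods seen as the outer method


def parse_eap(eap: bytes) -> dict:
    """Decode the EAP header, the method type and, for type 26, the OpCode."""
    if len(eap) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length < 4 or length > len(eap):
        raise ValueError("bad EAP length field")
    out = {"code": EAP_CODES.get(code, str(code)), "id": ident,
           "type": None, "no_outer_tunnel": False}
    if code in (1, 2) and length >= 5:       # only Request/Response carry a Type
        eap_type = eap[4]
        out["type"] = EAP_TYPES.get(eap_type, str(eap_type))
        out["no_outer_tunnel"] = eap_type in NO_OUTER_TUNNEL
        if eap_type == 26 and length >= 7:   # OpCode, then MS-CHAPv2-ID
            out["opcode"] = MSCHAPV2_OPCODES.get(eap[5], str(eap[5]))
            out["mschapv2_id"] = eap[6]
    return out


def parse_radius(packet: bytes) -> dict:
    """Walk the RADIUS attributes and reassemble EAP-Message fragments."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    eap, pos = b"", 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        if a_type == EAP_MESSAGE:            # long EAP packets span several
            eap += packet[pos + 2:pos + a_len]
        pos += a_len
    return {"radius": RADIUS_CODES.get(code, str(code)), "id": ident,
            "eap": parse_eap(eap) if eap else None}


# --- constructed sample packets, not taken from the poster's capture ---
def attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value


def build_sample(radius_code: int, eap_code: int, eap_type: int, data: bytes) -> bytes:
    eap = struct.pack("!BBHB", eap_code, 2, 5 + len(data), eap_type) + data
    attrs = attr(1, b"constructed-switch-account") + attr(EAP_MESSAGE, eap)
    return struct.pack("!BBH", radius_code, 7, 20 + len(attrs)) + bytes(16) + attrs


def mschapv2(opcode: int, ms_id: int, body: bytes) -> bytes:
    return bytes([opcode, ms_id]) + struct.pack("!H", 4 + len(body)) + body


CHALLENGE = build_sample(11, 1, 26, mschapv2(1, 2, bytes([16]) + bytes(16) + b"nps"))
RESPONSE = build_sample(1, 2, 26, mschapv2(2, 2, bytes([49]) + bytes(49) + b"sw"))
PEAP_START = build_sample(11, 1, 25, bytes([0x20]))   # PEAP Start flag only

if __name__ == "__main__":
    for name, pkt in (("challenge", CHALLENGE), ("response", RESPONSE),
                      ("peap", PEAP_START)):
        print(name, parse_radius(pkt))
```

The parser does not verify the RADIUS authenticator or a Message-Authenticator attribute; it only classifies what is on the wire.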

  • Cisco Architectures for 2950/2960 Switches and 2800 Routers

    Hello,
    I have a question regarding the architectures of these three series, i.e. the type of switch fabric they use and the general architecture (first, second, or third generation regarding the sharing of the bus, memory and the type of switch fabric). We have so far learned these three generations and our assumption is that the only generation being produced now is the third (crossbar) generation, but so far we have no information to back up this claim. We are doing a study on buffer sizing in edge routers/switches, so knowing the exact architecture of each model is our priority.
    Thank you for reading and thanks in advance for the answers. 

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Exact details on Cisco switch and/or router architecture can be hard to come by, as much of the information, Cisco appears to consider proprietary.
    Most switches have some kind of cross bar architecture.  Overall bandwidth tends to be higher in later variants (to support higher port densities and/or higher bandwidth ports).  Later switch architectures are less likely to block at ports.  However, there are often other architecture changes which may improve or worsen performance.  For example, 2960 tends to have more fabric bandwidth than the 2950, but the 2960 has different port buffer management (I believe) from the 2950, often resulting in more port drops with bursty traffic.
    True routers, like the 2800 series, I believe use a PCI bus, with additional bandwidth restrictions to the modules.  They will well support the WAN bandwidths they are recommended for, but they do not well support LAN port bandwidths.  Again, specific architecture details can be hard to come by.

  • SIP 7960 to non-Cisco Switch

    Does anyone know if a 7960 (SIP) phone can connect to a non-Cisco switch and separate the Voice traffic from the access port traffic?
    I tried connecting a 7960 to a baystack 450T, configuring the switchport as a "tagged trunk", and then changing the Admin Vlan ID on the phone to the desired voice vlan. It looks as though the switch wants the access port traffic to be tagged as well.
    Any help would be greatly appreciated!
    Thanks,
    Darin

    Hi !
    You need to configure a 802.1q trunk on your non-cisco switch. The 802.1q native vlan should be the one the PC is in. The voice vlan will be tagged.
    Configure all parameters (like voice-vlan-id etc) on the phone manually (obviously CDP does not work). I have done it and it works fine (but i never tried on the switch you mentioned).
    Inline Power will also not work because the 7960 is not 802.3af compliant (yet).
    Mike

  • Passing Voice VLAN through a non-Cisco switch

    Hi All,
    Will a non-Cisco switch (no 802.1q support) that is put between a Cisco IP Telephone and a Cisco Catalyst switch (which is configured with an auxiliary Voice VLAN) pass voice VLAN frames and CDP?

    Any switch should pass on either ISL (which is Cisco proprietary and hence not supported on non-Cisco) or IEEE 802.1Q frames, or else it cannot support voice VLAN. And non-Cisco switches do not support CDP as it is once again a Cisco proprietary protocol.

  • Which Switch and Router to choose?

    I am interested in purchasing a Cisco Switch and Router, or possibly a Cisco Switch Router.
    However, I am not sure of what model to go with.
    Currently, we have a network with about 200 Workstations and 30 Servers for our Corporation Infrastructure.
    Also, for our lab, we have about 50 Linux Based Servers, and 30 Solaris Based Servers, that are part of our Network. We are a Research and Development Company, and we have had issues with the Lab machines bringing down our network, as well as our corporate network adversely affecting the lab machines. What we would like to do is segment the network so that the different areas will be isolated. However, we also would like to have a lot of control over the traffic that will be able to cross from our network into the lab so that users will still be able to run their tests.
    Security is also an issue, and it would be great to have more control, and a better view of what kind of traffic is running through our network.
    Currently, we have about 8 Gigabyte Switches which are unmanaged (Linksys and NetGear). Our idea was to get 1 or 2 Cisco Switch Routers, and then split them up into VLANs and cascade our current switches so that we can still make use of them. The other idea was to just get a Cisco Switch and use our CheckPoint Router/Firewall to do the routing.
    Can you give me any advice as to what model of Cisco Product you would recommend?
    Is it better to go with a Switch Router, or simply get a separate Switch and Router?
    Please note that all of our Machines have 10/100/1000 NICs, so the device will need to be Gigabyte.
    Thank you so much!

    You have two choices: either use a chassis-based solution or use stackable switches such as a 3750. Are all the Cat 5 (or 5e, 6) runs coming into one centralized location? Or are there separate wiring closets that you plan to put in? If so, we need to put separate switches at those locations and run fiber back to the central location which has a chassis-based or stackable switch.
    If using a chassis based solution, you can get a 4506 (4507 for redundancy, with a redundant supervisor engine). Supervisor engine is nothing but the CPU of the switch. 4506 is a 6 slot modular switch with 2 power supplies for redundancy. You cannot add two Supervisor engines on a 4506 (4507 can).
    Slot 1 is always for supervisor engine, the remaining 5 slots you can fill using 48 port 10/100/1000 modules.(48 * 5 = 240). So your maximum port density is 240 ports on a 4506. (Note that there are 4507, 4510 which are similar models with more slots)
    If using 3750, you can stack up to 9 switches in a stack using stacking cables on the back side of the switch. Each switch will have 48 ports (10/100/1000) and you can stack 5 switches to get 240 ports.
    For the firewall I would recommend using a PIX 515E, (Why go for Checkpoint firewall when you can use all Cisco). For routing between the vlans, the switches that I recommended above are all Layer 3 switches. They will route between the different vlans. You can also configure ACLs to restrict traffic between multiple vlans.
    HTH

  • Etherchannel trunk with two cisco switch

    Hi, my company is using only one Cisco 3750 switch with VLAN 1,2,3,4,5.
    Now my company bought another Cisco switch and we would like to set up an EtherChannel trunk between both and create new VLANs on the new switch.  We asked our partners; some of them suggested we use LACP, and some of them suggested we use PAgP.  We are so confused about which will be better in our environment.
    Previous: Router <> 3750 switch A (VLAN 1,2,3,4,5)
    Now we bought another Cisco Switch B:  Router <>3750 switch A <> switch B (add more VLAN 6,7,8,9,10)
    Which of below command is the best choice to suit our company ? suppose we use 2 port of gigabitethernet 1/0/1 and 1/0/2 trunk?  All VLAN 1-10 need to communicate with each other.
    interface GigabitEthernet1/0/1
     channel-group 1 mode active  <<< (use "active" or "desirable" is the best choice)
     switchport mode trunk
    interface GigabitEthernet1/0/2
     channel-group 1 mode active
     switchport mode trunk
    interface Port-channel 1
     switchport trunk encapsulation dot1q << (do we need put this? as we think this is by default after trunk?)
     switchport mode trunk
     switchport nonegotiate <<< (do we need "nonegotiate" if both switch setup same configure?)

    Hello
    My understanding is PAgP and LACP basically provide the same features - however, PAgP is Cisco proprietary, while LACP is an IEEE standard which can be used between different route/switch vendor platforms.
    As for disabling DTP (switchport nonegotiate) - I would agree with this suggestion, so as not to have trunks being dynamically created.
    Lastly, I would manually prune unused VLANs across trunk interfaces, to save on CPU and memory usage because of the STP instances that could be used (however, such a small VLAN database like yours would not be an issue).
    So to summarise:
    Cisco to Cisco EtherChannels = PAgP
    Cisco to other vendors = LACP
    L2 etherchannel
    ================
    1) default physical interfaces (if possible)
    2) configure port-channel in physical interfaces
    -- port-channel will be created automatically
    3)create trunking encapsulation or access port mode directly in port-channel interface
    4)enable physical interfaces "no shut"
    conf t
    default int ran fa0/1 -3 ( if applicable)
    int ran fa0/1 -3
    shut ( if applicable)
    channel-group 1 mode xxx
    int port-channel 1
    switchport trunk encap dot1q
    switchport mode trunk
    switchport nonegotiate
    switchport trunk allowed vlan 1-10
    res
    Paul
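
The trunk advice in this thread (disable DTP, prune VLANs, pick one bundling protocol) and the port-control observation in the 4500 MAB thread above can be checked mechanically against a saved running-config. This is an added example, not code from any poster; the sample configs are constructed, the function names are this example's own, and each interface stanza is judged on its own lines.

```python
import re

LACP, PAGP = {"active", "passive"}, {"desirable", "auto"}


def parse_interfaces(config: str) -> dict:
    """Map each interface name to the list of commands in its stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        match = re.match(r"interface\s+(\S.*)$", line)
        if match:
            current = match.group(1).replace(" ", "")
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        elif line.strip():            # "!", "end" or a global command
            current = None
    return interfaces


def audit(config: str) -> list:
    """Return (interface, finding) tuples, judging each stanza on its own."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" in cmds:
            if "switchport nonegotiate" not in cmds:
                findings.append((name, "trunk still negotiates DTP"))
            if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
                findings.append((name, "trunk has no allowed-vlan list"))
        wants_auth = "mab" in cmds or "dot1x pae authenticator" in cmds
        if wants_auth and "authentication port-control auto" not in cmds:
            findings.append((name, "802.1X/MAB present but not enforced"))
    return findings


def channel_modes(config: str) -> dict:
    """Map channel-group number to the mode its member ports use."""
    modes = {}
    for cmds in parse_interfaces(config).values():
        for cmd in cmds:
            match = re.match(r"channel-group (\d+) mode (\S+)", cmd)
            if match:
                modes[match.group(1)] = match.group(2)
    return modes


def ends_will_bundle(mode_a: str, mode_b: str) -> bool:
    """True if the two ends of a link can form an EtherChannel."""
    pair = {mode_a, mode_b}
    if pair == {"on"}:
        return True                   # static on both ends, no protocol
    if pair <= LACP:
        return "active" in pair       # passive/passive never starts
    if pair <= PAGP:
        return "desirable" in pair    # auto/auto never starts
    return False                      # LACP vs PAgP, or "on" vs a protocol


# Constructed running-config excerpts; not taken from the thread.
SWITCH_A = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-10
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 channel-group 1 mode active
!
interface FastEthernet8/16
 switchport mode access
 mab
 dot1x pae authenticator
end
"""
SWITCH_B = "interface GigabitEthernet0/1\n channel-group 1 mode desirable\n"
```

Comparing `channel_modes(SWITCH_A)["1"]` with `channel_modes(SWITCH_B)["1"]` through `ends_will_bundle` shows why the mode on both switches has to come from the same protocol.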
