Communicator and dot1x with mab

Hi,
We are running dot1x multi-domain with MAB and guest VLAN fallback.
But there is an issue with the Cisco Communicator.
When it connects it sends a dummy MAC address starting with 30ff.
This makes the ports go into err-disable state.
Is there any workaround to solve this?
The users like the functionality of being able to make a call from their Outlook contacts and use the Cisco phone.
BR
/Ola

I believe that you are hitting bug CSCsa64171.

Similar Messages

  • Which smart TV (SAMSUNG U46F7000 or SONY BRAVIA W8 46'') has the best communication and functionality with Apple devices?

    Which smart TV (SAMSUNG U46F7000 or SONY BRAVIA W8 46'') has better communication and functionality with Apple devices (iPad, iPhone)?
    Since the above manufacturers do not give me a straight answer and it is a very important reason for me to make a choice, please advise!

    Sorry but I must correct about SONY!!!
    The question was for Bravia series W9 and not W8.

  • Create community and pages with my application

    Hello,
    Can I automatically create community and pages with my application?
    Where can I find an example to create a Java application to automatically create community, pages and Portel using an XML file that describes the structure?

  • You have an old emagic midi driver installed it can cause unreliable communication and crashes with GB

    When booting up Garage Band I got an error message that reads "You have an old emagic midi driver installed this can cause unreliable midi communication and crashes." Yesterday I tried installing an older Emagic Logic Version 5.5.1 with an XSKey Updater file. Decided to remove the Logic Driver along with all Emagic files. Garage Band suggests downloading a newer emagic midi driver 1.5 from "www.emagic.de" but this site no longer exists. Was trying to get Logic Big Box 5 to run in order to purchase LOGIC EXPRESS V9. Otherwise I have to spend $199 for the complete version. Any help is recommended.

    FBSMTWB: Fast Browser Search, Make the Web Better
    See these pages and threads about Fast Browser Search (FBSMTWB in the user agent, Help > About).
    * http://help.fastbrowsersearch.com/
    * http://www.pccybertek.com/2009/05/remove-fast-browser-search
    See also:
    * https://support.mozilla.com/kb/Websites+or+add-ons+incorrectly+report+incompatible+browser
    * http://kb.mozillazine.org/Resetting_your_useragent_string_to_its_compiled-in_default

  • Hi to everybody, I'm new to the community and I'd like to know if anybody could help me with this issue. I have different iTunes libraries stored on different hard disks, and I'd like to merge them all into one unique library

    Hi, I'm new to the community and I hope I'm not asking something that has already been discussed. I have different iTunes libraries on different hard disks and I would like to merge them into a unique library, maintaining all the metadata, so that I can use this new one with iTunes Match. Could anybody help me?

    PowerTunes - http://www.fatcatsoftware.com/powertunes/ (commercial software)
    syncOtunes - http://homepage.mac.com/oligrob/syncOtunes/syncOtunes.html
    Alison 1231, your question is not identical to the original poster's so perhaps you could start a new topic with the question since the answers will be different and not apply to the OP's post.

  • HT5085 Hi there, I'm new to the iPHONE community and please can someone tell me how to backup my phone to iCLOUD. How do I connect with wi-fi. Must I buy a wi-fi connection or what. Thank you kind regards

    Hi there, I'm new to the iPHONE community and please can someone tell me how to backup my phone to iCLOUD. How do I connect with wi-fi. Must I buy a wi-fi connection or what. Thank you kind regards

    Do you have a wi-fi network in your home? If you do then you should be able to connect your phone to it via Settings > Wi-Fi on your phone - that should show any networks that are available, and tapping on the network that you want to use (and typing in its password if it's password protected) should connect the phone to it. If you don't have a wi-fi network then yes, you will need a wifi router in your home, which is connected to the internet (e.g. via your phone line) to be able to back up your phone to iCloud.
    Connecting to wifi : http://support.apple.com/kb/HT5569 (the screenshots on that page are from iOS 7, but they should be similar on iOS 6)
    iCloud backup and storage overview : http://support.apple.com/kb/PH12519
    You can also backup your phone to your computer's iTunes : http://support.apple.com/kb/HT1766

  • I log in to 'HP Enterprise Business Community' and 'Consumer Support Forums' with the same username?

    Hi,
    I am expecting that I must use a different user ID to log in to each of 'HP Enterprise Business Community' and 'Consumer Support Forums.'
    However, I am logged in to both with the same user ID.
    Then, how do I get to the subscriptions I posted in each forum?
    Although I log in to the 'HP Enterprise Business Community' and 'Consumer Support Forums' with the same user name, when clicking on my user name while logged in to 'Consumer Support Forums', I only noticed my posts posted at this forum. However, those posted in HP Enterprise Business Community, I didn't find them. To see them, I must click on my username while logged in to HP Enterprise Business Community.
    Could you please confirm this for me?

    The Enterprise and Consumer forums are separate communities.  Even if you use the same username, you need to go to them separately to view your subscribed threads.
    smkranz
    I am a volunteer, and not an HP employee.
    Palm OS ∙ webOS ∙ Android

  • First time on this Apple community and my question is .... It's saying 'my iPhone is synced with another iTunes Library' ..... and it can't be as I only have this 1 computer and only 1 Apple device, please can someone help?   25 Jan @ 17.01

     

    Plawexki wrote:
    ...  do you know if the contacts, photos, messages etc will be wiped?
    Yes... Everything will be Wiped and Replaced with what is currently on Your Mac.
    SYNCING with iTunes
    See here  >  http://support.apple.com/kb/HT1386
    From Here  >  http://www.apple.com/support/iphone/syncing/
    You may find this information of interest...
    Have a read here...
    https://discussions.apple.com/message/18409815?ac_cid=ha
    And See Here...
    How to Use Multiple iDevices with One Computer

  • Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
    October 27, 2014 through November 7, 2014.
    The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
    Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
    Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
    Remember to use the rating system to let Craig know if you have received an adequate response.
    Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
    (Comments are now closed)

    1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
    2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
    a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
    b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
    For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
    Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
    If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy.  If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
    A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA.  Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
    Regarding AD multi-domain support...
    Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option  to have some users authenticated to different AD domains via foreign RADIUS server.
    Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
    When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
    In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution.  Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
    Regards,
    Craig

  • ISE first authorization success and then fail (MAB)

    Hi,
    Using ISE 1.1.1 and Switch 3650 12.2(55)SE6.
    I have a client (computer) that should be authenticated with MAB and then the switch port should be assigned a DACL and VLAN 90. I do get "Authorization succeeded" but directly after it fails and I can't figure out why. ISE only shows the successful authentication under "Live Authentications".
    As you can see from the log below 802.1x fails, as it should, and then MAB succeeds, assigns the VLAN and then fails:
    0002SWC002(config)#int fa0/13
    0002SWC002(config-if)#shut
    0002SWC002(config-if)#
    Jan  7 13:26:59.640: %LINK-5-CHANGED: Interface FastEthernet0/13, changed state to administratively down
    Jan  7 13:27:00.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
    0002SWC002(config-if)#no shut
    0002SWC002(config-if)#
    Jan  7 13:27:19.689: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
    Jan  7 13:27:22.063: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
    Jan  7 13:27:22.776: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:23.070: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
    Jan  7 13:27:51.054: %DOT1X-5-FAIL: Authentication failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID
    Jan  7 13:27:51.054: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.054: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.088: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.088: %AUTHMGR-5-VLANASSIGN: VLAN 90 assigned to Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.096: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT APPLY
    Jan  7 13:27:51.096: %EPM-6-IPEVENT: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-WAIT
    Jan  7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:52.027: %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENTReplacing duplicate ACE entry for host 10.90.5.1
    Jan  7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:52.036: %EPM-6-POLICY_REQ: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT REMOVE
    After this the process starts over again.
    This is the switch port config:
    interface FastEthernet0/13
    description VoIP/Data
    switchport mode access
    switchport voice vlan 20
    switchport port-security
    switchport port-security violation restrict
    ip access-group ACL-ALLOW in
    srr-queue bandwidth share 1 70 25 5
    srr-queue bandwidth shape 3 0 0 0
    priority-queue out
    authentication event fail action next-method
    authentication event server dead action authorize voice
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    snmp trap mac-notification change added
    no snmp trap link-status
    dot1x pae authenticator
    dot1x timeout tx-period 10
    storm-control broadcast level 2.00 1.00
    storm-control multicast level 2.00 1.00
    storm-control action shutdown
    storm-control action trap
    spanning-tree portfast
    service-policy input ax-qos_butnet
    ip dhcp snooping limit rate 5
    end
    Is there a problem with the client (computer) or in ISE/Switch?

    Hi Tarik,
    First off; thank you for helping me troubleshoot this problem.
    I think the "IP-" part of "IP-ACL-IWMAC" is being added automatically (in the switch maybe?). I see this behaviour on other dACLs too. I did not change the name of the ACL.
    You seem to have a valid theory about the icmp statement. I changed it to "permit icmp any any" and it seems to work. But I can't explain why this is happening.
    When I look at the debugs I see this difference
    With the original ACL I get this:
    %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT APPLYReplacing duplicate ACE entry for host 10.90.5.1
    %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-RELEASE
    %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-WAIT
    %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000053E70733F4
    When using "permit icmp any any" I get this:
    %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000055E70B8E7D| AUTHTYPE DOT1X| EVENT APPLY
    %EPM-6-AAA: POLICY xACSACLx-IP-ACL-IWMAC-50eea905| EVENT DOWNLOAD-REQUEST
    I tried googling but can't find what "Replacing duplicate ACE entry for host xxx" means.
    I have added debugs in attachment.
    device1_orig_acl - the non-working device with original ACL
    device1_any_any - the non-working device with permit icmp any any
    working_device_orig_acl - the device that works with the original ACL
    Do you have an answer to why this is happening?
    Regards,
    Philip
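
The success-then-fail loop in the switch log above can be picked out of a syslog feed automatically. The following is an added example, not part of the original posts or Cisco's code: it pairs %AUTHMGR-5-SUCCESS with a later %AUTHMGR-5-FAIL for the same AuditSessionID and notes whether "Replacing duplicate ACE entry" appeared in between. The sample lines are constructed from the log format in the thread; the 5-second window, the assumed year and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format of the switch log in the thread
# (wrapped lines rejoined; the Fa0/14 session is invented for contrast).
SAMPLE_LOG = """\
Jan  7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan  7 13:27:51.088: %AUTHMGR-5-VLANASSIGN: VLAN 90 assigned to Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan  7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan  7 13:27:52.027: %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENTReplacing duplicate ACE entry for host 10.90.5.1
Jan  7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan  7 13:30:10.100: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Fa0/14 AuditSessionID 0A0005FC0000002100000001
"""

ASSUMED_YEAR = 2000  # assumption: these syslog timestamps carry no year
LINE_RE = re.compile(
    r"^\s*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$")
SESSION_RE = re.compile(r"AuditSessionID\s+([0-9A-Fa-f]{8,})")
CLIENT_RE = re.compile(r"(?:client \(|MAC )([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
IFACE_RE = re.compile(r"Interface (\S+)")


def parse_events(text):
    """Return one dict per syslog line that carries an AuditSessionID."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        sess = SESSION_RE.search(m["msg"]) if m else None
        if not sess:
            continue  # unrelated line, or session ID truncated in the capture
        stamp = f"{ASSUMED_YEAR} " + " ".join(m["ts"].split())
        client = CLIENT_RE.search(m["msg"])
        iface = IFACE_RE.search(m["msg"])
        events.append({
            "time": datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f"),
            "facility": m["fac"], "mnemonic": m["mnem"], "msg": m["msg"],
            "session": sess.group(1).upper(),
            "client": client.group(1) if client else None,
            "interface": iface.group(1) if iface else None,
        })
    return events


def find_auth_flaps(text, window_s=5.0):
    """Flag sessions authorized and then failed within window_s seconds."""
    pending, findings = {}, []
    for ev in parse_events(text):
        tag, sid = (ev["facility"], ev["mnemonic"]), ev["session"]
        if tag == ("AUTHMGR", "SUCCESS"):
            pending[sid] = {"ok": ev, "between": []}
        elif sid in pending and tag == ("AUTHMGR", "FAIL"):
            p = pending.pop(sid)
            gap = (ev["time"] - p["ok"]["time"]).total_seconds()
            if gap <= window_s:
                findings.append({
                    "session": sid,
                    "client": p["ok"]["client"],
                    "interface": p["ok"]["interface"],
                    "gap_ms": round(gap * 1000),
                    # Messages seen between the two, e.g. EPM policy events.
                    "between": [f'{b["facility"]}-{b["mnemonic"]}' for b in p["between"]],
                    "duplicate_ace": any("Replacing duplicate ACE entry" in b["msg"]
                                         for b in p["between"]),
                })
        elif sid in pending:
            pending[sid]["between"].append(ev)
    return findings


if __name__ == "__main__":
    for f in find_auth_flaps(SAMPLE_LOG):
        print(f)
```
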

  • Macs joined to AD Domain, and 802.1x/mab authentication problems

    Hello, I've got a situation where I have a small handful of Mac Pros running OS 10.6 that are having some trouble with wired 802.1x/MAB (MAC Authentication Bypass) on our Cisco switches. We have our Macs set up so that they authenticate to our Windows domain for user login, plus, we have 802.1x authentication (for our Windows clients) and MAB bypass for our Macs, printers, and assorted other equipment. Problem seems to be, the Mac boots up before the switch goes into MAB bypass and won't let the user log in to the network. Has anyone run across this problem before and found a solution?

    hello,
    in my organization we have multiple 3560/2960 series switches and some 4500 with MAB.
    the interfaces have the following config:
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication periodic
     authentication timer restart 120
     authentication timer reauthenticate server
     authentication timer inactivity 600
     mab
     dot1x pae authenticator
    Good luck

  • 4500 Series Switches and 802.1x MAB

    My organization has multiple 4500 series switches experiencing the same problem when attempting to authenticate devices via MAB.  The issue is that "show mab interface fax/x details" shows the Client MAC in a waiting status.  The device is never sending the switch its MAC in order to proceed with MAB authentication, so of course the port never forwards traffic.  However, if we remove authentication port-control auto the port starts forwarding and the device gains connectivity.  Below is the interface configuration command and the MAB details.  The IOS version of this current switch is 15.0(2)SG8.  Are we missing something special for a 4500 as far as configuration is concerned?
    interface FastEthernet8/16
     description USER 
     switchport access vlan 600
     switchport mode access
     switchport nonegotiate
     duplex full
     authentication host-mode multi-domain
     authentication port-control auto
     authentication periodic
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 5
    end
    SWITCH-4510R#sh mab interface fa8/16 details
    MAB details for FastEthernet8/16
    Mac-Auth-Bypass           = Enabled
    MAB Client List
    Client MAC                = Waiting
    Session ID                = 841AF6D100002931AF99B827
    MAB SM state              = ACQUIRING
    Auth Status               = UNAUTHORIZED

    hello,
    in my organization we have multiple 3560/2960 series switches and some 4500 with MAB.
    the interfaces have the following config:
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication periodic
     authentication timer restart 120
     authentication timer reauthenticate server
     authentication timer inactivity 600
     mab
     dot1x pae authenticator
    Good luck

  • How do I use Qt and OpenGL with Visual Studio

    Hi! I mainly want to program in C++ and I want to use Qt and OpenGL with Visual Studio.
    I am currently revising C++ and later on I am going to start reading Qt and OpenGL. I have a background in embedded firmware design (C and Assembly).
    The Visual Studio version I have is 2013 Ultimate. How do I use Qt and OpenGL with Visual Studio?
    Thanks
    Alexandros

    Hi ClassicalGuitar,
    The forum supports VS setup and installation. And your issue is not about the forum. I will move the thread to off-topic forum. Thanks for your understanding.
    Regards,

  • HT1918 I have several old email addresses and accounts with iTunes where the email is no longer working, and I have forgotten my password, how do I activate the songs?

    I have several old email addresses and accounts with iTunes where the email is no longer working, and I have forgotten my password, how do I activate the songs?

    Welcome to the Apple Community.
    The following article(s) may help you.
    Look up your old and forgotten Apple ID

  • How do I share iTunes library, and movies with a different user on the same computer?

    How do I share iTunes and movies with a different user on the same computer?

    https://discussions.apple.com/community/itunes
