Enumerate switch ports

I need a way to list out the last mac address known to port-security per port in IOS, and EEM may be my answer.  
The command  "show port-security address" gets me close - it shows current mac on all up ports, like: 
> AS5#show port-security address
>         Secure Mac Address Table
> ------------------------------------------------------------------------
> Vlan   Mac Address       Type                     Ports   Remaining Age
>                                                             (mins)  
> ----   -----------       ----                     -----   -------------
>   6   001d.e5ea.a1d5   SecureDynamic           Gi1/0/26   < 1
>   6   0007.7d43.638b   SecureDynamic           Gi1/0/31   < 1
>   6   0050.6003.76ce   SecureDynamic           Gi1/0/40   < 1
>   1   0050.b607.c3a3   SecureDynamic           Gi1/0/43   < 1
>   1   c42c.030c.05d4   SecureDynamic           Gi1/0/44   < 1
>   1   0023.5e20.a48e   SecureDynamic           Gi1/0/45   < 1
> ------------------------------------------------------------------------
however, I also need the last mac known to the port. For example "show port-security int g7/11" has the info I need:
> DEVON-3RDFL-138-4#sh port-security int gi 7/11              
> Port Security             : Enabled
> Port Status               : Secure-down
> Violation Mode             : Restrict
> Aging Time                 : 1 mins
> Aging Type                 : Absolute
> Maximum MAC Addresses     : 1
> Total MAC Addresses       : 0
> Configured MAC Addresses   : 0
> Sticky MAC Addresses       : 0
> Last Source Address       : d4be.d995.8159 <-- We are looking for > this, but we may not know which port it was last connected to...
> Last Source Address VlanId : 455
> Security Violation Count   : 0
However, enumerating all ports on a switch to find which one has a specific mac address is painful.
So, my intent is to wrte an EEM script that will enumerate all ports on a switch and hold that in an array that I can then sequentially run commands again.
Surely someone has already written a script to enumerate all switch interfaces.   Anyone know where to find it?
Thanks,
Neville

Thanks Joseph! 
With your code I got my script working! I'm attaching it here.
Some notes of mine.
1) I sure like PERL *a lot* more than TCL.   I find TCL weird where I don't do a ; at the end of lines, don't declare my variables with $ and not having a conecpt of an @array is killing me!
2) I changed the 1st part of the script from port-security ports to all Ethernet interfaces. If a port is down it does not show in "show port-security adresses", where it will show with "show interface summary | inc Ethernet".
3) I added Catalyst switches output port-security info two ways: either "Last Source Address : aa.bb.cc.dd.ee.ff"  (older code) or "Last Source Address:Vlan : aa.bb.cc.dd.ee.ff:1" (newer code).   I added logic to deal with either output.
4) The script seems to run pretty slow. It takes ~15 seconds for a switch with 24 interfaces on it.  In a stack I'd run into MAXRUN time issues for sure.
Again thanks Joseph! - Finished Script below:
::cisco::eem::event_register_none
# Written 2012 by Neville Aga ([email protected])
# Make an alias to trigger this script, such as
# "alias exec show-last-macs event manager run show_last_macs.tcl"
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
# Open the CLI
if [catch {cli_open} result] {
   error $result $errorInfo
} else {
    array set cli1 $result
# Go into enable mode 
if [catch {cli_exec $cli1(fd) "en"} result] {
    error $result $errorInfo
# Enumerate switch ethernet interfaces and put them into array..
# er list. TCL doesnt do arrays
# Enumerate all ports here
set output [cli_run [list "show interfaces summary | inc Ethernet"]]
set ports [list]
foreach line [split $output "\n"] {
regsub {\*} $line "" line
set line [string trim $line]
regsub -all {\s+} $line " " line
#puts "line is $line\n"
lappend ports [lindex $line 0]
puts "Last MAC associated with all port-security switch ports:"
puts "by Neville Aga ([email protected]). Follow me on twitter @nevilleaga"
foreach port $ports {
set output [cli_run [list "sh port-security int $port"]]
if { [regexp {Port Security\s+:\s(Enabled)} $output -> enabled] } {
if { [regexp {Port Status\s+:\s+(\S+)} $output -> portstatus] } {}
# This will get output returned like "Last Source Address  :  aa.bb.cc.dd.ee.ff" - 6500 typical
if { [regexp {Last Source Address\s+:\s+([a-fA-F0-9\.]+)} $output -> mac] } {
puts "Last MAC for $port is $mac -- $portstatus "
# This will get output returned like "Last Source Address:Vlan :  aa.bb.cc.dd.ee.ff:1" - 3560 12.2.53
if { [regexp {Last Source Address:Vlan\s+:\s+([a-fA-F0-9\.]+)} $output -> mac] } {
puts "Last MAC for $port is $mac -- $portstatus"
# Close the CLI
if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
    error $result $errorInfo

Similar Messages

  • Jabber and Meida Interface Service - Switch port

    Hi All,
    here is from Cisco:
    Before Cisco Jabber for Windows sends audio media or video media, it checks for Cisco Media Services Interface .
    • If the service exists on the computer , Cisco Jabber for Windows provides flow information to Cisco Media Services Interface . The service then signals the network so that routers classify the flow and provide priority to the Cisco Jabber for Windows traffic.
    • If the service does not exist, Cisco Jabber for Windows does not use it and sends audio media and video media as normal.
    My Question is : what does normal means?
    1- we can identify ports for Jabber in CUCM, then create ACL and apply QoS.in that Case what " Normal Traffic " means?
    2- for MSI, do we need to configure anything on the switch port to work peoperly?
    3- How switch knows which Qos to apply based on what MSI saying? still needs an ACL, if yes, what s apoint of using MSI dfor Qos?
    Thanks,
    Hamed

    This would be EF for voice, AF41 for video/voice, and CS3 for SIP signal. Two things typically cause this to get treated as best effort:
    The Windows PC is not allowing the application to set DSCP markings. Group or local security policy can be used to allow this
    The switch is not trusting the data VLAN. Most SRND material suggests using a policer to limit the amount of EF/AF41/CS3 traffic from the data VLAN and to remark the violation traffic to best effort.
    You'll want to start with the MediaNet Deployment Guide. There is a lot going on to make this work.
    The MSI tells the switch what application and ports are being used. The switch then sets the DSCP marking on that traffic.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • Two VLANs on one switch port?

    Currently we have the following
    Cat 4003 with VLAN trunking turned on to multiple switches. Each port in those exterior switches is assigned to a vlan(we have about 60 different vlans).
    What I would like to do is on those exterior switches have two vlans assigned to it.
    We'd like to create a single IP Phone VLAN(let's call it 999) that can span our entire enterprise and would have dhcp deployed on it.
    Each port is connected to an IP phone which has a 2 port switch in them. One port to the wall, one to the pc.
    The switch ports on those phones support vlan tagging
    How would setup an exterior switch to access 2 vlans that connect to 2 port switch on an IP phone?

    To facilitate ease of deployment, use VTP so that you can centrally create the vlans and propagate to each exterior switch. Now I believe you already do have a layer 3 engine or router that does routing between all these vlans. What switches are used on teh exterior ? This is to find out if voice vlan support is available.
    In cat switches, voice vlan is created using command,
    set port auxiliaryvlan vlan
    In IOS based switches,
    int fa0/1
    switchport mode trunk
    switchport trunk encap dot1q
    switchport trunk native vlan
    switchport voice vlan
    switchport priority cos extend 0
    or
    int fa0/1
    switchport mode access
    switchport access vlan
    switchport voice vlan
    I am not sure about support of voice/aux vlan in 4003. We will have check your other switch models/ software versions to determine support for this command.

  • Failed while creating virtual Ethernet switch. Failed to connect Ethernet switch port

    Hello Folks
    I am completely stuck with the configuration of my virtual networks. I have one logical switch left to add to one of my Hyper-V 2012 R2 hosts when I started getting the error below when I try to add logical switches to either Hyper-V Host. I have been using
    the document. 'Hybrid Cloud with NVGRE (Cloud OS)' to implement the virtual networking. Basically using the exact configuration that is in the document. I have added the PA Logical Network and the Network adapters and added the logical switch for it to my
    hyper-v 2012 R2 host and everything was fine. I am now trying to add my ISCSI Logical Switch to the host and this is the error I get. My other Hyper-V host I get this error for any logical switch I am trying to add. Can someone help me with this error. I haven't
    been able to find any information about it.
    Also a some quick info on tracing an error like this so I can figure out what is causing it.
    Thsi is my configuration so far
    So as far as I know everything is peachy untill the error below. Dead stop now
    Error (12700)
    VMM cannot complete the host operation on the 08-NY-VHOST01.accounts.ccac-ont.ca server because of the error: Failed while creating virtual Ethernet switch.
    Failed to connect Ethernet switch port (switch name = '******', port name = '88C16766-ED02-4AC0-8CD7-660AC9D424DD', adapter GUID = '{FAF431D8-0124-4E40-BB3B-9234BAA02973}'): The system cannot find the file specified. (0x80070002).
    Unknown error (0x800b)
    Thank you for your time
    Christopher
    Christopher Scannell

    notice your GUID?  you may want to consider ensuring that is the same GUID associated in your database.  Sometimes during data corruption theres a smidge of a chance your sql database kind of either pulls old guids esp if this was reverted to snapshot
    without it being powered off etc.  
    I would try that first.  then i would consider if you get to configure that with your current liscense associated with the host.  I would need way more info to help any further

  • How to get Networking Switch Port Configuration (I guess SNMP4j will help)

    Greetings :)
    We have extreme Summit 450e switches installed in our organization. approximately 2000 desktops are connected to these switches.
    Now, I want to make a utility to get info from these switches, for example, which IP, MAC etc is running on a particular switch port. I want to extract these kind of info from all switches and export it into a database.
    Any help, how to start this work.
    Thanks...

    > Any help, how to start this work.
    First research what programmable interfaces it supports.  That includes any management API including SNMP, TCP and HTTP.
    And then from that figure out what you want to do with it.
    After you do both of the above then you start looking to java to program the solution.

  • Can't get switch ports to work

    Okay so I have a basic home lab, 2600 router x2 and 2900 XL switch x 2. I've connected each router together (they "see" each other in cdp), and each router to one switch. My problem is that the interfaces that the router connects to the switch won't accept an ip address, (it says unrecognized command) and the switch lights are off). A "show status" says only the trunk port (22 on each switch) are connected. I've checked the cabling, it works, and the cables are out of the box. What am I missing/forgetting?
    Sorry if i newb :\ I'm Looking forward to going over static routes xD
    Thanks,
    Devlin
    (I looked throught the documentation, maybe I missed it? I did a config reset on the switches. I bought these used, I hope they aren't broken :\)

    No, they don't work, POST is fine (The switches boot normally), CABLING IS FINE, they are NOT admin down
    Switch1#sho run
    Building configuration...
    Current configuration:
    version 12.0
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname Switch1
    ip subnet-zero
    !!!!! Omitted fa ports 1-24
    interface VLAN1
    no ip directed-broadcast
    no ip route-cache
    line con 0
    transport input none
    stopbits 1
    line vty 5 15
    end
    Switch1#sho int status
    Says every port except the ports trunking between the two switches is "not connected"
    !!!!!HERES AN EXAMPLE OF ON OF THE DOWN SWITCHPORTS!!!!!
    Switch1#sho int fa0/1
    FastEthernet0/1 is down, line protocol is down
    Hardware is Fast Ethernet, address is 00b0.647f.6681 (bia 00b0.647f.6681)
    MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive not set Auto-duplex , Auto Speed , 100BaseTX/FX ARP type: ARPA, ARP Timeout 04:00:00
    Last input never, output 1d23h, output hang never Last clearing of "show interface" counters never Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops
    5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 1 packets input, 64 bytes Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 watchdog, 0 multicast 0 input packets with dribble condition detected
    2 packets output, 424 bytes, 0 underruns
    0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier 0 output buffer failures, 0 output buffers swapped out
    Switch1# sh version
    Cisco Internetwork Operating System Software
    IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC8, RELEASE SOFTWAR
    E (fc1)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 19-Jun-03 13:09 by antonino
    Image text-base: 0x00003000, data-base: 0x0034E2F4
    ROM: Bootstrap program is C2900XL boot loader
    Switch1 uptime is 1 day, 23 hours, 31 minutes
    System returned to ROM by power-on
    System image file is "flash:c2900xl-c3h2s-mz.120-5.WC8.bin"
    cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K byt
    es of memory.
    Processor board ID FAA0402G17B, with hardware revision 0x03
    Last reset from power-on
    Processor is running Enterprise Edition Software
    Cluster command switch capable
    Cluster member switch capable
    24 FastEthernet/IEEE 802.3 interface(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:B0:64:7F:66:80
    Motherboard assembly number: 73-3425-10
    Power supply part number: 34-0920-01
    Motherboard serial number: FAA04019FEM
    Power supply serial number: NONE
    Model revision number: A0
    Model number: WS-C2924M-XL-EN
    System serial number: FAA0402G17B
    Configuration register is 0xF
    I'm really desperate here I have no idea what the problem is, and I cannot prepare for the exam without being able to assign ip addresses to the switch ports. If anyone can help me I would be EXTREMELY grateful.
    Thanks
    Devlin

  • Cisco Prime Infrastructure 2.0 Alarms (switch port down)

    We have a cisco Prime Infrastructure 2.0 managing switches, routers and AP.
    By default, when a port of a switch goes down, the cisco Prime Infrastructre generates a Critical Alarm for that. (this is a problem, because every phone of laptop disconnection will generate a critical alarm for me)
    I found out that if we go to Administration --> Alarm Severity --> Link down, I can change the Alarm from Critical to another type of alarm.(ex: warning)
    The problem is that I want to keep the Critical Alarm for my Uplinks ports and for some important switch ports, and I would like to make the alarm as warning for the normal user ports.
    I know that I can create Port Groupping and add ports to each group and apply monitoring templates on those groups. But This couldn't Help me solving my alarm problem.
    So I just need to know how to manage the alarms severity for each group of ports.
    Thank you

    Hi,
    Same problem here.
    I am using Cisco Prime Infrastructure 2.0 (evaluation version for 60 days). I want to deploy port monitoring for my trunk ports between switches and some other important ports e.g. servers. Basically I want to get alarms when these ports are down, there are errors on ports and etc.
    So in Design>Port Grouping I created User Defined group with important ports. In Deploy>Monitoring Deployment I selected Interface Health (default)>Deploy selected Port Groups and when selected port group I created.
    Now the rule shows Deployed: Yes and Status: Active. After that I just pulled out one port which was in monitored group, waited 5min as it is set in Interface Health (default) template, and nothing happened, and worse, alarms started to show up of other ports where regular users are connected (computers was turned off), which I do not want to see at all. I tried redeploy template, I even created my own template but still no desired result.
    Any suggestions how to make port monitoring work?

  • LMS 4.2 - How do I find switch ports that are configured as trunks.

    I've been tasked with finding all switch ports that are configured as Trunks. We plan to use LMS 4.2 to push (via Netconfig) new interface level commands to all user (non-trunked) ports. From my experience, this poses a problem because we do not know which ports are configured as trunks -vs- user ports.
    Using Netconfig is not going to be easy since there is no way to script this. It would be great if I could run a show command on a switch and then have CWSI peform a change based upon the output.
    In other words, we need a way to run a job based upon the output of a command.
    Is there a section of LMS that I could use for help with this?
    Thanks,

    You need to go to Monitoring>Dashboard. Here Just click the switch in the Llisted device and then click the interface you will find the all the down and Up interface with type of configuration (i.e. Trunk or Access.)

  • Switch port in dot1x multi-auth mode stops passing traffic

    Dear All,
    I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
    interface GigabitEthernet2/34
    switchport mode access
    ip arp inspection limit rate 30
    authentication host-mode multi-auth
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    dot1x pae authenticator
    dot1x timeout tx-period 5
    dot1x max-reauth-req 6
    spanning-tree portfast
    ip verify source vlan dhcp-snooping
    end
    It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occures. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
    Did anyone experience a simmilar problem? Any advice?
    Thanks.
    Mirek

    We have the same issue on 3750E switch running 12.2.(58)SE

  • 802.1X Authentication issues when moving between switch ports

    Hi Guys,
    We are having some issues at our office where when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features that MAC Move and MAC replace but they seem to be used when moving from one port a switch to another port on that same switch. Will MAC move help for issues between switches? And should I focus my attention on the switch's configuration or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
    My configuration we have on the switch ports look as follows:
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    dot1x pae authenticator
    Your help is greatly appreciated.
    Grant

    Hi Neno,
    Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
    Here is the config:
    aaa group server radius customer-nps
     server name radius1
     server name radius2
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius server radius1
     address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
     key 7 05392415365959251C283630083D2F0B3B2E22253A
    radius server radius2
     address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
     key 7 107C2B031202052709290B092719181432190D000C
    interface GigabitEthernet1/0/1
     switchport access vlan 300
     switchport mode access
     switchport voice vlan 2
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication periodic
     authentication timer reauthenticate 28800
     authentication timer inactivity 1800
     mab
     no snmp trap link-status
     mls qos trust cos
     dot1x pae authenticator
     auto qos trust cos
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     spanning-tree portfast
     spanning-tree bpdufilter enable

  • Lwapp capwap AP to act as a supplicant on a 802.1x enabled switch port

    Hi
    All our switchports is configured to validate the connected device with 802.1x
    However when a wireless accesspoint, that is running FlexConnect, is connected I have to make a "mac bypass" on the AP mac addess and add the multihost command to the port config.
    I really like to move away from the mac bypass, but keep the multihost command, and install a certificat on the AP. Have anyone any ideas about how to get the AP itself to auth?

    Hi,
    The AP can act as 802.1x supplicant if it is connected to a 802.1x enabled switch port.
    Cisco unified APs however supports only EAP-FAST as the EAP method.
    Here is a config example, hope it'll be useful.
    http://goo.gl/HMbiHL
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Switch port configuration for 3500i AP

    Hi,
    We are due to install a brand new enterprise WLAN based on the WiSM2 platform, 3502i AP and WCS. The APs will be plugged into the 2960S-24TPS-L.
    I have scanned over all documentation and cannot for the life of me find a recommended switch port configuration for connecting the AP to the switch in terms of speed / duplex etc. For example, should I just configure the port to auto detect, or is forcing the speed / duplex the way to go. I could also do with knowing other best practice configurations for AP connectivity.
    Any help would be greatly appreciated.
    Chris.

    The AP comes online with just auto detect, but I want to know if there are any benefits to forcing this to 1Gbps / Full duplex, or even if this is the right way to go. I suspect auto detect is the best method.

  • Template(best practice) for Switch ports

    Hi,
    Looking for best practice advice on switchport config for client facing ports.
    We recently had an incident where an access port turned into a trunk(trunk mode desirable), which we obviously do not want to happen again!
    For Access Ports(First two should stop DTP I'm hoping?):
    switchport mode access
    switchport nonegotiate
    storm-control broadcast level 20.00
    storm-control action trap
    no cdp enable
    spanning-tree portfast
    spanning-tree bpdufilter enable
    spanning-tree guard root
    switchport port-security maximum 10
    switchport port-security
    switchport port-security aging time 10
    And for trunk ports to clients:
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk allowed vlan xxx,xxx
    switchport nonegotiate
    storm-control broadcast level 20.00
    storm-control action trap
    no cdp enable
    spanning-tree bpdufilter enable
    spanning-tree guard root
    Thanks in advance.

    Look here: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html#wp68930
    That's Cisco's branch design doc from Design Zone.
    For those that want a fast answer:
    For VoIP phones and PC:
    interface GigabitEthernet1/0/6 - interface GigabitEthernet1/0/23
    description phone with PC connected to phone
    switchport access vlan 102
    switchport mode access
    switchport voice vlan 101
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 100
    load-interval 30
    srr-queue bandwidth share 1 70 25 5
    srr-queue bandwidth shape 3 0 0 0
    priority-queue out
    mls qos trust device cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 100
    For data only:
    interface GigabitEthernet1/0/24- interface GigabitEthernet1/0/28
    description DATA only ports
    switchport access vlan 102
    switchport mode access
    switchport port-security maximum 3
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 100
    load-interval 30
    srr-queue bandwidth share 1 70 25 5
    srr-queue bandwidth shape 3 0 0 0
    priority-queue out
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 100
    That's Cisco's recommendation.
    And just my opinion is that I'd much rather shut a port down that receives a BPDU than just filter it. Reason being that you can't trust users not to do something stupid, like hook two switch ports to the same switch they're using at their desk in an effort to "make the network faster". For two, if someone malicious plugs in a switch into your environment, shut the port down. . .that makes it hard for them to do anything malicious.

  • Multiple PWWN on single switch port

    Hi,
    I wanted to know, how its possible to have multiple PWWN on single switch port..??
    Whats the concept behind it..
    Thanks
    Rajeev.

    Hi Rajeev,
    The concepts that you are looking for is N Port virtualization (NPV) and N-Port ID Virtualization (NPIV).
    Fuurther details can be found via the following Cisco White paper
    http://www.cisco.com/en/US/prod/collateral/ps4159/ps6409/ps5989/ps9898/white_paper_c11-459263.html
    Hope that helps.
    Regards,
    Michael

  • AP 802.1X switched port-authentication

    Hi,
    I've setup EAP authentication (PEAP) to authenticate WLAN client on an AP.
    The AP is connected to a switch where the port is not configured for 802.1X.
    On this switched port I enabled, in multi-host, 802.1X to authenticate also the AP as a client, but since it's enabled I've not been able to authenticate anymore the WLAN client due to the fact that the port will not transition to Authorized
    If I connect on the same port a PC using 802.1X,this is working fine..
    Am I missing something to configure on the switch or AP ???
    Any suggestion are appreciated
    Regards
    Omar

    Omar,
    There's a gotcha with this...most likely a trunk issue...
    Here is a snippet for EAPOL guidelines:
    Authentication Configuration Guidelines
    This section provides the guidelines for configuring 802.1x authentication on the switch:
    802.1x will work with other protocols, but we recommend that you use RADIUS with a remotely located authentication server.
    802.1x is supported only on Ethernet ports.
    Software release 7.5(1) supports two in-band management interfaces, sc0 and sc1.
    802.1x authentication always uses the sc0 interface as the identifier for the authenticator when communicating with the RADIUS server.
    802.1x authentication is not supported with the sc1 interface.
    You cannot enable 802.1x on a trunk port until you turn off the trunking feature on that port.
    You cannot enable trunking on an 802.1x port.
    You cannot enable 802.1x on a dynamic port until you turn off the DVLAN feature on that port.
    You cannot enable DVLAN on an 802.1x port.
    You cannot enable 802.1x on a channeling port until you turn off the channeling feature on that port. You cannot enable channeling on an 802.1x port.
    You cannot enable 802.1x on a switched port analyzer (SPAN) destination port. You cannot configure SPAN destination on an 802.1x port. However, you can configure an 802.1x port as a SPAN source port.
    You cannot set the auxiliary VLAN to dot1p or untagged and the auxiliary VLAN should not be equal to the native VLAN on the 802.1x-enabled port.
    You cannot enable the multiple-authentication option on an 802.1x-enabled auxiliary VLAN port. Enabling the multiple-host option on an 802.1x-enabled auxiliary VLAN is not recommended.
    Do not assign a guest VLAN equal to an auxiliary VLAN because an 802.1x-enabled auxiliary VLAN port will not be put into the guest VLAN if the auxiliary VLAN on the port is the same as the guest VLAN.
    Here is the url for the link:
    http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080121d12.html#1029697

Maybe you are looking for

  • IDOC process in QM

    Hi,   Can any one help me to understand the use of IDOC Process in QM??? In which scenarios we will use IDOC in QM. 

  • MobileMe album login fails

    I published albums to MobileMe using usergroups (name/password). With my apple tv i cannot access the protected albums. I type the logins which work on Mac and PC but on AppleTV dont give access. I tried case sensitive. Any idea why login via AppleTV

  • TS3276 Mail accounts falling offline

    My mail accounts keep falling offline. I have to quit mail and restart it to get my accounts to come back online.

  • [Solved] Quick launch buttons not working

    So I bought the GT60 2OC 3k IPS edition around 3 months ago and it's been working more or less perfectly. However today I haven't been able to use any of the quick launch buttons, they don't even light up when clicked on. I tried reinstalling SCM mul

  • Quickest Way Of Getting H.264 Video Onto DVD?

    I have a number of videos on H.264 which I want to put onto DVD. The obvious way is to convert them to AIC or ProRes, put them in an FCP sequence and export to Compressor/DVDSP etc. Is there any quicker way (however dirty) or any method that saves th