How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

Good morning everybody,
I am writing because I have not been able to implement a desired outcome in our company network. The situation is as follows:
What I want to do is to be able to authenticate users (802.1x authentication) against our company RADIUS server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with it). The concept involves the configuration of both DATA and VOICE VLANs, as there is also phone authentication implemented. In order to simulate this environment I introduced a Dumb switch connected to my Cisco 2960 Catalyst.
What I have successfully managed to get to work so far is this:
1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation, as there is a separation into two domains – DATA and VOICE. Below is an output from show authentication sessions for this scenario.
Interface  MAC Address     Method   Domain   Status         Session ID          
Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic into two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
show authentication sessions:
Interface  MAC Address     Method   Domain   Status         Session ID          
Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
However, I cannot get authentication of multiple users from DIFFERENT VLANs to succeed, neither in multi-auth nor in multi-domain mode.
What I want to get is an output like this:
Interface  MAC Address     Method   Domain   Status         Session ID          
Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
I want the switch to authenticate the users any time they connect to it and for them to have instant access to the network. (I mention this because I tried scenario 1 with multi-domain mode and authentication violation replace, and it worked, but two users never had access to the “Internet” simultaneously!!!)
The configuration of the interface connected to the Dumb switch is as follows.
interface FastEthernet0/x
 description Connection to DUMBswitch
 switchport mode access
 switchport voice vlan XXX
 switchport port-security maximum 10
 switchport port-security
 switchport port-security violation protect
 authentication host-mode multi-auth
 authentication priority dot1x
 authentication port-control auto
 authentication timer reauthenticate 4000
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
The way I see it is explained in the following steps:
- PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
- When PC2 connects to the Dumb switch, this causes the violation replace, which replaces the most recently authenticated MAC address with the MAC of PC2. I would like it, once authenticated, to appear in the authentication sessions with a link to a new DATA domain tied to the VLAN assigned by the RADIUS server.
Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
Has anybody ever succeeded with such a configuration? If so, I would love to get some help in doing so.
Thank you
Stoimen Hristov

Hi Stoimen,
I have done a setup similar to yours, with the only exception being VLAN assignment. Using dACLs only makes things somewhat easier, as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
From what I can see, you have 2 options available to you:
1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the RADIUS server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google "Cisco IBNS quick reference guide" and look for the section that deals with Low Impact mode.
2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
Hopefully someone else will chime in with another option.
Xavier
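Added example for this thread (it is not Stoimen's, Xavier's or Cisco's code): a small audit script that parses the kind of "show authentication sessions" output quoted above and checks each port's authorized sessions against the host-mode the port is configured with. The sample output is constructed from the lines in the thread plus one invented failed session on Fa0/24 (MAC 0011.2233.4455), and the per-interface host-mode table is an assumed input that would normally come from the running config. The "(user1)" annotations are the poster's, not something the switch prints, so the parser treats them as optional.

```python
"""Audit 'show authentication sessions' output against each port's host-mode.

Added example for this thread, not the poster's or Cisco's code. The sample
output is constructed from the lines quoted in the thread plus one invented
failed session; the host-mode table is an assumed input.
"""
import re
from collections import Counter, defaultdict

# Constructed sample. The trailing "(user1)" annotations were added by the
# poster, not printed by the switch, so the parser treats them as optional.
SAMPLE_SESSIONS = """\
Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
Fa0/24     0011.2233.4455  dot1x    DATA     Authz Failed   C0A8FF69000000FA00A1
"""

# Assumed 'authentication host-mode' per interface (constructed values).
HOST_MODE = {"Fa0/23": "multi-domain", "Fa0/24": "multi-auth"}

# Authorized sessions each host-mode allows per domain (None = no ceiling).
# multi-domain: one DATA host and one VOICE host; multi-auth: one VOICE host
# and any number of DATA hosts.
LIMITS = {
    "multi-domain": {"DATA": 1, "VOICE": 1},
    "multi-auth": {"DATA": None, "VOICE": 1},
}

SESSION_RE = re.compile(
    r"^(?P<iface>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+"
    r"(?P<domain>\S+)\s+"
    r"(?P<status>.+?)\s+"          # e.g. 'Authz Success' (contains a space)
    r"(?P<sid>[0-9A-Fa-f]{16,})"   # session ID is a hex string
    r"(?:\s+\((?P<note>[^)]*)\))?\s*$"
)


def parse_sessions(text):
    """Return one dict per session line; the header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(m.groupdict())
    return sessions


def count_authorized(sessions):
    """Count 'Authz Success' sessions per interface and domain."""
    counts = defaultdict(Counter)
    for s in sessions:
        if s["status"] == "Authz Success":
            counts[s["iface"]][s["domain"]] += 1
    return {iface: dict(c) for iface, c in counts.items()}


def audit(sessions, host_mode):
    """Flag ports whose authorized sessions exceed their host-mode ceiling,
    ports with several DATA hosts (a shared downstream device), and any
    session that did not reach 'Authz Success'."""
    findings = []
    for iface, per_domain in sorted(count_authorized(sessions).items()):
        mode = host_mode.get(iface, "unknown")
        limits = LIMITS.get(mode, {})
        for domain, n in sorted(per_domain.items()):
            limit = limits.get(domain)
            if limit is not None and n > limit:
                findings.append(
                    f"{iface}: {n} {domain} sessions exceed the {mode} limit of {limit}")
        if per_domain.get("DATA", 0) > 1:
            findings.append(
                f"{iface}: {per_domain['DATA']} DATA hosts share one access port "
                "(unmanaged switch or hub downstream)")
    for s in sessions:
        if s["status"] != "Authz Success":
            findings.append(f"{s['iface']}: {s['mac']} {s['status']} ({s['method']})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sessions(SAMPLE_SESSIONS), HOST_MODE):
        print(finding)
```

Run against the constructed sample with Fa0/23 set to multi-domain, the audit reports that two DATA sessions exceed that mode's ceiling of one, that several DATA hosts share the port (which is exactly the dumb-switch situation described above), and that the Fa0/24 session failed. With Fa0/23 set to multi-auth the ceiling finding disappears, which matches what the thread observed: multi-auth lets several DATA hosts authorize on one port, but, as Xavier notes, an access port carries only one data VLAN, so they all have to land in the same VLAN.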

Similar Messages

  • How to provide access to  v$tables in oracle 10g to user

    Hi,
    Can anyone suggest to me how to provide access to v$ tables in Oracle 10g to a user?
    It is required for the auditor.
    Please help me.
    regards

    user12009184 wrote:
    HI have to provide access to all V$ tables
    it required for configuration of new tool.
    Thanks
    You can grant the select catalog role to the user. It should provide all the required access to the general v$* & dba_* views.
    GRANT SELECT_CATALOG_ROLE TO <username>;
    Let me know if this helps.
    Regards,
    Rizwan

  • Simulate Multiple users connecting to same session

    Hi All,
    Is there anyway we can simulate multiple users connecting to the same session in oracle using PL/SQL.
    Thanks,
    MK.

    As per the architects in our company, lots of users connect to the same session and access the database.
    Exactly what does this mean? A single session can service one user at a time. I would wager that the architects are envisioning (or describing) a connection pooling setup where the middle tier server maintains a relatively small number of connections to the database (each with its own session most likely) and users operate by getting a connection from the pool, making a request, and returning the connection back to the pool. At any given point, only one user can be using a connection.
    If that's the case, you would simulate this by simply executing code in a loop in PL/SQL.
    Of course, if this is the case, each connection in the connection pool would have its own copy of the collection and so each connection would get its own list of order numbers. You'd have to develop some way to ensure that each session populated its collection with a different set of order numbers.
    Justin

  • How to find the number of users  connected to database from OS level(Linux)

    Hi All,
    Does anyone know how to find the number of users connected to a database without connecting with SQL*Plus?
    Is there any command to find it?
    example we have 10 databases in one server, how to find the number of users connected to particular database without connecting to database(v$session)?
    oracle version:- 10g,11g
    Operating System:- OEL4/OEL5/AIX/Solaris
    any help will be appreciated.
    Thanks in advance.
    Thank you.
    Regards,
    Rajesh.

    Excellent.
    Tested, works as long as you set the ORACLE_SID first ( to change databases )
    ps -ef | grep $ORACLE_SID | grep "LOCAL=NO" | awk '{print $2}' | wc -l
    Thanks!
    select OSUSER
        from V$SESSION
    where AUDSID = SYS_CONTEXT('userenv','sessionid')
        and rownum=1;
    Best Regards
    mseberg

  • How can i set up multiple user accounts for my new ipad mini?

    The iPad mini is basically a one user device. There are no Accounts. You can set up restrictions so that only you can do certain things.

  • How do we set up multiple users?

    Create separate user accounts for each user. Use Accounts preferences or Users & Groups preferences depending on which version of OS X you are using.

  • How do I access my encrypted User Account files from my Back Up hard drive?  Time Machine  was used to create the back up disk; File Vault was used to encrypt the files.

    Thanks.  I will try going through TM.  Since my Simpletech is on the way out, I'll be plugging in a new external hard drive (other than the back-up drive) and trying to restore the library to the new drive.  Any advice or warning if this is NOT the right thing to do?
    Meanwhile, that is a great tip to do an alternate back-up using a different means.  It's been tough to figure out how to "preserve access" to digital images and files for posterity, knowing the hardware will always fail/obsolesce sooner or later, and that "clouds" are only as good as their consistent and reliable accessibility.  Upping the odds with redundancy will help dull the edge of my "access anxiety", though logically, it can never relieve it.  Will look into
    Carbon Copy Cloner.

  • How do I access external hard drive connected to AirPort Extreme via iPad

    Hello,
    How do I access external hard drive connected to AirPort Extreme via iPad / windows laptop.
    I do not have a Mac and I use a Windows laptop.

    For your iPad, you will need an app, like FileBrowser, to access the external drive.
    For your Windows laptop, you would access the drive like any other network share. The basic format is: \\<servername>\<sharename>, where, in this case, the servername is the base station name and the sharename is the name of the external drive.

  • How to change password of sys user connected as sysdba?

    I have connected with user name sys as sysdba in oracle 9i with password oracle.
    I want to change the password. I typed password and pressed enter. It asks me to type the old password, then the new password and retype the new password. When I press enter it gives the error message "ERROR:
    ORA-28008: invalid old password"
    Password unchanged.
    does anyone know about this...? how to change the password..?

    You may be using operating system authentication to log in as sys with sysdba privileges.
    By using password utility, you can change the password of sys user (which is in database) which is "change_on_install" when you create a database.
    You can change this password.

  • How to send emails to Multiple Users from a Single People Picker lookup field using Sharepoint designer workflow

    Hi All,
    I am working with SharePoint 2013 designer workflow. we are using office 365.
    Our requirement to send email to multiple users, get the user groups from lookup list people and groups column.
    But SP Designer is sending emails to the first user only.
    Please guide me to proceed.
    Thanks in advance.
    Regards
    Jenkins NS
    Thanks and Regards Jenkins

    finally I got a solution
     Identified a workaround to solve the issue using SharePoint designer.
    Step 1
    Create a lookup list Example department
    Columns
    Title (by default) – Single line of text
    Users – Person or Group
    Emails – Multiple lines of text
    Hide the Emails column (go to the content type and set the column as hidden)
    Create a SharePoint designer Workflow
    Start Workflow automatically when an item is created
    Also Start Workflow automatically when an item is changed
    Workflow Stage 1
    Set Emails to current Item: Users
    The workflow will get all users email ids and add in the Emails column delimiter as semicolon.
    Step 2
    Create a custom list to get the email ids and send email
    Create a lookup column ex: analysis and refer department list, Allow multiple values
    Then Create a SharePoint designer workflow
    For full details of the workflow steps, please follow the URL below:
    http://jenkinsblogs.com/2015/04/30/how-to-send-emails-to-multiple-users-from-lookup-list-people-picker-field-using-sharepoint-designer-workflow/
    Thanks and Regards Jenkins

  • How to provide access to login oem to another user except sysman?

    Hi,
    I have installed Oracle Grid 10.2.0.3 on a Windows 2003 server and configured 10 servers and 15 databases in OEM. I created one user in the OEM repository database. That user should access only two databases through OEM. How do I configure this?
    Thanks,

    You should not create a super administrator to meet your requirement. So, uncheck the 'super administrator' and choose only the targets which you need to provide access. Follow all the six steps of user creation. You can also provide a full access or just view only.

  • How to make Adobe acrobat feature to convert SAP  Pages to PDF available for multiple users connected to the same server

    We have installed Adobe Acrobat X Pro - English, Francais, Deutsch version 10.1.9 in our test environment and tried testing it for converting SAP pages into PDF with a few pilot users. In doing so we faced a challenge, where only one user at a time can use Adobe Acrobat Pro to convert SAP pages into PDF. As long as the first user who is connected to Adobe Acrobat Pro via SAP isn’t logged off, other users connected to the same server are not able to get the “Save As” dialog box to save the PDF in their preferred location.
    This is a business requirement and we need an urgent solution for the same. Can anyone help us in telling us if this is possible and, if yes, how to go about it?

    It's not something we deal with here, the LiveCycle products are a different world. Key points: Adobe LiveCycle is a range of products, some desktop, some server. LiveCycle PDF Generator is the one you should look at, it comes in 3 editions. License terms are by negotiation. Key management is via its Java API.

  • How to make Adobe acrobat feature to convert SAP  Pages to PDF available for multiple users connected to the same Citrix server

    Hi,
    In my previous endeavours to solve this business requirement where multiple users will be able to use the Adobe acrobat feature to convert SAP pages inside SAP to PDF, I was told that it is not possible to do this for multiple users at the same time. However I have found an article according to which it says it is possible. Could you check it once and let me know if this article can be used for implementing the requirement stated above as this link clearly indicates that Adobe Acrobat is supported on Citrix.
    Please find the link below, where it states that Adobe Acrobat is supported on Citrix for multiple users.
    http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/citrix.html

    1. What is the Acrobat feature that you mean? There's nothing specific to SAP included with Acrobat.
    2. Yes, some Terminal Server configurations appear supported (check carefully). All users of the terminal server will need a license, so far as I know - total licenses = total individual people using.

  • Multiple Users Connected to Airport Disk at Same Time

    It used to be that I could have multiple user accounts on my MBP connected at the same time to my AirPort Extreme Base Station (802.11n). Now, every time I switch users, I have to reconnect to the AEBS, which in turn seems to disconnect the other user. File Sharing is set up to allow connections via the AEBS password, which always worked fine in the past.
    I'm not sure what has changed in my setup, other than installing Snow Leopard (which I don't assume changed anything in this regard).
    Any ideas will be most appreciated.

    Sorry no one has answered this question. I have the exact problem. I have two user accounts on my MBP. I selected connecting AEBS via AEBS password, too. I can connect with one account and see everything on the disk. When I switch to the other account, it sees the disk but nothing on it. If I disconnect from the disk in that account and then reconnect to the disk, the second account sees everything on the disk. Switching back to the first account, it now can see nothing on the disk and the disk emblem has an icon on it which indicates no access. Clicking on the disk tells me I have no access privileges for the disk. I can then do the same as I did on the second account - use the disconnect button, reconnect, and then all files appear. Of course, when going back to the second account, it can no longer access the information. I can do this all day switching back and forth, disconnecting and reconnecting. Obviously, this is not the way it is supposed to work.
    I am using snow leopard also.
    I have tried setting the disk up by using accounts - created two user accounts and passwords in the AirPort Utility application. I can access the disk but nothing shows up on it. I suppose I could have created stuff on it and it would not have been available to the other account. Still, not the way I want to use it. I think I tried using the disk password method also and I think it reacted just like the user account issue, or maybe the other; neither will keep both users logged in with access to whatever is on the disk, which is how I want to use it.
    I add this reply in hopes that someone will read both accounts and give us both an answer. OR, if the original poster now has the answer, please provide!!!
    Troup Nightingale

  • How Can I Login To Multiple User Accounts Simultaneously

    I am using an Intel iMac (2GHz Intel Core 2 Duo) with 1GB of memory and 10.4.11. I have Fast User Switching enabled. I restart the Mac every morning. Then I login to a second user account. While at work, I access these accounts via VNC.
    Sometimes I forget to login to the second user account. I do it from work via VNC, which sometimes causes complications.
    Does OSX support simultaneous multiple user account login? If not, is there a work-around solution such as an AppleScript? This would provide a time savings to me, as well as a convenience if I forgot to login to the second user account before leaving home.
    Thank you.
    Kurt R. Todoroff

    Seems to me, in another discussion, the simple Fast User Switching does not
    do much really fast or automatically; there are a few faster steps than having
    to log into each and every account change (even when FUS is enabled) so
    this later development sounds a little more automatic, esp over a distance.
    Is there a third party app or valid script that can do the multiple logins automatically
    after the first-run; so passwords need not be re-entered, and the screen can just
    switch over "fast" to another open account window, ready to go to work in there?
    {And not just a keyboard shortcut to save a few little steps, overall.}
    Whichever way the road turns...
    Good luck & happy computing!
    {edited}
