IAS authentication with 200 series switches based on MAC addresses

Hi,
I try to implement a solution based on a 2003-Server with IAS and a switch (from the 200 series) just to authenticate machines with their MAC addresses.
I think the config on the switch is ok but I'm facing questions about parameters to put in IAS...
Can someone help me or give me a link to a good document that explains the 'how-to'?
Many thanks

I have just done some more testing.
I added the authentication mac-move permit command to the switch and it now almost works as expected.
The scenarios now are:
Machine without dot1x supplicant plugged into phone, when unplugged the switch immediately deletes the mac address from the port.
Machine with dot1x supplicant plugged into phone, exactly the same.
Machine without dot1x plugged directly into port, exactly the same.
Machine with dot1x plugged directly into port exactly the same.
The problem is if someone has a machine running a dot1x supplicant and hosting a VM.
In that case as long as you move to a different port on the same switch it works fine (as the workstation reconnects the mac-move process works).
If you move this machine from one switch to another with the IP phone installed, the de-auth message removes the VM or the host from the original switch mac table and leaves one of the old addresses behind.
I suppose a solution would be to ban all VMs but that won't go down well.
I don't want to change the authentication method as we will have machines without a supplicant that need to connect to resources (i.e. using mab)
Thanks for your help (and a faster reply than my support company who still haven't rung me back).
Giles

Similar Messages

  • ISE mab authentication with Avaya/Nortel switches

    Currently using Cisco ISE 1.1 to authenticate both dot1x and mab from Cisco switches. Both features are authenticating properly.
    When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
    Could this be an issue with the username/password format in the Radius packet from the Cisco?
    Thanks in advance for any assistance.
    -Kurt

    As requested...
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc22732
    MAB works from a cisco switch because the cisco switch places the mac address in the calling-station-attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name. This is the problem.
    The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address.
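The attribute mismatch described in this reply can be reproduced offline. The following is an added example, not code from the thread or from any vendor: it parses two constructed RADIUS Access-Request packets and looks the endpoint up first by Calling-Station-Id only, then with a fallback to User-Name. The MAC address, the endpoint list and the assumption that the second switch sends no Calling-Station-Id are all made up for the illustration.

```python
import re
import struct

USER_NAME = 1            # RFC 2865 attribute type 1
CALLING_STATION_ID = 31  # RFC 2865 attribute type 31


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    digits = re.sub(r"[-:.]", "", value.strip())
    if re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return digits.lower()
    return None


def build_access_request(identifier, attrs):
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b""
    for attr_type, text in attrs:
        data = text.encode("ascii")
        body += bytes([attr_type, len(data) + 2]) + data
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Parse the 20-byte header and the TLV attributes; return {type: [bytes]}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def mab_identity(attrs, sources):
    """Return the first normalized MAC found in the listed attribute types."""
    for attr_type in sources:
        for raw in attrs.get(attr_type, []):
            mac = normalize_mac(raw.decode("ascii", "replace"))
            if mac:
                return mac
    return None


def authorize(packet, sources, endpoints):
    """True if the MAC taken from `sources` is a known endpoint."""
    mac = mab_identity(parse_attributes(packet), sources)
    return mac is not None and mac in endpoints


# Constructed sample data (not taken from the thread).
ENDPOINTS = {"001122aabbcc"}
# Switch A: MAC in both User-Name and Calling-Station-Id.
REQ_BOTH = build_access_request(1, [
    (USER_NAME, "001122aabbcc"),
    (CALLING_STATION_ID, "00-11-22-AA-BB-CC"),
])
# Switch B (assumption): MAC only in User-Name, different delimiter.
REQ_USER_ONLY = build_access_request(2, [(USER_NAME, "00:11:22:aa:bb:cc")])

if __name__ == "__main__":
    for name, req in (("both", REQ_BOTH), ("user-name only", REQ_USER_ONLY)):
        strict = authorize(req, (CALLING_STATION_ID,), ENDPOINTS)
        fallback = authorize(req, (CALLING_STATION_ID, USER_NAME), ENDPOINTS)
        print(f"{name}: calling-station only={strict}, with fallback={fallback}")
```

The second request is rejected by the Calling-Station-Id-only lookup even though the same MAC is in the endpoint list, which matches the symptom reported in the question.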

  • Creating NAC remediation rules based on MAC address

    Hi All,
    Any idea please. Is it possible to control PCs allowed on the network based on a MAC address list in NAC? I.e. create a list of MAC addresses for PCs on my network in NAC; then each PC is granted network access (passed NAC authentication and remediation) on the network only if its MAC address is in that list.
    So my checks will be:
    1. Have antivirus updated
    2. Have antispyware updated
    3. Have windows updates installed
    4. Have MAC address registered in the MAC list
    5. etc.
    Then after the above checks pass --> GRANT network access.
    regards,
    Stanlaus.

    I have been doing some of this, and while it does provide some of the functionality that is lost without the ability to apply rules only to read messages, it is not a complete solution. One of the biggest drawbacks is that it is not easy to selectively limit what new mail shows up the smart mailbox. One approach that works, sort of, is to limit the smart mailbox to only messages from people in my address book. However, not all relevant messages are from people already in my mailbox, so it requires constantly double checking to make sure that things are slipping through the cracks.
    The best thing about being able to apply rules, after receiving them, based on the status of a message is that it puts the control in the users hands. It allows you to selectively apply rules, only when you want to apply them. Rather than always/never, you have the ability to apply rules "sometimes/as needed." It allows for fuzzy logic, rather than hard conditions.

  • Tcl script to change access vlan based on MAC address

    Hello all.  I'm looking for some input on how best to handle this situation. I have a large network with a lot of remote offices where we have limited control over users moving around patch cables. We're using vlan-based QoS in these offices to mark voice, video, data, etc. The problem I'm having is that our users are moving video conferencing equipment to different interfaces on our switches, which puts the VTC unit in a different vlan, fouling our QoS policy.  They then call and complain about poor video quality.
    I'm trying to come up with a way to automate putting the interface in the video vlan if a VTC unit is connected. All of our video conferencing units are from the same vendor, so they have the same OUI in the MAC address. The script I've been working on looks for a line protocol up event, then checks to see what access vlan is configured on the interface. If the interface is already in the video vlan, the script exits.  If the interface is not in the video vlan, the script looks at the MAC address table for the interface and if the OUI matches a VTC unit, the script changes the interface configuration. My question is, is there a better event to trigger script execution? Maybe a MAC notification trap, or something else? Line protocol transitions when the access vlan is changed, so the current script runs twice: once when the interface first comes up with a new connection, and again when the vlan is changed.
    Script is attached.  Any help or advice is appreciated!

    Does your video equipment use CDP?  If so, then you can use the neighbor-discovery event detector to only react when you see a media endpoint being connected to a port.  Yes, MAC address notifications (the mat ED) can also work if you know the MACs of your media endpoints.

  • DHCP to send different Gateways based on MAC-Addresses

    Hello,
    I would like to use the built-in DHCP server to send out different Gateways based on the clients' MAC-Addresses.
    I have already managed to assign "static" IP addresses using the DHCP server to specific MAC addresses.
    Is this possible or do I need additional software?
    thanks for your help

    The basic IP networking construct here is the IP subnet (and the subnet mask); that's how you set up groups of related network hosts in an IP network. Hosts within a subnet tend to have the same DNS and gateway router and related pieces configured, and one DHCP server and such. (That's not strictly necessary, but...)
    Launch Server Admin, select the DHCP service, set up subnets via the DHCP service by subnet mask, and establish DNS and default router settings there for each of the subnets.
    Then set up static maps for the MAC address(es) associated with the hosts, and drop the static IP addresses into the particular subnet you want the host associated with.
    You will want to leave room in the subnet for both the DHCP allocations (if any) and for the static hosts mapped into the subnet via MAC address.
    There well may be a better way here, but this will get you where you want. (And the Network Services Administration manual - which you'll need to read - does seem a bit confusing around this particular sequence.)
    nb: I don't have a "scratch" Leopard Server configuration handy to test and confirm this sequence.
    nb: Xserve boxes require a little extra thought, given each Xserve box tends to have four MAC addresses.

  • VLAN Select - Interface dirty - Index based on Mac Address

    Hello Experts,
    we are testing the VLAN Select Feature with a 5508 controller, version 7.0.230 and two /23 DHCP Scopes on an external dhcp server. Our cookbook is the following document:
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bb4900.shtml
    Now I have a few questions:
    1 - Is there any chance to see the calculated index based on the Mac Address by which the interface is assigned to the client? I tried "debug client MAC-ADDRESS" and "debug dhcp". Maybe I overlooked it, but I can't find any information on that index.
    2 - Is there a cli command to delete the index? It would be great for testing purposes and troubleshooting.
    3 - Is there a cli command to look, if the interface is "dirty"?
    4 - Our DHCP Server has a lease time of 5 Minutes. Is it possible to set the interface dirty time to a value less than 30 minutes?
    Best Regards,
    Michael

    I know this is an old post - but I ran across it trying to find an answer to the same questions.
    Did you ever find any answers?  I did find an answer to question 3, show interface group detailed.
    But I haven't found a way to delete the indexes short of rebooting all the controllers, and apparently you would have to reboot them all at the same time.

  • User Control System based on MAC address?

    I wonder how can I make a user control system for my website based of visitor's computer's MAC addresses?
    Is it possible to get MAC address of visitors of my site in FLASH? If possible how?
    Thanks for reply in advance

    Not possible through flash player. You may advocate javascript approach and use it in combination with Flash.

  • 802.1x phone with two MAC address

    Hello,
    I have following scenario: Computers are connected behind phones, and phones are authenticating with MAB. The problem is with phones, because they have two mac addresses one is in voice vlan and another is in data vlan. Both phone and computer are authenticated successfully but when switch sees additional MAC address of phone in data vlan it shuts down port. Here is sample configuration:
    interface FastEthernet0/1
    switchport mode access
    switchport access vlan 10
    switchport voice vlan 15
    authentication host-mode multi-domain
    authentication port-control auto
    dot1x pae authenticator
    authentication violation shutdown
    mab
    spanning-tree portfast

    Can you verify if the phone's mac address is being learned on the data vlan and the voice vlan? Because cisco phones use cdp to discover if a voice vlan is configured on the switchport before forwarding traffic.
    Please issue a show mac address table interface x/y after bouncing the port to see what is causing the port to error disable.
    Also what version of code is running on the switch and phone?
    Thanks

  • Authentication with MS-IAS / AD

    I'm trying to control access to my LAN by authenticating users with EAP / MSIAS + AD.
    The IAS denied the access with error 112: The remote RADIUS server did not process the authentication request.
    I set up the IAS policy to answer with vendor specific 64:"VLAN", 65:802, 81:10
    Has somebody already managed to use MS-IAS Radius authentication with a Cisco switch 2960?
    Mon Jun 28 12:22:49 2010: <191>4105: Jun 28 12:22:49.122 UTC+1: RADIUS(00000098): Send Access-Request to 10.221.136.14:1645 id 1645/56, len 211
    Mon Jun 28 12:22:49 2010: <191>4106: Jun 28 12:22:49.122 UTC+1: RADIUS:  authenticator 91 EC 87 87 89 0E AF 79 - 76 CE 5A 61 ED 1A D7 AC
    Mon Jun 28 12:22:49 2010: <191>4107: Jun 28 12:22:49.122 UTC+1: RADIUS:  User-Name           [1]   17  "EUROPE\ParisAdm"
    Mon Jun 28 12:22:49 2010: <191>4108: Jun 28 12:22:49.122 UTC+1: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mon Jun 28 12:22:49 2010: <191>4109: Jun 28 12:22:49.122 UTC+1: RADIUS:  Framed-MTU          [12]  6   1500                     
    Mon Jun 28 12:22:49 2010: <191>4110: Jun 28 12:22:49.122 UTC+1: RADIUS:  Called-Station-Id   [30]  19  "00-24-51-55-47-84"
    Mon Jun 28 12:22:49 2010: <191>4111: Jun 28 12:22:49.122 UTC+1: RADIUS:  Calling-Station-Id  [31]  19  "00-14-22-BF-46-40"
    Mon Jun 28 12:22:49 2010: <191>4112: Jun 28 12:22:49.122 UTC+1: RADIUS:  EAP-Message         [79]  22 
    Mon Jun 28 12:22:49 2010: <191>4113: Jun 28 12:22:49.122 UTC+1: RADIUS:   02 02 00 14 01 45 55 52 4F 50 45 5C 50 61 72 69 73 41 64 6D   [ EUROPE\ParisAdm]
    Mon Jun 28 12:22:49 2010: <191>4114: Jun 28 12:22:49.122 UTC+1: RADIUS:  Message-Authenticato[80]  18 
    Mon Jun 28 12:22:49 2010: <191>4115: Jun 28 12:22:49.122 UTC+1: RADIUS:   27 E9 35 4C C3 69 99 B0 1B D9 3A 08 84 C0 71 E4            [ '5Li:q]
    Mon Jun 28 12:22:49 2010: <191>4116: Jun 28 12:22:49.122 UTC+1: RADIUS:  Vendor, Cisco       [26]  49 
    Mon Jun 28 12:22:49 2010: <191>4117: Jun 28 12:22:49.122 UTC+1: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE030000006B13A4833C"
    Mon Jun 28 12:22:49 2010: <191>4118: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Mon Jun 28 12:22:49 2010: <191>4119: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-Port            [5]   6   50004                    
    Mon Jun 28 12:22:49 2010: <191>4120: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-Port-Id         [87]  17  "FastEthernet0/4"
    Mon Jun 28 12:22:49 2010: <191>4121: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.3            
    Mon Jun 28 12:22:50 2010: <191>4122: Jun 28 12:22:49.206 UTC+1: RADIUS: Received from id 1645/56 10.221.136.14:1645, Access-Reject, len 20
    Mon Jun 28 12:22:50 2010: <191>4123: Jun 28 12:22:49.206 UTC+1: RADIUS:  authenticator CC 28 1A 22 28 32 F2 27 - 79 1F 2B 01 32 C5 AD BC
    Mon Jun 28 12:22:50 2010: <191>4124: Jun 28 12:22:49.206 UTC+1: RADIUS(00000098): Received from id 1645/56
    Mon Jun 28 12:22:52 2010: <187>4125: Jun 28 12:22:50.842 UTC+1: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
    Thx for your help
    Pascal

    You need to have 3 policies created in IAS. Each will define the ssid and the AD group the user belongs to. So on the wlc, do you have 3 ssids and each has its own vlan?

  • Series 200 Smart Switch not communicating, DHCP blocked

    I have a small, simple small business network.  There are 2 switches - an 8-port switch connected to my main Windows server (which is the DHCP provider for the network), and a 24-port switch which is plugged into the 8-port switch.
    I replaced these switches (Dell unmanaged switches) with the Cisco 200 series smart switches (the 8-port and 26-port models).  When I plug the 26-port switch into the 8-port switch, it is unable to get its DHCP address from the Windows server.  Also, any device plugged into the 26-port switch cannot communicate with any other device, and all of the ethernet port lights flash at the same time at the same frequency - quite a light show!
    If I plug the Windows server DIRECTLY into the 26-port switch it receives a DHCP address.
    I have tried a 2nd Cisco 26-port switch and it does the same thing, so I assume it is not a hardware issue.
    What is the solution to this problem?

    Louis,
    Try this, go into the first 200 series switch that is connected to the server and go to the spanning tree tab. 
    Under the spanning tree tab properties, set the bridge priority to 0.  This makes this switch the spanning tree root.
    Try this and see if the second switch passes traffic and receives an IP address.

  • ACS V4.1 How to separate MAC addresses in an Authentication rule....?

    I'm configuring Agentless Authentication based on MAC addresses sent from the access switch using MAB (MAC Authent. Bypass). I got it up and running, but with just one MAC address configured in the Authentication rule. When I try to configure more than one address in the rule, I get an error saying this is not a MAC address. How do you separate the MAC entries in the same Authentication rule? The doc says you can configure 10.000 addresses in one rule.

    The ACS can authenticate MAC addresses sent from an AP/Switch. A properly configured AP/Switch will attempt to authenticate a MAC address using Secure-PAP authentication with the ACS. The MAC addresses are entered into the ACS as users, with the username and password being the MAC address.
    1. From the ACS main menu, click on the USER SETUP button.
    2. In the USER text box, type the MAC address to add to the user database. Use no dashes, periods, or any other delimiter.
    At the USER SETUP screen, enter the MAC address in the SECURE-PAP PASSWORD text box.
    3. Click the SUBMIT button.
    Adding the AP/Switch to the ACS server
    1. From the ACS main menu click on the NETWORK CONFIGURATION button.
    2. Click on the ADD ENTRY button.
    3. Configure the DNS name of the AP, the IP address of the AP, the RADIUS shared secret and the Authentication method.
    4. Make sure to select RADIUS (Cisco Aironet) in the AUTHENTICATE USING drop down menu.
    5. To complete, click the SUBMIT+RESTART button.

  • How do I restrict access to Wireless router (800 series) by mac address

    I hope I'm in the correct area.
    I'm trying to deny access to 3 wireless devices to the cisco 800 series wireless router.
    The MAC addresses are:
    MAC Address    IP address      Device        Name            Parent         State
    0014.6caf.410a 192.168.2.26    unknown       -               self           Assoc
    9803.d8ba.cd42 192.168.2.41    unknown       -               self           Assoc
    a4d1.d205.72e1 192.168.2.25    unknown 
    If this cannot be done, is it possible to assign the mac address to an ip address and then deny access to the ip address?
    Thanks
    Jon

    Hello Jon,
    You should be able to do it either way. Best way would be by IP address so you do not even allow the host to associate with your AP.
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Adobe Premiere Pro CS6 crashes with not finding a capable play module on a windows desktop with a AMD Radeon R9 200 series board.

    I installed Premiere Pro CS 6.0 on a brand new system.
    Win 8.1,
    i7 3.4 GHz on an Asus Sabertooth
    16 Gig memory
    AMD Radeon R9 290 Graphics Board with the latest drivers and Bios.
    On starting Premiere I get the (as I noticed quite frequent appearing) error message that Premiere cannot find a capable play module and the suggestion to update my video drivers.
    I tried everything I found in this forum or on the web:
    Installed the latest drivers
    Run the program as an administrator
    Updated the Graphics board Bios
    Updated Premiere CS6
    Started Gpusniffer in CMD-mode to find out what board it found and added that to the cuda_supported_cards.txt in the Premiere directory.
    All to no avail. The app will simply not start.
    The Gpusniffers report states:
    Loadlibrary “n” failed 
    Loadlibrary “n” failed 
    --- OpenGL Info ---
    Vendor: ATI Technologies Inc.
    Renderer: AMD Radeon R9 200 series
    OpenGL Version: 4.4.13084 Compatability Profile Context 14.301.1001.0
    GLSL Version 4.40
    Monitors: 1
    Monitor 0 properties –
    Size: <0, 0, 1920 1080>
    Mex texture size: 16384
    Support non-power of two: 1
    Shaders 444 :1
    Shaders 422: 1
    Shaders 420: 1
    --- GPU Information Info –
    Did not find any devices that support GPU computation.
    As I invested a lot in the CS6 Master Collection I am not considering an update to the CC version, also because the same problem occurs in that version too.
    I would be much obliged if someone has an answer that truly will work.  This problem cost me the best part of two days’ work and fouled up my workflow considerably.

    ==========
    I tried to go into display settings and disable the Intel card. (this caused low resolution which is unacceptable)
    ==========
    This makes me think it's using that graphics "card" ( probably built into mobo ? ...called 'onboard graphics ? )
    This stuff gets tricky and sometimes the only way to make windows 'recognize' the pci graphics card is to actually take it out and boot, and then put it back in...
    Then you get mssg " windows detected new hardware" and you install the drivers...
    usually bios gives you choice of using onboard graphics or not ( but this too is wanky sometimes...sorry to say ...)
    I recently ( this past year ) had a similar sort of situation but have a desktop, where its easy for me to take off side panel and pull the pci-e graphics card and boot, and get that horrible low res default screen...turn off, install card, reboot etc...
    but anyway, it sounds to me like your notebook is using that mobile graphics driver stuff and not the radeon. Somehow you've got to make it switch to that graphics card, and that is maybe your solution.
    sorry I dont have notebook but maybe someone else here does and can help more...
    good luck.
    ps..its always a weird fact of life...when things aren't working 'right' something has to get done fast....
    edit:
    I dont know how much you know about windows stuff, but after you disable that intel thing and get your low res screen.. you DID try to update the driver for that card using 'my computer / device manager  '   right ??

  • Ask the Expert: Different Flavors and Design with vPC on Cisco Nexus 5000 Series Switches

    Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about Cisco® NX-OS.
    The biggest limitation to a classic port channel communication is that the port channel operates only between two devices. To overcome this limitation, Cisco NX-OS has a technology called virtual port channel (vPC). A pair of switches acting as a vPC peer endpoint looks like a single logical entity to port channel attached devices. The two devices that act as the logical port channel endpoint are actually two separate devices. This setup has the benefits of hardware redundancy combined with the benefits offered by a port channel, for example, loop management.
    vPC technology is the main factor for success of Cisco Nexus® data center switches such as the Cisco Nexus 5000 Series, Nexus 7000 Series, and Nexus 2000 Series Switches.
    This event is focused on discussing all possible types of vPC along with best practices, failure scenarios, Cisco Technical Assistance Center (TAC) recommendations and troubleshooting.
    Vishal Mehta is a customer support engineer for the Cisco Data Center Server Virtualization Technical Assistance Center (TAC) team based in San Jose, California. He has been working in TAC for the past 3 years with a primary focus on data center technologies, such as the Cisco Nexus 5000 Series Switches, Cisco Unified Computing System™ (Cisco UCS®), Cisco Nexus 1000V Switch, and virtualization. He presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE® certification (number 37139) in routing and switching, and service provider.
    Nimit Pathak is a customer support engineer for the Cisco Data Center Server Virtualization TAC team based in San Jose, California, with primary focus on data center technologies, such as Cisco UCS, the Cisco Nexus 1000v Switch, and virtualization. Nimit holds a master's degree in electrical engineering from Bridgeport University and has CCNA® and CCNP®. Nimit is also working on a Cisco data center CCIE® certification while also pursuing an MBA degree from Santa Clara University.
    Remember to use the rating system to let Vishal and Nimit know if you have received an adequate response. 
    Because of the volume expected during this event, Vishal and Nimit might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure Community, under the subcommunity LAN, Switching & Routing, shortly after the event. This event lasts through August 29, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Gustavo
    Please see my responses to your questions:
    Yes almost all routing protocols use Multicast to establish adjacencies. We are dealing with two different type of traffic –Control Plane and Data Plane.
    Control Plane: To establish Routing adjacency, the first packet (hello) is punted to CPU. So in the case of triangle routed VPC topology as specified on the Operations Guide Link, multicast for routing adjacencies will work. The hello packets will be exchanged across all 3 routers and adjacency will be formed over VPC links.
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_L3_w_vpc_5500platform.html#wp999181
    Now for Data Plane we have two types of traffic – Unicast and Multicast.
    The Unicast traffic will not have any forwarding issues, but because the Layer 3 ECMP and port channel run independent hash calculations there is a possibility that the Layer 3 ECMP chooses N5k-1 as the Layer 3 next hop for a destination address while the port channel hashing chooses the physical link toward N5k-2. In this scenario, N5k-2 receives packets from R with the N5k-1 MAC as the destination MAC.
    Sending traffic over the peer-link to the correct gateway is acceptable for data forwarding, but it is suboptimal because it makes traffic cross the peer link when the traffic could be routed directly.
    For that topology, Multicast Traffic might have complete traffic loss due to the fact that when a PIM router is connected to Cisco Nexus 5500 Platform switches in a vPC topology, the PIM join messages are received only by one switch. The multicast data might be received by the other switch.
    The Loop avoidance works a little differently across Nexus 5000 and Nexus 7000.
    Similarity: For both products, loop avoidance is possible due to the VSL bit.
    The VSL bit is set in the DBUS header internal to the Nexus.
    It is not something that is set in the ethernet packet that can be identified. The VSL bit is set on the port asic for the port used for the vPC peer link, so if you have Nexus A and Nexus B configured for vPC and a packet leaves Nexus A towards Nexus B, Nexus B will set the VSL bit on the ingress port ASIC. This is not something that would traverse the peer link.
    This mechanism is used for loop prevention within the chassis.
    The idea being that if the port came in the peer link from the vPC peer, the system makes the assumption that the vPC peer would have forwarded this packet out the vPC-enabled port-channels towards the end device, so the egress vpc interface's port-asic will filter the packet on egress.
    Differences:  In Nexus 5000 when it has to do L3-to-L2 lookup for forwarding traffic, the VSL bit is cleared and so the traffic is not dropped as compared to Nexus 7000 and Nexus 3000.
    It still does loop prevention but the L3-to-L2 lookup is different in Nexus 5000 and Nexus 7000.
    For more details please see below presentation:
    https://supportforums.cisco.com/sites/default/files/session_14-_nexus.pdf
    DCI Scenario:  If 2 pairs are of Nexus 5000 then separation of L3/L2 links is not needed.
    But in most scenarios I have seen pair of Nexus 5000 with pair of Nexus 7000 over DCI or 2 pairs of Nexus 7000 over DCI. If Nexus 7000 are used then L3 and L2 links are required for sure as mentioned on above presentation link.
    Let us know if you have further questions.
    Thanks,
    Vishal

  • Are 300 Series switches compatible with pre-standard PoE detection in old Cisco phones?

    Are 300 Series switches compatible with pre-standard PoE detection in old Cisco phones? They don't seem to be (a 7902G won't power on when connected to an SF302-08MP with firmware version 1.1). Is any special configuration needed on the switch to enable this detection?

    Please note that the 200 and 300 Series switches now support Cisco Legacy POE as of September 2011, allowing it to deliver power to 7960, 7940, and other pre-standard phones and APs. Details provided at the following link:
    https://supportforums.cisco.com/docs/DOC-18337
