IronPort Port Based HA

Similar Messages

• How to do .1x port based network access authentication through ACS

  How to do .1x port based network access authentication through ACS.

  Hi,
  802.1x can authenticate hosts either through the username/password or either via the MAC address of the clients (PC's, Printers etc.). This process is called Agentless Network Access which can be done through Mac Auth Bypass.
  In this process the 802.1x switchport would send the MAC address of the connected PC to the radius server for authentication. If the radius server has the MAC address in it's database, the authentication would be successful and the PC would be granted network access.
  To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
  To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
  Regards,
  Kush

• Port-Based Authentication on 877

  Hi 
  I have applied following commands to enable Port-Based Authentication but when I run command sh mac address-table it shows static mac on this port   (  xx    0000.xxxx.xxxx    STATIC      Gi1/0/3) .  
  authentication control-direction in
  authentication event fail retry 1 action authorize vlan xx
  authentication event no-response action authorize vlan xx
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication port-control auto
  authentication violation protect
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 10
  dot1x timeout supp-timeout 10
  As I remove command authentication port-control auto then sh mac address-table  command shows me DYNAMIC MAC.
  Anyone can please let explain me why it is happing 
  Regards,

  Any input?

• IEEE 802.1x port-based authetication

  I want to configure IEEE 802.1x port-based authentication on cisco switches, preferable 2960 series. Which models support this feature?. I have try with some older switches but it doesn't works properly on everyone.
  I have upgraded them whitout better results, there is namely an issue with TLS handshaking on some switches which produces authentication to fail.

  Hi Claudia,
  do you mean that the EAP-TLS authentication fails only on some 2960 switches and it works on other 2960s?
  What is the IOS version you're using there?
  What is the RADIUS server in use?
  What is the exact error message you see on the RADIUS side?
  Usually, the reason for the EAP-TLS handshake failure is to be troubleshoot on the supplicant and AAA server, however, there may be something on the switch depending on the certificate size and MTU settings on the switch(es).
  What is the server cert size and the MTU configured on the switches?
  With the info you provided it's difficult to say what's the reason of this failure.
  I would suggest to start looking into the above mentioned topics, else you would need to proceed with deeper debugging and sniffer traces, which may be better/easier to handle through a TAC case.
  I hope this helps.
  Regards,
  Federico
  If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

• Port based routing?

  Hi,
  My Mac connects to Internet through ADSL router, and to a PPTP-VPN host through this connection.
  And I want to FORCE all my http/https connections(that use destination port 80, 443, and perhaps some more) to use the VPN, while keep anything else go through the ADSL router directly.
  Is this possible?

  Did you find any solution?
  I'm trying to find a way to do this too.. on linux port based routing can be done with iptables. Mac OS X uses ipfw but:
  The fwd action does not change the contents of the packet at all.
  In particular, the destination address remains unmodified, so
  packets forwarded to another system will usually be rejected by
  that system unless there is a matching rule on that system to
  capture them.
  Then there is natd? I'm not sure if this can be used..
  And another one is /etc/pf.conf which has this openbsd guide but fails with "PF ERROR! No ALTQ support in kernel. ALTQ related functions disabled".

• Port Based MPLS

  Dear Gurus,
  Im trying to configure port based mpls, however i find my 7206 doesnt support any encapsulation mpls, only l2tpv3. Is this IOS dependency?
  Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
  R2(config-if)#xconnect 3.3.3.3 100 encapsulation ?
    l2tpv3  Use L2TPv3 encapsulation
  tia.

  Hello Jepoy,
  according to feature navigator it is  supported on C7200 port mode C7200
  but you need some specific feature sets
  like
  c7200-adventerprisek9-mz.124-24.T2.bin
  I have a pair of C7200 with advanced security and xconnect is not supported on them
  Hope to help
  Giuseppe

• Does the SLM224G switch support port-based VLAN's?

  I am looking for a simple solution to create two LAN's. One for my own and one for my customers, who will be able to use desktop PC's with internet access. I have only one internet connection (DSL over ISDN) and wil not getting another just for my customers.
  My own network should not be accessible or visible to users who are using the customers-PC's. The other way around is allowed, but not really necessary. My setup requires me to hook up the switch to the (ISP) router, and that router just has one LAN port not able to do anything related to VLAN's.
  I read about port-based VLAN's here, where it is stated that creating seperate LAN's is just putting ports into VLAN's on the switch, nothing else needs to be done... However, they used a NetGear smart switch.
  I checked out Cisco's SLM224G as it is affordable, has 24 ports (instead of 8 for the NetGear) and should support VLAN's. I have read a lot about VLAN's, including:
  "- Port-based VLAN's means that you can reconfigure ports to be in different VLAN's. Port-based VLAN's do not confirm 802.1q VLAN support.
  - 802.1q VLAN's means that you can tag VLAN's with 802.1q headers to create a trunk between two devices that carries frames for multiple VLAN's. 802.1q VLAN's confirm that there is also Port-based VLAN support."
  I known from the spec sheets that the SLM224G supports 802.1q (tagged) trunking. So it should, given found text above, also support port-based VLAN's.
  My question is whether it indeed will support port-based VLAN's?
  Am I able to use it directly behind my ISP's router and create two seperate LAN's?
  If so, one extra question: how are the PC's behind the switch (inside the two VLAN's) get their IP-adresses from the ISP-router? Or will it service only one of the two LAN's and should I install a DHCP-server in the other LAN?
  Any information is very welcome!
  Thank you.

  Thanks for your responce, mr. Carr.
  I have read more about vlan's and their setup. I think the article about port based vlan's was lacking some information about the router/firewall. May be it was set up to work with different vlan's from the start. Strangely, in the text it is said that nothing needs to be set up besides the (Netgear) vlan-capable switch.
  So, from your response and other texts I learned I needed a vlan-capable router. I have to say that I need to be able to manage a server on the LAN from the outside (internet). I already tried to set up a Cisco/Linksys WRT54G router behind the ISP's (ZyXel) single LAN-ported router and that would not work at all (even when the Linksys was set in router-mode). I lost the connection to internet setting it up that way. I even tried to setup the Linksys in the DMZ of the ZyXel, with no luck. I was unable to set that up with working internet-access form the LAN. So I was not too happy with the suggestion to set up a (second) vlan-capable gigabit router behind the ISP's router....
  Eventually, I bridged the ZyXel to get rid of the double NAT/gateway mode of the two routers as routing mode did not work on the Linksys. The Linksys is now getting the WAN-ip from the ISP on it's WAN port and I furthermore used DD-WRT's firmware to enable the build-in vlan-capabilities of the Linksys.
  Now I have set up the Linksys with two vlan's and I bought the SLM224G as an inexpensive manageable 24-port vlan-capable switch to provide the number of ports I needed. I devided the SLM in two vlan's and used two wires from the Linksys to the SLM. So the SLM does support port-based vlan's by simply setting up two ranges of ports with different PVID settings. Trunking and 802.1q tagging isn't needed that way. I know I could have used two dumb switches to get two separate subnetted networks, but this way I get just enough ports in a single device where I have ample space to put it.
  Anyway, thanks for helping me understanding the way vlan-capable switches work.

• Vlan vs port based qos

  Hi,
  I have a question about vlan based qos. I am happy with qos configuration as applied to ports. However, vlan based qos confuses me somewhat.
  Is vlan based qos intended for situations where packets are to cross vlans? In that case, am I correct in assuming that vlan based qos has no effect on packet flows within that vlan? In that case the idea of vlan based qos would be to police/mark traffic leaving/joing that vlan?
  Or, does vlan based qos extend queuing (priority queue etc) down to ports that are members of that vlan are configured with vlan based qos? I think not but I'm not absolutely sure.
  I can't seem to get to the bottom of this on cco.
  Thanks, Steve

  Hi Steve,
  Packets do not have to cross VLANs for you to need VLAN-based QoS.
  VLAN-based QoS gives you an additional layer of queueing hierarchy. With port-based Qos, there is a set of software queues per physical port. As packets are scheduled from these queues, they are emitted from the port.
  With VLAN-based QoS, there is another layer. Each VLAN configured for VLAN-based QoS will have a set of queues associated with it, instead of having a set of queues for the physical port. This comes in useful for providers of Metro Ethernet service who offer multiple classes of service. Such ethernet services are usually sold with a fixed bandwidth per-VLAN. At egress switch ports, the provider will use vlan-based QoS to police/shape traffic in order to conform to the sold rate. Within this shaped rate, queueing will be used to ensure that the higher classes of service get preference.
  In answer to your questio, vlan-based qos does have an effect on packet flows within that vlan.
  Hope that helps - pls rate the post if it does.
  Regards,
  Paresh.

• IEEE 802.1x Port based Authentication with Restricted VLAN

  Hi all,
  I have the following configuration:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization exec default local
  dot1x system-auth-control
  radius-server host 10.10.10.10 key cisco
  interface FastEthernet0/1
  switchport mode access
  authentication event fail retry 1 action authorize vlan 2
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  But it takes quite a while for the user who is not authorized to be switch to vlan 2.
  I would like to know what is best practice when using this kind of configuration  and if it is possible to optimize on how long it takes to switch the unauthorized user to the restricted VLAN?
  Regards,
  Laurent

  Laurent,
  Based on your configuration it looks as if it will take one retry attempt before the client is placed in vlan2. Try to remove the 'retry 1' from command and see if that speeds up the time. Also take the output of the 'show authentication sessions interface '. Please post the output of the 'debug radius authentication' as that will help to see how long it is taking the radius server to respond.
  thanks,
  Tarik Admani

• Two gateways, port-based load balancing

  Hello,
  I have a simple question on Mac OS X Leopard/SL Server regarding the use of 2 distinct internet connections on a single LAN.
  Gateway #1 : 10.0.1.1 (delivering IPs) - 18 mbps
  Gateway #2 : 10.0.1.254 - 4 mbps
  Any computer accessing the network is delivered an IP by the DHCP server (10.0.1.1), thus uses #1 as of main gateway.
  The main server (10.0.1.16) is running DNS services and a Squid proxy-cache.
  Now, is it possible to set all the computers that connect to the network up so that they use the main server as of main gateway and see their requests redirected to #1 or #2 according to the port in use ?
  For example:
  mail,http,https,jabber -> #1
  skype,rtsp,... -> #2
  Thank you very much for your help
  Tha
  Message was edited by: Kwintin

  is it possible to set all the computers that connect to the network up so that they use the main server as of main gateway and see their requests redirected to #1 or #2 according to the port in use ?
  No. routing is based on destination IP address, not port.
  Therefore each client will send all traffic for a specific address to a specific router address. It doesn't matter whether it's talking HTTP, SMTP, IMAP, POP, AIM, or any other protocol - any traffic for that IP will go to the same router.
  You have three ways of getting around this.
  One is to install a router that supports dual WAN connections. Point all internal clients to the LAN address of the router and let it do the work of routing the traffic as needed, based on its routing policies (routers may be able to route based on port).
  Option two is to setup a proxy server for specific services - for example you could setup a HTTP/HTTPS proxy server on a machine that has router #1 as its default gateway and configure the clients to talk to router #2. All traffic on the clients will go over router #2 except the proxied traffic which will go to the proxy and then out via router #1.
  This is relatively simple to setup, but is limited to traffic that can be easily proxied (e.g. that probably excludes email).
  The third option is static routing. Look at the servers each machine is contacting and setup static routes for the smaller set of addresses. For example, if you're only splitting off traffic to Skype's servers then set each client with a default route of router #1, and static routes to Skype's server to router #2. Now all traffic except that to Skype will use router #1.
  This is really only viable if you have a relatively small number of destination addresses you're trying to divert. That's why it works well for Skype (single server address), but wouldn't work well for something more generic such as 'web traffic' since you cannot predict which web servers (and therefore which IP addresses) need static routes.
  Of the three options, only option #1 will cover all protocols for all clients, but it's also the only option that costs $$s if your current router doesn't support multiple WAN interfaces.

• Port based LB and Local Director

  My customer would like to know whether the Local Director supports Load Balancing using the source port information. If this is possible any document on the configuration wouldbe highly appreciated.
  Regards,
  Mahesh

  http://www.cisco.com/en/US/products/sw/iworksw/ps2769/products_maintenance_guide_chapter09186a008007d9fa.html#xtocid225795
  as per this document i think the loadbalancing based on source port information cannot be done.
  ''The MNLB Services Manager makes the load-balancing decisions based on application availability, server capacity, and load distribution algorithms such as round robin or least connections, or the Dynamic Feedback Protocol (DFP).''

• ERROR OWS-04045 during accessing multiple ports based web service

  I use WSA to publish a web service which have multiple ports.
  The ant build script :
  <oracle:assemble appName="${app.name}" ear="${app.name}.ear"
  targetNamespace="http://www.xxx.com" classpath="${domestic.class.path}"
  input="${web.home.path}/WEB-INF/classes" output="${archive.output.path}"
  style="rpc" mappingFileName="type-mapping.xml" appendToExistingDDs="true"
  serviceName="${app.name}">
  <oracle:porttype interfaceName="com.xxx.service.ICompanyDefinerWebService"
  className="com.xxx.CompanyWebServiceImpl">
  <oracle:port name="company" uri="company" />
  </oracle:porttype>
  <oracle:porttype interfaceName="com.xxx.IUserDefinerWebService"
  className="com.xxx.UserProfileWebServiceImpl">
  <oracle:port name="userprofile" uri="userprofile" />
  </oracle:porttype>
  </oracle:assemble>
  There is a class name UserDTO which extends another class AbstractDTO, which locates in another package. I used a type-mapping file for giving them different namespaces.
  After deployment, I can use the url http://localhost:8888/xxx/userprofile to access the web service. OC4J provided a javascript based stub for testing.
  But I met some problems. When I use the web stub to access it , error occurs.
  ERROR OWS-04045 Malformed Request Message:Caught exception while handling request: unexpected element name: expected={http://www.xxx.com/framework/bean}operationRecord, actual={http://www.xxx.com/user/dto}operationRecord
  I switched the form to display in xml before invoke, I found there are different and correct namespaces on these 2 elements (UserDTO and OperationLog) .So, I'm very strange why the server will response such a fault information.
  In addition, if I use default style (just document-wrapped) to publish web service, almost all methods can not be accessed on web stub which is provided by oracle.
  Surely, the problem is caused by multiple port. The soap specification is 1.2 and JDK is SUN 1.5.0-b6, OC4J is 10.1.3.3
  I just want to konw whether oracle have some better practices or suggestion for publishing a web service which will have multiple ports.
  The other problem is we can not use abstract class(only support interface) when we want to use WSA to assemble a web service based EAR.

  Is it possible to use several "class L4VIPCLASS" inside the "policy-map multi-match VIPs" in order to have several VIPs to load-balance services for several serverfarms?
  Something like this:
  class-map match-all L4VIPCLASS-1
  2 match virtual-address 172.16.1.1 tcp eq www
  class-map match-all L4VIPCLASS-2
  2 match virtual-address 172.16.1.2 tcp eq www
  class-map match-all L4VIPCLASS-3
  2 match virtual-address 172.16.1.3 tcp eq 8081
  policy-map type loadbalance http first-match WEB_POLICY-1
  class class-default
  serverfarm-1
  policy-map type loadbalance http first-match WEB_POLICY-2
  class class-default
  serverfarm-2
  policy-map type loadbalance http first-match WEB_POLICY-3
  class class-default
  serverfarm-3
  policy-map multi-match VIPs
  class L4VIPCLASS-1
  loadbalance vip inservice
  loadbalance policy WEB_POLICY-1
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  nat dynamic 1 vlan 11
  class L4VIPCLASS-2
  loadbalance vip inservice
  loadbalance policy WEB_POLICY-2
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  nat dynamic 2 vlan 22
  class L4VIPCLASS-3
  loadbalance vip inservice
  loadbalance policy WEB_POLICY-3
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  nat dynamic 3 vlan 33
  interface vlan XX
  service-policy input VIPs
  Many thanks for your support.

• IronPort, user based filtering with MS terminal / Citrix?

  Hi there,
  Can someone tell me if the IronPort can handle user based filtering on MS terminalserver / Citrix (multi-user server) with AD-integration?
  Thanks a lot.
  Greets,
  Norbert

  If you're using transparent redirection on the Citrix boxes you can use
       Use Cookie Surrogates
       Turn on the "Virtual IP" feature in Citrix. (which really means Citrix is dealing with the problem, not the WSA)
  The issue with cookie surrogates is that https traffic appears to be unauthenticated to the WSA and some applications can't deal with them. (check the help file on the box under "Understanding How Authentication Affects HTTPS and FTP over HTTP Requests")
  How are you doing the redirection?  If you're using explicit redirection, you can turn off surrogates for an identity and it does authentication that is session based...
  The simplest would be Virtual IP on Citrix, since that looks the most like a regular workstation to a WSA...

• 802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation

  I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the  802.1x compliant  windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
  Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
  Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
  Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
  If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
  The ports GI1/0./1 & Gi1/02 are configured thus:
  interface GigabitEthernet1/0/1
  switchport mode access
  switchport voice vlan 20
  authentication event fail action authorize vlan 4
  authentication event no-response action authorize vlan 4
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  mab
  mls qos trust cos
  dot1x pae authenticator
  spanning-tree portfast
  sh ver
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
  Full config attached. Assistance will be grately appreciated.
  Donfrico

  I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS but the IAS log shows a invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
  However, I am successfully using IAS to authenticate WPA users on AP1210s so RADIUS appears to be OK working OK.
  Are there special attributes that need to be configured on the switch or IAS?

• 802.1X Port Based Authentication Security Violation

  I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the  802.1x compliant  windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
  Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
  Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
  Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
  If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
  The ports GI1/0./1 & Gi1/02 are configured thus:
  interface GigabitEthernet1/0/1
  switchport mode access
  switchport voice vlan 20
  authentication event fail action authorize vlan 4
  authentication event no-response action authorize vlan 4
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  mab
  mls qos trust cos
  dot1x pae authenticator
  spanning-tree portfast
  sh ver
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
  Full config attached. Assistance will be grately appreciated.
  Donfrico

  I believe , you need to configure re-authentication on this switch port:
  ! Enable re-authentication
  authentication periodic
  ! Enable re-authentication via RADIUS Session-Timeout
  authentication timer reauthenticate server