ISE NEAT switch won't authenticate on Sup32-based 6500

I have a 3560-CG switch configured as a NEAT supplicant switch. It is working correctly when connected to a 3750G stack running 12.2(55)SE9 but not when connected to a 6500 Sup32-10G running 12.2(33)SXJ8
The authentication is seen in ISE but 802.1X seems to fail and then switches to MAB (not permitted). So there is some issue with the EAP-MD5 authentication stage
Another possible issue is that the switch then triggers a BPDU-Guard error disable state on the authenticating 6500. I assumed the role of "dot1x supplicant controlled transient" is to supress BPDU's until *successful* authentication, not just completion of the stage. 
The authenticator switch reports:
Nov 18 15:29:57.822: CISP-ERROR (Gi4/32): CISP packet on interface Gi4/32 is dropped as  supplicant is not a switch

That's what I thought but the again, from the 6500 config prompt I actually get echo replys(!) from the FWCTX, with capture enabled as:
     access-list CAP permit ip any any
     capture mgmt access-list CAP interface MGMT packet-length 1500 circular-buffer
But it shows blank and no hit counts. Same happens usind RTMonitor in ASDM (6.2.(2f)) some packets that are permited and routed correctly aren't actually noticed. I don't get any logging for the missing/dropped/denied echo replies from the FWCTX to the 6500 MSFC nor for the successful replies from the 6500 to the FWCTX withh ASDM Debugging logging on.

Similar Messages

  • Some Wireless clients won't authenticate to 887VA-W

    Hi folks
    I've swapped over a few months ago from an 877w router to an 887VAw which has a separate AP in-built, and there are a few wireless clients that had no problem authenticating to the 877w but just refuse to communicate to the 887VA-W.
    The clients in question are set top box type devices : (1)Now TV and (2) Sky Wireless Adapter.
    They have no problem seeing the SSID's being broadcast, and for troubleshooting I've setup an open test SSID without any encryption, but the clients still won't authenticate and grab an ip address, or more accurately they just don't get a dhcp ip address so I don't think authentication is really the issue. I don't know why these clients aren't happy with dhcp on the guest vlan (vlan2) where other clients get an ip address and work fine. Perhaps the fact I'm using vlan1 (being used for the Eap-Fast home wlan) as the native untagged vlan might have something to do with it? If I use a static ip address on the guest vlan (vlan 2 / ip 10.1.1.n ) then the Sky Wireless Adapter can send and receive packets across the wlan.
    Can anybody please suggest some debugs or config changes to try and nail the problem? The relevant configs from the AP is pasted below, and the router below that.
    Brgds, Tim
    aaa new-model
    aaa group server radius rad_eap
     server name rs-local
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication ppp default local
    aaa authorization exec default local
    dot11 ssid home
       vlan 1
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa version 2
    dot11 ssid guest
       vlan 2
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 abcdef123
    dot11 ssid test
       vlan 3
       authentication open
       mbssid guest-mode
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 1 mode ciphers aes-ccm
     encryption vlan 2 mode ciphers aes-ccm
     broadcast-key vlan 1 change 30
     broadcast-key vlan 2 change 43200
     ssid home
     ssid guest
     ssid test
     antenna gain 0
     mbssid
     speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
     packet retries 64 drop-packet
     no preamble-short
     station-role root
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     no cdp enable
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.2
     encapsulation dot1Q 2
     no ip route-cache
     no cdp enable
     bridge-group 2
     bridge-group 2 subscriber-loop-control
     bridge-group 2 spanning-disabled
     bridge-group 2 block-unknown-source
     no bridge-group 2 source-learning
     no bridge-group 2 unicast-flooding
    interface Dot11Radio0.3
     encapsulation dot1Q 3
     no ip route-cache
     no cdp enable
     bridge-group 3
     bridge-group 3 subscriber-loop-control
     bridge-group 3 spanning-disabled
     bridge-group 3 block-unknown-source
     no bridge-group 3 source-learning
     no bridge-group 3 unicast-flooding
    interface GigabitEthernet0
     description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
     no ip address
     no ip route-cache
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet0.2
     encapsulation dot1Q 2
     no ip route-cache
     bridge-group 2
     bridge-group 2 spanning-disabled
     no bridge-group 2 source-learning
    interface GigabitEthernet0.3
     encapsulation dot1Q 3
     no ip route-cache
     bridge-group 3
     bridge-group 3 spanning-disabled
     no bridge-group 3 source-learning
    interface BVI1
     ip address 172.27.44.2 255.255.255.0
     no ip route-cache
    ip default-gateway 172.27.44.1
    ****Router Config****
    interface Wlan-GigabitEthernet0
     description Internal switch interface connecting to the embedded AP
     switchport mode trunk
     no ip address
    interface wlan-ap0
     description Service module interface to manage the embedded AP
     ip unnumbered BVI1

    Hi Sebastian
    Please see ip dhcp debug from 887VA-W showing the Sky client requesting an ip address but failing to get one. Also a debug from an 877-W showing successful dhcp assignment. Also the dhcp config as requested.The successful trace shows 2 mac addresses from the Sky wireless adapter/ Sky box each getting a dhcp address. I don't know whether the failure is a bug in the 887 dhcp code or some config in the embedded AP that needs tweaking.
    Bregs, Tim
    The Sky wired adapter (I think it's the mac of the sky box lan port) mac is 00:19:FB:A4:B2:1A
    The Sky wireless mac is 18:28:61:99:7B:A8
    887VA-W Debug - Failure:
    887#term mon
    887#sh deb
    DHCP server packet debugging is on.
    887#
    887#
    000141: Dec 16 07:03:02.082 London: DHCPD: ARP entry exists (10.1.1.10, e0c9.7ad6.24ee).
    000142: Dec 16 07:03:02.082 London: DHCPD: unicasting BOOTREPLY to client e0c9.7ad6.24ee (10.1.1.10).
    Denham_887#
    000143: Dec 16 07:05:25.536 London: DHCPD: client's VPN is .
    000144: Dec 16 07:05:25.536 London: DHCPD: No option 125
    000145: Dec 16 07:05:25.536 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
    000146: Dec 16 07:05:25.536 London: DHCPD: Allocate an address without class information (10.1.1.0)
    000147: Dec 16 07:05:25.536 London: DHCPD: Saving workspace (ID=0x4000009)
    Denham_887#
    000148: Dec 16 07:05:27.536 London: DHCPD: Reprocessing saved workspace (ID=0x4000009)
    000149: Dec 16 07:05:27.536 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
    000150: Dec 16 07:05:27.536 London: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.12).DHCPD: Setting only requested parameters
    000151: Dec 16 07:05:27.536 London: DHCPD: no option 125
    000152: Dec 16 07:05:27.536 London: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
    Denham_887#
    000153: Dec 16 07:05:32.468 London: DHCPD: New packet workspace 0x123EC554 (ID=0xC700000A)
    000154: Dec 16 07:05:32.468 London: DHCPD: client's VPN is .
    000155: Dec 16 07:05:32.468 London: DHCPD: No option 125
    000156: Dec 16 07:05:32.468 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
    000157: Dec 16 07:05:32.468 London: DHCPD: Allocate an address without class information (10.1.1.0)
    000158: Dec 16 07:05:32.472 London: DHCPD: Saving workspace (ID=0xC700000A)
    Denham_887#
    000159: Dec 16 07:05:34.080 London: DHCPD: New packet workspace 0x1240A47C (ID=0x5500000B)
    000160: Dec 16 07:05:34.080 London: DHCPD: client's VPN is .
    000161: Dec 16 07:05:34.080 London: DHCPD: No option 125
    000162: Dec 16 07:05:34.080 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
    000163: Dec 16 07:05:34.080 London: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.12).DHCPD: Setting only requested parameters
    000164: Dec 16 07:05:34.080 London: DHCPD: no option 125
    000165: Dec 16 07:05:34.080 London: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
    Denham_887#
    000166: Dec 16 07:05:34.468 London: DHCPD: Reprocessing saved workspace (ID=0xC700000A)
    000167: Dec 16 07:05:34.468 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
    000168: Dec 16 07:05:34.468 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
    000169: Dec 16 07:05:34.468 London: DHCPD: no option 125
    000170: Dec 16 07:05:34.468 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
    Denham_887#
    000171: Dec 16 07:05:35.476 London: DHCPD: client's VPN is .
    000172: Dec 16 07:05:35.476 London: DHCPD: No option 125
    000173: Dec 16 07:05:35.476 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
    000174: Dec 16 07:05:35.476 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
    000175: Dec 16 07:05:35.476 London: DHCPD: no option 125
    000176: Dec 16 07:05:35.476 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
    Denham_887#
    000177: Dec 16 07:05:37.520 London: DHCPD: client's VPN is .
    000178: Dec 16 07:05:37.520 London: DHCPD: No option 125
    000179: Dec 16 07:05:37.520 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
    000180: Dec 16 07:05:37.520 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
    000181: Dec 16 07:05:37.524 London: DHCPD: no option 125
    000182: Dec 16 07:05:37.524 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
    Denham_887#
    000183: Dec 16 07:05:40.532 London: DHCPD: client's VPN is .
    000184: Dec 16 07:05:40.532 London: DHCPD: No option 125
    000185: Dec 16 07:05:40.532 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
    000186: Dec 16 07:05:40.532 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
    000187: Dec 16 07:05:40.532 London: DHCPD: no option 125
    000188: Dec 16 07:05:40.532 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
    Denham_887#
    000189: Dec 16 07:05:43.540 London: DHCPD: client's VPN is .
    000190: Dec 16 07:05:43.540 London: DHCPD: No option 125
    000191: Dec 16 07:05:43.540 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
    000192: Dec 16 07:05:43.540 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
    000193: Dec 16 07:05:43.540 London: DHCPD: no option 125
    000194: Dec 16 07:05:43.540 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
    Denham_887#
    000195: Dec 16 07:05:48.884 London: DHCPD: client's VPN is .
    000196: Dec 16 07:05:48.884 London: DHCPD: No option 125
    000197: Dec 16 07:05:48.884 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
    000198: Dec 16 07:05:48.884 London: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.12).DHCPD: Setting only requested parameters
    000199: Dec 16 07:05:48.884 London: DHCPD: no option 125
    000200: Dec 16 07:05:48.884 London: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
    887VA-W dhcp config:
    887#sh run | section dhcp
    no ip dhcp use vrf connected
    ip dhcp binding cleanup interval 10
    no ip dhcp conflict logging
    ip dhcp pool home
     network 172.27.44.0 255.255.255.0
     dns-server 208.67.222.222 208.67.220.220  
     default-router 172.27.44.1
    ip dhcp pool test
     import all
     network 11.1.1.0 255.255.255.0
     default-router 11.1.1.1
     dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool guest
     import all
     network 10.1.1.0 255.255.255.0
     default-router 10.1.1.1
     dns-server 208.67.222.222 208.67.220.220
    877-W Debug - Success:
    877#deb ip dhcp se
    877#deb ip dhcp server pa
    DHCP server packet debugging is on.
    877#deb ip dhcp server ev
    DHCP server event debugging is on.
    877#
    000258: *Jun 23 22:20:07.087 BST: DHCPD: checking for expired leases.
    000259: *Jun 23 22:20:14.684 BST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   1828.6199.7ba9 Associated SSID[guest] AUTH_TYPE[OPEN] KEY_MGMT[WPAv2 PSK]
    000260: *Jun 23 22:20:16.289 BST: DHCPD: Sending notification of DISCOVER:
    000261: *Jun 23 22:20:16.289 BST:   DHCPD: htype 1 chaddr 1828.6199.7ba8
    000262: *Jun 23 22:20:16.289 BST:   DHCPD: remote id 020a00000a010101f2000000
    000263: *Jun 23 22:20:16.289 BST:   DHCPD: circuit id 00000000
    000264: *Jun 23 22:20:16.289 BST: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI2.
    000265: *Jun 23 22:20:16.289 BST: DHCPD: Seeing if there is an internally specified pool class:
    000266
     *Jun 23 22:20:16.289 BST:   DHCPD: htype 1 chaddr 1828.6199.7ba8
    000267: *Jun 23 22:20:16.289 BST:   DHCPD: remote id 020a00000a010101f2000000
    000268: *Jun 23 22:20:16.289 BST:   DHCPD: circuit id 00000000
    000269: *Jun 23 22:20:16.289 BST: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.9).
    000270: *Jun 23 22:20:16.289 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
    000271: *Jun 23 22:20:16.493 BST: DHCPD: DHCPREQUEST received from client 0118.2861.997b.a8.
    000272: *Jun 23 22:20:16.493 BST: DHCPD: Sending notification of ASSIGNMENT:
    000273: *Jun 23 22:20:16.493 BST:  DHCPD: address 10.1.1.9 mask 255.255.255.0
    000274: *Jun 23 22:20:16.493 BST:   DHCPD: htype 1 chaddr 1828.6199.7ba8
    000275: *Jun 23 22:20:16.493 BST:   DHCPD: lease time remaining (secs) = 86400
    000276: *Jun 23 22:20:16.493 BST: DHCPD: Appending system default domain
    000278: *Jun 23 22:20:16.493 BST: DHCPD: Sending DHCPACK to client 0118.2861.997b.a8 (10.1.1.9).
    000279: *Jun 23 22:20:16.493 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
    000280: *Jun 23 22:20:17.089 BST: DHCPD: checking for expired leases.
    000281: *Jun 23 22:20:18.097 BST: %SYS-5-CONFIG_I: Configured from console by vty0
    Denham#
    000282: *Jun 23 22:20:21.314 BST: DHCPD: Sending notification of DISCOVER:
    000283: *Jun 23 22:20:21.314 BST:   DHCPD: htype 1 chaddr 0019.fba4.b21a
    000284: *Jun 23 22:20:21.314 BST:   DHCPD: remote id 020a00000a010101f2000000
    000285: *Jun 23 22:20:21.314 BST:   DHCPD: circuit id 00000000
    000286: *Jun 23 22:20:21.314 BST: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI2.
    000287: *Jun 23 22:20:21.314 BST: DHCPD: Seeing if there is an internally specified pool class:
    000288: *
    Jun 23 22:20:21.314 BST:   DHCPD: htype 1 chaddr 0019.fba4.b21a
    000289: *Jun 23 22:20:21.314 BST:   DHCPD: remote id 020a00000a010101f2000000
    000290: *Jun 23 22:20:21.314 BST:   DHCPD: circuit id 00000000
    000291: *Jun 23 22:20:21.314 BST: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.8).
    000292: *Jun 23 22:20:21.314 BST: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
    000293: *Jun 23 22:20:21.406 BST: DHCPD: DHCPREQUEST received from client 0019.fba4.b21a.
    000294: *Jun 23 22:20:21
    406 BST: DHCPD: Sending notification of ASSIGNMENT:
    000295: *Jun 23 22:20:21.406 BST:  DHCPD: address 10.1.1.8 mask 255.255.255.0
    000296: *Jun 23 22:20:21.406 BST:   DHCPD: htype 1 chaddr 0019.fba4.b21a
    000297: *Jun 23 22:20:21.406 BST:   DHCPD: lease time remaining (secs) = 86400
    000298: *Jun 23 22:20:21.406 BST: DHCPD: Can't find any hostname to update
    000299: *Jun 23 22:20:21.406 BST: DHCPD: Sending DHCPACK to client 0019.fba4.b21a (10.1.1.8).
    000300: *Jun 23 22:20:21.406 BST: DHCPD: broadcasting
    BOOTREPLY to client 0019.fba4.b21a.
    000302: *Jun 23 22:20:33.049 BST: DHCPD: Sending notification of DISCOVER:
    000303: *Jun 23 22:20:33.049 BST:   DHCPD: htype 1 chaddr 1828.6199.7ba8
    000304: *Jun 23 22:20:33.049 BST:   DHCPD: remote id 020a00000a010101f2000000
    000305: *Jun 23 22:20:33.049 BST:   DHCPD: circuit id 00000000
    000306: *Jun 23 22:20:33.049 BST: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI2.
    000307: *Jun 23 22:20:33.049 BST: DHCPD: Seeing if there is an internally specified pool class:
    000308
    Denham#: *Jun 23 22:20:33.049 BST:   DHCPD: htype 1 chaddr 1828.6199.7ba8
    000309: *Jun 23 22:20:33.049 BST:   DHCPD: remote id 020a00000a010101f2000000
    000310: *Jun 23 22:20:33.049 BST:   DHCPD: circuit id 00000000
    000311: *Jun 23 22:20:33.049 BST: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.9).
    000312: *Jun 23 22:20:33.053 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
    000313: *Jun 23 22:20:33.081 BST: DHCPD: DHCPREQUEST received from client 0118.2861.997b.a8.
    000314: *Jun 23
    Denham# 22:20:33.081 BST: DHCPD: Sending notification of ASSIGNMENT:
    000315: *Jun 23 22:20:33.081 BST:  DHCPD: address 10.1.1.9 mask 255.255.255.0
    000316: *Jun 23 22:20:33.081 BST:   DHCPD: htype 1 chaddr 1828.6199.7ba8
    000317: *Jun 23 22:20:33.081 BST:   DHCPD: lease time remaining (secs) = 86400
    000318: *Jun 23 22:20:33.081 BST: DHCPD: Appending system default domain
    000319: *Jun 23 22:20:33.085 BST: DHCPD: Using hostname 'skywirelessconnector.indahouse.dyndns.org.' for dynamic update (from hostname opti
    indahouse#uon)
    000320: *Jun 23 22:20:33.085 BST: DHCPD: Sending DHCPACK to client 0118.2861.997b.a8 (10.1.1.9).
    000321: *Jun 23 22:20:33.085 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.

  • X-Fi Mode Switcher won't work in XP non-admin accou

    I have installed X-Fi extreme music on my WinXP SP2 machine. Both audio console and the graphical console launcher/mode-switcher won't work properly in non-admin accounts. It will be "stuck" in one mode and whatever I do, it refuses to change to another mode.
    Both work fine when I use the admin account. Please help. Thanks in advance.

    Unfortunatly Im a greedy cuss and won't share my computer with anyone so I'm running in more or less Admin 24/7 and not ran into the issue. I think there is a setting in XP that you can change that will allow non-admins to make changes to the system. You might check User settings for the account in the "User Accounts" in control panel. Will see if I can find some info on it for you but you can also check MS Knowledgebase.

  • Cisco catalyst 3850 switch won't take command: "switchport mode trunk encapsulation dot 1q"

    Hi all,
        I'am working on this switch's configuration. when I typed "switchport mode trunk encapsulation dot 1q", I got an error " invavid input". I'm guessing that this model already set encapsulation type to dot 1q, and that's why the switch won't take it, right? 
       Please help!

    According to the documents it supports both.
    You are however using the wrong command, it should be -
    "switchport trunk encapsulation dot1q"
    ie. no "mode" keyword.
    If it doesn't take that then do a "sh int <x> capabilities" and it should show you which encapsulation methods are supported.
    Jon

  • L3 Switch script to shutdown a port based IP reachability

    Hello all,
    I would like to know if using EEM I can shutdown a Gigabit interface based on IP reachability of the remote neighbor via ping?
    And no shutdown when the IP reachability is reestablished? I'm Using IOS-XE
    I ask this because I've a L2 connection which is not directly end-to-end but it have some network component (DWDM) in the middle for signal regeneration.
    The provider of the DWDM circuit confirm that the signal is NOT end-to-end so in case there is a failure ine the circuit the interfaces of the L3 switches won't go down and the traffic is still routed on this path since on the Routing table he routes are still present also if the remote neighbor is not reachable
    should I Use the track with the event manager applet IOS commands???
    Many Thanks
    Saluti

    I would recommend looking at feature based capabilities before implementing things with EEM... This way it would be easier to support etc...
    The functionality you are asking for should be available on your platform (I assume you are on ASR1K as you are mentioning IOS-XE). You should look at BFD...
    Here are a few references:
    http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/xe-3s/irb-bi-fwd-det.html
    You mentioned static routes, so maybe this is also relevant:
    http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/xe-3s/irb-xe-3s-book_chapter_01000.html
    Arie

  • Community profile lost after switching from facebook-connected to email-based account?

    Hi there, apparently I do not have access to my old facebook-connected profile here in the community after switching to a new, e-mail based account. Is there a way to merge my new account (alexanderklar) with my old one (klar)? Or maybe reactivate access to my old account via my e-mail-based credentials? Thank you and best regardsAlexander Klar

    Hey , looks like your account is now ready! 
    Log in with "alexanderklar" and it will log you back into your old account automatically! :)

  • VWLC + ISE 1.2 = Randomly won't authenticate users until reboot?

    Hello all!
    I have an issue where authentications (dot1x) from the vWLC to ISE 1.2 will start to fail after a certain amount of up time. The certain amount I'm not sure about, because it just started to happen. ISE will either complain about the client having an issue with TLS or ISE will show a successful authentication.
    The vWLC shows the client associated, but never authenticates the client (in the case of ISE showing successful authentication).
    vWLC on version 7.6.110.0.
    ISE on version 1.2.0.899.
    Anyone else having or had this issue? I have a TAC case open, but they want me to do a webex with them when the issue is happening, and it's hard to leave it broken while users are complaining.
    Thanks!

    are you sure, the number of clients associating to you network is less than the maximum clients supported by this vWLC? can you post the details of Failed authentications of clients from Live authentications ( go to ISE > operations > Authentications > details)
     

  • Cisco ISE 1.3 failed to authenticate wireless endpoint

    Dear all,
    I recently have a big problem of my ISE after upgraded from version 1.2 to 1.3, the original plan is follow for wireless laptop authenticate to our network.
    There are 2 SSID, REG and INT, when the user and laptop first time use the WIFI, they need to request a user certificate from CA, and they need to login to the REG SSID with AD username and password. The Wireless controller 2504 will pass the packet to ISE, the use will use 802.1x authen method with PEAP to request for cert. if the authentication successful, the user need to open a web browser and the NSP page of ISE will shown up for user to register, and the CA will generate the user cert to user. Then the SSID will switch to INT and using EAP/TLS to authenticate the user cert with the CA.
    That was fine when working in ISE 1.2. However, after upgrade to 1.3 because of the proxy setting in 1.3 allow to input username and password which our proxy server required and cannot be changed. Under 1.3 the authentication failed even in the first step of authentication policy of ISE, the policy will check if the laptop using 802.1x and login by AD account, then it will pass to authorization policy. But when I check the log, there is always have the error message 5411 Supplicant stopped responding to ISE , 12930 Supplicant stopped responding to ISE after sending it the first PEAP message , 5440 Endpoint abandoned EAP session and started new
    I have search long time in the Internet but without any help, appreciate if any expert can help me. I have also upload the debug message from our ISE for reference.
    Thank you
    Best Regards,
    Terry Chow

    Hi Terry,
    Just wondering if you got an answer to your problem?
    I am deploying a new solution with ISE 1.3 and I was having a similar problem with my wireless users when I tried to enable it last night
    Cheers,
    John

  • IPod nano gen 4 forward button won't work, and the hold switch won't either.  I've tried restoring it and it didn't fix the problem. Any suggestions?

    The forward button won't work and the hold switch doesn't either.  I tried restoring it, but that didn't work.

    Restore to factory settings.new iPod if you have not yet already. If still problem time for an appointment at the Genius Bar of an Apple store.

  • Canon Powershot SX700 won't authenticate and camera keeps giving the message "check settings"

    Help PLEASE! I'm pretty computer savy but I can't figure this out. I'm running on a Mac OS version 10.9.2 and I have downloaded all the software from Canon, I'm connected but the camera says check settings when I go to authenticate the camera....I can't upload any pictures to the Canon Image Gateway....I'm really frustrated with this. It shouldn't be this difficult. 

    So here's what happened....I had everything right; my camera saw my computer and I was registered. It just wouldn't let me authenticate. Canon Support (on the phone) tried everything with me and we couldn't get it hooked up to the online Canon iMage Gateway. Let me say here support was great and I like that but I think that it should be a breeze to connect to...it is with all my Apple Devices. The Canon Tech suggested that I take my camera and computer to a friends house and see if her internet modemn would let me connect....IT DID! Right off the bat. SO NOW I"M HOOKED UP AND AUTHENTICATED! YEA!!! BUT the uploader plugin won't work now and I can't seem to uninstall it....so if you had a "check settings" message- go to a library or neighbor and see if you can connect it through their internet.....good luck. Joanie

  • Cisco ISE & 3750 Switch MAB configuration Issue

    Hi,
    I am writting in response to MAB issue which I noticed a few days ago and I am still not able to undestand what exactly happend. First of all I would like to say that I configured MAB authentication and according to the MAC the ISE configure a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appear when I cut the connection to ISE server. Accourding to configuration the switch authorize the new device to VLAN 11 (critical VLAN) That is fine ! When the ISE server is up again I had a configuration which should reauthorize all ports assign in critical VLAN. But why that is not happend ??? It looks as the switch didn't notice that the RADIUS (ISE) was up and working again.
    Here is the test switch configuration :
    interface FastEthernet0/22
    switchport access vlan 10
    switchport mode access
    authentication event fail action next-method
    authentication event server dead action authorize vlan 11
    authentication event server alive action reinitialize
    authentication order mab dot1x
    authentication priority mab dot1x
    authentication port-control auto
    authentication periodic
    authentication violation restrict
    mab     
    dot1x pae authenticator
    spanning-tree portfast
    spanning-tree bpduguard enable
    snmp-server community ISE-Test RO
    snmp-server community ISE-Test1 RW
    snmp-server trap-source FastEthernet0/24
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
    radius-server vsa send accounting
    radius-server vsa send authentication
    Thank you in advanced! I hope that this issue might be intersting!
    Martin

    Can you confirm that you have the following syntax in your NAD:
    aaa server radius dynamic-author
    client 192.168.98.10 server-key AAA_Secret
    Also, it would be nice to have the complete aaa/radius config. If esear post your whole config here.
    Last but not the elast, you can try moving to 15.x code. I had issues in the past with 12.x code and 802.1x

  • Cisco ISE and Switch 3560-X

    Good Morning,
    I am conducting an implementation of Cisco ISE version 1.2.1.198 with all its features on a switch 3560-X and in the ISE compatibility chart the minimum version for this switch would be the IOS v 15.0.2-SE2 (ED).
    My doubt is whether i need the feature ipbase or just the lanbase would be sufficient to meet all the features of 802.1x for the Cisco ISE.
    I appreciate the attention and Thanks,

    Please see the "Cisco Secure Access and Cisco TrustSec Release 5.0 System Bulletin".
    It notes that the 3560-X requires IP base license for all the 802.1X features.

  • ISE 1.1 won't boot

    Powered down my ISE 1.1 server and booted it back up and now it won't start correctly.
    We have rebooted it multiple times and tried to manually start the services but no luck.  Any thoughts?
    ISE-1/admin# sh ap stat ise
    ISE Database listener is running, PID: 3356
    ISE Database is running, number of processes: 17
    ISE Application Server process is not running.
    ISE M&T Session Database is running, PID: 3013
    ISE M&T Log Collector is running, PID: 4485
    ISE M&T Log Processor is running, PID: 4594
    ISE M&T Alert Process is not running.

    It appears that the issue is with the code I am running.  Version 1.1.1.268 has this issue.  I backed up my data to an FTP server with the command
    backup backup-name repository repository-name application application-name encryption-key
    hash |plain encryption-key name
    Example 1
    ise/admin# configure termainal
    ise/admin(config)# repository myrepository
    ise/admin(config-Repository)# url ftp://starwars.test.com/repository/system1
    ise/admin(config-Repository)# user luke password skywalker
    ise/admin(config-Repository)# exit
    ise/admin(config)# exit
    ise/admin#
    then re-imaged the server.  
    Thanks

  • CWA on ISE and switches

    I was able to configure the CWA on the switch and Cisco ISE. It is working as expected. I followed the guide on the link bellow.
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
    I only have one question. I try to understand why ACL must be configured on the port on the switch. Guide uses ACL with name webauth which permit all traffic. If port is authorized it receives dACL from ISE, otherwise port is in unauthorize state and denies all traffic.
    interface GigabitEthernet1/0/12
    description ISE1 - dot1x clients - UCS Eth0
    switchport access vlan 100
    switchport mode access
    ip access-group webauth in
    authentication order mab
    authentication priority mab
    authentication port-control auto
    mab
    spanning-tree portfast
    end
    ip access-list extended webauth
    permit ip any any

    Why ACL must be configured on the port on the switch
    Question:
    I only have one question. I try to understand why ACL must be configured on the port on the switch. Guide uses ACL with name webauth which permit all traffic. If port is authorized it receives dACL from ISE, otherwise port is in unauthorize state and denies all traffic.
    What is Web Authentication?
    Web authentication is opposed to local web authentication, which is the usual web authentication on the switch itself. In that system, upon dot1x/mab failure, the switch wills failover to the webauth profile and will redirect client traffic to a web page on the switch.
    Role of ACL:
    The redirectACL sent back with the central webauth profile determines which traffic (HTT or HTTPS) is redirected to the ISE. The downloadable ACL allows you to define what traffic is allowed. You should typically allow for DNS, HTTP(S), and 8443 and deny the rest. Otherwise, the switch redirects HTTP traffic but allows other protocols.
    Port ACLs
    Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the inbound direction. These access lists are supported:
    •Standard IP access lists using source addresses
    •Extended IP access lists using source and destination addresses and optional protocol type information
    •MAC extended access lists using source and destination MAC addresses and optional protocol type information
    The switch examines ACLs associated with all inbound features configured on a given interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network.  Figure is an example of using port ACLs to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
    Figure 31-1 Using ACLs to Control Traffic to a Network
    When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
    With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.
    For More information, please check
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swacl.html#wp1715468

  • Ise and switch authentication and privilege level

    Hi Guys,
    I'm working on an eval on vmware. I have got everything working for wlan authentication and I’m working on shell authentication for switches. On the ACS you have the possibility to give the user privilege level on the switch. You can do this with shell profiles in ACS.
    Is there a way to get this done in ISE? I was thinking to make a result policy elements but I can't find a shell profile or privilege attributes like in ACS.
    For the record, switch authentication is working with Active Directory. I only need to know how to give the right return attribute.
    I appreciate any help!
    Sander

    @Sander,
    You were in the right area. 
    Policy->Results->Authorization->Authorization Profiles.
    Create AuthZ profile for Access-Accept and Under the Advanced Attributes Settings you can use:
    Cisco:cisco-av-pair = shell:priv-lvl=15
    or whatever privilege level you want to assign.
    On your AuthZ rule, match the conditions and apply the created profile.

Maybe you are looking for