ISE NEAT switch won't authenticate on Sup32-based 6500
I have a 3560-CG switch configured as a NEAT supplicant switch. It is working correctly when connected to a 3750G stack running 12.2(55)SE9 but not when connected to a 6500 Sup32-10G running 12.2(33)SXJ8
The authentication is seen in ISE but 802.1X seems to fail and then switches to MAB (not permitted). So there is some issue with the EAP-MD5 authentication stage
Another possible issue is that the switch then triggers a BPDU Guard err-disable state on the authenticating 6500. I assumed the role of "dot1x supplicant controlled transient" is to suppress BPDUs until *successful* authentication, not just completion of the stage.
The authenticator switch reports:
Nov 18 15:29:57.822: CISP-ERROR (Gi4/32): CISP packet on interface Gi4/32 is dropped as supplicant is not a switch
That's what I thought, but then again, from the 6500 config prompt I actually get echo replies(!) from the FWCTX, with capture enabled as:
access-list CAP permit ip any any
capture mgmt access-list CAP interface MGMT packet-length 1500 circular-buffer
But it shows blank and no hit counts. The same happens using RTMonitor in ASDM (6.2(2f)): some packets that are permitted and routed correctly aren't actually noticed. I don't get any logging for the missing/dropped/denied echo replies from the FWCTX to the 6500 MSFC, nor for the successful replies from the 6500 to the FWCTX, with ASDM debugging logging on.
Similar Messages
-
Some Wireless clients won't authenticate to 887VA-W
Hi folks
I swapped over a few months ago from an 877w router to an 887VAw, which has a separate AP built in, and there are a few wireless clients that had no problem authenticating to the 877w but just refuse to communicate with the 887VA-W.
The clients in question are set top box type devices : (1)Now TV and (2) Sky Wireless Adapter.
They have no problem seeing the SSIDs being broadcast, and for troubleshooting I've set up an open test SSID without any encryption, but the clients still won't authenticate and grab an IP address, or more accurately they just don't get a DHCP IP address, so I don't think authentication is really the issue. I don't know why these clients aren't happy with DHCP on the guest VLAN (vlan2) where other clients get an IP address and work fine. Perhaps the fact I'm using vlan1 (being used for the EAP-FAST home WLAN) as the native untagged VLAN might have something to do with it? If I use a static IP address on the guest VLAN (vlan 2 / ip 10.1.1.n) then the Sky Wireless Adapter can send and receive packets across the WLAN.
Can anybody please suggest some debugs or config changes to try and nail the problem? The relevant config from the AP is pasted below, and the router config below that.
Brgds, Tim
aaa new-model
aaa group server radius rad_eap
server name rs-local
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication ppp default local
aaa authorization exec default local
dot11 ssid home
vlan 1
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
dot11 ssid guest
vlan 2
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 abcdef123
dot11 ssid test
vlan 3
authentication open
mbssid guest-mode
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
broadcast-key vlan 1 change 30
broadcast-key vlan 2 change 43200
ssid home
ssid guest
ssid test
antenna gain 0
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
packet retries 64 drop-packet
no preamble-short
station-role root
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
no cdp enable
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
interface GigabitEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 spanning-disabled
no bridge-group 3 source-learning
interface BVI1
ip address 172.27.44.2 255.255.255.0
no ip route-cache
ip default-gateway 172.27.44.1
****Router Config****
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered BVI1
Hi Sebastian
Please see the ip dhcp debug from the 887VA-W showing the Sky client requesting an IP address but failing to get one, a debug from an 877-W showing successful DHCP assignment, and the DHCP config as requested. The successful trace shows 2 MAC addresses from the Sky wireless adapter / Sky box each getting a DHCP address. I don't know whether the failure is a bug in the 887 DHCP code or some config in the embedded AP that needs tweaking.
Bregs, Tim
The Sky wired adapter (I think it's the mac of the sky box lan port) mac is 00:19:FB:A4:B2:1A
The Sky wireless mac is 18:28:61:99:7B:A8
887VA-W Debug - Failure:
887#term mon
887#sh deb
DHCP server packet debugging is on.
887#
887#
000141: Dec 16 07:03:02.082 London: DHCPD: ARP entry exists (10.1.1.10, e0c9.7ad6.24ee).
000142: Dec 16 07:03:02.082 London: DHCPD: unicasting BOOTREPLY to client e0c9.7ad6.24ee (10.1.1.10).
Denham_887#
000143: Dec 16 07:05:25.536 London: DHCPD: client's VPN is .
000144: Dec 16 07:05:25.536 London: DHCPD: No option 125
000145: Dec 16 07:05:25.536 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
000146: Dec 16 07:05:25.536 London: DHCPD: Allocate an address without class information (10.1.1.0)
000147: Dec 16 07:05:25.536 London: DHCPD: Saving workspace (ID=0x4000009)
Denham_887#
000148: Dec 16 07:05:27.536 London: DHCPD: Reprocessing saved workspace (ID=0x4000009)
000149: Dec 16 07:05:27.536 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
000150: Dec 16 07:05:27.536 London: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.12).DHCPD: Setting only requested parameters
000151: Dec 16 07:05:27.536 London: DHCPD: no option 125
000152: Dec 16 07:05:27.536 London: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
Denham_887#
000153: Dec 16 07:05:32.468 London: DHCPD: New packet workspace 0x123EC554 (ID=0xC700000A)
000154: Dec 16 07:05:32.468 London: DHCPD: client's VPN is .
000155: Dec 16 07:05:32.468 London: DHCPD: No option 125
000156: Dec 16 07:05:32.468 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
000157: Dec 16 07:05:32.468 London: DHCPD: Allocate an address without class information (10.1.1.0)
000158: Dec 16 07:05:32.472 London: DHCPD: Saving workspace (ID=0xC700000A)
Denham_887#
000159: Dec 16 07:05:34.080 London: DHCPD: New packet workspace 0x1240A47C (ID=0x5500000B)
000160: Dec 16 07:05:34.080 London: DHCPD: client's VPN is .
000161: Dec 16 07:05:34.080 London: DHCPD: No option 125
000162: Dec 16 07:05:34.080 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
000163: Dec 16 07:05:34.080 London: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.12).DHCPD: Setting only requested parameters
000164: Dec 16 07:05:34.080 London: DHCPD: no option 125
000165: Dec 16 07:05:34.080 London: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
Denham_887#
000166: Dec 16 07:05:34.468 London: DHCPD: Reprocessing saved workspace (ID=0xC700000A)
000167: Dec 16 07:05:34.468 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
000168: Dec 16 07:05:34.468 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
000169: Dec 16 07:05:34.468 London: DHCPD: no option 125
000170: Dec 16 07:05:34.468 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
Denham_887#
000171: Dec 16 07:05:35.476 London: DHCPD: client's VPN is .
000172: Dec 16 07:05:35.476 London: DHCPD: No option 125
000173: Dec 16 07:05:35.476 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
000174: Dec 16 07:05:35.476 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
000175: Dec 16 07:05:35.476 London: DHCPD: no option 125
000176: Dec 16 07:05:35.476 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
Denham_887#
000177: Dec 16 07:05:37.520 London: DHCPD: client's VPN is .
000178: Dec 16 07:05:37.520 London: DHCPD: No option 125
000179: Dec 16 07:05:37.520 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
000180: Dec 16 07:05:37.520 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
000181: Dec 16 07:05:37.524 London: DHCPD: no option 125
000182: Dec 16 07:05:37.524 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
Denham_887#
000183: Dec 16 07:05:40.532 London: DHCPD: client's VPN is .
000184: Dec 16 07:05:40.532 London: DHCPD: No option 125
000185: Dec 16 07:05:40.532 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
000186: Dec 16 07:05:40.532 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
000187: Dec 16 07:05:40.532 London: DHCPD: no option 125
000188: Dec 16 07:05:40.532 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
Denham_887#
000189: Dec 16 07:05:43.540 London: DHCPD: client's VPN is .
000190: Dec 16 07:05:43.540 London: DHCPD: No option 125
000191: Dec 16 07:05:43.540 London: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI1.
000192: Dec 16 07:05:43.540 London: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.13).DHCPD: Setting only requested parameters
000193: Dec 16 07:05:43.540 London: DHCPD: no option 125
000194: Dec 16 07:05:43.540 London: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
Denham_887#
000195: Dec 16 07:05:48.884 London: DHCPD: client's VPN is .
000196: Dec 16 07:05:48.884 London: DHCPD: No option 125
000197: Dec 16 07:05:48.884 London: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI1.
000198: Dec 16 07:05:48.884 London: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.12).DHCPD: Setting only requested parameters
000199: Dec 16 07:05:48.884 London: DHCPD: no option 125
000200: Dec 16 07:05:48.884 London: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
887VA-W dhcp config:
887#sh run | section dhcp
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 10
no ip dhcp conflict logging
ip dhcp pool home
network 172.27.44.0 255.255.255.0
dns-server 208.67.222.222 208.67.220.220
default-router 172.27.44.1
ip dhcp pool test
import all
network 11.1.1.0 255.255.255.0
default-router 11.1.1.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool guest
import all
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
dns-server 208.67.222.222 208.67.220.220
877-W Debug - Success:
877#deb ip dhcp se
877#deb ip dhcp server pa
DHCP server packet debugging is on.
877#deb ip dhcp server ev
DHCP server event debugging is on.
877#
000258: *Jun 23 22:20:07.087 BST: DHCPD: checking for expired leases.
000259: *Jun 23 22:20:14.684 BST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 1828.6199.7ba9 Associated SSID[guest] AUTH_TYPE[OPEN] KEY_MGMT[WPAv2 PSK]
000260: *Jun 23 22:20:16.289 BST: DHCPD: Sending notification of DISCOVER:
000261: *Jun 23 22:20:16.289 BST: DHCPD: htype 1 chaddr 1828.6199.7ba8
000262: *Jun 23 22:20:16.289 BST: DHCPD: remote id 020a00000a010101f2000000
000263: *Jun 23 22:20:16.289 BST: DHCPD: circuit id 00000000
000264: *Jun 23 22:20:16.289 BST: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI2.
000265: *Jun 23 22:20:16.289 BST: DHCPD: Seeing if there is an internally specified pool class:
000266: *Jun 23 22:20:16.289 BST: DHCPD: htype 1 chaddr 1828.6199.7ba8
000267: *Jun 23 22:20:16.289 BST: DHCPD: remote id 020a00000a010101f2000000
000268: *Jun 23 22:20:16.289 BST: DHCPD: circuit id 00000000
000269: *Jun 23 22:20:16.289 BST: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.9).
000270: *Jun 23 22:20:16.289 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
000271: *Jun 23 22:20:16.493 BST: DHCPD: DHCPREQUEST received from client 0118.2861.997b.a8.
000272: *Jun 23 22:20:16.493 BST: DHCPD: Sending notification of ASSIGNMENT:
000273: *Jun 23 22:20:16.493 BST: DHCPD: address 10.1.1.9 mask 255.255.255.0
000274: *Jun 23 22:20:16.493 BST: DHCPD: htype 1 chaddr 1828.6199.7ba8
000275: *Jun 23 22:20:16.493 BST: DHCPD: lease time remaining (secs) = 86400
000276: *Jun 23 22:20:16.493 BST: DHCPD: Appending system default domain
000278: *Jun 23 22:20:16.493 BST: DHCPD: Sending DHCPACK to client 0118.2861.997b.a8 (10.1.1.9).
000279: *Jun 23 22:20:16.493 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
000280: *Jun 23 22:20:17.089 BST: DHCPD: checking for expired leases.
000281: *Jun 23 22:20:18.097 BST: %SYS-5-CONFIG_I: Configured from console by vty0
Denham#
000282: *Jun 23 22:20:21.314 BST: DHCPD: Sending notification of DISCOVER:
000283: *Jun 23 22:20:21.314 BST: DHCPD: htype 1 chaddr 0019.fba4.b21a
000284: *Jun 23 22:20:21.314 BST: DHCPD: remote id 020a00000a010101f2000000
000285: *Jun 23 22:20:21.314 BST: DHCPD: circuit id 00000000
000286: *Jun 23 22:20:21.314 BST: DHCPD: DHCPDISCOVER received from client 0019.fba4.b21a on interface BVI2.
000287: *Jun 23 22:20:21.314 BST: DHCPD: Seeing if there is an internally specified pool class:
000288: *Jun 23 22:20:21.314 BST: DHCPD: htype 1 chaddr 0019.fba4.b21a
000289: *Jun 23 22:20:21.314 BST: DHCPD: remote id 020a00000a010101f2000000
000290: *Jun 23 22:20:21.314 BST: DHCPD: circuit id 00000000
000291: *Jun 23 22:20:21.314 BST: DHCPD: Sending DHCPOFFER to client 0019.fba4.b21a (10.1.1.8).
000292: *Jun 23 22:20:21.314 BST: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
000293: *Jun 23 22:20:21.406 BST: DHCPD: DHCPREQUEST received from client 0019.fba4.b21a.
000294: *Jun 23 22:20:21.406 BST: DHCPD: Sending notification of ASSIGNMENT:
000295: *Jun 23 22:20:21.406 BST: DHCPD: address 10.1.1.8 mask 255.255.255.0
000296: *Jun 23 22:20:21.406 BST: DHCPD: htype 1 chaddr 0019.fba4.b21a
000297: *Jun 23 22:20:21.406 BST: DHCPD: lease time remaining (secs) = 86400
000298: *Jun 23 22:20:21.406 BST: DHCPD: Can't find any hostname to update
000299: *Jun 23 22:20:21.406 BST: DHCPD: Sending DHCPACK to client 0019.fba4.b21a (10.1.1.8).
000300: *Jun 23 22:20:21.406 BST: DHCPD: broadcasting BOOTREPLY to client 0019.fba4.b21a.
000302: *Jun 23 22:20:33.049 BST: DHCPD: Sending notification of DISCOVER:
000303: *Jun 23 22:20:33.049 BST: DHCPD: htype 1 chaddr 1828.6199.7ba8
000304: *Jun 23 22:20:33.049 BST: DHCPD: remote id 020a00000a010101f2000000
000305: *Jun 23 22:20:33.049 BST: DHCPD: circuit id 00000000
000306: *Jun 23 22:20:33.049 BST: DHCPD: DHCPDISCOVER received from client 0118.2861.997b.a8 on interface BVI2.
000307: *Jun 23 22:20:33.049 BST: DHCPD: Seeing if there is an internally specified pool class:
Denham#
000308: *Jun 23 22:20:33.049 BST: DHCPD: htype 1 chaddr 1828.6199.7ba8
000309: *Jun 23 22:20:33.049 BST: DHCPD: remote id 020a00000a010101f2000000
000310: *Jun 23 22:20:33.049 BST: DHCPD: circuit id 00000000
000311: *Jun 23 22:20:33.049 BST: DHCPD: Sending DHCPOFFER to client 0118.2861.997b.a8 (10.1.1.9).
000312: *Jun 23 22:20:33.053 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
000313: *Jun 23 22:20:33.081 BST: DHCPD: DHCPREQUEST received from client 0118.2861.997b.a8.
Denham#
000314: *Jun 23 22:20:33.081 BST: DHCPD: Sending notification of ASSIGNMENT:
000315: *Jun 23 22:20:33.081 BST: DHCPD: address 10.1.1.9 mask 255.255.255.0
000316: *Jun 23 22:20:33.081 BST: DHCPD: htype 1 chaddr 1828.6199.7ba8
000317: *Jun 23 22:20:33.081 BST: DHCPD: lease time remaining (secs) = 86400
000318: *Jun 23 22:20:33.081 BST: DHCPD: Appending system default domain
000319: *Jun 23 22:20:33.085 BST: DHCPD: Using hostname 'skywirelessconnector.indahouse.dyndns.org.' for dynamic update (from hostname option)
indahouse#u
000320: *Jun 23 22:20:33.085 BST: DHCPD: Sending DHCPACK to client 0118.2861.997b.a8 (10.1.1.9).
000321: *Jun 23 22:20:33.085 BST: DHCPD: broadcasting BOOTREPLY to client 1828.6199.7ba8.
-
X-Fi Mode Switcher won't work in XP non-admin accou
I have installed X-Fi extreme music on my WinXP SP2 machine. Both audio console and the graphical console launcher/mode-switcher won't work properly in non-admin accounts. It will be "stuck" in one mode and whatever I do, it refuses to change to another mode.
Both work fine when I use the admin account. Please help. Thanks in advance.
Unfortunately I'm a greedy cuss and won't share my computer with anyone, so I'm running more or less as Admin 24/7 and have not run into the issue. I think there is a setting in XP that you can change that will allow non-admins to make changes to the system. You might check User settings for the account in the "User Accounts" in Control Panel. Will see if I can find some info on it for you, but you can also check the MS Knowledge Base.
-
Cisco catalyst 3850 switch won't take command: "switchport mode trunk encapsulation dot 1q"
Hi all,
I'm working on this switch's configuration. When I typed "switchport mode trunk encapsulation dot 1q", I got an error "invalid input". I'm guessing that this model already has the encapsulation type set to dot1q, and that's why the switch won't take it, right?
Please help!
According to the documents it supports both.
You are however using the wrong command, it should be -
"switchport trunk encapsulation dot1q"
ie. no "mode" keyword.
If it doesn't take that then do a "sh int <x> capabilities" and it should show you which encapsulation methods are supported.
Jon
-
L3 Switch script to shutdown a port based IP reachability
Hello all,
I would like to know if, using EEM, I can shut down a Gigabit interface based on IP reachability of the remote neighbor via ping,
and no shutdown it when the IP reachability is re-established? I'm using IOS-XE.
I ask this because I have an L2 connection which is not directly end-to-end but has some network component (DWDM) in the middle for signal regeneration.
The provider of the DWDM circuit confirms that the signal is NOT end-to-end, so in case there is a failure in the circuit the interfaces of the L3 switches won't go down and the traffic is still routed on this path, since the routes are still present in the routing table even if the remote neighbor is not reachable.
Should I use track with the event manager applet IOS commands???
Many Thanks
Regards
I would recommend looking at feature-based capabilities before implementing things with EEM... This way it would be easier to support etc...
The functionality you are asking for should be available on your platform (I assume you are on ASR1K as you are mentioning IOS-XE). You should look at BFD...
Here are a few references:
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/xe-3s/irb-bi-fwd-det.html
You mentioned static routes, so maybe this is also relevant:
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/xe-3s/irb-xe-3s-book_chapter_01000.html
Arie
-
Community profile lost after switching from facebook-connected to email-based account?
Hi there, apparently I do not have access to my old facebook-connected profile here in the community after switching to a new, e-mail based account. Is there a way to merge my new account (alexanderklar) with my old one (klar)? Or maybe reactivate access to my old account via my e-mail-based credentials? Thank you and best regards
Alexander Klar
Hey, looks like your account is now ready!
Log in with "alexanderklar" and it will log you back into your old account automatically! :)
-
VWLC + ISE 1.2 = Randomly won't authenticate users until reboot?
Hello all!
I have an issue where authentications (dot1x) from the vWLC to ISE 1.2 will start to fail after a certain amount of up time. The certain amount I'm not sure about, because it just started to happen. ISE will either complain about the client having an issue with TLS or ISE will show a successful authentication.
The vWLC shows the client associated, but never authenticates the client (in the case of ISE showing successful authentication).
vWLC on version 7.6.110.0.
ISE on version 1.2.0.899.
Anyone else having or had this issue? I have a TAC case open, but they want me to do a webex with them when the issue is happening, and it's hard to leave it broken while users are complaining.
Thanks!
Are you sure the number of clients associating to your network is less than the maximum clients supported by this vWLC? Can you post the details of failed authentications of clients from Live Authentications (go to ISE > Operations > Authentications > Details)?
-
Cisco ISE 1.3 failed to authenticate wireless endpoint
Dear all,
I recently have a big problem with my ISE after upgrading from version 1.2 to 1.3; the original plan is as follows for wireless laptops authenticating to our network.
There are 2 SSIDs, REG and INT. When the user and laptop use the WiFi for the first time, they need to request a user certificate from the CA, and they need to log in to the REG SSID with AD username and password. The Wireless Controller 2504 will pass the packet to ISE, and the user will use the 802.1x authentication method with PEAP to request the cert. If the authentication is successful, the user needs to open a web browser and the NSP page of ISE will show up for the user to register, and the CA will generate the user cert for the user. Then the SSID will switch to INT, using EAP-TLS to authenticate the user cert with the CA.
That was fine when working in ISE 1.2. However, after the upgrade to 1.3, because the proxy setting in 1.3 allows entering a username and password which our proxy server requires and cannot be changed, under 1.3 the authentication fails even at the first step of the ISE authentication policy: the policy checks if the laptop is using 802.1x and logging in with an AD account, then passes to the authorization policy. But when I check the log, there are always the error messages 5411 Supplicant stopped responding to ISE, 12930 Supplicant stopped responding to ISE after sending it the first PEAP message, 5440 Endpoint abandoned EAP session and started new.
I have searched for a long time on the Internet without any help; I would appreciate it if any expert can help me. I have also uploaded the debug message from our ISE for reference.
Thank you
Best Regards,
Terry Chow
Hi Terry,
Just wondering if you got an answer to your problem?
I am deploying a new solution with ISE 1.3 and I was having a similar problem with my wireless users when I tried to enable it last night
Cheers,
John
-
The forward button won't work and the hold switch doesn't either. I tried restoring it, but that didn't work.
Restore to factory settings/new iPod if you have not yet already. If still a problem, time for an appointment at the Genius Bar of an Apple store.
-
Canon Powershot SX700 won't authenticate and camera keeps giving the message "check settings"
Help PLEASE! I'm pretty computer savvy but I can't figure this out. I'm running Mac OS version 10.9.2 and I have downloaded all the software from Canon. I'm connected, but the camera says "check settings" when I go to authenticate the camera... I can't upload any pictures to the Canon Image Gateway... I'm really frustrated with this. It shouldn't be this difficult.
So here's what happened... I had everything right; my camera saw my computer and I was registered. It just wouldn't let me authenticate. Canon Support (on the phone) tried everything with me and we couldn't get it hooked up to the online Canon Image Gateway. Let me say here support was great and I like that, but I think that it should be a breeze to connect to... it is with all my Apple devices. The Canon tech suggested that I take my camera and computer to a friend's house and see if her internet modem would let me connect... IT DID! Right off the bat. SO NOW I'M HOOKED UP AND AUTHENTICATED! YEA!!! BUT the uploader plugin won't work now and I can't seem to uninstall it... so if you had a "check settings" message, go to a library or neighbor and see if you can connect it through their internet... good luck. Joanie
-
Cisco ISE & 3750 Switch MAB configuration Issue
Hi,
I am writing in response to a MAB issue which I noticed a few days ago, and I am still not able to understand what exactly happened. First of all I would like to say that I configured MAB authentication and, according to the MAC, ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration, the switch authorizes the new device into VLAN 11 (critical VLAN). That is fine! When the ISE server is up again I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why did that not happen??? It looks as if the switch didn't notice that the RADIUS server (ISE) was up and working again.
Here is the test switch configuration :
interface FastEthernet0/22
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 11
authentication event server alive action reinitialize
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication violation restrict
mab
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
snmp-server community ISE-Test RO
snmp-server community ISE-Test1 RW
snmp-server trap-source FastEthernet0/24
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
Thank you in advance! I hope that this issue might be interesting!
Martin
Can you confirm that you have the following syntax in your NAD:
aaa server radius dynamic-author
client 192.168.98.10 server-key AAA_Secret
Also, it would be nice to have the complete aaa/radius config. If easier, post your whole config here.
Last but not least, you can try moving to 15.x code. I had issues in the past with 12.x code and 802.1x.
-
Good Morning,
I am conducting an implementation of Cisco ISE version 1.2.1.198 with all its features on a 3560-X switch, and in the ISE compatibility chart the minimum version for this switch would be IOS 15.0.2-SE2 (ED).
My doubt is whether I need the ipbase feature set or whether lanbase would be sufficient to meet all the 802.1x features for Cisco ISE.
I appreciate the attention and thanks,
Please see the "Cisco Secure Access and Cisco TrustSec Release 5.0 System Bulletin".
It notes that the 3560-X requires the IP Base license for all the 802.1X features.
-
Powered down my ISE 1.1 server and booted it back up and now it won't start correctly.
We have rebooted it multiple times and tried to manually start the services but no luck. Any thoughts?
ISE-1/admin# sh ap stat ise
ISE Database listener is running, PID: 3356
ISE Database is running, number of processes: 17
ISE Application Server process is not running.
ISE M&T Session Database is running, PID: 3013
ISE M&T Log Collector is running, PID: 4485
ISE M&T Log Processor is running, PID: 4594
ISE M&T Alert Process is not running.
It appears that the issue is with the code I am running. Version 1.1.1.268 has this issue. I backed up my data to an FTP server with the command
backup backup-name repository repository-name application application-name encryption-key
hash |plain encryption-key name
Example 1
ise/admin# configure terminal
ise/admin(config)# repository myrepository
ise/admin(config-Repository)# url ftp://starwars.test.com/repository/system1
ise/admin(config-Repository)# user luke password skywalker
ise/admin(config-Repository)# exit
ise/admin(config)# exit
ise/admin#
then re-imaged the server.
Thanks
-
I was able to configure the CWA on the switch and Cisco ISE. It is working as expected. I followed the guide on the link bellow.
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
I only have one question. I try to understand why ACL must be configured on the port on the switch. Guide uses ACL with name webauth which permit all traffic. If port is authorized it receives dACL from ISE, otherwise port is in unauthorize state and denies all traffic.
interface GigabitEthernet1/0/12
description ISE1 - dot1x clients - UCS Eth0
switchport access vlan 100
switchport mode access
ip access-group webauth in
authentication order mab
authentication priority mab
authentication port-control auto
mab
spanning-tree portfast
end
ip access-list extended webauth
permit ip any any
Why ACL must be configured on the port on the switch
Question:
I only have one question. I try to understand why ACL must be configured on the port on the switch. Guide uses ACL with name webauth which permit all traffic. If port is authorized it receives dACL from ISE, otherwise port is in unauthorize state and denies all traffic.
What is Web Authentication?
Web authentication is opposed to local web authentication, which is the usual web authentication on the switch itself. In that system, upon dot1x/MAB failure, the switch will fail over to the webauth profile and redirect client traffic to a web page on the switch.
Role of ACL:
The redirect ACL sent back with the central webauth profile determines which traffic (HTTP or HTTPS) is redirected to the ISE. The downloadable ACL allows you to define what traffic is allowed. You should typically allow DNS, HTTP(S), and 8443 and deny the rest. Otherwise, the switch redirects HTTP traffic but allows other protocols.
Port ACLs
Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the inbound direction. These access lists are supported:
• Standard IP access lists using source addresses
• Extended IP access lists using source and destination addresses and optional protocol type information
• MAC extended access lists using source and destination MAC addresses and optional protocol type information
The switch examines ACLs associated with all inbound features configured on a given interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network. Figure 31-1 is an example of using port ACLs to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
Figure 31-1 Using ACLs to Control Traffic to a Network
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.
For More information, please check
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swacl.html#wp1715468
-
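As an added example (not from the linked Cisco guide, the question, or the answer above), here is how the three ACL roles described in that answer (port ACL, redirect ACL, dACL) fit together around the interface from the question. The ISE address 192.0.2.10, the ACL name ACL-REDIRECT and the key <RADIUS-KEY> are assumed placeholders; the dACL body and the url-redirect av-pairs are shown as comments because they are defined on ISE, not in the switch config.

```cisco
! Added example: central web authentication (CWA) pieces on the switch side.
! Assumptions (placeholders, not from the post): ISE PSN at 192.0.2.10,
! redirect ACL named ACL-REDIRECT, RADIUS shared secret <RADIUS-KEY>.

! --- 1. Port ACL (pre-authentication ACL) -----------------------------------
! Applied statically inbound on the port. Its job is to give the dACL from
! ISE something to replace: once a session is authorized, the dACL overrides
! this ACL for that host, and without an inbound port ACL the switch rejects
! the dACL. "permit ip any any" is tolerable only because the port is in
! closed mode (no "authentication open"), so before authorization nothing
! passes anyway, and after authorization the dACL is what actually filters.
ip access-list extended webauth
 permit ip any any

! --- 2. Redirect ACL --------------------------------------------------------
! Semantics are inverted relative to a filtering ACL:
!   permit = this traffic IS redirected to the ISE portal
!   deny   = this traffic is left alone (not redirected)
! DNS and traffic to ISE itself must be excluded, otherwise the client can
! never resolve or reach the portal it is being sent to.
ip access-list extended ACL-REDIRECT
 deny   udp any any eq domain
 deny   ip  any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443

! --- 3. Global prerequisites ------------------------------------------------
! dACL and redirect are bound to the host's IP, so device tracking is needed.
ip device tracking
! The switch itself answers the intercepted HTTP(S) request with the redirect.
ip http server
ip http secure-server
! CoA from ISE after the portal login re-authenticates the session.
aaa server radius dynamic-author
 client 192.0.2.10 server-key <RADIUS-KEY>
! Required so the cisco-av-pair values below are accepted.
radius-server vsa send authentication

! --- 4. The access port (as in the question) --------------------------------
interface GigabitEthernet1/0/12
 switchport access vlan 100
 switchport mode access
 ip access-group webauth in
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
 spanning-tree portfast

! --- 5. What ISE returns in the CWA authorization profile (not switch CLI) --
! Access-Accept with:
!   cisco-av-pair = url-redirect-acl=ACL-REDIRECT
!   cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
!   (ISE fills in ip:port; the exact portal path differs between ISE versions)
! and a downloadable ACL (dACL), written on ISE in IOS extended-ACL syntax,
! that decides what is ALLOWED while the client sits at the portal:
!   permit udp any any eq domain
!   permit tcp any host 192.0.2.10 eq 8443
!   permit tcp any any eq www
!   permit tcp any any eq 443
!   deny   ip  any any
! Order of evaluation: a packet must first be permitted by the dACL; only then
! is the redirect ACL consulted to decide whether it is sent to the portal.
! If ISE returns no dACL, the effective policy falls back to the port ACL's
! "permit ip any any", which is why the dACL must always end in "deny ip any any".
```

Verify the pieces landed with "show authentication sessions interface GigabitEthernet1/0/12 details", which lists the applied dACL and the URL redirect ACL for the session.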
Ise and switch authentication and privilege level
Hi Guys,
I'm working on an eval on vmware. I have got everything working for wlan authentication and I’m working on shell authentication for switches. On the ACS you have the possibility to give the user privilege level on the switch. You can do this with shell profiles in ACS.
Is there a way to get this done in ISE? I was thinking to make a result policy elements but I can't find a shell profile or privilege attributes like in ACS.
For the record, switch authentication is working with Active Directory. I only need to know how to give the right return attribute.
I appreciate any help!
Sander
@Sander,
You were in the right area.
Policy->Results->Authorization->Authorization Profiles.
Create AuthZ profile for Access-Accept and Under the Advanced Attributes Settings you can use:
Cisco:cisco-av-pair = shell:priv-lvl=15
or whatever privilege level you want to assign.
On your AuthZ rule, match the conditions and apply the created profile.