Multi-auth and broadcast traffic

I was talking with a co-worker about multi-auth host mode and we are wondering how it handles broadcast traffic. So if we have a switch port set to multi-auth and we are doing dynamic VLAN assignment: say you have an ESX host running 5 VM instances; if three of them pass and get assigned VLAN 32, and the other two fail and get assigned VLAN 86, when a broadcast goes out on VLAN 32, will the devices that are in VLAN 86 see the broadcast traffic?

Anybody have an idea?

Similar Messages

  • Switch port in dot1x multi-auth mode stops passing traffic

    Dear All,
    I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
    interface GigabitEthernet2/34
    switchport mode access
    ip arp inspection limit rate 30
    authentication host-mode multi-auth
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    dot1x pae authenticator
    dot1x timeout tx-period 5
    dot1x max-reauth-req 6
    spanning-tree portfast
    ip verify source vlan dhcp-snooping
    end
    It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
    Did anyone experience a similar problem? Any advice?
    Thanks.
    Mirek

    We have the same issue on a 3750E switch running 12.2(58)SE

  • Difference between 802.1x multi-host and 802.1x multi-auth

    Hi,
    This is a bit confusing for me. Does someone have an easy explanation?
    What I understand and have looked up so far (correct me if I'm wrong):
    802.1x multi-host: Good for an AP or a phone setup. The port becomes authorized as soon as one client is authenticated, in this situation the AP or the phone. Afterwards PCs have access without any further 802.1x action.
    802.1x multi-auth: Multiple devices are allowed to independently authenticate through the same port. More secure? Is this good for the following setup: I have an 802.1x port on the managed 24-port switch, but the customer decides to plug in a non-managed cheap 8-port switch on his desk where different PCs will be plugged in. So I have an 802.1x port on the Cisco switch connected to a non-managed 8-port switch. I suppose the 802.1x multi-host configuration is not a secure option here.
    I don't know if I am clear enough. Don't hesitate to ask if not.
    Thanks for your reply.

    You are right with your understanding.
    Multi-Host is a valid solution if a power-user for example is using many VMs on his PC. After authenticating initially, all VMs can communicate with the network.
    Multi-Auth is more secure because each MAC address accessing the network is controlled.
    A very good overview on 802.1x and the configuration can be found on the Cisco IOS Quick Reference Guide for IBNS.

  • How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

    Good morning everybody,
    I am writing because I am not able to implement a desired outcome in our company network. The situation is as follows:
    What I want to do is to be able to authenticate users (802.1x authentication) against our company RADIUS server and authorize their access by dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization have been working completely smoothly (there are no problems with that by itself). The concept involves the configuration of both DATA and VOICE VLANs, as there is also phone authentication implemented. In order to simulate this environment I introduced a dumb switch connected to my Cisco 2960 Catalyst.
    What I have successfully managed to get to work so far is this:
    1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Below is an output from show authentication sessions for this scenario.
    Interface  MAC Address     Method   Domain   Status         Session ID
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
    show authentication sessions:
    Interface  MAC Address     Method   Domain   Status         Session ID
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
    What I want to get is an output like this:
    Interface  MAC Address     Method   Domain   Status         Session ID
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    I want the switch to authenticate the users any time they connect to it and for them to have instant access to the network. (I say this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked, but two users never had access to the “Internet” simultaneously!!!)
    The configuration of the interface connected to the Dumb switch is as follows.
    interface FastEthernet0/x
     description Connection to DUMBswitch
     switchport mode access
     switchport voice vlan XXX
     switchport port-security maximum 10
     switchport port-security
     switchport port-security violation protect
     authentication host-mode multi-auth
     authentication priority dot1x
     authentication port-control auto
     authentication timer reauthenticate 4000
     authentication violation replace
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    The way I see it is explained in the following steps:
    - PC1 connects to the dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to the DATA domain.
    - When PC2 connects to the dumb switch, this causes the violation replace, which replaces the recently authenticated MAC address with the MAC of PC2. I would like it, once authenticated, to appear in the authentication sessions linked to a new DATA domain tied to the VLAN assigned by the RADIUS server.
    Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through a dumb switch to the network.
    Has anybody ever succeeded with such a configuration, and if yes, could I get some help in doing so?
    Thank you
    Stoimen Hristov

    Hi Stoimen,
    I have done a setup similar to yours, with the only exception being VLAN assignment. Using dACLs only makes things somewhat easier, as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
    From what I can see, you have 2 options available to you:
    1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
    2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
    Hopefully someone else will chime in with another option.
    Xavier

  • Broadcast traffic with LCD Projector

    Hi all,
    Please help...
    How do I enable broadcast traffic on a WiSM on the same VLAN/interface?
    I have an LCD projector, and when the client does an automatic search, the client broadcasts to 255.255.255.255, but somehow the LCD projector does not respond to the broadcast traffic from the client.
    I already configured the WiSM to forward broadcast traffic.
    I already tested it using a Cisco autonomous AP with the LCD projector and laptop joining the same SSID, and the automatic search worked successfully.
    Can anyone help?
    regards
    Robin

    Hey... I have good news.
    The problem is in the AP Multicast Mode, not in the Ethernet multicast mode:
    Web Mode.................................... Enable
    Secure Web Mode............................. Disable
    Secure Web Mode Cipher-Option High.......... Disable
    Secure Web Mode Cipher-Option SSLv2......... Enable
    Secure Shell (ssh).......................... Enable
    Telnet...................................... Enable
    Ethernet Multicast Mode..................... Enable   Mode: Ucast
    Ethernet Broadcast Mode..................... Enable
    AP Multicast Mode........................... Unicast
    IGMP snooping............................... Enabled
    IGMP timeout................................ 60 seconds
    User Idle Timeout........................... 300 seconds
    ARP Idle Timeout............................ 300 seconds
    Cisco AP Default Master..................... Disable
    AP Join Priority............................ Disable
    Mgmt Via Wireless Interface................. Enable
    Mgmt Via Dynamic Interface.................. Disable
    Bridge MAC filter Config.................... Disable
    Bridge Security Mode........................ EAP
    Mesh Full Sector DFS........................ Enable
    Apple Talk ................................. Disable
    AP Fallback ................................ Enable
    Web Auth Redirect Ports .................... 80
    Fast SSID Change ........................... Enabled
    802.3 Bridging ............................. Disable
    IP/MAC Addr Binding Check .................. Enabled
    Does it mean that the WLC will receive multicast traffic from the Ethernet side and forward the multicast traffic on the wireless side in unicast mode?

  • Authentication Host-Mode Multi-Auth not working

    hi
    In my lab environment I configured 802.1x with "Multi-Auth" mode for multiple clients on a single protected port to be authenticated against a Microsoft NPS AAA server.
    Switch ports configured with the Single-Host or Multi-Host options are working fine, but "Multi-Auth" mode is not working. My hardware details and configuration are as follows:
    Catalyst Model = WS-C2960S-24TSL running IOS 12.2(55)SE2
    Current configuration : 10423 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    aaa new-model
    aaa group server radius NPS
    server-private x.x.x.x auth-port 1645 acct-port 1646 key <removed>
    aaa authentication dot1x default group NPS
    aaa authorization network default group NPS
    aaa session-id common
    switch 1 provision ws-c2960s-24ts-l
    authentication mac-move permit
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface GigabitEthernet1/0/1
    switchport access vlan 5
    switchport mode access
    authentication order dot1x webauth
    authentication priority dot1x webauth
    authentication port-control auto
    authentication timer reauthenticate 7200
    authentication violation protect
    dot1x pae authenticator
    spanning-tree portfast
    interface GigabitEthernet1/0/5
    switchport access vlan 5
    switchport mode access
    switchport voice vlan 98
    authentication host-mode multi-auth
    authentication order dot1x mab webauth
    authentication priority dot1x
    authentication port-control auto
    dot1x pae authenticator
    interface GigabitEthernet1/0/7
    switchport access vlan 5
    switchport mode access
    authentication host-mode multi-host
    authentication order dot1x webauth
    authentication priority dot1x webauth
    authentication port-control auto
    authentication timer reauthenticate 7200
    authentication violation protect
    dot1x pae authenticator
    spanning-tree portfast
    interface Vlan5
    ip address x.x.x.x x.x.x.x
    interface Vlan98
    no ip address
    radius-server vsa send accounting
    radius-server vsa send authentication
    end
    My debug log for Authentication, dot1x and AAA is as follows.
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 98, data VLAN 5
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Setting domain ALL to UNATHED
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 01:58:51.354: dot1x-ev(Gi1/0/5): Interface state changed to UP
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Enabling dot1x in switch shim
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Received clear security violation
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Received clear security violation
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Link UP
    *Mar  1 01:58:51.360: AAA/BIND(00000004): Bind i/f
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Assigned AAA ID 0x00000004
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Retrieved Accounting Session ID 0x00000004
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Allocated new Auth Manager context (handle 0x83000002)
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Initialising Method dot1x state to 'Not run'
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Adding method dot1x to runnable list for Auth Mgr context 0x
    *Mar  1 01:58:51.360: AUTH-EVENT: auth_mgr_idc_add_record: Recv audit_sid=0000000000000002006CD0E0
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Sending START to dot1x (handle 0x83000002)
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: initial state auth_initialize has enter
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_initialize_enter called
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: during state auth_initialize, got event 0(cfg_auto)
    *Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_initialize -> auth_disconnected
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_disconnected_enter called
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: idle during state auth_disconnected
    *Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_restart_enter called
    *Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Sending create new context event to EAP for 0x4100002D (0000.0000.0000)
    *Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has enter
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_initialize_enter called
    *Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has idle
    *Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: during state auth_bend_initialize, got event 16383(idle)
    *Mar  1 01:58:51.360: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_initialize -> auth_bend_idle
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_enter called
    *Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Created a client entry (0x4100002D)
    *Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Dot1x authentication started for 0x4100002D (0000.0000.0000)
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Received handle 0x4100002D from method
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Idle' to 'Running'
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Not run' to 'Running'
    *Mar  1 01:58:51.360: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/5
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0x4100002D
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: during state auth_restart, got event 6(no_eapRestart)
    *Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_connecting_enter called
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_restart_connecting_action called
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): Posting RX_REQ on Client 0x4100002D
    *Mar  1 01:58:51.365:     dot1x_auth Gi1/0/5: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
    *Mar  1 01:58:51.365: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authenticating
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authenticating_enter called
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_connecting_authenticating_action called
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): Posting AUTH_START for 0x4100002D
    *Mar  1 01:58:51.365:     dot1x_auth_bend Gi1/0/5: during state auth_bend_idle, got event 4(eapReq_authStart)
    *Mar  1 01:58:51.365: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_idle -> auth_bend_request
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
    *Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
    *Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Role determination not required
    *Mar  1 01:58:51.365: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
    *Mar  1 01:58:51.365: EAPOL pak dump Tx
    *Mar  1 01:58:51.365: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  1 01:58:51.365: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  1 01:58:51.365: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_request_action called
    *Mar  1 01:58:53.352: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
    *Mar  1 01:58:54.353: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up
    *Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x4100002D
    *Mar  1 01:59:22.188:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq)
    *Mar  1 01:59:22.188: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request
    *Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_request_action called
    *Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
    *Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
    *Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Role determination not required
    *Mar  1 01:59:22.188: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
    *Mar  1 01:59:22.188: EAPOL pak dump Tx
    *Mar  1 01:59:22.188: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  1 01:59:22.188: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  1 01:59:22.188: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
    *Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x4100002D
    *Mar  1 01:59:53.016:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq)
    *Mar  1 01:59:53.016: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request
    *Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_request_action called
    *Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
    *Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
    *Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Role determination not required
    *Mar  1 01:59:53.016: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
    *Mar  1 01:59:53.016: EAPOL pak dump Tx
    *Mar  1 01:59:53.016: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  1 01:59:53.016: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  1 01:59:53.016: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Received an EAP Timeout
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): Posting EAP_TIMEOUT for 0x4100002D
    *Mar  1 02:00:23.844:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 12(eapTimeout)
    *Mar  1 02:00:23.844: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_timeout
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_timeout_enter called
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_timeout_action called
    *Mar  1 02:00:23.844:     dot1x_auth_bend Gi1/0/5: idle during state auth_bend_timeout
    *Mar  1 02:00:23.844: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_timeout -> auth_bend_idle
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_enter called
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): Posting AUTH_TIMEOUT on Client 0x4100002D
    *Mar  1 02:00:23.844:     dot1x_auth Gi1/0/5: during state auth_authenticating, got event 14(authTimeout)
    *Mar  1 02:00:23.844: @@@ dot1x_auth Gi1/0/5: auth_authenticating -> auth_authc_result
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authenticating_exit called
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authc_result_enter called
    *Mar  1 02:00:23.844: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Sending event (2) to Auth Mgr for 0000.0000.0000
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Received AUTHC_RESULT from dot1x (handle 0x83000002)
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authc Result: no-response
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Running' to 'Authc Failed'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Running' to 'Authc Failed'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Existing AAA ID: 0x00000004
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Received AAA ID 0x00000004 from method
    *Mar  1 02:00:23.844: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
    *Mar  1 02:00:23.844: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Sending AUTHZ_FAIL to dot1x (handle 0x83000002)
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Received Authz fail for the client  0x4100002D (0000.0000.0000)
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Authc Failed' to 'Failed over'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Sending DELETE to dot1x (handle 0x83000002)
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Deleting client 0x4100002D (0000.0000.0000)
    *Mar  1 02:00:23.844: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) No more runnable methods
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Authc Failed' to 'No Methods'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Building default attribute list for unresponsive client
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Signalling Authc fail for client 0000.0000.0000
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.844: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'No Methods' to 'Authz Failed'
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Signalling Authz fail for client 0000.0000.0000
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) dot1x_switch_authz_fail: Called for GigabitEthernet1/0/5 and 0000.0000.0000
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Setting domain DATA to UNATHED
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-SYNC (Gi1/0/5) Syncing update for context (0000.0000.0000)
    *Mar  1 02:00:23.849: AUTH-EVENT: Started Auth Manager tick timer
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Started 'restart' timer (60s) for client 0000.0000.0000
    *Mar  1 02:00:23.849: dot1x-sm(Gi1/0/5): Posting_AUTHZ_FAIL on Client 0x4100002D
    *Mar  1 02:00:23.849:     dot1x_auth Gi1/0/5: during state auth_authc_result, got event 22(authzFail)
    *Mar  1 02:00:23.849: @@@ dot1x_auth Gi1/0/5: auth_authc_result -> auth_held
    *Mar  1 02:00:23.849: dot1x-ev:Delete auth client (0x4100002D) message
    *Mar  1 02:00:23.849: dot1x-ev:Auth client ctx destroyed
    *Mar  1 02:00:23.849: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client

    Multiauthentication Mode
    Available in Cisco IOS Release 12.2(33)SXI and later releases, multiauthentication (multiauth) mode allows one 802.1X/MAB client on the voice VLAN and multiple authenticated 802.1X/MAB/webauth clients on the data VLAN. When a hub or access point is connected to an 802.1X port (as shown in Figure 60-5), multiauth mode provides enhanced security over the multiple-hosts mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentications, which allows different hosts to be authenticated through different methods on a single port.
    Multiauth also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the data that the VSAs received from the authentication server.
    Release 12.2(33)SXJ and later releases support the assignment of a RADIUS server-supplied VLAN in multiauth mode, by using the existing commands and when these conditions occur:
    • The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
    • Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
    • A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
    • The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
    • After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
    • The behavior of the critical-auth VLAN is not changed for multiauth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
    NOTE:
    • Only one voice VLAN is supported on a multiauth port.
    • You cannot configure a guest VLAN or an auth-fail VLAN in multiauth mode.
    For more information:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html
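The VLAN-assignment rules in the quoted Cisco text, together with Xavier's point in the earlier thread that an access port carries only one data VLAN, as an added example that is not code from the page, from Cisco or from any of the posters: a small Python model of a multi-auth port that applies those rules to the five-VM scenario from the original question. The configured VLAN 5, the MAC addresses and the RADIUS results are constructed; the reset in server_unreachable() follows the critical-auth sentence, and an Access-Reject is modelled as plain denial because the quoted note says no auth-fail VLAN can be configured in multiauth mode.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MultiAuthPort:
    """Data domain of one access port in 'authentication host-mode multi-auth'."""
    configured_vlan: int                        # 'switchport access vlan' on the port
    operational_vlan: Optional[int] = None      # fixed by the first authorized host
    sessions: Dict[str, int] = field(default_factory=dict)   # mac -> data VLAN in use

    def authorize(self, mac: str, radius_vlan: Optional[int],
                  accepted: bool = True) -> Tuple[bool, str]:
        """Apply one RADIUS result to a host. Returns (authorized, reason)."""
        if not accepted:
            # Access-Reject: multiauth has no auth-fail VLAN, so the host gets no VLAN at all.
            return False, "Access-Reject; no auth-fail VLAN available in multi-auth mode"
        if not self.sessions:
            # First host: a RADIUS-supplied VLAN becomes the port's operational VLAN;
            # with no assignment the port stays on its configured VLAN.
            self.operational_vlan = (radius_vlan if radius_vlan is not None
                                     else self.configured_vlan)
            self.sessions[mac] = self.operational_vlan
            return True, f"first host, operational VLAN {self.operational_vlan}"
        if radius_vlan is None or radius_vlan == self.operational_vlan:
            # Later hosts may have no assignment or one matching the operational VLAN.
            self.sessions[mac] = self.operational_vlan
            return True, f"joined operational VLAN {self.operational_vlan}"
        # Mismatch: the access port cannot carry a second data VLAN, so access is denied.
        return False, (f"VLAN {radius_vlan} does not match operational VLAN "
                       f"{self.operational_vlan}")

    def server_unreachable(self) -> Dict[str, int]:
        """Critical-auth behaviour: every authorized host is reinitialized in the configured VLAN."""
        self.operational_vlan = self.configured_vlan
        for mac in self.sessions:
            self.sessions[mac] = self.configured_vlan
        return dict(self.sessions)

    def broadcast_receivers(self, vlan: int) -> List[str]:
        """Hosts on this port that receive a broadcast flooded on the given VLAN."""
        return sorted(mac for mac, v in self.sessions.items() if v == vlan)


def esx_scenario() -> Tuple[MultiAuthPort, Dict[str, Tuple[bool, str]]]:
    """The five-VM question: three VMs get VLAN 32 from RADIUS, two get VLAN 86."""
    port = MultiAuthPort(configured_vlan=5)          # constructed port configuration
    radius_results = {                               # constructed MACs and RADIUS VLANs
        "0050.56aa.0001": 32, "0050.56aa.0002": 32, "0050.56aa.0003": 32,
        "0050.56aa.0004": 86, "0050.56aa.0005": 86,
    }
    outcome = {mac: port.authorize(mac, vlan) for mac, vlan in radius_results.items()}
    return port, outcome


if __name__ == "__main__":
    port, outcome = esx_scenario()
    for mac, (ok, why) in outcome.items():
        print(f"{mac}: {'authorized' if ok else 'denied'} ({why})")
    print("VLAN 32 broadcast reaches:", port.broadcast_receivers(32))
    print("VLAN 86 broadcast reaches:", port.broadcast_receivers(86))
```

Run as written, the first VM fixes the operational VLAN at 32, the next two join it, and the two VMs that RADIUS places in VLAN 86 are denied rather than put on a second VLAN; a VLAN 32 broadcast therefore reaches only the three authorized VMs, and nothing on the port is in VLAN 86 to see it. The model reproduces only the rules quoted on the page; the order in which hosts authenticate decides which VLAN wins, which is why the posters above reach for dACLs instead of per-user VLANs behind a dumb switch.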

  • New server make many broadcast traffic for NetBIOS wpad

    One month ago I finished transferring from the old Server 2003 to a new Server 2012 on a new machine with all roles; DHCP and file sharing were transferred successfully, and I used netdom computername to keep the same name for the new server as the old server.
    Everything in my network is good, but I feel that there is some slowness in the network, and some routers in my network freeze from time to time and need to be restarted.
    I used Wireshark to monitor my network and found that my new server generates a lot of broadcast traffic for NetBIOS wpad; the server sends more than 500 nbns broadcasts per second.
    No.  Time        Source          Destination     Protocol  Length  Info
    384  134.075102  192.168.15.100  192.168.15.255  nbns      92      name query nb wpad<00>
    Where 192.168.15.100 is my server IP.
    All servers and workstations have an antivirus and the latest Windows updates, and the server is not connected to the internet.
    Can anyone help me solve this problem?

    I found the problem and I would like to share it with others.
    The problem was my antivirus, Kaspersky Endpoint Security 10: when I close the program the broadcasts stop and all traffic returns to normal.
    I opened the antivirus again and disabled its use of a proxy, and now it works well.
    Thanks
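    Detection logic a network administrator could run over a Wireshark CSV export to spot the storm this thread describes: per-source peak rate of NBNS name queries in any one-second window. This is an added example, not part of the thread; the capture is constructed to mimic the one posted (one server at 192.168.15.100 at roughly 600 queries per second, three ordinary clients), and the 100-per-second threshold is an assumption.

```python
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Tuple

HEADER = "No.,Time,Source,Destination,Protocol,Length,Info"


def build_sample_capture() -> str:
    """Constructed Wireshark-style CSV export: one server sends ~600 NBNS queries for
    "wpad" inside a single second, while three ordinary clients send one query each."""
    rows, no = [HEADER], 1
    for k in range(600):
        rows.append(f"{no},{134.0 + k / 600:.6f},192.168.15.100,192.168.15.255,"
                    f"NBNS,92,Name query NB WPAD<00>")
        no += 1
    for host in ("15.21", "15.22", "15.23"):
        rows.append(f"{no},{135.5 + no / 1000:.6f},192.168.{host},192.168.15.255,"
                    f"NBNS,92,Name query NB WPAD<00>")
        no += 1
    return "\n".join(rows)


def nbns_peak_rate(capture_csv: str, window: float = 1.0) -> Dict[str, int]:
    """Per source, the largest number of NBNS name queries seen in any `window` seconds."""
    per_src: Dict[str, List[float]] = defaultdict(list)
    for row in csv.DictReader(StringIO(capture_csv)):
        if row["Protocol"].upper() == "NBNS" and "name query" in row["Info"].lower():
            per_src[row["Source"]].append(float(row["Time"]))
    peaks = {}
    for src, times in per_src.items():
        times.sort()
        best = lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best
    return peaks


def flag_nbns_storm(capture_csv: str, threshold: int = 100) -> List[Tuple[str, int]]:
    """Sources whose peak NBNS query rate exceeds `threshold` queries per second."""
    return sorted((s, n) for s, n in nbns_peak_rate(capture_csv).items() if n > threshold)


if __name__ == "__main__":
    for src, rate in flag_nbns_storm(build_sample_capture()):
        print(f"{src}: peak {rate} NBNS queries/s; check its proxy/WPAD configuration")
```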

  • Getting Broadcast traffic from one 3745 to another

    The topology is simple. Three 3550 switches as the backbone tied together using spanning-tree layer 2 wire-speed switching. Very simple stuff there. Introduce 3745 access routers, one attached to each 3550, each loaded with a 16-port ESW, a 1 GigE GBIC card, and an 8A/S card.
    The problem is we have systems that blow out broadcast traffic that needs to traverse across all 16-ESWs. We have tried all manner of things but we cannot get broadcast traffic to traverse the 1GE port. We can see packets hitting the interface but they are simply getting dropped on the floor.
    I can go into more detail if needed but we think we're missing a painfully simple detail. Perhaps something to do with L3 and L2? Perhaps something to do with bridge groups or VLANs or helper protocols?
    Any wisdom to help us out would be greatly appreciated!

    Dwayne
    As you probably already know, the helper-address is configured on the interface that receives the broadcast to be forwarded. So if the broadcast source is in a 16ESW then I would expect the helper address to be configured on whatever interface (probably virtual) represents the layer 3 interface for those layer 2 ports.
    The function of the helper address is that it takes a broadcast packet and forwards it to some destination address. The general assumption is that the destination address will be unicast. The destination address can be a subnet broadcast (directed broadcast) and I assume that this is what you are trying to do. Is this correct? If so then be sure that you have ip directed-broadcast enabled on the interface where the destination subnet is located.
    Another potential issue is identification of broadcast packets to be forwarded. Helper address is not intended to forward ALL broadcasts. There is a group of protocols that are enabled by default (DHCP, TFTP, etc.). If the broadcast packets that you want to forward are not one of these default protocols then you need to use the ip forward-protocol udp command, which would be configured on the interface receiving the initial broadcast (the same interface as the helper-address).
    You probably have these already. But I cannot find a good description of what is configured where and thought that a review of these principles might be helpful.
    It probably would be quite helpful to post configs of at least one 3745 and also its associated 3550. If you do not want to post these on the forum please feel free to email them to me. My email address is available from my forum profile.
    HTH
    Rick
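    The three checks in the answer above (helper on the receiving interface, protocol in the default list or added with ip forward-protocol udp, ip directed-broadcast on the egress interface) as an executable decision model. This is an added example, not the poster's configuration or IOS code; the interface names, subnets and the UDP port 5000 used for the non-default case are made up.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Set, Tuple

# UDP ports IOS relays by default once ip helper-address is set: Time, IEN-116 name service,
# TACACS, DNS, BOOTP server/client, TFTP, NetBIOS name and datagram service.
DEFAULT_HELPER_PORTS = {37, 42, 49, 53, 67, 68, 69, 137, 138}


@dataclass
class Interface:
    name: str
    network: IPv4Network                                      # connected subnet
    helpers: List[IPv4Address] = field(default_factory=list)  # ip helper-address ...
    directed_broadcast: bool = False   # ip directed-broadcast (off by default since IOS 12.0)


@dataclass
class Router:
    interfaces: Dict[str, Interface]
    forward_udp: Set[int] = field(default_factory=set)        # ip forward-protocol udp <port>

    def helper_decision(self, rx_name: str, dst_port: int) -> Tuple[str, str]:
        """What this model router does with a UDP broadcast received on interface rx_name."""
        rx = self.interfaces[rx_name]
        if not rx.helpers:
            return "drop", f"{rx.name} has no ip helper-address (it belongs on the receiving side)"
        if dst_port not in DEFAULT_HELPER_PORTS | self.forward_udp:
            return "drop", f"udp/{dst_port} is not a default port; add ip forward-protocol udp {dst_port}"
        relayed = []
        for target in rx.helpers:
            egress = next((i for i in self.interfaces.values() if target in i.network), None)
            if egress is None:
                return "drop", f"no connected interface for {target}"
            if target == egress.network.broadcast_address and not egress.directed_broadcast:
                return "drop", f"{target} is a directed broadcast but {egress.name} lacks ip directed-broadcast"
            relayed.append(f"relayed to {target} out {egress.name}")
        return "forward", "; ".join(relayed)


def build_router(directed: bool = False, extra_udp: Set[int] = frozenset()) -> Router:
    """Constructed two-interface router: broadcasts arriving on the ESW-side VLAN interface are
    relayed to the broadcast address of the server subnet (all addresses made up)."""
    vlan10 = Interface("Vlan10", IPv4Network("10.0.10.0/24"), helpers=[IPv4Address("10.0.20.255")])
    gig = Interface("GigabitEthernet0/0", IPv4Network("10.0.20.0/24"), directed_broadcast=directed)
    return Router({"Vlan10": vlan10, "GigabitEthernet0/0": gig}, forward_udp=set(extra_udp))

if __name__ == "__main__":
    for directed, udp in ((False, set()), (True, set()), (True, {5000})):
        print(directed, sorted(udp), build_router(directed, udp).helper_decision("Vlan10", 5000))
```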

  • TMG Client and Broadcast

    Hello colleagues
    I have a mini-question. I have a TMG server and I have TMG clients on user PCs.
    When my TMG server is down and I reboot it, I have seen that there is too much broadcast traffic in the network. When the TMG server has loaded, the broadcast traffic goes down.
    How do TMG clients use broadcast? Or do TMG clients not use broadcast?
    Thanks.

    Hi,
    Glad to hear that. Thank you for your sharing.
    Best Regards,
    Joyce

  • Broadcast traffic over VPN

    I have a client connecting to a portion of my network using AnyConnect.  This is working fine, client connects to my ASA5505 and access network resources.
    What I need to be able to do (for long and boring reasons) is allow the client to "see" the broadcast traffic that is happening on the internal network.  Is this possible or is the ASA and the VPN tunnel simply going to not allow this?
    Many thanks for any help in advance.

    Hi Simon,
    Truth is, what exact kind of broadcast do you want your clients to see?
    I am not quite sure about this, but the link below is for DHCP broadcasts to go via a VPN tunnel for a remote office.
    https://supportforums.cisco.com/message/3554062#3554062
    I hope this helps and throws more light on what you are trying to achieve.
    Cheers
    Teddy

  • UDP Broadcast Traffic from Cisco ASA

    Hi,
    I want to know whether, like a Cisco IOS router, the Cisco ASA passes UDP broadcast traffic, e.g. TFTP etc.?
    Any thoughts?
    BR,
    Mubasher Sultan

    Hi Mubasher,
    Unlike the router, the ASA does not forward any kind of broadcast packet (with the exception of DHCP broadcasts when DHCP Relay is enabled).
    I understand that your DHCP server is providing the IP address of your TFTP servers here. I guess you are using DHCP option 150.
    So if the DHCP server is on one interface and the client is on another you can configure DHCP Relay on your ASA.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml
    As regards the TFTP requests, these will be normal unicast packets, as Cadet said, so just make sure that you have the proper ACLs and NAT rules for that.

  • Bridged network only gets UDP broadcast traffic?

    I've created a bridged network on Mac OS X 10.8.5 using ifconfig and TUNTAP for OS X to bridge my wireless connection, en0, with a virtual interface, tap0, which I can use for guest VMs:
            $ sudo sysctl -w net.inet.ip.forwarding=1
            $ sudo sysctl -w net.link.ether.inet.proxyall=1
            $ sudo sysctl -w net.inet.ip.fw.enable=1
            $ sudo ifconfig bridge0 create
            $ sudo ifconfig bridge0 addm en0 addm tap0
            $ sudo ifconfig bridge0 up
            $ ifconfig
            en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                      ether 28:cf:xx:xx:xx:xx
                      inet6 xxxx::xxxx:xxxx:xxxx:xxxx%en0 prefixlen 64 scopeid 0x4
                      inet 192.168.100.64 netmask 0xffffff00 broadcast 192.168.100.1
                      media: autoselect
                      status: active
            bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                      ether ac:de:xx:xx:xx:xx
                      Configuration:
                                priority 0 hellotime 0 fwddelay 0 maxage 0
                                ipfilter disabled flags 0x2
                      member: en0 flags=3<LEARNING,DISCOVER>
                               port 4 priority 0 path cost 0
                      member: tap0 flags=3<LEARNING,DISCOVER>
                               port 8 priority 0 path cost 0
            tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
                      ether ca:3d:xx:xx:xx:xx
                      open (pid 88244)
    I'm using this with QEMU and the guest VM never gets a DHCP lease. If I `tcpdump -i tap0`, I only see broadcast traffic. Shouldn't I see a mirror of everything on en0? (192.168.100.33, the host doing the broadcasting, is another unrelated, noisy server on my LAN.)
    Any ideas?

    IGMP snooping may be enabled by default on the 6509. Disabling it may solve your problem.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/snooigmp.htm#wp1020466

  • Help with broadcast traffic on PIX !!!

    Hi,
    I have an issue with a UPS software to automatically shut down clients in the event of the UPS battery draining completely after a power cut.
    We have 3 different subnets on our PIX and the software uses a broadcast method to discover clients and list them in the control panel. Of course the PIX blocks broadcasts and hence my server control panel cannot 'discover' the clients.
    What would you recommend to pass broadcast traffic from a specific IP to other specific IPs (not the whole subnet) on the PIX E interfaces?
    Thanks,
    George

    Hi Leo,
    I am aware of the ip helper commands on the router. I tried looking up the same command for the PIX (I'm not very familiar with PIXes) and could not find it, and realized that it should not exist.
    Is there another way around this though? Without using something similar to the ip helper / directed-broadcast commands?
    Thanks,
    George

  • Deploying VLANs and keeping traffic from reaching the network core

    Folks:
    I am reading the CCNP Switch 642-813 Official Certification Guide (ISBN 978-1-58720-243-8) and I'm a little confused as to the following on page 71:
    "You should not allow VLANs to extend beyond the Layer 2 domain of the distribution switch. In other words, the VLAN should not reach across the network's core and into another switch block. The idea again is to keep broadcasts and unnecessary traffic movement out of the core block."
    Can anyone offer a different way of stating this or offer a picture or a diagram? I am having a hard time visualizing what this is trying to say. Is this referring to two different switch blocks/stacks on either side of a switch core if I were to draw the topology flat?
    Thanks
    JJ

    JJ
    This is referring to the 3-tier design where you have a separate access layer, distribution layer and core layer.
    So imagine a campus where you have multiple buildings and a main site. All the other buildings connect to the main site and to get from one building to another they go via the main site.
    The main site would have a pair of core switches and a pair of distribution switches + access layer switches. The other buildings would have a distribution pair of switches and access layer switches. Each building's distribution switches would connect back to the core switches, usually with L3 links. In the past you used L2 links but with L3 switching you now generally route, or more precisely, L3 switch through the core.
    What that extract from your book is saying is that each building has its own VLANs and they are routed on the distribution switches in each building. Only traffic destined for a VLAN, or more specifically a subnet, that is not within the building should be sent to the core switches, which then route it to the correct place.
    What you shouldn't do is have a VLAN in a building that also extends to the core and possibly to other buildings. This is because a VLAN is a broadcast domain, so a broadcast in a VLAN would be sent to all hosts in that VLAN. So if you allow a VLAN to extend through the core you are allowing broadcasts from one building to go through the core to other buildings.
    The core switches should be left to L3 switch traffic between buildings and pretty much nothing else.
    There is usually no need to extend VLANs to or across the core, i.e. each set of VLANs is terminated on the distribution switches so broadcasts are contained within each building, or again more specifically within each VLAN within the building.
    One other thing to note is that if you have a single building with maybe just a WAN connection, the 3-tier design is not necessarily the best way to go and a common solution is a collapsed core where the core and distribution switches are the same physical switches. It saves on cost and within a single building there is often very little need for a high speed core.
    I have used the terms route and L3 switch interchangeably here but technically all L3 capable switches route in hardware, so to be precise it is L3 switching.
    Finally, the above about a single building setup does not refer to a DC where the rules are somewhat different.
    Hope that helps and I haven't confused you more.
    Feel free to ask further if needed.
    Jon

  • Internetwork Performance Monitor Broadcast Traffic

    About a month ago we migrated our CiscoWorks server to VMware. Ever since, we have had a significant amount of broadcast traffic coming from the server. We have noticed this as it is stopped by our firewall.
    This traffic is broadcast on UDP ports 44342 and 42342.
    There is also broadcast traffic to the subnet of the server on UDP port 137.
    From nbstat I can see that this traffic is coming from Internetwork Performance Monitor.
    The traffic follows an interesting pattern in that for about 3 days after the server is rebooted it appears constantly then stops completely. After the next reboot the traffic appears again.
    Is there anything that can be done to stop this traffic without stopping IPM from working?

    After seeing the traffic hit our firewall I did a netstat on the CiscoWorks server and found traffic on UDP ports 44342 & 42342 from the process osiagent.exe. Through services I traced this back to the CiscoWorks services.
    I have seen a post which says this is COBRA agent advertisement traffic. Is this so?
    If so, what exactly is the role of the COBRA agent and can it be administered?
