Nexus 5K and 7K RADIUS Authorization with Steel Belted RADIUS

I am attempting to provide very basic authorization via Steel Belted RADIUS for a Nexus deployment.
Here is the code from the Nexus:
radius-server host [server]  key [key]
radius-server host [server]  key [key]
ip radius source-interface mgmt0
aaa group server radius GEN_AAA
    server [server]
    server [server]
    use-vrf management
    source-interface mgmt0
aaa authentication login default group GEN_AAA
aaa authentication login console group GEN_AAA
aaa accounting default group GEN_AAA
aaa authentication login error-enable
On the Steel Belted RADIUS server the client is set up as a basic IOS 11.1 or later (Nexus is not an option).  The group setup for the relevant user group has a return code of:
shell:roles*"network-admin"
shell:priv-lvl=15
When I authenticate from a Catalyst 6509 with IOS 12.2 the authorization based on the shell:priv-lvl works fine.  Only those users in the 'special' group have admin (lvl 15) access.
With the Nexus gear I authenticate fine but the RADIUS user is always put in the network-operator role (default) regardless of the 'special' group shell:roles*"network-admin" return code defined.
In other words it seems to work fine for IOS devices (Catalyst 6500 and 3750E so far) but not at all for Nexus gear.  Unfortunately I am not in a position to suggest and implement ACS or another AAA server that supports TACACS.
Is there any way to pull this off with SBR?
Any help is much appreciated.

Hello Nusrat,
I appreciate the pointer.  If I was using TACACS for AAA, authorization sets would be a consideration.  However, authorization is not permitted when using RADIUS for AAA on the Nexus platform.
In any case I was able to resolve the issue with the assistance of the customer and their support contact at Juniper.  For the VSA feature to begin working a change to the INI file and a restart of the SBR services was required.  Placing the desired group of users in the network-admin group is functioning as desired.
NOTE:
In addition to the configuration in the original post the following should be added to stop any 'standard' users defined on the SBR server from logging in with network-operator privileges:
no aaa user default-role
If no role is provided from the RADIUS server via the Cisco-AVPAIR VSA (ex. Cisco-AVPAIR = shell:roles*network-admin) by default a Nexus box places the user in the network-operator role.  This role has complete read access on the system allowing, among other things, a read view of the configuration.  The above command stops any role mapping resulting in non-configured users / groups on the RADIUS box not being able to log in period.
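The role mapping described in the reply above can be checked offline against the attributes a RADIUS server returns. The following is an added example, not code from the original posts or from Cisco or Juniper: it parses the Cisco-AVPair VSA (vendor ID 9, sub-type 1) out of an attribute list and models the outcome the post describes, with and without `no aaa user default-role`. The function names and the sample attribute bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute type (RFC 2865)
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco sub-attribute carrying the AV-pair string


def encode_avpair(text):
    """Build one Vendor-Specific attribute holding a Cisco-AVPair string."""
    value = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def cisco_avpairs(attrs):
    """Walk a RADIUS attribute list and return every Cisco-AVPair string."""
    pairs, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        value = attrs[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != CISCO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):
            stype, slen = value[j], value[j + 1]
            if slen < 2 or j + slen > len(value):
                raise ValueError("malformed Cisco sub-attribute")
            if stype == CISCO_AVPAIR:
                pairs.append(value[j + 2:j + slen].decode("ascii", "replace"))
            j += slen
    return pairs


def roles_from_avpairs(pairs):
    """Extract role names from shell:roles AV-pairs ('=' or '*' form)."""
    roles = []
    for pair in pairs:
        for sep in ("=", "*"):
            prefix = "shell:roles" + sep
            if pair.startswith(prefix):
                roles += pair[len(prefix):].strip().strip('"').split()
    return roles


def login_outcome(attrs, default_role_enabled=True):
    """Model of the behaviour described in the post, not NX-OS code.

    Returns the list of roles applied, or None when the login is refused
    because no role was returned and 'no aaa user default-role' is set.
    """
    roles = roles_from_avpairs(cisco_avpairs(attrs))
    if roles:
        return roles
    return ["network-operator"] if default_role_enabled else None


# Constructed sample replies: the 'special' group returns both AV-pairs from
# the original post; a 'standard' user gets only Service-Type = Login.
SPECIAL = encode_avpair('shell:roles*"network-admin"') + encode_avpair("shell:priv-lvl=15")
STANDARD = bytes([6, 6, 0, 0, 0, 1])

if __name__ == "__main__":
    print("special :", login_outcome(SPECIAL))
    print("standard:", login_outcome(STANDARD))
    print("standard, no default role:", login_outcome(STANDARD, False))
```

Running the same parser over a packet capture of the Access-Accept shows whether the server is sending the VSA at all, which separates a server-side dictionary problem from a switch-side role-mapping problem.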

Similar Messages

  • Cisco Nexus 5548UP and FI6248UP compatibility with FC SFP

    Cisco Nexus 5548UP and FI 6248UP comes with Unified Ports. What are the SFP types this port can take? 1Gig, 10Gig and 2/4/8FC. Could you please clarify?  
    Thanks,
    Cheriyan

    Hi Cheriyan,
    Here is the URL to the 6200 series FI data sheet:
    http://www.cisco.com/en/US/prod/collateral/ps10265/ps11544/data_sheet_c78-675245.pdf
    Check the table of supported SFPs.
    Same for the 5500 switches
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/data_sheet_c78-618603.html.
    Hope this helps!
    ./Abhinav

  • Configuring Cisco ISE for Authorization with External Radius Server attribute

    Hi,
    I'm trying to integrate an external radius server with Cisco ISE.
    I created an External Identity Store>Radius Token Server.
    I created an Identity Store sequence with just one identity store, the one created above.
    And I was able to authenticate successfully.
    But when it comes to authorization.
    I observed we just have one tab named Authorization while creating Radius Token server.
    And it always refers to ACS:attribute_name.
    If I want to define a IETF radius attribute, (lets say class with attribute id as 25), how could I do it.
    In Cisco ACS we have a direct entry option in authorization tab where we can define the radius (IETF) attribute within Radius token server creation (within radius token server>Directory attribute tab).
    How ever I try to define the IETF attribute here (class,IETF:Class) I am not able to authorize with this attribute value.
    I tried with just one single authorization rule where it could hit.But observed it to go the default(as none of the rules defined matches the condition).
    Can anyone guide me how can we define a IETF radius attribute for authorization within Cisco ISE and what policy could we set it to work as authorization.
    Thanks in advance
    Senthil K

    This is the step of Creating and Editing RADIUS Vendors
    To create and edit a RADIUS vendor, complete the following steps:
    Step 1 From the Administration mega menu, choose Resources > RADIUS  Vendors.
    The RADIUS Vendors page appears with a list of RADIUS vendors that ISE  supports.
    Step 2 Click Create to create a new RADIUS vendor or click the radio  button next to the RADIUS vendor that
    you want to edit and click Edit.
    Step 3 Enter the following information:
    • Name—(Required) Name of the RADIUS vendor.
    • Description—An optional description for the vendor.
    • Vendor ID—(Required) The Internet Assigned Numbers Authority  (IANA)-approved ID for the
    vendor.
    • Vendor Attribute Type Field Length—(Required) The number of bytes  taken from the attribute value
    to be used to specify the attribute type. Valid values are 1, 2, and 4.  The default value is 1.
    • Vendor Attribute Size Field Length—(Required) The number of bytes  taken from the attribute value
    to be used to specify the attribute length. Valid values are 0 and 1.  The default value is 1.
    Step 4 Click Submit to save the RADIUS vendor.

  • Aironet 350 AP's with Funk's Steel Belted Radius Server

    I have heard that the Aironet AP's don't play nice with Funk's Steel Belted Radius Server. Has anyone had an experience with these products or anything you have heard about this problem would be good to know. I have a customer that already has Funk's Software and doesn't want to change if he doesn't have to. Thanks David Beaver

    I have used FUNK's beta code with LEAP support with no problems. The only issue we had and still do, is that we can't use the RADIUS server to authenticate against an LDAP server. I believe that they are working on that also.

  • Cisco ISE with both internal and External RADIUS Server

    Hi
    I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
    I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultaneously
    So some computers (groupe_A in active directory) will continue to perform radius authentication on the ISE internal radius and other computers (groupe_B in active directory) will perform radius authentication on an external radius server
    I will like to know if it is possible to configure it and how I can do it ?
    Thanks in advance for your help
    Regards
    Blaise

    Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
    Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
    The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

  • Transport roles and analysis authorization with user assigned

    Hi expert,
    I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldn't maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
    Thanks for your time,
    Luis

    Hi,
    In role administration, you have the following options for transporting roles:
    You can download the roles from one system and upload them into another  
    You can import the role from a remote system using RFC  
    You can transport the roles with the transport function.
    Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
    Transporting Roles with the Role Transport Function
           1.      Start the role administration function by choosing Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG).
           2.      Enter the role to be transported and choose Transport Role.
    The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
    You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
    For more information go through the link below
    http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
    Regards,
    Marasa.

  • How can I authenticate and authorize with Web Service on ESB ?

    Hello,
    I want to authenticate and authorize client with Web Service published
    by HTTP/SOAP BC.
    Simply if it is an Web Service as J2EE application, I will use
    Basic Authentication with JAX-RPC and Realm.
    But I think that Web Service published by HTTP/SOAP BC does not belong
    to J2EE Application. There is no place to describe security role mapping
    (like web.xml).
    JBI 1.0 the section "5.5.1.1.3 Normalized Message Properties" comments
    JAAS Subject is given in the NM Properties. Really in this package
    com.sun.jbi.internal.security.*
    implements JAAS authentication and authorization (at JaasAuthenticator).
    But I can't see how to configure my Service to use this.
    How can I authenticate and authorize with Web Service on ESB ?
    I referred to the resources.
    Mutual Authentication for Web Services: A Live Example
    http://developers.sun.com/prodtech/appserver/reference/techart/mutual_auth.html
    XML and Web Services Security
    http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security7.html
    JAAS Authentication Tutorial
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
    Thanks,
    Takurou
    - environment ---------------------------------------------
    OpenESB : Project Open ESB Starter Kit
    AppServer : Sun Java Systems Application Server 9.0 PE
    OS : Windows XP
    I don't assume to use SSL (if It's necessary I will try).
    User information is stored in a LDAP Server.
    -----------------------------------------------------------

    Hello,
    I read this resource.
    SecurityDesign
    http://www.glassfishwiki.org/jbiwiki/Wiki.jsp?page=SecurityDesign
    Then I think [non-ssl and ssl/tls and so on] securing by basic authentication is ongoing feature at this time.
    But I can't see well why this page comments 'HTTP over SSL, TLS'.
    HTTP/SOAP Binding Component Overview
    http://download.java.net/general/open-esb/docs/jbi-components/httpsoap-bc.html
    Does BC support only "SSL server authentication" ?
    Doesn't BC support "SSL client authentication" by username/password ?
    Thanks,
    Takurou

  • Problems with re authentications in a wireless with WLC working with web authentication and a radius server

    Hi everyone, I'm having problems in a wireless network, the SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
    When a client roams from one AP to another one or when he has an idle time, he needs to re-authenticate in the web login page. Does somebody know a solution to avoid this behavior? Or does somebody have a troubleshooting way to determine why the clients have these problems?

    A few things I can share that might help. Your actual feet on the ground will be important to see this issue for yourself.
    I know when a client or if the AP sends a DEAUTH frame the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If your client isn't roaming cleanly this can be a problem.
    Another problem is you're using EAP. Are you using CCK or a device that supports OKC? What does your radius server say when a client roams?
    You could also simplify your config and then reapply your security and see where it breaks. By this I mean: for testing, create an SSID, turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • VN-Tag with Nexus 1000v and Blades

    Hi folks,
    A while ago there was a discussion on this forum regarding the use of Catalyst 3020/3120 blades switches in conjunction with VN-tag.  Specifically, you can't do VN-Tag with that Catalyst blade switch sitting inbetween the Nexus 1000V and the Nexus 5000.  I know there's a Blade switch for the IBM blade servers, but will there be a similar version for the HP C-class blades?  My guess is NO, since Cisco just kicked HP to the curb.  But if that's the case, what are my options?  Pass-through switches?  (ugh!)
    Previous thread:
    https://supportforums.cisco.com/message/469303#469303

    wondering the same...

  • Initially stating No authorization required using Adobe.  When I try to change it so I can transfer downloaded books by my Nook e-reader it I get an error message stating the Adobe user name and password is associated with another computer.  What gives?

    When I set up Adobe reader on my computer to be able to download books from a library and then transfer to my Nook e-reader, I initially stating No authorization required using Adobe.  When I try to change it so I can transfer downloaded books by my Nook e-reader it I get an error message stating the Adobe user name and password is associated with another computer.  What gives?

    This is pretty surprising and weird that even Reader 10.1.1 is crashing on your system. It works perfectly for me.
    Would it be possible for you to get the crash dump, and upload it, so that I can have a look at the same.
    Download PROCDUMP from <http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx> and extract it to a folder, say, c:\temp\procdump.exe
    Open cmd prompt and type "cd c:\temp".
    Launch the browser and open the PDF.
    Open task manager, sort processes by name. Two AcroRd32.exe instances should have been launched. Note the PID (a small integer like 5588) corresponding to the AcroRd32.exe with the higher memory usage; this is the process that must be crashing. Note this PID.
    On the cmd window, type "procdump -e -ma 5588 c:\temp\01.dmp" (replace 5588 with the actual PID of the process noted in Step 4). Procdump will now wait for the application to crash. If it throws a EULA, accept it.
    Perform your steps to cause the crash.
    Procdump will have created a dump file at "c:\temp\01.dmp". Zip it up (since it will be 100s of MBs otherwise) and share with me.
    Thanks in advance for all your help
    Ankit

  • Cisco wlc and steel belted radius

    we have cisco wlc controller  that have  two ssid  one for user and one for guest
    we need the user in ssid 1 to take user name and password from user group in active directory through steel belted radius
    please send to me any integrated guide between cisco wlc and steel belted radius
    regards

    Hi Mohammad,
    I am unaware of a specific Steel Belted RADIUS integration guide for the WLCs, however the configuration process on the controller will be the same:
    Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
    You may wish to contact your RADIUS vendor for additional configuration steps on the server.
    Best,
    Drew

  • I created an apple id and tried to authorize my computer but it says that this apple id has not yet been used with the itunes store, why?

    I created an apple id and tried to authorize my computer but it says that this apple id has not yet been used with the itunes store, why?

    FAQ apple id http://support.apple.com/kb/HT5622?viewlocale=en_US
    http://support.apple.com/kb/HT1311

  • Issues with a port-channel between Nexus 5K and 4506

    I'm having some trouble configuring an up-link from a Cisco 4506 to a set of Nexus 5k switches and cannot get either side to recognize the media. My configuration is as follows...
    Nexus 5k
    interface Ethernet1/22
      description ## 1A ##
      switchport mode trunk
      switchport trunk native vlan 150
      speed 1000
    Cisco 4506
    interface GigabitEthernet1/6
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 150
     switchport mode trunk
    I am using 1gb sfp's (GLC-SX-MM) and I have verified that the fiber cables I am using and the fiber between closets is in working condition. But I cannot get the interface to come up. 

    I tried that and I could see the status light on the ports come on but it still showed not connected.
    I configured another switch (a 3560) with the same config and the same layout with the fiber and I got the connection up on it. I just cant seem to get it on the 4506, would it be something with the supervisor? Could it be wanting to use the 10gb port instead of the 1gb ports?

  • Fabric with two Nexus-5548 and a brocade switch does not get fabric updates

    We have a fabric containing two Nexus 5548 and a Brocade 5000 switch in interop mode 2. When i make changes to the zoning, the first nexus (the fabric principal) and the brocade switch see the zone changes. The second Nexus switch does not see it. There are no error messages but  the change just can't be seen.  What can i do to find out, what goes wrong ?

    Ouch, deprecated is not the word i wanted to read
    We are using 5.1(3)N1(1a) on nexus-rz1-a
    and 6.0(2)N1(2) on nexus-rz2-a.
    The fabric can be seen :
    nexus-rz2-a# show fcs ie vsan 10
    IE List for VSAN: 10
    IE-WWN                   IE     Mgmt-Id  Mgmt-Addr (Switch-name)
    10:00:00:05:1e:90:57:27  S(Rem) 0xfffc01 10.88.133.110 (bc-san1)
    20:0a:00:2a:6a:72:ba:01  S(Loc) 0xfffc1c 10.88.133.105 (nexus-rz2-a)
    20:0a:54:7f:ee:7f:dc:01  S(Adj) 0xfffc0b 10.88.133.100 (nexus-rz1-a)
    [Total 3 IEs in Fabric]
    nexus-rz1-a# show fcs ie vsan 10
    IE List for VSAN: 10
    IE-WWN                   IE     Mgmt-Id  Mgmt-Addr (Switch-name)
    10:00:00:05:1e:90:57:27  S(Adj) 0xfffc01 10.88.133.110 (bc-san1)
    20:0a:00:2a:6a:72:ba:01  S(Adj) 0xfffc1c 10.88.133.105 (nexus-rz2-a)
    20:0a:54:7f:ee:7f:dc:01  S(Loc) 0xfffc0b 10.88.133.100 (nexus-rz1-a)
    [Total 3 IEs in Fabric]
    I try to distribute the zoneset this way:
    zoneset distribute vsan 10
    Zoneset distribution initiated. check zone status
    nexus-rz1-a# show zone status
    VSAN: 10 default-zone: deny distribute: full Interop: 2
        mode: basic merge-control: allow
        session: none
        hard-zoning: enabled broadcast: disabled
    Default zone:
        qos: none broadcast: disabled ronly: unsupported
    Full Zoning Database :
        DB size: 6291 bytes
        Zonesets:1  Zones:62 Aliases: 44
    Active Zoning Database :
        DB size: 10243 bytes
        Name: FABRIC1  Zonesets:1  Zones:60
    Status: Zoneset distribution completed at 08:06:00 UTC Dec  3 2013
    nexus-rz2-a# show zone status
    VSAN: 1 default-zone: deny distribute: active only Interop: default
        mode: basic merge-control: allow
        session: none
        hard-zoning: enabled broadcast: disabled
    Default zone:
        qos: none broadcast: disabled ronly: unsupported
    Full Zoning Database :
        DB size: 4 bytes
        Zonesets:0  Zones:0 Aliases: 0
    Active Zoning Database :
        Database Not Available
    Status:
    VSAN: 10 default-zone: deny distribute: full Interop: 2
        mode: basic merge-control: allow
        session: none
        hard-zoning: enabled broadcast: disabled
    Default zone:
        qos: none broadcast: disabled ronly: unsupported
    Full Zoning Database :
        DB size: 6291 bytes
        Zonesets:1  Zones:62 Aliases: 44
    Active Zoning Database :
        DB size: 10243 bytes
        Name: FABRIC1  Zonesets:1  Zones:60
    Status: Activation completed at 13:03:42 UTC Dec  2 2013

  • MAB and 802.1x issues with IP-phone

    I'm trying to use 802.1x to authenticate clients on my network with dynamic VLAN assignment from RADIUS. We have IP-Phones(powered by PoE) that only supports EAP-MD5, and we would rather use MAB(it also uses LLDP-MED for some settings) to authenticate the phones using the MAC-range from the phones vendor. The following scenario works perfect:
    Connect the phone and let it boot up(takes a while) and authenticate with MAB.
    Connect a computer in the phones data-port and let it authenticate with 802.1x(or fail and reach guest-vlan)
    However, the following scenario doesn't work:
    The computer is already connected to the phone
    The phone is then connected to the switch
    What happens now is that the computer is authenticated using 802.1x before the phone boots up and gets authenticated with MAB. When the phone is ready, it's authenticated with MAB and everything works. However, after a short period (let's say a minute), using `debug authentication all`, we see a "NEW LL MAC: phones mac" message (which is weird since the mac has already been MAB-authenticated), and then we are unable to contact the phone using ping. When I check `show mac address-table` it has now moved the mac from `Port Gi 0/12` to `Port Drop`. However, if I check `show mab interface Gi 0/12` or `show authentication sessions` it lists the phones-mac as `mab auth sucess `.
    Can anyone explain why the first scenario works, and not the second?
    The switch is a 3560E PoE 24p with IOS 12.2.58SE2. Sample of the switch-config:
    network-policy profile 1
    voice vlan 90
    interface GigabitEthernet0/12
    switchport mode access
    network-policy 1
    authentication control-direction in
    authentication event fail retry 1 action authorize vlan 60
    authentication event server dead action authorize vlan 60
    authentication event no-response action authorize vlan 60
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority mab dot1x
    authentication port-control auto
    authentication periodic
    authentication violation replace
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 5
    dot1x max-reauth-req 1
    spanning-tree portfast
    Btw, when we tried authenticating the phones using 802.1x too (EAP-MD5), there are NO problems in any of the scenarios. However, we want to use MAB instead of 802.1x to avoid the requirement of configuring the phones with a username and password. The RADIUS response was the same when using 802.1x as it is with MAB for the phones (including device-traffic-class=voice AV-pair).

    Hey. Yes, as specified in the last sentence in my post, the phone is placed in the Voice Domain, and both RADIUS and LLDP-MED (network policy profile 1) specifies voice vlan as 90.
    The weird thing is that everything works fine if both use 802.1x, and that there is only a problem when phone(using MAB) already has the computer connected to it, when the phone is turned on(connected to PoE-switch). It must be because the computer boots up and authenticates first I think.
    The phones are Snom 821.
