Port-Based Authentication on 877
Hi
I have applied following commands to enable Port-Based Authentication but when I run command sh mac address-table it shows static mac on this port ( xx 0000.xxxx.xxxx STATIC Gi1/0/3) .
authentication control-direction in
authentication event fail retry 1 action authorize vlan xx
authentication event no-response action authorize vlan xx
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
As I remove command authentication port-control auto then sh mac address-table command shows me DYNAMIC MAC.
Anyone can please let explain me why it is happing
Regards,
Any input?
Similar Messages
-
IEEE 802.1x Port based Authentication with Restricted VLAN
Hi all,
I have the following configuration:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization exec default local
dot1x system-auth-control
radius-server host 10.10.10.10 key cisco
interface FastEthernet0/1
switchport mode access
authentication event fail retry 1 action authorize vlan 2
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
But it takes quite a while for the user who is not authorized to be switch to vlan 2.
I would like to know what is best practice when using this kind of configuration and if it is possible to optimize on how long it takes to switch the unauthorized user to the restricted VLAN?
Regards,
LaurentLaurent,
Based on your configuration it looks as if it will take one retry attempt before the client is placed in vlan2. Try to remove the 'retry 1' from command and see if that speeds up the time. Also take the output of the 'show authentication sessions interface '. Please post the output of the 'debug radius authentication' as that will help to see how long it is taking the radius server to respond.
thanks,
Tarik Admani -
802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation
I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the 802.1x compliant windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
Feb 4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Feb 4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Feb 4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
If the port config is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
The ports GI1/0./1 & Gi1/02 are configured thus:
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 20
authentication event fail action authorize vlan 4
authentication event no-response action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
sh ver
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48FPS-L 15.2(1)E1 C2960S-UNIVERSALK9-M
Full config attached. Assistance will be grately appreciated.
DonfricoI am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS but the IAS log shows a invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
However, I am successfully using IAS to authenticate WPA users on AP1210s so RADIUS appears to be OK working OK.
Are there special attributes that need to be configured on the switch or IAS? -
802.1X Port Based Authentication Security Violation
I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the 802.1x compliant windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
Feb 4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Feb 4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Feb 4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
If the port config is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
The ports GI1/0./1 & Gi1/02 are configured thus:
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 20
authentication event fail action authorize vlan 4
authentication event no-response action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
sh ver
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48FPS-L 15.2(1)E1 C2960S-UNIVERSALK9-M
Full config attached. Assistance will be grately appreciated.
DonfricoI believe , you need to configure re-authentication on this switch port:
! Enable re-authentication
authentication periodic
! Enable re-authentication via RADIUS Session-Timeout
authentication timer reauthenticate server -
Help with 4506 802.1x Port Based Authentication (Wired)
Hi all,
I'm trying to configure wired 802.1x security on a Catalyst 4506 IOS 12.1.19(EW), using Microsoft IAS (Microsoft's RADIUS), and Windows 2000 SP4 clients.
I've followed the procedures in the 4506 Software configuration guide and they seem to be straight forward.
I then turn 802.1x Debugging on the switch to monitor the 802.1x traffic, but there is none. If I bring the configured interface down and then back up, I do get some status change, but it seems like the switch is not sending or receiving EAPOL frames.
I then execute the dot1x "initialize" and also tried the "re-authenticate" commands, but I get an error saying that FastEthernet 2/2 is not a valid dot1x interface. The line card model number is WS-X4148-RJ21. Is the card not 802.1x compatible?
The switch does not throw any errors when I configure FastEthernet 2/2 as a 802.1x port by executing
dot1x port-control auto
i've also configured the interface to be a plain L2 access port by executing
switchport mode access
any help will be appreciated!I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS but the IAS log shows a invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
However, I am successfully using IAS to authenticate WPA users on AP1210s so RADIUS appears to be OK working OK.
Are there special attributes that need to be configured on the switch or IAS? -
IEEE 802.1x port-based authetication
I want to configure IEEE 802.1x port-based authentication on cisco switches, preferable 2960 series. Which models support this feature?. I have try with some older switches but it doesn't works properly on everyone.
I have upgraded them whitout better results, there is namely an issue with TLS handshaking on some switches which produces authentication to fail.Hi Claudia,
do you mean that the EAP-TLS authentication fails only on some 2960 switches and it works on other 2960s?
What is the IOS version you're using there?
What is the RADIUS server in use?
What is the exact error message you see on the RADIUS side?
Usually, the reason for the EAP-TLS handshake failure is to be troubleshoot on the supplicant and AAA server, however, there may be something on the switch depending on the certificate size and MTU settings on the switch(es).
What is the server cert size and the MTU configured on the switches?
With the info you provided it's difficult to say what's the reason of this failure.
I would suggest to start looking into the above mentioned topics, else you would need to proceed with deeper debugging and sniffer traces, which may be better/easier to handle through a TAC case.
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it. -
How to do .1x port based network access authentication through ACS
How to do .1x port based network access authentication through ACS.
Hi,
802.1x can authenticate hosts either through the username/password or either via the MAC address of the clients (PC's, Printers etc.). This process is called Agentless Network Access which can be done through Mac Auth Bypass.
In this process the 802.1x switchport would send the MAC address of the connected PC to the radius server for authentication. If the radius server has the MAC address in it's database, the authentication would be successful and the PC would be granted network access.
To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
Regards,
Kush -
SharePoint 2013 Claim based authentication
Hi,
I'm trying to configure SharePoint 2013 web application to use Claim based authentication. I updated the SharePoint web application using the following cmdlet:
Convert-SPWebApplication -Identity "http:// <servername>:port" -From Legacy -To Claims -RetainPermissions -Force
I noticed that the authentication mode has been changed to Claims Based Authentication for the detault zone. But when I use fiddler to capture the traffic, there is no FedAuth cookie for the traffic to my SharePoint site.
Questions:
1. Does FedAuth cookie must exist when the SharePoint web application is configured to use Claims Based Authentication?
2. The "Enable Windows Authentication" is checked and NTLM is selected for "Integrated Windows Authentication". Is this a correct setup for Claims based authentication?
3. Is there any documents talking about how to configure Windows Claims-Based authentication?
Thank you!Hi Wu Tao,
Please find the below technet links and white paper (Claims-based
Identity for Windows (white paper)) which will talk about windows claim based authentication.
http://technet.microsoft.com/en-us/library/cc262350(v=office.15).aspx
http://technet.microsoft.com/en-us/library/jj219571(v=office.15).aspx
And the below link will talk about setup for claim based authentication.
http://technet.microsoft.com/en-in/library/ee806885(v=office.15).aspx
If you need more information, please let us know
Sekar - Our life is short, so help others to grow
Whenever you see a reply and if you think is helpful, click "Vote As Helpful"! And whenever
you see a reply being an answer to the question of the thread, click "Mark As Answer -
Certificate Based Authentication and SSL
To whom it may concern,
I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
Now, I need Certificate based authentication and SSL. I have downloaded versign.com trial certificate and have install it succesfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
Next, I followed the documentation and enable ssl by using ./configutil utility. And also restarted the server.
I am running my Messenger express (http) like this :
http://testing.xyz.com:8100
(I am using port 8100 for http access to mails). After restarting the mail server, I tried :
https://testing.xyz.com:8100 also,
http://testing.xyz.com:443 also,
https://testing.xyz.com:443 also,
but I cannot see the login page of the mail server. All the above mention url i tried and just given error "the connection was refused when attempting to contact testing.xyz.com. I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
Thanking you,
Farhan Ahmed,
System Engineer
Dubai, UAE.Dear jay,
I am pasting a line from imap and http logs ... i don't know what this error means and how to resolve it.
[29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
strange thing is that my certificate name is lowercase server-cert and also i can see in the GUI console the certificate name as lowercase and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log tells it as "Server-Cert" !!!! though it is "server-cert"
i got this line from the http log:
[29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
I haven't missed the sslpassword.conf file step. I have placed the same password which i provided while generating the certificate request in the GUI.
Help me out what this errors means and how to resolve them. I have also copied the cert7.db and key3.db to /opt/SUNWms*/config directory from the /var/opt/mps/serverroot/alias
Thanking you,
Farhan Ahmed,
System Engineer,
Dubai Internet City, Dubai, UAE. -
Client certificate based authentication
We have a JAVA web start application that needs to connect to an apache server and use client certificate based authentication. When javaws initiates a connection with apache server, it tries to retrieve the certificate/key from the PKCS12 keystore to present it to the apache server. We have made this work, however, javaws is prompting user to enter the password for accessing the keystore password. We do not want our users to enter this password and are looking into ways to either supply the password as one of the javaws deployment property or create an unprotected keystore. Both of our attempts have been unsuccessfull. We have tried the following
1. we passed the 3 discussed properties (javax.net.ssl.keyStore,
javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType) in Java
Control Panel, according to the following procedure: open Control Panel,
select Java tab, click View under Java Applet Runtime Settings, set
values in Java Runtime Parameters table column. This operation added the
properties to the user's deployment file (in a new attribute named
deployment.javapi.jre.1.5.0_09.args, which held all 3 properties as a
value), but there was no effect (password window still popped up).
2. We setup the deployment.property file manually with the 3 attributes
[javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword,
javax.net.ssl.keyStoreType], it didn't have any affect either.
3. When launching java applications you can set system properties as
part of the command line using the follwing format
"-D<property_name>=<property_value>", we failed to find the analogous in
javaws.
Has anyone got any ideas on how to workaround this problem? Really appreciate any help here.Hi, client cert auth is not realy the best way to protect your resources. It needs to install client cert on every workstation to access application. I think it conflict with javaws concept!
I have the same situation (protect resources and avoid password promt on start) and my solution is:
Using tomcat as web server:
Direct structure as follow:
/ApplicationRoot
/WEB-INF
/resources
- private.jar
- private.jnlp
/resources
- icon.png
- public.jarAs you can see there is no direct access to protected resources. All protected resources availiable only thrue ResourceProvider servlet, configured as follow (web.xml):
<servlet-mapping>
<servlet-name>ResourceProvider</servlet-name>
<url-pattern>/resources/secret/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>protected resources awailiable from browser</web-resource-name>
<url-pattern>/resources/secret/browser/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>somerole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>somerole</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name></realm-name>
</login-config>Code your ResourceProvider servlet to grant access only if:
- Connection is secure (ssl).
- URL pattern is "/resources/secret/browser/*" and client has pass realm.
- URL pattern is "/resources/secret/javaws/secretkey/*" (where secretkey is a pin kept both by client and server)
To Install app from browser (access private.jnpl) use "/resources/secret/browser/*" url pattern and basic auth.
To download app resources configure jnlp file as follow:
<jnlp spec="1.0+" codebase="https://host:port/AppRoot/resources/" href="secret/javaws/secretkey/private.jnlp
<information>
<icon href="icon.png"/>
</information>
<resources>
<j2se version="1.6+"/>
<jar href="secret/javaws/secretkey/private.jar" />
<jar href="public.jar" />
</resources>
</jnlp>
{code}
And last you need to do is configure ssl connector on tomcat server as follow:
{code}
<Connector port="port"
scheme="https"
secure="true"
SSLEnabled="true"
clientAuth="false"
sslProtocol="TLS"
/>
{code}
Pay attention to "clientAuth" param. Set it to "false" to avoid javaws splash cert choose dialog on every app update.
Hope it help! -
802.1x Machine Based Authentication - Password expired
Hi,
I would like to ask 1 question about machine based authentication on 802.1x.
1.We are deploying 802.1x on wired user.
2.Some user are using machine based authentication in order to authenticate their port.
3.However, after the user password expired, the user need to change their password and then the machine are unable to authenticate. The error i got is "External DB user invalid or bad password". Then switch assign the user to Guest Vlan
4.But, once i plug out the cable and plug in back the UTP cable after the user login, the switch will assigned the user to proper VLAN.
5.User wont be able to access their share drive n etc since the guest vlan only have access to the internet.
5.Anyone have any idea what is happening? It seems that the machine is sending the old password during authentication process to the ACS.
Anybody can shed a light to me. Thanks.This should certainly work with that rev. On your passed (or failed) auth log, you should see the username of the session authenticating. If you see the FQDN of the machine, this is a machine auth. Also, machine-auth typically executes before the GINA is displayed to the user. It sounds like machine-auth is failing and we need to determine why. Has this machine been away from the domain for long?
This also might help:
http://supportwiki.cisco.com/ViewWiki/index.php/802.1x_authentication_with_Cisco_Secure_Access_Control_Server_fails_to_work_for_Microsoft_Windows_XP_PC -
802.1x mac based authentication
We have Cisco ACS 3.3 is there a way to do authentication based on mac address, instead of username and password? We are looking to stop things such as user purchased access points and what not. Any info would be great.
Yes you are right, I misunderstood you. I was under the impression that you were talking about doing MAC based authentication on your AP's, not the switches. That is why I made mention to port security.
The 2 options would be standard port security or 802.1x port security if you switches support this.
In order to use the 802.1X port security, your switch would need to support it and the clients connecting to the switch would require a supplicant (EAP-TLS, EAP-TTLS, etc) in order for them to work, not by MAC address alone.
You can configure standard port security on the switch which will accomplish your intentions and not even need to use the ACS server.
standard port base security by MAC:
http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a008007d3ce.html
802.1x port based security:
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801a6c72.html -
802.1x Mac-Adress Based Authentication
I am wondering if we are going to see or now have the ability to authenticate hosts on the lan with something other than a Username / Password? I am mostly concerned with ports on my network that the end device is a non 802.1x compliant device. Anyone have any insight as to what others are doing? Currently i am running ACS 3.3.2 and I am very succesful in deploying 802.1x to ports on my LAN, however we run a mix of unix based devices which are vendor supported and printers are another source of concern.
We had pretty good luck using a Cold Fusion front end that forces users to authenticate with their AD credentials. It pulls the MAC address and host name and user/machine details and puts them in an ODBC database.
We modified the sample stub routine to have the CSDB stub routine add the MAC to the local database in the PAP field.
Kind of a nice compromise of identity and machine based authentication without the complexities of PEAP/EAP-FAST etc. -
I am sorry if this has been asked before or it is the wrong place to ask this.
I just want to know how secure is MAC-Based Authentication on an AP340 access-point (not bridge) with version 11.07.
I've done this by adding 'Dest MAC Address' in 'Address Filters' under 'Association' in 'Setup'.
Also selected 'Disallowed' for 'Default Unicast Address Filter' for all the relevant authentication types in 'Advanced' for 'AP Radio' of the 'Network Ports' in 'Setup'.
Thanks for any suggestions.If an attacker has a network analizer, they can see the MAC address in use (even if WEP is being used as the MAC must not be encrypted)
Some 802.11 NICs allow the user to configure a MAC address into the NIC.
So the attacker *could*:
1. observe a valid NIC in use
2. program that MAC into their NIC
3. Wait till the valid user has gone home
4. Use the NIC they have programmed to access your network from the safty of the parking lot.
LEAP or VPNs provide a much more secure solution -
Sun IDM Key based authentication
Hi All,
I've a requirement in SUN IDM for configuring an AIX resource with key based authentication.
For this, first i created public and private keys in the AIX resource ( AIX Server) with a passphrase. The files id_rsa and id_rsa.pub are now available in /home/<UserID>/.ssh on the AIX Server . UserID is the ID used to login to the AIX server( no root access)
Then, i created a file named authorized_keys and copied the contents of the id_rsa.pub and pasted in authorized_keys file.
For key based authentication, i configured the resource with the following parameters on SUN IDM console :
Host name=Specific to server
TCP Port=22
Login User= <UserID> <User ID used while creating publice and priavte keys on AIX server)
Login shell Prompt=$
SUDO authentication =TRU
Connection Type= SSHPubKey
Private key = (Contents of id_rsa file from AIX server)
Passphrase = created from the server
Now, if i do the Test Configuration, I get the error message : Auth Failed.
Do I need to create the authorized_keys file under the /.ssh ( root .ssh folder of the AIX server ) instead of the .ssh folder of the UserID used for creating the keys?
Am i missing something here?
Thanks in advance.The issue is resolved.
Steps done to solve:
1. Logged in to the IDM Server via putty with a User ID which has better Sudo rights and generated the keys with passphrase.
2. Logged in to the target resource ( AIX Server ) and appended the contents of public key ( From the IDM Server) in authorized_keys file ( in AIX server)
3. Gave the private key and passphrase (generated from IDM Server ) in the Resource parameters in IDM console.
After following the steps above, i was able to do a test configuration successfully.
Maybe you are looking for
-
Java Error - Don't Understand...
Hi, everyone. I don't know Java nor will I pretend to have any clue what I am talking about - I just need to know what my next step should be to resolve this bizarre problem. My boss got this java code for a calculator YEARS ago for our websites, no
-
Trouble Sending MMS to T-Mobile
I have searched the forums seeing if this has been asked or answered before but couldn't find anything, so I am going to ask here. I have noticed that if I send videos to anyone using a T-Mobile phone sometimes they get the video and other times they
-
MODERATOR: All points have been UNASSIGNED and the thread LOCKED. Please do not share email addresses, documents, or links to copyrighted or company confidential information on these forums. If you have some information, please consider posting it
-
So I have finally gotten my ASP pages to display correctly as far as the records I want to show for each page - a miracle in itself. I created a button to go to a details page which, on press, does go to the details page, but it doesn't display the c
-
Adobe shockwave player problem Help
Hi Guys! I just want some help . Whenever I open some websites with scripts like http://www.mytrickslab.com/, Suddenly the adobe shockwave plyer stops working in my browser. How can i fox this problem . Thanks Will be looking forward for some serious