Radius Inaccessible Authentication Bypass
Hello,
I'd like to know if it's possible to implement such a mechanism on a Cisco 2950 platform.
I'd like to avoid my client ports becoming unauthorized in case of a failure of my RADIUS servers. Is there a way to implement it on a 2950G?
gildas
Would I be correct to assume that you have your 2950G configured with a backup authentication method if the Radius server is not available and that your issue is what to do about authorization?
I have not done this on a 2950G and cannot know that it works, but this solution generally works in IOS and I assume that it will work on your 2950G:
aaa authorization exec default group radius if-authenticated
Give it a try and let us know if it works.
HTH
Rick
Similar Messages
-
802.1X Inaccessible Authentication Bypass
On a 4506-E switch with supervisor engine 6L-E running IOS version 12.2(54)SG1, the command to enable Inaccessible Authentication Bypass is not available. The interface configuration mode command is supposed to be "dot1x critical".
Has it changed to something else in this version of IOS?
The data sheet for the Cisco Catalyst 4500 Supervisor Engine 6L-E shows this feature is supported (see link below).
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/data_sheet_c78-530856.html
Hello Prashant
Can you post the port configurations here ? have you configured the critical port, radius parameters etc, and does the switch recognize that the radius server is down ?
I think this is more to do with the design of the entire dot1x authentication.. I have tried this in labs and have had tough times generating these scenarios.. we would hardly be able to justify this feature on the network. I think it is highly advisable to have dual RADIUS servers (or even more than 2), and configure the switches with standby RADIUS servers.. I really wouldn't want my network enabled with 802.1x and having issues contacting the RADIUS server.. even though we have options and solutions to overcome it, I wouldn't want too many complications on the 802.1x front..
Hope this helps.. all the best.. rate replies if found useful..
Raj -
802.1x: MAC Authentication Bypass
Hey sorry for keeping bugging you guys...
So I am configuring this Bypass thing on my 3750 switch. It works fine. It seems the switch will send an Access-Request to the RADIUS server (I use FreeRADIUS) with the username/password both as the MAC address of the device.
However my dilemma is that I have 200+ of these devices. I can easily create a user group with MACs starting with 00a008 (which are the first 3 octets of the MAC addresses), however it's impossible to include each of the MAC addresses as the password!
So my question is that whether there is a way to configure the switch use a static string as the password for all the devices using MAC Authentication Bypass?
Thank you!!
Difan
Difan:
I went through your post and understand that you are in the process of configuring 802.1x with MAB in such a way that you use a custom password (other than the MAC address) for all users, OR a shared password string that should be sent by the switch, but this is not possible.
Reason: The switch only sends the device MAC address as the username and password. The username should be the MAC address of the client and the password should be the same as the username, and this can't be changed on Cisco switches.
I have also attached a document regarding MAB for your better understanding.
This forum is only for you guys...keep bugging us
HTH
JK
Pls rate helpful posts -
Enabling 802.1x and MAC Authentication Bypass on ACS 4.2
Hi experts,
I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time a staff member plugs into the company's network, they will need to supply a username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking it against its own database. This MAC address is tied to the staff member's user profile in ACS. If the login information supplied by the staff member is valid but the MAC address of their machine does not match the ACS database, then the staff member will not be able to gain access until after notifying the administrator about it.
ii. If it is possible, any reference that I can check on how to configure this?
The reason why I need MAC authentication + 802.1x to be configured at ACS is that most of our switches are not Cisco based and are only capable of supporting 802.1x.
Hope anyone here could help me on this.
Thanks very much,
Daniel
With ACS, you can set up NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
1130 WPA-PSK Radius Mac Authentication
I am trying to get our Cisco 1130 AP's to use Radius MAC Authentication using a freeradius server. We have been successful with other AP's (Proxim, Netgear) but haven't been able to get the Cisco 1130 to work.
I have attached 2 files. One is the running config, and the other is a debug of radius.
This is what the freeradius log says.
Thu Nov 6 02:48:46 2008 : Auth: Login OK: [004096a3e012/004096a3e012] (from client 10.80.0.17 port 291 cli 00-40-96-A3-E0-12)
I would appreciate any help that anyone is willing to give.
Use the wpa-psk SSID interface configuration command to configure a pre-shared key for use in WPA authenticated key management. To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must configure a pre-shared key for the SSID.
wpa-psk { hex | ascii } [ 0 | 7 ] encryption-key
but make sure that this command is not supported on bridges. -
Using Lion Server Radius for authenticating "other" clients
Hi I've been trying to get the Radius service in Lion Server to authenticate users of my SQUID web proxy. I have followed the squid wiki's instructions to configure the squid server as a radius client and pass authentication requests to the Lion Server Radius (I hope). However I'm trying to configure and test the Lion Server Radius. As Lion Server's Admin GUI for radius only lets you add AirPort base stations, I've been trying to dig around for what underlying config files to edit. I have tried 2 methods of adding the client details to radius:
1. By editing the /etc/raddb/client.conf, and adding/changing (for example):
client localhost {
    secret = mysecretpassphrase
}
client 192.168.0.0/24 {
    secret = mysecretpassphrase
    shortname = local-lan-clients
}
and restarting squid. Nothing seems to get mentioned in the radius log file! So I'm not completely convinced that the Lion Radius took any notice of this!
2. Instead of above, added the same client info using radiusconfig:
$ sudo radiusconfig -addclient 192.168.0.0/24 local-lan-clients other <return>
- then it prompts for the secret. With this command I notice the entry/event is recognised in the radius log file, and it also looks like some SQL activity. If I don't specify "other" for the nas-type, it defaults to "AirPort Base Station" or similar.
OK, so forgetting about SQUID for a minute, I can't even get that far as I'm just trying to test the config using the "radclient" utility from the Lion Server and the squid server:
$ sudo radclient localhost auth mysecretpassphrase <return>
and... no response, just hangs, nothing in radius log either.
The Lion Firewall allows TCP and UDP requests into the Radius authentication port.
Any ideas what else I need to do? Scratching my head, I'm wondering if it is anything to do with SSL? e.g. do I need to make the authentication using the self-signed certificate that Open Directory has? I presume any AirPort base stations added to radius will use this certificate to establish a secure connection for authentication.
The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it, which only allows adding AirPort base stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base station.
However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
While, as far as I can see, manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people choose to configure Squid to use either a PAM or the LDAP modules for Squid to, in this case, authenticate directly to Open Directory (which is of course based on LDAP).
I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid proxy server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
Unfortunately the AFP458 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/ -
Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS
I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization through our AAA config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for AAA authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
ip radius source-interface mgmt 0
radius-server key XXXXX
radius-server host X.X.X.X key XXXXX authentication accounting
radius-server host X.X.X.X key XXXXX authentication accounting
aaa authentication login default group Radius_Group
aaa authentication login console local
aaa group server radius Radius_Group
  server X.X.X.X
  server X.X.X.X
  source-interface mgmt0
Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the
shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server
Does anyone know if this works????
Thanks
I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts! -
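As an added example (not the reply's code, and not from the Cisco document it links), here is the wire layout of the cisco-av-pair attribute the reply asks the RADIUS server to return, with an encoder and a decoder so you can build the value for NPS or check what an Access-Accept actually carries. Cisco av-pair syntax uses `=` for a mandatory attribute and `*` for an optional one, which is the difference between the `shell:roles=` form in the question and the `shell:roles*` form in the reply; the decoder accepts both. Function names are this example's own.

```python
"""Wire format of the Cisco cisco-av-pair RADIUS attribute (RFC 2865 5.26,
Vendor-Specific, Vendor-Id 9, vendor type 1) that a RADIUS server such as NPS
returns to assign NX-OS roles. Added example, not code from the thread or
from Cisco; function names are this example's own."""
import struct

VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1

def cisco_av_pair(value):
    """Pack one av-pair string: type 26 | length | Vendor-Id | vtype 1 | vlength | text."""
    data = value.encode("ascii")
    if len(data) > 247:  # 255 - outer header (2) - Vendor-Id (4) - inner header (2)
        raise ValueError("av-pair too long for a single RADIUS attribute")
    inner = struct.pack("!BB", CISCO_AV_PAIR, len(data) + 2) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def nxos_roles(roles, mandatory=True):
    """shell:roles with '=' (mandatory av-pair) or '*' (optional av-pair): the two
    separators that appear in the question and in the reply above."""
    sep = "=" if mandatory else "*"
    return cisco_av_pair('shell:roles%s"%s"' % (sep, " ".join(roles)))

def parse_av_pairs(payload):
    """Walk a RADIUS attribute payload (an Access-Accept minus its 20-byte header)
    and return every cisco-av-pair string, skipping other attributes and vendors."""
    pairs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        t, end = payload[i], i + payload[i + 1]
        if t == VENDOR_SPECIFIC and end - i >= 8 and \
                struct.unpack("!I", payload[i + 2:i + 6])[0] == CISCO_VENDOR_ID:
            j = i + 6
            while j < end:  # one VSA may carry several vendor sub-attributes
                if j + 2 > end or payload[j + 1] < 2 or j + payload[j + 1] > end:
                    raise ValueError("malformed vendor sub-attribute at offset %d" % j)
                if payload[j] == CISCO_AV_PAIR:
                    pairs.append(payload[j + 2:j + payload[j + 1]].decode("ascii", "replace"))
                j += payload[j + 1]
        i = end
    return pairs

def roles_from_accept(payload):
    """Role names granted by shell:roles av-pairs, accepting either separator."""
    roles = []
    for pair in parse_av_pairs(payload):
        key, sep, val = pair[:11], pair[11:12], pair[12:]
        if key == "shell:roles" and sep in ("=", "*"):
            roles.extend(val.strip('"').split())
    return roles

if __name__ == "__main__":
    accept_body = nxos_roles(["network-admin", "vdc-admin"])  # constructed Access-Accept body
    print(parse_av_pairs(accept_body), roles_from_accept(accept_body))
```

To inspect a real reply, feed `roles_from_accept` the bytes after the 20-byte RADIUS header of the Access-Accept captured between the Nexus and NPS; if it returns an empty list, NPS is either not sending the VSA at all or sending it under a different Vendor-Id.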
Cisco 871W as Radius Local Authenticator
We are trying to configure a Cisco 871W as an access point and also as a local authenticator. The NAS would be the same server. The sample config is as below
aaa group server radius rad_eap
 server 10.10.200.1 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
ip dhcp excluded-address 10.10.200.1
ip dhcp excluded-address 10.10.200.31 10.10.200.254
ip dhcp pool <pool_name>
 import all
 network 10.10.200.0 255.255.255.0
 dns-server 141.x.x.6 141.198.136.12
 default-router 10.10.200.1
 lease 0 2
interface Dot11Radio0
 ip address 10.10.200.1 255.255.255.0
 ssid <SSID Name>
  authentication network-eap eap_methods
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
ip classless
ip http server
ip http secure-server
radius-server local
 nas 10.10.200.1 key 0 <key>
 user test nthash xxx
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.200.1 auth-port 1645 acct-port 1646 key <key>
radius-server vsa send accounting
With the above config, we are trying to make the clients authenticate with a username created in the RADIUS (which is this router) and get an IP address through the DHCP pool configured for the same. Will the above config do this? Kindly let me know.
Thanking You
Regards
Anantha Subramanian Natarajan
Hi,
Thanks .
Worked with cipher mode tkip and used WPA for key management.
Once again, thanks for the response.
Regards
Anantha Subramanian Natarajan -
RADIUS rlm_mschap: authentication failed -14090
We have a Mac mini server running Snow Leopard, and we have configured the RADIUS server to provide WPA2 Enterprise authentication for our Airport Base Stations. I thought I'd share the solution to a problem we were experiencing from time to time where a user could not fully authenticate to the network. Our radiusd logs would show:
Auth: rlm_opendirectory: User <username> is authorized
Auth: rlm_mschap: authentication failed -14090
Auth: rlm_opendirectory: Could not get the user's uuid
This happened most recently when a user got a new laptop and had migrated everything from a Time Machine back-up. I tried restarting the server, RADIUS, resetting the user's password, etc. Nothing seemed to make a difference, and these logs might as well say nothing at all -- completely unhelpful.
I then had the user log in to his Mac under a different account and try to connect, and it was successful. Back to the original account, and we found a whole bunch of duplicated profiles under the 802.1X tab in the Network panel of System Preferences. After deleting all of those and trying it again, it finally worked.
Not sure why the server side couldn't be a little more helpful in diagnosing the problem, but there you go...
I have similar issues, and tried what you suggested, but no dice. Cross-posted here: http://discussions.apple.com/thread.jspa?messageID=11894473
Summary, one OD account is able to authenticate via AEBS, other accounts are not, and I cannot see any difference. -
I couldn't find anything relevant, but apologies if it has already been answered.
Is there any way of encrypting the traffic between a switch and a RADIUS server when using RADIUS to authenticate switch logins? As far as I can tell the traffic is passed between the switch and the RADIUS server in plain text by default.
Hi,
Please bear in mind that it is not the RADIUS protocol that brings security, but rather the authentication method inside it.
Example, if you use PEAP or EAP-TLS, the authentication is all carried inside a TLS tunnel.
You can sniff the RADIUS packets but you will not be able to get any critical information from the client.
Think of RADIUS as a transport mechanism for EAP authentication.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Software to test RADIUS/TACACS authentication to ACS server
Hi experts,
Is anyone aware of a software that will test RADIUS and/or TACACS authentication to an ACS server from a PC? Same as what you can do on the Cisco VPN concentrator from the page Configuration | System | Servers | Authentication | Test Screen.
Thanks in advance!
If you look in the ACS utils folder you'll see radtest and tactest.exe
These can be used to generate test packets. If you install ACS on another PC you can fire requests from that other PC too.
I think Vasco (token card vendor) had a really nice GUI based RADIUS client too.
Darran -
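Three RADIUS points from the threads above, worked through in one added example that is not code from any of the posts or from the radtest/radclient tools: the MAB thread (the switch sends the MAC as both User-Name and User-Password, exactly the `[004096a3e012/004096a3e012]` shape in the freeradius log), Tiago's reply about encrypting switch-to-server traffic (RADIUS itself only MD5-masks User-Password under the shared secret; EAP methods bring their own TLS), and the radtest/tactest thread (what a test client has to check in a reply before trusting it). The secret `testing123`, the MAC, the candidate-secret list and all function names are this example's own constructed values.

```python
"""RFC 2865 Access-Request/Access-Accept handling for three points from the threads
above: what a switch sends for MAC Authentication Bypass (User-Name == User-Password
== MAC), why plain RADIUS is not 'encrypted' (User-Password is only MD5-masked under
the shared secret), and what a radtest-style client must check in a reply.
Added example, not code from the threads; all names and values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
SERVICE_TYPE_CALL_CHECK = 10  # Service-Type value Cisco IOS puts in MAB requests

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous
    block), seeded by the Request Authenticator. Masking, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    """Inverse: what the server does, and what a sniffer holding the secret does."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop RFC padding (assumes no NUL in the password)

def encode_attrs(attrs):
    """(type, value) pairs -> RADIUS TLV bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(payload):
    """RADIUS TLV bytes -> list of (type, value), rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return attrs

def mab_access_request(secret, mac, ident=1, authenticator=None):
    """What a switch doing MAB sends: username == password == MAC as twelve lowercase
    hex digits (the [004096a3e012/004096a3e012] form in the freeradius log above)."""
    raw = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(raw) != 12 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError("not a MAC address: %r" % mac)
    auth = authenticator or os.urandom(16)  # must be unpredictable per request
    dashed = "-".join(raw[i:i + 2] for i in range(0, 12, 2)).upper()
    body = encode_attrs([(USER_NAME, raw.encode()),
                         (USER_PASSWORD, hide_password(secret, auth, raw.encode())),
                         (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
                         (CALLING_STATION_ID, dashed.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def server_check_mab(secret, req):
    """Server side: unmask User-Password; accept only if it equals User-Name."""
    code, ident, length = struct.unpack("!BBH", req[:4])
    if code != ACCESS_REQUEST or length != len(req):
        return False
    attrs = dict(decode_attrs(req[20:length]))
    pw = reveal_password(secret, req[4:20], attrs.get(USER_PASSWORD, b""))
    return USER_NAME in attrs and attrs[USER_NAME] == pw

def recover_secret(req, candidates):
    """Offline attack on a captured MAB request: the password is known to equal the
    username, so candidate secrets are tested without ever touching the server."""
    attrs = dict(decode_attrs(req[20:]))
    for cand in candidates:
        if reveal_password(cand, req[4:20], attrs[USER_PASSWORD]) == attrs[USER_NAME]:
            return cand
    return None

def response_authenticator(secret, req_auth, code, ident, body):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + req_auth + body + secret).digest()

def access_accept(secret, req, attrs=()):
    body = encode_attrs(list(attrs))
    auth = response_authenticator(secret, req[4:20], ACCESS_ACCEPT, req[1], body)
    return struct.pack("!BBH", ACCESS_ACCEPT, req[1], 20 + len(body)) + auth + body

def verify_response(secret, req, resp):
    """What a radtest/radclient-style client must check before trusting a reply."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if ident != req[1] or length != len(resp) or length < 20:
        return False
    expected = response_authenticator(secret, req[4:20], code, ident, resp[20:length])
    return hmac.compare_digest(expected, resp[4:20])

if __name__ == "__main__":
    secret, req = b"testing123", mab_access_request(b"testing123", "00-40-96-A3-E0-12")
    print(server_check_mab(secret, req), recover_secret(req, [b"cisco", b"testing123"]),
          verify_response(secret, req, access_accept(secret, req)))
```

The `recover_secret` function is the practical caveat behind Tiago's answer: with PEAP or EAP-TLS the user's credentials never appear in the RADIUS packet, but a MAB Access-Request carries a User-Password whose cleartext (the MAC) is visible in the same packet, so anyone who can sniff the switch-to-server UDP traffic gets an offline oracle for the shared secret. A long random secret per NAS, or carrying RADIUS inside IPsec or TLS (RadSec, RFC 6614), is what actually protects that path; the `Message-Authenticator` attribute does not change this, since it is keyed with the same secret.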
Configure Mac Authentication Bypass (MAB) in ACS 5.1
Hello,
I am a newbie in ACS 5.1 and UAC.
I configured a MAB Access Service, but I get the error in the RADIUS Monitoring: 15024: PAP is not allowed.
However, I did not configure PAP anywhere. Any idea what I am doing wrong?
I did not configure any protocols, just 'Process Host Lookup'.
Thanks a lot
Karien
Hi,
You can authenticate hosts with the ACS internal DB or AD; however, please note that if you want to do MAB in AD you need to configure users with the MAC address of the machine in the same way you create the users on ACS.
On the other hand, if the goal is to authenticate the hosts with the hostname itself, that is different from MAB, and you can use the AD DB if the PCs are registered to the domain, without any further configuration on the AD side.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
APSB13-03 authentication bypass issue
I see hotfixes for versions 9 and 10, but how can I fix this vulnerability in ColdFusion version 8.0.1?
Because CF8 has reached end of life, Adobe currently only provides security patches for CF9 and up. I'd recommend upgrading to CF9 or CF10 so you can get security patches.
My best guess on how to secure yourself from this particular issue would be to block /CFIDE and make sure you don't use cflogin in your applications.
Pete Freitag
Foundeo Inc. - Makers of HackMyCF & FuseGuard -
Hi guys,
I am not sure if I am hitting IOS bug CSCtx61557
according to the bug tool this is the info:
crash after authc result 'success' from 'dot1x' for client (Unknown MAC)
CSCtx61557
Description
Symptoms: The switch crashes after logging "success" from "dot1x" for client
(Unknown MAC).
Conditions: The symptom is observed with the following conditions:
1. A switchport is configured with both of the following:
authentication event server dead action authorize...
authentication event server alive action reinitialize
2. The radius server was down previously, and a port without traffic (for
example: a hub with no devices attached) was authorized into the inaccessible
authentication bypass (IAB) VLAN without an associated MAC address.
3. The radius server becomes available again, and a dot1x client
attempts to authenticate.
Workaround: There is no workaround.
I am running the following IOS on my 4500X-16 SFP+:
cat4500e-universalk9.SPA.03.05.03.E.152-1.E3.bin
This is what I configured, and what happened:
HOSTNAME(config)#aaa group server radius rad_eap
HOSTNAME(config-sg-radius)# server name ACS1
HOSTNAME(config-sg-radius)# server name ACS2
HOSTNAME(config-sg-radius)# server name ACS3
HOSTNAME(config-sg-radius)#$ication login default group radius local
HOSTNAME(config)#aaa authentication login CONSOLE local
HOSTNAME(config)#aaa authentication enable default group radius enable
HOSTNAME(config)#aaa authentication ppp default local group radius
HOSTNAME(config)#aaa authentication dot1x default group radius
HOSTNAME(config)#aaa authorization exec default if-authenticated
HOSTNAME(config)#aaa authorization network default group radius
HOSTNAME(config)#aaa accounting update newinfo
HOSTNAME(config)#aaa accounting dot1x default start-stop group radius
HOSTNAME(config)#aaa accounting network default start-stop group
eption to IOS Thread:
Frame pointer 897BAE38, PC = 1C03EECC
IOSD-EXT-SIGNAL: Aborted(6), Process = Exec
-Traceback= 1#49176b00b95a50f3145e3825de17d470 c:1C008000+36ECC c:1C008000+3BE50 c:1C008000+3BF48 :1F679000+201A18C :1F679000+31CEE2C :1F679000+2C22958 :1F679000+2C293E4 :1F679000+1166260 :1F679000+2C3C20C
Fastpath Thread backtrace:
-Traceback= 1#49176b00b95a50f3145e3825de17d470 uld:1F224000+2DE8 uld:1F224000+2DE4 iosd_unix:1C3ED000+186A0 pthread:1AA69000+6450
Auxiliary Thread backtrace:
-Traceback= 1#49176b00b95a50f3145e3825de17d470 pthread:1AA69000+BB8C pthread:1AA69000+BB6C c:1C008000+F61E4 iosd_unix:1C3ED000+21270 pthread:1AA69000+6450
Buffered messages: (last 8192 bytes only)
6 left the port-channel Port radius
HOSTNAME(config)#aaa accounting system default start-stop group radius
HOSTNAME(config)#
HOSTNAME(config)#
HOSTNAME(config)#no authentication logging verbose
HOSTNAME(config)#
HOSTNAME(config)#
HOSTNAME(config)#login block-for 300 attempts 5 within 60
-channel1
*Aug 28 01:08:47.873 UTC: %C4K_IOSINTF-5-LMPHWSESSIONSTATE: Lmp HW session DOWN on slot 11 port 12.
*Aug 28 01:08:48.056 UTC: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.5.98 port 514 started - CLI initiated
*Aug 28 01:08:48.571 UTC: %FASTHELLO-2-FH_DOWN: Fast-Hello interface Te2/1/12 lost dual-active detection capability
*Aug 28 01:08:49.099 UTC: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 172.16.250.61 on interface Vlan250
*Aug 28 01:15:08.753 UTC: %C4K_IOSINTF-5-LMPHWSESSIONSTATE: Lmp HW session UP on slot 11 port 1.
*Aug 28 01:15:24.759 UTC: %VSLP-5-VSL_UP: Ready for control traffic
*Aug 28 01:15:27.760 UTC: %VSLP-5-RRP_ROLE_RESOLVED: Role resolved as ACTIVE by VSLP
*Aug 28 01:15:27.760 UTC: %EC-5-BUNDLE: Interface TenGigabitEthernet2/1/1 joined port-channel Port-channel2
*Aug 28 01:15:28.049 UTC: %C4K_REDUNDANCY-6-DUPLEX_M
<Thu Aug 28 01:18:32 2014> Message from sysmgr: Reason Code:[2] Reset Reason:Service [iosd] pid:[6813] terminated abnormally [6].
Details:
Service: IOSd service
Description: IOS daemon
Executable: /tmp/sw/mount/cat4500e-universalk9.SPA.152-1.E.pkg//usr/binos/bin/iosd
Started at Wed Aug 27 22:27:48 2014 (647795 us)
Stopped at Thu Aug 28 01:18:32 2014 (115506 us)
Uptime: 2 hours 50 minutes 44 seconds
Start type: SRV_OPTION_RESTART_STATELESS (23)
Death reason: SYSMGR_DEATH_REASON_FAILURE_SIGNAL (2)
Last heartbeat 0.00 secs ago
PID: 6813
Exit code: signal 6 (no core)
CWD: /var/sysmgr/work
PID: 6813
UUID: 512
FAILURE: syslogd shutdown
I had a ICMP ping going, and it was not affected, as the Standby VSS chassis kicked in and took over, while the previous active chassis reloaded.
2nd time it happened:
Now this time, I had waited until the previous active chassis was back up and running and came back up as Standby hot.
once again I pasted the same config, and bang, It happened a second time on the second chassis which was acting now as Active supervisor.
And once again, the ICMP continuous ping was not interrupted, as the other chassis remained up, while the "new" active crashed after configuring the same configs in a slight different order.
HOSTNAME(config)#radius server ACS2
HOSTNAME(config-radius-server)#$5.22 auth-port 1812 acct-port 1813
HOSTNAME(config-radius-server)# timeout 1
HOSTNAME(config-radius-server)# key 0 XXXX
HOSTNAME(config-radius-server)#!
HOSTNAME(config-radius-server)#radius server ACS3
HOSTNAME(config-radius-server)#$xxxx auth-port 1812 acct-port 1813
HOSTNAME(config-radius-server)# timeout 1
HOSTNAME(config-radius-server)# key 0 xxxxxxx
HOSTNAME(config-radius-server)#
HOSTNAME(config-radius-server)#aaa group server radius rad_eap
HOSTNAME(config-sg-radius)# server name XXXX
HOSTNAME(config-sg-radius)# server name XXXX
HOSTNAME(config-sg-radius)# server name XXXX
HOSTNAME(config-sg-radius)#
HOSTNAME(config-sg-radius)#
PER-3-S
Exception to IOS Thread:
Frame pointer 89455E38, PC = 1CC27ECC
IOSD-EXT-SIGNAL: Aborted(6), Process = Exec
-Traceback= 1#e495ba4f9346cc1496eecd01ebf1814a c:1CBF1000+36ECC c:1CBF1000+3BE50 c:1CBF1000+3BF48 :20276000+201B18C :20276000+31D0DA8 :20276000+2C24800 :20276000+2C2B28C :20276000+11671B0 :20276000+2C3E0B4
Fastpath Thread backtrace:
-Traceback= 1#e495ba4f9346cc1496eecd01ebf1814a iosd_unix:1CFD6000+1C230 iosd_unix:1CFD6000+1C284 iosd_unix:1CFD6000+18854 pthread:1B653000+6450
Auxiliary Thread backtrace:
-Traceback= 1#e495ba4f9346cc1496eecd01ebf1814a pthread:1B653000+BB8C pthread:1B653000+BB6C c:1CBF1000+F61E4 iosd_unix:1CFD6000+21270 pthread:1B653000+6450
Buffered messages: (last 8192 bytes only)
INTF-5-TRANSCEIVERINSERTED: Slot=11 Port=3: Transceiver hasW-9(config-sg-radius)#
HOSTNAME(config-sg-radius)#no authentication logging verbose
HOSTNAME(config)#
HOSTNAME(config)#
HOSTNAME(config)#login block-for 300 attempts 5 within 60
been inserted
*Aug 28 01:26:03.864 UTC: %C4K_IOSINTF-5-TRANSCEIVERINSERTED: Slot=11 Port=4: Transceiver has been inserted
*Aug 28 01:26:03.864 UTC: %C4K_IOSINTF-5-TRANSCEIVERINSERTED: Slot=11 Port=5: Transceiver has been inserted
*Aug 28 01:26:03.864 UTC: %C4K_IO
<Thu Aug 28 01:28:10 2014> Message from sysmgr: Reason Code:[2] Reset Reason:Service [iosd] pid:[6770] terminated abnormally [6].
Details:
Service: IOSd service
Description: IOS daemon
Executable: /tmp/sw/mount/cat4500e-universalk9.SPA.152-1.E3.pkg//usr/binos/bin/iosd
Started at Thu Aug 28 01:13:52 2014 (60006 us)
Stopped at Thu Aug 28 01:28:10 2014 (993041 us)
Uptime: 14 minutes 18 seconds
Start type: SRV_OPTION_RESTART_STATELESS (23)
Death reason: SYSMGR_DEATH_REASON_FAILURE_SIGNAL (2)
Last heartbeat 0.00 secs ago
PID: 6770
Exit code: signal 6 (no core)
CWD: /var/sysmgr/work
are these the symptoms related to CSCtx61557 ?
I have tested this in a test environment, where no ACS was reachable!
Thanks
Colin
Another update,
It seems not only the 4500X platform is affected, its also 4510R+E's:
WS-C4510R+E
WS-X45-SUP8-E
IOS-XE (cat4500es8-UNIVERSALK9-M), Version 03.03.01.XO
4510R+E#sh redundancy /| i | i state
Current Software state = ACTIVE
Uptime in current state = 2 hours, 39 minutes
Current Software state = STANDBY HOT
Uptime in current state = 6 minutes
4510R+E(config)#login block-for 300 attempts 3 within 60
Exception to IOS Thread:
Frame pointer 8D104E28, PC = C9C0FF4
IOSD-EXT-SIGNAL: Aborted(6), Process = Exec
-Traceback= 1#9492282023e5ef761bd83af205155966 c:C98A000+36FF4 c:C98A000+3C2B0 c:C98A000+3C3A8 :10000000+201B994 :10000000+31CA4E4 :10000000+2C1DC54 :10000000+2C246E0 :10000000+116A3F0 :10000000+2C37508
Fastpath Thread backtrace:
-Traceback= 1#9492282023e5ef761bd83af205155966 c:C98A000+E29C0 c:C98A000+E29A0 iosd_unix:CD74000+1877C pthread:B3FE000+647C
Auxiliary Thread backtrace:
-Traceback= 1#9492282023e5ef761bd83af205155966 pthread:B3FE000+BBB4 pthread:B3FE000+BB94 c:C98A000+FA4E8 iosd_unix:CD74000+21270 pthread:B3FE000+647C
Buffered messages: (last 8192 bytes only)
at least one now can directly "redundancy failover" from config mode..... :) -
How can I configure a 802.1x in a switch 2960 with IOS 15.0.2?
Hi,
I'm trying to configure a switch WS-C2960+24PC-L with IOS 15.0(2)SE5 and C2960-LANBASEK9-M to use 802.1x in my network, but when I type the following commands the IOS doesn't recognize the interface commands and I can't complete the settings:
Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# interface fastethernet2/1
Switch(config-if)# switchport mode access
Switch(config-if)# authentication port-control auto (or dot1x port-control auto)
Switch(config-if)# authentication host-mode multihost
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# end
Source: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/config-ieee-802x-pba.html#GUID-C11588CB-31B6-4CD9-9E74-CF2199FB1807
I've used the same commands on another switch with IOS 12.x and I don't have any problem completing the settings, so.... does somebody know:
* Should I use other commands to activate this feature in this IOS?
* Do I need to use other IOS?
Thanks in advance,
The authentication manager commands in Cisco IOS Release 12.2(50)SE or later, with the equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier (new command <- old command, then the description):

authentication control-direction { both | in } <- dot1x control-direction { both | in }
    Enable 802.1x authentication with the wake-on-LAN (WoL) feature, and configure the port control as unidirectional or bidirectional.
authentication event <- dot1x auth-fail vlan
    Enable the restricted VLAN on a port.
authentication event <- dot1x critical (interface configuration)
    Enable the inaccessible-authentication-bypass feature.
authentication event <- dot1x guest-vlan
    Specify an active VLAN as an 802.1x guest VLAN.
authentication fallback fallback-profile <- dot1x fallback fallback-profile
    Configure a port to use web authentication as a fallback method for clients that do not support 802.1x authentication.
authentication host-mode [ multi-auth | multi-domain | multi-host | single-host ] <- dot1x host-mode { single-host | multi-host | multi-domain }
    Allow a single host (client) or multiple hosts on an 802.1x-authorized port.
authentication order <- mab
    Provides the flexibility to define the order of authentication methods to be used.
authentication periodic <- dot1x reauthentication
    Enable periodic re-authentication of the client.
authentication port-control { auto | force-authorized | force-unauthorized } <- dot1x port-control { auto | force-authorized | force-unauthorized }
    Enable manual control of the authorization state of the port.
authentication timer <- dot1x timeout
    Set the 802.1x timers.
authentication violation { protect | restrict | shutdown } <- dot1x violation-mode { shutdown | restrict | protect }
    Configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.
show authentication <- show dot1x
    Display 802.1x statistics, administrative status, and operational status for the switch or for the specified port.

Source: authentication manager: compatibility with earlier 802.1x CLI commands
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html#concept_6275D339A9074AC0BB06F872D7A54FBB