Web Authentication Catalyst 2960

Similar Messages

• View-only access to Catalyst 2960/2960S device manager

  I have noticed that when I access the (Web-based) device manager on a Catalyst 2960 or 2960S switch, the authentication prompt (from within IE, at least) includes the phrase, "The server <switch-hostname> at level_15_or_view_access requires a username and password." This would seem to imply that it's possible to configure view-only (a.k.a. read-only) access to the device manager, which would be perfect for first-level support personnel (in our environment). I reviewed the information on how to configure local authentication for the Web server (leveraging "ip http authentication local" among other commands), but the examples are a bit too broad for me understand how to specifically (and only) allow someone coming in via HTTP(S) to gain read-only access to the device manager. (Command line access should be denied entirely for the view-only user, if possible, or at least limited to commands that can't modify the switch's configuration.) Assuming this is possible, could someone cite the command sequence required?
  Thanks,
  Mike

  Hi,a customer want a user which has view-only rights on his catalyst switches. I created a user whit privilige level 7.If you log into the CLI everything is fine. But by trying to log into the web page the system wants a level 15 user.Is their any possibility to grant the level 7 user "view-only" rights on the Catalyst Device Manager?Thanks.Thanks.
  Hi,
  Check out the below link for SDM for read only user configuration
  http://conft.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/application/notes/SDMcli.pdf
  Hope to Help !!
  Ganesh.H
  Remember to rate the helpful post

• ISE 1.2 web authentication problem with wired clients

  Hello,
  i am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
  Redirecting the client works fine, but as soon the client opens a web browser and ISE websites open to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired messages appears on the client and i get an 86017 Session Missing message in ISE.
  here the output form the debug aaa coa log.
  Any ideas
  thanks in advanced
  Alex
  ! CLIENT CONNECT TO SWITCHPORT
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
              User-Name:  00-1F-29-7B-BD-82
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
                ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026B28C02CDC
        Acct Session ID:  0x0000029C
                 Handle:  0x8C00026C
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  ! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE 
  ! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
  ISE-TEST-SWITCH#
  191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
  191527: .Jun 24 10:42:24.340 UTC: RADIUS:  authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
  191528: .Jun 24 10:42:24.340 UTC: RADIUS:  NAS-IP-Address      [4]   6   172.20.132.100
  191529: .Jun 24 10:42:24.340 UTC: RADIUS:  Calling-Station-Id  [31]  19  "00:1F:29:7B:BD:82"
  191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
  191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529
  191532: .Jun 24 10:42:24.340 UTC: RADIUS:  Message-Authenticato[80]  18
  191533: .Jun 24 10:42:24.340 UTC: RADIUS:   E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E          [ <Ggi=aSn]
  191534: .Jun 24 10:42:24.340 UTC: RADIUS:  Vendor, Cisco       [26]  43
  191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
  191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
  191537: .Jun 24 10:42:24.340 UTC:  ++++++ CoA Attribute List ++++++
  191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
  191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
  191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
  191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
  191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
  191543: .Jun 24 10:42:24.349 UTC:
  191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
  191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
  191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
  191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
  191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
  191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
  ISE-TEST-SWITCH#
  191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
  191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
  191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
  191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
  191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
  ! SESSION ID CHANGES, USER ENTERS CREDENTIALS 
  ! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
  ! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
                 Status:  Running
                 Domain:  UNKNOWN
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026C28C2FA05
        Acct Session ID:  0x0000029D
                 Handle:  0x2C00026D
  Runnable methods list:
         Method   State
         dot1x    Running
         mab      Not run

  Guest authentication failed: 86017: Session cache entry missing
  try adjusting the UTC timezone during the guest creation in the sponsor portal.
  86017
  Guest
  Session Missing
  Session ID missing. Please contact your System Administrator.
  Info

• Central web authentication

  I have downloaded the new Cisco ISE, I've managed to configure 802.1x and MAB succesfully but I want to configure wired centralized web authentication, but I cannot find any documentation how to configure ISE and Cisco Catalyst (IOS) switches to use this feature (I only find (limited) documentation about local web auth on the switch).
  I want to achieve the following authentication order on a switchport:
  802.1x
  MAB
  central web authentication
  So if a guest user comes with his laptop, 802.1x is not configured on his laptop and he's not in the Mac Bypass DB, he should "failover" to web auth and get the ISE guest portal webpage with his web browser. There he enters a guest username and password (which is of course already in the ISE DB) and he should get web access.
  I've configured the switchport with the following commands
  switchport access vlan 99
  switchport mode access
  switchport voice vlan 50
  authentication event no-response action authorize vlan 32
  authentication host-mode multi-domain
  authentication order dot1x mab webauth
  authentication port-control auto
  authentication violation protect
  authentication fallback webprofile
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 2
  dot1x timeout tx-period 2
  spanning-tree portfast
  spanning-tree bpduguard enable
  the web-profile with access-list to permit DHCP traffic between the attached device and any DHCP server in the vlan 99, and communications with ISE (also in vlan 99) at the moment "fallback webprofile" is triggered (I don't know if this should be configured with central webauth?)
  SW01T#sh fallback profile webprofile
  Profile Name: webprofile
  Description : webauth profile
  IP Admission Rule : NONE
  IP Access-Group IN: 133
  FYI, the access list:
  Extended IP access list 133
  10 permit ip any host 10.175.0.29
  30 permit udp any any eq bootps
  40 permit udp any eq bootpc any
  In the ISE, I configured DOT1x and MAB. In the MAB profile, I configured "continue" if user is unknown, and then an authorization profile for the web authentication:
  (attributes of the profile):
  Access Type = ACCESS_ACCEPT
  cisco-av-pair = url-redirect-acl=webauth
  cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&portal=https://10.175.0.29:8443/guestportal/gateway?sessionId=SessionIdValue&portal=http&action=cwa&action=cwa
  But it doesn't work. If I attach a device, it tries 802.1x, it tries MAB, then it fails over to "web authentication" but immediately fails with "no-response" message:
  001420: Jul 1 12:09:19: %AUTHMGR-5-START: Starting 'webauth' for client (0011.2
  5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
  5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
  from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0
  AAF003E000000582E866B69
  001422: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'webauth' for cl
  ient (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B
  69
  001423: Jul 1 12:09:19: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication
  methods for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003 001420:
  Is there some configuration guide or steps available in order to make this work please?
  kind regards

  Hi Tarik,
  thank you for the fast reply.
  I've configuried the extra settings you told me (although I thought the ip admission configuration was only for local web authentication (where the switch acts as a http server).
  But it still doesn't work. The pc is getting the ip address from the dhcp server but if I open a browser session, I do not get redirected to the ISE portal in order to log me in with a Guest account.
  If I look at the authentication session of the port, it looks like the ISE has correctly sent the redirect acl and redirect url to the switchport:
  Switch# show auth sessions int fa 1/0/3
             Interface:  FastEthernet1/0/3
           MAC Address:  0011.25d7.6c6c
            IP Address:  10.175.0.229
             User-Name:  001125d76c6c
                Status:  Authz Success
                Domain:  DATA
       Security Policy:  Should Secure
       Security Status:  Unsecure
        Oper host mode:  multi-domain
      Oper control dir:  both
         Authorized By:  Authentication Server
            Vlan Group:  N/A
      URL Redirect ACL:  webauth
          URL Redirect:  https://ISE.onemrva.priv:8443/guestportal/gateway?session
  Id=0AAF003E0000175A43004FE3&action=cwa
       Session timeout:  N/A
          Idle timeout:  N/A
     Common Session ID:  0AAF003E0000175A43004FE3
       Acct Session ID:  0x000018CF
                Handle:  0xEF00075B
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
         webauth  Not run
  As you can see, the "web authentication" is the result of a "succesful MAB". This is because I had to configure ISE to continue on MAB if the user was not found (I found that somewhere in documentation). Then I have configured a default authorization profile where the "web authentication" is triggered. This is where I've configured the redirect-url and so on and this is of course sent to the switch as a succesfull MAB:
  authorization profile "webauthentication" with the "centralized web authentication" settings configured (see attributes output):
  Access Type = ACCESS_ACCEPT
  cisco-av-pair = url-redirect-acl=webauth
  cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  Actually, I really have no idea if I have correctly configured ISE to handle central web authentication...
  If I check the "show ip admission cache", nothing is seen in there.

• 802.1x on Cisco Catalyst 2960

  I am trying to enable 802.1x on one of
  the switchports of the Cisco Catalyst
  2960:
  C2960#sh run | i radius
  aaa authentication login test group radius local
  aaa authentication dot1x default group radius
  radius-server host 10.250.97.26 auth-port 1812 acct-port 1813
  radius-server source-ports 1645-1646
  radius-server key 123456
  C2960#sh run | i dot
  aaa authentication dot1x default group radius
  dot1x system-auth-control
  dot1x guest-vlan supplicant
  dot1x critical eapol
  C2960#conf t
  Enter configuration commands, one per line. End with CNTL/Z.
  C2960(config)#int g0/14
  C2960(config-if)#dot1x ?
  % Unrecognized command
  C2960(config-if)#dot1x
  As you can see, I can not enable 802.1x
  at the interface level. The code is am running is 12.2.25SEE4:
  Switch Ports Model SW Version SW Image
  * 1 24 WS-C2960G-24TC-L 12.2(25)SEE4 C2960-LANBASEK9-M
  System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"
  According to Cisco, this image supports
  802.1x. Why can't enable it at the
  interface level?
  Can someone help me out? Thanks.

  some additional info:
  C2960#sh dot1x all
  Sysauthcontrol Enabled
  Dot1x Protocol Version 2
  Critical Recovery Delay 100
  Critical EAPOL Enabled
  C2960#

• Cisco catalyst 2960 booting garbage, help on restore IOS

  Dear All,
  This is my first time on terminal access of Cisco Catalyst 2960 (2960TC-L), normally would use the web configuration for most task.
  Now the switch has an issue with the web interface and when I try to access through terminal, I was greeted with garbage upon the booting of the switch, I searched for the terminal boot process and it wasn't what I was expected for my switch. I was a bit dumbfound now of how can I recover the firmware to its default stage, now that I cannot even boot through its terminal console.
  Any help is highly appreciated. Thank you for your time.

  Hi,
  I just verified with my colleague of whom have done quite a few bits before I took over his task.
  His reply was he actually did an IOS flash before, though I'm not sure how he did it, but according to him, it was actually a success and the web interface still works for few times before it become like this.
  As I tried another time to goes into root mode (or Admin mode??) for the switch, the steps as I performed below:
  1. Refer to cisco-2960-putting-setting.jpg for the settings. I press Open and it does display the console Window, no issue there.
  2. I hold the "mode" button on the switch and turn on the switch power, and after few seconds the screen display as such (refer to cisco-2960-putty-output2.jpg), the SYST L.E.D. did flash with following pattern: Green (blink ~15 times) then Orange-Green (repeat blink twice) then Green (stable light), for this I was expecting it to goes off after few seconds but it didn't, I wait about a minute before I let go the "mode" button.
  3. After I let go the "mode" button, it goes to the screen (refer cisco-2960-putty-output3.jpg), and the SYST still blinking, possibly infinitely... with the console output screen stays like that... and whatever I entered display weird/garbage characters instead, I can't do anything on it.
  Each tries display different weird characters, as the SYST still blinking infinitely.
  I'm unsure if I'm giving enough details for online troubleshooting, I'll try my best to give as per instructed.
  Thank you for your time.

• Catalyst 2960 after upgrade

  hello,
  I have a Catalyst 2960 series switch after upd blocked by the Web console,
  I turned on the switch and connected the console cable but it does not reponds, LED Lighted system remains,
  I feel that the update process was interrupted because that I was trying to update the others switchs at the same time,and all switch are cascaded,
  can you please help me?
  Regards,

  If you've tried two or three different clients and you can't get anything (not even garbage characters) from console then there's a sure chance the appliance is toast.
  Your remedial action would be to raise a TAC Case and get the appliance RMA-ed.

• Dot1x from catalyst 2960 to rsa

  My infrastructure:
  - Windows Vista or XP PC
  - Catalyst 2960
  - RSA Authentication Manager 7.1 with radius server
  I'm trying to authenticate my clients through RSA secureid but it doesn't work...
  If I try radius authentication with a test client it works properly...
  My switch is configured (interesting parts):
  aaa authentication dot1x default group radius
  dot1x system-auth-control
  interface GigabitEthernet0/4
  dot1x pae authenticator
  dot1x port-control auto
  radius-server host 10.242.5.63 auth-port 1645 acct-port 1646 key 7 <removed>
  radius-server source-ports 1645-1646
  I've read some documents about this, and I've tried all tyoe of authentication, I think that correct auth is Cisco PEAP-GTC
  Anyone has a working configuration?
  Thanks
  Daniele

  With RSA you need to set GTC and no other authentication protocol will work.
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/o.htm#wp623530
  Regards,
  ~JG
  Do rate helpful posts

• Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

  Hello,
  I have configured a Guest SSID with web authentication (captive portal).
  wlan XXXXXXX 2 Guest
   aaa-override
   client vlan YYYYYYYYY
   no exclusionlist
   ip access-group ACL-Usuarios-WIFI
   ip flow monitor wireless-avc-basic input
   ip flow monitor wireless-avc-basic output
   mobility anchor 10.181.8.219
   no security wpa
   no security wpa akm dot1x
   no security wpa wpa2
   no security wpa wpa2 ciphers aes
   security web-auth
   security web-auth parameter-map global
   session-timeout 65535
   no shutdown
  The configuration of webauth parameter map  is :
  service-template webauth-global-inactive
   inactivity-timer 3600 
  service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   voice vlan
  parameter-map type webauth global
   type webauth
   virtual-ip ipv4 1.1.1.1
   redirect on-success http://www.google.es
  I need to  login on web authentication on HTTP instead of HTTPS.
  If I  login on HTTP, I will not receive certificate alerts that prevent the users connections.
  I saw how to configure it with 7.x relesae but I have IOS XE Version 03.03.05SE and I don´t know how to configure it.
  Web Authentication on HTTP Instead of HTTPS
  You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
  For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
  For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
  On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
  Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
  Thanks in advance.
  Regards.

  The documentation doesn't provide very clear direction, does it?
  To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

• Not Working-central web-authentication with a switch and Identity Service Engine

  on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
  I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
  The interface configuration looks like this:
  interface FastEthernet0/24
  switchport access vlan 6
  switchport mode access
  switchport voice vlan 20
  ip access-group webauth in
  authentication event fail action next-method
  authentication event server dead action authorize
  authentication event server alive action reinitialize
  authentication order mab
  authentication priority mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  spanning-tree portfast
  end
  The ACL's
  Extended IP access list webauth
      10 permit ip any any
  Extended IP access list redirect
      10 deny ip any host 172.22.2.38
      20 permit tcp any any eq www
      30 permit tcp any any eq 443
  The ISE side configuration I follow it step by step...
  When I conect the XP client, e see the following Autenthication session...
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
             Interface:  FastEthernet0/24
            MAC Address:  0015.c549.5c99
             IP Address:  172.22.3.184
              User-Name:  00-15-C5-49-5C-99
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
       URL Redirect ACL:  redirect
           URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC16011F000000490AC1A9E2
        Acct Session ID:  0x00000077
                 Handle:  0xB7000049
  Runnable methods list:
         Method   State
         mab      Authc Success
  But there is no redirection, and I get the the following message on switch console:
  756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
  756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  I have to mention I'm using an http proxy on port 8080...
  Any Ideas on what is going wrong?
  Regards
  Nuno

  OK, so I upgraded the IOS to version
  SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
  I tweak with ACL's to the following:
  Extended IP access list redirect
      10 permit ip any any (13 matches)
  and created a DACL that is downloaded along with the authentication
  Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
      10 permit ip any any
  I can see the epm session
  swlx0x0x#show epm session ip 172.22.3.74
       Admission feature:  DOT1X
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
  And authentication
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
       Interface:  FastEthernet0/24
       MAC Address:  0015.c549.5c99
       IP Address:  172.22.3.74
       User-Name:  00-15-C5-49-5C-99
       Status:  Authz Success
       Domain:  DATA
       Oper host mode:  multi-auth
       Oper control dir:  both
       Authorized By:  Authentication Server
       Vlan Group:  N/A
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
       Session timeout:  N/A
       Idle timeout:  N/A
       Common Session ID:  AC16011F000000160042BD98
       Acct Session ID:  0x0000001B
       Handle:  0x90000016
       Runnable methods list:
       Method   State
       mab      Authc Success
  on the logging, I get the following messages...
  017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
  017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
  017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
  017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
  017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
  017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
  What I'm I missing?

• Having trouble with web authentication in 5504

  Hi everybody,
  We´re experiencing a trouble with our Wireles LAN solution. We have a WLC 5504, a ACS 4.2 and APs 1131AG.
  After deploying the solution and doing some tests we noticed when a user attempted to connect by wireless network there was too much delay since they clicked ie (internet explorer) until web authentication into WLC was shown. the delay was around 3 minutes. This issue also ocurrs despite of doing a test from my laptop that was next to one access point, then, I moved to another access point and the result was the same, a laptop problem is ruled out.
  Has anybody ever had this kind of trouble? , How could I reduce this time?, is it possible?, Which part of configuration shoud I check?
  Regards,
  Manuel

  Friends,
  I´ve made a mistake. Our WLC is a 4404.  
  Regards,
  Manuel

• Troubleshooting Fiber Connection on a Catalyst 2960

  I am trying to test my fiber connectivity on a Catalyst 2960 before I deploy it. So what I thought I would do is connect it to another switch in my office with a open port for the fiber connection. The other switch is a Catalyst 3560G. Here are the port configurations:
  interface GigabitEthernet0/2
  switchport trunk allowed vlan 1,100
  switchport mode trunk
  macro description cisco-switch
  interface GigabitEthernet0/25
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,100
  switchport mode trunk
  The first one is the catalyst 2960 and the 3560G is the second.
  When you show the interface for each of these it shows that it recognizes the media but the line protocal and the GigbitEthernet Port is down.
  Any Ideas?

  Sorry... a fiber optic cable with a connector on each end.
  To aid in troubleshooting, many times we loopback the signal back to the originating device. An optical loopback is just connecting the transmit (Tx) to the receive (Rx).
  The multimode SFP/GBIC transceiver you are using will allow you to directly connect the Transmit and Receive ports without damage to the unit. This should provide you with a green link LED.
  If so, then you can reconnect your fibers and loopback (connect the two fibers together) at the far end of the fiber link (use an optical adapter) and see if you get a green LED.

• Bandwidth monitoring on a Catalyst 2960

  Hello all, I'm working with two Catalyst 2960 switches and I would like to know if there is a way to monitor bandwidth on individual ports. Ideally I would like to have one graph showing a bandwidth usage reading on each port. I tried using the Network Assistant to accomplish this, but I was only able to view one port at a time. I also tried using a traffic graphing program from Paessler, but a MIB file is needed to allow the program to connect to the switch. When I ran a search on the network management page the 2960 was not on the list for MIB supported products. Is this type of graph possible to do? Or is there a more effective way to accomplish what I would like to do. Any ideas or suggestions would be helpful.

  Hi, we have just swapped all our avaya switches with catalyst 2960 (12, 24 and 48 ports) and 3750 (48 ports with 10gig module).
  How do I find what port I should monitor for bandwith graphs?
  Target[10.0.0.22_loc1]: 1:@10.0.0.22:

• Catalyst 2960 SF Stacking

  Hi
  I am stacking 6 Catalyst 2960 SF Series PoE 48 ports, I am using the Bladestack cable. I plug it in from 1 to 2 on all the switches. If I look at the lights it shows 4 in on group and 2 in another. If I do a show switch detail it shows the following
  Switch/Stack Mac Address : 44ad.d982.a100
                                             H/W   Current
  Switch#  Role   Mac Address     Priority Version  State
  1       Member 5006.0425.7e00     1      1       Ready              
  *2       Master 44ad.d982.a100     1      1       Ready              
  3       Member 5006.0435.bc00     1      1       Waiting            
  4       Member 5006.04d8.7000     1      1       Ready              
           Stack Port Status             Neighbors    
  Switch#  Port 1     Port 2           Port 1   Port 2
    1       Down        Ok              None       2
    2        Ok         Ok                4        1
    4       Down        Ok              None       2

  Hi , i think only four 2960 SF switches can be stacked into a singe logical switch.
  Please refer the link , hope this helps:
  http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/white_paper_c11-578928.html

• Catalyst 2960 Problem with Cisco SPA512

  Hi there,
  I hope someone can help me.
  I don't have much experience with switches, I'm doing the desktop support in our company.
  We have Catalyst 4510 R+E to 2 Catalyst 2960 switches and seperate VLAN's for IP Phones and for Internet in one part of our office.
  Now I'm running into trouble with some IP Phones that are connected to the 2960 switches. It appears only to happen with Cisco's SPA-512. I've tried FW 7.5.2, 7.5.5 and 7.5.5b. These phones sporadically drop the call / connection, with the red MIC button blinking. Based on my research this means that it looses Internet connection. I have 1 SPA512 with FW 7.5.1 that does not show these symptoms.
  I have other phones SPA942 and Polycom IP335 in the same area behind the same switches and no issues.
  We've tried to disable auto negotiate and set a fixed transmition rate or either 1Gbps and 100Mbps, both without success.
  I also have SPA512 in other areas of the office just connected to our Catalyst 4510 R+E and they work just fine. That's why I don't believe it has anything to do with the 4510, but I can be wrong.
  That's all I have for you guys. Hope someone can help me to fix / troubleshoot this..
  Frank

  SSwitch3#test cable-diagnostics tdr int g1/0/16
  TDR test started on interface Gi1/0/16
  A TDR test can take a few seconds to run on an interface
  Use 'show cable-diagnostics tdr' to read the TDR results.
  SSwitch3#show cable-diagnostics tdr int g1/0/16
  TDR test last run on: June 27 13:39:21
  Interface Speed Local pair Pair length        Remote pair Pair status
  Gi1/0/16  1000M Pair A     52   +/- 10 meters Pair A      Normal
                  Pair B     52   +/- 10 meters Pair B      Normal
                  Pair C     52   +/- 10 meters Pair C      Normal
                  Pair D     52   +/- 10 meters Pair D      Normal
  SSwitch3#