Wireless dot1x authenticated but no IPv4 DHCP assignment

Similar Messages

• Apple wireless clients authenticated but show no username in WLC

  Running 7.0.220. There are several 'unknown' users every day reported in WCS. Investigating the connections on the WLC I find the clients are in a run state and passing traffic but there is no username listed on the client detail. (hence the unknown on WCS)
  (mcm-189jsoc-wlc1) >show client detail 60:c5:47:07:b6:5a
  Client MAC Address............................... 60:c5:47:07:b6:5a
  Client Username ................................. N/A
  AP MAC Address................................... 00:1e:13:42:16:a0
  AP Name.......................................... mcm-208dorm-wap1
  Client State..................................... Associated
  Client NAC OOB State............................. Access
  Wireless LAN Id.................................. 1
  BSSID............................................ 00:1e:13:42:16:a0
  Connected For ................................... 599 secs
  Channel.......................................... 11
  Clients in this state are usually Apple products. From initial investigation it looks like the do authenticate with the ACS.
  Any ideas for debugs to run, or fixes on the WLC? Perhaps there's a bug on this behavior?
  Thanks
  Kyle Morrison

  Kyle:
  I suppose you are using PEAP or some EAP that utilizes TLS tunnel.
  The username that appears is what cold "outer identity" username. This is sent to the AAA server outside the TLS channel and need not to be the correct username although it can be the same. So I think with macBooks the outer identity is empty. But I don't remember if it appears on the WLC as unknown.
  For ipad I can see my username explicitly appearing on my WLC which means the outer identity is same asthe correct username.
  What mac devices that you use?
  You need no debugs. Wireless packet capture while the client is trying to authenticate should be enough to show what outer identity is used.
  HTH
  Amjad
  p.s: with windows it depends on the supplicant software if an outer identity can be configured or not.
  Sent from Cisco Technical Support iPad App

• 802.1x and DHCP assigned addresses

  I've done a lot of reading on this but I am still confused. I'm not a Microsoft guru so I don't really know waht is going on with login scripts, or cached user/pass.
  Scenario 1
  ==========
  I have 802.1x implemented and Joe the contractor comes into the office and plugs in his laptop. He is a guest. I allow guests to have access to a guest VLAN. How can Joe automatically get an IP address, or does he have to do ipconfig /renew?
  Scenario 2
  ==========
  What is the behind the scenes process that takes place for my corporate users that login to a domain....how do they get DHCP assigned addresses?
  Thanks

  I assume from what you have written 'Joe' doesn't have an 802.1x supplicant on his PC? Therefore the switchport eapol frames are ignored by the PC and after a timeout the port is placed in the guest vlan. You need to make sure DHCP is enabled for the guest vlan - either add the appropriate entried to the protecting ACL or add a scope on the router? Depending on the timeouts you may have some delay issues here; I would test this before you roll it out.
  For clients with 802.1x supplicants what happens is the PC effectively thinks it is disconnected from the network until the supplicant has authenticated. Once it has authenticated the PC thinks the network adapter is then connected and it will attempt to lease an IP address by broadcasting a DHCP request.
  There are however a few 802.1x supplicants and I am not sure how they all integrate with the host O/S. I know the built-in Microsoft one operates as I have described.
  HTH
  Andy

• 802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

  Hello,
  i have tried to configure a dot1x based Authentication.
  With an single host including guest-vlan, everything works fine.
  But i want to use an IP-Phone (wich is every times authenticated) and behind the Phone an Client.
  Is there a possible solution? And unfortunately IP-Phones are Avaya-Phones.
  i have  just tried so...
  interface GigabitEthernet0/4
  switchport access vlan 121
  switchport mode access
  switchport voice vlan 200
  authentication event fail action authorize vlan 99
  authentication event server dead action authorize vlan 121
  authentication event server alive action reinitialize
  authentication host-mode multi-host
  authentication order dot1x
  authentication port-control auto
  authentication periodic
  authentication violation restrict
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 1
  spanning-tree portfast
  Thanks, for any possible solution!

  unfortunately because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.
  I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
  Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The raduis server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
  What are using for a radius server?

• Delay the first dot1x authentication message after a port comes up

  Cisco ISE: 1.2
  Switch IOS: 15.0.2.EX4
  Hello,
  I have configured the APs to authenticate with 802.1X via the switch.
  When I shut the port on which the AP is connected and then no shut it, the port comes up a few seconds later and the switch sends a dot1x authentication.
  I feel that the AP has not finished to boot and that's why it fails because the AP doesn't answer that authentication request.
  I was wondering if it's possible to delay the first authentication message the switch sends just after a port comes up ?
  When I use debug commands I see
  %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
  %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
  %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
  %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
  %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
  NB: you'll see exhausted all authentication methods because I only configured dot1x on the port (no mab or anything else)
  Thank you for all answers

  Hello,
  Thank you for your reply. That document is very interesting.
  I've just read the chapter regarding the profiling with APs so far and got them working properly the way they showed it.
  However I'm not a big fan of MAB and profiling. Because ISE retieves CDP informations collected through SNMP.
  - You need CDP (or LLDP) enabled and you might not want that for different reasons (Security, Interoperability...)
  - A machine could lie about its identity and pretend through CDP that it's a controller, an AP, a printer and so on.
  That's why the best option, in my opinion would be that the AP sends its credentials and ISE accept it or reject is.
  It's possible to do this with the Cisco APs
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99791-eapfast-wlc-rad-config.html
  I'm wondering why Cisco chooses a different EAP method for each of their devices (EAP-MD5 -> Cisco Phones, EAP-FAST -> AP)
  So in my humble opinion, the mab/profiling solution is good but not optimal.

• No IPv4 DHCP

  I recently installed the 10.4.11 update and the security update that came at the same time the next morning when I woke up I had no wireless or wired IPv4 DHCP. I have plenty of other computers in my house both Mac and Windows, wired and wireless, and they all work fine.
  I get an IPv6 address and can ping6 my router by IPv6 address, but I get no internet or communication through IPv4.
  When I run ifconfig I get no inet entries, only inet6.
  I tried the "sudo ipconfig set en0 BOOTP; sudo ipconfig set en0 DHCP" along with "sudo ipconfig en0 down; sudo ipconfig en0 up". This only returns "ipconfig server not active"
  Any ideas?

  Was that the 1.0 or the 1.1 Security update?
  Might be some lists to try dragging to the Desktop & reboot...
  /Users/YourUserName/Library/Preferences/com.apple.internetconnect.plist
  /Library/Preferences/SystemConfiguration/preferences.plist
  /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
  /Library/Preferences/com.apple.sharing.firewall.plist
  /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
  /Library/Preferences/com.apple.networkConfig.plist
  Also any...
  ~/Library/Preferences/ByHost/com.apple.networkConnect.<12 digit number>.plist
  Can always drag them back & Reboot if it doesn't work.

• Tcpdump: WARNING: en0: no IPv4 address assigned

  This is the result that I get when I type "sudo tcpdump" into the terminal: tcpdump: WARNING: en0: no IPv4 address assigned
  When I use "sudo tcpdump -i en1" there are so many responses that I cannot type the next line of command. Is it possible that when the results include the other two computer on the AirPort network? Or is there some way so that I can see only the IPs once (if IP "X" came up as a result it would only display " IP X" once), or that it would disregard the port numbers so that I would not see "IP X: Port 1"?
  Thank you to anyone who can clarify this.
  PS This is for my AirPort Extreme wireless network, but when I connect physically with an Ethernet cable I get the same result (but you don't have to help me resolve that).

  I retried with the sudo command. After a few seconds my results became:
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
  13:35:26.687557 IP 10.0.1.2.49209 > imap-mtc14.mx.aol.com.imap: P 2401743191:240
  1743201(10) ack 2132261488 win 65535 <nop,nop,timestamp 796491829 580358465>
  13:35:26.687692 IP 10.0.1.2.49210 > imap-mtc4.mx.aol.com.imaps: P 2583668193:258
  3668228(35) ack 2860833822 win 65535 <nop,nop,timestamp 796491829 2081793890>
  13:35:26.689269 IP 10.0.1.2.49319 > 10.0.1.1.domain: 43583+ A? pop.sbcglobal.ya
  hoo.com. (41)
  13:35:26.712849 IP 10.0.1.1.domain > 10.0.1.2.49319: 43583 3/0/0 CNAME[|domain]
  13:35:26.769554 IP imap-mtc14.mx.aol.com.imap > 10.0.1.2.49209: . ack 10 win 241
  2 <nop,nop,timestamp 580364456 796491829>
  13:35:26.805972 IP imap-mtc14.mx.aol.com.imap > 10.0.1.2.49209: P 1:24(23) ack 1
  0 win 2412 <nop,nop,timestamp 580364460 796491829>
  13:35:26.806074 IP 10.0.1.2.49209 > imap-mtc14.mx.aol.com.imap: . ack 24 win 655
  35 <nop,nop,timestamp 796491829 580364460>
  13:35:26.869270 IP imap-mtc4.mx.aol.com.imaps > 10.0.1.2.49210: . ack 35 win 648
  00 <nop,nop,timestamp 2081799898 796491829>
  13:35:26.891602 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: S 38
  12351761:3812351761(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 796491
  829 0>
  13:35:26.908946 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: S 25
  14494269:2514494269(0) ack 3812351762 win 65535 <mss 1452,nop,wscale 1,nop,nop,t
  imestamp 794004504 796491829>
  13:35:26.909034 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ac
  k 1 win 65535 <nop,nop,timestamp 796491829 794004504>
  byte 1481
  I know that the IP address 10.0.1.1 is my sister, who shares the AirPort network with me. (She is also on my iChat buddly list, and I have heard that this type of command with the Terminal can include the IP addresses of contacts in iChat.) I know why her IP is there, but why are there references to mail servers from AOL and SBC? I have accounts with them, and I have set Mail to check for new mail every minute. Is this why they are in the results of the tcpdump?
  EDIT: A few minutes later, new results were added:
  op,nop,timestamp 796491829 580358465>
  13:35:26.687692 IP 10.0.1.2.49210 > imap-mtc4.mx.aol.com.imaps: P 2583668193:2583668228(35) ack 2860833822 win 65535 <n
  op,nop,timestamp 796491829 2081793890>
  13:35:26.689269 IP 10.0.1.2.49319 > 10.0.1.1.domain: 43583+ A? pop.sbcglobal.yahoo.com. (41)
  13:35:26.712849 IP 10.0.1.1.domain > 10.0.1.2.49319: 43583 3/0/0 CNAME[|domain]
  13:35:26.769554 IP imap-mtc14.mx.aol.com.imap > 10.0.1.2.49209: . ack 10 win 2412 <nop,nop,timestamp 580364456 79649182
  9>
  13:35:26.805972 IP imap-mtc14.mx.aol.com.imap > 10.0.1.2.49209: P 1:24(23) ack 10 win 2412 <nop,nop,timestamp 580364460
  796491829>
  13:35:26.806074 IP 10.0.1.2.49209 > imap-mtc14.mx.aol.com.imap: . ack 24 win 65535 <nop,nop,timestamp 796491829 5803644
  60>
  13:35:26.869270 IP imap-mtc4.mx.aol.com.imaps > 10.0.1.2.49210: . ack 35 win 64800 <nop,nop,timestamp 2081799898 796491
  829>
  13:35:26.891602 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: S 3812351761:3812351761(0) win 65535 <mss 1
  460,nop,wscale 0,nop,nop,timestamp 796491829 0>
  13:35:26.908946 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: S 2514494269:2514494269(0) ack 3812351762 w
  in 65535 <mss 1452,nop,wscale 1,nop,nop,timestamp 794004504 796491829>
  13:35:26.909034 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 1 win 65535 <nop,nop,timestamp 796491
  829 794004504>
  13:35:26.925701 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: P 1:33(32) ack 1 win 33120 <nop,nop,timesta
  mp 794004506 796491829>
  13:35:26.925784 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 33 win 65535 <nop,nop,timestamp 79649
  1829 794004506>
  byte 175913:35:26.687557 IP 10.0.1.2.49209 > imap-mtc14.mx.aol.com.imap: P 2401743191:2401743201(10) ack 2132261488 win 65535 <nop,nop,timestamp 796491829 5
  80358465>
  13:35:26.687692 IP 10.0.1.2.49210 > imap-mtc4.mx.aol.com.imaps: P 2583668193:2583668228(35) ack 2860833822 win 65535 <nop,nop,timestamp 796491829 2
  081793890>
  13:35:26.689269 IP 10.0.1.2.49319 > 10.0.1.1.domain: 43583+ A? pop.sbcglobal.yahoo.com. (41)
  13:35:26.712849 IP 10.0.1.1.domain > 10.0.1.2.49319: 43583 3/0/0 CNAME[|domain]
  13:35:26.769554 IP imap-mtc14.mx.aol.com.imap > 10.0.1.2.49209: . ack 10 win 2412 <nop,nop,timestamp 580364456 796491829>
  13:35:26.805972 IP imap-mtc14.mx.aol.com.imap > 10.0.1.2.49209: P 1:24(23) ack 10 win 2412 <nop,nop,timestamp 580364460 796491829>
  13:35:26.806074 IP 10.0.1.2.49209 > imap-mtc14.mx.aol.com.imap: . ack 24 win 65535 <nop,nop,timestamp 796491829 580364460>
  13:35:26.869270 IP imap-mtc4.mx.aol.com.imaps > 10.0.1.2.49210: . ack 35 win 64800 <nop,nop,timestamp 2081799898 796491829>
  13:35:26.891602 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: S 3812351761:3812351761(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,tim
  estamp 796491829 0>
  13:35:26.908946 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: S 2514494269:2514494269(0) ack 3812351762 win 65535 <mss 1452,nop,wscal
  e 1,nop,nop,timestamp 794004504 796491829>
  13:35:26.909034 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 1 win 65535 <nop,nop,timestamp 796491829 794004504>
  13:35:26.925701 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: P 1:33(32) ack 1 win 33120 <nop,nop,timestamp 794004506 796491829>
  13:35:26.925784 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 33 win 65535 <nop,nop,timestamp 796491829 794004506>
  13:35:26.926295 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: P 1:34(33) ack 33 win 65535 <nop,nop,timestamp 796491829 794004506>
  13:35:26.945409 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: P 33:57(24) ack 34 win 33120 <nop,nop,timestamp 794004508 796491829>
  13:35:26.945493 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 57 win 65535 <nop,nop,timestamp 796491829 794004508>
  13:35:26.945848 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: P 34:51(17) ack 57 win 65535 <nop,nop,timestamp 796491829 794004508>
  13:35:27.064525 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: . ack 51 win 33120 <nop,nop,timestamp 794004520 796491829>
  13:35:27.105756 IP 10.0.1.2.49320 > 10.0.1.1.domain: 17943+ PTR? 249.171.12.64.in-addr.arpa. (44)
  byte 256213:35:26.687557 IP 10.0.1.2.49209 > imap-mtc14.mx.aol.com.imap: P 2401743191:2401743201(10) ack 2132261488 win 65535 <nop,nop,timestamp 796491829 580358465>
  13:35:26.687692 IP 10.0.1.2.49210 > imap-mtc4.mx.aol.com.imaps: P 2583668193:2583668228(35) ack 2860833822 win 65535 <nop,nop,timestamp 796491829 2081793890>
  13:35:26.689269 IP 10.0.1.2.49319 > 10.0.1.1.domain: 43583+ A? pop.sbcglobal.yahoo.com. (41)
  13:35:26.712849 IP 10.0.1.1.domain > 10.0.1.2.49319: 43583 3/0/0 CNAME[|domain]
  13:35:26.769554 IP imap-mtc14.mx.aol.com.imap > 10.0.1.2.49209: . ack 10 win 2412 <nop,nop,timestamp 580364456 796491829>
  13:35:26.805972 IP imap-mtc14.mx.aol.com.imap > 10.0.1.2.49209: P 1:24(23) ack 10 win 2412 <nop,nop,timestamp 580364460 796491829>
  13:35:26.806074 IP 10.0.1.2.49209 > imap-mtc14.mx.aol.com.imap: . ack 24 win 65535 <nop,nop,timestamp 796491829 580364460>
  13:35:26.869270 IP imap-mtc4.mx.aol.com.imaps > 10.0.1.2.49210: . ack 35 win 64800 <nop,nop,timestamp 2081799898 796491829>
  13:35:26.891602 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: S 3812351761:3812351761(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 796491829 0>
  13:35:26.908946 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: S 2514494269:2514494269(0) ack 3812351762 win 65535 <mss 1452,nop,wscale 1,nop,nop,timestamp 794004504 79649
  1829>
  13:35:26.909034 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 1 win 65535 <nop,nop,timestamp 796491829 794004504>
  13:35:26.925701 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: P 1:33(32) ack 1 win 33120 <nop,nop,timestamp 794004506 796491829>
  13:35:26.925784 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 33 win 65535 <nop,nop,timestamp 796491829 794004506>
  13:35:26.926295 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: P 1:34(33) ack 33 win 65535 <nop,nop,timestamp 796491829 794004506>
  13:35:26.945409 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: P 33:57(24) ack 34 win 33120 <nop,nop,timestamp 794004508 796491829>
  13:35:26.945493 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 57 win 65535 <nop,nop,timestamp 796491829 794004508>
  13:35:26.945848 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: P 34:51(17) ack 57 win 65535 <nop,nop,timestamp 796491829 794004508>
  13:35:27.064525 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: . ack 51 win 33120 <nop,nop,timestamp 794004520 796491829>
  13:35:27.105756 IP 10.0.1.2.49320 > 10.0.1.1.domain: 17943+ PTR? 249.171.12.64.in-addr.arpa. (44)
  13:35:27.194864 IP 10.0.1.1.domain > 10.0.1.2.49320: 17943 1/0/0 (79)
  13:35:27.195400 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: P 57:131(74) ack 51 win 33120 <nop,nop,timestamp 794004533 796491829>
  13:35:27.195450 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 131 win 65535 <nop,nop,timestamp 796491830 794004533>
  13:35:27.195782 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: P 51:57(6) ack 131 win 65535 <nop,nop,timestamp 796491830 794004533>
  byte 306013:35:26.687557 IP 10.0.1.2.49209 > imap-mtc14.mx.aol.com.imap: P 2401743191:2401743201(10) ack 2132261488 win 65535 <nop,nop,timestamp 796491829 580358465>
  13:35:26.687692 IP 10.0.1.2.49210 > imap-mtc4.mx.aol.com.imaps: P 2583668193:2583668228(35) ack 2860833822 win 65535 <nop,nop,timestamp 796491829 2081793890>
  13:35:26.689269 IP 10.0.1.2.49319 > 10.0.1.1.domain: 43583+ A? pop.sbcglobal.yahoo.com. (41)
  13:35:26.712849 IP 10.0.1.1.domain > 10.0.1.2.49319: 43583 3/0/0 CNAME[|domain]
  13:35:26.769554 IP imap-mtc14.mx.aol.com.imap > 10.0.1.2.49209: . ack 10 win 2412 <nop,nop,timestamp 580364456 796491829>
  13:35:26.805972 IP imap-mtc14.mx.aol.com.imap > 10.0.1.2.49209: P 1:24(23) ack 10 win 2412 <nop,nop,timestamp 580364460 796491829>
  13:35:26.806074 IP 10.0.1.2.49209 > imap-mtc14.mx.aol.com.imap: . ack 24 win 65535 <nop,nop,timestamp 796491829 580364460>
  13:35:26.869270 IP imap-mtc4.mx.aol.com.imaps > 10.0.1.2.49210: . ack 35 win 64800 <nop,nop,timestamp 2081799898 796491829>
  13:35:26.891602 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: S 3812351761:3812351761(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 796491829 0>
  13:35:26.908946 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: S 2514494269:2514494269(0) ack 3812351762 win 65535 <mss 1452,nop,wscale 1,nop,nop,timestamp 794004504 796491829>
  13:35:26.909034 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 1 win 65535 <nop,nop,timestamp 796491829 794004504>
  13:35:26.925701 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: P 1:33(32) ack 1 win 33120 <nop,nop,timestamp 794004506 796491829>
  13:35:26.925784 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 33 win 65535 <nop,nop,timestamp 796491829 794004506>
  13:35:26.926295 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: P 1:34(33) ack 33 win 65535 <nop,nop,timestamp 796491829 794004506>
  13:35:26.945409 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: P 33:57(24) ack 34 win 33120 <nop,nop,timestamp 794004508 796491829>
  13:35:26.945493 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 57 win 65535 <nop,nop,timestamp 796491829 794004508>
  13:35:26.945848 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: P 34:51(17) ack 57 win 65535 <nop,nop,timestamp 796491829 794004508>
  13:35:27.064525 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: . ack 51 win 33120 <nop,nop,timestamp 794004520 796491829>
  13:35:27.105756 IP 10.0.1.2.49320 > 10.0.1.1.domain: 17943+ PTR? 249.171.12.64.in-addr.arpa. (44)
  13:35:27.194864 IP 10.0.1.1.domain > 10.0.1.2.49320: 17943 1/0/0 (79)
  13:35:27.195400 IP pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3 > 10.0.1.2.49495: P 57:131(74) ack 51 win 33120 <nop,nop,timestamp 794004533 796491829>
  13:35:27.195450 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: . ack 131 win 65535 <nop,nop,timestamp 796491830 794004533>
  13:35:27.195782 IP 10.0.1.2.49495 > pop-sbc-v1.mail.vip.sc5.yahoo.com.pop3: P 51:57(6) ack 131 win 65535 <nop,nop,timestamp 796491830 794004533>
  13:35:27.195904 IP 10.0.1.2.49321 > 10.0.1.1.domain: 9534+ PTR? 2.1.0.10.in-addr.arpa. (39)
  byte 3153

• ISE; machine based dot1x authentication not working

  Hi there,
  I'm currently trying out dot1x authentication with MDA. The phone is currently authenticated via MAB. I succeeded to do the same with a Win7 workstation, but now I have a problem with true dot1x auth. Whenever the client tries to authenticate to the ISE it is using the notorious "host/" prefix. I read in the ACS 5.2 user guide that there is an option to crop it. I tried to find the same feature in the ISE, but it seems there is none.
  I have the authentication policy configured to use a certificate authentication profile as identity source when the method is dot1x without any additional conditions.
  In this profile I tried several options, including the common name, subject, subject alternative name. Nothing helped.
  Does anybody have a tip on how to solve this?
  Thanks in advance

  If I understood correctly I don't need to create an external identity source when using the Certificate Authentication Profile feature.
  This is what I got from the documentation:
  "Certificate authentication profiles are used in  authentication policies for certificate-based authentications in place  of identity sources to verify the authenticity of the user."
  I intend to use machine based authentication without contacting an external identity source.
  I also ensured the root CA certificate is selected to be used for EAP-TLS authentication.
  This brings me to another question.
  If the CA issuing machine or user certificates is itself an intermediate CA do I have to install a chained certificate (intermediade CA+root CA) in the ISE or both CA certificates separately?
  Thanks in advance
  Regards,
  Patrick

• Dot1x authentication - Switch 3650 / Polycom phone 430

  Hi,
  I have a switch 3650 with the IP base image IOS 12.2(25) SEE3, a polycom phone SoundPoint IP 430 SIP, A radius server IAS 2003 and a Windows XP PC.
  I enabled the windows XP pc for wired authentication ( started the service Wired AutoConfig, added the registry entries AuthMode, SupplicantMode,  choose Enable IEEE 802.1x authenticaiton with PEAP, then secured password EAP-MSCHAP-v2.
  I configured the RADIUS server for ethernet authentication and domain users. In the profile I choose Eap, mschap v2
  The port configuration of the switch is as following:
  Switch#sh run int fa0/1
  Building configuration...
  Current configuration : 590 bytes
  interface FastEthernet0/1
  switchport access vlan 121
  switchport mode access
  switchport voice vlan 155
  switchport priority extend trust
  service-policy input QoS-Policy-LAN
  speed 100
  duplex full
  spanning-tree portfast
  end
  I configured the switch as the following:
  switch(config)#dot1x system-auth-control
  Under the interface configuration mode:
  switch(config-if)#dot1x port-control auto
  switch(config-if)#dot1x pae authenticator
  switch(config-if)#dot1x host-mode multi-host
  I plugged the PC directly into the switch port, I got that additional credentials are required for the PC to connect to the network, So I put my username and password for windows and was successfully authenticated.
  Then I plugged the PC to the phone( Polycom 430) and the phone into the switch port. the network card appears as attempting to authenticate but it doesn't prompt, and I am not able to access the network, neither I am able to use the phone.( the problem that the authentication packets sent from the PC do not reach the switch, as I see in the debug dot1x (on the switch) comparison when I was connecting the PC alone and when I connected the PC&Phone, the client ID trying to authenticate is different in each case. I will put the debug for both down, when it connects and when it was unable to connect)
  I tried dot1x host-mode single-host
  I did many changes , one time with single-host and then with multi-host: ( each time , I tried to disable/enable Network card of the PC, and make a phone call in order generate traffic)
  First added dot1x mac-auth-bypass  - disconnected and reconnected -- didn't work(neither phone , nor PC)
  Second in addition to First , i added dot1x control-direction in   --- didn't work (neither phone , nor PC).
  Then I removed both these settings and I set:
  dot1x guest-vlan 155 where 155 is the voice vlan
  dot1x auth-fail vlan 155
  Nothing was working
  Then I added these 2 records, in addition to the dot1x mac-auth-bypass, nothing was working.
  In the attachment, I marked with blue font, where I saw the ClientID, After that state-machine record that shows the client ID, I saw that the debug output of the debug changed
  CDP is enabled on both the phone and the switch, and when I use show cdp , i see the phone connected to the port.
  Thanks
  Sayed

  I run a  test that I run was making the duplex to half on all switches/phone/PC,
  I brought a small switch, connected to the the cisco 3650 with the port configuration
  and I did two more tests:
  test1,     
       dot1x port-control auto
       dot1x authenticator pae
       dot1x host-mode multi-host
  the PC authenticated successfully and I was able to to access the network as well as to make phone calls.
  Test2.
       dot1x port-control auto
       dot1x authenticator pae
       dot1x host-mode single-host
  The PC was able to authenticate  and access the network but the phone was not able.
  The problem that I am thinking is that the phone wants to try to authenticate, and doesn't let the authentication of the PC to pass.
  I hope somebody can help me, regarding this problem
  Thanks

• WLC connect LDAP for Authentication, but could not connect to server

  Hi Everyone, I got a problem when I use WLC 5508 connect to LDAP for authentication, but no luck there, it's a simple config, but not easy to work on my job, I got the following messgae:
  Service Port - Not connected
  Distrubution port include:
       Management Interface - in AP Management VLAN - 30
       Student AP interface - in Student VLAN - 20
       Staff AP interface - in Staff VLAN - 10
  AD is in Staff VLAN - 10
  WLC LDAP Server setting
  Base DN:OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
  User Attribute: sAMAccountName
  User Object Type: Person
  Debug aaa all enable message
  *LDAP DB Task 1: Jul 09 01:40:58.969: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
  *LDAP DB Task 1: Jul 09 01:41:00.969: ldapInitAndBind [1] configured Method Anonymous lcapi_bind (rc = 1005 - LDAP bind failed)
  *LDAP DB Task 1: Jul 09 01:41:00.969: ldapClose [1] called lcapi_close (rc = 0 - Success)
  *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to IDLE
  *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to RETRY
  *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP_OPT_REFERRALS = -1
  WLC GUI Log:
  *LDAP DB Task 1: Jul 09 02:56:13.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
  *LDAP DB Task 1: Jul 09 02:56:11.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
  *LDAP DB Task 1: Jul 09 02:56:09.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
  LDP Message of LDAP BaseDN:
  Expanding base 'CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk'...
  Result <0>: (null)
  Matched DNs:
  Getting 1 entries:
  >> Dn: CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
  4> objectClass: top; person; organizationalPerson; user;
  1> cn: Frankie F. Yeung;
  1> sn: Yeung;
  1> givenName: Frankie;
  1> initials: F;
  1> distinguishedName: CN=Frankie F. Yeung,OU=OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
  1> instanceType: 0x4 = ( IT_WRITE );
  1> whenCreated: 8/10/2011 10:28:14 China Standard Time China Standard Time;
  1> whenChanged: 8/10/2011 10:31:26 China Standard Time China Standard Time;
  1> displayName: Frankie F. Yeung;
  1> uSNCreated: 3850555;
  1> uSNChanged: 3850571;
  1> name: Frankie F. Yeung;
  1> objectGUID: 6ebfc7e9-6989-4f11-bae7-62c23af67edc;
  1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD );
  1> badPwdCount: 0;
  1> codePage: 0;
  1> countryCode: 0;
  1> badPasswordTime: 0;
  1> lastLogoff: 0;
  1> lastLogon: 0;
  1> pwdLastSet: <ldp error <0x0>: cannot format time field;
  1> primaryGroupID: 513;
  1> objectSid: S-1-5-21-3867848445-1581729766-1247451615-2172;
  1> accountExpires: <ldp error <0x0>: cannot format time field;
  1> logonCount: 0;
  1> sAMAccountName: fckyeung;
  1> sAMAccountType: 805306368;
  1> userPrincipalName: [email protected];
  1> objectCategory: CN=Person,CN=Schema,CN=Configuration,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
  Hope I can resolve this problem ASAP, thanks!

  Your AD is in the Staff Vlan so maybe the WLC uses the Staff interface instead of management to contact the AD. I don't know how you sniffed exactly.
  The comment about eap methods you saw is when you use LDAP with dot1x security. It is the same as saying "You cannot do peap-mschapv2 or eap-fast-mschpv2 with LDAP".
  But you can do LDAP for web authentication, that has no eap methods.
  Your original problem was a binding problem from the WLC, so we can expect that the WLC really is sending traffic towards AD.

• ISE dot1x working BUT ..... client is getting "PROXY SERVER unreachable"

  Dear Experts,
  From ISE 2.x I am able to ping the proxy server but once windows user authenticated and logs in, he cannot go to the internet and gets proxy error.
  Let me know some points and vectors to look into !!!
  waiting.

  The only time ISE would perform traffic redirection is when you doing things like CWA (Central Web Authentication), Posture Assessment, etc. If you are just doing basic dot1x/mab authentication then ISE just decides who gets on the network and what type of access that person/devices gets. 
  With that being said, what happens if you remove dot1x authentication from the port? Can the client reach ISE then? (you can quickly remove dot1x by issuing no authentication port-control auto)
  Other things to try:
  1. Remove the dACL
  2. In the authorization rule, return the default "permit access"
  3. Remove the ACL on the FW
  4. Anything else that might be affecting the connection
  With the process of elimination you should be able to find the root cause of the issue
  Thank you for rating helpful posts! 

• I purchased a 3TB Airport Time Capsule After 8 hours been able to configure the box using Ethernet connection but now I want to move my current backups and it wants authentication but no box is available to provide my administrator name can anyone help ?

  I purchased a 3TB Airport Time Capsule to use with my Mac running latest Maverics. After 8 hours been able to configure the box using Ethernet connection but now I want to move my current backups from my small driveand it wants authentication but no box is available to provide my administrator name can anyone help ?

  I overcame the permissions by allowing both paths to have read and write access to anyone but that didnt solve it until I copied it into the DATA directory which I created on the Airport Time Capsule.
  I had already discovered the TIME MACHINE How to transfer backups but I am struggling still with the item and cannot currently get it to work. My setup seems to have created a wireless link to my router which is what I wanted and in that set up there are three options. I have simply gone for the extension of my network. I ignored the other option there which I cannot remember something like DNS? That may be the problem becasuse when I remove the Ethernet connector it just doesnt go anywhere.
  I have also found I cannot update my TIME MACHINE software (currently 1.3) as although Apple tell me I should be able to set backups hourly daily or weekly I have only ever been able to run it hourly when i would prefer longer intervals so thought an update might be necssary.
  Also tried to get an update for my Airport Utility (Currently 6.3.2 but cannot find one even though I have read there might be one available and again this might be the problem.
  Have reset the Time Capsule now about a dozen times.
  Following the instructions and trying to copy my existing backup it suggests you need to copy it to the root directory but that is when I get some sort of security issue and I found I could only get it to accept if I dragged my .backupdb to the DATA directory on the Time Capsule. I dont even know if I do this it will work when I come to use it.
  I therefore found your reply of no more help than i had discovered but I hope you return to read this note because I really do need some help.
  I am intending starting again in the next couple of days and fully documenting what I do and what I see and then as I suspect it will be no different and I will then seek an appointment at the Apple Store in Trafford Centre and if that proves unsuccessful then I still have time to return and become a dissatisfied customer with Apple for the first time in a long experience with Apple. I have noticed frightening notes on the conversations which point to problems of Mavericks working with Airport Time Machine!! So in the end it might not be me doing anything wrong. Unfortunately you do feel left out in the dark sometimes that is why I hope you can respond with a solution?

• Static [Public] IP vs. DHCP Assigned IP [Router IP Allocation] on Server 2012 R2 Setup

  I am deploying a new server specifically for creating and managing VM's with Hyper-V. My testing environment includes a Dell T620 server with 3 each 1 Tb drives configured for Raid 5. My server has 2 Nics. I am installing Server 2012 R2 along with AD
  & Hyper-V Roles. I have a block of public IP's from my provider. My first question is related to how I configure a Nic to use a public IP. One option is to use DHCP to have an internal IP assigned and then once the IP is assigned, I log into my router
  and configure IP Address Allocation to assign the public IP network details to the DHCP assigned IP. I have used this method on a T610 testing server that uses the VMware ESXi Hypervisor with success. Option 2 is to actually input the public IP network details.
  I also have to ask the same question as to which method is better when it comes to the Switch. If any of the experienced engineers want to throw in additional advice or tips, that would be appreciated. My initial deployment has gone well but I feel like I
  can make it easier and more secure. Thanks in advance for the support.
  Gregory Woodruff
  St. Louis, Missouri
  LuckyWoody.com

  1. For servers static IP addresses are used.
  2. It is a good habit to use one nic for communication and one for management.
  3. DC should be single home server (otherwise you may have problems)
  4. Use split brain configuration for DNS if you really need it. Otherwise private subnet is used.
  5. Use firewall to prevent bad guys to enter your infrastructure.
  6. Use DHCP server for client computers only.
  7. DHCP on router is not used for AD clients, because these clients needs information on resouce records (to find DC).
  HTH
  Milos

• DHCP Assigned IPs

  My old D-Link router had a table where I could tell the DHCP server to assign specific IPs based on the MAC address of the device. I can't find a place in the WRT54G to do this. Do I have to go to each device and assign a fixed IP at the device? I like to keep the DHCP server active for setting up new devices and visitors. By using DHCP in my devices I don't have to reconfigure when I travel. With the old D-Link this worked find. It appears this could be a problem with the WRT54G. Am I missing something? Thanks, Bob

  You are correct.   The WRT54G does not support the "DHCP reservation" feature.   However, several of the newer Linksys wireless n routers support this feature.
  With the WRT54G, you can manually assign your computers a fixed LAN IP address.  You can also have a fixed address on some computers, while others take their address from the WRT54G's DHCP server.  Generally, unless you have a specific need for a fixed LAN IP address (for example, some online games require this for port forwarding to work properly), you should use a DHCP assigned address.
  Linksys has some specific rules about assigning fixed LAN IP addresses.  They are different from the D-Link.
  Rules for using fixed LAN IP addresses on Linksys routers:
  With Linksys routers, a fixed (static) LAN IP addresses must be assigned in the device that is using the address. So you need to enter the fixed address in the computer or printer, not in the router.
  When using a Linksys router, any fixed LAN IP address must be outside the DHCP server range (typically 192.168.1.100 thru 192.168.1.149), and it cannot end in 0, 1, or 255.
  Therefore any fixed LAN IP address would normally need to be in the range of
  192.168.1.2 thru 192.168.1.99 or
  192.168.1.150 thru 192.168.1.254
  assuming you are still using the default DHCP server range.
  Also, in the computer, when you set up a static LAN IP address, you would need to set the "Subnet mask" to 255.255.255.0 and the "Default Gateway" to 192.168.1.1 and "DNS server" to 192.168.1.1
  It is also important that no two devices on your network be set to the same static LAN IP address.

• Wireless user authentication detail at syslog server

  Hi Dear.  I configurated wireless network. i want to see my wireless user authentication detail(ip address, username and if it is possibly mac-address) at my syslog server. i do some configuration, the wireless controller send something to my syslog server but i need exctahly the user authentication detail.
  how i do that? please help me. thank you veru much.

  Hi dears. please help me