Configs ISE Cisco switch

Similar Questions

• The ISE Cisco switch configuration

  Hi experts,

  I got the following network:

  Devices-> switch access-->--> access switch central office switch-> ISE Server

  All switches are capable IOS for the 802. 1 X and configurations of AAA for ISE to manage network devices. However, I read in the guide on the configuration of the switches in preparation for the deployment of the ISE of CIsco, but I wonder what should I configure switches for access and basic switches or only configure the switches for access to EHT?

  Thanks for your time to read!

  If all clients are non-DHCP clients, then no configuration is based or distribution at all.

  But you may need to search different options of profiling, if the customers are not active DHCP. Access switch supports the function of detection IOS? Would be very useful to have such a that it would send important profiling information at ISE. You may need to use the right options for ISE of profiling to determine the details of the endpoint.

  Concerning

  Vivek

• Why I can't command show running on cisco switch

  On a single switch, I found that some commands because they show execution or copy running-config tftp: on cisco switch WS-C2960X-24TS-L does not work it see more below. How I can use the command then show generally. Thank you.

  Building1_FAA_6F_SW3 #sh run
  Building configuration...

  Current configuration: 100 bytes
  !
  ! No change since the last restart configuration
  !
  boot-start-marker
  boot-end-marker
  !
  !
  !
  !
  !
  !
  end

  ---------------------------------------------------

  Building1_FAA_6F_SW3 #copy running-config tftp:
  ^
  Invalid entry % detected at ' ^' marker.

  OK, so the information you provided in your latest messages confirm that the privilege level you get via telnet/vty is different from the one you get via the console. This is due to the configuration of AAA which applies to the vty ports but not on the console port.

  So if you want the same rules apply to the console port, then you must configure the port console for AAA as well.

  If you don't want these rules then you need to remove the AAA configurations. The best way to remove these is by typing 'no new aaa - model' However, careful not to lock you out of the unit. Make sure you have local accounts with the privilege level 15 and you also know the active password/secret.

  I hope this helps!

  Thank you for evaluating useful messages!

• Problems with config Small Business switch

  Hi, I know that if I read the documentation I will come for answers, but I'd really like some input from someone with more knowledge than me. I have a problem with Cisco SF300, one of the Small Business switches. I have a single interface on my router and I need to separate my internal networks, I thought that one way would be to use VLANs. On my two internal networks a network has D-Link unmanaged switches, the other has the Cisco SF300 I did as follows.

  On the Cisco Switch, all of the default ports for ports of junction. I changed FE1-FE24 and GE1-2 to access ports.

  Created two VLAN and placed FE1-FE24 in VLAN10 (also my management VLAN), GE3 is a trunk Port for unidentified VLAN20, VLAN 20 uplinks to my DiLink switches. This way my unmanaged switches traffic arrives on a trunk on VLAN20 untagged port.

  GE4 is a trunk port and I assigned to VLAN1 untagged, tag VLAN10 VLAN20 tag and. 10 of VLANS and VLAN 20 then to my router.

  The plan was to connect GE4 to my router, but I had two things happen that I can't explain.

  All first as soon as I connected my D-Link to GE3 LAN on VLAN20 came down, I couldn't ping servers from computers etc, all devices are connected to the D-links unmanaged. Secondly, the responsibilities of VLAN changed on GE3 GE4, VLAN 10 and 20 disappeared and only the VLAN by default was assigned, also under settings VLAN my state of interface VLAN for VLAN20 shows people with reduced mobility. One of my FE12 continues also to change VLAN access ports.

  Can anyone offer any suggestions as to what might have crushed the LAN and why change my VLAN. I wrote my config running at startup configuration incidentally.

  I added two screenshots.

  Seriously, I'd appreciate the help.

  Thank you

  Bob

  Hi Bob,

  Could you please post a topology? I can help with this, but it would be much easier that I could see your network.

  Thanks in advance,

  Garrett

• Configuration Wireless 3G as online backup with cisco switch layer 3?

  Hi all

  We have an existing GPRS modems for data transfer between 2 different sites, this connection is a bit slow to no more than approximately 114 Kbps, the idea is to add a 3G modem, so the solution will be based on a two-way communication lines which are 3G network and the GPRS network.

  The line GPRS will be the main and 3G will be secondary, this redundancy offers a high level of availability of communication between the two sites.

  is it possible to configure this redundancy with a cisco switch layer 3? If this is the case do you have a tutorial or a link which explain how to do this work with a layer switch 3 ciso?

  all information will be useful for me, thanks

  Hello

  The config is one provided by anisaini, but you need to change your NAT like this:

  IP nat inside source MAIN interface map route x/x main interface

  IP nat inside source route-map interface o/o interface secondary SCHOOL

  Interior int z/z interface

  IP nat inside

  int x/x

  NAT outside IP

  int y/y

  NAT outside IP

  access-list 99

  permit x.x.x.x y.y.y.y where x.x.x.x is your home subnet addresses and y.y.y.y is the corresponding generic mask

  PRIMARY route map

  match ip add 99

  match interface x/x

  SECONDARY route map

  match ip add 99

  game interface y/y

  Concerning

  Alain

  Remember messages useful rate.

• MacBook as Cisco Switch profiles in 2.1

  I'm experimenting with trying to Mac to the profile to the ISE. 2.1. I tried installing AnyConnect, and for some reason he sees it as a Nexus 7000 switch.

  Here's the debug info

  Attribute: AAA-server value: ise-2
  Attribute: Airespace-Wlan-Id value: 5
  Attribute: AllowedProtocolMatchedRule value: EAP_Chaining_Wireless
  Attribute: AuthenticationMethod value: MSCHAPV2
  Attribute: AuthorizationPolicyMatchedRule value: default
  Attribute: BYODRegistration value: unknown
  Attribute: CacheUpdateTime value: 1465417705907
  Attribute: Called-Station-ID value:20-3a-07-66-96-20
  Attribute: Calling-Station-ID value:a4-5e-60-cf-81-83
  Attribute: CreateTime value: 1464896196500
  Attribute: DestinationIPAddress value: 10.10.207.156
  Attribute: Value DestinationPort: 1812
  Attribute value: DetailedInfo: authentication succeed
  Attribute value: IP address: 10.10.204.114
  Value of the attribute identifier: Device:
  Attribute value: device Port: 32772
  Attribute: Value Type Device: Device Type #All Types of devices
  Attribute: DeviceCompliance value: unknown
  Attribute: DeviceRegistrationStatus value: NotRegistered
  Attribute: value:A4-5E-60-CF-81-83 EndPointMACAddress
  Attribute: EndPointPolicy value: Cisco-switch
  Attribute value: EndPointPolicyID: 4afc4ae0-6d8e-11e5-978e-005056bf2f0a
  Attribute: EndPointProfilerServer value: ise-2
  Attribute: EndPointSource value: RADIUS probe
  Attribute: FailureReason value: 5440 abandoned Endpoint EAP session and began again
  Attribute: FirstCollection value: 1464896196418
  Attribute: value Framed-IP-Address:
  Attribute: value Framed-IPv6-Address:
  Attribute: IdentityAccessRestricted value: false
  Attribute value: IdentityGroup: profile
  Attribute value: IdentityGroupID: b132c920-6d8d-11e5-978e-005056bf2f0a
  Attribute: IsThirdPartyDeviceFlow value: false
  Attribute: LastActivity value: 1465417705904
  Attribute: LastNmapScanTime value: 1465245395228
  Attribute: value: a place #All locations
  Attribute: LogicalProfile value: infrastructure network devices
  Attribute: MACAddress value: A4:5E:60:CF:81:83
  Attribute value: MDMServerID:
  Attribute: MatchedPolicy value: Cisco-switch
  Attribute value: MatchedPolicyID: 4afc4ae0-6d8e-11e5-978e-005056bf2f0a
  Attribute: Value MessageCode: 5440
  Attribute: NAS-IP-address value: 10.10.204.114
  Attribute: NAS-identifier value: WLC-3
  Attribute: NAS-Port value: 1
  Attribute: NAS-Port-Type value: Wireless - IEEE 802.11
  Attribute value: Network Device Profile: Cisco
  Attribute: NetworkDeviceGroups value: location #All locations, Types of devices Device Type #All
  Attribute: NetworkDeviceName value: WLC-3
  Attribute value: NetworkDeviceProfileId: 8ade1f15-aef1-4a9a-8158-d02e835179db
  Attribute: NetworkDeviceProfileName value: Cisco
  Attribute: NmapScanCount value: 1
  Attribute: NmapSubnetScanID value: 0
  Attribute: YES value: Apple, Inc.
  Attribute value: PhoneID:
  Attribute: PolicyVersion value: 32
  Attribute value: PortalUser:
  Attribute: PostureApplicable value: Yes
  Attribute: PostureAssessmentStatus value: NotApplicable
  Attribute value: PostureExpiry:
  Attribute: PostureStatus value: unknown
  Attribute: RadiusFlowType value: Wireless802_1x
  Attribute: RadiusPacketType value: AccessRequest
  Attribute: RegistrationTimeStamp value: 0
  Attribute value: response: {RadiusPacketType = drop ;}
  Attribute: SSID value:20-3a-07-66-96-20
  Attribute: SelectedAccessService value: lack of access to the network
  Attribute value: SelectedAuthenticationIdentityStores: the internal users, ise-2, All_AD_Join_Points
  Attribute: SelectedAuthorizationProfiles value: DenyAccess
  Attribute: Service-Type value: box
  Attribute: StaticAssignment value: false
  Attribute: StaticGroupAssignment value: false
  Attribute: StepData value: 4 = standardized Radius.RadiusFlowType, 5 = EAP_Chaining_Wireless
  Attribute value: TLSCipher: ECDHE-RSA-AES256-SHA
  Attribute: TLSVersion value: TLSv1
  Attribute: TimeToProfile value: 44
  Factor of certainty attribute value: Total: 30
  Attribute value: UniqueSubjectID:
  Attribute: UpdateTime value: 1465245396597
  Attribute: allowEasyWiredSession value: false
  Attribute: Host-name value:
  Value of the attribute: ip:
  Attribute: value operating system switch: Cisco Nexus 7000 (NX - OS 4.2.6) (99% accuracy)
  Attribute: result of operating-system value: Cisco Nexus 7000 switch (NX - OS 4.2.6) (99% accuracy)
  Attribute: SkipProfiling value: false

  Yes you must add the ISE server in your help-dhcp (dhcp relay) in order to obtain information about the DHCP request to profile correctly the devices.

  Even after setting correctly ISE in your DHCP relay, you aren't able to profile?

• 10G Cisco switch

  I would like to know if the compatibility for the storage matrix Dell is updated regularly, especially for cisco switches.
  We seek to deploy a few PS6210 with 10G connectiivity and here for use with switches Cisco 4500 X series. However these are not included in the doc. There are a few cisco switches that are the end of life (4948 and some nexus switches).

  Hello

  Yes the guide is updated regularly, usually monthly or updates are available.

  Since the x 4500 is not a Nexus series switch, you looking for correct DCB support?

  In this case these Dell 'Level 3' offers better support for resonable effort.   I'll make sure that use you the latest firmware IOS and EQL.  There are other switches catalyst IOS in the guide.  Configure it in this sense would be a great place to start.   Ideally, the switch dedicated for iSCSI use, not VLANd with other types of traffic.

  If you can first test before production, then support can see table diagnosis and SANHQ archive for any signs of network related issues.   (retransmit rate and types for example)

  Kind regards

• To the main unit Infrastructure Cisco switch port

  Hello.

  I had a doubt as to the Port of the Switch in my Cisco Switch for a camera of the first Infrastructure.

  This port must be a Switchport to access or a Switchport Trunk?

  What is your recommendation on this subject? What is best practice?

  Thank you very much.

  Access port should work fine. You do not configure a VLAN on the device itself, just the IP address / subnet and default gateway.

  Thank you

  Ric

• Circuits on Cisco Switch SG200-50

  Hi all

  I'm trying to inter vlan routing using Cisco Switch SG200-50 with router Cisco 1941. The router I created three subinterface for VLAN1, 2, 3 and VLAN1 is vlan native. I have a LWAP with Cisco WLC connected to the same switch. I have activated assignemnet vlan dynamic using Windows /NPS. RADIUS Wireless successfully user can authenticate as well the vlan is assigned, but unable to ping the router subinterface.

  On the switch, you must activate the trunk port connected to the router ports and AP, tried all means, what makes the trunk port and General, nothing worked. users are unable to ping the gateway.

  If you have worked on this switch, pls help how to on this subject.

  If the Cisco technical support team can help me, that would be great

  Thanks in advance

  Concerning

  Joe

  Hi Joseph, creating a general port and disable the input filter and label properly login vlan. Also make sure your sub interface are dot1q.

  -Tom
  Please mark replied messages useful

• C300 Cisco switches when Cisco is considering additional CDP?

  Dear all,

  When Cisco plans to support CDP on C300 switches?

  I have it configured with LLDP based on the document "Adding a Cisco Switch series of 300 Business from small to SBCS 2.0", but this isn't the perfect according to me

  Kind regards

  Vellum Tsekov

  Vellum,

  We are very close. We anticipate releasing the firmware supporting CDP, CLI and several other new features this month - June 2011.

  Ivor

• Web authentication with RSA SecureID on a Cisco Switch

  Hello

  I recently searched by linking in our Cisco Switch of GB 2960 S with RSA SecureID via Radius

  I already managed to tie in to ssh access

  but I failed to make it work for http / web access to the switch

  I think it's because we use 'single use' maximum security with RSA SecureID tokens

  the web interface tries to authenticate several times against the Radius server RSA SecureID part

  (agreement on the first authentication, but every time after that he's going to want a different code in token)

  I was wondering if anyone knew a way around this? (if there is a way to get the right switch authenticate once instead of multiple times the radius server)

  FYI, the switch is a WS-C2960S-24TS-L with IOS 15.0 (1) SE2

  Hello Chris,

  You can test the following configuration?

  AAA webtac_grp radius server group

  Server

  expiration of cache 1

  authorization cache profile httpauth

  hiding authentication profile httpauth

  !

  AAA authentication login httpauth cache webtac_grp group webtac_grp

  AAA authorization exec httpauth cache webtac_grp group webtac_grp

  AAA authorization network httpauth cache webtac_grp group webtac_grp

  AAA cache profile httpauth

  all the

  IP http server

  IP http authentication aaa - authentication of the connection httpauth

  IP http authentication aaa exec-authorization httpauth

  RADIUS server host key *.

  I know for sure the above configuration works when you use GANYMEDE + instead of RADIUS in order to avoid multiple guests due to the authentication of JAVA Applets to access the GUI of the IOS. I him have not tested against RSA acting as an authentication server.

  NOTE: As "aaa authorization exec" is configured the RSA should send Service-Type attribute with administrative value for it to work as expected.

  If this was helpful please note.

  Kind regards.

• Turn on the mtu on cisco switch and cisco user server

  Hi all

  someone got bad luck turning on the mtu on their cisco switch?  I guess I need to turn it on for all because the command is for all ports on cisco catalyst and my server switch is nearby to my user of switches and a broadband bandwidth 6 G or 6 ports, I need to turn it on for all user ports?

  Thanks for any comments, that you can add.

  I assume you mean Jumbo frame support! You shouldn't have any problems with that. Please take a look at for example http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml for more details and the configuration of the different switches. According to the model, the parameters are for dedicated ports only or the entire switch. In the case of the switch everything you will need to reload (reboot) switch, so be careful.

  André

• ESXi - Trunking for Cisco switch

  Hi, I'm having a little trouble to create a trunk to a crowd of v4.1 ESXi.

  My config on the switch

  interface GigabitEthernet3/29
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 100 300
  switchport mode trunk
  switchport nonegotiate
  spanning tree portfast trunk

  ESXi side VLAN ID has been set to all (4095) - side switch and host configurations is passed to the host of vCentre.

  Defining the interface of switching on an access on VLAN100 port, the host will stand fine. Problem is that I need another network to be consulted (VLAN300)

  interface GigabitEthernet3/29
  switchport access vlan 100
  switchport mode access
  spanning tree portfast
  end

  I am able to allow a second card on the host computer and the whole upward like a trunk as above, seems to work fine, even if I don't have a virtual machine upwards on it yet to test

  *

  My query is, how can we allow multiple VLANs to an ESXi host on a single card? What I'm missing here...

  Thanks in adavance.

  Brendan

  For me, looks like the vmkernel interface used for the management network is not be marked, as the host responds when you define the physical switch as an access port port in the VLAN 100. So either mark the vmkernel with VLAN ID 100 port or VLAN 100 native VLAN on the switchport physical... (switchport trunk vlan 100 native)

  / Rubeck

• ISE web auth for other than cisco switch (D-link 3528)

  Is it possible to use ISE (posture inline node) to redirect to portal comments ISE wired users?

  And wired users will get full network access after they pass the web auth.

  Hello

  Theoretically, it could work if the switch is able to send all the attributes in accounting packets, such as IP address and mac address by asking the station id. If the attributes are missing or incorrect, the iPEP ISE will never create the session (see show pep session table).

  That said, who probably never have been tested, so you may want to reconsider your design, there is no guarantee that this can still work.

• Cisco ISE & 250 series Cisco switches

  I would just ask SG250 Cisco are supported in the title of the ISE of Cisco?

  Concerning

  These devices are not on the compatibility list. But as they support 802. 1 X AAA base should work. But I doubt that you can implement one of the workflow more advanced as the posture and so on.