Critical authentication VLAN
Hello
I have a problem with the critical authentication VLAN. The connection to the RADIUS server works. If I cut the connection to the server, the Cisco Catalyst moves all new hosts into the critical VLAN.
When the RADIUS server is available again, the hosts remain in the critical VLAN for 20 minutes. Why is that?
And another problem: despite "dot1x critical eapol", the switch sends the supplicant no EAP-Success. The connection manager reports the connection as failed, although it works.
What can this be?
Here are some of the commands:
(global)
authentication critical recovery delay 2000
dot1x critical eapol
radius-server dead-criteria time 10 tries 3
interface FastEthernet0/1
 switchport mode access
 authentication event server dead action authorize vlan 3000
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period
Thanks for the help.
Marco
As far as I know, the default behaviour of the Windows supplicant is not to answer any access request from the switch for 20 minutes after getting an explicit access rejection. See KB957931 on the MS site, support.microsoft.com/kb/957931. Maybe this also applies when a supplicant request timed out due to a non-responsive RADIUS server, but I'm not sure.
Similar Questions
-
NAC: How to reduce the login time of Windows client computers in the authentication VLAN
Hi all
I'm trying to reduce the login time that client machines take when they are in the authentication VLAN. The login time increases from 5 minutes to 7 minutes when the machines are managed by the NAC.
We need the NAC Agent to perform AD SSO and a posture assessment before login scripts or other processes run. It is essential for us to delay the other processes from running until after NAC has placed the client machines in the access VLAN, because these processes would hang and fail while they are in the authentication VLAN. One of the processes that hung and failed is the mapping of network drives when the login scripts are executed.
We ran a test script and discovered that the NAC Agent will not run until it sits in the taskbar of the window, which requires the iExplorer process to run. However, the iExplorer process also triggers the execution of many other processes that should not be executed (because they will hang and fail) until after NAC moves these client machines into the access VLAN.
I need to know if it is possible to run the NAC Agent without it inserting itself into the system tray. If possible, how is it done?
Any help is appreciated.
Thank you
David,
Currently this is not possible. The NAC Agent runs as a program and must operate under user credentials to be able to identify the user properly, which is the whole point of NAC. In later versions there is a service component of the agent, but the SSO feature still depends on the Agent being loaded correctly. Your option is to run a delayed script (detailed here: http://tinyurl.com/25d2aua ) and once this passes, then call your other scripts that do the mapping.
Also, if you experience excessive delays in the initial SSO process, ensure that you open all the ports that must be open, including IP FRAGMENTS and ICMP, to all your domain controllers in the unauthenticated role.
HTH,
Faisal
-
NAC - STUCK IN THE AUTHENTICATION VLAN IF THE PC IS CONNECTED TO A CISCO IP PHONE
Hello
I have configured my NAC in L3 OOB. If I connect my PC directly to the switch I have no problem: I can access the network as an out-of-band user and I pass authentication. BUT IF I CONNECT a Cisco IP phone to the switch and my PC is connected to the Cisco IP phone, I'm stuck in the authentication VLAN and cannot access the network. The event logs of my CAM say that it detects several MAC addresses.
Please guys help me with this problem...
Thank you and best regards.
Hello
Have you added your phone's MAC address to the filter in your CAM so that it IGNORES it?
Faisal
-
Authentication open for debugging AAA on PowerConnect
Hello
We are setting up the switches to use RADIUS. In order to check whether all clients authenticate as we think they do, it would be nice to issue a command like the one Cisco switches have, "authentication open". This lets 802.1X do its work, but lets the client through anyway. That way you can see whether 802.1X has failed or succeeded without bothering the end users.
Is there a similar function on Dell PowerConnect?
Regards
Kjetil
I looked through several different options to see if the switch can be manipulated to perform the same action as authentication open, but I couldn't find a way. I thought that the computer-vlan command would work, but with that the VLAN must be different from the authenticated VLAN.
Page 508 of the user's guide has a detailed example that you can follow.
Expand each step you need to take to implement it. Then implement and test during off hours. Be sure to have a backup of the current configuration.
-
Cisco NAC appliance - after a successful login, users are not moved to the proper VLAN
Hello
I am new to Cisco NAC appliances and I have to troubleshoot an implementation. It is a Real-IP OOB gateway configuration. Users can log in via the CCA, but after this successful login they remain in the unauthenticated role, as well as in that VLAN. I checked SNMP and it seems to work very well. I also checked the logs in nac_manager.log and there is nothing surprising; in fact I see nothing about this user or IP address that logs in.
Also, the user does not appear in the online users list on the CAM.
Can someone help me figure out how I can fix this? Version 4.8; I'll post any information requested.
Thank you
We recently had this problem with Windows AD SSO and Windows 7 clients.
The XP clients would authenticate fine; however, Windows 7 clients would not authenticate and would just remain in the authenticated VLAN.
Our issue was with the CAS SSO account we set up in AD. It only supported DES encryption, WHICH Windows 7 64-bit does not have. We turned off "Use DES encryption" on the AD SSO account and re-tested.
What are the settings of the port profile that is applied to the switchport?
What are the VLAN mapping settings of the untrusted and trusted trunk ports?
-
Hello
We run 3x WLC controllers with 800 APs using ISE 1.2 for wireless 802.1X authentication. I was looking in the ISE config and noticed that of 400 edge switches only two 2960S are configured with 802.1X (ISE RADIUS config) and SNMP, and only 2 of their ports are tied to 2 APs; the remaining switch ports, and the 3x WLC, are in network devices.
I do not understand how an access point is going to do this work (802.1X), because it is located on a different site and people are connecting from various different locations. ISE runs almost 11,876 profiled endpoints.
version 12.2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ fokm$ lesIWAaceFFs.SpNdJi7t.
!
username test-RADIUS password 7 07233544471A1C5445415F
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa server radius dynamic-author
 client 10.178.5.152 server-key 7 151E1F040D392E
 client 10.178.5.153 server-key 7 060A1B29455D0C
!
aaa session-id common
switch 1 provision ws-c2960s-48 i/s-l
authentication critical recovery delay 1000
!
ip dhcp snooping vlan 29,320,401
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip device tracking
!
epm logging
!
crypto pki trustpoint TP-self-signed-364377856
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-364377856
 revocation-check none
 rsakeypair TP-self-signed-364377856
!
crypto pki certificate chain TP-self-signed-364377856
 certificate self-signed 01
  quit
dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 294-312,314-319,321-335,337-345,400,480,484-493,499,950
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery cause psp
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/10
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-LEAVE in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/16
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-LEAVE in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-LEAVE in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/33
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-LEAVE in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/34
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-LEAVE in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/44
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-LEAVE in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/46
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-LEAVE in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-LEAVE in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/49
 description link GH
 switchport trunk allowed vlan 1,2,320,350,351,401
 switchport mode trunk
 mls qos trust dscp
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/52
 description link CORE1
 switchport trunk allowed vlan 1,2,29,277,278,314,320,401
 switchport mode trunk
 mls qos trust dscp
 ip dhcp snooping trust
!
interface Vlan320
 ip address 10.178.61.5 255.255.255.128
 no ip route-cache cef
 no ip route-cache
!
ip default-gateway 10.178.61.1
ip http server
ip http secure-server
no ip http secure-active-session-modules
no ip http active-session-modules
!
ip access-list extended ACL-AGENT-REDIRECT
 deny udp any any eq domain
 deny udp any any eq bootps
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended ACL-ALLOW
 permit ip any any
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit tcp any host 10.178.5.152 eq 8443
 permit tcp any host 10.178.5.152 eq 8905
 permit udp any host 10.178.5.152 eq 8905
 permit tcp any host 10.178.5.152 eq 8906
 permit udp any host 10.178.5.152 eq 8906
 permit tcp any host 10.178.5.152 eq 8909
 permit udp any host 10.178.5.152 eq 8909
 permit tcp any host 10.178.5.153 eq 8443
 permit tcp any host 10.178.5.153 eq 8905
 permit udp any host 10.178.5.153 eq 8905
 permit tcp any host 10.178.5.153 eq 8906
 permit udp any host 10.178.5.153 eq 8906
 permit tcp any host 10.178.5.153 eq 8909
 permit udp any host 10.178.5.153 eq 8909
 deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny ip any host 10.178.5.152
 deny ip any host 10.178.5.153
 permit tcp any any eq www
 permit tcp any any eq 443
ip radius source-interface Vlan320
logging esm config
logging trap alerts
logging origin-id ip
logging source-interface Vlan320
logging 192.168.6.31
logging host 10.178.5.150 transport udp port 20514
logging host 10.178.5.151 transport udp port 20514
access-list 10 permit 10.178.5.117
access-list 10 permit 10.178.61.100
snmp-server engineID local 800000090300000A8AF5F181
snmp-server community W143L355 RO
snmp-server community w143l355 RW
snmp-server community lthpublic RO
snmp-server community lthise RO
snmp-server trap-source Vlan320
snmp-server source-interface informs Vlan320
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps cluster
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 10.178.5.152 version 2c lthise mac-notification
snmp-server host 10.178.5.153 version 2c lthise mac-notification
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.178.5.152 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 03084F030F1C24
radius-server host 10.178.5.153 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 141B060305172F
radius-server vsa send accounting
radius-server vsa send authentication
Any help would be really appreciated.
I'm not sure I completely understand the question; but if ISE is only doing wireless policy, then none of the wired switches need any ISE configuration.
Access points tunnel all wireless traffic to the WLC over CAPWAP (unless you use FlexConnect). It is the 802.1X configuration on the WLC that implements the policies defined in ISE.
Wired switches never need to act as a network access device (NAD) and so do not need to be defined in ISE unless or until you want to apply ISE policies to wired devices...
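For the critical-authentication timers in the first thread and the per-port "authentication event" lines in the 2960S config above, here is an added Python checker (not Cisco's code and not any poster's). It parses a running-config excerpt, constructed here from the commands posted in the two threads, and reports how each 802.1X port behaves while the RADIUS server is dead and after it recovers; the regexes and the verdict wording are my own assumptions about what is worth flagging.

```python
"""Audit 802.1X critical-authentication handling in a Cisco IOS running-config."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed from the commands posted in the two threads above (not a real device).
SAMPLE_CONFIG = """\
authentication critical recovery delay 2000
dot1x critical eapol
radius-server dead-criteria time 10 tries 3
!
interface FastEthernet0/1
 switchport mode access
 authentication event server dead action authorize vlan 3000
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/10
 switchport access vlan 320
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication open
 authentication port-control auto
!
interface GigabitEthernet1/0/49
 switchport mode trunk
!
"""

@dataclass
class Port:
    name: str
    dot1x: bool = False                  # authentication port-control auto
    dead_authorize: bool = False         # authentication event server dead action authorize
    critical_vlan: Optional[int] = None  # explicit critical VLAN; None = port's access VLAN
    alive_reinit: bool = False           # authentication event server alive action reinitialize
    open_mode: bool = False              # authentication open (monitor mode)

@dataclass
class Config:
    dead_time_s: Optional[int] = None        # radius-server dead-criteria time
    dead_tries: Optional[int] = None         # radius-server dead-criteria tries
    recovery_delay_ms: Optional[int] = None  # authentication critical recovery delay
    critical_eapol: bool = False             # dot1x critical eapol
    ports: List[Port] = field(default_factory=list)

def parse_config(text: str) -> Config:
    """Plain line matching over 'show running-config' output; a bare '!' ends a stanza."""
    cfg, port = Config(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            port = Port(name=line.split(None, 1)[1])
            cfg.ports.append(port)
        elif line == "!":
            port = None
        elif port is None:  # global commands
            m = re.fullmatch(r"radius-server dead-criteria time (\d+) tries (\d+)", line)
            if m:
                cfg.dead_time_s, cfg.dead_tries = int(m.group(1)), int(m.group(2))
            m = re.fullmatch(r"authentication critical recovery delay (\d+)", line)
            if m:
                cfg.recovery_delay_ms = int(m.group(1))
            if line == "dot1x critical eapol":
                cfg.critical_eapol = True
        else:  # interface commands
            if line == "authentication port-control auto":
                port.dot1x = True
            elif line == "authentication open":
                port.open_mode = True
            elif line.startswith("authentication event server dead action authorize"):
                port.dead_authorize = True
                m = re.search(r"vlan (\d+)$", line)
                port.critical_vlan = int(m.group(1)) if m else None
            elif line == "authentication event server alive action reinitialize":
                port.alive_reinit = True
    return cfg

def assess(cfg: Config) -> Dict[str, str]:
    """One-line verdict per 802.1X port on what happens when RADIUS dies and returns."""
    verdicts = {}
    for p in cfg.ports:
        if not p.dot1x:
            continue  # trunks and static ports never enter critical authentication
        if not p.dead_authorize:
            verdicts[p.name] = "no critical auth: new hosts get no access while RADIUS is dead"
            continue
        where = f"VLAN {p.critical_vlan}" if p.critical_vlan else "the port's access VLAN"
        if p.alive_reinit:
            v = f"critical hosts in {where} reinitialize {cfg.recovery_delay_ms or 0} ms after RADIUS is back"
        else:
            v = f"critical hosts in {where} stay there until their next reauthentication even after RADIUS is back"
        if p.open_mode:
            v += "; monitor mode: hosts that fail authentication still get access"
        verdicts[p.name] = v
    return verdicts
```

Run `assess(parse_config(open("running-config.txt").read()))` on a saved `show running-config` to get the same per-port verdicts for a real switch.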
-
Problem with NAC and a 5508 WLC OOB
I have a WLC 5508 trunked to a 6500 switch. Also trunked to the switch on eth0 and eth1 is the CAS. The CAM is connected to an access port.
The CAS and CAM are on separate VLANs and the CAS has been added to the CAM without problem.
I followed the example document for OOB WLAN (VLANs and mapping etc.), but I don't get any login at all. The client associates and the WLAN interface is the quarantine VLAN, but it seems that the client can reach the network without problem (it can web-access an in-house server on campus).
The client is shown under wireless clients on the CAM's device page.
If I shut either CAS interface, client connectivity is broken.
Once, randomly, the actual login page appeared on the client (the battery died and it waited for about an hour) but when I rebooted the CAS to check, it never came back.
I have not set up the SSO part; must it be completed, or is it a valid test without it so far?
Any idea where to start with this problem?
Thank you
Yes, it looks like somewhere your 'quarantine/unauthenticated' VLAN leaks into the full network; I do not see another explanation.
Try configuring the WLC for a new quarantine VLAN which does not exist anywhere.
Then you should not have any access at all to anything whatsoever. Then try to let this VLAN gradually reach the stack and test constantly. You should find the point where the VLAN 'leaks'.
Nicolas
===
Remember to rate responses that you find useful
-
Hello Experts,
I have some questions that came up while doing NAC work at one of our subsidiaries. If there are some user ports which are not selected for the NAC profile, is there anything (other than physically checking the user's cell phone by enabling all ports and auditing) which can be used to track the user ports not enabled for NAC?
Second, if the NAC user port is manually put on the user VLAN (rather than the quarantine or temporary VLAN), what is the correct order for that:
must the user on the NAC field be typed manually onto the user VLAN, or should the port profile be set to uncontrolled first, followed by a port bounce and update?
I appreciate all help, thank you.
Hello
See online:
If there are some user ports which are not selected for the NAC profile, is there anything (other than physically checking the user's cell phone by enabling all ports and auditing) which can be used to track the user ports not enabled for NAC?
[Tiago] In the CAM GUI, you can check which ports are controlled and which are uncontrolled. It is the only place where ports can be determined to be managed/unmanaged.
Second, if the NAC user port is manually put on the user VLAN (rather than the quarantine or temporary VLAN), what is the correct order for that:
must the user on the NAC field be typed manually onto the user VLAN, or should the port profile be set to uncontrolled first, followed by a port bounce and update?
[Tiago] When you perform the switch configuration, the switchports can be put on the user VLAN or the default access VLAN. It depends on the port profile settings that you have configured. By default, when a port is managed, if a client connects, an SNMP trap is sent to the CAM. The CAM checks whether the machine is certified or not (it checks the MAC address). If the machine is not certified, the CAM changes the VLAN to the authentication VLAN configured on the port profile.
So, whenever you connect a PC to a switchport, the CAM evaluates what the correct VLAN for the PC is and changes it accordingly.
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
Real-IP gateway process for in-band NAC
Hi all
I did a lot of research, and I cannot find good answers to some of my questions. All the big questions are answered for the out-of-band configuration, but I find that the understanding of in-band is taken for granted lol... I guess I'm slow =P
- How does the in-band Real-IP gateway work?
- What is the point of the /30 subnets?
- Are there any access/auth VLAN pair configurations in in-band?
- How does quarantine work?
- I read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean that there is no support for several trusted VLANs mapped to a single NAC server?
- Can you do role mapping with in-band configurations?
Help with all or part of these questions would be GREATLY appreciated!
Thank you a lot =]
~ Xavier.
Hi Xavier,
I'll try to answer your questions.
1. How does the in-band Real-IP Gateway work?
The CAS works in routed mode, so you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Because the CAS does not support routing protocols, routing must be configured through static routes.
2. What is the point of the /30 subnets?
The idea is to have small subnets for your clients so that, with this IP config, clients in the authentication VLAN must go through the CAS even to talk to other clients on the same L2 subnet.
Click here for an explanation:
3. Are there access/auth VLAN pair configurations in in-band?
If you are asking whether there is VLAN mapping, then the answer is NO, as the purpose of VLAN mapping is to *bridge* traffic between mapped trusted and untrusted VLANs, but in Real-IP the CAS routes traffic at L3.
4. How does quarantine work?
When a client is quarantined, it works the same way as in OOB, as in this phase the client is always inline with the CAS.
So the concept is that the CAS assigns the user the temporary or quarantine role and applies the traffic policy you've set up for the temporary or quarantine role.
5. I have read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean that there is no support for several trusted VLANs mapped to a single NAC server?
The "single" VLAN restriction for the Real-IP CAS applies only to the *trusted* side. The CAS may be the default gateway for several VLANs/IP subnets on the *untrusted* side.
Configure additional VLANs/IP addresses on the untrusted side by using the "managed subnet" configuration.
This is mentioned here:
The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For more information on setting up managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.
6. Can you do role mapping with in-band configurations?
Yes, you can do it! However, you cannot assign a VLAN as you do in OOB, but you can assign different levels of access based on the IP traffic policies and bandwidth restrictions that you assign to the specific role.
For example, check here for more details:
In a word, regardless of in-band vs. out-of-band:
- clients are in-band with the CAS during the detection, authentication, posture assessment and remediation phases.
The main difference occurs when the user is allowed to access the network; you run role assignment in both IB and OOB, but...:
- in IB, client traffic keeps flowing inline through the CAS, so you can apply different access policies (ACLs) and bandwidth control depending on the role policies (but you cannot assign a VLAN);
- in OOB, client traffic bypasses the CAS once it is authorized: in this case you can apply different VLANs but (given that the CAS is no longer along the path) you cannot apply ACLs and/or bandwidth policy.
I hope that answers your questions.
Kind regards
Federico
--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
-
Error with MAC-based groups: "there are no resources for this range"
Hello
I have an SG300-52. My goal is a setup where a client can connect to any port and is automatically placed in a VLAN depending on its MAC address.
For this I set up some VLANs.
Vlan  Name  Ports                    Created by
----  ----  -----------------------  ----------
1     1     gi1-46, gi48-52, Po1-8   D
10    10    gi1-46, gi48, gi51       S
20    20    gi1-46, gi48, gi51       S
30    30    gi1-46, gi48, gi51       S
On all ports where clients can connect, the VLANs are configured as untagged.
I have about 40 MACs that I want to put into the VLANs dynamically. So I've set up a MAC group to VLAN mapping:
conf t
interface range gi1-46
switchport mode general
switchport general map mac-group 5 vlan 5
switchport general map mac-group 10 vlan 10
switchport general map mac-group 20 vlan 20
switchport general map mac-group 30 vlan 30
Now I want to add MAC addresses to the MAC groups:
map mac 0000.0000.2222 host mac-group 10
But after a few MACs are added, I get the error "there are no resources for this range".
Is there a limit on the number of MAC addresses in a MAC group?
Please advise how to proceed, or whether there is another way to achieve the goal.
Tobias
Hello Tobias,
There is a limit on the number of MAC addresses that can be added to a MAC group and applied to interfaces. Each MAC/interface entry consumes a single configurable TCAM resource (the max allowed is around 500, I think). So, if you have 10 MAC addresses applied across 48 ports, that's 480 TCAM entries. This assumes you do not have any other rules (ACLs, MAC ACLs etc.) configured. If you have a large number of MAC addresses that need static VLAN assignment, the best approach would be to use dot1x-based VLAN assignment authentication. That would be a scalable approach.
I hope this helps.
Nana
-
Wireless users in L2 inband virtual mode
Hello
At present the access points are just plugged into access ports in VLAN 10 and configured with VLAN 10 on the SSID; wireless users access the network fine without any problems. I have set up a CAS in L2 inband virtual mode and it works fine when I tested it with WIRED users.
To apply posture assessment to wireless users, I just change the access switch port where the access point is currently connected from VLAN 10 to the authentication VLAN, and change the SSID from VLAN 10 to the authentication VLAN. As I'm using only 1 VLAN, I don't have to create a trunk on the switch port where the access point is connected? Anything else I should do? Correct me if I'm wrong.
Answers?
Hi Michael,
These conclusions should be correct.
Just to be 100% sure, we are aligned on your first conclusion.
The switchport where the access point is connected must be configured as an access port on VLAN 20, in the case where the AP and the wireless clients are connected on VLAN 20.
However, be very careful that in such a situation your AP traffic can also hit the CAS (being on the same untrusted VLAN as regular clients). You could then consider keeping your AP on a BVI interface in a VLAN separate from the client VLAN; otherwise you can end up breaking the AP traffic, because it is placed on the same untrusted VLAN as your wireless clients. An alternative could be to add a filter for the AP in the CAM, but that is perhaps not as scalable as separating the AP's BVI traffic from the wireless client subnet.
Kind regards
Fede
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it. -
MAC address filter list in the NAC
Hi Faisal, how are you? I have a question about the filter list in the NAC appliance. I want the MAC addresses recognized by the NAC appliance to be able to get onto the network. However, if a workstation's MAC address is not in the filter list, it should not be able to get onto the network. Does the NAC have the ability to do that? Please let me know. Thank you.
Richard
I'm not Faisal, but...
Do you want to do additional authentication (such as LDAP or similar) or simply authentication based on the MAC address? If you want MAC-only, you can add them to the filter list and then either set them to 'allow' to allow all traffic, 'role' to put them in a specific role, or 'check' to apply posture assessment and then put them in the role. If no other authentication server is configured, users who are not in the filter list would not be able to authenticate, and they would be stuck in the authenticated VLAN.
Thank you
Lauren
-
L3 OOB virtual gateway deployment
Hi Faisal,
Nice day! I would like to ask about the L3 deployment approach using OOB virtual gateway. What I did was enable L3 support and apply static routes. When I tried to connect a client computer, it couldn't obtain an IP address. The Cisco switch that I'm using at the remote site was already discovered in the NAC appliances. When I check the ports, it set up authentication VLAN 100 but no passthrough. The IP block for the site is 10.19.x.x. Should I configure a managed subnet and VLAN mapping? But what I read in the manual is that, rather than configuring the managed subnet, a static route must be applied.
For the L2 OOB virtual gateway deployment, it is working now; the IP block I'm using is 10.1.x.x. I want to add an L3 deployment for remote sites as well, for users to authenticate through the NAC. I'm thinking of approach 2 for the NAC, for L3 and L2 deployment from the main site to the remote site. Faisal, am I doing it correctly? Please let me know what I should do, and see the attachment. Thank you.
Richard
Richard,
I don't think it will work. You're using VGW and trying to NAC subnets that are L3 hops away. In VGW the CAS acts as a bridge. How are you going to extend your VLAN tags multiple hops away to the untrusted interface of the CAS?
We almost always let customers who need to NAC subnets that are L3 hops away use RIP, because it is easier to separate and force unauthenticated traffic to the untrusted side of the CAS.
HTH,
Faisal
-
NAC and virtual machines on a PC
Hi all,
Does anyone know whether, when a computer is connected to the network using the Cisco agent or the web agent and has passed the authentication process, and the user then starts a virtual machine with a different operating system (Linux, Windows, etc.), the NAC solution will recognize this "new computer" and put it through the authentication and remediation process?
Thanks in advance for your help.
Traffic from the virtual machine's OS will have a different MAC address than the host operating system. That's why NAC will detect it as a new device.
If you are inband, the virtual machine will go through authentication without disturbing the host operating system.
If you are using out-of-band, the switchport will change to the authentication VLAN and the host OS will have to go through authentication again.
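The answer above rests on one observable fact: a bridged virtual machine appears on the switch as a second MAC address behind the same access port. That is something a defender can watch for directly in the MAC address table, independently of what NAC does with it. The script below is an added example, not code from the thread or from Cisco; the table it parses is a constructed sample in the layout of a Cisco IOS "show mac address-table", and the OUI list holds the well-known prefixes that VMware, VirtualBox, Hyper-V, Xen and QEMU/KVM assign to guest NICs. It flags ports carrying more than one dynamic MAC and ports where a MAC carries a hypervisor OUI.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a Cisco IOS "show mac address-table";
# the addresses and port names are invented for this example.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0050.5612.3456    DYNAMIC     Fa0/1
  10    aabb.ccdd.0002    DYNAMIC     Fa0/2
  10    0800.27ab.cdef    DYNAMIC     Fa0/3
 All    0100.0ccc.cccc    STATIC      CPU
"""

# OUIs (first 24 bits of the MAC) that hypervisors assign to guest NICs.
VM_OUIS = {
    "005056": "VMware", "000c29": "VMware", "000569": "VMware",
    "080027": "VirtualBox",
    "00155d": "Hyper-V",
    "00163e": "Xen",
    "525400": "QEMU/KVM",
}

# One table row: vlan, dotted-quad MAC, type, port.
ROW_RE = re.compile(
    r'^\s*(\S+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\w+)\s+(\S+)\s*$'
)


def oui(mac):
    """Return the 6-hex-digit OUI of a Cisco-style aaaa.bbbb.cccc MAC."""
    return mac.replace(".", "").lower()[:6]


def parse_mac_table(text):
    """Yield (vlan, mac, type, port) for every dynamically learned row."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group(3).upper() == "DYNAMIC":
            yield m.groups()


def analyze(text):
    """Group learned MACs by port and flag multi-MAC ports and hypervisor OUIs."""
    per_port = defaultdict(list)
    for _vlan, mac, _typ, port in parse_mac_table(text):
        per_port[port].append(mac.lower())

    # More than one dynamic MAC on an access port: a VM, a bridge or a hub.
    multi_mac_ports = sorted(p for p, macs in per_port.items() if len(macs) > 1)

    # Any MAC whose OUI belongs to a hypervisor, even if it is alone on its port.
    vm_oui_hits = {}
    for port, macs in per_port.items():
        hits = [(mac, VM_OUIS[oui(mac)]) for mac in macs if oui(mac) in VM_OUIS]
        if hits:
            vm_oui_hits[port] = hits

    return {
        "per_port": dict(per_port),
        "multi_mac_ports": multi_mac_ports,
        "vm_oui_hits": vm_oui_hits,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_MAC_TABLE)
    for port in result["multi_mac_ports"]:
        print(f"{port}: {len(result['per_port'][port])} dynamic MACs")
    for port, hits in result["vm_oui_hits"].items():
        for mac, vendor in hits:
            print(f"{port}: {mac} has a {vendor} OUI")
```

This only catches guests whose virtual NIC is bridged onto the wire, which is exactly the case the answer describes; a guest in NAT mode shares the host's MAC and is invisible at this layer, so the check complements rather than replaces the NAC agent's view of the host.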
-
Enable SNMP - HP ProCurve 2848
Hi all
I don't know why SNMP does not work on my HP ProCurve 2848 (ping and the web interface work!).
This is my config.
SW3_STIPA(config)# show config
Startup configuration:
; J4904A Configuration Editor; Created on release #I.10.70
hostname "SW3_STIPA"
snmp-server contact "STIPA"
snmp-server location "Montreuil"
no cdp run
interface 1
   no lacp
exit
interface 2
   no lacp
exit
interface 3
   no lacp
exit
interface 4
   no lacp
exit
interface 5
   no lacp
exit
interface 6
   no lacp
exit
interface 7
   no lacp
exit
interface 8
   no lacp
exit
interface 9
   no lacp
exit
interface 10
   no lacp
exit
interface 11
   no lacp
exit
interface 12
   no lacp
exit
interface 13
   no lacp
exit
interface 14
   no lacp
exit
interface 15
   no lacp
exit
interface 16
   no lacp
exit
interface 17
   no lacp
exit
interface 18
   no lacp
exit
interface 19
   no lacp
exit
interface 20
   no lacp
exit
interface 21
   no lacp
exit
interface 22
   no lacp
exit
interface 23
   no lacp
exit
interface 24
   no lacp
exit
interface 25
   no lacp
exit
interface 26
   no lacp
exit
interface 27
   no lacp
exit
interface 28
   no lacp
exit
interface 29
   no lacp
exit
interface 30
   no lacp
exit
interface 31
   no lacp
exit
interface 32
   no lacp
exit
interface 33
   no lacp
exit
interface 34
   no lacp
exit
interface 35
   no lacp
exit
interface 36
   no lacp
exit
interface 37
   no lacp
exit
interface 38
   no lacp
exit
interface 39
   no lacp
exit
interface 40
   no lacp
exit
interface 41
   no lacp
exit
interface 42
   no lacp
exit
interface 43
   no lacp
exit
interface 44
   no lacp
exit
interface 45
   name "INTERCO_VERS_SW1"
   no lacp
exit
interface 46
   name "INTERCO_VERS_SW1"
   no lacp
exit
trunk 45-46 Trk2 Trunk
ip default-gateway 192.168.12.1
snmp-server community "public" Operator
snmp-server community "snmp-private" Operator Unrestricted
snmp-server host 192.168.12.230 "public"
snmp-server enable traps authentication
vlan 1
   name "DEFAULT_VLAN"
   untagged 33-34,36-44,47-48,Trk2
   ip address dhcp-bootp
   no untagged 1-32,35
exit
vlan 11
   name "VLAN_STIPA"
   untagged 1-32
   no ip address
   tagged Trk2
exit
vlan 12
   name "VLAN_PROCESS"
   untagged 35
   ip address 192.168.12.13 255.255.255.0
   tagged Trk2
exit
vlan 20
   name "VLAN_TOIP"
   ip address 10.0.0.3 255.255.255.0
   tagged 1-44,Trk2
exit
spanning-tree
spanning-tree Trk2 priority 4
spanning-tree priority 4
ip ssh version 1-or-2
password manager
Server (192.168.12.230):
[root@ces:~/09:41:11]# ping -c 1 10.0.0.3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=1.15 ms

--- 10.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.158/1.158/1.158/0.000 ms
[root@ces:~/09:41:14]# snmpwalk -v 1 -c public 10.0.0.3
Timeout: No Response from 10.0.0.3
Thank you for your help!
Hello:
I recommend that you also post your question in the Business - ProCurve switches section of the HP Support Forum.
http://h30499.www3.HP.com/T5/ProCurve-provision-based/BD-p/switching-e-series-Forum#.Uyr1POlOW9I
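Whatever is blocking the snmpwalk, the posted configuration has two settings that a reviewer would flag before anything else: the community string "public" (a default that every scanner tries first) and a second community marked Unrestricted, which on ProCurve means read-write. The script below is an added example, not code from the thread or from HP; it parses a constructed excerpt trimmed from the posted config to the SNMP and VLAN-address lines, reports default and read-write community strings and trap hosts whose community is not defined, and, as a first diagnostic step, checks which VLAN interface owns the address being polled. The ProCurve syntax it assumes is snmp-server community <name> [Operator|Manager] [Restricted|Unrestricted], with Restricted (read-only) as the default.

```python
import re
from dataclasses import dataclass

# Constructed excerpt adapted from the ProCurve config posted in the question:
# only the lines that matter for SNMP and management addressing are kept.
SAMPLE_CONFIG = """\
hostname "SW3_STIPA"
snmp-server contact "STIPA"
snmp-server location "Montreuil"
ip default-gateway 192.168.12.1
snmp-server community "public" Operator
snmp-server community "snmp-private" Operator Unrestricted
snmp-server host 192.168.12.230 "public"
snmp-server enable traps authentication
vlan 1
   name "DEFAULT_VLAN"
   ip address dhcp-bootp
exit
vlan 12
   name "VLAN_PROCESS"
   ip address 192.168.12.13 255.255.255.0
exit
vlan 20
   name "VLAN_TOIP"
   ip address 10.0.0.3 255.255.255.0
exit
"""

# Community strings that ship as defaults on many devices; they are the
# first thing any scanner tries and should never survive on a production switch.
DEFAULT_COMMUNITIES = {"public", "private"}

COMMUNITY_RE = re.compile(r'^snmp-server community "([^"]+)"(.*)$')
HOST_RE = re.compile(r'^snmp-server host (\S+) "([^"]+)"')
VLAN_RE = re.compile(r'^vlan (\d+)\b')
IP_RE = re.compile(r'^\s+ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$')


@dataclass
class Community:
    name: str
    # ProCurve: "Unrestricted" grants read-write; the default "Restricted" is read-only.
    read_write: bool


def parse_config(text):
    """Extract SNMP communities, trap hosts and the IP address of each VLAN interface."""
    communities, trap_hosts, vlan_ips = [], [], {}
    current_vlan = None
    for line in text.splitlines():
        if (m := COMMUNITY_RE.match(line)):
            communities.append(Community(m.group(1), "Unrestricted" in m.group(2).split()))
        elif (m := HOST_RE.match(line)):
            trap_hosts.append((m.group(1), m.group(2)))
        elif (m := VLAN_RE.match(line)):
            current_vlan = int(m.group(1))
        elif current_vlan is not None and (m := IP_RE.match(line)):
            vlan_ips[current_vlan] = m.group(1)   # "ip address dhcp-bootp" does not match
        elif line.strip() == "exit":
            current_vlan = None
    return communities, trap_hosts, vlan_ips


def audit(text, polled_ip=None):
    """Return security findings and, if polled_ip is given, the VLAN whose interface owns it."""
    communities, trap_hosts, vlan_ips = parse_config(text)
    findings = []
    for c in communities:
        if c.name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community string {c.name!r} is configured")
        if c.read_write:
            findings.append(f"community {c.name!r} is read-write (Unrestricted)")
    known = {c.name for c in communities}
    for host, comm in trap_hosts:
        if comm not in known:
            findings.append(f"trap host {host} uses undefined community {comm!r}")
    polled_vlan = None
    if polled_ip is not None:
        polled_vlan = next((v for v, ip in vlan_ips.items() if ip == polled_ip), None)
    return {"findings": findings, "polled_vlan": polled_vlan, "vlan_ips": vlan_ips}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, polled_ip="10.0.0.3")
    for finding in report["findings"]:
        print("FINDING:", finding)
    print("interface addresses by VLAN:", report["vlan_ips"])
    print("polled address belongs to VLAN:", report["polled_vlan"])
```

On the posted config this reports the "public" community and the read-write "snmp-private" community, and confirms that 10.0.0.3 is the VLAN 20 interface address while the poller at 192.168.12.230 sits in the VLAN 12 subnet; which of the switch's addresses is being polled, and from where, is worth pinning down before looking further.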