Dot1x Cisco 3850

Hi experts,

Is it possible to integrate a Cisco 3850 switch with Active Directory so that users are authenticated via AD before they can access the network?

I am confused about whether to integrate the switch with AD or with ACS. I know that ACS will be used for authentication and access management.

I would be grateful if someone could clarify this for me.

Thank you

Haitham Jneid

ACS integrated with AD to retrieve the user/group database - Yes.

dot1x must be configured between the switch and the ACS - Yes, and as I said, this is where you configure the authentication and authorization policies for dot1x.

In this case, for wired users: once they plug their laptop into a switch port enabled for dot1x authentication, the switch contacts the ACS, and the ACS already has the AD database. The ACS verifies whether the user is in the database and allows or denies access, based on your dot1x authentication and authorization policies.

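Switch-side 802.1X configuration matching the flow described above, as an added example that is not from the original thread: the 3850 acts as authenticator and relays EAP over RADIUS to the ACS, which performs the AD lookup; the AD join itself is done on the ACS, not on the switch. The ACS address 192.0.2.10, the shared secret, VLAN 10, the RADIUS ports and interface GigabitEthernet1/0/1 are placeholders.

```text
! --- Added example: Catalyst 3850 (IOS-XE) as 802.1X authenticator ---
! The switch needs no AD knowledge; it only needs RADIUS reachability to the ACS.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! RADIUS server definition (placeholder address and secret).
! Ports 1812/1813 are assumed; use whatever the ACS is configured to listen on.
radius server ACS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Enable 802.1X globally; without this the per-port settings have no effect.
dot1x system-auth-control
!
! Access port where the user laptop plugs in.
! port-control auto = no traffic passes until the ACS returns Access-Accept.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode single-host
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Verification once a client connects:
!   show authentication sessions interface GigabitEthernet1/0/1
!   show dot1x all summary
```

A client that is not in the AD groups permitted by the ACS policy stays unauthorized on the port, and the RADIUS accounting records give the audit trail of who authenticated where.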

Tags: Cisco Security

Similar Questions

  • ESXi -> Cisco 3850 -> upstream router routing does not work

    Please see the attached diagram.

    I currently have a "router on a stick" setup and I am moving to SVIs on a Cisco 3850 stack. Initially I moved VLAN 100. I can ping each of the directly connected devices (i.e. the 3850 and the 2911 router). I can't ping from a virtual machine on VLAN 100 to the router and vice versa. Here's what works and what doesn't.

    Works in both directions:

    VM (172.16.100.51) <-> GW on SVI (172.16.100.254)

    VM (172.16.100.51) <-> another SVI (172.16.230.254)

    VM (172.16.100.51) <-> L3 interface on 3850 (10.2.2.2)

    L3 interface on 3850 (10.2.2.2) <-> L3 interface on 2911 (10.2.2.1)

    SVI on 3850 (172.16.100.254) <-> L3 interface on 2911 (10.2.2.1)

    Does not work in either direction:

    VM (172.16.100.51) <-> L3 interface on 2911 (10.2.2.1)

    VM (172.16.100.51) <-> anything NOT routed on the 3850

    I have the following routes on the 2911 and the 3850.

    3850:
    ip route 0.0.0.0 0.0.0.0 10.2.2.1

    2911:
    ip route 172.16.100.0 255.255.255.0 10.2.2.2
    ip route 172.16.230.0 255.255.255.0 10.2.2.2

    In theory, everything coming from 172.16.100.51 that is not local to the 3850 should be sent to 10.2.2.1, since that is the default route on the 3850.

    I suspect this is a licensing problem. I have the IP Base feature set license on the 3850 stack. I checked using show license and show version.

    According to this Cisco FAQ, http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-..., routing should work because I do not have more than 16 static routes and I'm only using basic L3 routing features.

    I am at a loss here. What is going on? Can someone please confirm?

    I bought a WS-C3850-24T-S,

    http://www.Cisco.com/c/en/us/TD/docs/switches/LAN/catalyst3850/software/...

    thinking that I would be able to use SVIs and keep all traffic from having to go up to the routers, as our oldest upstream switches were only L2.

    It looks like an upgrade to the full IP Services feature set is possible.

    https://cisco3850.wordpress.com/2015/04/22/licensing-for-cisco-catalyst-....

    Do I have to upgrade the image, or can I just activate the license using the built-in commands described here?

    http://www.Cisco.com/c/en/us/TD/docs/switches/LAN/catalyst3850/software/...

    I hope I don't have to reboot the switches, because this stack is currently in use as the core and distribution.

    Any help is appreciated.

    Thank you

    Did turning on "ip routing" help?

  • Upgrade IOS Cisco 3850

    Dear all

    I have uploaded a new IOS to a Cisco 3850; it is in flash, but it still does not appear in the "sh version" output and I can't boot from this new IOS. Please mention the steps to start the new IOS.

    Thanks and greetings

    Jean Luc

    On the 3850 you normally use the command:

    software install file flash:cat3k_caa-universalk9.SPA.03.06.01.SE.150-1.EZ1.bin
    
    
  • Cisco 3850 - Directly Connected APs

    Can APs be connected to a 3850 other than directly? For example, if you had several offices at a branch site, your 3850 MC was in the server rack, and you had 2960s in the other offices. Could you connect your APs to the 2960 switches and have them join the 3850 MC?

    I read that they must be connected directly to the 3850; however, does it support FlexConnect APs?

    I'd be grateful if someone could shed some light.

    Thank you

    The 3850 will not support FlexConnect. You must also connect the APs directly to the 3850 (no intermediate switches such as the 2960).

    Refer to this Q&A to answer your two questions:

    http://www.Cisco.com/en/us/prod/collateral/switches/ps5718/ps12686/qa_c67-722110.html

    HTH

    Rasika

  • Incompatibility of H/W version when stacking Cisco 3850

    I have a failed Cisco 3850. I got a new switch and its IOS was lower than my current stack, so I upgraded it. When I do a show ver the IOS looks right, but when I do a show switch the H/W version parameter is different. Would this cause my stack to fail?

    New switch:

    Switch  Ports    Model              SW Version        SW Image              Mode
    ------  -----    -----              ----------        ----------            ----
    *    1  56       WS-C3850-48P       03.07.03E         cat3k_caa-universalk9 INSTALL

    Current H/W
    Switch#   Role        Mac Address     Priority Version  State
    ------------------------------------------------------------
    *1        Active                      15       V04      Ready

    Old switch:

    Switch  Ports    Model              SW Version        SW Image              Mode
    ------  -----    -----              ----------        ----------            ----
    *    1  56       WS-C3850-48P       03.07.03E         cat3k_caa-universalk9 INSTALL

    Current H/W
    Switch#   Role        Mac Address     Priority Version  State
    ------------------------------------------------------------
    *1        Active                      15       V06      Ready

    Hi Kurt,

    That will not cause the stack to fail; you just need to make sure that the IOS version and the license level are the same between the stack members, and make sure you reboot the switch before plugging it into the stack again.

    HTH

    Julio

  • Change the certificate used by a Cisco 3850

    I have a new L3 3850 switch. It had a self-signed certificate installed when I first booted the switch. The certificate shows as either 512 or 1024 bits in length. I would like to create a 2048-bit key. I can issue the crypto key generate rsa command and specify a length of 2048, and I get a new cert. I just can't understand how to make the new cert the active cert.

    When I first booted it, here is the relevant section of the switch configuration:

    crypto pki trustpoint TP-self-signed-127070658
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-127070658
     revocation-check none
     rsakeypair TP-self-signed-127070658
    !
    !
    crypto pki certificate chain TP-self-signed-127070658
     certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

    When I create a new cert and save it with copy running-config startup-config and then reload, it shows that the new cert is stored in nvram:private-config, but it does not show the cert when I cd to nvram: and issue the dir command. What is the right sequence to get the new cert in use?

    Here are the results of the dir command:

    2049  -rw-  1897  startup-config
    2050  ----  3821  private-config
    2051  -rw-  1897  base-config
       1  ----     0  rf_cold_starts
       2  -rw-  1079  cpu_trap.eci
       4  -rw-  1072  cpu_threshold_trap.eci
       6  -rw-   886  memory_trap.eci
       7  -rw-   858  rf_trap.eci
       8  -rw-  3123  wireless_trap.eci
      11  -rw-   270  ma_trap_keyword
      12  ----    86  persistent-data
      14  -rw-   578  IOS-Self-Sig#1.cer
      15  -rw-     0  ifIndex-table

    William Coats

    I was wondering how to do this myself, so I took it on as a small project on our lab 3650. The documentation leaves something to be desired, but I finally figured it out.

    1. Generate a 2048-bit RSA key pair:

    seclab-3650(config)#crypto key generate rsa modulus 2048 label 2048-bit-key

    2. Create a trustpoint specifying self-signed enrollment and tell the TP to use this key pair:

    seclab-3650(config)#cry pki trustpoint 2048-bit-TP
    seclab-3650(ca-trustpoint)#enrollment selfsigned
    seclab-3650(ca-trustpoint)#usage ssl-server
    seclab-3650(ca-trustpoint)#storage nvram:
    seclab-3650(ca-trustpoint)#rsakeypair 2048-bit-key
    seclab-3650(ca-trustpoint)#exit

    3. Enroll the trustpoint - at this point the switch generates the 2048-bit certificate.

    seclab-3650(config)#crypto pki enroll 2048-bit-TP
    % Include the router serial number in the subject name? [yes/no]: yes
    % Include an IP address in the subject name? [no]:
    Generate Self Signed Router Certificate? [yes/no]: yes

    Router Self Signed Certificate successfully created

    seclab-3650(config)#

    4. Tell your ip http secure-server to use this trustpoint:

    seclab-3650(config)#ip http secure-trustpoint 2048-bit-TP

    Once I did this, I can browse to the switch via https and see the 2048-bit key being used in the self-signed certificate.

  • HSRP on Cisco IOS-XE

    Hi, we just got our Cisco 3850 switch, newly shipped with IOS-XE. Here is an example of the 'show version' output.

    Switch(config-if)#do show ver
    Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.03.SE RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Mon 23-Sep-13 18:24 by prod_rel_team

    Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.
    (http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.

    ROM: IOS-XE ROMMON
    BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.18, RELEASE SOFTWARE (P)

    HK-CSW001 uptime is 4 hours, 0 minutes
    Uptime for this control processor is 4 hours, 3 minutes
    System returned to ROM by reload
    System image file is "flash:packages.conf"
    Last reload reason: Reload command

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    export@cisco.com.

    License Level: Ipbase
    License Type: Permanent
    Next reload license Level: Ipbase

    cisco WS-C3850-24T (MIPS) processor with 4194304K bytes of physical memory.
    Processor board ID FOC2007U0YG
    2 Virtual Ethernet interfaces
    28 Gigabit Ethernet interfaces
    4 Ten Gigabit Ethernet interfaces
    2048K bytes of non-volatile configuration memory.
    4194304K bytes of physical memory.
    250456K bytes of Crash Files at crashinfo:.
    1609272K bytes of Flash at flash:.
    0K bytes of Dummy USB Flash at usbflash0:.
    0K bytes of  at webui:.

    Base Ethernet MAC Address          : 00:cc:fc:d1:55:80
    Motherboard Assembly Number        : 73-16297-04
    Motherboard Serial Number          : FOC20061W6G
    Model Revision Number              : Z0
    Motherboard Revision Number        : B0
    Model Number                       : WS-C3850-24T
    System Serial Number               : XXXXXXXXXXX

    My problem is, I tried HSRP before using Packet Tracer and thought that since it worked there, I could do it here on this new switch. After reading a few articles, HSRP 1 is gone and it's HSRP 2 here, but after I typed in

    "interface vlan XXX"

    "ip address XXX.XXX.XXX.XXX subnet"

    the command "standby version 2" is not available, and "standby ip XXX.XX" is not available either.

    I'm stuck with this problem now; I'd appreciate any help from you guys.

    Thank you


    Hello Jeff,

    We were also quite surprised when we realized that our brand new 3850 did not support HSRP. This feature was introduced in a later version of IOS-XE. Currently we run 03.06.00.E on our WS-C3850-24T, and this version supports HSRP.

    I absolutely don't understand why Cisco released such an unfinished software/switch combo.

    So, please try a newer software version.

    Cheers

    Ichnafi

    Addendum: Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp) says HSRP is supported since version 3.3.0.

  • Cisco Layer 3, singing and VLAN

    I have a vSphere 5.5 install and am currently upgrading the network to implement VoIP.  The switching equipment I use is a stack of Cisco 3850 Layer 3 switches, and I'm going round and round on getting VLAN traffic to work properly.  I hope someone can point me in the right direction.

    I have a NIC connected to the switch (10 Gb fiber) which handles all the traffic for the ESXi host (with the exception of management).  The VLAN ID is set to zero (0) and load balancing is set to route based on originating virtual port.

    I have 2 subnets, 10.1.0.0/16 (management, VLAN 1, and data) and 10.10.1.0/24 (voice, VLAN 10).

    On the host I have a Windows 2012 R2 server which will host a VoIP PBX.  It must be able to communicate with the IP phones (VLAN 10) and other servers (VLAN 1).

    The switches will do the inter-VLAN routing.

    Finally, my question - can anyone give me some advice on how to configure the interface on the Cisco for my host's 10 Gb fiber connection?  The actual port settings would be extremely helpful.  Is there anything on the VMware end that I should do differently?

    In case someone finds this in a search, here's what I ended up with on the Cisco switch:

    switchport trunk allowed vlan 1,10
    switchport mode trunk
    switchport nonegotiate
    switchport voice vlan 10
    macro description cisco-switch
    spanning-tree portfast
    spanning-tree link-type point-to-point

    On the virtual switch, I set all the VLAN IDs and route based on originating virtual port.

  • TrustSec on WS-C3850-24T

    Hello

    I want to configure switch-to-switch link security (manual mode) on a Cisco 3850 with IP Base.

    But under "sap mode-list ..." the only entry is: no-encap

    I need gcm-encrypt, but this option is not displayed.

    SW version: 03.06.00E

    SW Image: cat3k_caa-universalk9

    License level: Ipbase

    Model: WS-C3850-24T

    What could be the problem?

    Best regards

    The 3850 hardware is capable of MACsec, but it is not yet implemented in software:

    From the 3850 Q&A:

    Q. What service modules are available for the Cisco Catalyst 3850?
    A. There are no service modules for the Cisco Catalyst 3850. The features supported by the 3750-X service module (including Flexible NetFlow and MACsec*) are natively supported by the Cisco Catalyst 3850.
    * Software support for MACsec could be added later as part of a software update.

  • Compatibility of the AP1240 series with WLC code 8.2.111

    Hello world

    I need advice on this one, if anyone happens to have any suggestions.

    We have remote sites (4-5) where we still have 1242 series APs. Recently I upgraded my WLC to 8.2 code and these APs do not come up, as they are stuck in "Downloading...".

    As linked below, Cisco says the 1240 series is no longer supported.

    http://www.Cisco.com/c/en/us/TD/docs/wireless/controller/release/notes/c...

    Now, my question is whether there is any solution for this, or that's it and we need new APs for the remote sites.

    On the other hand, I also have a Cisco 3850 switch with the WLC active, so can I use the Cisco 3850 for these APs? If so, please share any link.

    Kind regards

    The choices are:

    1. The new APs get managed by the 3850 and the old APs are managed by a WLC running 8.0.X; or

    2. The 1240s are converted to autonomous; or

    3. Get another controller, such as a 2504, for example.

  • Mixed architecture with 5508

    Hello

    I have a converged architecture with a 5508 as MC and 3850s as MA for access. Currently, at the main site, the access points are registered on each 3850.

    At my remote site I do not have a Cisco 3850 and I want to use FlexConnect with my 5508. So the remote access points would register to the 5508. Is this possible?

    Can my Cisco 5508 support a mixed architecture?

    • Converged access for the main site,
    • Classic architecture for the remote site.

    Thanks in advance,

    Sylvain.

    Do not forget that from 8.1 onward, the MC feature in AireOS for 3850/3650 MAs is removed.

    • With Release 8.1 in a New Mobility environment, Cisco WLCs running Cisco Wireless software cannot function as mobility controllers (MC). However, the Cisco WLCs can function as guest anchors.

    http://www.Cisco.com/c/en/us/TD/docs/wireless/controller/release/notes/crn81.html

    That is why it is advised not to have an AireOS controller as MC for your converged access configuration.

    HTH

    Rasika


  • MGMT port on 3850 switch

    Hello

    I have a 3850 configured as a border switch where I run BGP on it. I did not connect the MGMT port to our internal mgmt network because of security concerns. So what worries me is: if the switch somehow gets hacked from the outside (we run an SSH or HTTP server on it), can the attacker access the MGMT port or not? The MGMT interface is on a separate data plane, so there is no possible way to reach it from the switch ports? I couldn't find this info in the Administrator's guide, so I'm asking if any of you know :).

    Thank you!

    The management port on the Catalyst 3850, like many other modern Cisco switches, uses a completely separate virtual routing and forwarding (VRF) instance.

    As long as you do not expose the Layer 3 interfaces (routed ports or switched virtual interfaces (SVIs)) to the outside world, your management plane is totally isolated. If the switch had external L3 interfaces and was completely compromised, one could connect to the switch and then launch sessions (from the switch itself) to the internally accessible hosts reachable via the management VRF.

    For more information about the internal architecture of the switch, see the Cisco Live presentation BRKARC-3438. Note on slides 30+ how they show the 'PEM' (the management Ethernet port) directly connected to the switch CPU, not sharing the forwarding hardware or controllers that govern the data ports.

    Also note the configuration guide, which states:

    The switch cannot route packets from the Ethernet management port to a network port, and vice versa.

  • 2504 versus 3850 wireless controller

    We are just beginning to look at wireless on our secure networks. We have a 2504 and some 36xx WAPs, never installed. We also ordered a couple of 38xx WAPs and a stack of 3850 models which include the wireless controller. We plan to use our Cisco ACS with certificates and AD for authentication.

    We're eventually going wireless at several fiber-attached sites if this pans out.

    To save time going down the wrong path, I have some basic questions to ask.

    My questions are... which approach (2504 versus 3850 WC) is better?   I know the 3850 series may have multigigabit connections to the WAPs with the newest 3850-X model, which could be more of a factor later on. I also don't know the process of how wireless user data gets placed onto the local network via the WAP. Does the data have to tunnel through an IPsec tunnel to the 2504 and then get placed onto the local network at the location of the 2504?  Or is the tunnel just for authentication, and the wired LAN between WAP and switch allows direct data flow?   We have some wireless on our network, but we use a totally different method.

    What bothers me is that if there is a certain amount of wireless access to a corporate network and servers, I think 1 Gb for the WAP connection could be a bottleneck... especially if the data can't be placed directly onto the local network at the WAP's connection to the switch.

    Does a 3850W model only control the devices on the local stack, or can it go beyond this restriction too? I mean, can it support WAPs connected to another 3850W stack too?

    I would not use the 3850 unless your environment is small. That being said, with the 3850 the APs must be on the 3850 or 3650 in your environment. I'd go with the 2504; it's stable and you will not regret it :)

    -Scott


  • CiscoWorks LMS 4.0.1 and 3850 switch support

    Hi, I want to know if the 3850 switch is supported in CiscoWorks LMS 4.0.1. I added the devices and inventory collection succeeded, but the device icon is blue with a question mark '?' and config sync always fails.

    I tried to download the device packages to install, but I couldn't find them.

    Thanks for the help.

    The 3850 is supported in LMS 4.2.3. Check the supported device list here:

    http://www.Cisco.com/en/us/docs/net_mgmt/ciscoworks_lan_management_solution/4.2.3/device_support/table/lms423sdt.html

    You must upgrade to LMS 4.2.3 or go to 1.3 FT.

    -Thank you

    Vinod


  • Could you tell me about connecting access points to the Catalyst 3850?

    Dear experts,

    I want to connect access points to the Catalyst 3850.
    I checked CCO, but I don't know whether to connect the access points directly or indirectly...
    Must the access points be connected to the Catalyst 3850 directly?

    Could you tell me about connecting access points to the Catalyst 3850?
    I want to know the CCO page on this subject.
     
    Best regards
    Takuro

    Hello

    See below

    http://www.Cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/qa_c67-722110.html

    Q. Does the Cisco Catalyst 3850 support indirectly connected access points?
    A. No. The Cisco Catalyst 3850 switch will always terminate the CAPWAP tunnel locally. Pass-through or indirectly connected access point mode is not supported at this time. Note that a 12- or 24-port SFP model of the Cisco Catalyst 3850 can be a good choice to act as the mobility controller for a stack of Cisco Catalyst 3850 switches terminating CAPWAP tunnels locally.

    HTH

    Rasika
