Dot1x multidomain on Catalyst 2960
Hello
I improved my 2960 with the latest basic version of LAN 12.2 (46) which includes the authentication of domain Multi (MDA) and I tried to configure what is described here:
http://www.Cisco.com/en/us/Tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml
I have the following exceptions in my configuration:
(1) SE - cat 2960 with the latest version of IOS 12.2 (46) that supports the MDA;
(2) using the Win2K IAS as a server radius. and
(3) third party (Avaya) with active begging dot1x IP phone. I have a PC with ability to dot1x connected to the second port of the IP phone.
That's what I set up on the phone IP port:
interface FastEthernet0/9
switchport access vlan 221
switchport mode access
switchport voice vlan 222
dot1x EAP authenticator
self control-port dot1x
multi-domain host-mode dot1x
protect the dot1x violation-mode
dot1x reauth-deadline 30
dot1x re-authentication
spanning tree portfast
I also configured the server Radius IAS Win2K to send RADIUS 'cisco-av-pair attribute' tell the authenticator (Cisco Catalyst 2960) that a supplicant (IP phone) is authorized on the voice VLAN as described in config-notes above link.
When the supplicant IP phone starts to authenticate, he succeeds, but that the port does not allow the field of VOICE, even though the 2960 receives the attribute "cisco-av-pair" of the Radius Server RADIUS. I confirmed the reception of this attribute of debugging on the switch.
RADIUS: Receipt of id 160.2.100.74:1645 1645/64, Access-Accept, len
110
17:02:38: RADIUS: authenticator 7 d AC 50 FE 14 B4 FC DC - 3A A4 E5 3F 1E 76 62
C3
17:02:38: RADIUS: EAP-Message [79] 6
17:02:38: RADIUS: 03 05 00 04
17:02:38: RADIUS: [25] in class 32
17:02:38: RADIUS: 44 05 05 A2 00 00 01 37 00 01 A0 02 64 4A C9 01 1 33 79 52
D8 58 00 00 00 00 00 00 1 b E7 [D7dJ3yRX]
17:02:38: RADIUS: seller, Cisco [26] 34
17:02:38: RAY: Cisco-AVpair [1] 28 'device-traffic-class = voice.
17:02:38: RADIUS: Message-Authenticato [80] 18
17:02:38: RADIUS: D9 42 78 88 26 5A 65 83 68 B0 E0 C7 AF 5TH 0F 51 [B
[x & Zeh ^ Q]
17:02:38: RADIUS (00000009): receipt of id 1645/64
17:02:38: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Cat2960 #show dot1x int fa0/9 details
Dot1x FastEthernet0/9 information
-----------------------------------
EAP AUTHENTICATOR =
PortControl = AUTO
ControlDirection = both
HostMode = MULTI_DOMAIN
Violation mode = PROTECT
A re-authentication = on
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthPeriod = 30 (configured locally)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Dot1x authenticator customer list
-------------------------------
Domain = DATA
"Supplicant" = 0004.0d9b.46d8
AUTH State = AUTHENTICATED SM
AUTH BEND State IDLE = SM
Port status = AUTHORIZED
ReAuthPeriod = 30
ReAuthAction = is re-authenticated
TimeToNextReauth = 20
Authentication method = Dot1x
Authorized by = authentication server
Policy of VLAN = n/a
I don't think I need CDP to allow the field of voice, if the Radius server sends the attribute "cisco-av-pair".
Have I misunderstood the concept?
Thank you!
You can share the config switch?
Missing for example aaa authorization network default radius group?
Tags: Cisco Security
Similar Questions
-
Setup
Cisco Catalyst 2960-S running 15.0.2 - SE8
Under Centos freeRadius 6.4 RADIUS server
Client (supplicant) running Windows 7
When Windows client is connected to the port (port 12 in my setup) with authentication of 802. 1 x active switch, show of Wireshark that catalyst sends ask EAP and the client responds with EAP response. But it made not the request to the Radius server. The RADIUS test utility 'aaa RADIUS testuser password new-code test group' works.
Here is my config running. Any advice would be greatly appreciated.
#show running mySwitch-
mySwitch #show running-config
Building configuration...Current configuration: 2094 bytes
!
version 12.2
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname myswitch
!
boot-start-marker
boot-end-marker
!
activate the password secret 5 $1$ Z1z6$ kqvVYRQdVRZ0h8aDTV5DR0 enable password!
!
!
AAA new-model
!
!
AAA dot1x group group radius aaa accounting dot1x default start-stop radius authentication group!
!
!
AAA - the id of the joint session
1 supply ws-c2960s-24ts-l switch
!
!
!
!
!
control-dot1x system-auth
pvst spanning-tree mode
spanning tree extend id-system
!
!
!
!
internal allocation policy of VLAN no ascendant interface FastEthernet0 no stop ip address!
GigabitEthernet1/0/1 interface
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
switchport mode access
Auto control of the port of authentication
dot1x EAP authenticator
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
IP 10.1.2.12 255.255.255.0
!
IP http server
IP http secure server
activate the IP sla response alerts
recording of debug trap
10.1.2.1 host connection tcp port 514 RADIUS-server host 10.1.2.1 transport auth-port 1812 acct-port 1646 timeout 3 retransmit testing123 key 3.
Line con 0
line vty 0 4
password password
line vty 5 15
password password
!
endinterface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20Have you run wireshark on the server because the request to switch? If so you make sure that there is a response from the server? For Windows network POLICY Server (I've never tried Centos), you must ensure that the request is related to a policy which then authenticates, or denies access. Usually, it is a matter of such attributes and the seller.
Regarding the configuration, it seems a bit out of the AAA. Try to remove the:
line "aaa dot1x group service radius authentication" and this by using instead:
"aaa dot1x default radius authentication group". After the dot1x word you are supposed to provide a list of the authentication or the default Word if you do not want to use a list.
-
6248 FI Cisco's UCS with Cisco catalyst 2960 connectivity
In our environment, UCS, connects the two fabric as a Cisco Nexus 9 k switch upstream with vPC and it works well. But we need to isolate some virtual servers on the blades of the UCS on an entirely separate DMZ switch which is Cisco catalyst 2960.
(1) so can we connect cables separate physical twinax of FI uplink ports to catalyst 2960 and connectivity to the servers in the DMZ keeping YEW to nexus connectivity as it is?
(2) in this case, as there are 2 switches to nexus core 1 and 2 so we will require 2 cisco catalyst 2960 for disjoint such a network? or otherwise we can connect A FI and FI B to one on his 2 numbers 2960 switch. Gig SFP ports + 10?
(3) also suggest things must be taken in charge, the best guides practice or an illustration in this context.
The assignment is static and cannot be changed.
location 1 - uplink 1
slot 2 - uplink 2...
If a property has no blade, the corresponding uplink is not used and that can not be changed!
This dedication of uplinks of IOM is of course a lot of resources: cables, ports on FI, allowed port,...
-
Web authentication Catalyst 2960
Hello
I am trying to configure Web authentication relief on a catalyst 2960 switch. The goal is to authenticate customers via web authentication that are consistent (the part of 802. 1 x works fine) not 802. 1 x and allow them access to the network. The problem is that the web authentication seems to fail.
The equipment about my question: switch catalyst 2960 (version: 122 - 37.SE) and a FreeRadius.
Here's what happens:
The authentication window will appear in my browser and the access request is sent to the RADIUS.
The term RADIUS replies with an Access-Accept. Debugging running on the switch show that all this information is coming properly authentication and switch outputs debug a 'status = PASS' and permission to debug outputs a 'status = PASS_ADD'. Despite this the browser on the client generates a message "authentication failure".
I have read the manual and the Cisco attribute value pairs are mentioned: ' priv-lvl = 15' and «proxyacl...»» ». They are required to make it work? Given that I'm not setting up any authentication switch connection via RADIUS.
Any suggestions?
Thanks in advance
Yes, they are mandatory.
If priv-lvl = 15 is not returned to the switch, the user will see? Authentication failed? and the access list will not apply. If the source in the statements of proxyacl field is not? everything? or there are other errors of syntax, the user will see? Successful authentication? but the access list will not apply and the user will be denied access to the network.
Not sure about the configuration of specific FreeRADIUS, but you need to set up the? [026\009\001] Cisco av pair VSA. It should look like:
Priv-lvl = 15
proxyacl #10 = ip permit a whole
Let me know if this lets you squared
-
Aironet 1252 with catalyst 2960-8TC-L &; 1841 router compatibility
Hello
First of all they are togther a good combination?
I'll buy new ap 1252 and switch catalyst 2960-8TC-L my question can I connect the access point to 1 x 10/100/1000Base-T/SFP (mini-GBIC) (uplink) port?
because to work on ap with capacity 300 Mbps, it needs port 1000, I will use to power ap powerinjector.
It will be 15 sereve pc as a working group and 60 customers on wlan.
Concerning
Saher
Depending on the type of traffic and bandwidth customer requirements demand, you might need a couple more of ap which means you may have to settle for a switch of 24 ports. Cisco recommends 15-25 users by so, but still, you can have more if it's just e-mail and web browsing.
-
How acess catalyst 2960-s
The main method of management is the Cisco Network Assistant however if you need to use the console port, then use the supplied RJ45 to DB9 cable to connect to a local serial port.
Software wise, that it is possible to extract the 2 files HyperTerminal from a CD in Windows XP to run on a Win7 PC. The best alternative is a PuTTY terminal emulator.
-
not visible on the switch Catalyst 2960 vNIC...
Dear all,
I configured the UCS chassis with 5 blades and installed the esxi on all five blades...
I created a VNIC 10 per server and by now I have ip for esxi management by combining two NICs for and YEW is connected to the switch catalyst 2960. The uplinks are 1 Gig at the END and at the end of the switch... and I made these trunk at the end of the switch, all permitted the VLAN on the trunk link
I have configured all the VLANS on during vNIC based on a model and all of those selected. vlan1 is the vlan by default & selected the same.
Please help me to solve the problem... I got tired of all the means & could not able to find a solution.
Kind regards
Gopi G
Greetings.
Please confirm you learn your esxi mgmt addresses (VMK0 will inherit mac vnic UCSM) on FI: #connect nxos
#See table of mac addresses
Do the same on your 2960 switches. You see the mac addresses on the ports of 2960 connected for the UCSM uplinks?
Your uplinks UCSM go the 2960 into a port channel?
Thank you
Kirk
-
Hello
Can someone tell me a method of turning off the function of the Mode button on a catalyst 2960 to stop this reboot of the switch after being detained for 10 seconds? Even with a config full on the switch, the function "reset" always seems to bypass the config and clear/reload the switch.
Is it possible to disable this feature in the software?
Thank you very much
Charlie Read
Try the following command: no express installation
See the following link for more details on the order.
I hope this helps.
Steve
-
The Catalyst 2960 G switch configuration
Is it possible to configure a Catalyst 2960 G Switch to act as / be an unmanaged (no router) switch? If so, please provide detailed and simple instructions.
Hi @lcbalogh1,
I think that these switches are not routing compatible, but one thing... What you want to do is to have the switch set in a single broadcast domain (all ports in the same VLAN), right? If so, follow these steps:
- Disable the routing features with the configuration command global "don'tno ip Routing.
- If the first command is not accepted, type the "No dsm prefer lanbase-routing.
These two steps above to disable the routing features.
OK, to mark all the ports of the members of the same VLAN, you have a few options:
- You can leave all the default ports VLAN (VLAN 1)
- Or, you can configure all ports in another VLAN different
- switchport mode access
- access switchport vlan id - vlan>
Hope this is useful for you.
Rgrds,
Martin, computer scientist
-
Comments-vlan; Catalyst 2960
Hello
I would like to set up a guest - vlan and vlan restricted on a switch 2960, but I can't.
The version of IOS (hollow obtained: see version) is:
SW Version SW Image model switch ports
------ ----- ----- ---------- ----------
* 1 52 WS-C2960S-48 I/S-L 12.2 (53) SE2 C2960S-UNIVERSALK9-MI am configuring the interface using the following commands:
RAK-ASW01 #configurer
Configuration of terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
RAK-ASW01 (config) #interface gigabitEthernet 0/1/11
Access to RAK-ASW01(config-if) #switchport mode
Self control-port RAK-ASW01(config-if) #dot1x
RAK-ASW01(config-if) #dot1x comments - vlan 17
RAK-ASW01(config-if) #endthe result is the following, as if the comments - vlan only is not supported:
RAK-ASW01 #show dot1x interface gigabitEthernet 0/1/11
Dot1x Info GigabitEthernet1/0/11
-----------------------------------
EAP AUTHENTICATOR =
PortControl = AUTO
ControlDirection = both
HostMode = SINGLE_HOST
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30RAK-ASW01 #.
similar result is trying to set up a local network virtual auth failure.
the full configuration file is attached.
Many thanks in advance,
Wawan972_
Hello
You see it here. It is expected if you use this command.
How to see he uses 'show interface running x/x' and see if configuration commands are there, or if there is already a device on the port if you use the command 'show the interface of the x/x authentication session' and see if the vlan comments is used or not.
HTH,
Tiago--
If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.
-
Reviews for iSCSI NFS e 3100 &; Catalyst 2960-S vs?
I'll put up my first SAN, a 3100 e with 2 NICs by MS. We chose a pile of Cisco 2960-S for redundancy at the network level, and during the planning phase, I had chosen to use NFS. E does not deduplication with iSCSI support (someone?), and the performance is roughly equal to this environment. It is 3 guests with approximately 15 production MV; I expect a usage rate of 20% per host based on statistics collected from the current production environment.
The glitch is 2960-S is limited to 6 ports-channels, even in a pile! Initially, my plan was simple enough, and a commercial engineer. Create channel-port on each host to storage traffic and traffic VM vMotion/HA. Each of them would be 2 gigabit NIC in a VLAN dedicated. But, now that I have that 6 Channel ports to work with, what is the best solution? I would go with NFS, if possible, but I can't understand a good way to provide a high availability and balancing at the network level (yes I know that the effectiveness of IP hash is questionable in a port channel).
In the past, I have Setup iSCSI multipathing in environments of test with good results, but it is a little more complex that I want to get for such a small environment, and we lose deduplication.
Is back to the original question - possible to NFS, highly available, without aggregation of links? I am referring to each element of the stack - host, network and SAN. Is there another method would you recommend, and if so, why?
A few thoughts I had:
Wouldn't be better to put the vMotion/HA NIC on access ports with 1 NIC in standby mode and use the port for NFS instead channels? Once the environment is fully migrated, I expect vMotion will be made during failures and maintenance periods.
If I assigns an IP address to a store NFS SP A and it fails, MS B will remain passive until a failure and then take control of this IP/action? Or the store NFS appears twice in my list of data stores?
Thanks for your comments!
Here is my attempt at bad taking a picture to help visualize this
I had to redact the names and IP addresses
MGMT use vmnic1 as a primary vmnic5, as a backup. It is the VLAN 125
vMOTION uses vmnic5 as a primary vmnic1, as a backup. It is 126 VLAN.
vmnic1 and vmnic5 are shared resources at the level of the physical switch to allow the 125 & 126 VLAN.
-
Hi Experts,
I have some confusion with the button Mode with cisco 2960/3560 switches.
I read on many forums and articles, but where things are not clear.
a place given 3 seconds and somewhere is given 7 or 10 seconds.
Qus1), what is the exact time to press/hold Mode button to perform two following tasks:
A. password recovery (according to my knowledge 3 sec) good or bad?
Configuration of the switch (start + run) would be safe
After the recovery of password? Yes or no
B. factory default (according to my knowledge 10 dry) good or bad?
I'm afraid, because if I press mode button more than 3 seconds, then
It will delete any configuration of cisco switch. Yes or no
Qus2) I want to recover the catalyst 2960/3560 switch password without
Start/run configuration to lose. That is my main concern.
Please tell me how to do this, what will be the time keeping Mode buttom
in a few seconds?
Qus3) which means this line
"If the password recovery mechanism is disabled in switch
then you will lose all the config.
This sentence has been given on this forum url
https://supportforums.Cisco.com/thread/140848
KS
Attach a terminal or PC with terminal emulation (for example, Hyper Terminal) port console switch.
Use the following terminal settings:
Bits per second (baud): 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: Xon/Xoff
Note: For more information on the wiring and connection of a terminal to the console port, refer to connecting a Terminal to the Console Port of Catalyst switches.
Unplug the power cable.
The power switch and take it to the switch: command prompt:
2900XL, 3500XL, 2940, 2950, 2960, 2970, 3550, 3560, and 3750 switches of the series, to do this:
Press and hold the mode button located on the left side of the façade, while you reconnect the power cable from the switch.
2960, 2970 Release the Mode button when the SYSTEM LED flashes orange and then turns green. When you release the Mode button, the SYSTEM LED flashes green. 3560, 3750 Release the Mode button after about 15 seconds when the SYSTEM LED turns green. When you release the Mode button, the SYSTEM LED flashes green. The system was interrupted before the flash at the end file system initialization
loading the operating system software:
flash_init
load_helper
boot
switch:
Run the flash_init command.
switch: flash_init Initializing Flash... flashfs[0]: 143 files, 4 directories flashfs[0]: 0 orphaned files, 0 orphaned directories flashfs[0]: Total bytes: 3612672 flashfs[0]: Bytes used: 2729472 flashfs[0]: Bytes available: 883200 flashfs[0]: flashfs fsck took 86 seconds ....done Initializing Flash. Boot Sector Filesystem (bs:) installed, fsid: 3 Parameter Block Filesystem (pb:) installed, fsid: 4 switch: !--- This output is from a 2900XL switch. Output from !--- other switches will vary slightly.
Run the load_helper command.
switch: load_helper switch:
Question the dir flash: command.
Note: Be sure to type a colon ":" after the dir flash.
Appears in the file system of the switch:
switch: dir flash: Directory of flash:/ 2 -rwx 1803357 c3500xl-c3h2s-mz.120-5.WC7.bin !--- This is the current version of software. 4 -rwx 1131 config.text !--- This is the configuration file. 5 -rwx 109 info 6 -rwx 389 env_vars 7 drwx 640 html 18 -rwx 109 info.ver 403968 bytes available (3208704 bytes used) switch: !--- This output is from a 3500XL switch. Output from !--- other switches will vary slightly.
Type rename flash: flash: config.old config.text to rename the configuration file.
switch: rename flash:config.text flash:config.old switch: !--- The config.text file contains the password !--- definition.
Issue the boot command to boot the system.
switch: boot Loading "flash:c3500xl-c3h2s-mz.120-5.WC7.bin"...############################### ################################################################################ ###################################################################### File "flash:c3500xl-c3h2s-mz.120-5.WC7.bin" uncompressed and installed, entry po int: 0x3000 executing... !--- Output suppressed. !--- This output is from a 3500XL switch. Output from other switches !--- will vary slightly.
Enter "n" at the prompt to abort the initial configuration dialog box.
--- System Configuration Dialog --- At any point you may enter a question mark '?' for help. Use ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'. Continue with configuration dialog? [yes/no]: n !--- Type "n" for no. Press RETURN to get started. !--- Press Return or Enter. Switch> !--- The Switch> prompt is displayed.
At the switch prompt, type en to enter a mode.
Switch>en Switch#
Password recovery
Type rename flash: config.old flash: config.text to rename the configuration file with its original name.
Switch#rename flash:config.old flash:config.text Destination filename [config.text] !--- Press Return or Enter. Switch#
Copy the configuration file in the memory.
Switch#copy flash:config.text system:running-config Destination filename [running-config]? !--- Press Return or Enter. 1131 bytes copied in 0.760 secs Sw1#
The configuration file is now reloaded.
Replace the current passwords that you do not know. Choose a password with at least one capital letter, one number and one special character.
Note: Replace passwords that are required. You must crush not all passwords listed.
Sw1# conf t !--- To overwrite existing secret password Sw1(config)#enable secret !--- To overwrite existing enable password Sw1(config)#enable password !--- To overwrite existing vty password Sw1(config)#line vty 0 15 Sw1(config-line)#password Sw1(config-line)#login !--- To overwrite existing console password Sw1(config-line)#line con 0 Sw1(config-line)#password
Write the running configuration in the configuration file with the write memory command.
Sw1#write memory Building configuration... [OK] Sw1#
For factory reset:
do not give under the control of factory reset
Switch#copy flash:config.text system:running-config
can I copy the running configuration to Flash
Switch flash running-config #copy:
Destination file name [running-config]?
Building configuration...
[OK]
Switch #copy running-config startup-config
Name of destination file [startup-config]?
Building configuration...
[OK]
Review the link for more information below
Please note the useful messages.
Concerning
Vesta
"Everybody is genius." But if you judge a fish by its ability to climb on a tree, he will live his entire life, believing that this is stupid. " -
Make a choice of switching - catalyst 500/520/ESW Linksys SRW / SFE
Hello someone would be able to clarrify please where Cisco takes in what concerns the SMB switching product portfolio that I'm getting a little confussed.
My estimate that we currently have available that which follows to the SMB market, has decided there is a price difference significant between some of the product lines, but it seems that the choice when choosing a suitable switch fades a bit and starts to go down in price rather than the features and performance characteristics.
- Cisco Catalyst Express 500 series switches
- Cisco Catalyst Express 520 series switches
- Cisco Small Business Pro ESW 500 series switches
- Cisco Small Business Managed switch (Linksys Business Series)
- Cisco Small Business Smart switch (Linksys Business Series)
- Cisco Catalyst 2960 Series switches
- Can I ask if there are plans to merge some of the ranges of products like the 500 and 520, which are the two similiarly priced, managed in almost the same way and have the same function defined.
- Are there plans for the ESW line replace the Linksys SRW/SFE and Cisco 500/520 existing equivalents?
- I would correct assuming the ESW line runs the Code of IOS?
Any help would be appreciated.
Concerning
Mark Rigby
Mark,
Big questions. Thanks for posting.
1. Yes, you can expect that over time, the ESW 500 series will replace the Catalyst Express series.
2. There are no plans for the series of ESW 500 replace SRW/SFE switches. These product families are somewhat overlapping, but intended for different types of SME customers and partners VAR.
3. you are incorrect in assuming that the ESW is base IOS. It is not the case.
The attached PDF provides a comparison of high-level Cisco switches that sell on SMB.
Thank you
Florian
-
Modules SFP to use on catalyst 3650-24TD-E
Hello
We intend to buy a catalyst 3650-24TD-E switches, and I would be about to buy the good modules SFP and SFP + for it. As you know, this switch model supports 2 1 Gigabit SFP and 2-port 10 Gigabit SFP + uplink.
We have already other catalyst 2960 switch with SFP GLC-SX-MM modules for uplink connections.
What SFP / SFP + models you recommend?
Best regards
What SFP / SFP + models you recommend?
GLC-SX-MMD
-
AAA w/RSA: "any type of permission...". »
I've set up a router and a switch to AAA using a server RADIUS of RSA. Both are RSA 'Agent hosts' with identical configurations. Router (2621XM/EntServ Version 12.4 (18)) and switch (3560-24PS/IPBase - 12.2 (25) SEB2) have identical configs AAA, and RADIUS/RSA is very well regarding the access code will be accepted. But the switch won't let me:
**********************
User name:
Password:
PASSWORD accepted
% Failed authorization.
**************************
When I do "deb radius authentication" on each, the outputs are the same until the last 2 lines. The router that works says:
000055.: Jan 16 12:22:51 CEST: RADIUS (00000005): receipt of id 1645/3
000056:. Jan 16 12:22:51 IS: RADIUS/DECODE: fragments of response Message, 19, total 19 bytes
But the switch says:
000284: Jan 16 12:20:47 UTC: RADIUS: saved the authorization for user 3030220 to 3034440 data
000285: Jan 16 12:20:47 UTC: RADIUS: no type of permission for the user.
The only other difference I can think of is that I use ssh for router and switch telent (IPBase apparently no habla "crypto", I could use another IOS I think.)
Any clue? TIA
Paul
If I were you, I would like to 'disable' permission
on the catalyst 3560. I n an identical
Setup like yours on mine Catalyst 2960 and it
works very well. See below:
[[email protected] / * / root] # telnet 192.168.0.5
192.168.0.5 by train...
Connected to 192.168.0.5 (192.168.0.5).
[Escape character is ' ^]'.
C
*****************
User access audit
Username: test4
Password:
Enter your new PIN, containing 4-8 digit.
or
to cancel the procedure of the new PIN:
Please re - enter new PIN code:
Wait for the code on your card to change, and then sign in with the new PIN code
Enter the PASSWORD:
C2960 #sh worm
Cisco IOS software, software C2960 (C2960-LANBASEK9-M), Version 12.2 (25) SEE4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Updated Tuesday 16 July 07 02:53 by myl
Image text-base: 0 x 00003000, database: 0x00CC0000
ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) 12.2 (25r) the SEE1, release SOFTWARE (fc1)
C2960 uptime is 2 weeks, 6 days, 14 hours, 10 minutes
System to regain the power ROM
System restarted at 23:20:30 GMT Wednesday, December 26, 2007
System image file is "flash: c2960-lanbasek9 - mz.122 - 25.SEE4.bin".
This product contains cryptographic features and is under the United States
States and local laws governing the import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third party approval to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. laws and local countries. By using this product you
agree to comply with the regulations and laws in force. If you are unable
to satisfy the United States and local laws, return the product.
A summary of U.S. laws governing Cisco cryptographic products to:
http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html
If you need assistance please contact us by mail at
processor of WS-C2960G-24TC-L (PowerPC405) Cisco (revision B0) with 61440K / 4088K bytes of memory.
Card processor ID FOC1036X0F1
Last reset of tension
2 virtual Ethernet interfaces
24 gigabit Ethernet interfaces
Password recovery mechanism is activated.
64K bytes of memory simulated by flash not volatile configuration.
Basic Ethernet MAC address: 00:19:55:1 B: D6:00
Number of the motherboard: 73-10015-05
Power supply part number: 341-0098-02
Motherboard serial number: FOC10352NF2
Power supply serial number: AZS103402ZF
Revision number of the model: B0
Motherboard revision number: B0
Model number: WS-C2960G-24TC-L
System serial number: FOC1036X0F1
Top Assembly part number: 800-26673-02
Top of page revision number of the Assembly: C0
Version ID: V02
CLEI Code number: COM3G00BRA
Revision number of hardware consulting: 0x01
SW Version SW Image model switch ports
------ ----- ----- ---------- ----------
* 1 WS-C2960G-24TC-L 12.2 24 (25) SEE4 C2960-LANBASEK9-M
Configuration register is 0xF
C2960 #sh run | AAA Inc.
AAA new-model
AAA RADIUS local group authentication connection test
AAA authentication login test1 group Ganymede + local
AAA authentication login notac local
Group AAA dot1x default authentication RADIUS
AAA - the id of the joint session
C2960 #.
CCIE Security
Maybe you are looking for
-
Difficulty of the spectrum Tv App
FFIX spectrum tv app
-
can I save my updates downloaded (after installation) to later reinstall again?
I downloaded and installed my last round of updates for xp (intend to continue to use this old machine offline until it dies because I still love him). If at some point in the future, I want to reinstall the system from scratch, I can save the update
-
"Waiting for socket available...". »
After the AC1200 of LINKSYS router I can not load some sites in my Chrome.Chrome status bar continues to display: "Waiting for socket available...". "One of the Web sites not available for me is more Google search resutls. It works well with the prev
-
ISATAP adapter 3 deleted from my computer.
I did a diagnostic check on my computer so that the ISATAP 3 card does not work and windows cannot load the drivers required devices (Code 31). I was told, by yourself, the computer would operate satisfactorily without this adapter. However, mine
-
I have a desktop computer and a laptop. Both use the same router. The laptop does not connect to the network, but the office has no problem. My wireless adapter on the laptop is on, I tried troubleshooting. I tried to turn it off for 30 seconds then