Mac-auth-bypass fails, MAC: 0000.0000.0000
I have an old JetDirect which does not support 802.1x. I enabled MAB on the port where it connects, but for some reason it fails MAB every time. I enabled debug dot1x and pasted the output below. I know my dot1x config is good... I have clients who authenticate via RADIUS to my ACS server. I also have a different port using MAB (not a JetDirect), and the two ports are configured the same way. From the debugs, it seems the switch isn't gleaning the MAC of the JetDirect. Any ideas? It is a 3750 with 12.2(44)SE2. I tried shut/no shut on the interface and resetting the JetDirect; nothing seems to work. I see no request on my ACS server for the MAC address of the device.
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.168.x.x auth-port 1645 acct-port 1646
interface FastEthernet2/0/31
 description white A002
 switchport access vlan 112
 switchport mode access
 switchport voice vlan 800
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x mac-auth-bypass eap
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x violation-mode restrict
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 10
 spanning-tree portfast
 spanning-tree bpduguard enable
012729: May 5 14:51:31.672: dot1x-packet:dot1x_txReq: EAPOL packet sent to default authenticator
012730: May 5 14:51:32.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/31, changed state to
012731: May 5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
012732: May 5 14:51:33.727: dot1x-sm:Posting EAP_REQ on Client=4219220
012733: May 5 14:51:33.727: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7(eapReq)
012734: May 5 14:51:33.727: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request -> auth_bend_request
012735: May 5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_request_action called
012736: May 5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_enter called
012737: May 5 14:51:33.727: dot1x-packet:dot1x_mgr_send_eapol: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
012738: May 5 14:51:33.727: dot1x-ev:FastEthernet2/0/31: Sending EAPOL packet to group PAE address
012739: May 5 14:51:33.727: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet2/0/31.
012740: May 5 14:51:33.727: dot1x-registry:registry:dot1x_ether_macaddr called
012741: May 5 14:51:33.727: dot1x-ev:dot1x_mgr_send_eapol: EAPOL packet sent out on FastEthernet2/0/31
012742: May 5 14:51:33.727: EAPOL pak Tx dump
012743: May 5 14:51:33.727: EAPOL Version: 0x2 type: 0x0 length: 0x0005
012744: May 5 14:51:33.727: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
012745: May 5 14:51:33.727: dot1x-packet:dot1x_txReq: EAPOL packet sent to default authenticator
012746: May 5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012747: May 5 14:51:35.791: dot1x-sm:Posting EAP_TIMEOUT on Client=4219220
012748: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12(eapTimeout)
012749: May 5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request -> auth_bend_timeout
012750: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter called
012751: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action called
012752: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: idle during state auth_bend_timeout
012753: May 5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_timeout -> auth_bend_idle
012754: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
012755: May 5 14:51:35.791: dot1x-sm:Posting AUTH_TIMEOUT on Client=4219220
012756: May 5 14:51:35.791: dot1x_auth Fa2/0/31: during state auth_authenticating, got event 15(authTimeout)
012757: May 5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012758: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
012759: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_enter called
012760: May 5 14:51:35.791: dot1x_auth_mab: initial state mab_initialize has enter
012761: May 5 14:51:35.791: dot1x_auth_mab: during state mab_initialize, got event 2(mabStart)
012762: May 5 14:51:35.791: @@@ dot1x_auth_mab: mab_initialize -> mab_acquiring
012763: May 5 14:53:08.831: dot1x_auth_mab: during state mab_acquiring, got event 3(mabResult) (ignored)
HQ_1stFlr_3750#sh dot1x int fa2/0/31 det
Dot1x Info for FastEthernet2/0/31
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_DOMAIN
Violation Mode            = RESTRICT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 10
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 2
RateLimitPeriod           = 0
Mac-Auth-Bypass           = Enabled (EAP)
Inactivity Timeout        = None
Dot1x Authenticator Client List Empty
Port Status               = UNAUTHORIZED
Does the JetDirect card use DHCP to get an IP address? If not, the JetDirect won't produce any traffic towards the switch to authenticate with. To test this, use the front panel of the printer to send a ping and see if it triggers MAB.
Tags: Cisco Security
Similar Questions
-
MAC-based groups error: "There are no resources for this range"
Hello
I have an SG300-52. My goal is a setup where a client can connect to any port and is automatically placed in a VLAN depending on its MAC address.
For this I set up some VLANs.
Vlan  Name  Ports                    Created by
----  ----  -----------------------  ----------
1     1     gi1-46, gi48-52, Po1-8   D
10    10    gi1-46, gi48, gi51       S
20    20    gi1-46, gi48, gi51       S
30    30    gi1-46, gi48, gi51       S
All ports where clients can connect have these VLANs configured as untagged.
I have about 40 MACs that I want to put into the VLANs dynamically. So I set up a MAC-group to VLAN mapping:
conf t
interface range gi1-46
switchport mode general
switchport general map mac-group 5 vlan 5
switchport general map mac-group 10 vlan 10
switchport general map mac-group 20 vlan 20
switchport general map mac-group 30 vlan 30
Now I want to add MAC addresses to the MAC groups:
map mac 0000.0000.2222 host mac-group 10
But after adding a few MACs, I get the error "There are no resources for that range."
Is there a limitation on the number of MAC addresses in a MAC group?
Please advise how to proceed, or whether there is another way to achieve the goal.
Tobias
Hello Tobias,
There is a limitation on the number of MAC addresses that can be added to a MAC group and applied to interfaces. Each MAC entry per interface consumes a single configurable TCAM resource (the max allowed is around 500, I think). So if you have 10 MAC addresses applied across 48 ports, that's 480 TCAM entries. This assumes you have no other rules (ACL, MAC ACL etc.) configured. If you have a large number of MAC addresses that need static VLAN assignment, the best approach would be to use dot1x-based authentication VLAN assignment. It would be a scalable approach.
I hope this helps.
Nana
-
Rejected MAC addresses are not placed in the guest VLAN
Hi all
I'm kind of new to switches and have learned a lot by reading the documentation sites. My job is to enable AAA authentication on our Cisco switches; we have a 3750 stack, a few 3560s and some 3550s. I'm testing on one of the 3560s, a WS-C3560G-48PS running 12.2(53)SE1 IP-BASE. Next week I'll upgrade the firmware to 12.2(55), but with this version everything should already work.
Basically, the only thing I've been asked to do at the moment is the MAC-Auth Bypass configuration. If the MAC address is accepted, RADIUS returns the VLAN the device should be placed in, for the most part VLAN 4.
If the RADIUS server (freeradius v2.1.10) sends a reject (see below), the port is not set to the guest VLAN, as I expected.
19  12/21/10 4:23:19.000 PM  Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
- Host=10.1.1.207
- SourceType=syslog
- source=udp:514
- client_mac=(f0de.f119.9870)
- client_action=FAIL
- LINEPROTO_LINK=AUTHMGR-5
20  12/21/10 4:23:19.000 PM  Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
- Host=10.1.1.207
- SourceType=syslog
- source=udp:514
- client_mac=(f0de.f119.9870)
- client_action=NOT
- LINEPROTO_LINK=MAB-5
21  12/21/10 4:23:18.000 PM  Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
- Host=10.1.1.207
- SourceType=syslog
- source=udp:514
- client_mac=(f0de.f119.9870)
- client_action=START
- LINEPROTO_LINK=AUTHMGR-5
Can someone tell me where I'm wrong?
Thank you
Chris
Relevant parts of the running-config:
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
!
dot1x system-auth-control
!
interface GigabitEthernet0/29
 description 235a
 switchport mode access
 switchport voice vlan 2
 load-interval 30
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 authentication event fail action authorize vlan 7
 authentication event server dead action authorize vlan 4
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AutoQoS-Police-CiscoPhone
!
interface Vlan1
 ip address 10.1.1.207 255.255.255.0
!
interface Vlan2
 ip address 10.1.10.207 255.255.255.0
!
ip default-gateway 10.1.1.201
ip classless
!
ip sla enable reaction-alerts
radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
radius-server timeout 10
radius-server key 7 <key omitted>
radius-server vsa send accounting
radius-server vsa send authentication
!
end
VLAN information:
VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------------
1    default                          active    Gi0/6, Gi0/8, Gi0/14, Gi0/15
                                                Gi0/18, Gi0/21, Gi0/29, Gi0/30
                                                Gi0/34, Gi0/36, Gi0/37, Gi0/49
                                                Gi0/50, Gi0/51
2    voice                            active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                Gi0/42, Gi0/43, Gi0/44, Gi0/45
                                                Gi0/46, Gi0/47, Gi0/49
3    video                            active
4    DHCP                             active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/7, Gi0/9, Gi0/10
                                                Gi0/11, Gi0/12, Gi0/13, Gi0/16
                                                Gi0/17, Gi0/19, Gi0/20, Gi0/22
                                                Gi0/23, Gi0/24, Gi0/25, Gi0/26
                                                Gi0/27, Gi0/28, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/35, Gi0/38, Gi0/39
                                                Gi0/40, Gi0/41, Gi0/42, Gi0/43
                                                Gi0/44, Gi0/45, Gi0/46, Gi0/48
5    transfer                         active
6    Test ESX                         active
7    GUEST-VLAN                       active
999  native                           active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
6    enet  100006     1500  -      -      -        -    -        0      0
7    enet  100007     1500  -      -      -        -    -        0      0
999  enet  100999     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trbrf 101005     4472  -      -      15       ibm  -        0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7       7       off

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Hello
Just to use the correct names: what you want is an auth-fail VLAN (which you configured correctly). The guest VLAN is for PCs that have no dot1x capability (do not respond to dot1x packets), but with MAB the "no-response" event will never happen.
Now that we have explained that, your config actually looks quite OK. I'd go with debugs to check what the problem is.
debug radius
debug epm all
debug authentication feature mab all
debug authentication feature mda all
Nicolas
===
Remember to rate responses that you find useful
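To triage %AUTHMGR/%MAB syslog lines like the ones quoted above at scale, here is an added example (not from the thread) that groups the events by AuditSessionID and gives each session a verdict, including the case where a Reject is followed by the server-dead fallback and a VLAN assignment. The sample lines are constructed to match the message formats in the question; the MAC addresses of the second and third sessions and the third session id are constructed.

```python
"""Group Cisco %AUTHMGR / %MAB syslog lines by AuditSessionID and flag the outcome.

Added example, not part of the thread. Sample lines below are constructed to match the
message formats quoted in the question (START, MAB-5-FAIL, AUTHMGR-5-FAIL, AUTHMGR-7-RESULT,
AUTHMGR-5-VLANASSIGN, AUTHMGR-5-SUCCESS); the MACs 0011.2233.* and session id
0A0101CF000000A0CAFE0001 are constructed values.
"""
import re
from collections import OrderedDict

# One regex for the shared tail of these messages. The client MAC is optional because
# VLANASSIGN carries none, and the preposition is "on" or "to" depending on the message.
EVENT_RE = re.compile(
    r"%(?P<msg>[A-Z0-9]+-\d-[A-Z]+): (?P<text>.*?)"
    r"(?: for client \((?P<mac>[0-9a-fA-F.]+)\))?"
    r" (?:on|to) Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)
VLAN_RE = re.compile(r"VLAN (\d+) assigned")
RESULT_RE = re.compile(r"result '([^']+)'")

SAMPLE_LINES = [
    # Session 1 (from the question): MAB rejected, nothing authorized
    "2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B",
    "2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B",
    "2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B",
    # Session 2 (constructed MAC): Reject, then the switch took the server-dead path and authorized VLAN 4
    "001781: *Mar  1 10:27:35.606 CET: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.4455) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC",
    "001787: *Mar  1 10:27:35.622 CET: %MAB-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC",
    "001793: *Mar  1 10:27:35.622 CET: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0011.2233.4455) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC",
    "001794: *Mar  1 10:27:35.622 CET: %AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC",
    "001795: *Mar  1 10:27:36.512 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC",
    # Session 3 (constructed): a normal MAB success with VLAN 7 assigned
    "000101: *Mar  1 10:30:00.000 CET: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.6677) on Interface Gi0/31 AuditSessionID 0A0101CF000000A0CAFE0001",
    "000102: *Mar  1 10:30:00.050 CET: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.6677) on Interface Gi0/31 AuditSessionID 0A0101CF000000A0CAFE0001",
    "000103: *Mar  1 10:30:00.060 CET: %AUTHMGR-5-VLANASSIGN: VLAN 7 assigned to Interface Gi0/31 AuditSessionID 0A0101CF000000A0CAFE0001",
    "000104: *Mar  1 10:30:00.070 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.6677) on Interface Gi0/31 AuditSessionID 0A0101CF000000A0CAFE0001",
    # Unrelated line: carries no AuditSessionID, so the parser skips it
    "000105: *Mar  1 10:30:01.000 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/31, changed state to up",
]


def parse_events(lines):
    """Yield one dict per recognised line; lines without the AUTHMGR/MAB tail are skipped."""
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            yield m.groupdict()


def verdict(session):
    """Classify one session from the messages seen for it."""
    msgs = session["msgs"]
    if "MAB-5-FAIL" in msgs and session["result"] == "server dead":
        # The RADIUS server did answer (with a Reject), yet the switch took the
        # server-dead path and authorized the port anyway. The critical VLAN is an
        # emergency path, so this is worth a look rather than a quiet success.
        return "REVIEW: Access-Reject followed by server-dead fallback authorization"
    if "MAB-5-FAIL" in msgs and "AUTHMGR-5-FAIL" in msgs:
        return "DENIED: MAB rejected, port not authorized"
    if "AUTHMGR-5-SUCCESS" in msgs:
        return "OK: authorized"
    return "INCOMPLETE: no final result seen"


def summarise_sessions(lines):
    """Return {AuditSessionID: {mac, intf, vlan, result, msgs, verdict}} in first-seen order."""
    sessions = OrderedDict()
    for ev in parse_events(lines):
        s = sessions.setdefault(
            ev["sid"], {"mac": None, "intf": ev["intf"], "vlan": None, "result": None, "msgs": []}
        )
        s["msgs"].append(ev["msg"])
        if ev["mac"]:
            s["mac"] = ev["mac"]
        if ev["msg"] == "AUTHMGR-5-VLANASSIGN":
            s["vlan"] = int(VLAN_RE.search(ev["text"]).group(1))
        if ev["msg"] == "AUTHMGR-7-RESULT":
            r = RESULT_RE.search(ev["text"])
            s["result"] = r.group(1) if r else None
    for s in sessions.values():
        s["verdict"] = verdict(s)
    return sessions


if __name__ == "__main__":
    for sid, s in summarise_sessions(SAMPLE_LINES).items():
        print(f"{sid}  {s['intf']:<7} {s['mac'] or '-':<15} vlan={s['vlan']}  {s['verdict']}")
```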
-
Dot1x Guest VLAN / Auth-Fail VLAN issues
Hi all
I'm configuring dot1x on our access-layer switch ports and have a few problems with devices that fail authentication. This is the current configuration on the switch ports:
switchport mode access
switchport voice vlan 38
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x timeout server-timeout 10
dot1x timeout reauth-period server
dot1x timeout tx-period 10
dot1x timeout supp-timeout 3
dot1x max-req 3
dot1x max-reauth-req 3
dot1x reauthentication
dot1x critical
dot1x critical recovery action reinitialize
dot1x auth-fail vlan 7
dot1x guest-vlan 7
dot1x critical vlan 36
spanning-tree portfast
spanning-tree bpduguard enable
When a non-employee connects, they go through the authentication process, eventually fail dot1x and MAB, and are placed in the designated guest VLAN 7. If you do a "show int gx/x status" on this port, the switch shows it connected and in VLAN 7. If you do a "show dot1x int gx/x details" it also shows the port as authorized (by Guest-Vlan) and the VLAN policy is 7. The problem is that the user never gets a valid IP address; they only receive a 169.x.x.x. Has anyone had experience with this type of issue or any recommendations?
Thank you
Brian
- First of all, your switch commands tell me you are using old software on your switch; you should upgrade it first of all, there have been a lot of bug fixes and improvements to dot1x/mab in recent versions.
- Your problem is probably that the DHCP client of your guest is timing out before you are finished with dot1x and mab; usually adjusting tx-period to a lower number can help the time it takes before joining the guest VLAN, but it could also have an impact on your computers running dot1x, so you should try some different values. Also, using Windows XP SP3 or Windows 7 helps on your dot1x machines, and finally, using the AnyConnect NAM supplicant, it will operate properly without any problems when setting the dot1x timers on your switch.
- With the new software I'd go with default timers, perhaps change tx-period to 5 seconds, and then use the "authentication order mab dot1x" and "authentication priority mab dot1x" commands; also, having your guest VLAN as your default VLAN will generally also solve the problem of the guests having to do a new DHCP request, however you can run into problems with stuff you want to use mab on.
-
Cisco ASA 5510 - IOS upgrade from 7.0 failing: BIOS flash not found
Hello everyone
I have a Cisco ASA 5510 in a lab environment with no configuration whatsoever.
Objective: upgrade the IOS from the current version 7.0(8) to 7.1.1 (possibly go to 8.2 after a memory upgrade on the ASA from 256 MB to 1 GB, and then move to the latest 8.2 IOS version).
See the attached show version output.
See the attached show flash output.
asa711-k8.bin is the file that was copied from a TFTP server to flash.
The following commands were executed in order to update the IOS:
ciscoasa(config)# boot system flash:/asa711-k8.bin
INFO: Converting flash:/asa711-k8.bin to disk0:/asa711-k8.bin
ciscoasa(config)#
ciscoasa(config)# end
ciscoasa# write memory
Cryptochecksum: aaaa08ce ccde38f2 19c42e08 dea24cbd
2713 bytes copied in 1.450 secs (2713 bytes/sec)
[OK]
ciscoasa# reload
PROBLEM: the ASA goes into an infinite loop (boot loop). This is the message on the console:
Booting system, please wait...

CISCO SYSTEMS
Embedded BIOS Version 1.0(11)5 08/28/08 15:11:51.82
Low Memory: 631 KB
High Memory: 256 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  00  00   8086   2578  Host Bridge
 00  01  00   8086   2579  PCI-to-PCI Bridge
 00  03  00   8086   257B  PCI-to-PCI Bridge
 00  1C  00   8086   25AE  PCI-to-PCI Bridge
 00  1D  00   8086   25A9  Serial Bus         11
 00  1D  01   8086   25AA  Serial Bus         10
 00  1D  04   8086   25AB  System
 00  1D  05   8086   25AC  IRQ Controller
 00  1D  07   8086   25AD  Serial Bus         9
 00  1E  00   8086   244E  PCI-to-PCI Bridge
 00  1F  00   8086   25A1  ISA Bridge
 00  1F  02   8086   25A3  IDE Controller     11
 00  1F  03   8086   25A4  Serial Bus         5
 00  1F  05   8086   25A6  Audio              5
 02  01  00   8086   1075  Ethernet           11
 03  01  00   177D   0003  Encrypt/Decrypt    9
 03  02  00   8086   1079  Ethernet           9
 03  02  01   8086   1079  Ethernet           9
 03  03  00   8086   1079  Ethernet           9
 03  03  01   8086   1079  Ethernet           9
 04  02  00   8086   1209  Ethernet           11
 04  03  00   8086   1209  Ethernet           5

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(11)5) #0: Thu Aug 28 15:23:50 CDT 2008

Platform ASA5510

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Launching BootLoader...
Boot configuration file contains 1 entry.

Loading disk0:/asa711-k8.bin... Booting...
256MB RAM
Total SSMs found: 0
Total NICs found: 7
mcwa i82557 Ethernet at irq 11 MAC: 0024.974a.65af
mcwa i82557 Ethernet at irq 5 MAC: 0000.0001.0001
BIOS flash not found.
Reset...
The only way for me to get things back to normal is to BREAK the boot sequence with ESC and go into ROMMON mode. I then issue a boot command for the ASA to boot with the default 7.0(8) IOS image.
Can someone please explain what the problem is here?
Apologies if I'm missing something obvious; I'm not an expert on the ASA.
It looks like the ASA is hitting a field notice: fn62378. The FN is due to an incompatible combination of hardware and software versions. Please upgrade to version 7.1.2 instead of 7.1.1. If you plan to go to 8.2, then instead of going to 7.1.2 you could go to 7.2.5 (recommended), then 8.2.5.
http://www.Cisco.com/c/en/us/support/docs/field-notices/620/fn62378.html
Hope this helps.
Kind regards
Akshay Rouanet
Remember to rate useful messages.
-
Hi all
First of all, I don't have much experience with configuring Cisco switches (about half a year now) but I have read loads and loads of documentation.
I am trying to configure multi-domain authentication (MDA) on our Cisco switches using MAB and have run into something strange. Currently only MAB is requested by my employer.
Switch = 3560G-48, IOS version 12.2(55)SE1
RADIUS = FreeRADIUS (version 2.1.10)
On port Gi0/29 a Cisco 7961 IP phone is connected, and a laptop is plugged into the phone.
The switch configuration:
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
!
interface GigabitEthernet0/29
 description 235a
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 2
 load-interval 30
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 authentication event fail retry 0 action authorize vlan 7
 authentication event server dead action authorize vlan 4
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 mab
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AutoQoS-Police-CiscoPhone
!
radius-server dead-criteria time 5 tries 5
radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
radius-server key 7 xxx
radius-server vsa send accounting
radius-server vsa send authentication
RADIUS response (for the full reply see the attached RADIUS-response.txt):
Sending Access-Accept of id 98 to 10.1.1.207 port 1645
	Cisco-AVPair = "Tunnel-Type=VLAN"
	Cisco-AVPair = "Tunnel-Medium-Type=802"
	Cisco-AVPair = "Tunnel-Private-Group-ID=7"
	Cisco-AVPair = "Tunnel-Preference...
So that is an Access-Accept with data VLAN assignment.
Debugging on the switch:
001776: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Received MAB context create from AuthMgr
001777: *Mar 1 09:27:35.606: mab-ev(Gi0/29): MAB authorizing MACAddress
001778: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Created MAB client context 0x2200000F
001779: *Mar 1 09:27:35.606: mab : initial state mab_initialize has enter
001780: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Sent create new context event to EAP for 0x2200000F (MACAddress)
001781: *Mar 1 10:27:35.606 CET: %AUTHMGR-5-START: Starting 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001782: *Mar 1 09:27:35.606: mab-sm(Gi0/29): Received event 'MAB_CONTINUE' on handle 0x2200000F
001783: *Mar 1 09:27:35.606: mab : during state mab_initialize, got event 1(mabContinue)
001784: *Mar 1 09:27:35.606: @@@ mab : mab_initialize -> mab_authorizing
001785: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Starting MAC-AUTH-BYPASS for 0x2200000F (MACAddress)
001786: *Mar 1 09:27:35.614: mab-ev(Gi0/29): Received an Access-Reject for 0x2200000F (MACAddress)
001787: *Mar 1 10:27:35.622 CET: %MAB-5-FAIL: Authentication failed for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001788: *Mar 1 09:27:35.622: mab-sm(Gi0/29): Received event 'MAB_RESULT' on handle 0x2200000F
001789: *Mar 1 09:27:35.622: mab : during state mab_authorizing, got event 5(mabResult)
001790: *Mar 1 09:27:35.622: @@@ mab : mab_authorizing -> mab_terminate
001791: *Mar 1 09:27:35.622: mab-ev(Gi0/29): Deleted credentials profile for 0x2200000F (dot1x_mac_auth_MACAddress)
001792: *Mar 1 09:27:35.622: mab-ev(Gi0/29): Sending event (2) to AuthMgr for MACAddress
001793: *Mar 1 10:27:35.622 CET: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001794: *Mar 1 10:27:35.622 CET: %AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001795: *Mar 1 10:27:36.512 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
So RADIUS returns an Access-Accept, but the switch treats it as an Access-Reject and seems to regard RADIUS as dead.
Help would be appreciated!
Chris
Hi Chris,
In response to your last post, dynamic VLAN assignment can be achieved with the IETF RADIUS attributes as per the link:
http://Tools.Cisco.com/Squish/d1791
or using the cisco-av-pair as per the link:
http://Tools.Cisco.com/Squish/8Bd61
As for FreeRADIUS and cisco-av pairs: could you please enable the following debugs on the switch and reproduce the problem with a client authentication attempt:
debug radius
debug authentication all
debug authentication feature all
Following the client authentication event, also provide the following from the switch:
show authentication sessions interface
I have run into problems with respect to the case of the cisco-av pair. For example, VLAN assignment works using the case-sensitive lowercase 'tunnel-private-group-id(#81)=vlanid' instead of 'tunnel-private-group-ID(#81)=vlanid'.
When testing with 'tunnel-private-group-ID(#81)=vlanid', I get an error:
RADIUS/DECODE: parse unknown cisco vsa 'tunnel-private-group-ID' - FAIL
So, from the 2nd link, with the changes:
cisco-avpair = "tunnel-type(#64)=VLAN(13)"
cisco-avpair = "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair = "tunnel-private-group-id(#81)=vlanid"
If you still have a question, please include the debug/show output above, which will shed light on the problem.
Thank you
Alex
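The two ways of carrying the VLAN assignment that the reply above points to (the IETF tunnel attributes and the cisco-avpair strings), as an added example that is not part of the thread: it encodes and decodes the RFC 2868 tagged attributes as raw RADIUS TLVs and emits the lowercase cisco-avpair form the reply reports as parsing correctly. The attribute numbers and values are the standard ones (Tunnel-Type 64 = VLAN(13), Tunnel-Medium-Type 65 = 802(6), Tunnel-Private-Group-ID 81); nothing here contacts a switch or a RADIUS server.

```python
"""Encode and decode the RADIUS tunnel attributes a switch needs for dynamic VLAN assignment.

Added example, not part of the thread. It works on raw attribute bytes only; the tag byte
handling follows RFC 2868 and the attribute numbers/values are the standard IANA ones.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type value meaning "802 media"
NO_TAG = 0              # tag byte 0x00 means the attribute is untagged


def attr(type_, payload):
    """One RADIUS attribute TLV: Type(1) Length(1) Value; Length counts the 2-byte header."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", type_, len(payload) + 2) + payload


def vlan_assignment_attrs(vlan_id, tag=NO_TAG):
    """Raw bytes of the three tunnel attributes that assign vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    # Tagged integer attributes are 1 tag byte + a 3-byte big-endian value (RFC 2868 3.1, 3.2)
    tunnel_type = struct.pack(">I", TUNNEL_TYPE_VLAN)[1:]
    medium_type = struct.pack(">I", TUNNEL_MEDIUM_802)[1:]
    return (
        attr(TUNNEL_TYPE, bytes([tag]) + tunnel_type)
        + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + medium_type)
        # Tagged string attribute: 1 tag byte + text; the VLAN id travels as ASCII digits
        + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    )


def parse_attrs(data):
    """Walk a buffer of RADIUS attributes and return [(type, value_bytes), ...]."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + ln]))
        i += ln
    return out


def vlan_from_attrs(data):
    """The assigned VLAN id, or None unless all three attributes are present, consistent and VLAN/802."""
    found = {}
    for t, v in parse_attrs(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[t] = (v[0], int.from_bytes(v[1:], "big"))   # tag, 3-byte integer
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            found[t] = (v[0], v[1:].decode("ascii", "replace"))  # tag, group string
    try:
        tag_a, tunnel_type = found[TUNNEL_TYPE]
        tag_b, medium_type = found[TUNNEL_MEDIUM_TYPE]
        tag_c, group = found[TUNNEL_PRIVATE_GROUP_ID]
    except KeyError:
        return None
    if tunnel_type != TUNNEL_TYPE_VLAN or medium_type != TUNNEL_MEDIUM_802:
        return None
    if not (tag_a == tag_b == tag_c):
        return None   # the three attributes must belong to the same tunnel group
    return int(group) if group.isdigit() and 1 <= int(group) <= 4094 else None


def cisco_avpairs(vlan_id):
    """The same assignment as cisco-avpair strings, in the lowercase form the reply says works."""
    return [
        "tunnel-type(#64)=VLAN(13)",
        "tunnel-medium-type(#65)=802 media(6)",
        f"tunnel-private-group-id(#81)={vlan_id}",
    ]


def avpair_has_lowercase_key(avpair):
    """True when the attribute name before '(#' is all lowercase, the spelling the switch parsed."""
    key = avpair.split("(#", 1)[0]
    return key == key.lower()


if __name__ == "__main__":
    raw = vlan_assignment_attrs(7)
    print(raw.hex(" "), "->", vlan_from_attrs(raw))
    for pair in cisco_avpairs(7):
        print(pair, "lowercase key:", avpair_has_lowercase_key(pair))
```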
ISE and WLC for CWA (Central Web Auth)
Hi all
As we know, the WLC (i.e. 5508) does not support MAB (MAC Auth Bypass), and it supports CWA in 7.2.x.
CWA is the result of a successful MAB. So how does CWA work for wireless? Does that mean the WLC supports MAB?
Hello
The term in the wireless world is MAC filtering. When MAC filtering is triggered, you return the CWA portal in the Access-Accept.
Don't forget to set the condition in your authentication policy to continue if the user is not found, so that the device can hit the CWA default rule.
Thank you
Tarik Admani
* Please rate helpful posts *
-
12c EM login failed.
All users' logins fail. I can log in successfully to the repository database with the same user name and password, but login to EM fails.
emoms.trc shows this:
2015-03-19 15:42:44,173 [[ACTIVE] ExecuteThread: '21' for queue: 'weblogic.kernel.Default (self-tuning)'] WARN auth.EMRepLoginFilter doFilter.450 - InvalidEMUserException caught in EMRepLoginFilter: Failed to login using repository authentication for user: SYSMAN
oracle.sysman.emSDK.sec.auth.InvalidEMUserException: Failed to login using repository authentication for user: SYSMAN
at oracle.sysman.emSDK.sec.auth.EMLoginService._performLogin(EMLoginService.java:1289)
at oracle.sysman.emSDK.sec.auth.EMLoginService._doEMLogin(EMLoginService.java:710)
at oracle.sysman.emSDK.sec.auth.EMLoginService.doEMLogin(EMLoginService.java:640)
at oracle.sysman.emSDK.sec.auth.EMLoginService.doLogin(EMLoginService.java:215)
at oracle.sysman.emSDK.sec.auth.EMLoginService.doLogin(EMLoginService.java:261)
at oracle.sysman.emSDK.sec.auth.EMLoginService.doLogin(EMLoginService.java:268)
at oracle.sysman.eml.app.EMRepLoginFilter.doFilter(EMRepLoginFilter.java:427)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.sysman.eml.app.MBeanServerConnFilter.doFilter(MBeanServerConnFilter.java:43)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:180)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.sysman.eml.app.ContextInitFilter.doFilter(ContextInitFilter.java:561)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adfinternal.view.faces.caching.filter.AdfFacesCachingFilter.doFilter(AdfFacesCachingFilter.java:137)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Hello.
+ Was the SYSMAN password changed recently?
+ Ensure the job_queue_processes parameter is set to non-zero; ideally it should be 1000.
If the value is 0 or low, then proceed as follows:
+ Stop the OMS
OMS_HOME/bin/emctl stop oms -all
+ Connect to the repository database as a SYSDBA user and set job_queue_processes to 1000:
SQL> ALTER SYSTEM SET job_queue_processes=1000 SCOPE=BOTH SID='*';
+ Start the OMS
OMS_HOME/bin/emctl start oms
+ Check login to the console.
Kind regards
Rahul
-
Hello
We upgraded vCenter Server 5.1.0a (build 880146) to vCenter Server 5.1 U1b and now the vCenter service does not start.
This is the log:
2013-10-21T10:58:40.221+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetUserInfo(Administrators, true)
2013-10-21T10:58:40.221+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [GetDomains]
2013-10-21T10:58:40.252+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [LazyInitAdmin] Initializing
2013-10-21T10:58:40.252+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [InitSsoAdminServices]
2013-10-21T10:58:40.252+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CreateAdminSsoServiceContent] Trying to connect to the SSO admin server.
2013-10-21T10:58:40.330+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [InitSsoAdminServices] Succeeded.
2013-10-21T10:58:40.330+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [LoginToAdmin]
2013-10-21T10:58:40.330+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CheckTokenValidity]
2013-10-21T10:58:40.330+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CheckTokenValidity] Refreshing SSO token...
2013-10-21T10:58:40.330+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [RefreshSsoToken]
2013-10-21T10:58:40.408+02:00 [02800 error '[OSP] [SsoAdminFacadeImpl]'] [RefreshSsoToken] AcquireToken exception: Authentication failed: authentication failed
2013-10-21T10:58:40.408+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetUserInfo NormalizationException: RemoteGetDomainNames RuntimeServiceFault exception: sso.fault.RuntimeServiceFault
2013-10-21T10:58:40.408+02:00 [02800 error '[OSP]'] [UserDirectorySso] NormalizeUserName AuthException: allow exceptions
2013-10-21T10:58:40.408+02:00 [02800 error '[OSP]'] [UserDirectorySso] GetDefaultPrincipal AuthException: allow exceptions
2013-10-21T10:58:40.408+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetDefaultPrincipal(, true)
2013-10-21T10:58:40.408+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetUserInfo(, true)
2013-10-21T10:58:40.408+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [GetDomains]
2013-10-21T10:58:40.408+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [LazyInitAdmin] Initializing
2013-10-21T10:58:40.408+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [InitSsoAdminServices]
2013-10-21T10:58:40.408+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CreateAdminSsoServiceContent] Trying to connect to the SSO admin server.
2013-10-21T10:58:40.439+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [InitSsoAdminServices] Succeeded.
2013-10-21T10:58:40.439+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [LoginToAdmin]
2013-10-21T10:58:40.439+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CheckTokenValidity]
2013-10-21T10:58:40.439+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CheckTokenValidity] Refreshing SSO token...
2013-10-21T10:58:40.439+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [RefreshSsoToken]
2013-10-21T10:58:40.502+02:00 [02800 error '[OSP] [SsoAdminFacadeImpl]'] [RefreshSsoToken] AcquireToken exception: Authentication failed: authentication failed
2013-10-21T10:58:40.502+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetUserInfo NormalizationException: RemoteGetDomainNames RuntimeServiceFault exception: sso.fault.RuntimeServiceFault
2013-10-21T10:58:40.502+02:00 [02800 error '[OSP]'] [UserDirectorySso] NormalizeUserName AuthException: allow exceptions
2013-10-21T10:58:40.502+02:00 [02800 info '[OSP]'] [UserDirectorySso] GetUserInfo(, true)
2013-10-21T10:58:40.502+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [GetDomains]
2013-10-21T10:58:40.502+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [LazyInitAdmin] Initializing
2013-10-21T10:58:40.502+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [InitSsoAdminServices]
2013-10-21T10:58:40.502+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [CreateAdminSsoServiceContent] Trying to connect to the SSO admin server.
2013-10-21T10:58:40.533+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [InitSsoAdminServices] Succeeded.
2013-10-21T10:58:40.533+02:00 [02800 info '[OSP] [SsoAdminFacadeImpl]'] [LoginToAdmin]
2013 10-21 T 10: 58:40.533 + 02:00 [02800 info "[OSP] [SsoAdminFacadeImpl]"] [CheckTokenValidity]
2013 10-21 T 10: 58:40.533 + 02:00 [02800 info "[OSP] [SsoAdminFacadeImpl]"] [CheckTokenValidity] refreshing SSO token...
2013 10-21 T 10: 58:40.533 + 02:00 [02800 info "[OSP] [SsoAdminFacadeImpl]"] [RefreshSsoToken]
2013 10-21 T 10: 58:40.595 + 02:00 [02800 error "[OSP] [SsoAdminFacadeImpl]"] AcquireToken [RefreshSsoToken] exception: failed authentication: authentication failed
2013 10-21 T 10: 58:40.595 + 02:00 [02800 info '[OSP]'] [UserDirectorySso] GetUserInfo NormalizationException: RemoteGetDomainNames RuntimeServiceFault exception: sso.fault.RuntimeServiceFault
2013 10-21 T 10: 58:40.595 + 02:00 [error 02800 "Default"] cannot add the default permission: user not found
2013 10-21 T 10: 58:40.595 + 02:00 [error 02800 "Default"] cannot start allow - system has no access rule
2013 10-21 T 10: 58:40.595 + 02:00 [error 02800 'Default'] [Auth] initialization failed: < class Vmacore::Authorize:AuthException(Authorize_Exception) >
2013 10-21 T 10: 58:40.595 + 02:00 [02800 error 'authvpxdAuthorize'] could not initialize security
2013 10-21 T 10: 58:40.595 + 02:00 [02800 WARNING "VpxProfiler"] ServerApp::Start [TotalTime] took ms 27456
2013 10-21 T 10: 58:40.595 + 02:00 [02800 info 'Default'] judgment of VMware VirtualCenter.
Hello
VMware support solved my problem:
We saw two issues after the update.
First, there was no solution user for the Virtual Center when I checked the application users on the SSO administration page of the web client.
We solved this by repointing Virtual Center to the SSO instance according to the following KB:
http://KB.VMware.com/kb/2033620
repoint.cmd configure-vc --lookup-server https://vcenter.com:7444/lookupservice/sdk --user "admin@System-Domain" --password "laquesea" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin"
After that, the solution user section in vpxd.cfg was not updated properly and needed a manual operation.
C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt
vCenterServer_251703
C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.key
Above is the corrected version, having replaced "null" with the correct paths to the certificate and key files.
This allowed the vCenter service to start successfully.
-
HSRP authentication problem.
Hello
We have 2 devices configured with HSRP on a single interface, associated with a VLAN.
Switch 1:
!
interface Vlan16
description HSRP for VMware HA - November 13, 2015
ip address 10.10.10.5 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
standby 11 ip 10.10.10.7
standby 11 priority 110
standby 11 preempt
standby 11 authentication md5 key-chain globo123
!
Switch 2:
!
interface Vlan16
description HSRP for VMware HA - November 13, 2015
ip address 10.10.10.6 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
standby 11 ip 10.10.10.7
standby 11 preempt
standby 11 authentication md5 key-chain globo123
!
The thing is that we get the following message on switch 1:
370222: Jan 19 02:29:20.439 UTC: %HSRP-4-BADAUTH: Bad authentication from 10.10.10.6, group 11, remote state Active
And on switch 2:
1308504: Jan 19 02:30:11.823 UTC: %HSRP-4-BADAUTH: Bad authentication from 10.10.10.5, group 11, remote state Active
And also on switch 1:
370242: Jan 19 02:29:39.290 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
370243: Jan 19 02:29:39.290 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello 129.39.189.3 pkt, no key for this key ID
370244: Jan 19 02:29:39.354 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.2 Active pri 110 vIP 10.10.10.7
370245: Jan 19 02:29:40.946 UTC: HSRP: Vl16 Grp 11 ARP src 129.39.189.36 tgt 10.10.10.7, reply with mac 0000.0c07.ac0b
370246: Jan 19 02:29:42.058 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
370247: Jan 19 02:29:42.058 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello 129.39.189.3 pkt, no key for this key ID
370248: Jan 19 02:29:42.110 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.5 Active pri 110 vIP 10.10.10.7
370249: Jan 19 02:29:44.682 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.5 Active pri 110 vIP 10.10.10.7
370250: Jan 19 02:29:44.858 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
370251: Jan 19 02:29:44.858 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello 10.10.10.6 pkt, no key for this key ID
370252: Jan 19 02:29:47.306 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.5 Active pri 110 vIP 10.10.10.7
370253: Jan 19 02:29:47.318 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
370254: Jan 19 02:29:47.318 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello 10.10.10.6 pkt, no key for this key ID
370255: Jan 19 02:29:47.630 UTC: HSRP: Vl16 Grp 11 ARP src 172.16.1.41 tgt 10.10.10.7, reply with mac 0000.0c07.ac0b
And also on switch 2:
1308614: Jan 19 02:31:47.308 UTC: HSRP: Vl16 Grp 11 Hello 10.10.10.6 Active pri 100 vIP 10.10.10.7
1308615: Jan 19 02:31:48.668 UTC: HSRP: Vl16 Grp 11 Hello 10.10.10.5 Active pri 110 vIP 10.10.10.7
1308616: Jan 19 02:31:48.668 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello 10.10.10.5 pkt, no key for this key ID
1308617: Jan 19 02:31:48.668 UTC: %HSRP-4-BADAUTH: Bad authentication from 10.10.10.5, group 11, remote state Active
1308618: Jan 19 02:31:50.276 UTC: HSRP: Vl16 Grp 11 Hello 129.39.189.3 Active pri 100 vIP 10.10.10.6
1308619: Jan 19 02:31:51.280 UTC: HSRP: Vl16 Grp 11 Hello in 129.39.189.2 Active pri 110 vIP 10.10.10.6
1308620: Jan 19 02:31:51.280 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello 129.39.189.2 pkt, no key for this key ID
1308621: Jan 19 02:31:51.892 UTC: HSRP: Vl16 Grp 11 ARP src 172.16.1.48 tgt 10.10.10.6, reply with mac 0000.0c07.ac0b
1308622: Jan 19 02:31:52.916 UTC: HSRP: Vl16 Grp 11 Hello 129.39.189.3 Active pri 100 vIP 10.10.10.6
1308623: Jan 19 02:31:53.856 UTC: HSRP: Vl16 Grp 11 Hello in 129.39.189.2 Active pri 110 vIP 10.10.10.6
1308624: Jan 19 02:31:53.856 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello 10.10.10.5 pkt, no key for this key ID
This is the output of "show standby" on switch 1:
Vlan16 - Group 11
State is Active
2 state changes, last state change 9w3d
Virtual IP address is 10.10.10.7
Active virtual MAC address is 0000.0c07.ac0b
Local virtual MAC address is 0000.0c07.ac0b (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.560 secs
Authentication MD5, key 'GSNIFri13unh4ck4bl3 '
Preemption enabled
Active router is local
Standby router is unknown
Priority 110 (configured 110)
Group name is "hsrp-Vl16-11" (default)
And on switch 2:
Vlan16 - Group 11
State is Active
2 state changes, last state change 9w3d
Virtual IP address is 10.10.10.7
Active virtual MAC address is 0000.0c07.ac0b
Local virtual MAC address is 0000.0c07.ac0b (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.832 secs
Authentication MD5, key 'GSNIFri13unh4ck4bl3 '
Preemption enabled
Active router is local
Standby router is unknown
Priority 100 (default 100)
Group name is "hsrp-Vl16-11" (default)
Could someone tell me if this situation could cause the network to stop working?
Alternatively, what kind of problem do I have?
Thank you
Rui Capao
Don't blame IOS for the space; blame Windows copy and paste.
It would be awesome if you marked my answer as correct if you think it helped you.
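To make the copy-and-paste defect named in the answer visible from the switch output alone, here is an added example (not code from the thread) that correlates the %HSRP-4-BADAUTH and debug lines with the key string shown by "show standby" and flags whitespace inside the key; the log lines and show excerpts are constructed in the format quoted above, and in the sample only switch 1's key carries the trailing space.

```python
"""Correlate HSRP MD5 authentication failures with the configured key.

Added example for the thread above, not code from the original post. The
log lines and 'show standby' excerpts are constructed in the format quoted
there (Vlan16, group 11, peers 10.10.10.5 and 10.10.10.6).
"""
import re
from collections import defaultdict

# %HSRP-4-BADAUTH syslog line: which peer failed, for which group.
BADAUTH_RE = re.compile(
    r"%HSRP-4-BADAUTH: Bad authentication from (?P<peer>[\d.]+), group (?P<group>\d+)")
# 'debug standby' line that states the reason for the failure.
DEBUG_RE = re.compile(
    r"HSRP: (?P<intf>\S+) Grp (?P<group>\d+) Auth failed for Hello "
    r"(?P<peer>[\d.]+) pkt, (?P<reason>.+)$")
# 'show standby' authentication line; everything between the quotes is kept,
# so a space pasted into the key survives for inspection.
SHOW_KEY_RE = re.compile(r"Authentication MD5, key '(?P<key>[^']*)'")


def parse_auth_failures(lines):
    """Map (group, peer) -> set of failure reasons seen in the log."""
    failures = defaultdict(set)
    for line in lines:
        m = BADAUTH_RE.search(line)
        if m:
            failures[(int(m["group"]), m["peer"])].add("BADAUTH")
            continue
        m = DEBUG_RE.search(line)
        if m:
            failures[(int(m["group"]), m["peer"])].add(m["reason"].strip())
    return dict(failures)


def inspect_key(show_standby):
    """Return (key, findings) for the MD5 key shown by 'show standby'."""
    m = SHOW_KEY_RE.search(show_standby)
    if m is None:
        return None, ["no MD5 authentication shown"]
    key = m["key"]
    findings = []
    if key != key.strip():
        findings.append("key has leading/trailing whitespace (copy-and-paste)")
    return key, findings


def diagnose(logs_by_switch, show_by_switch):
    """Combine both switches' logs and 'show standby' output into one report."""
    report = {"failures": {}, "keys": {}, "findings": []}
    for name, lines in logs_by_switch.items():
        report["failures"][name] = parse_auth_failures(lines)
    for name, text in show_by_switch.items():
        key, findings = inspect_key(text)
        report["keys"][name] = key
        report["findings"] += [f"{name}: {f}" for f in findings]
    if len(set(report["keys"].values())) > 1:
        report["findings"].append("configured keys differ between switches")
    return report


# Constructed samples; sw2's key lacks the trailing space that sw1's key has.
SW1_LOG = [
    "370222: Jan 19 02:29:20.439 UTC: %HSRP-4-BADAUTH: Bad authentication "
    "from 10.10.10.6, group 11, remote state Active",
    "370243: Jan 19 02:29:39.290 UTC: HSRP: Vl16 Grp 11 Auth failed for "
    "Hello 10.10.10.6 pkt, no key for this key ID",
]
SW2_LOG = [
    "1308617: Jan 19 02:31:48.668 UTC: %HSRP-4-BADAUTH: Bad authentication "
    "from 10.10.10.5, group 11, remote state Active",
]
SW1_SHOW = "Vlan16 - Group 11\n  Authentication MD5, key 'GSNIFri13unh4ck4bl3 '\n"
SW2_SHOW = "Vlan16 - Group 11\n  Authentication MD5, key 'GSNIFri13unh4ck4bl3'\n"

if __name__ == "__main__":
    for finding in diagnose({"sw1": SW1_LOG, "sw2": SW2_LOG},
                            {"sw1": SW1_SHOW, "sw2": SW2_SHOW})["findings"]:
        print(finding)
```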
-
Hi all
I checked the POST on an ASA5505 (9.1(3)); it shows 2 Gigabit NICs:
Total network cards found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 885a.92d9.f938
88E6095 rev 2 Ethernet @ index 07 MAC: 885a.92d9.f937
88E6095 rev 2 Ethernet @ index 06 MAC: 885a.92d9.f936
88E6095 rev 2 Ethernet @ index 05 MAC: 885a.92d9.f935
88E6095 rev 2 Ethernet @ index 04 MAC: 885a.92d9.f934
88E6095 rev 2 Ethernet @ index 03 MAC: 885a.92d9.f933
88E6095 rev 2 Ethernet @ index 02 MAC: 885a.92d9.f932
88E6095 rev 2 Ethernet @ index 01 MAC: 885a.92d9.f931
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 885a.92d9.f939
Are Gigabit licenses on the roadmap?
Kind regards
Norbert
Hello
I doubt it has anything to do with upcoming changes, as the device is specced for only 150 Mbps throughput.
I have not seen Cisco release any replacement model, even though I have asked a few times.
I think the 2 GigabitEthernet interfaces refer to the Internal-Data0/0 and Internal-Data0/1 interfaces.
This is the output from my own ASA:
Interface Internal-Data0/0 "", is up, line protocol is up
Hardware is y88acs06, BW 1000 Mbps, DLY 10 usec
(Full-duplex), (1000 Mbps)
Interface Internal-Data0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 1000 Mbps, DLY 10 usec
(Full-duplex), (1000 Mbps)
Also, here is a picture from a Cisco Live! presentation on the architecture of the ASA5505 model.
Hope this helps
-Jouni
-
3850 catalyst, MAB and RADIUS
Hello
This is a Catalyst 3850 we are talking about (on a C3750, MAB auth works like a charm), and the strange thing is that I don't see the RADIUS client sending packets anywhere:
#show radius statistics
                                 Auth.      Acct.       Both
        Maximum inQ length:         NA         NA          0
      Maximum waitQ length:         NA         NA          0
      Maximum doneQ length:         NA         NA          0
      Total responses seen:          0          0          0
    Packets with responses:          0          0          0
 Packets without responses:          0          0          0
            Access Rejects:          0
Average response delay(ms):          0          0          0
Maximum response delay(ms):          0          0          0
 Number of Radius timeouts:          0          0          0
      Duplicate ID detects:          0          0          0
Buffer Allocation Failures:          0          0          0
Maximum Buffer Size (bytes):         0          0          0
       Malformed Responses:          0          0          0
            Authenticators:          0          0          0
         Unknown Responses:          0          0          0
Source Port Range: (2 ports only)
   1645 - 1646
Last used Source Port/Identifier:
   1645/0
   1646/0
Elapsed time since counters last cleared: 6h44m
Radius Latency Distribution:
   <= 2ms  : 0 0
   3-5ms   : 0 0
   5-10ms  : 0 0
   10-20ms : 0 0
   20-50ms : 0 0
   50-100ms: 0 0
   > 100ms : 0 0
Current inQ length: 0
Current doneQ length: 0
#debug radius verbose
All MAC addresses are unable to authenticate.
#sh log
003007: Aug 3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXXX
003008: Aug 3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXX
There is one entry in the MAB debug log that looks odd: "Invalid EVT 9 of the EAP" (I don't know what it could be).
#debug mab all
003085: Aug 3 18:04:26.146 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] Received MAB context create from AuthMgr
003086: Aug 3 18:04:26.146 UTC: mab-ev:MAB authorizing XXXX.XXXX.XXXX
003087: Aug 3 18:04:26.146 UTC: mab-ev:Created MAB client context 0x1B00004B
003088: Aug 3 18:04:26.146 UTC: mab : initial state mab_initialize has enter
003089: Aug 3 18:04:26.146 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] Sent create new context event to EAP for MAB 0x1B00004B (XXXX.XXXX.XXXX)
003090: Aug 3 18:04:26.147 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] MAB authenticating started for 0x536EE850 (XXXX.XXXX.XXXX)
003091: Aug 3 18:04:26.147 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] Invalid EVT 9 of the EAP
003092: Aug 3 18:04:26.147 UTC: mab-sm:[XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_CONTINUE' on handle 0x1B00004B
003093: Aug 3 18:04:26.147 UTC: mab : during state mab_initialize, got event 1(mabContinue)
003094: Aug 3 18:04:26.147 UTC: @@@ mab : mab_initialize -> mab_authorizing
003095: Aug 3 18:04:26.147 UTC: mab-ev:[XXXX.XXXX.XXXX] Formatted mac = XXXXXXXXXXXX
003096: Aug 3 18:04:26.147 UTC: mab-ev:[XXXX.XXXX.XXXX] Created dot1x nickname profile dot1x_mac_auth_XXXX.XXXX.XXXX for MAB
003097: Aug 3 18:04:26.148 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] Sending MAC-AUTH-BYPASS for 0x1B00004B (XXXX.XXXX.XXXX)
003098: Aug 3 18:04:26.148 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] Invalid EVT 9 of the EAP
003099: Aug 3 18:04:26.148 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] MAB received an Access-Reject for 0x1B00004B (XXXX.XXXX.XXXX)
003100: Aug 3 18:04:26.148 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/48 AuditSessionID 0A48021200000FD1007B87DE
003101: Aug 3 18:04:26.148 UTC: mab-sm:[XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_RESULT' on handle 0x1B00004B
003102: Aug 3 18:04:26.148 UTC: mab : during state mab_authorizing, got event 5(mabResult)
003103: Aug 3 18:04:26.148 UTC: @@@ mab : mab_authorizing -> mab_terminate
003104: Aug 3 18:04:26.149 UTC: mab-ev:[XXXX.XXXX.XXXX, Gi1/0/48] Deleting credentials profile for 0x1B00004B (dot1x_mac_auth_XXXX.XXXX.XXXX)
003105: Aug 3 18:04:26.150 UTC: mab-sm:[XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_DELETE' on handle 0x1B00004B
The configuration is below:
aaa group server radius XXX-XXXXXX
 server 10.XX.XX.30
 server 10.x.x.x.XX.30
aaa authorization network default group XXX-XXXXXX no
aaa accounting dot1x default start-stop group XXX-XXXXXX
ip radius source-interface Loopback0
radius-server host 10.XX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server host 10.x.x.x.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server retransmit 0
radius-server timeout 3
interface GigabitEthernet1/0/6
 description XXXX XXXXX
 switchport access vlan XXX
 switchport mode access
 switchport voice vlan XXX
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 authentication timer restart 180
 mab
 no snmp trap link-status
 storm-control broadcast level 0.50
 spanning-tree portfast
end
#sh ver
Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 56    WS-C3850-48P       03.07.02E         cat3k_caa-universalk9 INSTALL
     2 56    WS-C3850-48P       03.07.02E         cat3k_caa-universalk9 INSTALL
Any ideas?
P.
You are missing "aaa authentication dot1x".
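The missing line named in the answer is easy to overlook in a long running-config, so here is an added example (not the poster's config nor any Cisco tool) that audits an IOS config for the global AAA lines MAB depends on and for the per-interface settings on every port that has "mab"; the sample config is constructed to mirror the one quoted above, with the hypothetical group name RADGRP, a placeholder RADIUS key, and the "aaa authentication dot1x" line deliberately absent.

```python
"""Audit a Cisco IOS running-config for the pieces MAB authentication needs.

Added example for the 3850 thread above; not the poster's or Cisco's code.
The sample config is constructed: group name RADGRP and the RADIUS key are
placeholders, and 'aaa authentication dot1x' is left out on purpose.
"""
import re

# Global lines MAB/802.1X depend on. Patterns with a 'grp' group capture the
# RADIUS server group so it can be cross-checked against 'aaa group server'.
GLOBAL_CHECKS = {
    "aaa new-model": re.compile(r"^aaa new-model$"),
    "aaa authentication dot1x": re.compile(
        r"^aaa authentication dot1x \S+ group (?P<grp>\S+)"),
    "aaa authorization network": re.compile(
        r"^aaa authorization network \S+ group (?P<grp>\S+)"),
    "dot1x system-auth-control": re.compile(r"^dot1x system-auth-control$"),
}
# Interface lines that must accompany 'mab' for the port to authenticate.
INTF_CHECKS = ["authentication port-control auto", "switchport mode access"]
GROUP_RE = re.compile(r"^aaa group server radius (\S+)")


def parse_config(text):
    """Split a config into (global_lines, {interface_name: [sub-lines]})."""
    global_lines, intfs, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            intfs[current] = []
        elif line.startswith(" "):
            if current is not None:          # sub-line of an interface block
                intfs[current].append(line.strip())
        else:
            current = None                   # any other block ends interface mode
            global_lines.append(line)
    return global_lines, intfs


def audit(text):
    """Return a list of findings; an empty list means the MAB prerequisites exist."""
    global_lines, intfs = parse_config(text)
    groups = {m.group(1) for g in global_lines if (m := GROUP_RE.match(g))}
    findings = []
    for label, pat in GLOBAL_CHECKS.items():
        hit = next((pat.match(g) for g in global_lines if pat.match(g)), None)
        if hit is None:
            findings.append(f"global: missing '{label}'")
        elif "grp" in pat.groupindex and hit["grp"] not in groups:
            findings.append(f"global: '{label}' references unknown group {hit['grp']}")
    for name, lines in intfs.items():
        if "mab" not in lines:
            continue
        for need in INTF_CHECKS:
            if need not in lines:
                findings.append(f"{name}: 'mab' present but missing '{need}'")
    return findings


# Constructed sample mirroring the quoted config, minus 'aaa authentication dot1x'.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius RADGRP
 server 192.0.2.30
aaa authorization network default group RADGRP
aaa accounting dot1x default start-stop group RADGRP
dot1x system-auth-control
radius-server host 192.0.2.30 key 7 PLACEHOLDER
!
interface GigabitEthernet1/0/6
 switchport access vlan 10
 switchport mode access
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 mab
 spanning-tree portfast
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```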
-
Rogue Hub/Switch blocks?
Hello
I noticed MAC addresses of 0000.0000.0000 on some of our switch ports in a particular building. It turns out that some end users have been connecting personal/unauthorized hubs and/or cheap 5-port switches to our network on these interfaces. We disabled the ports manually, and then of course the end users called the helpdesk to tell us they had lost network connectivity.
PortFast and BPDU guard are enabled on all edge devices. However, given that these are cheap switches and hubs, I don't think they even do STP, so having BPDU guard err-disable the port isn't our fix.
So, is there another way to block these devices? ACL? MAC filtering? Can you just block MAC 0000.0000.0000? Maybe someone can explain what MAC 0000.0000.0000 means?
I am aware of port security, and it is currently in the works, but I was hoping for a quick solution in the meantime.
Thank you!
-Brett
Depending on what type of switch you have, you have dynamic ARP inspection, where you record only trusted MACs in the switch's database and the switch will reject any other MAC that connects. Port security is another option: allow a maximum of 1 MAC on the port, but the problem will persist that when a hub plus computers connects, the port will be shut down and you will need to reactivate the suspended port each time.
Also, here is a good post to review on an ACL:
https://supportforums.Cisco.com/message/3727181#3727181
-Tom
Please rate helpful posts
-
Determine the NIF port used by the HIF when it is configured in a port channel
I recently watched an excellent Cisco Live video on UCS troubleshooting that showed how to trace network traffic within Cisco UCS. The speaker commented, however, that to determine which NIF is used by a given HIF when port-channels are used between the FEX and FI, there are different commands to run. You need to determine the outcome of the load-balancing hash. Unfortunately, he never said what these commands were.
So when we have veths pinned to port-channels instead of to HIFs and NIFs, what commands will indicate which path is used?
Matt,
You can use this command:
B(nxos)# show port-channel load-balance    <-- this will tell you the load balance method
If you use source-dest-ip as in my case, you can use this command:
B(nxos)# show port-channel load-balance forwarding-path interface port-channel <ID> vlan <ID> dst-ip y.y.y.y src-ip x.x.x.x
and it will show you something like this:
Missing params will be substituted by 0's.
Load-balance Algorithm on switch: source-dest-ip
crc8_hash: 109 Outgoing port id: EthernetX/Y    <-- this is what you are looking for
Param(s) used to calculate load-balance:
dst-ip: y.y.y.y
src-ip: x.x.x.x
dst-mac: 0000.0000.0000
src-mac: 0000.0000.0000
For the blade, it depends on which vNIC is active; for the FEX, it depends on the pinning, based on the blade slot the server is in. Odd-numbered servers go through the odd links and even-numbered servers through the even ports.
Remember to rate helpful answers.
-Kenny
-
802.1 x Switch IOS Bug?
It seems to me that IOS does not work as the documentation states during dot1x authentication. From what I read, the latest IOS 12.2 should not re-authenticate a client if the MAC address has not changed (with dot1x reauth off, of course). However, I've tested this and it seems the switch always sends EAPOL, even if I use the same PC on the same port. Is this a bug?
There is nothing that can be done about it. I don't know yet what 'MAC history' means, but if the port goes down, it is still deleted.
Now, I might have a workaround for you here: MAC-Auth-Bypass (MAB). MAB authenticates machines that cannot speak 802.1X by their MAC address. If it fails and you also have the Guest-VLAN on, the port goes into the Guest-VLAN anyway (for backward compatibility). From a processing perspective, MAB is attempted after 802.1X but before the Guest-VLAN (which just allows a port blindly).
What it means for your scenario is that if you enable MAB, you can put a machine to sleep (which will bounce the port). 802.1X times out (as your computer is idle). Then MAB will kick in and initiate. However, it will hang there until the device sends traffic, and while it is asleep it will not pass any. In this way, the port does not go into the Guest-VLAN when the machine goes to sleep, and you can wake the computer from the VLAN that is configured natively on the port.
Hope this helps,