3750 switch: EAPoL received but nothing transmitted to the RADIUS server

I have a 3750 switch stack running version 12.2(53)SE2 IPBASEK9-M. I have dot1x configured on the switch, and a Windows 7 PC with 802.1X configured is connected to the interface. I see the EAPoL Start message from the PC, but I do not see the RADIUS packets from the switch to the RADIUS server. I have a simple dot1x config just to try to make it work before adding additional features such as a guest VLAN...

Config and debug output are in the attached file.

I don't know if the ip dhcp snooping and arp inspection configuration is causing a problem with this or not. I see the EAPoL packet received on the switch, as shown in the debug attachment, but I never see the RADIUS packet. I've set both to trust on the interface, but always the same result. I can't turn them off because this is a production switch with a test interface.

Any ideas?

Thank you

Mark

I had the same problem and solved it: it is enough to configure the switch as authenticator instead of "supplicant". "Supplicant" means the client; "authenticator" means that the switch acts as an authenticator pass-through: it forwards the requests to the authentication server, for example a RADIUS host.

Tags: Cisco Security

Similar Questions

  • Cisco Catalyst 2960-S switch configured for 802.1X does not send an Access-Request to the RADIUS server

    Setup

    Cisco Catalyst 2960-S running 15.0.2-SE8

    FreeRADIUS RADIUS server on CentOS 6.4

    Client (supplicant) running Windows 7

    When the Windows client is connected to the port (port 12 in my setup) with 802.1X authentication active on the switch, Wireshark shows that the Catalyst sends an EAP Request and the client responds with an EAP Response. But the switch does not make the request to the RADIUS server. The RADIUS test utility 'test aaa group radius testuser password new-code' works.
    Here is my config running. Any advice would be greatly appreciated.
    mySwitch#show running-config
    Building configuration...

    Current configuration: 2094 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname myswitch
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$Z1z6$kqvVYRQdVRZ0h8aDTV5DR0
    !
    !
    aaa new-model
    !
    !
    aaa authentication dot1x group radius
    aaa accounting dot1x default start-stop group radius
    !
    !
    !
    aaa session-id common
    switch 1 provision ws-c2960s-24ts-l
    !
    !
    !
    !
    !
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    !
    !
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0
     no ip address
     shutdown
    !
    interface GigabitEthernet1/0/1
    !
    interface GigabitEthernet1/0/2
    !
    interface GigabitEthernet1/0/3
    !
    interface GigabitEthernet1/0/4
    !
    interface GigabitEthernet1/0/5
    !
    interface GigabitEthernet1/0/6
    !
    interface GigabitEthernet1/0/7
    !
    interface GigabitEthernet1/0/8
    !
    interface GigabitEthernet1/0/9
    !
    interface GigabitEthernet1/0/10
    !
    interface GigabitEthernet1/0/11
    !
    interface GigabitEthernet1/0/12
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
    !
    interface GigabitEthernet1/0/13
    !
    interface GigabitEthernet1/0/14
    !
    interface GigabitEthernet1/0/15
    !
    interface GigabitEthernet1/0/16
    !
    interface GigabitEthernet1/0/17
    !
    interface GigabitEthernet1/0/18
    !
    interface GigabitEthernet1/0/19
    !
    interface GigabitEthernet1/0/20
    !
    interface GigabitEthernet1/0/21
    !
    interface GigabitEthernet1/0/22
    !
    interface GigabitEthernet1/0/23
    !
    interface GigabitEthernet1/0/24
    !
    interface GigabitEthernet1/0/25
    !
    interface GigabitEthernet1/0/26
    !
    interface GigabitEthernet1/0/27
    !
    interface GigabitEthernet1/0/28
    !
    interface Vlan1
     ip address 10.1.2.12 255.255.255.0
    !
    ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    logging trap debugging
    logging host 10.1.2.1 transport tcp port 514
    radius-server host 10.1.2.1 auth-port 1812 acct-port 1646 timeout 3 retransmit 3 key testing123
    line con 0
    line vty 0 4
    password password
    line vty 5 15
    password password
    !
    end


    Have you run Wireshark on the server to see whether the request from the switch arrives? If so, did you make sure that there is a response from the server? For Windows Network Policy Server (I've never tried CentOS), you must ensure that the request matches a policy, which then authenticates or denies access. Usually it is a matter of attributes such as the vendor.

    Regarding the configuration, the AAA part seems a bit off. Try removing the line:

    "aaa authentication dot1x group radius" and using this instead:

    "aaa authentication dot1x default group radius". After the word dot1x you are supposed to provide an authentication list name, or the word default if you do not want to use a named list.
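The original thread and this one both come down to the same question: is the switch actually sending an Access-Request, and does the server's reply pass the shared-secret check? As an added illustration (not from either thread and not Cisco's or FreeRADIUS's code), the following Python script builds the Access-Request an 802.1X authenticator sends (RFC 2865, with the Message-Authenticator of RFC 3579) and verifies a reply's Response Authenticator, which is the check that fails when the key on the switch and on the server differ. The secret, user name and NAS address are constructed sample values; the EAP-Message attributes are left out to keep the example short.

```python
"""RADIUS Access-Request builder and reply verifier (RFC 2865, RFC 3579).
Added example, standard library only; all addresses, names and the secret are
constructed sample values, not taken from the thread."""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 1, 4, 61, 80
NAS_PORT_TYPE_ETHERNET = 15  # what a switch port reports for a wired 802.1X client


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, user: str, nas_ip: str,
                         request_auth: Optional[bytes] = None) -> bytes:
    """Build the Access-Request a switch acting as 802.1X authenticator sends.
    The EAP-Message attributes carrying the client's EAP frames are left out;
    the Message-Authenticator (RFC 3579) that must accompany them is included
    so the server can verify the shared secret."""
    request_auth = request_auth or os.urandom(16)  # 16 random bytes per request
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zero placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_message_authenticator(secret: bytes, request: bytes) -> bool:
    """Server-side check of the Message-Authenticator attribute; False if absent."""
    pos = 20
    while pos + 2 <= len(request):
        atype, alen = request[pos], request[pos + 1]
        if alen < 2:
            return False  # malformed attribute, never loop on it
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = request[pos + 2:pos + 18]
            zeroed = request[:pos + 2] + bytes(16) + request[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += alen
    return False


def build_reply(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Server side: a reply whose Response Authenticator binds it to the request.
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_reply(secret: bytes, request: bytes, reply: bytes) -> bool:
    """Switch side: accept a reply only if the identifier matches the outstanding
    request and the Response Authenticator was made with the same shared secret.
    A key mismatch between switch and server fails exactly here; the NAS silently
    discards the reply and the client sees a timeout rather than a reject."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"testing123"  # constructed sample secret
    req = build_access_request(secret, 7, "alice", "10.1.2.12")
    accept = build_reply(secret, req, ACCESS_ACCEPT)
    print("server accepts request:", verify_message_authenticator(secret, req))
    print("reply verifies with right secret:", verify_reply(secret, req, accept))
    print("reply verifies with wrong secret:", verify_reply(b"wrong", req, accept))
```

When the switch shows EAP traffic on the port but no Access-Request ever leaves it, the problem is before this exchange (the AAA method list or the PAE role); when the request leaves but the client keeps timing out, a reply that fails verify_reply because of a mismatched key is the usual cause, and a capture on the server side will show the reply being sent while the switch discards it.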

  • How to restrict Internet access by using the RADIUS server via switch Catalyst 3560

    Dear all,

    I need help with a configuration. I have a small network of 15 users on a 3560, which is in turn connected to an ISR 2811 router. On interface FastEthernet 0/24 of the 3560 I intend to connect a Unix-based RADIUS server. The ISP is connected on the other side of the 2811, on the fa0/0 interface.

    What I want is that if any of the 15 users tries to access the internet, they must be validated by the RADIUS server with their pre-configured user credentials (I'm going to store the 15 users' credentials there). If anyone else (other than those 15) tries to connect, he or she should be denied internet access.

    The RADIUS server will be having a login page to type the name of user and password.

    Please guide me on which commands I should put into the 3560, or what specifically I need in order to accomplish this.

    Thanks in advance!

    Samrat.

    I haven't done this in a very long time, but what you probably want to do is enable web authentication.

    http://www.Cisco.com/c/en/us/TD/docs/switches/LAN/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swwebauth.html

  • Dell PowerConnect 35xx series RADIUS server deadtime behavior

    Hello Dell Community,

    I'm not able to find out how 35xx series switches handle the 'radius-server deadtime' parameter, as described below:

    In the switch config I use two RADIUS hosts (for redundancy). The first has RADIUS priority '1' configured, the second server is priority '2'. So normally, if the first RADIUS server (priority 1) is online, the switch's auth requests are sent to this server all the time. And they really are.

    Now I have also configured 'radius-server deadtime 10', meaning to skip a RADIUS server that does not respond. What exactly does that mean?

    If the RADIUS server with priority 1 is offline for a few seconds, does the switch instantly consider this RADIUS server dead and send it no auth requests for the 'deadtime' period of 10 minutes (depending on configuration)? How often does the switch check the availability of the RADIUS server host?

    switch config:

    IP address       Port  Port  Prio  Timeout  Retrans  Deadtime  Source IP  Usage
                     Auth  Acct
    ---------------  ----  ----  ----  -------  -------  --------  ---------  -----
    10.10.10.10      1812  1813  1     Global   Global   Global    Global     all
    10.10.10.20      1812  1813  2     Global   Global   Global    Global     all

    Global values
    --------------

    Timeout: 2
    Retransmit: 5
    Deadtime: 10
    Source IP: 0.0.0.0
    Source IPv6:

    Retransmit tells the switch how many times to attempt authentication against a RADIUS server before moving on to the second server. Timeout is how long the switch waits for a response. Deadtime comes into play after those two parameters have been exhausted.

    Example config:

    console(config)# radius-server retransmit 3

    console(config)# radius-server timeout 3

    console(config)# radius-server deadtime 10

    Result of the config:

    - The client tries to connect.

    - The switch attempts to authenticate to server 1.

    - The switch hears nothing from RADIUS server 1 for 3 seconds.

    - The switch waits 3 seconds.

    - The switch attempts to authenticate to RADIUS server 1 a second time and gets no response from the server for 3 seconds.

    - The switch waits 3 seconds.

    - The switch attempts to authenticate to RADIUS server 1 a third time and gets no response from the server for 3 seconds.

    - The switch places RADIUS server 1 in a down/dead state for 10 minutes.

    - The switch attempts to authenticate to server 2.
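The timeline above is easier to reason about as a small model. The following Python script is an added example (not Dell's code and not from the thread) that simulates the retransmit/timeout/deadtime interaction for a list of prioritised servers and reports when a server is marked dead and when the switch falls through to the next one. It follows the answer's sequence, so it treats retransmit as the total number of attempts per server; that is an assumption taken from the answer, and some platforms count retransmit as retries after the first attempt, so check the manual for your switch. Server addresses and the reachable flag are constructed sample values.

```python
"""Model of RADIUS server failover with timeout, retransmit and deadtime.
Added example; it follows the sequence in the answer above (each attempt waits
`timeout` seconds, `retransmit` attempts per server, then the server is skipped
for `deadtime` minutes). Treating retransmit as the total attempt count is an
assumption taken from that answer."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    priority: int            # lower value is tried first
    reachable: bool = True   # constructed: whether the server answers in this model
    dead_until: float = 0.0  # absolute time (s) until which the server is skipped


def eligible(servers: List[RadiusServer], now: float) -> List[RadiusServer]:
    """Servers not currently in the dead state, in priority order."""
    return sorted((s for s in servers if s.dead_until <= now), key=lambda s: s.priority)


def authenticate(servers: List[RadiusServer], now: float, timeout: float,
                 retransmit: int, deadtime_min: float
                 ) -> Tuple[Optional[str], float, List[Tuple[float, str]]]:
    """Simulate one client authentication starting at `now`.
    Returns (server that answered or None, seconds elapsed, event log)."""
    events: List[Tuple[float, str]] = []
    t = now
    for srv in eligible(servers, now):
        for attempt in range(1, retransmit + 1):
            events.append((t, f"Access-Request to {srv.name}, attempt {attempt}"))
            if srv.reachable:
                events.append((t, f"{srv.name} answered"))
                return srv.name, t - now, events
            t += timeout
            events.append((t, f"no reply from {srv.name} within {timeout}s"))
        # All attempts exhausted: mark dead. Nothing polls it again until deadtime
        # expires; the next authentication after that retries it.
        srv.dead_until = t + deadtime_min * 60
        events.append((t, f"{srv.name} marked dead until t={srv.dead_until:.0f}s"))
    events.append((t, "no RADIUS server answered"))
    return None, t - now, events


def demo() -> Tuple[Optional[str], float]:
    """Primary unreachable, secondary fine, timeout 3 s, retransmit 3, deadtime 10 min."""
    servers = [RadiusServer("10.10.10.10", priority=1, reachable=False),
               RadiusServer("10.10.10.20", priority=2)]
    used, elapsed, events = authenticate(servers, 0.0, 3, 3, 10)
    for t, msg in events:
        print(f"t={t:5.1f}s  {msg}")
    return used, elapsed


if __name__ == "__main__":
    demo()
```

With the answer's numbers the first client waits 9 seconds before the secondary is tried; clients arriving during the next 10 minutes go straight to the secondary, and the first client after the deadtime expires pays the 9 seconds again if the primary is still down. That is the practical cost to keep in mind when choosing a long deadtime against a short one.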

  • Newbie question on access to the RADIUS server

    I've worked before on RADIUS servers running on Windows but not on Unix. I'm new to an environment without any documentation and I want to make sure I have access to the TACACS/ACS config.

    I go to my switch config and I see 'radius-server host 10.0.0.1'.

    Then I ssh into '10.0.0.1' and I see the below:

    From the above, do you have an idea of how to access the ACS configuration in case I need to change any setting? I tried http://10.0.0.1 but it does not work.

    -bash-3.00$ ls
    bin       devices   core        net       sbin      TT_DB
    boot      etc       opt         system    usr       lib
    export    cdrom     lost+found  tftpboot  var       platform
    dev       home      Dem         proc      tmp       vol

    Try http://10.0.0.1:2002; ACS listens on port 2002 by default.

    Pete

  • Primary/secondary RADIUS server

    Hey all,.

    I've been trying to find out for a while how primary and secondary RADIUS servers work on WLC 4400s. If the primary RADIUS server goes down and the secondary is used, when will the controller return to the primary once it is up? Does it wait until the secondary goes down, or does it immediately switch back to the primary when it becomes available?

    Thanks in advance!

    The f

    On versions 4.2 and earlier, if the primary fails, then the secondary is used until the secondary becomes unavailable. So if you want the primary RADIUS server to be used again, restart the secondary. Then the tertiary, then back to the primary. 5.0 has a feature in which you can define a keepalive so that when the primary comes back up, the primary will be used again. 5.0 is not a good version of code, however.

  • change the IP address of the RADIUS server

    Hi all

    I'm looking to relocate a TACACS+ server inside the DMZ and, consequently, the server will be on a new IP range.

    I will push these commands with automation tools, as I have a large number of switches.

    The switch configuration is as below.

    existing TACACS+:

    radius-server host 10.11.11.40 key 9090897979800090908

    Now I move the server to a new IP, 10.99.1.40

    If I enter the command

    radius-server host 10.99.1.40 key 9090897979800090908

    the configuration looks like this:

    radius-server host 10.11.11.40 key 9090897979800090908

    radius-server host 10.99.1.40 key 9090897979800090908

    I need to confirm that when I move the server to this new IP, the switches will switch over to the new IP address 10.99.1.40, and that after that I remove the old line: no radius-server host 10.11.11.40 key 9090897979800090908

    Or will that work as is, and do I have to set up a group as shown at the bottom of the page from the link below?

    http://www.Cisco.com/c/en/us/TD/docs/iOS/12_2/security/configuration/guide/fsecur_c/scftplus.html

    Thank you very much

    The method explained in the linked document is the most recent. On IOS 15.x the previous method (which still works) generates a message in the CLI parser that it has been deprecated and that Cisco recommends the new method.

    That said, either method should work. The new method should be fine on all switches or routers with IOS 12.0+.

    When there are two servers configured, IOS will try them in order and, if a response is not received in three tries (each, in the case of multiple servers), it may fall back to another configured AAA method (or AAA fails if no second method has been defined).

  • RADIUS server for authentication

    Hello

    I want to configure the RADIUS server so that whenever someone tries to connect to a Cisco switch (Telnet), the RADIUS server authenticates them. Is this possible?

    Yes, it is possible as long as you configure your switches to authenticate to the RADIUS server. To achieve this, you must use a feature called AAA. This feature works with protocols such as RADIUS and TACACS+, to name a few. The following link will give you an idea of how to set it up on IOS-based switches, specifically the 3550:

    http://www.Cisco.com/en/us/partner/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801a6b15.html

    Make sure that you apply the authentication list to the vty lines to ensure that Telnet access is authenticated with the RADIUS server. For CatOS-based switches the following link will be useful:

    http://www.Cisco.com/en/us/Partner/Tech/tk583/TK642/technologies_tech_note09186a0080094ea4.shtml

  • privilege level of the AAA RADIUS server control

    I have RADIUS authentication on my switch, but I'm trying to allow two types of user login using Windows Active Directory: NetworkUsers, who can display the configuration, and NetworkAdmins, who can do anything. I would like NetworkAdmins, when they log on, to go directly to privilege level 15, but I could not get that part to work. Here is my configuration:

    Windows 2008 R2 domain controller with NPS installed.

    RADIUS client: I have the IP address of the switch as well as the key. Under the Advanced tab I selected Cisco as the Vendor name.

    Network policies:

    NetworkAdmins, which has the group networkadmin in Conditions; under Settings I have nothing in Standard, and for Vendor Specific I have:

    Cisco Cisco-AV-Pair shell:priv-lvl=15

    My config switch:

    aaa new-model
    !
    !
    aaa group server radius MTFAAA
     server name dc-01
     server name dc-02
    !
    aaa authentication login NetworkAdmins group MTFAAA local
    aaa authorization exec NetworkAdmins group MTFAAA local

    radius server dc-01
     address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
     key 7 *
    !
    radius server dc-02
     address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
     key 7 *
    !

    No matter what I do, it does not default to privilege level 15 when I log in. Any thoughts?

    Have you specified the authorization under the vty lines? I think it is the 'authorization exec' command. Something like that.

  • Test of the RADIUS server options

    Hello

    Does anyone have experience with RADIUS server availability tests? I'd like to know what the switch uses to test the availability of the RADIUS server and what measures it will take after detecting that the server is dead. The setup is done with ISE 1.4.

    Hello

    For how the switch contacts RADIUS and how to configure the switch for dead timers, I will redirect you to the Cisco documentation, which is very simple and complete as well.

    http://www.Cisco.com/c/en/us/products/collateral/iOS-NX-OS-software/iDEN...

    All parameters for marking a server as dead, and for how long it will be considered dead, are tweakable. Dynamically marking servers as dead when they do not respond may result in better RADIUS response performance.

    Thank you

    PS: Please don't forget to rate and score as correct answer if this answered your question.

  • RADIUS-server host command problem

    Hi all

    I have a Cisco 4506-E with a Sup 8L-E and the latest IOS image, but the 'radius-server host X.X.X.X' command is not available. I've heard that this command has been changed now; can someone tell me the new syntax of this command, because I'm setting up this switch with Cisco ISE...

    Kind regards

    The syntax is:

    radius server A-NAME-FOR-THE-SERVER
     address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
     key YOUR-KEY

  • RADIUS server without AirPort devices

    Is there a way I can set up a RADIUS server using the OS X Server application, but without an AirPort base station, on El Capitan? Thank you

    See if this helps.

    OS X Server Mavericks - setting up FreeRADIUS

  • Which Windows operating system can I switch to from Windows 2000 Advanced Server?

    Need to upgrade the operating system

    Which Windows operating system can I switch to from Windows 2000 Advanced Server running on an AMD Athlon 64 processor?

    Hi SCB99,

    You can read the following article.

    Paths supported for upgrading to Windows Server 2003 or to Windows Small Business Server 2003

    For more information you can contact Microsoft Support.

    How and when to contact Microsoft and support Customer Service

  • RADIUS Server - Windows server 2008

    Hello world

    We use Windows Server 2008 Standard as our domain controller. We have been running a RADIUS server on our campus for the last two years. I could see that we can configure only 50 RADIUS clients in NPS. Is it possible to add more in Windows 2008 Standard?

    Please help me

    Teckzx

    This issue is beyond the scope of this site and should be posted on TechNet or MSDN

    http://social.msdn.Microsoft.com/forums/en-us/home

  • Secondary RADIUS server

    I need help setting up a secondary RADIUS server. I have a primary and a secondary. I would like AAA to send requests to the secondary server when the primary is either down or the service on the primary is stopped. Any ideas?

    You should consider two methods:

    The old-school one, like this:

    aaa new-model
    aaa authentication login default group tacacs+ local
    !
    radius-server host 10.1.122.11
    radius-server host 10.2.32.13
    radius-server key abcdef

    Otherwise, try a group method like this:

    aaa new-model
    aaa group server tacacs+ ABCGROUP
     server 10.1.1.5
     server 10.1.1.13
    !
    aaa authentication login default group ABCGROUP line
    !
    tacacs-server host 10.1.1.5
    radius-server host 10.1.1.13
    radius-server key abcdef
    !

    Because the shared key (secret) cannot be configured inside the group configuration, you must define the RADIUS servers again at the end of the config.

    !

    Make sure that you have connectivity to both before testing. Stop the service on your primary ACS and keep an eye on the reports to see where the authentications go.

    Here's another tip:

    With 'line' as the fallback authentication, you can immediately distinguish a line login from a TACACS+ login. TACACS+ will show "username:", and line prompts you with "password:".

    !

    Let me know how things are going.

    Cheers
