Web authentication Catalyst 2960

Hello

I am trying to configure web authentication fallback on a Catalyst 2960 switch. The goal is to authenticate clients that are not 802.1X-capable via web authentication (the 802.1X part works fine) and allow them access to the network. The problem is that web authentication seems to fail.

The equipment involved in my question: a Catalyst 2960 switch (version 12.2(37)SE) and FreeRADIUS.

Here's what happens:

The authentication window appears in my browser and the Access-Request is sent to the RADIUS server.

The RADIUS server replies with an Access-Accept. Debugging on the switch shows that all of this information arrives properly: the authentication debug outputs 'status = PASS' and the authorization debug outputs 'status = PASS_ADD'. Despite this, the browser on the client shows the message "Authentication failed".

I have read the manual, and the Cisco attribute-value pairs 'priv-lvl=15' and 'proxyacl...' are mentioned. Are they required to make it work? I am not setting up any switch login authentication via RADIUS.

Any suggestions?

Thanks in advance

Yes, they are mandatory.

If priv-lvl=15 is not returned to the switch, the user will see "Authentication failed" and the access list will not be applied. If the source field in the proxyacl statements is not "any", or there are other syntax errors, the user will see "Authentication successful" but the access list will not be applied and the user will be denied access to the network.

I'm not sure about the specific FreeRADIUS configuration, but you need to set up the [026\009\001] cisco-av-pair VSA. It should look like:

priv-lvl=15

proxyacl#10=permit ip any any

Let me know if this gets you sorted.
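As an added example (not from the original thread), here is a FreeRADIUS users-file entry of the kind the reply describes, fed through a small checker that applies the reply's rules to the Cisco-AVPair values the switch would receive. The username, password, the ACL contents and the host-source variant are constructed sample input; the outcome rules (no priv-lvl=15 means "Authentication failed", a bad proxyacl means "Authentication successful" with no ACL applied) are the ones stated in the reply above.

```python
"""
Added example, not code from the original thread: predict what the Catalyst
web-auth (auth-proxy) fallback does with a given RADIUS Access-Accept, using
the rules in the reply above:
  - no "priv-lvl=15" Cisco-AVPair -> browser shows "Authentication failed",
    no ACL applied
  - priv-lvl=15 present but a proxyacl entry is malformed or has a source
    other than "any" -> "Authentication successful", but no ACL is applied
  - priv-lvl=15 plus well-formed proxyacl entries -> access granted
The users-file entry below is constructed sample input (user, password and
ACL lines are assumptions).
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: FreeRADIUS "users" entry returning the Cisco VSA
# (vendor 9, attribute 1, Cisco-AVPair) twice, as the reply asks for.
GOOD_USERS_ENTRY = '''\
webguest  Cleartext-Password := "s3cret"
          Cisco-AVPair += "priv-lvl=15",
          Cisco-AVPair += "proxyacl#10=permit udp any any eq domain",
          Cisco-AVPair += "proxyacl#20=permit ip any any"
'''
# Same entry with priv-lvl missing (the symptom the original poster reports).
NO_PRIVLVL_ENTRY = GOOD_USERS_ENTRY.replace(
    '          Cisco-AVPair += "priv-lvl=15",\n', '')
# Same entry with a host source instead of "any" (assumed address).
BAD_SOURCE_ENTRY = GOOD_USERS_ENTRY.replace(
    'permit ip any any', 'permit ip host 10.1.2.50 any')

PROXYACL_RE = re.compile(
    r'^proxyacl#(?P<seq>\d+)=(?P<action>permit|deny)\s+(?P<proto>\S+)\s+'
    r'(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<rest>.+)$')


def parse_avpairs(users_entry: str) -> List[str]:
    """Return the Cisco-AVPair reply-item values from a users-file entry."""
    return re.findall(r'Cisco-AVPair\s*\+?=\s*"([^"]*)"', users_entry)


@dataclass
class WebAuthOutcome:
    browser_message: str
    acl_applied: bool
    acl_lines: List[str] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)


def evaluate(avpairs: List[str]) -> WebAuthOutcome:
    """Apply the reply's rules to the av-pairs the switch would receive."""
    if "priv-lvl=15" not in avpairs:
        return WebAuthOutcome("Authentication failed", False,
                              problems=["priv-lvl=15 not returned"])
    acl, problems = [], []
    for pair in avpairs:
        if not pair.startswith("proxyacl#"):
            continue
        m = PROXYACL_RE.match(pair)
        if not m:
            problems.append(f"syntax error: {pair}")
            continue
        if m.group("src") != "any":
            problems.append(f"source must be 'any': {pair}")
            continue
        # The switch substitutes the authenticated host for the "any" source.
        acl.append(f"{m.group('action')} {m.group('proto')} host <client-ip> "
                   f"{m.group('rest')}")
    if not acl or problems:
        # Login page reports success, but nothing is opened for the host.
        return WebAuthOutcome("Authentication successful", False, [],
                              problems or ["no proxyacl entries"])
    return WebAuthOutcome("Authentication successful", True, acl)
```

Run it against the three constructed entries: only the first yields an applied ACL; the entry without priv-lvl reproduces the "Authentication failed" message from the question, and the host-source entry reproduces the reply's "successful but denied" case.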

Tags: Cisco Security

Similar Questions

  • Web authentication bundle on a Catalyst 3750 integrated WLAN controller

    We have set up a Wi-Fi zone based on a few 1131AG access points and a few Cisco 3750 integrated WLAN controllers. We are now trying to use web authentication for our guest area. No problem defining a GUEST WLAN and the associated VLAN. We have also managed to download a custom web authentication page to the controller.

    However, when I try to display the custom page, both controllers show me the internal default page (in preview and during the actual authentication phase).

    The global web authentication settings are the following: Security --> Web Auth --> Web Login Page --> custom (downloaded).

    The controller software version is 4.2.112.0, and the page is an HTML page.

    Any help would be appreciated.

    Kind regards

    Sonia

    What you need to do is set it to internal (default) and hit Apply, then set it back to custom and click Apply. You will still see the default if you use the preview, but if you associate to the SSID and open your web browser, you should get the webauth page. I hope this helps.

  • Cisco Catalyst 2960-S switch configured for 802.1X sending an Access-Request to the RADIUS server

    Setup

    Cisco Catalyst 2960-S running 15.0(2)SE8

    FreeRADIUS RADIUS server on CentOS 6.4

    Client (supplicant) running Windows 7

    When the Windows client is connected to the port (port 12 in my setup) with 802.1X authentication active on the switch, Wireshark shows that the Catalyst sends an EAP Request and the client responds with an EAP Response. But it does not send the request to the RADIUS server. The RADIUS test utility 'test aaa group radius testuser password new-code' works.
    Here is my running config. Any advice would be greatly appreciated.
    mySwitch#show running-config
    Building configuration...

    Current configuration : 2094 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname myswitch
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$Z1z6$kqvVYRQdVRZ0h8aDTV5DR0
    enable password
    !
    !
    aaa new-model
    !
    !
    aaa authentication dot1x group radius
    aaa accounting dot1x default start-stop group radius
    !
    !
    !
    aaa session-id common
    switch 1 provision ws-c2960s-24ts-l
    !
    !
    !
    !
    !
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    !
    !
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0
     no ip address
     shutdown
    !
    interface GigabitEthernet1/0/1
    !
    interface GigabitEthernet1/0/2
    !
    interface GigabitEthernet1/0/3
    !
    interface GigabitEthernet1/0/4
    !
    interface GigabitEthernet1/0/5
    !
    interface GigabitEthernet1/0/6
    !
    interface GigabitEthernet1/0/7
    !
    interface GigabitEthernet1/0/8
    !
    interface GigabitEthernet1/0/9
    !
    interface GigabitEthernet1/0/10
    !
    interface GigabitEthernet1/0/11
    !
    interface GigabitEthernet1/0/12
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
    !
    interface GigabitEthernet1/0/13
    !
    interface GigabitEthernet1/0/14
    !
    interface GigabitEthernet1/0/15
    !
    interface GigabitEthernet1/0/16
    !
    interface GigabitEthernet1/0/17
    !
    interface GigabitEthernet1/0/18
    !
    interface GigabitEthernet1/0/19
    !
    interface GigabitEthernet1/0/20
    !
    interface GigabitEthernet1/0/21
    !
    interface GigabitEthernet1/0/22
    !
    interface GigabitEthernet1/0/23
    !
    interface GigabitEthernet1/0/24
    !
    interface GigabitEthernet1/0/25
    !
    interface GigabitEthernet1/0/26
    !
    interface GigabitEthernet1/0/27
    !
    interface GigabitEthernet1/0/28
    !
    interface Vlan1
     ip address 10.1.2.12 255.255.255.0
    !
    ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    logging trap debugging
    logging host 10.1.2.1 transport tcp port 514
    radius-server host 10.1.2.1 auth-port 1812 acct-port 1646 timeout 3 retransmit 3 key testing123
    line con 0
    line vty 0 4
     password password
    line vty 5 15
     password password
    !
    end


    Have you run Wireshark on the server, given that the switch sends the request? If so, make sure there is a response from the server. For Windows Network Policy Server (I've never tried CentOS), you must ensure that the request matches a policy which then authenticates or denies access. Usually it is a matter of attributes and vendor.

    Regarding the configuration, the AAA part looks a bit off. Try removing the line:

    "aaa authentication dot1x group radius" and using this instead:

    "aaa authentication dot1x default group radius". After the word dot1x you are supposed to provide an authentication list name, or the word default if you do not want to use a named list.

  • Aironet 1252 with Catalyst 2960-8TC-L and 1841 router compatibility

    Hello

    First of all, are they a good combination together?

    I'll buy a new AP 1252 and a Catalyst 2960-8TC-L switch. My question: can I connect the access point to the 1 x 10/100/1000Base-T/SFP (mini-GBIC) uplink port?

    Because for the AP to work at its 300 Mbps capacity it needs a 1000 port. I will use a power injector to power the AP.

    It will serve 15 PCs as a workgroup and 60 clients on the WLAN.

    Regards

    Saher

    Depending on the type of traffic and the clients' bandwidth requirements, you might need a couple more APs, which means you may have to settle for a 24-port switch. Cisco recommends 15-25 users per AP, but you can have more if it's just e-mail and web browsing.

  • Dot1x multi-domain on Catalyst 2960

    Hello

    I upgraded my 2960 to the latest LAN Base version 12.2(46), which includes Multi-Domain Authentication (MDA), and I tried to configure what is described here:

    http://www.Cisco.com/en/us/Tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

    I have the following exceptions in my configuration:

    (1) Cat 2960 with the latest IOS 12.2(46)SE that supports MDA;

    (2) using Win2K IAS as the RADIUS server; and

    (3) a third-party (Avaya) IP phone with an active dot1x supplicant. I have a dot1x-capable PC connected to the second port of the IP phone.

    This is what I set up on the IP phone port:

    interface FastEthernet0/9
     switchport access vlan 221
     switchport mode access
     switchport voice vlan 222
     dot1x pae authenticator
     dot1x port-control auto
     dot1x host-mode multi-domain
     dot1x violation-mode protect
     dot1x timeout reauth-period 30
     dot1x reauthentication
     spanning-tree portfast

    I also configured the Win2K IAS RADIUS server to send the RADIUS 'cisco-av-pair' attribute telling the authenticator (Cisco Catalyst 2960) that a supplicant (IP phone) is authorized on the voice VLAN, as described in the config notes at the link above.

    When the IP phone supplicant starts to authenticate, it succeeds, but the port does not authorize the VOICE domain, even though the 2960 receives the 'cisco-av-pair' attribute from the RADIUS server. I confirmed reception of this attribute with debugging on the switch.

    RADIUS: Received from id 1645/64 160.2.100.74:1645, Access-Accept, len 110
    17:02:38: RADIUS:  authenticator 7D AC 50 FE 14 B4 FC DC - 3A A4 E5 3F 1E 76 62 C3
    17:02:38: RADIUS:  EAP-Message          [79]  6
    17:02:38: RADIUS:   03 05 00 04
    17:02:38: RADIUS:  Class                [25]  32
    17:02:38: RADIUS:   44 05 05 A2 00 00 01 37 00 01 A0 02 64 4A C9 01 1 33 79 52 D8 58 00 00 00 00 00 00 1B E7  [D7dJ3yRX]
    17:02:38: RADIUS:  Vendor, Cisco        [26]  34
    17:02:38: RADIUS:   Cisco AVpair        [1]   28  "device-traffic-class=voice"
    17:02:38: RADIUS:  Message-Authenticato [80]  18
    17:02:38: RADIUS:   D9 42 78 88 26 5A 65 83 68 B0 E0 C7 AF 5E 0F 51  [Bx&Zeh^Q]
    17:02:38: RADIUS(00000009): Received from id 1645/64
    17:02:38: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes

    Cat2960#show dot1x int fa0/9 details

    Dot1x Info for FastEthernet0/9
    -----------------------------------
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = MULTI_DOMAIN
    ViolationMode             = PROTECT
    ReAuthentication          = Enabled
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthPeriod              = 30 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RateLimitPeriod           = 0

    Dot1x Authenticator Client List
    -------------------------------
    Domain                    = DATA
    Supplicant                = 0004.0d9b.46d8
    Auth SM State             = AUTHENTICATED
    Auth BEND SM State        = IDLE
    Port Status               = AUTHORIZED
    ReAuthPeriod              = 30
    ReAuthAction              = Reauthenticate
    TimeToNextReauth          = 20
    Authentication Method     = Dot1x
    Authorized By             = Authentication Server
    Vlan Policy               = N/A

    I don't think I need CDP to authorize the voice domain if the RADIUS server sends the 'cisco-av-pair' attribute.

    Have I misunderstood the concept?

    Thank you!

    Can you share the switch config?

    Is, for example, 'aaa authorization network default group radius' missing?

  • Cisco UCS 6248 FI connectivity with Cisco Catalyst 2960

    In our environment, UCS connects both fabric interconnects to upstream Cisco Nexus 9K switches with vPC and it works well. But we need to isolate some virtual servers on the UCS blades on an entirely separate DMZ switch, which is a Cisco Catalyst 2960.

    (1) So can we connect separate physical twinax cables from FI uplink ports to the Catalyst 2960 for connectivity to the servers in the DMZ, keeping the FI-to-Nexus connectivity as it is?

    (2) In this case, as there are 2 Nexus core switches (1 and 2), will we require 2 Cisco Catalyst 2960s for such a disjoint network? Or can we connect FI A and FI B to the 2 x 10 Gig SFP+ ports of one 2960 switch?

    (3) Also, please suggest things that must be taken care of, best-practice guides or an illustration in this context.

    The assignment is static and cannot be changed.

    slot 1 - uplink 1

    slot 2 - uplink 2...

    If a slot has no blade, the corresponding uplink is not used, and that cannot be changed!

    This dedication of IOM uplinks of course costs a lot of resources: cables, ports on the FI, port licenses, ...

  • WLC (foreign-anchor), problem with external web authentication -> ISE

    Hello guys

    I am designing a platform for a guest network, which must be isolated from the LAN, with the following equipment:

    • ISE 1.2 (Cisco SNS-3415-K9)
    • WLC 7.0.230.0 (Cisco 5508 controller) ---> foreign WLC
    • WLC 7.0.230.0 (Cisco 5508 controller) ---> anchor WLC

    The EoIP tunnel between the WLCs is successfully established.

    The wireless client gets its IP address from the anchor WLC (DHCP server).

    Test 1:

    I set up the ANCHOR WLC with local (internal) web authentication; the wireless client is authenticated by the WLC and browses successfully.

    Test 2:

    Configure external web authentication (ISE) on the anchor WLC. Configure a user on the ISE guest portal.

    The wireless client gets its IP address from the anchor WLC (DHCP server); attempting to log in does not display the guest portal.

    A debug of a wireless client trying to connect to the guest network is attached.

    That's right... there is a minimum supported code version required for this.

    Thank you

    Scott

    Help others by using the rating system and marking answered questions as "answered".

  • Dynamic VLAN assignment with web authentication

    On a WLC 4402 with firmware v5.2.157, is it possible to assign users to a dynamic VLAN based on the RADIUS response received from ACS?

    Yes and no. You can do it for an 802.1X WLAN, because the client does not get an IP address until it has completed the authentication process. To do this, you use attributes 64/65/81: 64 802, 65 VLAN, and for 81 use the name of the interface, not the VLAN number. You will also need to make sure you have AAA Override enabled under the WLAN.

    If, as you said, it is for web authentication, the answer is no. The client has an IP address before being validated by the AAA server.

    HTH,

    Steve
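    As an added example (not from the original thread), the following encodes and decodes the three RFC 2868 tunnel attributes the reply refers to, with the values RFC 3580 assigns to them: attribute 64 (Tunnel-Type) carries VLAN (13), attribute 65 (Tunnel-Medium-Type) carries IEEE-802 (6), and attribute 81 (Tunnel-Private-Group-ID) carries the interface name on a WLC or the VLAN ID on a switch. The interface name "guest-if" is an assumption; the decoder also shows how a reply with the two integer values swapped fails to match.

```python
"""
Added example, not code from the original thread: RFC 2868 tunnel attributes
used for dynamic VLAN / interface assignment in a RADIUS Access-Accept.
Values per RFC 3580:
  64 Tunnel-Type             = VLAN (13)
  65 Tunnel-Medium-Type      = IEEE-802 (6)
  81 Tunnel-Private-Group-ID = interface name (WLC) or VLAN id (switch)
The group name "guest-if" is a constructed sample value.
"""
import struct
from typing import List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_tunnel_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: type, length, 1-byte tag, 3-byte value."""
    if not 0 <= tag <= 0x1F or not 0 <= value <= 0xFFFFFF:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tunnel_string(attr_type: int, value: str, tag: int = 0) -> bytes:
    """RFC 2868 tagged string: type, length, 1-byte tag, then the text."""
    data = value.encode("ascii")
    if not 0 <= tag <= 0x1F or len(data) > 250:
        raise ValueError("tag must be 0..31 and string must fit one attribute")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_reply_items(group_id: str, tag: int = 0) -> bytes:
    """The three attributes a server returns for a VLAN/interface assignment."""
    return (encode_tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tunnel_string(TUNNEL_PRIVATE_GROUP_ID, group_id, tag))


def decode_attributes(payload: bytes) -> List[Tuple[int, int, object]]:
    """Walk a RADIUS attribute list and return (type, tag, value) triples."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        body = payload[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is text, not a tag.
            if body and body[0] <= 0x1F:
                tag, value = body[0], body[1:].decode("ascii")
            else:
                tag, value = 0, body.decode("ascii")
        else:
            tag, value = 0, body
        out.append((attr_type, tag, value))
        i += length
    return out


def assigned_group(payload: bytes) -> Optional[str]:
    """Return the group name only if all three attributes agree for one tag."""
    attrs = {(t, tag): v for t, tag, v in decode_attributes(payload)}
    for (t, tag), v in attrs.items():
        if (t == TUNNEL_PRIVATE_GROUP_ID
                and attrs.get((TUNNEL_TYPE, tag)) == TUNNEL_TYPE_VLAN
                and attrs.get((TUNNEL_MEDIUM_TYPE, tag)) == TUNNEL_MEDIUM_IEEE_802):
            return v
    return None
```

    The check in assigned_group mirrors what the WLC does with AAA Override: it only honours the interface name when Tunnel-Type and Tunnel-Medium-Type carry the expected values under the same tag.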

  • Web authentication passthrough with e-mail input

    Is it possible to use a custom login.html page when web auth/passthrough is used with e-mail input? I have a requirement for users to just register with an e-mail address, and I need to provide a custom page.

    I can get custom login pages working, but I can't figure out how to make a customized login.html page with only the e-mail entry.

    Any help is appreciated.

    Thank you

    Kurt

    You should also check the wireless downloads. In the area where you find the controller code to download, you can also find a 'Wireless LAN Controller Web Authentication Bundle' containing several HTML samples, including e-mail input.

    This link might work, maybe not:

    http://Tools.Cisco.com/support/downloads/go/InterfaceModuleSWT.x?mdfid=279911269&mdfLevel=model&treeName=wireless&modelname=Cisco%204404%20Wireless%20LAN%20Controller&treeMdfId=278875243

  • Standalone AP web authentication?

    Is it possible to do web authentication redirection using standalone 1131s, or is that function only available with WLAN controllers?

    Hello

    Web authentication is only a solution for a unified (WLC) environment. Autonomous APs cannot perform this function.

    -Patrick Croak

    Wireless TAC

  • How to access a Catalyst 2960-S

    How to access a Catalyst 2960-S

    The main method of management is the Cisco Network Assistant; however, if you need to use the console port, use the supplied RJ45-to-DB9 cable to connect to a local serial port.

    Software-wise, it is possible to extract the 2 HyperTerminal files from a Windows XP CD to run on a Win7 PC. The better alternative is the PuTTY terminal emulator.

  • IE9 beta does not get the web authentication

    Hello

    I have a question:

    We had a user who set the Cisco web-authenticated WiFi SSID as a Public network in the Windows 7 firewall, and when he tried to connect to the WiFi, a troubleshooting page appeared saying: "Connections to web pages are currently redirected to a different web page."  He uses IE9 beta.  Most likely the browser thinks it's a MiTM attack.

    Apart from declaring the network (SSID) as a secure private network, is there another solution?

    Our goal is to get the users (who come from major conferences) onto the network without them having to change a lot of things on their laptops. They would naturally define it as a Public network.

    Thank you

    Suman

    The concept of web authentication IS a man-in-the-middle attack, in a way... And IE9 is not a supported browser either.

    I don't know exactly what makes IE raise this error. Do you have a DNS hostname and a certificate on your webauth?

    Nicolas

  • vNIC not visible on the Catalyst 2960 switch...

    Dear all,

    I configured the UCS chassis with 5 blades and installed ESXi on all five blades...

    I created 10 vNICs per server, and for now I have an IP for ESXi management by combining two NICs, and the FI is connected to the Catalyst 2960 switch. The uplinks are 1 Gig at the FI end and at the switch end... and I made these trunks at the switch end, with all VLANs permitted on the trunk link.

    I have configured all the VLANs on the vNICs based on a template and selected all of them. vlan1 is the default VLAN and is selected as well.

    Please help me solve the problem... I have tried every means and could not find a solution.

    Kind regards

    Gopi G

    Greetings.

    Please confirm you learn your ESXi mgmt addresses (vmk0 will inherit the UCSM vNIC MAC) on the FI: # connect nxos

    # show mac address-table

    Do the same on your 2960 switches.  Do you see the MAC addresses on the 2960 ports connected to the UCSM uplinks?

    Do your UCSM uplinks go to the 2960 in a port-channel?

    Thank you

    Kirk

  • Web authentication.

    I want to configure a switch for IEEE 802.1X port authentication with web authentication as a fallback.

    Can anyone provide an example of a valid configuration?

    Web authentication alone does not work!

    Switch#sh run
    Building configuration...

    Current configuration : 3012 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Switch
    !
    !
    aaa new-model
    aaa authentication login default group radius
    aaa authentication login line-con none
    aaa authentication dot1x default group radius
    aaa authorization auth-proxy default group radius
    !
    aaa session-id common
    switch 1 provision ws-c3750-48p
    system mtu routing 1500
    ip subnet-zero
    ip domain-name cisco.com
    ip admission name rule1 proxy http
    !
    !
    !
    !
    dot1x system-auth-control
    !
    !
    !
    !
    !
    !
    fallback profile aid
     ip access-group Policy1 in
     ip admission rule1
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    !
    !
    !
    interface FastEthernet1/0/1
     switchport access vlan 142
     switchport mode access
    !
    interface FastEthernet1/0/47
     switchport access vlan 142
     switchport mode access
     dot1x pae authenticator
     dot1x port-control auto
     dot1x fallback aid
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan142
     ip address 10.1.254.1 255.255.255.0
    !
    ip classless
    !
    ip access-list extended Policy1
     permit udp any any eq bootps
     deny   ip any any log
    !
    radius-server attribute 8 include-in-access-req
    radius-server host 10.1.254.187 auth-port 1645 acct-port 1646 key secret
    radius-server source-ports 1645-1646
    radius-server vsa send authentication
    !
    control-plane
    !
    !
    line con 0
    line vty 5 15
    !
    end

    Try adding this:

    ip device tracking

    In addition, if you want your web-auth users to be able to use DNS to resolve URLs, you probably want to add something like this to Policy1:

    permit udp any any eq domain

    Don't forget that you need to wait until 802.1X times out (90 seconds by default) for web-auth to kick in.

    Shelly

  • Mode button on Catalyst 2960

    Hello

    Can someone tell me a method of turning off the Mode button function on a Catalyst 2960, to stop it rebooting the switch after being held for 10 seconds? Even with a full config on the switch, the "reset" function always seems to bypass the config and clear/reload the switch.

    Is it possible to disable this feature in software?

    Thank you very much

    Charlie Read

    Try the following command: no setup express

    See the following link for more details on the command.

    http://www.Cisco.com/en/us/products/hw/switches/ps628/products_command_reference_chapter09186a00801a6c4a.html#3549999

    I hope this helps.

    Steve
