Re: [OSL | CCIE_Security] IPV6 First Hop Security
Mark

Go ahead and use this document: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_2_se/configuration/guide/swipv6.html#wp1130142

Regards,
Piotr Kaluzny : Sr Instructor : iPexpert
http://www.ipexpert.com
CCIE # 25665 :: Security
Direct: +1.810.332.1444

On Fri, Nov 15, 2013 at 2:26 AM, Rieber, Mark <mark.rie...@nexusis.com> wrote:
> Does anyone know of a link in the Cisco docs that describes and/or provides the IPV6 First Hop Security feature using NDP with CGA and RSA signatures? If not in the Cisco docs then anywhere else?
>
> Thanks,
> Mark Rieber
> Consulting Engineer, Nexus IS, Inc.
> Office: 858-427-2612 :: Mobile: 626-475-4524 :: 24/7 Nexus CLIENT CARE: 800-266-2003
> mark.rie...@nexusis.com

___
Free CCIE RS, Collaboration, Data Center, Wireless Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
[OSL | CCIE_Security] Freaking stuck on AP (itself )dot1x authentication with Radius server, please help
All,

I'm trying to authenticate the AP with dot1x (NOT MAB) to ISE. My understanding is the WLC pushes the 802.1x auth user/pass to the AP, then the AP tries to respond to the switch's EAP. The switch uses open authentication, so it passes the user/pass to ISE. I think in my case the switch never received the user/pass from the AP to pass it on to ISE. Can anyone shed some light on this?

AP--SW-WLC and ISE

on WLC: I enabled user/pass on 802.1x in global config. Registered the AP without dot1x config on the switch port with the WLC, and once it registered put the dot1x config on the switch.

on ISE: I've got the authen/author profile and username/pass set up for the AP.

on Sw:

interface GigabitEthernet0/3
 description Access Point
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast

3k-access#test aaa gr radius apuser Cisco123 new-code
User successfully authenticated

on AP:

AP5475.d063.f8aa#sh dot1x
Sysauthcontrol Disabled
Dot1x Protocol Version 2

Debug on the switch:

*Mar 1 01:33:54.870: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa , daddr = 5475.d0e3.1403, pae-ether-type = 888e.0200.003b
*Mar 1 01:33:54.870: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF15 (5475.d063.f8aa)
*Mar 1 01:33:54.895: dot1x-ev(Gi0/3): Sending EAPOL packet to 5475.d063.f8aa
*Mar 1 01:33:54.895: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.895: dot1x-ev(Gi0/3): Sending out EAPOL packet
*Mar 1 01:33:54.911: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.911: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 1 01:33:54.911: EAPOL pak dump rx
*Mar 1 01:33:54.911: EAPOL Version: 0x2 type: 0x0 length: 0x006B
*Mar 1 01:33:54.911: dot1x-ev: dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 107
*Mar 1 01:33:54.911: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa , daddr = 5475.d0e3.1403, pae-ether-type = 888e.0200.006b
*Mar 1 01:33:54.911: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF15 (5475.d063.f8aa)
*Mar 1 01:33:54.920: dot1x-ev(Gi0/3): Sending EAPOL packet to 5475.d063.f8aa
*Mar 1 01:33:54.920: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.920: dot1x-ev(Gi0/3): Sending out EAPOL packet
*Mar 1 01:33:54.937: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.937: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 1 01:33:54.937: EAPOL pak dump rx
*Mar 1 01:33:54.937: EAPOL Version: 0x2 type: 0x0 length: 0x002B
*Mar 1 01:33:54.937: dot1x-ev: dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 43
*Mar 1 01:33:54.937: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa , daddr = 5475.d0e3.1403, pae-ether-type = 888e.0200.002b
*Mar 1 01:33:54.937: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF15 (5475.d063.f8aa)
*Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Received an EAP Fail
*Mar 1 01:33:54.945: %DOT1X-5-FAIL: Authentication failed for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID
*Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Sending event (2) to Auth Mgr for 5475.d063.f8aa
*Mar 1 01:33:54.945: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID 0A01FA02001300550D51
*Mar 1 01:33:54.945: %AUTHMGR-5-FAIL: Authorization failed for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID 0A01FA02001300550D51ogg
3k-access(config)#no epm logging
3k-access(config)#
*Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Received Authz fail for the client 0xFF15 (5475.d063.f8aa)
*Mar 1 01:33:54.953: dot1x-ev(Gi0/3): Sending EAPOL packet to 5475.d063.f8aa
*Mar 1 01:33:54.953: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.953: dot1x-ev(Gi0/3): Sending out EAPOL packet

on AP console:

*Mar 1 00:06:41.325: dot1x-packet:Received an EAP packet on the GigabitEthernet0 from mac 5475.d0e3.1403
*Mar 1 00:06:41.325: dot1x-ev: dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Received EAP_PKT
*Mar 1 00:06:41.325: dot1x_supp_bend Gi0: during state supp_bend_receive, got event 7(eapolEap)
*Mar 1 00:06:41.325: @@@ dot1x_supp_bend Gi0: supp_bend_receive - supp_bend_request
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_exit called
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_request_enter called
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_request_action
Re: [OSL | CCIE_Security] Freaking stuck on AP (itself )dot1x authentication with Radius server, please help
If you've been at this for a while, ISE is likely auto-blocking the AP's 802.1x authentication attempts. Go to Administration -- System -- Settings -- Protocols -- Radius -- Uncheck Reject Requests After Detection box. This is a default setting that can hurt during implementations and/or lab testing. Good to disable it during these scenarios.

From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of jeremy co
Sent: Friday, November 15, 2013 7:31 PM
To: Cisco certification; ccie_security@onlinestudylist.com; Jay McMickle; Piotr Kaluzny
Subject: [OSL | CCIE_Security] Freaking stuck on AP (itself )dot1x authentication with Radius server, please help
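Added here as an example, not part of either message above: a small parser that runs over switch debug output in the shape of the lines posted, keeps only the %DOT1X / %AUTHMGR result messages, and flags a supplicant MAC that keeps failing on one port, which is the repeat pattern behind the auto-blocking the reply describes. The sample log is constructed from the posted lines; the extra reauthentication repeats and the Gi0/5 success entry are made up for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the switch debug posted above (same MAC,
# port and AuditSessionID as the thread); the reauthentication repeats and the
# Gi0/5 success line are made up for contrast.
SAMPLE_LOG = """\
*Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Received an EAP Fail
*Mar 1 01:33:54.945: %DOT1X-5-FAIL: Authentication failed for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID 0A01FA02001300550D51
*Mar 1 01:33:54.945: %AUTHMGR-5-FAIL: Authorization failed for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID 0A01FA02001300550D51
*Mar 1 01:34:24.950: %DOT1X-5-FAIL: Authentication failed for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID 0A01FA02001300550D51
*Mar 1 01:34:54.960: %DOT1X-5-FAIL: Authentication failed for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID 0A01FA02001300550D51
*Mar 1 01:35:10.000: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi0/5 AuditSessionID 0A01FA0200140055AAAA
"""

# Only the syslog result messages are matched; the dot1x-ev chatter is skipped.
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d+): "
    r"%(?P<fac>DOT1X|AUTHMGR)-5-(?P<result>FAIL|SUCCESS): .*?"
    r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+)"
)

def parse_events(text):
    """Return (timestamp, facility, result, mac, interface) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S.%f")
            events.append((ts, m["fac"], m["result"], m["mac"], m["intf"]))
    return events

def repeated_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Map (mac, interface) -> total DOT1X failures for supplicants that failed
    at least `threshold` times inside one `window` (the repeat pattern ISE reacts to)."""
    fails = defaultdict(list)
    for ts, fac, result, mac, intf in events:
        if fac == "DOT1X" and result == "FAIL":  # AUTHMGR FAIL follows each one; don't double count
            fails[(mac, intf)].append(ts)
    flagged = {}
    for key, stamps in fails.items():
        stamps.sort()
        for start in stamps:  # sliding window anchored at each failure
            if sum(1 for t in stamps if start <= t <= start + window) >= threshold:
                flagged[key] = len(stamps)
                break
    return flagged
```

Feed it the `debug dot1x events` capture or the switch's syslog feed; a port that shows up in the result is the one to check on ISE before touching the switch or AP config.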