Re: [WIRELESS-LAN] Multiple VLANs configuration
At 08:04 PM 12/15/2005, you wrote:

> While trying to set the Windows XP client to authenticate via 802.1x, the authentication is successful. However, after disconnecting from the network and trying to get back on, Windows XP does not ask for the user credentials and uses a cached entry to connect again. Where would you set the host to ask for credentials every time a connection is initiated?

Hi,

If your RADIUS server supports it, could you configure EAP-TTLS and install the SecureW2 client on your XP boxes? http://www.securew2.com/uk/index.htm

The SecureW2 client is more configurable, and I think you can tell it to ask you for the password every time as one of the options.

Cheers,
Ben

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Multiple VLANs configuration
-----Original Message-----
> Where would you set the host to ask for credentials every time a connection is initiated?

You can use DNS views to provide the giaddr address for a specified vlan to clients on that vlan using the same certified name.

Randy

Randall Grimshaw
Room 203 Machinery Hall
Syracuse University
Syracuse, NY 13244
315-443-5779
[EMAIL PROTECTED]
Re: [WIRELESS-LAN] Multiple VLANs configuration
Ranjit,

There currently is no automatic setting in the Windows setup to remove these. Their recommendation is to remove a couple of entries in the registry.
http://support.microsoft.com/default.aspx?scid=kb;en-us;823731

good luck
dave

At 08:04 PM 12/15/2005, you wrote:

> While trying to set the Windows XP client to authenticate via 802.1x, the authentication is successful. However, after disconnecting from the network and trying to get back on, Windows XP does not ask for the user credentials and uses a cached entry to connect again. Where would you set the host to ask for credentials every time a connection is initiated?
>
> Thank you.
> Ranjit
RE: [WIRELESS-LAN] Multiple VLANs configuration
While trying to set the Windows XP client to authenticate via 802.1x, the authentication is successful. However, after disconnecting from the network and trying to get back on, Windows XP does not ask for the user credentials and uses a cached entry to connect again. Where would you set the host to ask for credentials every time a connection is initiated?

Thank you.

Ranjit
RE: [WIRELESS-LAN] Multiple VLANs configuration
-----Original Message-----
> Where would you set the host to ask for credentials every time a connection is initiated?

Short answer: not sure you can do this. There is a registry key you would have to delete manually to effect this. You can also set the 802.1x to use the Windows domain and username. (I believe this is the default setting.)
Re: [WIRELESS-LAN] Multiple VLANs configuration
On Wed, 2005-12-14 at 14:25 -0800, Ranjit Philip wrote:

> The port configuration that is currently on is:

I would suggest modifying the switch with the following configuration. Reason: you don't need 'switchport access vlan 168' since you are trying to configure a trunk. Also, you don't want 'spanning-tree portfast' because you DO want to run spanning tree on that port.

    interface FastEthernet2/36
     no switchport access vlan 168
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 168
     switchport trunk allowed vlan 1,19,168,998,999,1001-4094
     qos trust cos
     no snmp trap link-status
     tx-queue 3
       priority high
     no spanning-tree portfast

> If I do a 'sh vlan id 19' on the same switch it does not show the VLAN active on the same port

The reason why it is not showing there is because this interface is a trunk. Is your Cat4500 doing the routing? Or, if another device is routing, then you need to trunk vlan 19 to the 4500. Also, do you have vlan 19 created on the 4500? 'sho vlan' should show you if it exists, even though it might not have any interfaces assigned to it.

> Should I be configuring the port differently to carry multiple VLANs to the access point?

Also, your AP should be configured for trunking.

**
    interface FastEthernet0.168
     encapsulation dot1Q 168 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    interface FastEthernet0.19
     ! tag VLAN 19 on this sub-interface (the encapsulation line is required)
     encapsulation dot1Q 19
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
**

Hope this helps.

--Samuel

-- 
Samuel Petreski
Network Systems Analyst
Computing and Network Services
Kansas State University
(785) 532-4943
[EMAIL PROTECTED]
RE: [WIRELESS-LAN] Multiple VLANs configuration
First execute a couple of commands:

1) sh int fa2/36 switchport
   Look at the output from this and see if your interface is actually in trunk mode.

2) conf t
   int fa2/36
   switchport mode trunk
   This will turn trunking on. Alternatively, you can do a 'switchport mode dynamic auto', which sets the trunk negotiation to auto, or you can do a 'switchport mode dynamic desirable', which sets the trunk negotiation to desirable.

3) no spanning-tree portfast

4) sh vtp stat
   If you are using a VTP domain, you want to make sure your VTP domain info is correct as well.

This should get you up and going.

J. Bart Casey
Network Engineer
Wofford College

-----Original Message-----
From: Ranjit Philip [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 5:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Multiple VLANs configuration

We are currently testing setting up our Cisco Aironet 1100 and 1200 infrastructure with multiple VLANs. Our test device is statically configured for VLAN 168. We have another test VLAN 19 which we want to have trunked to the device. The access point is connected to a port on a Cisco 4500 chassis running native IOS. The port configuration that is currently on is:

    interface FastEthernet2/36
     switchport access vlan 168
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 168
     switchport trunk allowed vlan 1,19,168,998,999,1001-4094
     qos trust cos
     no snmp trap link-status
     tx-queue 3
       priority high
     spanning-tree portfast

If I do a 'sh vlan id 19' on the same switch, it does not show the VLAN active on the same port. Should I be configuring the port differently to carry multiple VLANs to the access point? Any clues would be appreciated...

Ranjit Philip
ITR Network Engineering
California State University, Northridge
RE: [WIRELESS-LAN] Multiple VLANs configuration
Thank you all for the responses. The 'switchport mode trunk' actually did the trick. Little mistakes...arrrgh. I am going to take out the 'spanning-tree portfast' command nonetheless, as most of you have suggested.

I however found out that when you have a port configured in trunk mode and you try to enable 802.1x on that port, it gives me this message:

    (config-if)#dot1x port-control auto
    Command rejected: Trunking enabled on one or more ports. Dot1x is supported only on Ethernet interfaces configured in Access, Routed or Private-vlan Host Mode.
    (config-if)#
    *Apr 4 12:16:02.104: %DOT1X-5-ERR_TRUNK: Dot1x can not be enabled on Trunk port

This takes us into another subject, but I was trying to configure the AP in such a way that it has one SSID tied to VLAN 168, which requires MAC-based open authentication and no encryption, and another SSID tied to VLAN 19, which requires 802.1x-based authentication using EAP-PEAP with MS-CHAPv2 and WPA encryption. Do I need to have the port the AP is connected to set for 1x? How would I do it on a trunk port? If 1x is configured on the port, wouldn't all the SSIDs on the AP require 802.1x-based authentication?

Thank you.

Ranjit Philip
ITR Network Engineering
California State University, Northridge

----- Original message -----
Date: Wed, 14 Dec 2005 18:21:46 -0500
From: Casey, J Bart [EMAIL PROTECTED]
Subject: RE: [WIRELESS-LAN] Multiple VLANs configuration
To: [EMAIL PROTECTED], WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Re: [WIRELESS-LAN] Multiple VLANs configuration
Just wanted to stress this data point regarding trunked Cisco APs (Ranjit has it right):

Switch ports connected to APs that are trunking must be configured to allow only those VLANs that are configured on the AP. This is done using the 'switchport trunk allowed' command on the switch port.

ex) switchport trunk allowed vlan 1,314,953

http://www.cisco.com/en/US/customer/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
(this page is for the 1100 series, but applies to the 1200 series as well)
(Not sure if this URL requires CCO login)

From that Cisco page:

> ...If you ignore minor points in these concepts when you deploy VLANs with Cisco Aironet wireless equipment, you will experience unexpected performance, such as:
>
> The failure to limit allowed VLANs on the trunk to those defined on the wireless device. If VLANs 1, 10, 20, 30 and 40 are defined on the switch, but only VLANs 1, 10 and 30 are defined on the wireless equipment, you must remove the others from the trunk switchport.

hope this helps.

Mike

***
Michael Dickson                 Phone: 413-545-9639
Network Analyst                 Fax: 413-545-3203
University of Massachusetts     Email: [EMAIL PROTECTED]
Network Systems and Services
***

Ranjit Philip wrote:
> Thank you all for the responses. The 'switchport mode trunk' actually did the trick.
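The thread's advice comes down to four checks on the switch port that feeds the AP: it must actually be in 'switchport mode trunk', 'spanning-tree portfast' should not be on a trunk, the 'switchport access vlan' line is redundant once the port is a trunk, and (Mike's point from the Cisco page) the trunk's allowed VLAN list should contain exactly the VLANs the AP bridges. The following Python script is an added example, not part of the thread and not a Cisco tool: it parses an IOS interface stanza and the AP's dot1Q sub-interface config and reports any of those mismatches. The sample stanzas are constructed, modelled on the ones posted in the thread, and the function names (parse_switchport, parse_ap, audit) are this example's own.

```python
import re

# Constructed sample modelled on the port stanza as first posted: no trunk mode,
# portfast on, access-vlan line present, and a very wide allowed list.
SWITCH_BEFORE = """\
interface FastEthernet2/36
 switchport access vlan 168
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 168
 switchport trunk allowed vlan 1,19,168,998,999,1001-4094
 spanning-tree portfast
"""

# Constructed sample combining the thread's advice: explicit trunk mode, no portfast,
# no access-vlan line, allowed list pruned to the VLANs the AP actually bridges.
SWITCH_FIXED = """\
interface FastEthernet2/36
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 168
 switchport trunk allowed vlan 19,168
 switchport mode trunk
"""

# Constructed AP config modelled on the dot1Q sub-interfaces posted in the thread.
AP_CONFIG = """\
interface FastEthernet0.168
 encapsulation dot1Q 168 native
 bridge-group 1
interface FastEthernet0.19
 encapsulation dot1Q 19
 bridge-group 1
"""


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,19,1001-4094' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def compress(vlans):
    """Inverse of parse_vlan_list: a set of ints -> '1,998-999,1001-4094'."""
    vlans, out, i = sorted(vlans), [], 0
    while i < len(vlans):
        j = i
        while j + 1 < len(vlans) and vlans[j + 1] == vlans[j] + 1:
            j += 1
        out.append(str(vlans[i]) if i == j else f"{vlans[i]}-{vlans[j]}")
        i = j + 1
    return ",".join(out)


def parse_switchport(stanza):
    """Pull the trunk-relevant settings out of one IOS interface stanza."""
    # IOS defaults: no explicit mode, native VLAN 1, all VLANs allowed, no portfast.
    sw = {"mode": None, "access_vlan": None, "native": 1, "allowed": None, "portfast": False}
    for line in stanza.splitlines():
        line = line.strip()
        m = re.fullmatch(r"switchport mode (\S+)", line)
        if m:
            sw["mode"] = m.group(1)
        m = re.fullmatch(r"switchport access vlan (\d+)", line)
        if m:
            sw["access_vlan"] = int(m.group(1))
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            sw["native"] = int(m.group(1))
        m = re.fullmatch(r"switchport trunk allowed vlan (add )?([\d,\-]+)", line)
        if m:  # the 'add' form extends an earlier list instead of replacing it
            new = parse_vlan_list(m.group(2))
            sw["allowed"] = ((sw["allowed"] or set()) | new) if m.group(1) else new
        if line == "spanning-tree portfast":
            sw["portfast"] = True
    return sw


def parse_ap(config):
    """Return (VLAN ids the AP bridges, native VLAN id) from its dot1Q sub-interfaces."""
    vlans, native = set(), None
    for m in re.finditer(r"encapsulation dot1Q (\d+)( native)?", config):
        vlans.add(int(m.group(1)))
        if m.group(2):
            native = int(m.group(1))
    return vlans, native


def audit(stanza, ap_config):
    """Return a list of findings; an empty list means the switch port and AP agree."""
    sw = parse_switchport(stanza)
    ap_vlans, ap_native = parse_ap(ap_config)
    findings = []
    if sw["mode"] != "trunk":
        findings.append("no 'switchport mode trunk': the trunk commands are not in effect")
    if sw["portfast"]:
        findings.append("'spanning-tree portfast' is set; spanning tree should run on a trunk")
    if sw["access_vlan"] is not None:
        findings.append(f"'switchport access vlan {sw['access_vlan']}' is redundant on a trunk")
    if sw["native"] != ap_native:
        findings.append(f"native VLAN mismatch: switch {sw['native']}, AP {ap_native}")
    allowed = sw["allowed"] if sw["allowed"] is not None else parse_vlan_list("1-4094")
    if allowed - ap_vlans:
        findings.append(f"trunk allows VLANs the AP does not define: {compress(allowed - ap_vlans)}")
    if ap_vlans - allowed:
        findings.append(f"AP VLANs missing from the trunk: {compress(ap_vlans - allowed)}")
    return findings


if __name__ == "__main__":
    for name, stanza in (("before", SWITCH_BEFORE), ("fixed", SWITCH_FIXED)):
        print(f"{name}: {audit(stanza, AP_CONFIG) or ['OK']}")
```

Run against the "before" stanza it reports the missing trunk mode, the portfast line, the redundant access-vlan line and the surplus VLANs 1,998-999,1001-4094; against the "fixed" stanza it reports nothing. Feeding it the real 'show running-config interface' and AP sub-interface output is a quick way to catch the mismatch the Cisco note warns about before it shows up as odd performance.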