|
Zuhzuhzombie!! posted:Is 802.1x fairly straight forward? Short answers: I think so. You'll want a few others. Possibly, depending on what you want to have happen based on auth state. See last response. Reading time: http://www.cisco.com/en/US/products/ps6638/products_ios_protocol_group_home.html I'm not being a dick. IBNS has a ton of features you need to read up on. Is this a "hey can we do this" idea? Or is this a "Hey, we have these requirements and are looking at 802.1x to be part of that solution"?
|
#
?
Aug 27, 2012 04:12
|
|
|
|
| # ? Apr 19, 2024 06:09 |
|
|
It was more or less "Hey, were getting a NAC. Read up on 802.1x and do some testing and figure it out". So here I am. I've gone over the config guide but its a little obtuse. Wanted to hit the thread up for any quick advice. About to setup a 3750 for testing purposes now.
|
|
#
?
Aug 27, 2012 14:29
|
|
|
We got talked into purchasing Prime to replace WCS, so please post any hints you come up with on NAC. It's not something I really want to deploy, but sounds like Cisco's trying to press the issue. I can't have a meeting with my rep without some hard-sell presales engineer FUDding me about how I'm not doing NAC.
|
|
#
?
Aug 27, 2012 15:44
|
|
|
I'm not doing any config on it/heading it up but I'll gladly post any interested tid bits we happen to come across. Currently I'm upgrading the software on this 3750g since I can turn Dot1x on globally but can't configure it on any interfaces. Command isn't recognized.
|
|
#
?
Aug 27, 2012 15:50
|
|
|
Zuhzuhzombie!! posted:I'm not doing any config on it/heading it up but I'll gladly post any interested tid bits we happen to come across. There is a cheat sheet on the page I linked you to. A lot of the commands are deprecated/changed. Which NAC solution are you guys going with?
|
|
#
?
Aug 27, 2012 16:50
|
|
|
wired 802.1x is full of so many caveats it's nearly unimaginable. I don't know the current state of things, but when I looked most recently, following the command overhaul in IOS, it was still messy. I was asked to implement wired 802.1x a few years ago, and I dug my heels in hard to avoid having to do it. It's such a terrific way to guarantee that periodically machines will be shunted off the network.
|
|
#
?
Aug 27, 2012 18:38
|
|
|
Yeah, that's what I thought. I'm hoping I can duplicate my current WCS functionality in Prime and ignore anything related to wired auth.
|
|
#
?
Aug 27, 2012 18:54
|
|
|
Tremblay posted:There is a cheat sheet on the page I linked you to. A lot of the commands are deprecated/changed. Cool. I'll see if I can find that cheat sheet. Not sure on NAC just yet. Lemme ask. ed nvm, had to be explicit in the type of switchport. Zuhzuhzombie!! fucked around with this message at 22:25 on Aug 27, 2012 |
|
#
?
Aug 27, 2012 20:57
|
|
|
I have a login to various cisco routers and switches in our company. I need to change the password of the other person who has an account on those same switches and routers. How do I go about doing that? Is it different for different models? Or is it all the same across ios?
|
|
#
?
Aug 28, 2012 22:42
|
|
|
Jim Silly-Balls posted:I have a login to various cisco routers and switches in our company. I need to change the password of the other person who has an account on those same switches and routers. username firedguy privilege 15 secret newpass enable secret enablepass
|
|
#
?
Aug 28, 2012 22:51
|
|
|
or just delete his access entirely: no username fireguy
|
|
#
?
Aug 29, 2012 00:09
|
|
|
falz posted:same across IOS. 'privilege xx' is optional. 'secret' or 'password' can be used, 'password' will give you reversible type 7 encryption while 'secret' is MD5/more secure. If it is because some guy is getting fired, reset enable passwords too. CrazyLittle posted:or just delete his access entirely: Awesome. Yes it is because someone is getting fired. Is either one of the above methods better or worse for any real reason?
|
|
#
?
Aug 29, 2012 02:02
|
|
|
Well if you get fired then there won't be any more users to delete. We use RADIUS/LDAP so we can disable accounts without modifying configs. I'd keep an admin user with some obnoxious password in the configuration to use as a backup, then individual accounts for users for various reasons.
|
|
#
?
Aug 29, 2012 02:31
|
|
|
falz posted:Well if you get fired then there won't be any more users to delete. +1 for this, centralized TACACS+ tied into a directory service, and local backup account and enable secret. If the TACACS+ server is up and available the backup account/enable secret won't work. And while you're setting this up, set up RANCID too. You'll thank us later.
|
|
#
?
Aug 29, 2012 03:26
|
|
|
See, heres the thing. I dont know how to change a password in IOS, or lock an account out. RADIUS tied back to AD through LDAP is a bit beyond my current IOS knowledge, although I agree that we should head there. So, is just changing the password the best bet?
|
|
#
?
Aug 29, 2012 04:57
|
|
|
Unless you think you're going to need to give that user or someone else access to the router using that username then just delete it (from another account). Change the enable secret while your at it (unless you give all your users privilege 15 or something). no username firedguy enable secret 0 passwordhere
|
|
#
?
Aug 29, 2012 06:48
|
|
|
radius or tacacs on IOS isn't too bad. It works more or less how you'd want out of the box. The ASA's on the other hand... *shakes fist*
|
|
#
?
Aug 29, 2012 16:23
|
|
|
Would aaa new-model being active prevent me from using "login local" on vty lines for SSH?
|
|
#
?
Aug 29, 2012 21:52
|
|
|
Zuhzuhzombie!! posted:Would aaa new-model being active prevent me from using "login local" on vty lines for SSH? Yes. By setting AAA you're telling it to read auth info from the AAA config and not the local config on the VTY lines.
|
|
#
?
Aug 29, 2012 23:22
|
|
|
CrazyLittle posted:Yes. By setting AAA you're telling it to read auth info from the AAA config and not the local config on the VTY lines. If you have local in your method list you should be fine if: it is before another source (or only source), or if the connectivity to external stores is down. Presuming its configured. I think.
|
|
#
?
Aug 30, 2012 02:27
|
|
|
My work just dumped a ton of money into getting a bunch of Cisco 3502i access points. They seemed fine when they tested one. However, after installing them (dozens), we've ran into one big problem: iPhones and iPads cannot connect (most of our mobile devices). We get a bunch of "Unable to connect to xxx network" errors. If we try and retry and retry, eventually they connect. I'm talking 20+ attempts. I found this page through a search: http://www.101tech.net/2012/04/04/cant-connect-to-wlc-5508-and-3502-aps-using-iphone/ quote:If you’re having this issue – try disabling aironet-ie under WLAN -> advanced. I also saw this: https://supportforums.cisco.com/thread/2080311 quote:After scouring the Apple forums there was a brief mention of the Apple products having an issue when the same SSID is broadcast on both the 2.4 & 5ghz frequencies. iPhones don't use the 5GHz frequency, so I don't know if that would be an issue. Other than those two things, anyone have any idea of what to look for or change to make this work?
|
|
#
?
Aug 30, 2012 18:00
|
|
|
Are you using them as standalone APs or as lightweight APs in conjunction with a controller?
|
|
#
?
Aug 30, 2012 18:10
|
|
|
n0tqu1tesane posted:Are you using them as standalone APs or as lightweight APs in conjunction with a controller? I'm not sure (I didn't set them up), but I'm guessing it's the second option. We have a bunch in a hallway so you go from one to the other as you're walking somewhere (the LED goes from green to blue as it becomes the "active" one you're using).
|
|
#
?
Aug 30, 2012 18:37
|
|
|
Xenomorph posted:My work just dumped a ton of money into getting a bunch of Cisco 3502i access points. They seemed fine when they tested one. To answer your question about controller, 3500+ series can't even be used without a controller. See here: http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10981/data_sheet_c78-594630.html Stuff we've seen may be related to the iPads/iPhones seeing too many SSIDs and not gracefully connecting to the closest WAP (since they're all broadcasting the same thing). Setting found to help is under Controller>General>Fast SSID change (enable)
|
|
#
?
Aug 30, 2012 19:15
|
|
|
Fatal posted:To answer your question about controller, 3500+ series can't even be used without a controller. See here: http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10981/data_sheet_c78-594630.html I was just told "We did a test with this enabled and it seems to do the trick." Hopefully, that's the end of it. I should know more later. Thanks!
|
|
#
?
Aug 30, 2012 21:24
|
|
|
Is it open authentication or WPA/WEP? We could not get apple products to connect unless we allowed them to connect with either AES or TKIP, I don't remember which one it ultimately worked with.
|
|
#
?
Aug 30, 2012 21:24
|
|
|
I just had this problem. Enabling Fast SSID change on the controller fixed it for me. Supposedly 7.2.110.0 has better Apple support. I'm still on old locators so I have to stay on the 6 train (next stop: Brooklyn Bridge!)  edit: beaten, but bolsters the casereal edit: those 3502s are monsters. Serious radio range. bort fucked around with this message at 06:49 on Aug 31, 2012 |
|
#
?
Aug 31, 2012 06:45
|
|
|
Speaking of WLC, is there a way to change the idle timeout on individual SSIDs instead of just on the controller in general?
|
|
#
?
Aug 31, 2012 15:21
|
|
|
I could have sworn there was, but I don't have access to a controller anymore these days to check.
|
|
#
?
Aug 31, 2012 18:47
|
|
|
bort posted:I just had this problem. Enabling Fast SSID change on the controller fixed it for me. What kind of range? How many devices can be connected to one? The people installing them here are seriously putting them about 30 feet apart. I have one dinky WRT54GL proving WiFi for my entire house, and in that same amount of space they'd have eight 3502i APs set up.
|
|
#
?
Aug 31, 2012 21:29
|
|
|
Xenomorph posted:How many devices can be connected to one? Xenomorph posted:I have one dinky WRT54GL proving WiFi for my entire house, and in that same amount of space they'd have eight 3502i APs set up. That is because they build their network for capacity, not coverage. ior fucked around with this message at 22:23 on Aug 31, 2012 |
|
#
?
Aug 31, 2012 22:09
|
|
|
Zuhzuhzombie!! posted:Speaking of WLC, is there a way to change the idle timeout on individual SSIDs instead of just on the controller in general? Yes, there is. It's under the Advanced tab on the wlan configuration.
|
|
#
?
Aug 31, 2012 22:46
|
|
|
Xenomorph posted:I was just told "We did a test with this enabled and it seems to do the trick." Glad it worked! High density (or even just multiple AP wireless) is a tricky bitch. I'm just glad we don't do voice let alone asset tracking installs yet, that just sounds like a whole bunch of fun (every device must see at least 3 APs for asset)
|
|
#
?
Sep 1, 2012 00:03
|
|
|
Xenomorph posted:What kind of range? How many devices can be connected to one? The people installing them here are seriously putting them about 30 feet apart. If you want to get serious, get Ekahau heatmapper (or Fluke, etc. if you have budget) and put yourself through a survey. That's really the only way you can see what's up -- even though WCS has heatmaps, they're not terribly reliable for decision making and you need to survey it with clients on it. The other answer to "how many devices can connect to one" has to do with the uplink: how many clients do you want to link to a single 1Gbit connection? And how many of them are 2.4GHz clients that are competing for three non-overlapping channels? One problematic client can slow the rest down. The 3502s are pretty terrific at problem isolation, finding where bluetooth or microwaves or (in my case) radar are interfering with your wireless and dynamically working around that. e: I have two of them in a 30-person office in Australia and the people go across the street to the coffee shop and still have wireless.  ee: WLC best practices is a really good doc. I was especially happy with config ap syslog host global to log what my APs are doing. bort fucked around with this message at 00:30 on Sep 1, 2012 |
|
#
?
Sep 1, 2012 00:18
|
|
|
bort posted:e: I have two of them in a 30-person office in Australia and the people go across the street to the coffee shop and still have wireless.
|
|
#
?
Sep 1, 2012 01:13
|
|
|
Anyone here work for an MSP with a service or specialty on managing WANs? We are going to be replacing our MPLS WAN with a hodgepodge of Metro Ethernet providers. The company that does our circuit monitoring and who can give router config advice for these circuits is wanting a giant pile of money to continue doing so, $150/mo/site. Considering we have over 50 sites, we could easily hire a network guy just for this, possibly also a helpdesk guy as well with the price they are asking. Can anyone give me an estimate of what a reasonable price would be? The primary duties would be initial configuration assistance of the routers, monitoring them for downtime and interface errors, and being on standby to answer general to advanced networking questions regularly (less than 1 hour per month of this).
|
|
#
?
Sep 1, 2012 01:40
|
|
|
Is that 150/mo/site including the cost of the circuits? Because I'm not seeing how you are going to possibly be able to beat the price. Also what kind of bandwidth etc are you talking about? Even our no frills, VPLS T1's are like 300/mo minimum, and often more.
|
|
#
?
Sep 5, 2012 20:28
|
|
|
I'm sure that's on top of the circuits and to be honest it's really not that excessive. I work for a MSP doing what you describe and providing the support you're talking aboout. We're probably in that ballpark as far as CPE router/firewall/etc. management. I think our managed firewall service is $99/mo. or so. Routers are in that same area if I recall correctly. You're asking for skilled labor on demand so it costs a little bit of scratch.
|
|
#
?
Sep 5, 2012 21:04
|
|
|
Well, it's about 90k a year, so you _could_ hire a FTE. But then you'll have to also incorporate payroll tax, health care, 401k contribution, equipment, yadda yadda.
|
|
#
?
Sep 5, 2012 22:15
|
|
|
|
| # ? Apr 19, 2024 06:09 |
|
|
Powercrazy posted:Is that 150/mo/site including the cost of the circuits? Because I'm not seeing how you are going to possibly be able to beat the price. Also what kind of bandwidth etc are you talking about?
|
|
#
?
Sep 6, 2012 00:44
|
|