Query 802.1x ports

Answered Question
Feb 28th, 2008

Is there a way in CiscoWorks I can query or create a custom report that queries the ports of all our Cisco 3750s to see if each port has 802.1x enabled?

Joe Clarke Thu, 02/28/2008 - 23:52

You can do this with LMS 3.0 and Campus Manager 5.0. Create a new Use Tracking custom report matching on the attribute, dot1xEnabled.

duncalsi75 Mon, 03/03/2008 - 16:49

Thank you very much for your response. I am currently running LMS version 2.6 and Campus Manager 4.0.10, is it still possible or do I need to upgrade?

Joe Clarke Mon, 03/03/2008 - 16:50

You will need to upgrade to LMS 3.0 to get this new dot1x piece.

duncalsi75 Wed, 03/26/2008 - 00:34

Thank you for your advice, I have now upgraded to LMS 3.0. Could you please help me with another question: do I need to upgrade User Tracking to version 1.1.1? I currently have the UTLite33.exe running which does User Tracking for LMS 2.6. It will be quite a mission to remove the old version and install the new. Thanks in advance

Joe Clarke Wed, 03/26/2008 - 00:36

UTU and UTLite are two different things. Yes, you need to upgrade to UTU 1.1.1 if you want the User Tracking Utility to work with LMS 3.0. No, you do not need to upgrade UTLite to continue to get usernames, but you really should as there are a lot of bug fixes in the latest version.

duncalsi75 Wed, 03/26/2008 - 16:34

Hi, OK, now I am confused :) UTU, which I assume is Utlite33.exe, is executed by PCs when they log in; this is used by Cisco to do User Tracking on port 16236 and was used in LMS 2.6. Now with LMS 3.0 Cisco have released Cisco User Tracking Utility 1.1.1, which uses port 1741. Are you saying to remove Utlite33 from users' PCs and replace it with User Tracking Utility 1.1.1, which fixes bugs in Utlite33.exe and also provides other benefits... do you know what these other benefits are? I need an argument to present to the business. Thank you very much

Joe Clarke Wed, 03/26/2008 - 16:44

As I said in my previous post, UTU and UTLite are two different things. UTU is the help desk utility that sits in the Windows task bar and allows one to do quick lookups of UT data. UTLite is the tool which sends Windows usernames to User Tracking. The UTLite33.exe which came with previous versions of LMS will still work with LMS 3.0, but you are encouraged to upgrade to get recent bug fixes.

UTU is completely optional. If no one is using it now, then there's nothing to do unless you want a quick way of looking up UT data from Windows clients.

duncalsi75 Wed, 03/26/2008 - 18:29

The penny has dropped :) Thank you for that... and my last question regarding this :) How do I know what the latest version of UTLite33.exe is? Can I download it from the Cisco website or is it on the LMS 3.0 CD, which I have done a search on but no results found?

Correct Answer
Joe Clarke Wed, 03/26/2008 - 23:02

The latest version of UTLite33.exe for any given version of Campus Manager can always be found under NMSROOT/campus/bin once Campus Manager has been installed.

duncalsi75 Wed, 04/09/2008 - 19:07

Regarding 802.1x reporting. On my switches I have enabled 802.1x with the global command

dot1x system-auth-control

and on each interface

dot1x pae authenticator

dot1x port-control auto

dot1x control-direction in

However, when I run the 802.1x query in LMS 3.1 it reports every port is false. "dot1xEnabled" false. Can anyone let me know if I need additional 802.1x commands on my interfaces?
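When the report shows every port as false, the switch-side configuration can be checked independently of LMS. The script below is an added example, not part of the original thread and not CiscoWorks code: it audits a saved IOS configuration for the commands listed in the post above, assuming the older `dot1x` syntax shown there and that ports in scope carry `switchport mode access`; the sample config is constructed.

```python
# Per-port commands the poster lists as enabling 802.1x (older "dot1x" syntax).
REQUIRED = ("dot1x pae authenticator", "dot1x port-control auto")

def parse_interfaces(config):
    """Return {interface: [sub-commands]} from IOS running-config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():          # any top-level line closes the block
            current = line.split()[1] if line.startswith("interface ") else None
            if current:
                interfaces[current] = []
        elif current:
            interfaces[current].append(" ".join(line.split()))
    return interfaces

def audit(config):
    """Map each access port to its missing 802.1x settings (empty list = OK)."""
    global_on = "dot1x system-auth-control" in map(str.rstrip, config.splitlines())
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue                       # trunks and uplinks are out of scope
        missing = [] if global_on else ["dot1x system-auth-control (global)"]
        report[name] = missing + [c for c in REQUIRED if c not in cmds]
    return report

# Constructed sample config, not taken from the thread.
SAMPLE = """\
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control force-authorized
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A port set to `force-authorized` is reported as missing `dot1x port-control auto`, since it admits hosts without authentication even though dot1x commands are present.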

Joe Clarke Wed, 04/09/2008 - 19:55

The dot1x data is collected via dynamic User Tracking. So, for example, you will need to be sending MAC address notification traps from your switches to the Campus Manager server to trigger queries for dot1x information.

The dot1x information is obtained from the following SNMP objects from the IEEE8021-PAE-MIB:




duncalsi75 Wed, 04/09/2008 - 21:45

I am running IOS

Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(35)SE1, RELEASE SOFTWARE (fc1) and am missing the first two MIBs. How do I get them?

Joe Clarke Wed, 04/09/2008 - 22:26

I checked the IOS source code, and these objects are not available at all for this switch. As it turns out, it looks like dot1xAuthSessionTime is not nearly as important as dot1xAuthSessionUserName which is supported on 6500s, but not on the desktop switches. There is an open enhancement request (CSCsh68902) to add this object.

However, it doesn't appear that the missing object will be fatal to User Tracking. As long as the dot1xPaePortCapabilities is valid, and you are using Dynamic User Tracking, you should see dot1x enabled port details in UT.

duncalsi75 Wed, 06/04/2008 - 01:23

Hello, OK, I am back to this problem again, I still have not got it working :) How do I know if I have dynamic user tracking on? And while going through previous posts to find a solution I found the following -

"I want to configure ciscoworks, so that whenever there is a 802.1x security violation, I get an email. I already have ciscoworks setup to send me a mail when a port goes into err disabled.

below is the message I get when I get a 802.1x violation.

NMC Distribution 2> (enable) 2005 Aug 18 08:14:12 EDT -04:00 %SECURITY-1-DOT1X_PORT_SHUTDOWN:DOT1X: port 9/38 shutdown because of dot1x security violation by 00-b0-d0-7d-65-0d >"

Does anyone know how to do this?

Joe Clarke Wed, 06/04/2008 - 07:09

You can go to Campus Manager > User Tracking > Administration > Dynamic Updates to see if the Dynamic UT daemon is running. You must also configure MAC address notification traps on all of your switches. This can be done through Campus Manager > User Tracking > Administration > Dynamic Updates > Device Trap Configuration.

To get an email when this syslog message is generated, you can go to RME > Tools > Syslog > Automated Actions, and create a new email automated action.
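Outside of RME, the same syslog message can be matched by a small script on the syslog collector. This is an added example, not part of the original thread and not a CiscoWorks feature: it parses the `DOT1X_PORT_SHUTDOWN` message quoted above and counts repeat violations per port and MAC; the function names and the threshold are assumptions, and only the first sample line comes from the thread.

```python
import re
from collections import Counter

# Matches the message format quoted in the thread; other wordings are ignored.
VIOLATION = re.compile(
    r"%SECURITY-(?P<severity>\d)-DOT1X_PORT_SHUTDOWN:.*?"
    r"port (?P<port>\d+/\d+) shutdown because of dot1x security violation "
    r"by (?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"
)

def parse_violation(line):
    """Return severity, port and normalized MAC for a violation line, else None."""
    m = VIOLATION.search(line)
    if not m:
        return None
    return {"severity": int(m["severity"]), "port": m["port"],
            "mac": m["mac"].lower().replace("-", ":")}

def summarize(lines):
    """Count violations per (port, MAC) so repeat offenders stand out."""
    hits = Counter()
    for line in lines:
        v = parse_violation(line)
        if v:
            hits[(v["port"], v["mac"])] += 1
    return hits

def alert_text(hits, threshold=2):
    """Build an e-mail body for (port, MAC) pairs seen at least `threshold` times."""
    rows = [f"port {p} mac {mac}: {n} violations"
            for (p, mac), n in sorted(hits.items()) if n >= threshold]
    return "\n".join(rows)

# First line is the message quoted in the thread; the rest are constructed.
SAMPLE = [
    "2005 Aug 18 08:14:12 EDT -04:00 %SECURITY-1-DOT1X_PORT_SHUTDOWN:DOT1X: "
    "port 9/38 shutdown because of dot1x security violation by 00-b0-d0-7d-65-0d",
    "2005 Aug 18 08:20:41 EDT -04:00 %SECURITY-1-DOT1X_PORT_SHUTDOWN:DOT1X: "
    "port 9/38 shutdown because of dot1x security violation by 00-B0-D0-7D-65-0D",
    "2005 Aug 18 08:31:05 EDT -04:00 %SECURITY-1-DOT1X_PORT_SHUTDOWN:DOT1X: "
    "port 3/12 shutdown because of dot1x security violation by 00-00-5e-00-53-01",
    "2005 Aug 18 08:32:00 EDT -04:00 %SYS-5-MOD_OK:Module 9 is online",
]

if __name__ == "__main__":
    print(alert_text(summarize(SAMPLE)))
```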

duncalsi75 Wed, 06/04/2008 - 16:02

When I go to Device Trap configuration and select my device a Cisco 2960 I get this message "There are no ports to configure for the selected device(s).

Check whether you have selected any router(s)."

Joe Clarke Wed, 06/04/2008 - 16:18

It could be that Data Collection has not been done properly for this device, or there are no access ports on this switch. Check the NMSROOT/campus/etc/cwsi/portData.xml file for this switch. If it is not there, you need to run another Campus Data Collection. If it is there, make sure there are access ports listed.

duncalsi75 Wed, 06/04/2008 - 16:29

Hi, I have attached a bit of the config and the portData.xml file, could you have a quick look and see if I am missing anything ?

Joe Clarke Wed, 06/04/2008 - 20:38

This looks okay. I don't know why you're seeing the error, but it doesn't appear that you need to configure MAC address traps on this switch as they're already enabled. If you connect a host to a port on this switch, it should send a trap to the CiscoWorks server. If you've configured DFM to forward traps to localhost port 1431, then Campus will get the trap. Else, you need to configure:

snmp-server host x.x.x.x traps COMMUNITY udp-port 1431 mac-notification

Then the switch will send traps directly to Campus.

