CM - User Tracking Report - Field 'dot1xEnabled' incorrect

Answered Question
Jan 28th, 2010

CiscoWorks Common Services 3.1.1

Campus Manager 5.0.5  for 1500

In reviewing the Data Collection Summary - End Host Report with all fields displayed, the 'dot1xEnabled' is false for all the ports that are listed.

The majority of the ports have "dot1x port-control auto", and several of the ports are active with the dot1x Auth & Port status showing Authenticated and Authorized. The rest of the report looks correct: duplex, speeds, VLANs, etc.

I am also hoping that I can add another field to collect and report on, "Port Security Enabled?". This would allow me to audit my network security: is dot1x or port security enabled on a port?

The Cisco Works Server was re-booted a few days ago and I noticed that "ANIServer" was not running, so I started it.  It has been over 2 weeks since the dot1x changes have been made to the switch and startup config does reflect the changes.

The switch is a WS-C2950G-48-EI, running c2950-i6k2l2q4-mz.121-22.EA11.bin.

Any advice is appreciated.

Charlie

charlie-hall Fri, 01/29/2010 - 12:20

I found the problem with the 'dot1xEnabled' field: the configuration stored in the Shadow Directory is over 4 weeks old and it does not have dot1x enabled. This is due to a recent corporate security policy that restricts SSH access to only 2 hosts, and Cisco Works does not have SSH access to the network devices anymore.

My understanding of the 'Archive Mgmt config Process' is that the 'Configuration Archive' will check the device for configuration changes via SNMP and, if there was a change, either SSH or Telnet the Running config and the Startup config into the Shadow Directory.

On one device, I turned off SSH (removed the username and passwords from the fields, on the Device Credentials Screen) and only had SNMP configured, re-submitted the job and it went into a pending state.

My question now is, does Cisco Works need SSH access to the gear to fetch the configs or can Cisco Works use SNMP to fetch the configs?

Charlie

Correct Answer
Joe Clarke Fri, 01/29/2010 - 13:53

First, the RME config archive has nothing to do with your UT dot1xEnabled problem. The way Campus determines if ports are dot1xEnabled is if the device supports the IEEE8021-PAE-MIB, and the value of dot1xPaePortCapabilities indicates that the port supports dot1x. You also need to be doing dynamic User Tracking, and having the switch send MAC address notification traps to UT, for UT to recognize that dot1x is enabled on the ports. When Campus sees a MAC address notification trap, the UTManager process will query the PAE MIB on the device, and if it sees that the port is dot1x capable, it will update UT accordingly.

As for config archive, no, RME does not require SSH to be able to archive the running and startup configs from 2950s. RME can use SNMP and TFTP to do this (for all except the VLAN configuration, where RME will require Telnet or SSH). It sounds like there may be a problem with the ConfigMgmtServer. Restarting this server may allow you to fetch configs again.
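The answer above says UT marks a port dot1xEnabled when dot1xPaePortCapabilities in the IEEE8021-PAE-MIB shows the port is dot1x capable. The script below is an added example (not Campus Manager or Cisco code) that decodes that object from SNMP walk output, so you can check for yourself what the switch is reporting before blaming UT. Assumptions: the column OID 1.0.8802.1.1.1.1.1.2.1.3 and the bit names are taken from the MIB definition (verify against your own MIB files), the input format mimics net-snmp numeric output, and the walk lines are constructed sample data so the script runs offline.

```python
"""Decode dot1xPaePortCapabilities (IEEE8021-PAE-MIB) from SNMP walk output.

Added example, not Campus Manager code. OID and bit names come from the
MIB definition (assumption: verify against your MIB files). Sample walk
lines are constructed, in the style of `snmpwalk -On -Ox` (assumption).
"""
import re

# dot1xPaePortTable entry column 3 = dot1xPaePortCapabilities (assumed from the MIB).
PAE_PORT_CAPABILITIES_OID = "1.0.8802.1.1.1.1.1.2.1.3"

# BITS definition: bit 0 = authenticator capable, bit 1 = supplicant capable.
# SNMP BITS encoding: bit 0 is the MOST significant bit of the first octet,
# so an authenticator-capable port shows up as 0x80, not 0x01.
BIT_NAMES = {0: "dot1xPaePortAuthCapable", 1: "dot1xPaePortSuppCapable"}

# Constructed sample walk: ifIndex 1 auth-capable, 2 auth+supp, 3 neither.
SAMPLE_WALK = """\
.1.0.8802.1.1.1.1.1.2.1.3.1 = Hex-STRING: 80
.1.0.8802.1.1.1.1.1.2.1.3.2 = Hex-STRING: C0
.1.0.8802.1.1.1.1.1.2.1.3.3 = Hex-STRING: 00
"""

LINE_RE = re.compile(
    r"^\.?(?P<oid>[\d.]+)\.(?P<ifindex>\d+)\s*=\s*Hex-STRING:\s*(?P<hex>[0-9A-Fa-f ]*)$"
)


def decode_bits(octets: bytes) -> set:
    """Return the set of bit positions set in an SNMP BITS value (MSB-first)."""
    bits = set()
    for byte_index, byte in enumerate(octets):
        for bit_in_byte in range(8):
            if byte & (0x80 >> bit_in_byte):
                bits.add(byte_index * 8 + bit_in_byte)
    return bits


def parse_walk(text: str) -> dict:
    """Map ifIndex -> set of capability names for each capabilities row."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("oid") != PAE_PORT_CAPABILITIES_OID:
            continue  # ignore other columns / unrelated objects
        octets = bytes.fromhex(m.group("hex").replace(" ", ""))
        names = {BIT_NAMES.get(b, "bit%d" % b) for b in decode_bits(octets)}
        result[int(m.group("ifindex"))] = names
    return result


def auth_capable_ports(text: str) -> list:
    """ifIndexes whose port the switch reports as dot1x authenticator capable."""
    caps = parse_walk(text)
    return sorted(i for i, names in caps.items() if "dot1xPaePortAuthCapable" in names)


if __name__ == "__main__":
    for ifindex, names in sorted(parse_walk(SAMPLE_WALK).items()):
        print(ifindex, sorted(names) or "(no dot1x capability)")
    print("authenticator-capable ifIndexes:", auth_capable_ports(SAMPLE_WALK))
```

If a port that you have configured with "dot1x port-control auto" does not show the authenticator bit here, UT will not mark it dot1xEnabled no matter how many MAC notification traps arrive; if the bit is set and UT still says false, the trap path (SNMP trap destination, UTManager, dynamic UT) is the next thing to look at.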

charlie-hall Fri, 01/29/2010 - 15:39

Thanks Joe!

Would you know of a way to add Port Security to this same User Tracking Report?

My goal is to have 1 report, show me for access ports, if the port is configured for 802.1x or for port-security.

I figure if I have 98% of all my access switch ports configured correctly, it will only take 2% of the access switch ports not being configured for security to make it all for naught. Trying to come up with a way to audit my own handiwork.

Joe Clarke Fri, 01/29/2010 - 16:33

No, this is not possible.  The fields in the UT report are not configurable, and Campus does not track ports with port security enabled.  However, you can perhaps use the RME baseline compliance reports to determine which ports do not have dot1x or port security enabled.  You can build a template to check for those ports which lack the config you have otherwise specified on your ports.  This, of course, will require you to get config archive working again.

charlie-hall Tue, 02/02/2010 - 13:02

Joe,

It does not appear to me that I can do "OR" logic when checking commands on an interface. For example, this is what I want to accomplish:

    IF switchport mode access
        THEN IF this command exists "dot1x port-control" OR this command exists "switchport port-security"
            do nothing
        ELSE
            Display the Interface Name

The best I have been able to do is to check for the presence of both commands: a success will display one command per interface in the report, and displaying both commands per interface means a failure.

I am running RME 4.1.1

Thanks
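The OR check described in the post above (flag every access port that has neither "dot1x port-control" nor "switchport port-security") is easy to express outside the RME template engine. The script below is an added example, not RME's compliance feature, that runs the same logic over an archived running-config and reports the unprotected access ports together with the coverage percentage the earlier post mentions. Assumptions: the config text is a constructed sample embedded for offline use, and only "dot1x port-control auto" counts as 802.1X protection, since "force-authorized" does not authenticate anything.

```python
"""Audit a Cisco IOS running-config for access ports without 802.1X or port-security.

Added example, not RME baseline/compliance code. Implements the OR logic
from the post as a plain text check. SAMPLE_CONFIG is constructed.
"""

# Constructed sample: Fa0/1 dot1x, Fa0/2 port-security, Fa0/3 neither,
# Fa0/4 both, Gi0/1 trunk (out of scope), Vlan1 not a switchport.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/4
 switchport mode access
 dot1x port-control auto
 switchport port-security
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented config lines]} from a running-config."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def is_access_port(lines: list) -> bool:
    return "switchport mode access" in lines


def has_dot1x(lines: list) -> bool:
    # Only "auto" enforces authentication; "force-authorized" bypasses it.
    return "dot1x port-control auto" in lines


def has_port_security(lines: list) -> bool:
    # The bare command enables the feature; "switchport port-security maximum N"
    # on its own tunes a parameter but does not enable port security.
    return "switchport port-security" in lines


def unprotected_access_ports(config: str) -> list:
    """Access ports with neither 802.1X nor port-security (the OR check)."""
    return [
        name
        for name, lines in parse_interfaces(config).items()
        if is_access_port(lines) and not (has_dot1x(lines) or has_port_security(lines))
    ]


def coverage(config: str) -> tuple:
    """(access ports, unprotected names, percent protected)."""
    access = [n for n, l in parse_interfaces(config).items() if is_access_port(l)]
    bad = unprotected_access_ports(config)
    pct = 100.0 * (len(access) - len(bad)) / len(access) if access else 100.0
    return len(access), bad, pct


if __name__ == "__main__":
    total, bad, pct = coverage(SAMPLE_CONFIG)
    print("access ports: %d, protected: %.1f%%" % (total, pct))
    for name in bad:
        print("UNPROTECTED:", name)
```

Point it at the configs in the RME shadow directory once archiving works again (or at a "show running-config" capture) and the output is the one-line-per-offending-interface report the template engine would not produce.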
