No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.

mumustha — Sat, 16 Dec 2017 06:06:34 GMT

-- The C4510 switch was upgraded from 3.9.1 to 3.9.2

-- The ip phones were failing authentication and ISE did not show any authentication attempt

-- Checked the Auth Manager and found no active sessions

#sh auth sess int g1/20

No sessions match supplied criteria.

-- Removing all AAA commands on interface, IP and DHCP snooping binds correctly

Troubleshooting Performed :

* IP Phone 7941 / 7961 / 8841 are impacted by this issue

* Not seeing session on 4510R+E Sup 8-3 ver 3.9.2 in Auth Manager

* Mac Address is being learned but as a dynamic entry -- instead of static

* Took radius/dot1x debugs and only saw the message for QoS to trust the IP Phone

-- no endpoint behind the phone.

* DHCP Snooping was turned off and issue was persisting, confirming not hitting CSCvc28141

* Debugs enabled :

-- debug epm all

-- debug authentication error

-- debug authentication event

-- debug dot1x error

* added "authentication mac-move permit" which we saw auth session but method list was empty

* Added "dot1x pae authenticator" to the interface g1/20 and afterwards not seeing the session in auth manager

* Ended up finding out later that the mac address is being moved around, even without "authentication mac-move permit"

* We found that since switch port had both "auth open" and pre-auth ACL "ACL-DEFAULT" may have been causing odd behavior

-- Moved into Closed mode per document: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_25_closed_mode.pdf

* Now ISE Is getting the authentication attempt and successful with correct rules being matched as expected

* Net changes that improved/fixed issue

-- kept DHCP Snooping enabled

-- kept Inactivity Timer for dynamic macs enabled on interface

-- removed pre-auth acl from interface

-- removed "auth open" from interface

-- removed "authentication mac-move permit"

-- added "dot1x pae authenticator" on interface

Analysis :

* ISE is not part of issue, this might be caused by the switch when AAA is enabled.

NON-WORKING INTERFACE CONFIGURATION :

#sh run int g1/40

Building configuration...

Current configuration : 1080 bytes

interface GigabitEthernet1/40

description * Data30/Voip130 *

switchport access vlan 30

switchport mode access

switchport voice vlan 130

switchport priority extend trust

ip access-group ACL-DEFAULT in

no logging event link-status

authentication event fail action next-method

authentication event server dead action reinitialize vlan 30

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server dynamic

authentication violation restrict

mab

no snmp trap link-status

dot1x pae authenticator

qos trust device cisco-phone

qos trust extend

spanning-tree portfast edge

spanning-tree bpduguard enable

spanning-tree guard root

service-policy input VoIP-Input-Policy

service-policy output VoIP-Output-Policy

ip dhcp snooping limit rate 10

end

----------------------------------------------------------------

#sh auth sess int g1/20

No sessions match supplied criteria

WORKING INTERFACE CONFIGURATION :

AB-PA01-SWL001#sh run int g1/20

Building configuration...

Current configuration : 995 bytes

interface GigabitEthernet1/20

switchport access vlan 30

switchport mode access

switchport voice vlan 130

switchport priority extend trust

no logging event link-status

authentication event fail action next-method

authentication event server dead action reinitialize vlan 30

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server dynamic

authentication violation restrict

mab

no snmp trap link-status

dot1x pae authenticator

qos trust device cisco-phone

qos trust extend

spanning-tree portfast edge

spanning-tree bpduguard enable

spanning-tree guard root

service-policy input VoIP-Input-Policy

service-policy output VoIP-Output-Policy

ip dhcp snooping limit rate 10

end

----------------------------------------------------------------

AB-PA01-SWL001#sh auth sess int gi1/20 det

Interface: GigabitEthernet1/20

MAC Address: xxxx.xxxx.xxxx

IPv6 Address: Unknown

IPv4 Address: 10.90.11.241

User-Name: xx-xx-xx-xx-xx-xx

Status: Authorized

Domain: VOICE

Oper host mode: multi-auth

Oper control dir: both

Session timeout: N/A

Restart timeout: N/A

Periodic Acct timeout: 86400s (local), Remaining: 84663s

Session Uptime: 2036s

Common Session ID: 0A28240900000B348082D8F4

Acct Session ID: 0x00001B35

Handle: 0x0E0009A7

Current Policy: POLICY_Gi1/20

Local Policies:

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Security Policy: Should Secure

Security Status: Link Unsecure

Server Policies:

ACS ACL: xACSACLx-IP-ACL-VOIP-SERVICE-PERMIT-59cedbcf

Method status list:

Method State

dot1x Stopped

mab Authc Success

ASSISTANCE REQUIRED :

++ Since the issue occurred after upgrading from 3.9.1 to 3.9.2, Reviewed the Release Notes for 3.9.2 : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/ol-39xe-4500e.html

-- Did not find anythinng significant that could cause a behaviour change.

I would appreciate it, if anyone could shed some light for the cause of the issue.

Re: No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.

Jason Kunst — Sat, 16 Dec 2017 12:18:15 GMT

Since this is switching issue please work with switching and tac

Re: No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.

Nicholas DiNofrio — Mon, 18 Dec 2017 23:29:05 GMT

Jason,

My apologies if anything was left unclear -- mostly wanted to find out if there were any behavior or process flow changes between IOS-XE 3.9.1 versus IOS-XE 3.9.2 for 4500 series switches that is related to AAA and/or Mac Addresses being learned on multiple switch ports other than where physically connected to?

Re: No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.

Jason Kunst — Tue, 19 Dec 2017 00:09:48 GMT

You would need to ask the switch team

Re: No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.

Nicholas DiNofrio — Tue, 19 Dec 2017 00:11:39 GMT

Sure not a problem, will repost a new thread with the Switching team. Thank you.

Re: No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.

mumustha — Tue, 19 Dec 2017 12:39:29 GMT

Thank you for your input

topic Re: No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2. in Network Access Control

No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.

Re: No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.

Re: No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.

Re: No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.

Re: No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.

Re: No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.