https://community.cisco.com/t5/network-access-control/catalyst-3850-mab-and-radius/m-p/2711476#M54532 <P>Your missing "aaa authentication dot1x"</P> Tue, 04 Aug 2015 09:35:34 GMT jan.nielsen 2015-08-04T09:35:34Z https://community.cisco.com/t5/network-access-control/catalyst-3850-mab-and-radius/m-p/2711474#M54528 <P>Hello,</P><P>This a&nbsp;Catalyst 3850&nbsp;pilot so to speak (C3750's MAB Auth&nbsp;working like a charm)&nbsp;and the strange thing is that I cannot&nbsp;see the&nbsp;RAIUS client on the switch&nbsp;<STRONG>sending </STRONG>packets anywhere:</P><P><STRONG>#show radius statistics</STRONG><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Auth.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Acct.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Both<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Maximum inQ length:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Maximum waitQ length:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Maximum doneQ length:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Total responses seen:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&nbsp;&nbsp;&nbsp;&nbsp; Packets with responses:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&nbsp; Packets without responses:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&nbsp; Access Rejects&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&nbsp;Average response delay(ms):&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&nbsp;Maximum response delay(ms):&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&nbsp; Number of Radius timeouts:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Duplicate ID detects:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&nbsp;Buffer Allocation Failures:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Maximum Buffer Size (bytes):&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Malformed Responses&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Bad Authenticators&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Unknown Responses&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&nbsp;Source Port Range: (2 ports only)<BR />&nbsp;1645 - 1646<BR />&nbsp;Last used Source Port/Identifier:<BR />&nbsp;1645/0<BR />&nbsp;1646/0</P><P>&nbsp; Elapsed time since counters last cleared: 6h44m<BR />Radius Latency Distribution:<BR />&lt;= 2ms :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />3-5ms&nbsp; :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />5-10ms :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />10-20ms:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />20-50ms:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />50-100m:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />&gt;100ms :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>Current inQ length&nbsp; : 0<BR />Current doneQ length: 0</P><P><STRONG>#debug radius verbose </STRONG></P><P>&nbsp;</P><P><STRONG>// All mac adresses are unable to&nbsp;authenticate</STRONG></P><P><STRONG>#sh log</STRONG></P><P>03007: Aug&nbsp; 3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXXX<BR />003008: Aug&nbsp; 3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXX</P><P>&nbsp;</P><P>// There's very insteresting log entry in the MAB debug&nbsp;<STRONG>Invalid EVT 9 from EAP (I have no idea what it could be)</STRONG></P><P><STRONG>#debug mab all&nbsp;&nbsp;&nbsp; </STRONG></P><P>003085: Aug&nbsp; 3 18:04:26.146 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Received MAB context create from AuthMgr<BR />003086: Aug&nbsp; 3 18:04:26.146 UTC: mab-ev: MAB authorizing XXXX.XXXX.XXXX<BR />003087: Aug&nbsp; 3 18:04:26.146 UTC: mab-ev: Created MAB client context 0x1B00004B<BR />003088: Aug&nbsp; 3 18:04:26.146 UTC:&nbsp;&nbsp;&nbsp;&nbsp; mab : initial state mab_initialize has enter<BR />003089: Aug&nbsp; 3 18:04:26.146 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Sending create new context event to EAP from MAB for 0x1B00004B (XXXX.XXXX.XXXX)<BR />003090: Aug&nbsp; 3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] MAB authentication started for 0x536EE850 (XXXX.XXXX.XXXX)<BR />003091: Aug&nbsp; 3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] <STRONG>Invalid EVT 9 from EAP</STRONG><BR />003092: Aug&nbsp; 3 18:04:26.147 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_CONTINUE' on handle 0x1B00004B<BR />003093: Aug&nbsp; 3 18:04:26.147 UTC:&nbsp;&nbsp;&nbsp;&nbsp; mab : during state mab_initialize, got event 1(mabContinue)<BR />003094: Aug&nbsp; 3 18:04:26.147 UTC: @@@ mab : mab_initialize -&gt; mab_authorizing<BR />003095: Aug&nbsp; 3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX] formatted mac = XXXXXXXXXXXX<BR />003096: Aug&nbsp; 3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX] created mab pseudo dot1x profile dot1x_mac_auth_XXXX.XXXX.XXXX<BR />003097: Aug&nbsp; 3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Starting MAC-AUTH-BYPASS for 0x1B00004B (XXXX.XXXX.XXXX)<BR />003098: Aug&nbsp; 3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48]<STRONG> Invalid EVT 9 from EAP</STRONG><BR />003099: Aug&nbsp; 3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] <STRONG>MAB received an Access-Reject for </STRONG>0x1B00004B (XXXX.XXXX.XXXX)<BR />003100: Aug&nbsp; 3 18:04:26.148 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/48 AuditSessionID 0A48021200000FD1007B87DE<BR />003101: Aug&nbsp; 3 18:04:26.148 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_RESULT' on handle 0x1B00004B<BR />003102: Aug&nbsp; 3 18:04:26.148 UTC:&nbsp;&nbsp;&nbsp;&nbsp; mab : during state mab_authorizing, got event 5(mabResult)<BR />003103: Aug&nbsp; 3 18:04:26.148 UTC: @@@ mab : mab_authorizing -&gt; mab_terminate<BR />003104: Aug&nbsp; 3 18:04:26.149 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Deleted credentials profile for 0x1B00004B (dot1x_mac_auth_XXXX.XXXX.XXXX)<BR />003105: Aug&nbsp; 3 18:04:26.150 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_DELETE' on handle 0x1B00004B</P><P>&nbsp;</P><P>The configuration is below:</P><P>aaa group server radius&nbsp;XXX-XXXXXX<BR />&nbsp;server 10.XX.XX.30<BR />&nbsp;server 10.XXX.XX.30</P><P>aaa authorization network default group XXX-XXXXXX none<BR />aaa accounting dot1x default start-stop group XXX-XXXXXX</P><P>ip radius source-interface Loopback0</P><P><STRONG>radius-server host 10.XX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX</STRONG><BR /><STRONG>radius-server host 10.XXX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX</STRONG><BR />radius-server retransmit 0<BR />radius-server timeout 3</P><P>interface GigabitEthernet1/0/6<BR />&nbsp;description&nbsp;XXXX XXXXX<BR />&nbsp;switchport access vlan&nbsp;XXX<BR />&nbsp;switchport mode access<BR />&nbsp;switchport voice vlan&nbsp;XXX<BR />&nbsp;authentication host-mode multi-auth<BR />&nbsp;authentication order mab<BR />&nbsp;authentication port-control auto<BR />&nbsp;authentication timer restart 180<BR />&nbsp;mab<BR />&nbsp;no snmp trap link-status<BR />&nbsp;storm-control broadcast level 0.50<BR />&nbsp;spanning-tree portfast<BR />end</P><P>&nbsp;</P><P><STRONG>#sh ver</STRONG></P><P>Switch Ports Model&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SW Version&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SW Image&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Mode&nbsp;&nbsp;<BR />------ ----- -----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ----------&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ----------&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ----&nbsp;&nbsp;<BR />*&nbsp;&nbsp;&nbsp; 1 56&nbsp;&nbsp;&nbsp; WS-C3850-48P&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 03.07.02E&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cat3k_caa-universalk9 INSTALL<BR />&nbsp;&nbsp;&nbsp;&nbsp; 2 56&nbsp;&nbsp;&nbsp; WS-C3850-48P&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 03.07.02E&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cat3k_caa-universalk9 INSTALL</P><P>&nbsp;</P><P>Any ideas?</P><P>P.</P><P>&nbsp;</P> Mon, 11 Mar 2019 05:57:19 GMT https://community.cisco.com/t5/network-access-control/catalyst-3850-mab-and-radius/m-p/2711474#M54528 peteroseneff 2019-03-11T05:57:19Z https://community.cisco.com/t5/network-access-control/catalyst-3850-mab-and-radius/m-p/2711475#M54530 <P>Just look at this:</P><P>&nbsp;</P><P>(config)#radius-server ?<BR />&nbsp; accounting&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Accounting information configuration<BR />&nbsp; attribute&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Customize selected radius attributes<BR />&nbsp; authorization&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Authorization processing information<BR />&nbsp; backoff&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Retry backoff pattern(Default is retransmits with constant delay)<BR />&nbsp; cache&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AAA auth cache default server group<BR />&nbsp; challenge-noecho&nbsp;&nbsp;&nbsp; Data echoing to screen is disabled during Access-Challenge<BR />&nbsp; configure-nas&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Attempt to upload static routes and IP pools at startup<BR />&nbsp; dead-criteria&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Set the criteria used to decide when a radius server is marked dead<BR />&nbsp; deadtime&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Time to stop using a server that doesn't respond<BR />&nbsp; directed-request&nbsp;&nbsp;&nbsp; Allow user to specify radius server to use with <A href="mailto:`@server'">`@server'</A><BR />&nbsp; domain-stripping&nbsp;&nbsp;&nbsp; Strip the domain from the username<BR />&nbsp; load-balance&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Radius load-balancing options.<BR />&nbsp; optional-passwords&nbsp; The first RADIUS request can be made without requesting a password<BR />&nbsp; retransmit&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Specify the number of retries to active server<BR />&nbsp; retry&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Specify how the next packet is sent after timeout.<BR />&nbsp; source-ports&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; source ports used for sending out RADIUS requests<BR />&nbsp; throttle&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Throttle requests to radius server<BR />&nbsp; timeout&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Time to wait for a RADIUS server to reply<BR />&nbsp; transaction&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Specify per-transaction parameters<BR />&nbsp; unique-ident&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Higher order bits of Acct-Session-Id<BR />&nbsp; vsa&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Vendor specific attribute configuration</P><P>There's no <STRONG>host </STRONG>statement as you can see but full&nbsp;entry above presents in the&nbsp;configuraion</P><P><STRONG>#show radius server-group </STRONG></P><P>Server group XXX-XXXXX<BR />&nbsp;&nbsp;&nbsp; Sharecount = 1&nbsp; sg_unconfigured = FALSE<BR />&nbsp;&nbsp;&nbsp; Type = standard&nbsp; Memlocks = 1<BR />&nbsp;&nbsp;&nbsp; Server(10.XX.XX.30:1645,1646) Transactions:<BR />&nbsp;&nbsp;&nbsp; Authen: 0&nbsp;&nbsp; Author: 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Acct: 0<BR />&nbsp;&nbsp;&nbsp; Server_auto_test_enabled: FALSE<BR />&nbsp;&nbsp;&nbsp;&nbsp; Keywrap enabled: FALSE<BR />&nbsp;&nbsp;&nbsp; Server(10.XXX.XX.30:1645,1646) Transactions:<BR />&nbsp;&nbsp;&nbsp; Authen: 0&nbsp;&nbsp; Author: 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Acct: 0<BR />&nbsp;&nbsp;&nbsp; Server_auto_test_enabled: FALSE<BR />&nbsp;&nbsp;&nbsp;&nbsp; Keywrap enabled: FALSE</P> Tue, 04 Aug 2015 08:05:00 GMT https://community.cisco.com/t5/network-access-control/catalyst-3850-mab-and-radius/m-p/2711475#M54530 peteroseneff 2015-08-04T08:05:00Z https://community.cisco.com/t5/network-access-control/catalyst-3850-mab-and-radius/m-p/2711476#M54532 <P>Your missing "aaa authentication dot1x"</P> Tue, 04 Aug 2015 09:35:34 GMT https://community.cisco.com/t5/network-access-control/catalyst-3850-mab-and-radius/m-p/2711476#M54532 jan.nielsen 2015-08-04T09:35:34Z https://community.cisco.com/t5/network-access-control/catalyst-3850-mab-and-radius/m-p/2711477#M54535 <P>Exactly! That entry simply didnt migrate somehow from C3750 configuration. Many thanks.&nbsp;</P> Tue, 04 Aug 2015 16:34:48 GMT https://community.cisco.com/t5/network-access-control/catalyst-3850-mab-and-radius/m-p/2711477#M54535 peteroseneff 2015-08-04T16:34:48Z