Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
22989
Views
62
Helpful
6
Replies

Cisco 9300 Authorization failure: Failure reason: Authc fail. Authc failure reason: Missing Config.

mvdsteen1982
Level 1
Level 1

‎10-18-2019 04:19 AM - edited ‎10-18-2019 05:01 AM

We are using for authentication both mab/dot1x, see port config below.

For authentication order we use dot1x mab. authentication, mab, dot1x ,ise

 

When connection a device that uses mab, we are receiving this error:

 

%SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (XXXX.XXXX.XXXX) on Interface GigabitEthernet1/0/28 AuditSessionID 1180FC0A00000047DE238CC2. Failure reason: Authc fail. Authc failure reason: Missing Config.

 

When we change the order to mab dot1x, the authorization succeeds.

 

This device don't support dot1x, so normally it will fall back to mab. On our 2960X platform, using the same port configurtion, this error doens't occur. It looks like a bug to me... 

 

Environment: C9300-48U running 16.09.04

 

Port config:

 

switchport access vlan XX
switchport mode access
switchport voice vlan XX
switchport port-security maximum 2
switchport port-security aging time 5
switchport port-security aging type inactivity
switchport port-security
load-interval 30
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-req 1
storm-control broadcast level pps 1k 500
storm-control action shutdown
spanning-tree portfast
spanning-tree guard root
ip dhcp snooping limit rate 100

 

17 people had this problem
Labels:
0 Helpful
6 Replies 6

Rps-Cheers
VIP
VIP

‎10-18-2019 05:26 AM

I think you can config the simply and needly commands on interface first. Then,you can add the command one by one.to check the root reason.

thx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
0 Helpful

aszverev
Level 1
Level 1

‎07-25-2021 03:27 AM

Hi, folks. 2 yeas left after question was asked. But maybe my comment will help someone forgetful person like me. 

I just replaced my 2960 with new 9200 switch and faced same problem. I did debug and saw same message "Failure reason: Authc fail. Authc failure reason: Missing Config" .

Finally I found a misconfiguration  in my new  9200 config. I forgot to add command dot1x system-auth-control in global configuration.

After I added this command MAB works great again.

 

It's my first day!

diggsc
Level 1
Level 1
In response to aszverev

‎10-06-2021 11:45 AM

Thanks, this solved my problem.

PatWruk
Level 1
Level 1
In response to aszverev

‎03-02-2023 11:07 AM

almost 2 years later and your comment saved me banging my head against the wall. Thank you!

funny enough, i was also replacing a 2960 with a 9200 and somehow missed that command

0 Helpful

ShahrulEzwvn
Level 1
Level 1

‎01-10-2023 06:57 AM

Thanks. It worked. 

0 Helpful

KillBill66
Level 1
Level 1

‎07-27-2023 03:59 PM - edited ‎07-27-2023 04:12 PM

This happened to me slightly differently.  On a 3850 switch, I defaulted an interface and applied access commands and called the template below:

--------------------------  Interface config  -----------------

interface GigabitEthernet1/0/21
description data/voice
subscriber aging inactivity-timer 60 probe
switchport mode access
access-session control-direction in
access-session port-control auto
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x timeout quiet-period 300
dot1x timeout tx-period 7
dot1x timeout held-period 300
source template WIRED_DOT1X_OPEN_EP

-------------- Template being called -------------------

template WIRED_DOT1X_OPEN_EP
dot1x pae authenticator
mab
access-session host-mode multi-auth
no access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber DOT1X_MAB_POLICY

-----------------------------------------------------

I was getting the Authc fail. Authc failure reason: Missing Config.  in the logs

-----------------------------------------------------

When I applied the line below directly on the interface it successfully authenticated 
dot1x pae authenticator

After that I removed the line from the interface and it still authenticates even after a shut/no shut.  Meaning it's working from the template.  Maybe the problem is the use of a template right after a default of the interface.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents