3850 (RX_METHOD_NEW_MAC) un-authenticated clients

x00008037
Level 1

Hi,

I currently have an issue with ISE authentication. I have a Motorola wireless access point hanging off a 3850 (16.6.2).

Some clients are getting stuck in the state below and the auth session is not clearing, and the affected port has this message: "Blocked On: apply user profile - RX_METHOD_NEW_MAC (1)"

Interface  MAC Address     Method  Domain  Status  Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/3    fc0a.81c0.a350  N/A     DATA    Unauth  U   AC101F0B000A04C78DDBD673
Gi1/0/3    7467.f7af.e1dc  mab     DATA    Auth        AC101F0B000ADDAE9BD1111E
Gi1/0/3    000b.ab81.58f6  N/A     DATA    Unauth  U   AC101F0B0009F7FA8D42EAED
Gi1/0/3    000b.ab85.00f5  N/A     DATA    Unauth  U   AC101F0B00098ED1882B25E9

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Interface: GigabitEthernet1/0/3
IIF-ID: 0x13280E3F
MAC Address: fc0a.81c0.a350
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: FC-0A-81-C0-A3-50
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC101F0B000A04C78DDBD673
Acct Session ID: Unknown
Handle: 0x20000f07
Current Policy: POLICY_Gi1/0/3
Blocked On: apply user profile - RX_METHOD_NEW_MAC (1)

Method status list:
  Method  State
  mab     Authc Success

Has anyone else had this type of issue??

interface GigabitEthernet1/0/3
 description [EDGE] Wireless
 switchport access vlan 102
 switchport mode access
 power inline never
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication timer unauthorized 5
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root


howon
Cisco Employee

Few questions:

- What is the auth status for these endpoints on the 3850 'show auth sess int gig1/0/3 detail'?

- What is the AuthC status of these endpoints on ISE?

- What is the AuthZ profile sent for these endpoints?

- Are these endpoints still connected?

- How are these endpoints authenticated on the Motorola AP?

- What is the auth status for these endpoints on the 3850 'show auth sess int gig1/0/3 detail'? It is Success, but it should get a 5 second inactivity timer pushed from ISE like the second example below.

Switch#sho authentication sessions interface gigabitEthernet 1/0/26 details
Interface: GigabitEthernet1/0/26
IIF-ID: 0x2A3D51D4
MAC Address: fc0a.81c2.0024
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: FC-0A-81-C2-00-24
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC103F07000C790EA7603412
Acct Session ID: Unknown
Handle: 0x33000750
Current Policy: POLICY_Gi1/0/26
Blocked On: apply user profile - RX_METHOD_NEW_MAC (1)

Method status list:
Method State
mab Authc Success

----------------------------------------

Interface: GigabitEthernet1/0/26
IIF-ID: 0x2DD24675
MAC Address: fc0a.81c3.32c0
IPv6 Address: Unknown
IPv4 Address: 172.16.34.212
User-Name: FC-0A-81-C3-32-C0
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC103F07000CC0DDAB3D0860
Acct Session ID: 0x00038722
Handle: 0xb900007d
Current Policy: POLICY_Gi1/0/26


Local Policies:

Server Policies:
Idle timeout: 5 sec


Method status list:
Method State
mab Authc Success

- What is the AuthC status of these endpoints on ISE? -- Unauthorized

- What is the AuthZ profile sent for these endpoints?--  the below gets pushed

Access Type = ACCESS_ACCEPT
Idle-Timeout = 5

- Are these endpoints still connected? These are endpoints that are in a moving vehicle and connect to each AP at the vehicle station.

- How are these endpoints authenticated on the Motorola AP? They just associate to the Motorola AP, but this system I don't have too much visibility of. We just MAB them once they appear on the switch port.

The error is similar to that found in CSCvm07425. As this is a switch IOS platform code issue, please open a Cisco TAC case to troubleshoot and get advised on which release might work for your deployment.

This link to the bug is not working

That bug is customer visible. Likely, you are not currently entitled to, somehow.

As it's not an ISE issue, I am unable to tell whether you are hitting that particular bug or which IOS releases have the fix. That is why I asked you to engage TAC.

OK Thanks for your help.



I have TAC case opened



cheers
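
Added example, not part of the thread and not Cisco tooling: a small Python parser for the "show authentication sessions ... details" output quoted above, which flags sessions in the state described here (MAB succeeded, Status Unauthorized, a "Blocked On" line present). The sample text is trimmed from the output posted in the thread; the function names are hypothetical.

```python
import re

# Sample trimmed from the 'show authentication sessions ... details'
# output posted in this thread (some fields omitted for brevity).
SAMPLE = """\
Interface: GigabitEthernet1/0/26
MAC Address: fc0a.81c2.0024
Status: Unauthorized
Common Session ID: AC103F07000C790EA7603412
Blocked On: apply user profile - RX_METHOD_NEW_MAC (1)
Method status list:
Method State
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/26
MAC Address: fc0a.81c3.32c0
Status: Authorized
Common Session ID: AC103F07000CC0DDAB3D0860
Server Policies:
Idle timeout: 5 sec
Method status list:
Method State
mab Authc Success
"""

FIELD = re.compile(r"^\s*([A-Za-z][\w .-]*?)\s*:\s*(.*)$")   # "Key: value" lines
METHOD = re.compile(r"^\s*(mab|dot1x|webauth)\s+(.+?)\s*$")  # method status rows

def parse_sessions(text):
    """Split the detail output into one dict per session."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Interface":   # each session starts here
            cur = {"Methods": {}}
            sessions.append(cur)
        if cur is None:
            continue
        if m:
            cur[m.group(1)] = m.group(2)
        elif (mm := METHOD.match(line)):
            cur["Methods"][mm.group(1)] = mm.group(2)
    return sessions

def stuck_sessions(text):
    """Sessions that authenticated but are blocked before authorization."""
    return [s for s in parse_sessions(text)
            if s.get("Status") == "Unauthorized" and "Blocked On" in s
            and any(v == "Authc Success" for v in s["Methods"].values())]
```

Run against output collected periodically from the switch, the returned MAC addresses and session IDs show how many endpoints are affected and give concrete data to attach to a TAC case.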

