11-18-2022 06:42 AM
Good morning,
I am attempting to troubleshoot an odd issue I am seeing with a Cat9300 v17.3.3 pointing to a v3.1 p4 ISE Server. When configuring interfaces with 802.1x/MAB, the devices will fail to Auth. The switch configuration matches a known good working config, and I have repeatedly deleted the device and recreated it within ISE to no avail. While troubleshooting, their are a few things I don't quite understand so I am attempting to find some answers.
When I perform a "sh access-ses brief" I see the following:
Interface MAC Address      AuthC     AuthZ        Fg  Uptime
-----------------------------------------------------------------------------
Gi2/0/4 0011.74a6.2cdf m:AD d:TO UZ: SA- FA- X 3668245s
AD = AAA Failure, TO = Timeout
When I check the AAA server status, I see the following:
RADIUS: id 1, priority 1, host X.X.X.X, auth-port 1812, acct-port 1813, hostname ISE-RADIUS
State: current UP, duration 4883s, previous duration 60s
Dead: total time 1980s, count 1
Platform State from SMD: current DEAD, duration 3668794s, previous duration 60s
SMD Platform Dead: total time 60s, count 0
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No
When checking the RADIUS live logs, you can not see any attempts from this NAD from any device. The next weird issue is that when I use the "test aaa" command from the troublesome NAD, the authentication request is seen by ISE and is properly Rejected.
There are no Firewall or ACL in the path of the NAD to the PSN, so that can be ruled out.
My concern is that the Platform state from SMD is showing as DEAD and it may be the cause, but I can not find any answers within Cisco docs as to what the SMD platform is. Is there any experts on this board that can explain what I am seeing here and what exactly the SMD Platform is? I have exhausted all my troubleshooting steps and unsure how to proceed further.
Solved! Go to Solution.
11-20-2023 05:20 AM
hi Walker, reload works around the issue for us too,however not recovering from a dead server still, what version did you upgrade too please as we are on 17.3.6. our MAB config was upgraded a while back by ios 17.3.x.
04-03-2024 01:36 PM
Hi, just wanna know if the issue was solved at the end? We encounter the same on 17.9.3.
10-17-2024 08:33 AM - edited 10-17-2024 12:21 PM
Upgraded a 9400 to 17.9.5 and we are seeing this behavior. AAA was working perfectly and we just realized AAA has been dead on this thing for a week which correlates to the upgrade time. ISSU was used. Going to schedule a reload and see if it resolves the issue.
Edit - reload fixed issue for us.
01-13-2025 11:10 AM
Hello-
My team has seen this behavior on various trains of code and hardware platforms (9300/9200, 17.3, 17.6, 17.9, 17.12)...what we have found is that we are running in FIPS operating mode and running AES password encryption. If we disable AES password encryption, re-apply the radius server keys, and then re-enable AES password encryption and save the config...it all starts working again.
Reload may also resolve, or may not. 17.12.4 and 17.3.5 seems to have this happen more frequently than 17.6.5 in our experience...but it happens on all of the recently recommended software trains.
I have found a bug related to this, but it says it was "not reproduceable." 
https://bst.cisco.com/bugsearch/bug/CSCvu58791
Cheers!
01-13-2025 12:35 PM - edited 01-13-2025 12:41 PM
This is it. This fixed my switch without a reboot (had another one and decided to leave it in failed state so TAC could troubleshoot). I've had a TAC case open for almost 2.5 months and you're the one that identified the culprit / posted a work-around. Congrats
01-13-2025 12:59 PM
Glad to be able to help. We were in the same boat with TAC, and due to loss of confidence, I started combing the bug tool.
10-21-2025 08:10 AM
I don't know if that is your case but in mine, I spent 2 days to find out the solution until our vendor sent me the RADIUS template.
Then here what I missed in the switch configuration:
ip http server
ip http secure-server
Please note that Cisco once recommended to turn off http in switches due to one of vulnerabilities with some old IOS version before
10-21-2025 08:21 AM
We also confirmed that if you are running FIPS and using EAP-TLS, password encryption AES is not supported.  With "password encryption AES" configured along with FIPS, after every reboot, the type 6 radius key is corrupted and leads to this issue.  Long term fix is disable "password encryption aes".  You can run key-config encryption to keep tacacs keys type 6, but unfortunately, radius keys when using eap-tls must be type 7 in order to work while in FIPS operating mode.  So, in order to be more secure, you have to be less secure 
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide