Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2078
Views
5
Helpful
5
Replies

Cisco 3650 no radius debug output

joeharb
Level 5
Level 5

‎05-21-2020 02:19 PM

We are deploying dot1x and have noticed that we don't get debug information displayed on more than one cisco 3650.  If I do something like debug ip packet and then term mon I get output, but if I do debug radius accounting or even debug radius and then term mon we get nothing but syslog messages.  

The are both on the 16.X train...one is on 16.9.4

Is there something I am missing, our 4500's display information without issue.

 

Thanks,

 

Joe

 

Labels:
0 Helpful
5 Replies 5

Damien Miller
VIP Alumni
VIP Alumni

‎05-21-2020 05:58 PM

I've seen this before in a lab and I wasn't exactly sure why it happened. There is an old Cisco Live deck that indicates with ios-xe debug radius won't work, yet I know it can. For what it's worth, I just tried this on 16.9.5 with a 3850 and I added just those two commands, term mon + debug radius. Following that I get the radius debugs for the endpoint.

Now you at least have an alternative. Set this trace.
set platform software trace smd switch active R0 radius debug

View the trace debugs with this command.
show platform software trace message smd switch active r0


0 Helpful

poongarg
Cisco Employee
Cisco Employee
In response to Damien Miller

‎05-22-2020 06:52 AM

Adding to above:

 

Due to changes in software architecture starting from IOS-XE version 16.3.2, all AAA components have been moved to separate Linux daemon Session Manager Daemon (SMD), . Ultimate result of this change is that traditional CLI debugs like:

 

debug radius
debug access-session all
debug dot1x all

do not produce any output during troubleshooting (No output returned in console/terminal/syslog when corresponding destination configured to receive appropriate level of log messages, particularly "debugging" for this example). The reason behind of this is that IOS syslog subsystem is implemented in IOS Daemon (IOSd) which is independent from SMD. 

 

Table below contains mappings between most common old and new style debugs:

 

Old style command New style command
#debug radius #set platform software trace smd switch active R0 radius debug
#debug dot1x all #set platform software trace smd switch active R0 dot1x-all debug
#debug access-session all #set platform software trace smd switch active R0 auth-mgr-all debug
#debug epm all #set platform software trace smd switch active R0 epm-all debug

joeharb
Level 5
Level 5
In response to poongarg

‎05-22-2020 06:59 AM

Awesome...thanks so much for the information....one last question...how do turn off the debugging or set it back to default?

 

Thanks,

 

Joe

0 Helpful

poongarg
Cisco Employee
Cisco Employee
In response to joeharb

‎05-22-2020 07:08 AM

Classical way of disabling debug using "no debug" of "undebug all" - Traditional no debug commands will be automatically converted in corresponding set platform software trace commands, undebug all will reset all components to their default level.

0 Helpful

Damien Miller
VIP Alumni
VIP Alumni
In response to poongarg

‎05-22-2020 07:59 AM

I've always found this poorly documented, and it's not even a blanket statement that holds true. As mentioned above, debug radius works fine again on a 3850 running 16.9.5 without the need to set the trace. So it's like it went that way, then did a u-turn.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents