Please help me understand why my switch (running IOS Denali 16.3.6) is crashing. Denali is a minimum requirement for us; we cannot use our Aironet 2802E APs using IOS 3.6.8E. We want to enable RADIUS authentication so we can assign VLANs to users. I have the switch and RADIUS (Windows NPS) server configured to the point that they communicate and I can log in using an AD user's credentials. The config to accomplish this is as follows:
    conf t
    aaa new-model
    radius server myserver
     address ipv4 192.168.20.206 auth-port 1812 acct-port 1813
     key 0 cisco123
     exit
    aaa group server radius rad1
     server name myserver
     exit
    aaa authentication dot1x default group radius local
    aaa authentication login default group radius local
    aaa authorization exec default group radius local if-authenticated
    aaa authorization network default group radius local if-authenticated
    aaa authorization console
    dot1x system-auth-control
    end
This has remained stable, no crashing. I then input the following:
    conf t
    int gi1/0/2
     switchport mode access
     dot1x pae both
    int gi1/0/45
     switchport mode access
     authentication event fail action authorize vlan 50
     authentication event no-response action authorize vlan 60
     dot1x pae authenticator
     authentication port-control auto
    end
My RADIUS server is on port 1/0/2, and I have a computer (a MacBook using a Thunderbolt Ethernet adapter if that makes any difference) on port 1/0/45. When I connect my computer to this port it then asks for a username and password to authenticate with. I input a username and password that I have verified from using "test aaa group rad1 server myserver username password legacy" and after about 10-15 seconds I get this:
    Oct 16 17:18:27.473 R0/0: %PMAN-3-PROCHOLDDOWN: The process smd has been helddown (rc 139)
    Chassis 1 reloading, reason - Reload command
    Oct 16 17:18:37.899 R0/0: %PMAN-5-EXITACTION: Process manager is exiting: reload fp action requested
    Oct 16 17:18:45.580 R0/0: %PMAN-5-EXITACTION: Process manager is exiting: rp processes exit with reload switch code
    Oct 16 17:19:09.116 R0/0: %PMAN-3-PROCESS_NOTIFICATION: System report /crashinfo/system-report_1_20181016-171859-UTC.tar.gz (size: 6510 KB) generated
    octeon_wdt: WDT device closed unexpectedly. WDT will not stop!
    reboot: Restarting system
This happens every time. The moment I add that line for "Authentication port-control auto" I get the login prompt on the computer and then a crash shortly after. Any insights as to why this could be crashing? If not, can anyone help me at least get a stable workaround config? Pretty sure this is a bug and I would submit to TAC, but no service contract for the few Catalyst 3850s we manage and I don't have $1600 just lying around to submit a bug report.
Thanks for the input. I chose 16.3.6 merely because it was flagged by Cisco as the most stable. The 16.3.7 changelog states nothing about fixing an issue with dot1x, so I have a hard time believing it will resolve my issue, and unfortunately without DHCP snooping wireless clients connected to the Aironets can't even ping their gateway, so 16.6.4 is out. And, unfortunately, all trains of IOS 3 do not support Aironet 2800 series APs. I would still be on it if it did.
However, after looking at the caveats resolved by 16.3.7 I will be updating to it. Hopefully it does fix the issue, but even if it doesn't fix this issue it will resolve a few that are related to the 2800 series APs that I may encounter down the road. Let you know.
Update: Moved to 16.3.7, crashing stopped. Seems like Cisco should update their recommended version to 16.3.7.
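A small triage helper for the console output quoted in the original post, added here as an example (it is not code from the thread or from Cisco). It assumes the `rc` value follows the Linux convention of 128 plus the terminating signal number, under which rc 139 is a SIGSEGV in the `smd` process; the function names are hypothetical and the sample input is a subset of the lines from the post.

```python
import re

# Console lines copied from the post, one message per line (sample input).
SAMPLE_LOG = """\
Oct 16 17:18:27.473 R0/0: %PMAN-3-PROCHOLDDOWN: The process smd has been helddown (rc 139)
Chassis 1 reloading, reason - Reload command
Oct 16 17:18:37.899 R0/0: %PMAN-5-EXITACTION: Process manager is exiting: reload fp action requested
Oct 16 17:19:09.116 R0/0: %PMAN-3-PROCESS_NOTIFICATION: System report /crashinfo/system-report_1_20181016-171859-UTC.tar.gz (size: 6510 KB) generated
reboot: Restarting system
"""

HOLDDOWN = re.compile(
    r"%PMAN-3-PROCHOLDDOWN: The process (?P<proc>\S+) has been helddown \(rc (?P<rc>\d+)\)")
REPORT = re.compile(
    r"%PMAN-3-PROCESS_NOTIFICATION: System report (?P<path>\S+) \(size: \d+ KB\) generated")

# Signal numbers that are the same on every Linux architecture.
SIGNALS = {6: "SIGABRT", 9: "SIGKILL", 11: "SIGSEGV"}

def decode_rc(rc):
    """Assumption: rc uses the Linux shell convention, 128 + N = killed by signal N."""
    if rc > 128:
        return SIGNALS.get(rc - 128, f"signal {rc - 128}")
    return f"exit status {rc}"

def triage(log_text):
    """Return one record per held-down process, paired with the next system report."""
    events = []
    for line in log_text.splitlines():
        held = HOLDDOWN.search(line)
        if held:
            rc = int(held["rc"])
            events.append({"process": held["proc"], "rc": rc,
                           "cause": decode_rc(rc), "report": None})
            continue
        report = REPORT.search(line)
        if report:
            # Attach the report to every crash still waiting for one.
            for event in events:
                if event["report"] is None:
                    event["report"] = report["path"]
    return events

if __name__ == "__main__":
    for event in triage(SAMPLE_LOG):
        print("{process}: rc {rc} -> {cause}; collect {report}".format(**event))
```

The system report path it returns is the archive to copy off the switch before further reloads, since it is what a bug search or support case would be matched against.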