Cisco Switch crashing after enabling AAA, RADIUS, and authentication port-control auto

cfc
Level 1

Please help me understand why my switch (running IOS Denali 16.3.6) is crashing. Denali is a minimum requirement for us; we cannot use our Aironet 2802E APs using IOS 3.6.8E. We want to enable RADIUS authentication so we can assign VLANs to users. I have the switch and RADIUS (Windows NPS) server configured to the point that they communicate and I can log in using an AD user's credentials. The config to accomplish this is as follows:

conf t
! RADIUS server definition and the server group that references it
aaa new-model
radius server myserver
address ipv4 192.168.20.206 auth-port 1812 acct-port 1813
key 0 cisco123
exit
aaa group server radius rad1
server name myserver
exit
! Method lists: try RADIUS first, fall back to local users
aaa authentication dot1x default group radius local
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated
aaa authorization network default group radius local if-authenticated
aaa authorization console
! Enable 802.1X globally
dot1x system-auth-control
end

This has remained stable, no crashing. I then input the following:

conf t
int gi1/0/2
switchport mode access
! port facing the RADIUS server: both authenticator and supplicant roles
dot1x pae both
int gi1/0/45
switchport mode access
! failed authentication -> VLAN 50, no supplicant response -> VLAN 60
authentication event fail action authorize vlan 50
authentication event no-response action authorize vlan 60
dot1x pae authenticator
! start enforcing 802.1X on this port
authentication port-control auto
end

My RADIUS server is on port 1/0/2, and I have a computer (a MacBook using a Thunderbolt Ethernet adapter if that makes any difference) on port 1/0/45. When I connect my computer to this port it then asks for a username and password to authenticate with. I input a username and password that I have verified from using "test aaa group rad1 server myserver username password legacy" and after about 10-15 seconds I get this:

Oct 16 17:18:27.473 R0/0: %PMAN-3-PROCHOLDDOWN: The process smd has been helddown (rc 139)

Chassis 1 reloading, reason - Reload command
Oct 16 17:18:37.899 R0/0: %PMAN-5-EXITACTION: Process manager is exiting: reload fp action requested
Oct 16 17:18:45.580 R0/0: %PMAN-5-EXITACTION: Process manager is exiting: rp processes exit with reload switch code
Oct 16 17:19:09.116 R0/0: %PMAN-3-PROCESS_NOTIFICATION: System report /crashinfo/system-report_1_20181016-171859-UTC.tar.gz (size: 6510 KB) generated

octeon_wdt: WDT device closed unexpectedly.  WDT will not stop!
reboot: Restarting system

This happens every time. The moment I add that line for "Authentication port-control auto" I get the login prompt on the computer and then a crash shortly after. Any insights as to why this could be crashing? If not, can anyone help me at least get a stable workaround config? Pretty sure this is a bug and I would submit to TAC, but no service contract for the few Catalyst 3850s we manage and I don't have $1600 just lying around to submit a bug report.
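As an added example (not code from the post or from Cisco): a small Python audit of the two configuration snippets above, merged into running-config form, that reports each port's effective 802.1X posture (enforcing or left at force-authorized, and which VLAN a failed or silent host is still authorized into) and flags a short RADIUS shared secret. The 16-character threshold and the finding wording are this example's assumptions.

```python
import re

# Constructed copy of the poster's snippets in running-config form; the checks are this example's own.
CONFIG = """\
radius server myserver
 address ipv4 192.168.20.206 auth-port 1812 acct-port 1813
 key 0 cisco123
interface GigabitEthernet1/0/2
 switchport mode access
 dot1x pae both
interface GigabitEthernet1/0/45
 switchport mode access
 authentication event fail action authorize vlan 50
 authentication event no-response action authorize vlan 60
 dot1x pae authenticator
 authentication port-control auto
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif cur and line.startswith(" "):
            ifaces[cur].append(line.strip())
        else:
            cur = None
    return ifaces

def audit(config):
    """Findings on the RADIUS secret and each port's 802.1X posture."""
    findings = []
    key = re.search(r"^\s*key 0 (\S+)", config, re.M)
    if key and len(key.group(1)) < 16:  # length threshold is this example's choice
        findings.append("radius: shared secret shorter than 16 characters")
    for name, lines in parse_interfaces(config).items():
        if "dot1x pae both" in lines:
            findings.append(f"{name}: pae both (port also acts as supplicant)")
        if "authentication port-control auto" not in lines:
            if any(l.startswith("dot1x") for l in lines):
                findings.append(f"{name}: dot1x set but port-control left at default force-authorized")
            continue
        for line in lines:
            m = re.match(r"authentication event (\S+) action authorize vlan (\d+)", line)
            if m:
                findings.append(f"{name}: on {m.group(1)}, host still authorized into VLAN {m.group(2)}")
    return findings
```

Run `audit(CONFIG)` to list the findings; feed it a `show running-config` paste to check the same points on a live switch.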

Accepted Solution

Damien Miller
VIP Alumni
I would first suggest trying 16.3.7 and 16.6.4. I have had good dot1x results on 16.6.4 with the exception of a bug that drops fragmented UDP traffic when DHCP snooping is enabled. If you aren't running DHCP snooping I would give it a shot. I have not run the 16.3 train on switches.

I've also had positive results on 3.7.5E, so the other thought that comes to mind is: does it work on 3.7.5E? If yes, one could assume that it's possibly a bug. Not sure if your APs will work on 3.7.5E but it's worth trying; each train has its own quirks. Code is often reused, so bugs often show up in other trains but are fixed at different times.


3 Replies


Thanks for the input. I chose 16.3.6 merely because it was flagged by Cisco as the most stable. The 16.3.7 changelog states nothing about fixing an issue with dot1x, so I have a hard time believing it will resolve my issue, and unfortunately without DHCP snooping wireless clients connected to the Aironets can't even ping their gateway, so 16.6.4 is out. And, unfortunately, all trains of IOS 3 do not support Aironet 2800 series APs. I would still be on it if it did.

However, after looking at the caveats resolved by 16.3.7 I will be updating to it. Hopefully it does fix the issue, but even if it doesn't fix this issue it will resolve a few that are related to the 2800 series APs that I may encounter down the road. I'll let you know.

Update: Moved to 16.3.7, crashing stopped. Seems like Cisco should update their recommended version to 16.3.7.

Did you try another image in the Denali train?