Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
377
Views
0
Helpful
2
Replies

IPPHONE don't dot1x authenticate after cat3650 reload, go to mab and not re-authenticate

Go to solution
nkleiman
Cisco Employee
Cisco Employee

‎02-08-2019 02:20 AM

Hi Team,

I have catalyst 3650-24p-pdm with dot1x enable for multiauth, after reloading the switch, all IPPHONE failed to dot1x authentication and go to mab, even if the priority is set to dot1x and even after increasing the timeout/retries.

if I shutdown and no shut the port, the IPPHONE authenticate with dot1x.

I have the same configuration with catalyst 3850 and everything is working fine after reload with the IPPHONE.

the version that i run 16.6.2.

 

any suggestion?

 

thank you in advance,

Nir 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nkleiman
Cisco Employee
Cisco Employee
In response to marce1000

‎02-10-2019 04:53 AM

thanks fot eh reply, i will check with my customer,

anyhow, we have encounter the following bug:

We found the following bug id CSCvh69402

Dot1x specific configuration applied but not working on the interface
CSCvh69402
 
Description
Symptom:
After device reload dot1x/MAB does not work (no Radius packets are generated by the switch to AAA server)

Conditions:
- Issue seen after IOS upgrade
- dot1x/MAB configuration on the port.

-Issue can also been seen (sometimes) after a normal reload on 16.6.1

Workaround:
Work Around 1
1) Default affected interface
2) Re-apply port configuration again on the port
3) Shut/no shut the port.

Work Around 2.
Have found if switch has old style configuration, dot1x/MAB would stop working after reload
radius-server key 7

When you change to the new style configuration, the dot1x/MAB continues to work after reload
radius server i210t
address ipv4 x.x.x.x
key 7
This has been seen on code 16.6.1 and 16.6.3 (after an upgrade from 16.6.1).
 
So, the customer will upgrade and check the configuration fro the accounting as well.
Nir

View solution in original post

0 Helpful
2 Replies 2

Go to solution
marce1000
VIP
VIP

‎02-08-2019 03:11 AM

 

 - Check this thread :

 https://community.cisco.com/t5/policy-and-access/wired-802-1x-fails-after-switch-reload/td-p/3016274

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
nkleiman
Cisco Employee
Cisco Employee
In response to marce1000

‎02-10-2019 04:53 AM

thanks fot eh reply, i will check with my customer,

anyhow, we have encounter the following bug:

We found the following bug id CSCvh69402

Dot1x specific configuration applied but not working on the interface
CSCvh69402
 
Description
Symptom:
After device reload dot1x/MAB does not work (no Radius packets are generated by the switch to AAA server)

Conditions:
- Issue seen after IOS upgrade
- dot1x/MAB configuration on the port.

-Issue can also been seen (sometimes) after a normal reload on 16.6.1

Workaround:
Work Around 1
1) Default affected interface
2) Re-apply port configuration again on the port
3) Shut/no shut the port.

Work Around 2.
Have found if switch has old style configuration, dot1x/MAB would stop working after reload
radius-server key 7

When you change to the new style configuration, the dot1x/MAB continues to work after reload
radius server i210t
address ipv4 x.x.x.x
key 7
This has been seen on code 16.6.1 and 16.6.3 (after an upgrade from 16.6.1).
 
So, the customer will upgrade and check the configuration fro the accounting as well.
Nir
0 Helpful
Customers Also Viewed These Support Documents