cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2231
Views
2
Helpful
5
Replies
Highlighted
Cisco Employee

No sessions observed on the authentication interface of C4510 switch since upgrading from 3.9.1 to 3.9.2.

-- The C4510 switch was upgraded from 3.9.1 to 3.9.2

-- The ip phones were failing authentication and ISE did not show any authentication attempt

-- Checked the Auth Manager and found no active sessions

#sh auth sess int g1/20

No sessions match supplied criteria.

-- Removing all AAA commands on interface, IP and DHCP snooping binds correctly

Troubleshooting Performed :

* IP Phone 7941 / 7961 / 8841 are impacted by this issue

* Not seeing session on 4510R+E Sup 8-3 ver 3.9.2 in Auth Manager

* Mac Address is being learned but as a dynamic entry -- instead of static

* Took radius/dot1x debugs and only saw the message for QoS to trust the IP Phone

-- no endpoint behind the phone.

* DHCP Snooping was turned off and issue was persisting, confirming not hitting CSCvc28141

* Debugs enabled :

-- debug epm all

-- debug authentication error

-- debug authentication event

-- debug dot1x error

* added "authentication mac-move permit" which we saw auth session but method list was empty

* Added "dot1x pae authenticator" to the interface g1/20 and afterwards not seeing the session in auth manager

* Ended up finding out later that the mac address is being moved around, even without "authentication mac-move permit"

* We found that since switch port had both "auth open" and pre-auth ACL "ACL-DEFAULT" may have been causing odd behavior

-- Moved into Closed mode per document: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_25_closed_mode.pdf  

* Now ISE Is getting the authentication attempt and successful with correct rules being matched as expected


* Net changes that improved/fixed issue

-- kept DHCP Snooping enabled

-- kept Inactivity Timer for dynamic macs enabled on interface

-- removed pre-auth acl  from interface

-- removed "auth open" from interface

-- removed "authentication mac-move permit"

-- added "dot1x pae authenticator" on interface

Analysis :

*  ISE is not part of issue, this might be caused by the switch when AAA is enabled.

NON-WORKING INTERFACE CONFIGURATION :

#sh run int g1/40

Building configuration...

Current configuration : 1080 bytes

!

interface GigabitEthernet1/40

description * Data30/Voip130 *

switchport access vlan 30

switchport mode access

switchport voice vlan 130

switchport priority extend trust

ip access-group ACL-DEFAULT in

no logging event link-status

authentication event fail action next-method

authentication event server dead action reinitialize vlan 30

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server dynamic

authentication violation restrict

mab

no snmp trap link-status

dot1x pae authenticator

qos trust device cisco-phone

qos trust extend

spanning-tree portfast edge

spanning-tree bpduguard enable

spanning-tree guard root

service-policy input VoIP-Input-Policy

service-policy output VoIP-Output-Policy

ip dhcp snooping limit rate 10

end

----------------------------------------------------------------

#sh auth sess int g1/20

No sessions match supplied criteria

WORKING INTERFACE CONFIGURATION :

AB-PA01-SWL001#sh run int g1/20

Building configuration...

Current configuration : 995 bytes

!

interface GigabitEthernet1/20

switchport access vlan 30

switchport mode access

switchport voice vlan 130

switchport priority extend trust

no logging event link-status

authentication event fail action next-method

authentication event server dead action reinitialize vlan 30

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server dynamic

authentication violation restrict

mab

no snmp trap link-status

dot1x pae authenticator

qos trust device cisco-phone

qos trust extend

spanning-tree portfast edge

spanning-tree bpduguard enable

spanning-tree guard root

service-policy input VoIP-Input-Policy

service-policy output VoIP-Output-Policy

ip dhcp snooping limit rate 10

end

----------------------------------------------------------------

AB-PA01-SWL001#sh auth sess int gi1/20 det

            Interface:  GigabitEthernet1/20

          MAC Address:  xxxx.xxxx.xxxx

         IPv6 Address:  Unknown

         IPv4 Address:  10.90.11.241

            User-Name:  xx-xx-xx-xx-xx-xx

               Status:  Authorized

               Domain:  VOICE

       Oper host mode:  multi-auth

     Oper control dir:  both

      Session timeout:  N/A

      Restart timeout:  N/A

Periodic Acct timeout:  86400s (local), Remaining: 84663s

       Session Uptime:  2036s

    Common Session ID:  0A28240900000B348082D8F4

      Acct Session ID:  0x00001B35

               Handle:  0x0E0009A7

       Current Policy:  POLICY_Gi1/20

Local Policies:

        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

      Security Policy:  Should Secure

      Security Status:  Link Unsecure

Server Policies:

              ACS ACL:  xACSACLx-IP-ACL-VOIP-SERVICE-PERMIT-59cedbcf

Method status list:

      Method            State

      dot1x              Stopped

      mab                Authc Success

ASSISTANCE REQUIRED :

++ Since the issue occurred after upgrading from 3.9.1 to 3.9.2, Reviewed the Release Notes for 3.9.2 : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/ol-39xe-4500e.html

-- Did not find anythinng significant that could cause a behaviour change.

I would appreciate it, if anyone could shed some light for the cause of the issue.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Since this is switching issue please work with switching and tac

View solution in original post

5 REPLIES 5
Highlighted
Cisco Employee

Since this is switching issue please work with switching and tac

View solution in original post

Highlighted
Cisco Employee

Jason,

My apologies if anything was left unclear -- mostly wanted to find out if there were any behavior or process flow changes between IOS-XE 3.9.1 versus IOS-XE 3.9.2 for 4500 series switches that is related to AAA and/or Mac Addresses being learned on multiple switch ports other than where physically connected to?

Highlighted

You would need to ask the switch team

Highlighted

Sure not a problem, will repost a new thread with the Switching team.   Thank you.

Highlighted
Cisco Employee

Thank you for your input

Content for Community-Ad