-- The C4510 switch was upgraded from 3.9.1 to 3.9.2
-- The IP phones were failing authentication and ISE did not show any authentication attempt
-- Checked the Auth Manager and found no active sessions
#sh auth sess int g1/20
No sessions match supplied criteria.
-- After removing all AAA commands on the interface, IP and DHCP snooping bind correctly
Troubleshooting Performed :
* IP Phones 7941 / 7961 / 8841 are impacted by this issue
* Not seeing session on 4510R+E Sup 8-3 ver 3.9.2 in Auth Manager
* MAC address is being learned, but as a dynamic entry -- instead of static
* Took RADIUS/dot1x debugs and only saw the message for QoS to trust the IP Phone
-- no endpoint behind the phone.
* DHCP Snooping was turned off and issue was persisting, confirming not hitting CSCvc28141
* Debugs enabled :
-- debug epm all
-- debug authentication error
-- debug authentication event
-- debug dot1x error
* Added "authentication mac-move permit", after which we saw an auth session but the method list was empty
* Added "dot1x pae authenticator" to interface g1/20, and afterwards the session was not seen in Auth Manager
* Ended up finding out later that the MAC address is being moved around, even without "authentication mac-move permit"
* We found that the switch port having both "auth open" and the pre-auth ACL "ACL-DEFAULT" may have been causing odd behavior
-- Moved into Closed mode per document: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_25_closed_mode.pdf
* Now ISE is getting the authentication attempt, and it is successful with the correct rules being matched as expected
* Net changes that improved/fixed issue
-- kept DHCP Snooping enabled
-- kept Inactivity Timer for dynamic macs enabled on interface
-- removed pre-auth acl from interface
-- removed "auth open" from interface
-- removed "authentication mac-move permit"
-- added "dot1x pae authenticator" on interface
Analysis :
* ISE is not part of the issue; this might be caused by the switch when AAA is enabled.
NON-WORKING INTERFACE CONFIGURATION :
#sh run int g1/40
Building configuration...
Current configuration : 1080 bytes
!
interface GigabitEthernet1/40
description * Data30/Voip130 *
switchport access vlan 30
switchport mode access
switchport voice vlan 130
switchport priority extend trust
ip access-group ACL-DEFAULT in
no logging event link-status
authentication event fail action next-method
authentication event server dead action reinitialize vlan 30
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
qos trust device cisco-phone
qos trust extend
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
service-policy input VoIP-Input-Policy
service-policy output VoIP-Output-Policy
ip dhcp snooping limit rate 10
end
----------------------------------------------------------------
#sh auth sess int g1/20
No sessions match supplied criteria
WORKING INTERFACE CONFIGURATION :
AB-PA01-SWL001#sh run int g1/20
Building configuration...
Current configuration : 995 bytes
!
interface GigabitEthernet1/20
switchport access vlan 30
switchport mode access
switchport voice vlan 130
switchport priority extend trust
no logging event link-status
authentication event fail action next-method
authentication event server dead action reinitialize vlan 30
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
qos trust device cisco-phone
qos trust extend
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
service-policy input VoIP-Input-Policy
service-policy output VoIP-Output-Policy
ip dhcp snooping limit rate 10
end
----------------------------------------------------------------
AB-PA01-SWL001#sh auth sess int gi1/20 det
Interface: GigabitEthernet1/20
MAC Address: xxxx.xxxx.xxxx
IPv6 Address: Unknown
IPv4 Address: 10.90.11.241
User-Name: xx-xx-xx-xx-xx-xx
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 86400s (local), Remaining: 84663s
Session Uptime: 2036s
Common Session ID: 0A28240900000B348082D8F4
Acct Session ID: 0x00001B35
Handle: 0x0E0009A7
Current Policy: POLICY_Gi1/20
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
ACS ACL: xACSACLx-IP-ACL-VOIP-SERVICE-PERMIT-59cedbcf
Method status list:
Method State
dot1x Stopped
mab Authc Success
ASSISTANCE REQUIRED :
++ Since the issue occurred after upgrading from 3.9.1 to 3.9.2, reviewed the Release Notes for 3.9.2 : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/ol-39xe-4500e.html
-- Did not find anything significant that could cause a behaviour change.
I would appreciate it if anyone could shed some light on the cause of the issue.
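An added example (not from the thread or from Cisco): a small Python audit that parses "sh run int" text into per-interface lines and flags the interface-level combinations the poster removed to get the port working (authentication open together with an inbound pre-auth ACL, and port-control auto without dot1x pae authenticator). The interface and ACL names are the thread's; the trimmed config excerpts are constructed.

```python
import re

# Constructed excerpts of the two interface configs from the thread, trimmed
# to the AAA-relevant lines (not the full "sh run int" output).
NON_WORKING = """\
interface GigabitEthernet1/40
 ip access-group ACL-DEFAULT in
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
end
"""

WORKING = """\
interface GigabitEthernet1/20
 authentication port-control auto
 mab
 dot1x pae authenticator
end
"""

PRE_AUTH_ACL = re.compile(r"ip access-group (\S+) in$")

def parse_interfaces(running_config):
    """Return {interface_name: [config lines]} from 'show run' style text."""
    interfaces, current = {}, None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("end", "!"):
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces

def audit_port(lines):
    """Flag the interface-level combinations the thread removed to fix the port."""
    findings = []
    acls = [m.group(1) for m in map(PRE_AUTH_ACL.match, lines) if m]
    if "authentication open" in lines and acls:
        findings.append(f"open mode combined with pre-auth ACL {acls[0]}")
    elif "authentication open" in lines:
        findings.append("open mode (authentication open) still configured")
    if "authentication port-control auto" in lines and "dot1x pae authenticator" not in lines:
        findings.append("port-control auto without dot1x pae authenticator")
    return findings
```

Run audit_port over every interface returned by parse_interfaces on a full "show run" to spot other ports still in the non-working layout.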
Since this is a switching issue, please work with Switching and TAC
Jason,
My apologies if anything was left unclear -- mostly wanted to find out if there were any behavior or process flow changes between IOS-XE 3.9.1 and IOS-XE 3.9.2 for 4500 series switches that are related to AAA and/or MAC addresses being learned on switch ports other than where they are physically connected?
You would need to ask the switch team
Sure not a problem, will repost a new thread with the Switching team. Thank you.
Thank you for your input