9400 series NAC issue with 17.9.6 code (code is pulled now)

RVTim
Level 1

I was intending to write today looking for help, but I may have answered my own question enough to satisfy me. But I thought I'd still post because this could be good information for someone else about to upgrade.

Somewhere around 9/27/2024 I downloaded the 17.9.6 code for the 9300/9400 series switches, right after their security vulnerabilities were made public.

I just upgraded to 17.9.6 and the next morning was immediately hit with issues.  In general, the code seems OK, however, we use dot1x NAC with Clearpass and certificate authentication for our laptops and PCs.

What is/was happening is this: The PC connects, and all of the dot1x process goes fine. Clearpass logs show the PC being allowed, and the switch shows AUTH when you do 'show auth sessions'. So everything is good. Except, the PC can't get an IP address from DHCP, and, if you put a static IP on it, it won't talk to anything either. The mac address-table gets populated but it shows as STATIC, even on a DYNAMIC port/device. The arp in our case is done on a firewall for all vlans, and there is NO arp entry that ends up on the firewall for that mac address. If you do "show interface" on that interface, you'll see 0 (zero) packets input. You will see some packets output, but not too many.

Additionally, we have some devices that use mac authentication, and those seem to be working fine.  So it's just the dot1x stuff that blew up.  It's almost like the layer 2 side isn't being connected once dot1x succeeds, or, that an "open the port" Dynamic default ACL isn't being applied.

I was able to get all the ports functional by removing all of the NAC config.  I probably could have turned it off at the global level but was hoping I could troubleshoot and fix it.  Turns out the troubleshooting wasn't giving me any real results.  Debug logs clearly show the authentication successful.

So my next step was to come here and post for help, but, before I did that, I wanted to One star review the code on the download page, and comment there, to prevent others from having this issue. 

When I went to the download page, that 17.9.6 version is nowhere to be seen anymore.  This was the original data block on it:

Description : CAT9300/9400/9500/9600 Universal
Release : Cupertino-17.9.6
Release Date : 16-Sep-2024
FileName : cat9k_iosxe.17.09.06.SPA.bin
Min Memory : DRAM 8192 Flash 16384
Size : 1199.43 MB ( 1257688537 bytes)

So, should you be running NAC, for sure avoid the code.  And, I'm not sure what other bugs they must have been finding so do research before you upgrade to that rev for sure!
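The symptom pattern described in this post (dot1x session shows Auth, the MAC lands as STATIC, and the interface shows zero input packets) is easy to miss across a few hundred ports. The script below is an added example, not part of the original post or any Cisco tool: it parses constructed excerpts of 'show auth sessions', 'show mac address-table' and 'show interface' counters and flags ports that match all three conditions, so a post-upgrade check can be scripted before users report outages.

```python
import re

# Constructed sample output (not from the original post). Gi1/0/2 is the
# black-holed port: dot1x Auth, STATIC MAC entry, and zero input packets.
SHOW_AUTH_SESSIONS = """\
Interface   MAC Address     Method  Domain  Status  Fg  Session ID
Gi1/0/1     0011.2233.4455  dot1x   DATA    Auth        0A0A0A0100000001
Gi1/0/2     0011.2233.4466  dot1x   DATA    Auth        0A0A0A0100000002
Gi1/0/3     0011.2233.4477  mab     DATA    Auth        0A0A0A0100000003
"""
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  33    0011.2233.4455    DYNAMIC     Gi1/0/1
  33    0011.2233.4466    STATIC      Gi1/0/2
  33    0011.2233.4477    DYNAMIC     Gi1/0/3
"""
# Counter excerpt from 'show interface <port>', one per interface (constructed)
SHOW_INTERFACE = {
    "Gi1/0/1": "     1523 packets input, 210233 bytes, 0 no buffer\n     980 packets output, 120011 bytes",
    "Gi1/0/2": "     0 packets input, 0 bytes, 0 no buffer\n     42 packets output, 5100 bytes",
    "Gi1/0/3": "     311 packets input, 40100 bytes, 0 no buffer\n     200 packets output, 30120 bytes",
}
AUTH_RE = re.compile(r"^(\S+)\s+([0-9a-f.]{14})\s+(\S+)\s+\S+\s+(\S+)", re.M)
MAC_RE = re.compile(r"^\s*\d+\s+([0-9a-f.]{14})\s+(DYNAMIC|STATIC)\s+(\S+)", re.M)

def parse_auth_sessions(text):
    """Map interface -> (mac, method, status) from 'show auth sessions'."""
    return {i: (mac, meth, st) for i, mac, meth, st in AUTH_RE.findall(text)}

def parse_mac_table(text):
    """Map mac -> (type, port) from 'show mac address-table'."""
    return {mac: (typ, port) for mac, typ, port in MAC_RE.findall(text)}

def input_packets(text):
    """Return the 'packets input' counter from a 'show interface' excerpt, or None."""
    m = re.search(r"(\d+) packets input", text)
    return int(m.group(1)) if m else None

def find_blackholed_dot1x_ports(auth_text, mac_text, intf_counters):
    """Ports authorized via dot1x whose MAC is STATIC and that have seen 0 input packets."""
    macs = parse_mac_table(mac_text)
    hits = []
    for intf, (mac, method, status) in parse_auth_sessions(auth_text).items():
        if method != "dot1x" or status != "Auth":
            continue  # MAB sessions were unaffected in the post, so only dot1x is checked
        mac_type = macs.get(mac, ("MISSING", None))[0]
        if mac_type == "STATIC" and input_packets(intf_counters.get(intf, "")) == 0:
            hits.append(intf)
    return hits

if __name__ == "__main__":
    print(find_blackholed_dot1x_ports(SHOW_AUTH_SESSIONS, SHOW_MAC_TABLE, SHOW_INTERFACE))
```

Feed it the real command output captured right after the upgrade; a non-empty result on ports that were passing traffic before is the signal to roll back rather than keep debugging the RADIUS side.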


17 Replies

OK, so you think it's an internal SW issue: the MAC is learned but the traffic is not forwarded.

9k#sh platform hardware fed switch active vlan 33 egress/ingress <<- check if the port is added to the vlan in both cases, when you use dot1x and when you manually add the access port to the vlan

9k#sh platform software fed switch 1 matm macTable vlan 33 <<- check if the MAC is successfully added to vlan 33

MHM 

RVTim
Level 1

It looks like 17.9.6a is now available and there is a bug report in the system on 17.9.6 with Bug ID: CSCwm57734.


[attached screenshot: 17.9.6_Bug.jpg]

I have tested 17.9.6a, and it appears that NAC is once again working ok after an upgrade from 17.9.5.

I just thought I'd post and let you all know.
