Cisco 3850 not performing 802.1x

Richard Lucht
Level 1

I have 2 stacks of 3850s running 3.6.8E; they were 3.6.6E. All of our 802.1x clients are failing in ISE. Our MAB devices are authenticating in ISE. We have other 3.6.8E switches that are authenticating just fine, 802.1x and MAB, on the same network. I can move a device that is failing to a different switch and it authenticates just fine.

Interface  MAC Address     Method  Domain   Status  Fg  Session ID
Gi4/0/24   00ca.e540.3b1d  N/A     UNKNOWN  Unauth      0A00011E00001273003E36F4
Gi2/0/44   ecb1.d737.a01c  N/A     DATA     Unauth      0A00011E0000121C003E0F08
Gi2/0/48   5065.f344.56b7  N/A     DATA     Unauth      0A00011E00001281003E5792
Gi4/0/17   a08c.fdc9.7a36  N/A     DATA     Unauth      0A00011E00001206003E0C42

policy-map type control subscriber ISE-PMAP-522
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN_522
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 authorize
   40 pause reauthentication
   50 clear-authenticated-data-hosts-on-port
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  50 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_VLAN do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_VLAN do-until-failure
   10 resume reauthentication
 event violation match-all
  10 class always do-until-failure
   10 restrict

interface GigabitEthernet2/0/22
 switchport access vlan 3216
 switchport mode access
 switchport voice vlan 2123
 authentication periodic
 authentication timer reauthenticate server
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 no cdp enable
 spanning-tree portfast
 service-policy type control subscriber ISE-PMAP-3216

We have Cisco IP phones with certs along with PC with Certs.

We are using the new style, and I have compared all the aaa settings and policy maps. I am starting to draw blanks on what to look at next.

Any help would be insightful.
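As an added illustration (not code from the thread or from Cisco), a small Python check that does mechanically what the poster did by hand when comparing settings across switches: it parses a pasted running-config, flags any interface whose `service-policy type control subscriber` names a policy-map the config never defines, and reports ports missing the new-style commands shown in the post (`access-session port-control auto`, `mab`, `dot1x pae authenticator`). The config text is constructed, modelled on the interface and policy-map above; the second interface and its bound policy name are assumptions for the demonstration.

```python
import re

# Constructed sample, modelled on the post's config (not the poster's full
# running-config): one port is bound to a policy-map the config defines, the
# other to one it does not, and one port lacks 'mab'.
RUNNING_CONFIG = """\
policy-map type control subscriber ISE-PMAP-522
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
interface GigabitEthernet2/0/22
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber ISE-PMAP-3216
interface GigabitEthernet4/0/24
 access-session port-control auto
 dot1x pae authenticator
 service-policy type control subscriber ISE-PMAP-522
"""

# Commands every new-style 802.1X/MAB edge port in the post carries.
REQUIRED = ("access-session port-control auto", "mab", "dot1x pae authenticator")
POLICY_RE = re.compile(r"service-policy type control subscriber (\S+)")

def parse_blocks(config):
    """Group an IOS config into top-level stanzas: header -> stripped sub-lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # an unindented line starts a new stanza
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def audit(config):
    """Return {interface: [findings]} for every port bound to a subscriber policy."""
    blocks = parse_blocks(config)
    defined = {h.split()[-1] for h in blocks
               if h.startswith("policy-map type control subscriber")}
    findings = {}
    for header, lines in blocks.items():
        if not header.startswith("interface "):
            continue
        bound = [m.group(1) for m in map(POLICY_RE.match, lines) if m]
        if not bound:
            continue                          # not an access-session edge port
        issues = [f"policy-map {p} referenced but not defined"
                  for p in bound if p not in defined]
        issues += [f"missing '{cmd}'" for cmd in REQUIRED if cmd not in lines]
        findings[header.split(None, 1)[1]] = issues
    return findings
```

Feed it the output of `show running-config` from a working and a failing switch and diff the two result dictionaries; an empty list means the port carries every checked command and a defined policy.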

2 Replies

balaji.bandi
Hall of Fame

Hello,

In addition to Balaji's post, I faintly remember a similar problem from a while ago; it had to do with the authentication host mode, not sure if that is related at all. Try and configure the below on your interfaces:

authentication host-mode multi-auth

Also, try to default the interface (e.g. default interface Gi4/0/24), then reapply the entire interface configuration, then shut/no shut the interface...