Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1250
Views
0
Helpful
4
Replies

dot1x on catalyst 3850 16.3 Denali

abw
Level 1
Level 1

‎06-14-2019 08:58 AM

Hello,

   After we have upgraded IOS XE on 3850 from version 3.6 to version 16.3.(6,7,8) dot1x authorization is stop working. We use dot1x authentication with VLAN and DACL assignment. With the same config on version 3.6 dot1x authentication and authorization is fine.

  During dot1x authorization on the port in the log such messages appear:

04:21:22.746 [smd]: [1551]: UUID: 0, ra: 0 ==CLIENT-MAC=9c7b.ef00.0000,state=EV_SESSION_AUTHZ_FAILED, cnt=11237, idx=1==
04:21:22.746 [errmsg]: [1551]: UUID: 0, ra: 0 (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (9C7B.EF00.0000) on Interface GigabitEthernet1/0/2 AuditSessionID 0A2130100000002351924547
04:21:22.745 [caaa-ah]: [1551]: UUID: 0, ra: 0 (ERR): [CAAA:ACTION HANDLER:5000011] AH ub not exist for session 0x5000011
04:21:22.744 [auth-mgr]: [1551]: UUID: 0, ra: 0 (ERR): [9C7B.EF00.0000:Gi1/0/2] User Profile application failed for 0x05000011 - ASYNC - err 0x10
2019/06/14 04:21:22.744 [epm]: [1551]: UUID: 0, ra: 0 (ERR): Error in activating feature (EPM ACL PLUG-IN)
2019/06/14 04:21:22.740 [aaa-attr-err]: [1551]: UUID: 0, ra: 0 (ERR): ERROR: AAA/ATTR: invalid attribute prefix: "ACS"

 

What could have changed in 16.3 version, what had ceased to work what had worked before?

 

Regards

1 person had this problem
Labels:
0 Helpful
4 Replies 4

marce1000
VIP
VIP

‎06-14-2019 09:47 AM

 

  - I would suspect a bug. Roll back , if production urgence is  a requirement. Below is a similar bug report :

                https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum17258/?rfs=iqvred

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame

‎06-14-2019 06:28 PM

Can you try 16.6.6 and see if it helps?
0 Helpful

abw
Level 1
Level 1
In response to Leo Laohoo

‎06-19-2019 03:03 AM

Unfortunately, ver. 16.6.6 does not help.

 

Regards

0 Helpful

abw
Level 1
Level 1

‎01-28-2020 01:37 AM

This problem was related to the old ISE server version, which is the radius server for that catalyst. After updating the ISE server to the current version, authorization has worked. The server version was less than that required in the release notes software

Compatibility Matrix for IOS XE 16.3.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card