cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
617
Views
0
Helpful
4
Replies
abw
Beginner
Beginner

dot1x on catalyst 3850 16.3 Denali

Hello,

   After we have upgraded IOS XE on 3850 from version 3.6 to version 16.3.(6,7,8) dot1x authorization is stop working. We use dot1x authentication with VLAN and DACL assignment. With the same config on version 3.6 dot1x authentication and authorization is fine.

  During dot1x authorization on the port in the log such messages appear:

04:21:22.746 [smd]: [1551]: UUID: 0, ra: 0 ==CLIENT-MAC=9c7b.ef00.0000,state=EV_SESSION_AUTHZ_FAILED, cnt=11237, idx=1==
04:21:22.746 [errmsg]: [1551]: UUID: 0, ra: 0 (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (9C7B.EF00.0000) on Interface GigabitEthernet1/0/2 AuditSessionID 0A2130100000002351924547
04:21:22.745 [caaa-ah]: [1551]: UUID: 0, ra: 0 (ERR): [CAAA:ACTION HANDLER:5000011] AH ub not exist for session 0x5000011
04:21:22.744 [auth-mgr]: [1551]: UUID: 0, ra: 0 (ERR): [9C7B.EF00.0000:Gi1/0/2] User Profile application failed for 0x05000011 - ASYNC - err 0x10
2019/06/14 04:21:22.744 [epm]: [1551]: UUID: 0, ra: 0 (ERR): Error in activating feature (EPM ACL PLUG-IN)
2019/06/14 04:21:22.740 [aaa-attr-err]: [1551]: UUID: 0, ra: 0 (ERR): ERROR: AAA/ATTR: invalid attribute prefix: "ACS"

 

What could have changed in 16.3 version, what had ceased to work what had worked before?

 

Regards

4 REPLIES 4
marce1000
VIP Advisor

 

  - I would suspect a bug. Roll back , if production urgence is  a requirement. Below is a similar bug report :

                https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum17258/?rfs=iqvred

M.

Leo Laohoo
VIP Community Legend

Can you try 16.6.6 and see if it helps?

Unfortunately, ver. 16.6.6 does not help.

 

Regards

abw
Beginner
Beginner

This problem was related to the old ISE server version, which is the radius server for that catalyst. After updating the ISE server to the current version, authorization has worked. The server version was less than that required in the release notes software

Compatibility Matrix for IOS XE 16.3.