Beginner

dot1x on catalyst 3850 16.3 Denali

Hello,

   After we upgraded IOS XE on the 3850 from version 3.6 to version 16.3.(6,7,8), dot1x authorization stopped working. We use dot1x authentication with VLAN and DACL assignment. With the same config on version 3.6, dot1x authentication and authorization are fine.

  During dot1x authorization on the port, messages like these appear in the log:

04:21:22.746 [smd]: [1551]: UUID: 0, ra: 0 ==CLIENT-MAC=9c7b.ef00.0000,state=EV_SESSION_AUTHZ_FAILED, cnt=11237, idx=1==
04:21:22.746 [errmsg]: [1551]: UUID: 0, ra: 0 (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (9C7B.EF00.0000) on Interface GigabitEthernet1/0/2 AuditSessionID 0A2130100000002351924547
04:21:22.745 [caaa-ah]: [1551]: UUID: 0, ra: 0 (ERR): [CAAA:ACTION HANDLER:5000011] AH ub not exist for session 0x5000011
04:21:22.744 [auth-mgr]: [1551]: UUID: 0, ra: 0 (ERR): [9C7B.EF00.0000:Gi1/0/2] User Profile application failed for 0x05000011 - ASYNC - err 0x10
2019/06/14 04:21:22.744 [epm]: [1551]: UUID: 0, ra: 0 (ERR): Error in activating feature (EPM ACL PLUG-IN)
2019/06/14 04:21:22.740 [aaa-attr-err]: [1551]: UUID: 0, ra: 0 (ERR): ERROR: AAA/ATTR: invalid attribute prefix: "ACS"

 

What could have changed in version 16.3, so that what worked before has ceased to work?

 

Regards

VIP Engager

Re: dot1x on catalyst 3850 16.3 Denali

 

  - I would suspect a bug. Roll back if production urgency is a requirement. Below is a similar bug report:

                https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum17258/?rfs=iqvred

M.

Hall of Fame Community Legend

Re: dot1x on catalyst 3850 16.3 Denali

Can you try 16.6.6 and see if it helps?
Beginner

Re: dot1x on catalyst 3850 16.3 Denali

Unfortunately, ver. 16.6.6 does not help.

 

Regards

Beginner

Re: dot1x on catalyst 3850 16.3 Denali

This problem was related to the old ISE server version, which is the RADIUS server for that Catalyst. After updating the ISE server to the current version, authorization worked. The server version was lower than that required in the release notes Software Compatibility Matrix for IOS XE 16.3.
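
As an added example (not part of the thread and not Cisco tooling), this Python script puts the trace lines quoted in the first post into chronological order and ties each %SESSION_MGR-5-FAIL event to the (ERR) lines that preceded it, so the earliest error is the one to check against the RADIUS server. The function names and the one-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Trace lines copied from the first post (listed newest-first, as posted).
SAMPLE = """\
04:21:22.746 [smd]: [1551]: UUID: 0, ra: 0 ==CLIENT-MAC=9c7b.ef00.0000,state=EV_SESSION_AUTHZ_FAILED, cnt=11237, idx=1==
04:21:22.746 [errmsg]: [1551]: UUID: 0, ra: 0 (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (9C7B.EF00.0000) on Interface GigabitEthernet1/0/2 AuditSessionID 0A2130100000002351924547
04:21:22.745 [caaa-ah]: [1551]: UUID: 0, ra: 0 (ERR): [CAAA:ACTION HANDLER:5000011] AH ub not exist for session 0x5000011
04:21:22.744 [auth-mgr]: [1551]: UUID: 0, ra: 0 (ERR): [9C7B.EF00.0000:Gi1/0/2] User Profile application failed for 0x05000011 - ASYNC - err 0x10
2019/06/14 04:21:22.744 [epm]: [1551]: UUID: 0, ra: 0 (ERR): Error in activating feature (EPM ACL PLUG-IN)
2019/06/14 04:21:22.740 [aaa-attr-err]: [1551]: UUID: 0, ra: 0 (ERR): ERROR: AAA/ATTR: invalid attribute prefix: "ACS"
"""

LINE = re.compile(r"^(?:\d{4}/\d{2}/\d{2} )?(\d{2}:\d{2}:\d{2}\.\d{3}) "
                  r"\[([\w-]+)\]: \[\d+\]: UUID: \d+, ra: \d+ (.*)$")
FAIL = re.compile(r"%SESSION_MGR-5-FAIL: .*client \(([0-9A-Fa-f.]+)\) "
                  r"on Interface (\S+)")

def parse(text):
    """Return (time, component, message) tuples, oldest first."""
    events = []
    # Assumption: input is newest-first, so reverse it before the stable sort
    # to keep same-millisecond lines in their likely original order.
    for raw in reversed(text.splitlines()):
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")  # time of day only
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e[0])

def triage(text, window=timedelta(seconds=1)):
    """For each authorization failure, list the (ERR) lines just before it."""
    events = parse(text)
    reports = []
    for ts, _, msg in events:
        m = FAIL.search(msg)
        if not m:
            continue
        errors = [(c, t) for e_ts, c, t in events
                  if t.startswith("(ERR)") and timedelta(0) <= ts - e_ts <= window]
        reports.append({"client": m.group(1), "interface": m.group(2),
                        "first_error": errors[0] if errors else None,
                        "errors": errors})
    return reports

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["client"], r["interface"], "->", r["first_error"])
```

On the quoted trace, the earliest error is the `aaa-attr-err` line rejecting the attribute prefix "ACS", which comes before the EPM ACL plug-in and user-profile failures.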
