After we have upgraded IOS XE on 3850 from version 3.6 to version 16.3.(6,7,8) dot1x authorization is stop working. We use dot1x authentication with VLAN and DACL assignment. With the same config on version 3.6 dot1x authentication and authorization is fine.
During dot1x authorization on the port in the log such messages appear:
04:21:22.746 [smd]: : UUID: 0, ra: 0 ==CLIENT-MAC=9c7b.ef00.0000,state=EV_SESSION_AUTHZ_FAILED, cnt=11237, idx=1==
04:21:22.746 [errmsg]: : UUID: 0, ra: 0 (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (9C7B.EF00.0000) on Interface GigabitEthernet1/0/2 AuditSessionID 0A2130100000002351924547
04:21:22.745 [caaa-ah]: : UUID: 0, ra: 0 (ERR): [CAAA:ACTION HANDLER:5000011] AH ub not exist for session 0x5000011
04:21:22.744 [auth-mgr]: : UUID: 0, ra: 0 (ERR): [9C7B.EF00.0000:Gi1/0/2] User Profile application failed for 0x05000011 - ASYNC - err 0x10
2019/06/14 04:21:22.744 [epm]: : UUID: 0, ra: 0 (ERR): Error in activating feature (EPM ACL PLUG-IN)
2019/06/14 04:21:22.740 [aaa-attr-err]: : UUID: 0, ra: 0 (ERR): ERROR: AAA/ATTR: invalid attribute prefix: "ACS"
What could have changed in 16.3 version, what had ceased to work what had worked before?
- I would suspect a bug. Roll back , if production urgence is a requirement. Below is a similar bug report :
This problem was related to the old ISE server version, which is the radius server for that catalyst. After updating the ISE server to the current version, authorization has worked. The server version was less than that required in the release notes software
Compatibility Matrix for IOS XE 16.3.