Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1495
Views
0
Helpful
3
Replies

Upgraded from IOS-XE 3.07 to Denali 16.02..Dot1x failing now

genexjeff
Level 1
Level 1

ā€Ž04-04-2016 05:51 PM - edited ā€Ž03-08-2019 05:13 AM

I upgraded my 3850 switch from IOS-XE 3.07 to 16.02 and now dot1x is failing. PC connected to Cisco IP Phone, which in turn is connected to 3850. After the upgrade my phones are stuck as the "registration" screen and this is the error in my log. Needless to say the PC cant get access either.

Apr  4 20:12:40.101: %DOT1X-5-FAIL:Switch 1 R0/0: smd:  Authentication failed for client (ACA0.166F.5C70) on Interface Gi3/0/25 AuditSessionID AC1200C800000019E3AFE41F

I must be missing something in my configs. Any help???

Old Working Config w/ IOS 3.0.7

aaa new-model

aaa group server radius NPS
 server 172.18.3.161
 server 172.18.3.162
!
aaa authentication dot1x default group NPS

!
dot1x system-auth-control


interface GigabitEthernet3/0/25
 switchport access vlan 106
 switchport mode access
 switchport voice vlan 206
 trust device cisco-phone
 authentication port-control auto
 dot1x pae authenticator


radius-server host 172.18.3.161 key 7 <removed>
radius-server host 172.18.3.162 key 7 <removed>

New Config with 16.0.2 NOT WORKING.

aaa new-model

aaa group server radius NPS
 server name NPS01
 server name NPS02
!
aaa authentication dot1x default group NPS

dot1x system-auth-control
!
interface GigabitEthernet3/0/25
 switchport access vlan 106
 switchport mode access
 switchport voice vlan 206
 trust device cisco-phone
 authentication port-control auto
 dot1x pae authenticator
!
radius server NPS01
 address ipv4 172.18.3.161 auth-port 1645 acct-port 1646
 key <removed>
!
radius server NPS02
 address ipv4 172.18.3.162 auth-port 1645 acct-port 1646
 key <removed>

2 people had this problem
Labels:
0 Helpful
3 Replies 3

Philip D'Ath
VIP Alumni
VIP Alumni

ā€Ž04-04-2016 06:49 PM

16.x code is "bleeding edge" new.  I don't think I would use it in a production environment yet.

I would downgrade to the "gold star" release 3.6.4E.

https://software.cisco.com/download/release.html?mdfid=284455427&softwareid=282046477&release=3.6.4E&relind=AVAILABLE&rellifecycle=MD&reltype=latest

0 Helpful

edondurguti
Level 4
Level 4
In response to Philip D'Ath

ā€Ž02-05-2018 08:41 AM

16.3.3 is recommend by cisco for ISE and its compatible.

Some users can't downgrade (ie Multigig swtiches)

0 Helpful

arestrepo71
Level 1
Level 1

ā€Ž06-16-2017 09:05 AM

Hi, were you able to figured that out. I'm getting issues with a 4331 and radius also.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card