9400 series NAC issue with 17.9.6 code (code is pulled now)

RVTim
Level 1

I was intending to write today looking for help, but I may have answered my own question enough to satisfy me. Still, I thought I'd post, because this could be good information for someone else about to upgrade.

Somewhere around 9/27/2024 I downloaded the 17.9.6 code for the 9300/9400 series switches, right after their security vulnerabilities were made public.

I just upgraded to 17.9.6 and the next morning was immediately hit with issues. In general, the code seems OK; however, we use dot1x NAC with ClearPass and certificate authentication for our laptops and PCs.

What is/was happening is this: the PC connects, and the whole dot1x process goes fine. ClearPass logs show the PC being allowed, and the switch shows AUTH when you do 'show auth sessions'. So everything is good. Except the PC can't get an IP address from DHCP, and if you put a static IP on it, it won't talk to anything either. The MAC address table gets populated, but the entry shows as STATIC, even on a DYNAMIC port/device. ARP in our case is done on a firewall for all VLANs, and NO ARP entry ends up on the firewall for that MAC address. If you do "show interface" on that interface, you'll see 0 (zero) packets input. You will see some packets output, but not too many.

Additionally, we have some devices that use MAC authentication, and those seem to be working fine. So it's just the dot1x stuff that blew up. It's almost like the layer 2 side isn't being connected once dot1x succeeds, or an "open the port" dynamic default ACL isn't being applied.

I was able to get all the ports functional by removing all of the NAC config. I probably could have turned it off at the global level, but I was hoping I could troubleshoot and fix it. Turns out the troubleshooting wasn't giving me any real results. Debug logs clearly show the authentication succeeding.

So my next step was to come here and post for help, but before I did that, I wanted to leave a one-star review of the code on the download page, with a comment, to prevent others from having this issue.

When I went to the download page, that 17.9.6 version is nowhere to be seen anymore.  This was the original data block on it:

Description : CAT9300/9400/9500/9600 Universal
Release : Cupertino-17.9.6
Release Date : 16-Sep-2024
FileName : cat9k_iosxe.17.09.06.SPA.bin
Min Memory : DRAM 8192 Flash 16384
Size : 1199.43 MB ( 1257688537 bytes)

So, should you be running NAC, definitely avoid this code. And I'm not sure what other bugs they must have been finding, so for sure do your research before you upgrade to that rev!
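The three symptoms the post lists (an authorized dot1x session, a STATIC entry for that MAC in the MAC address table, and zero input packets on the interface) can be correlated from the CLI output rather than eyeballed port by port. The script below is an added example, not code from the original post or from Cisco: it parses constructed sample output shaped like 'show authentication sessions', 'show mac address-table' and the counter lines of 'show interfaces', and flags only interfaces that show all three symptoms together, which is what separates the post's failure mode from a healthy dot1x port. The sample output, the interface names and the MAC addresses are invented for illustration; a real run would paste in the output captured from the switch.

```python
import re

# Constructed sample output, modelled on the symptom described in the post.
# Gi1/0/1 shows all three symptoms; Gi1/0/2 is a healthy MAB port;
# Gi1/0/3 and Gi1/0/4 are dot1x ports that pass traffic.
SHOW_AUTH_SESSIONS = """\
Interface    MAC Address    Method  Domain  Status Fg  Session ID
Gi1/0/1      0011.2233.4455 dot1x   DATA    Auth       0A0A0A0100000001
Gi1/0/2      aabb.ccdd.eeff mab     DATA    Auth       0A0A0A0100000002
Gi1/0/3      0022.3344.5566 dot1x   DATA    Auth       0A0A0A0100000003
Gi1/0/4      0033.4455.6677 dot1x   DATA    Auth       0A0A0A0100000004
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    STATIC      Gi1/0/1
  10    aabb.ccdd.eeff    DYNAMIC     Gi1/0/2
  10    0022.3344.5566    DYNAMIC     Gi1/0/3
  10    0033.4455.6677    STATIC      Gi1/0/4
"""

# Only the counter lines of 'show interfaces <intf>' are kept, per interface (constructed).
SHOW_INTERFACES = {
    "Gi1/0/1": "     0 packets input, 0 bytes, 0 no buffer\n     37 packets output, 4810 bytes, 0 underruns\n",
    "Gi1/0/2": "     1520 packets input, 188210 bytes, 0 no buffer\n     1398 packets output, 170044 bytes, 0 underruns\n",
    "Gi1/0/3": "     9811 packets input, 1203559 bytes, 0 no buffer\n     8702 packets output, 1011387 bytes, 0 underruns\n",
    "Gi1/0/4": "     2310 packets input, 301122 bytes, 0 no buffer\n     2204 packets output, 288016 bytes, 0 underruns\n",
}


def parse_auth_sessions(text):
    """Map interface -> {mac, method, status} from 'show authentication sessions' output."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Interface":
            continue  # skip the header and any blank lines
        intf, mac, method, _domain, status = parts[:5]
        sessions[intf] = {"mac": mac.lower(), "method": method, "status": status}
    return sessions


MAC_LINE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I)


def parse_mac_table(text):
    """Map mac -> {vlan, type, port} from 'show mac address-table' output."""
    entries = {}
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            entries[mac.lower()] = {"vlan": int(vlan), "type": typ.upper(), "port": port}
    return entries


def parse_counters(text):
    """Return (packets_in, packets_out) from 'show interfaces' counter lines, None if absent."""
    m_in = re.search(r"(\d+) packets input", text)
    m_out = re.search(r"(\d+) packets output", text)
    return (int(m_in.group(1)) if m_in else None,
            int(m_out.group(1)) if m_out else None)


def find_stuck_dot1x_ports(auth_text, mac_text, interfaces):
    """Interfaces whose dot1x session is Auth, MAC entry is STATIC and input counter is zero."""
    sessions = parse_auth_sessions(auth_text)
    macs = parse_mac_table(mac_text)
    stuck = []
    for intf, sess in sessions.items():
        if sess["method"] != "dot1x" or sess["status"] != "Auth":
            continue  # MAB ports and unauthorized sessions are out of scope
        entry = macs.get(sess["mac"])
        pkts_in, _ = parse_counters(interfaces.get(intf, ""))
        if entry and entry["type"] == "STATIC" and pkts_in == 0:
            stuck.append(intf)
    return stuck


if __name__ == "__main__":
    for intf in find_stuck_dot1x_ports(SHOW_AUTH_SESSIONS, SHOW_MAC_TABLE, SHOW_INTERFACES):
        print(f"{intf}: dot1x authorized but no input traffic and STATIC MAC entry")
```

Run it before and after the upgrade against captured output and compare the two lists; an interface appearing only in the post-upgrade list is the post's symptom rather than a host that was already silent.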

 

15 Replies

balaji.bandi
Hall of Fame

This could be a bug. That is the reason, most of the time, to compare the configuration before and after the upgrade: sometimes some of the features break with the upgrade. Cisco is suggesting 17.9.5 as the best version so far for production, and it is working.

 

BB


MHM Cisco World