Cisco Bug: CSCup67361 - 3750X Stack Master Switch blocks traffic on Dot1x Port

Last Modified

Mar 15, 2018

Products (1)

  • Cisco IOS

Known Affected Releases

15.2(1.1)

Description (partial)

Symptom:
Issue with two ports on the NAD where users are not getting network access.

Switch Model: 3750X  Code Version: 15.02(SE5)  C3750E-UNIVERSALK9-M

In ISE we see an Authc and Authz success.

On the switch we see an Authc and Authz success.

End devices have IP addresses, but the customer can't ping them, nor can they access anything on the network.

All interfaces of the 1st switch in the 3750X switch stack are seeing the issue, whereas other ports on the 2nd switch in the stack are authenticating fine.

Conditions:
Switch Model: 3750X  Code Version: 15.02(SE5)  C3750E-UNIVERSALK9-M

ISE Version: 1.2 P6 3415

Port config:

interface GigabitEthernet1/0/8
 switchport access vlan 112
 switchport mode access

 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 112
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
 spanning-tree portfast
 ip dhcp snooping trust

Debug output from the switch:


Jun 23 16:14:35.910: %DOT1X-5-SUCCESS: Authentication successful for client (xxxx.xxxx.xxxx) on Interface Gi1/0/8 AuditSessionID 0A01023F000012B129E4580C
Jun 23 16:14:35.910: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (xxxx.xxxx.xxxx) on Interface Gi1/0/8 AuditSessionID 0A01023F000012B129E4580C
Jun 23 16:14:35.927: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.xxxx.xxxx| AuditSessionID 0A01023F000012B129E4580C| AUTHTYPE DOT1X| EVENT APPLY
Jun 23 16:14:35.927: %EPM-6-POLICY_APP_SUCCESS: IP X.X.X.X| MAC xxxx.xxxx.xxxxx| AuditSessionID 0A01023F000012B129E4580C| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-Wired_Machine-53445937| RESULT SUCCESS
Jun 23 16:14:37.319: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.xxxx.xxxx) on Interface Gi1/0/8 AuditSessionID 0A01023F000012B129E4580C



LAK3750-1S-1822_3#show auth sess int gi1/0/8
            Interface:  GigabitEthernet1/0/8
          MAC Address:  xxxx.xxxx.xxxx
           IP Address:  X.X.X.X
            User-Name:  host/hostname.host.com
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-Wired_Machine-53445937
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01023F000012B129E4580C
      Acct Session ID:  0x000028E0
               Handle:  0xAA0002C9

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

Yet no traffic will pass on the interface.