Cisco Bug: CSCus79132 - Dot1x authentication legacy behaviour broken

Last Modified

May 01, 2018

Products (1)

  • Cisco Catalyst 4000 Series Switches

Known Affected Releases

15.2(1)E 15.2(2)E

Description (partial)

Symptom:
On a Catalyst 4500E with Sup-8E running IOS-XE 3.6.1E, when the VLAN is statically assigned, authentication fails because a RADIUS Access-Accept message is treated as a failure:

Jan 30 13:58:03.293: RADIUS: Received from id 1645/97 172.0.32.53:1812, Access-Accept, len 281
Jan 30 13:58:03.293: RADIUS:  authenticator 5E A7 92 8B 31 E2 9C C5 - 8C 3D 3B 3D 17 04 AD E2
Jan 30 13:58:03.293: RADIUS:  Service-Type        [6]   6 Framed                    [2]
Jan 30 13:58:03.293: RADIUS:  Tunnel-Medium-Type  [65]  6 00:ALL_802                [6]
Jan 30 13:58:03.293: RADIUS:  Tunnel-Type         [64]  6 00:VLAN

On IOS-XE/IOS releases before IOS-XE 3.5.0 / IOS 15.2(1)E, the above RADIUS message was accepted and the supplicant was successfully authenticated. This is what we call "legacy behaviour".

Starting from IOS-XE 3.5.0 / IOS 15.2(1)E, the above RADIUS message is treated as a failure and the supplicant is not authenticated. This change breaks the legacy behaviour and is not compatible with the customer environment.

The customer expects the legacy behaviour described above to be supported in new software releases.

Conditions:
All access platforms (Cat2k/3k/4k) running IOS-XE 3.5.0 / IOS 15.2(1)E and above.