Cisco Bug: CSCus79132 - Dot1x authentication legacy behaviour broken
May 01, 2018
- Cisco Catalyst 4000 Series Switches
Known Affected Releases
Symptom: On Catalyst 4500E with Sup-8E and IOS-XE 3.6.1E, when the VLAN is statically assigned, authentication fails because of a Radius Access-Accept message that is seen as a failure: Jan 30 13:58:03.293: RADIUS: Received from id 1645/97 188.8.131.52:1812, Access-Accept, len 281 Jan 30 13:58:03.293: RADIUS: authenticator 5E A7 92 8B 31 E2 9C C5 - 8C 3D 3B 3D 17 04 AD E2 Jan 30 13:58:03.293: RADIUS: Service-Type  6 Framed  Jan 30 13:58:03.293: RADIUS: Tunnel-Medium-Type  6 00:ALL_802  Jan 30 13:58:03.293: RADIUS: Tunnel-Type  6 00:VLAN On IOS-XE/IOS releases before IOS-XE 3.5.0 / IOS 15.2(1)E the above Radius message was accepted and the supplicant was successfully authenticated. This is what we call "legacy behaviour". Starting from IOS-XE 3.5.0 / IOS 15.2(1)E, the above Radius message is seen as a failure and the supplicant is not authenticated. This change breaks the legacy behaviour and is not compatible with customer environment. Support for the above described legacy behaviour in new software releases is what the customer expects. Conditions: All access platforms (Cat2k/3k/4k) with IOS-XE 3.5.0 / IOS 15.2(1)E and above.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases