Hello,

We are seeing some strange behaviour on Catalyst 4K SUP 8 running 03.06.04.E

1. One configuring the below interface commands the machine is denied access as "no sessions match supplied criteria" message is displayed by issuing "show authentication session interface gi4/15 de" command.

2. The ISE logs show that the machine is trying to authenticate via MAB.

By removing dot1x configuration everything is working.

interface GigabitEthernet4/15

switchport access vlan 912

switchport mode access

switchport voice vlan 942

ip access-group Dot1x_Preauth_Restricted_IN in

logging event link-status

authentication event fail action next-method

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication violation replace

mab

no snmp trap link-status

dot1x pae authenticator

dot1x timeout tx-period 10

dot1x max-reauth-req 1

storm-control broadcast include multicast

storm-control broadcast level 0.10

spanning-tree portfast

spanning-tree bpduguard enable

end

The endpoint is correctly configured with dot1x. After stopping wired autoconfig  "no sessions match supplied criteria" is displayed again even though we should be expecting MAB.

It seems to be an issue with a particular machine as other machines are able to authenticate from the same port.

However shouldn't the switch still be able authenticate the machine via MAB if for some reason the supplicant is corrupted ?

Please let me know if anyone has encountered the same issue.

Thanks,

Utkarsh