General

Issue is customer visible, customer found.

Symptom

When using type 6 passwords (passwords encrypted with AES) under the RADIUS server group, IOS XE Router (issue has been seen on C1111 but it's not limited to only this platform) stops generating RADIUS packets used for 802.1X authentication.

Conditions

Router configured to encrypt the password: password encryption aes key config-key password-encrypt radius server ISE2 address ipv4 x.x.x.x auth-port 1645 acct-port 1646 key 6 * This issue only exhibits when a dot1x authentication needs to be performed. ** "Test aaa" will work fine.

Workaround

Remove the "password encryption aes" and "key config-key password-encrypt" commands** and re-enter the key for the ISE server in clear text. **By doing this, all passwords/keys that were in the router (type 6) will become unusable, that's why they need to be re-entered again in clear text

Further Problem Description