topic Re: 5405 RADIUS Request Dropped in Network Access Control

5405 RADIUS Request Dropped

paul — Thu, 08 Feb 2018 20:33:42 GMT

I am pulling my hair out (well I really don't have hair left) on an issue that I am sure I am missing something obvious.

I am testing wireless SSIDs against ISE, something I have done 100s of times. I have a guest SSID working just fine against the deployment but on my 802.1x SSIDs I am getting the following in the logs:

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

5405 RADIUS Request dropped

There is no reason for the request being dropped. It is not even trying to match one of my policy sets, just dropping the RADIUS request. I know because the guest SSID works on the same controller the Shared Secrets and ISE network device definitions are working.

I am sure I am missing something obvious, but can't see it. I saw the same thing with the customer on their APIC-EM RADIUS authentications being dropped with no apparent reason why.

Re: 5405 RADIUS Request Dropped

hslai — Fri, 09 Feb 2018 01:53:06 GMT

The built-in Cisco NAD profile does not check password for MAB so it possible to work with wrong shared secret. Other than that, we need Runtime-AAA in DEBUG and check prrt-server.log.

Re: 5405 RADIUS Request Dropped

paul — Fri, 09 Feb 2018 02:52:42 GMT

Wow there is nothing more in the log files either at debug mode. At least nothing I see obvious. I am fighting two RADIUS request dropped issues. The one I can easily reproduce remotely is APIC-EM RADIUS authentication for GUI access. No matter what I try I get RADIUS request drops. ISE shows all the details of the network device in the details of the record so I know it is matching the right network device. I tried putting in the wrong shared secret in purpose and it still just says RADIUS request drop. The prrt server logs don’t show much detail:

AcsLogs,2018-02-08 21:35:39,442,DEBUG,0x7fc23c60b700,cntx=0000252715,sesn=MASV-ISE-PSN/307501790/27367,Formatter got 1676 attributes,MessageFormatter.cpp:150

AcsLogs,2018-02-08 21:35:39,442,DEBUG,0x7fc23c60b700,cntx=0000252715,sesn=MASV-ISE-PSN/307501790/27367,Duplicate pair: attr = NetworkDeviceName value = MAS-APIC-EM,MessageFormatter.cpp:394

AcsLogs,2018-02-08 21:35:39,442,DEBUG,0x7fc23c60b700,cntx=0000252715,sesn=MASV-ISE-PSN/307501790/27367,Log_Message=[2018-02-08 21:35:39.442 -05:00 0000437894 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=13, Device IP Address=10.201.41.0, Device Port=33585, DestinationIPAddress=10.201.9.10, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=MAS-APIC-EM, User-Name=phaferman, NAS-Identifier=b1c6c99d-d1da-493f-a693-60d77239fbd5, NetworkDeviceProfileName=Dart_Cisco_Customized, NetworkDeviceProfileId=f0628b3b-95af-4db4-b4ca-e72657d38595, AcsSessionID=MASV-ISE-PSN/307501790/27367, Step=11001, Step=11017, Step=5405, NetworkDeviceGroups=Location#All Locations#Mason DC, NetworkDeviceGroups=Device Type#All Device Types#Servers#APIC-EM, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=ISE Phase#ISE Phase#Auth, DTLSSupport=Unknown, Network Device Profile=Dart_Cisco_Customized, Location=Location#All Locations#Mason DC, Device Type=Device Type#All Device Types#Servers#APIC-EM, IPSEC=IPSEC#Is IPSEC Device#No, ISE Phase=ISE Phase#ISE Phase#Auth, ],MessageFormatter.cpp:94

I put a customized device profile to see if turning off some of the attributes would help, but so far it hasn’t. I guess I will have to open a TAC case and see if they can get more data.

Thanks for the feedback Hsing.

Re: 5405 RADIUS Request Dropped

Nitipat Dilokwattanakoon — Sun, 08 Jul 2018 02:55:23 GMT

Do you find anything from TAC?

I got same problem.

Re: 5405 RADIUS Request Dropped

paul — Sun, 08 Jul 2018 05:05:44 GMT

I think if I remember right it was odd characters in the RADIUS shared secret that caused some devices to not work correctly. Are you just having the issue from APIC-EM or from something else?

Re: 5405 RADIUS Request Dropped

Nitipat Dilokwattanakoon — Sun, 08 Jul 2018 06:12:00 GMT

May be not same issue with me because my RADIUS shared secret just common character.