topic NenoNothing to do with that in Network Access Control

ISE v1.2 - Status-Server - 5405 RADIUS Request dropped

Ian Cowley — Mon, 11 Mar 2019 04:56:38 GMT

Just a note:

Some devices send regular RADIUS status messages;

The ISE drops these as

Event: 5405 RADIUS Request dropped

Failure Reason: 11031 RADIUS packet type is not a valid Request

Root cause: RADIUS packet type is not a valid Request.

Wireshark shows:-

Code: Status-Server (12)
Attribute Value Pairs:
AVP: l=6 t=Service-Type(6): Shell-User(6)
AVP: l=18 t=Message-Authenticator(80): df48bb4b50f0a772bd7c891ef6548c68
AVP: l=6 t=NAS-IP-Address(4): 10.1.1.1

I believe that ISE should accept and respond to these messages RFC5997 up2866.

A RADIUS server or proxy implementing this specification SHOULD respond to a Status-Server packet with an Access-Accept (authentication port) or Accounting-Response (accounting port). An Access-Challenge response is NOT RECOMMENDED. An Access-Reject response MAY be used.

Silly question but you do

nspasov — Fri, 15 Aug 2014 22:38:09 GMT

Silly question but you do have the NAS added in ISE's database?

NenoNothing to do with that

Ian Cowley — Mon, 18 Aug 2014 08:57:51 GMT

Neno

Nothing to do with that,

The devices will use RADIUS to authenticate fine; databass, credentials, etc fine.

However they send keepalives to validate the RADIUS server is still there. ISE doesn't implement this and ISE logs get full of rejections. The end devices are unable to prioritise which ISE to used based on up/down. But still work.

This was just a note to everyone so they are aware of the issue,