topic Re: Please remove the WLC from in Network Access Control

ISE Radius accounting

Lance Wendel — Mon, 11 Mar 2019 04:40:47 GMT

Hi all,

we are seen some error messages as below

11038 RADIUS Accounting-Request header contains invalid Authenticator field."

ISE cannot validate the Authenticator field in the header of the RADIUS Accounting-Request packet. Note that the Authenticator field should not be confused with the Message-Authenticator RADIUS attribute.
Ensure that the RADIUS Shared Secret configured on the AAA client matches that configured for the selected Network Device on the ISE server. Also, ensure that the AAA client has no hardware problems or problems with RADIUS compatibility.

we have removed the shared secrete and reapplied but still this error shows up.

any idea?

thanks

Lance

Please remove the WLC from

Saurav Lodh — Thu, 01 May 2014 11:23:51 GMT

Please remove the WLC from ISE, register there after rebooting the WLC once.

CSCtw56571Symptom:When aaa

mohanak — Thu, 12 Jun 2014 11:22:43 GMT

CSCtw56571

Symptom:
When aaa dot1x accounting and trustsec accounting are both enabled, RADIUS accounting does not work. When the ISE receives and accounting packet, it receives the following error.

Conditions:
The following command needs to be present on the device.

aaa accounting dot1x default start-stop group radius

Workaround:
Two workarounds:

1. Disable aaa accounting :

no aaa accounting dot1x default start-stop group radius

2. Define two AAA server groups: one with PAC for TrustSec and the other without PAC for non-TrustSec.

Below is a snippet of sample configuration for Catalyst 3850 03.03.02SE, tested ok with ISE:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Define two radius servers;
!! one uses ports 1645 and 1646 and
!! the other uses PAC and ports 1812 and 1813
radius server ise.demo.local
address ipv4 10.1.100.21 auth-port 1645 acct-port 1646
automate-tester username radius-test ignore-acct-port idle-time 5
key ISEc0ld
!
radius server ise.demo.local+pac
address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
pac key ISEc0ld
!
aaa group server radius ISE+PAC
server name ise.demo.local+pac
!
aaa group server radius ISE
server name ise.demo.local
!
aaa authentication dot1x default group ISE
aaa authentication dot1x authc-dot1x group ISE
aaa authorization network default group ISE
aaa authorization network cts-mlist group ISE+PAC
aaa accounting update newinfo periodic 15
aaa accounting dot1x default start-stop group ISE
aaa accounting network acct-net start-stop group ISE
!
!
aaa server radius dynamic-author
client 10.1.100.21 server-key ISEc0ld
auth-type any
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
!
!
aaa new-model
aaa session-id common
!
!
!!!! CTS configuration !!!!!!!!!
cts authorization list cts-mlist
cts sgt 2
cts logging verbose
cts role-based enforcement
cts role-based enforcement vlan-list 10,20,99-100,200

Further Problem Description:
The documentation guide for trustsec shows that aaa accounting is enabled, however once that is done the RADIus accounting is broken and we see the following error when the ISE receives an accounting packet :

11038 RADIUS Accounting-Request header contains invalid Authenticator field

On the Network device from

Gurudatt Pai — Thu, 19 Jun 2014 06:55:03 GMT

On the Network device from which you're receiving these Accounting packets, ensure that both the Authentication server and Accounting server is set to the same ISE IP address.

Regards,

Gurudatt

Just disabling the accounting

fashour — Fri, 04 Dec 2015 21:04:23 GMT

Just disabling the accounting tester fixed the same issue for me without adding 2 radius groups.

radius server MEGATRON
address ipv4 x.x.x.x auth-port 1812 acct-port 1813
automate-tester username ise-check ignore-acct-port idle-time 5
pac key !radius-key!

aaa group server radius ISE
server name MEGATRON
ip radius source-interface Loopback0

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization network CTS group ISE
aaa authorization auth-proxy default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE
cts authorization list CTS

Re: Please remove the WLC from

nohfendi1 — Thu, 26 Oct 2017 08:06:22 GMT

Dear Support

I got the same problem.

What the workaround for this case ?

I was try to re enter the secret-shared but the problem still occurs.

Thanks

Muhamad

Re: ISE Radius accounting

sanket — Wed, 25 Mar 2020 08:31:28 GMT

Make sure your ISE->NetworkDevice->WLC password is same as your WLC->Security->radius->Accounting->ServerAddress(x.y.z.w) password.

Thanks,

Sanket