https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528812#M311197 We came across the same issue and found bug <A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq00652/?rfs=iqvred" target="_blank" rel="nofollow noopener noreferrer">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq00652/?rfs=iqvred</A> which was affecting our test results. Fri, 11 Oct 2019 17:16:55 GMT Eric101 2019-10-11T17:16:55Z https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528805#M311190 <P>Hello</P><P>Firmware: 25.13</P><P>Cisco ISE: <SPAN>2.3.0.298</SPAN></P><P>just testing the radius authentication from the dashboard to our Cisco ISE radius</P><TABLE><TBODY><TR><TD>Total APs: </TD><TD>9</TD></TR><TR><TD>APs passed: </TD><TD>4</TD></TR><TR><TD>APs failed: </TD><TD>5</TD></TR><TR><TD>APs unreachable: </TD><TD>0</TD></TR></TBODY></TABLE><P>these are same subnet, same site, same everything</P><P>each time I test I receive different results and sometime I receive an error</P><DIV><STRONG>RADIUS attributes used:</STRONG><BR />Airespace-ACL-Name:HS-Laptop<BR /><BR /><STRONG>RADIUS attributes unused:</STRONG><BR />User-Name: *domain\user*<BR />State:ReauthSession:0a2d000fKS4uutHjQp5FArmB2ZstcLZ63zRmIXdtubIA7tDgTB4</DIV><DIV> </DIV><DIV> </DIV><DIV>I managed to find a good site explaining this a long time ago but I am unable to find it now so looking for help with a solution of explanation</DIV><DIV> </DIV><DIV>our old Cisco ISE box (decommissioned) used to always be 100% but as I am not a Cisco ISE person I unable to to even work out the difference</DIV><DIV>and cisco forums are a mess so hoping here someone can point me in the correct direction</DIV><DIV> </DIV><DIV>Working AP ISE output:</DIV><DIV><H3>Authentication Details</H3><TABLE border="0"><TBODY><TR><TD>Source Timestamp</TD><TD>2019-09-05 09:42:20.332</TD></TR><TR><TD>Received Timestamp</TD><TD>2019-09-05 09:42:20.333</TD></TR><TR><TD>Policy Server</TD><TD>servername</TD></TR><TR><TD>Event</TD><TD>5200 Authentication succeeded</TD></TR><TR><TD>Username</TD><TD>domain\user</TD></TR><TR><TD>Endpoint Id</TD><TD>00:00:00:00:00:02</TD></TR><TR><TD>Calling Station Id</TD><TD>00-00-00-00-00-02</TD></TR><TR><TD>Authentication Identity Store</TD><TD>HS_AD</TD></TR><TR><TD>Authentication Method</TD><TD>MSCHAPV2</TD></TR><TR><TD>Authentication Protocol</TD><TD>PEAP (EAP-MSCHAPv2)</TD></TR><TR><TD>Network Device</TD><TD>Meraki_AP</TD></TR><TR><TD>Device Type</TD><TD>All Device Types#Meraki_AP</TD></TR><TR><TD>Location</TD><TD>All Locations</TD></TR><TR><TD>NAS IPv4 Address</TD><TD>10.45.99.12</TD></TR><TR><TD>NAS Port Type</TD><TD>Wireless - IEEE 802.11</TD></TR><TR><TD>Authorization Profile</TD><TD>HS_Laptop_Permit_All</TD></TR><TR><TD>Response Time</TD><TD>19 milliseconds</TD></TR></TBODY></TABLE><P>failing AP ISE output</P><H3>Authentication Details</H3><TABLE border="0"><TBODY><TR><TD>Source Timestamp</TD><TD>2019-09-05 09:42:21.899</TD></TR><TR><TD>Received Timestamp</TD><TD>2019-09-05 09:42:21.9</TD></TR><TR><TD>Policy Server</TD><TD>servername</TD></TR><TR><TD>Event</TD><TD>5400 Authentication failed</TD></TR><TR><TD>Failure Reason</TD><TD>12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist</TD></TR><TR><TD>Resolution</TD><TD>Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.</TD></TR><TR><TD>Root cause</TD><TD>Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.</TD></TR><TR><TD>Username</TD><TD>domain\user</TD></TR><TR><TD>Endpoint Id</TD><TD>00:00:00:00:00:02</TD></TR><TR><TD>Calling Station Id</TD><TD>00-00-00-00-00-02</TD></TR><TR><TD>Network Device</TD><TD>Meraki_AP</TD></TR><TR><TD>Device Type</TD><TD>All Device Types#Meraki_AP</TD></TR><TR><TD>Location</TD><TD>All Locations</TD></TR><TR><TD>NAS IPv4 Address</TD><TD>10.45.99.13</TD></TR><TR><TD>NAS Port Type</TD><TD>Wireless - IEEE 802.11</TD></TR><TR><TD>Response Time</TD><TD>4 milliseconds</TD></TR></TBODY></TABLE><P>any help on this is greatly appreciated</P></DIV> Thu, 05 Sep 2019 10:14:09 GMT https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528805#M311190 jake.ryan1 2019-09-05T10:14:09Z https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528806#M311191 <P>I can't help here as I don't mess with ISE, but found the following links that might be of assistance (unless you've already read them then never mind lol).</P><P>You'll want to make sure your ISE is updated/patched etc.</P><P>Are you able to open up a TAC case for your issue?</P><DIV><SPAN> </SPAN></DIV><DIV><SPAN><A href="https://community.cisco.com/t5/identity-services-engine-ise/ise-2-4-and-error-12953/td-p/3828922" target="_blank" rel="nofollow noopener noreferrer">https://community.cisco.com/t5/identity-services-engine-ise/ise-2-4-and-error-12953/td-p/3828922</A></SPAN></DIV><DIV><SPAN> </SPAN></DIV><DIV> </DIV><DIV><SPAN><A href="https://community.cisco.com/t5/wireless-security-and-network/ise-ad-802-1x-authentication-failure-all-of-the-sudden/td-p/2502236" target="_blank" rel="nofollow noopener noreferrer">https://community.cisco.com/t5/wireless-security-and-network/ise-ad-802-1x-authentication-failure-all-of-the-sudden/td-p/2502236</A></SPAN></DIV><DIV><FONT color="#FF0000"><SPAN>Old, mentioning if you have load-balancer in the mix</SPAN></FONT></DIV><DIV><SPAN> </SPAN></DIV><DIV><SPAN><A href="https://community.cisco.com/t5/policy-and-access/ise-eap-authentication-fails/td-p/2658436" target="_blank" rel="nofollow noopener noreferrer">https://community.cisco.com/t5/policy-and-access/ise-eap-authentication-fails/td-p/2658436</A></SPAN></DIV><DIV><FONT color="#FF0000"><SPAN>Old, but mentioning switch IOS version</SPAN></FONT></DIV><DIV> </DIV><DIV><SPAN><A href="https://community.cisco.com/t5/policy-and-access/ise-ad-authentication-stop-working-for-wireless/td-p/2363848" target="_blank" rel="nofollow noopener noreferrer">https://community.cisco.com/t5/policy-and-access/ise-ad-authentication-stop-working-for-wireless/td-p/2363848</A></SPAN></DIV><DIV><SPAN><FONT color="#FF0000">Old, but might help?</FONT></SPAN></DIV> Thu, 05 Sep 2019 14:28:59 GMT https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528806#M311191 Nolan H. 2019-09-05T14:28:59Z https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528807#M311192 <P>Hi <A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/8886">@jake.ryan1</A> </P><P>Do you have radius accounting enabled? If so you might be running into an ISE bug. </P><P>Can you try disabling accounting and see if you still see the same issue?</P><P>P.S: For security reasons, it will be a good idea to mask out sensitive information like Re-auth session IDs and all <SPAN class="lia-unicode-emoji" title=":slightly_smiling_face:"><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P><P>Cheers!</P><P>Raj </P> Thu, 05 Sep 2019 17:13:06 GMT https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528807#M311192 raj.yarlagadda@meraki.com 2019-09-05T17:13:06Z https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528808#M311193 <P>Are all the APs listed as clients in ISE?</P> Thu, 05 Sep 2019 20:49:25 GMT https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528808#M311193 Philip D'Ath 2019-09-05T20:49:25Z https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528809#M311194 <P>Hi Raj</P><P>sorry I was not sure what is passed in all these things</P><P>do you have any description of what the ISE bug could be as I am sure we are running accounting</P><P>cheers</P> Thu, 05 Sep 2019 22:58:33 GMT https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528809#M311194 jake.ryan1 2019-09-05T22:58:33Z https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528810#M311195 <P>Hi Philip</P><P>i am covering our entire network subbnet with meraki so authentication is covered at this point as you can see the Same subnet is taking authentication the same as the AP which is not </P> Thu, 05 Sep 2019 23:00:03 GMT https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528810#M311195 jake.ryan1 2019-09-05T23:00:03Z https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528811#M311196 <P>Hi <A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/8886">@jake.ryan1</A> I was looking into the Auth error details and found this article in Cisco forums which is related to the auth error you are seeing. You can see the bug id in there.</P><P><A href="https://community.cisco.com/t5/policy-and-access/ise-ad-authentication-stop-working-for-wireless/td-p/2363848" target="_blank" rel="nofollow noopener noreferrer">https://community.cisco.com/t5/policy-and-access/ise-ad-authentication-stop-working-for-wireless/td-p/2363848</A></P><P>Cheers!</P><P>Raj</P> Fri, 06 Sep 2019 16:02:11 GMT https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528811#M311196 raj.yarlagadda@meraki.com 2019-09-06T16:02:11Z https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528812#M311197 We came across the same issue and found bug <A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq00652/?rfs=iqvred" target="_blank" rel="nofollow noopener noreferrer">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq00652/?rfs=iqvred</A> which was affecting our test results. Fri, 11 Oct 2019 17:16:55 GMT https://community.cisco.com/t5/wireless/radius-testing-cisco-ise-not-all-passing/m-p/5528812#M311197 Eric101 2019-10-11T17:16:55Z