
5405 RADIUS Request Dropped

paul
Level 10

I am pulling my hair out (well I really don't have hair left) on an issue that I am sure I am missing something obvious.


I am testing wireless SSIDs against ISE, something I have done 100s of times.  I have a guest SSID working just fine against the deployment but on my 802.1x SSIDs I am getting the following in the logs:



11001 Received RADIUS Access-Request

  11017 RADIUS created a new session

  5405 RADIUS Request dropped


There is no reason for the request being dropped.  It is not even trying to match one of my policy sets, just dropping the RADIUS request.  I know, because the guest SSID works on the same controller, that the Shared Secrets and ISE network device definitions are working.

I am sure I am missing something obvious, but can't see it.  I saw the same thing with the customer on their APIC-EM RADIUS authentications being dropped with no apparent reason why.

5 Replies

hslai
Cisco Employee

The built-in Cisco NAD profile does not check the password for MAB, so it is possible for it to work with the wrong shared secret. Other than that, we need Runtime-AAA in DEBUG and to check prrt-server.log.


Wow, there is nothing more in the log files either at debug mode. At least nothing I see obvious. I am fighting two RADIUS request dropped issues. The one I can easily reproduce remotely is APIC-EM RADIUS authentication for GUI access. No matter what I try I get RADIUS request drops. ISE shows all the details of the network device in the details of the record so I know it is matching the right network device. I tried putting in the wrong shared secret on purpose and it still just says RADIUS request drop. The prrt server logs don’t show much detail:

AcsLogs,2018-02-08 21:35:39,442,DEBUG,0x7fc23c60b700,cntx=0000252715,sesn=MASV-ISE-PSN/307501790/27367,Formatter got 1676 attributes,MessageFormatter.cpp:150

AcsLogs,2018-02-08 21:35:39,442,DEBUG,0x7fc23c60b700,cntx=0000252715,sesn=MASV-ISE-PSN/307501790/27367,Duplicate pair: attr = NetworkDeviceName value = MAS-APIC-EM,MessageFormatter.cpp:394

AcsLogs,2018-02-08 21:35:39,442,DEBUG,0x7fc23c60b700,cntx=0000252715,sesn=MASV-ISE-PSN/307501790/27367,Log_Message=[2018-02-08 21:35:39.442 -05:00 0000437894 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=13, Device IP Address=10.201.41.0, Device Port=33585, DestinationIPAddress=10.201.9.10, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=MAS-APIC-EM, User-Name=phaferman, NAS-Identifier=b1c6c99d-d1da-493f-a693-60d77239fbd5, NetworkDeviceProfileName=Dart_Cisco_Customized, NetworkDeviceProfileId=f0628b3b-95af-4db4-b4ca-e72657d38595, AcsSessionID=MASV-ISE-PSN/307501790/27367, Step=11001, Step=11017, Step=5405, NetworkDeviceGroups=Location#All Locations#Mason DC, NetworkDeviceGroups=Device Type#All Device Types#Servers#APIC-EM, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=ISE Phase#ISE Phase#Auth, DTLSSupport=Unknown, Network Device Profile=Dart_Cisco_Customized, Location=Location#All Locations#Mason DC, Device Type=Device Type#All Device Types#Servers#APIC-EM, IPSEC=IPSEC#Is IPSEC Device#No, ISE Phase=ISE Phase#ISE Phase#Auth, ],MessageFormatter.cpp:94

I put a customized device profile to see if turning off some of the attributes would help, but so far it hasn’t. I guess I will have to open a TAC case and see if they can get more data.

Thanks for the feedback Hsing.

Did you find anything from TAC?

I got the same problem.

I think if I remember right it was odd characters in the RADIUS shared secret that caused some devices to not work correctly.  Are you just having the issue from APIC-EM or from something else?

Maybe not the same issue as mine, because my RADIUS shared secret is just common characters.