Solved: ACS RADIUS Request dropped : 11051 RADIUS packet contains invali

Laurent BOURHIS · ‎01-11-2012

Hi all,

We're running a very strange issue for a couple of days now. Our ACS v5.2.0.26 started to drop connection from wired and wireless connections, with a "Radius Request Dropped" message. The detailed message is : "RADIUS Request dropped : 11051 RADIUS packet contains invalid state attribute".

This message is usually preceded with a "RADIUS Request dropped : 24444 Active Directory operation has failed because of an unspecified error in the ACS" error.

The communication with Active Directory seems to be ok since worstations are getting a valid ip adress when connected to a non 802.1x switch port (Cisco 4506).

Any help grealty appreciated,

Best Regards and happy new year to all members,

Laurent

camejia · ‎01-11-2012

Hello Laurent,

Please check on all of your ACS servers (Secondary instances if applicable) the AD connectivity status between the ACS and the AD.

Users and Identity Stores > External Identity Stores > Active Directory

Is the Connectivity Status showing CONNECTED or DISCONNECTED on any of your ACS servers? If any of the servers is showing as DISCONNECTED that might be the root cause of the issue.

Hope this points you into the right direction.

Regards.

View solution in original post

camejia · ‎01-11-2012

Hello Laurent,

Please check on all of your ACS servers (Secondary instances if applicable) the AD connectivity status between the ACS and the AD.

Users and Identity Stores > External Identity Stores > Active Directory

Is the Connectivity Status showing CONNECTED or DISCONNECTED on any of your ACS servers? If any of the servers is showing as DISCONNECTED that might be the root cause of the issue.

Hope this points you into the right direction.

Regards.

Laurent BOURHIS · ‎01-11-2012

Hi Carlos and thanks for helping,

Following your advice, we've observed the connectivity status on ou primary and secondary instances. It shows connected most of the time. For time to time the status shows disconnected. On the event log of our Active Directory controllers, we have a lot of events Id 27, source kdc referring to the adminacs account used to join the domain. We also have the same events referring to the computer accounts primaryacs and secondaryacs. The exact message is : "While processing a TGS request for the target server

the account adminacs did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were

. The accounts available etypes were 23 -133 -128 3 1."

We've tried to clear the AD configuration the recreate the acs computer accounts. It seems to be ok for now.

I guess the link to AD got somewhat corrupted. It seems to be connected with Kerberos encryption.

I'll give an update on this since we are working with MS Support on this.

Thx for pointing in the right direction

yenaungoo · ‎05-15-2013

Hi I also encounter same issue as below, can help to advice?

ACS VM Ver 5.3.0.40 (standalone)

Problem Description:

ACS VM Ver 5.3.0.40 Radius Request Dropped by ACS with below error logs

- 24444 Active Directory operation has failed because of an unspecified error in the ACS

- 11051 RADIUS packet contains invalid state attribute

Condition:

- everything is configured properly (no changes)

- AD Connectivity Status is CONNECTED.

- Other Wireless Users connecting to different SSID with same ACS & AD are fine.

- Just some authentications for a policy with 2 user groups from AD are dropped by ACS suddenly.

- already restart ACS two times, still the same issue.

With milllion thanks,

Ye

ACS RADIUS Request dropped : 11051 RADIUS packet contains invalid state attribute