Cisco ISE throws "11036 The Message-Authenticator RADIUS attribute is invalid "

vmurugan
Cisco Employee

Hello,

I am trying to authenticate my server (running an NMS) with a Cisco ISE with the EAP-TLS protocol.

I am seeing "11036 The Message-Authenticator RADIUS attribute is invalid" in the ISE when the ACCESS-REQUEST is sent from the NMS server to ISE. The RADIUS shared secret key is the same in both the NMS server and the ISE server.

Are there some Java samples for the Message-Authenticator attribute which I can refer to? I think I am missing something in the Message-Authenticator attribute.

Any pointers or suggestions to overcome this?
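For reference on the question above, an added example (not part of the original thread and not Cisco code) of how RFC 3579 section 3.2 defines the Message-Authenticator attribute of an Access-Request: HMAC-MD5, keyed with the shared secret, over the whole packet with the attribute's 16-byte value set to zero. The class name, secret, identity and packet contents are constructed for illustration, and the byte array is assumed to be exactly as long as the packet's Length field.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class MessageAuthenticatorExample {   // hypothetical class name
    // Offset of the 16-byte value of attribute 80 (Message-Authenticator), or -1.
    static int valueOffset(byte[] pkt) {
        for (int i = 20; i + 2 <= pkt.length; ) {   // attributes follow the 20-byte header
            int len = pkt[i + 1] & 0xff;
            if (len < 2 || i + len > pkt.length) return -1;   // malformed attribute
            if ((pkt[i] & 0xff) == 80) return len == 18 ? i + 2 : -1;
            i += len;
        }
        return -1;
    }
    // HMAC-MD5 over Code, Identifier, Length, Request Authenticator and all
    // attributes, with the Message-Authenticator value replaced by 16 zero bytes.
    static byte[] compute(byte[] pkt, int off, byte[] secret) throws Exception {
        byte[] copy = pkt.clone();
        Arrays.fill(copy, off, off + 16, (byte) 0);
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(secret, "HmacMD5"));
        return mac.doFinal(copy);
    }
    // Receiver side: recompute and compare without leaking timing.
    static boolean verify(byte[] pkt, byte[] secret) throws Exception {
        int off = valueOffset(pkt);
        return off >= 0 && MessageDigest.isEqual(
                Arrays.copyOfRange(pkt, off, off + 16), compute(pkt, off, secret));
    }
    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-secret".getBytes(StandardCharsets.UTF_8);
        byte[] id = "alice".getBytes(StandardCharsets.UTF_8);   // constructed identity
        byte[] reqAuth = new byte[16];
        new SecureRandom().nextBytes(reqAuth);                   // Request Authenticator
        int eapLen = 5 + id.length, total = 20 + 2 + eapLen + 18;
        ByteBuffer b = ByteBuffer.allocate(total);
        b.put((byte) 1).put((byte) 7).putShort((short) total).put(reqAuth); // Access-Request header
        b.put((byte) 79).put((byte) (2 + eapLen))                // EAP-Message carrying
         .put((byte) 2).put((byte) 1).putShort((short) eapLen).put((byte) 1).put(id); // EAP-Response/Identity
        b.put((byte) 80).put((byte) 18).put(new byte[16]);       // zeroed placeholder
        byte[] pkt = b.array();
        System.arraycopy(compute(pkt, valueOffset(pkt), secret), 0, pkt, valueOffset(pkt), 16);
        System.out.println("as signed: " + verify(pkt, secret));
        pkt[1]++; System.out.println("Identifier changed after signing: " + verify(pkt, secret));
    }
}
```

The value has to be written last, once every attribute (including all EAP-Message fragments) is in place and the Length field is final, because any later change to the packet changes the HMAC input.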

5 Replies

vmurugan
Cisco Employee

Adding to this, I am able to authenticate successfully with the PAP and CHAP protocols. I am facing the issue with EAP-TLS only.

What is an NMS?

Network Management System. I am working for an NMS named Cisco Prime Infrastructure, where the login (authentication) and the authorization can be done locally or remotely (via a RADIUS server). So we use ISE for remote authentication. We configure the RADIUS server IP address, shared secret and the required details in the NMS server, which will be used for authentication and authorization.

Not sure I understand. Why would you use EAP-TLS to authenticate Prime towards ISE? You are logging into the Prime GUI with username/password, right?

To log in to the Prime GUI, the authentication will be done by ISE.

The flow goes like this: admins will log in to the Prime GUI with the default username/pwd and add the RADIUS/ISE details to it, which will be used by Prime for authentication/authorization.

Once it's done, any other user who tries to log in to the Prime GUI with their own credentials will be validated against the identity details in ISE. So even to log in to the Prime GUI, authentication should be successful in ISE.