08-21-2019 02:50 AM
Hi,
After a recent upgrade of C3650s from 16.6.4 to 16.6.6, the switches started requesting CTS data before the PAC is provisioned. Because of this, ISE is dropping RADIUS messages with the error message "11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute". These silent drops are effectively marking the RADIUS server "DEAD" and, because of "radius-server deadtime 15", making it unusable for some time.
Has anyone else also observed this change in CTS request behavior? Is this now the new expected behavior? Is there a way to force the switch to ask for CTS data only once the PAC is provisioned, or to change ISE so that it does not silently drop the requests but replies with an access-reject message?
Thank you.
08-21-2019 05:59 AM
08-21-2019 08:09 AM
08-23-2019 03:55 AM
Hi,
RADIUS servers are probed every 1 with the automate-tester feature and ISE is sending back access-reject messages; however, this doesn't bring the RADIUS servers UP again. I have also tried removing the whole RADIUS config and applying it back, but there was no difference. It looks like logging a case is the only option left.
Thank you!