
I have a mobile GGSN (Nokia) which does RADIUS Authentication with ISE 2.0.

rainyhill
Level 1

Steps

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15006 Matched Default Rule
11014 RADIUS packet contains invalid attribute(s)
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario

Even after loading the corresponding RADIUS Dictionaries on Nokia and 3GPP I still have the same error and the ISE does not do any kind of authentication. My AUTH Policy looks like this:

>Default> use "internal Users" and "if authentication failed" => Continue

 

I have the corresponding user created, but I still cannot get any positive authentication. Here are the detailed steps:

 

Overview

Event: 5434 Endpoint conducted several failed authentications of the same scenario
Username: 449476530
Endpoint Id: 449476530
Endpoint Profile:
Authentication Policy: Default >> Default
Authorization Result:

Authentication Details

Source Timestamp: 2015-11-06 16:50:22.46
Received Timestamp: 2015-11-06 16:50:22.461
Policy Server: ISEPrimaryServer
Event: 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason: 11014 RADIUS packet contains invalid attribute(s)
Resolution: Check the network device or AAA Client for hardware problems. Also check the network that connects the device to the ISE for hardware problems. Also check whether the network device or AAA Client has any known RADIUS compatibility issues.
Root cause: One of the attributes in the RADIUS packet did not parse correctly
Username: 449476530
Endpoint Id: 449476530
Service Type: Framed
Network Device: GGSN15
Device Type: All Device Types
Location: All Locations
NAS IPv4 Address: 10.20.0.14
NAS Port Type: Virtual
Response Time: 2

Other Attributes

ConfigVersionId: 64
Device Port: 45586
DestinationPort: 1812
RadiusPacketType: AccessRequest
UserName: 449476530
Protocol: Radius
NAS-IP-Address: 10.20.0.14
Framed-Protocol: GPRS PDP Context
Acct-Session-Id: 8ABC02424bf11ec9
IsEndpointInRejectMode: false
NetworkDeviceProfileName: Nokia_GGSN
NetworkDeviceProfileId: 22d57725-0308-4239-b38a-6f6636a9f86e
IsThirdPartyDeviceFlow: true
3GPP-MS-TimeZone: 40:00
3GPP-Charging-Characteristics: 0800
3GPP-GGSN-Address: 1.2.2.66
3GPP-NSAPI: 5
3GPP-PDP-Type: 0
3GPP-IMSI: 228013520583313
3GPP-IMSI-MCC-MNC: 22801
3GPP-SGSN-Address: 1.2.3.3
3GPP-Selection-Mode: 0
3GPP-Charging-ID: 1274093257
3GPP-SGSN-MCC-MNC: 22801
3GPP-IMEISV: 3533460584460301
3GPP-Charging-Gateway-Address: 0.0.0.0
3GPP-GGSN-MCC-MNC: 22801
3GPP-GPRS-Negotiated-QoS-profile: 08-03070000048000001CC0
3GPP-Negotiated-DSCP: 1e:
3GPP-RAT-Type: 01:
AcsSessionID: ise20/236197777/4
CPMSessionID: 0a0788361QoR0T9eiFPTIt4HzaTCM9pKHryz0aarnnCjlGA0mx4
ISEPolicySetName: Default
AllowedProtocolMatchedRule: Default
Model Name: Unknown
Software Version: Unknown
Location: Location#All Locations
Device Type: Device Type#All Device Types
Called-Station-ID: abc.3gg.com

Result

RadiusPacketType: AccessReject
AuthenticationResult: Failed

Is there any way to find out which RADIUS Attribute the ISE does not accept?

Maybe like this I can find out which dictionary is still missing.

4 Replies

If you capture the traffic on the ISE and download to Wireshark it should be possible to find out. 

GUI: Operations > Troubleshoot > Diagnostic tools > General Tools > TCP Dump

Thanks Mikael,

with the TCP Dump I can see 3 attributes which should have a different value in the "other attributes" list,

which are:

ATTRIBUTE  3GPP-MS-TimeZone      23  string → “@”
ATTRIBUTE  3GPP-Negotiated-DSCP  26  string → “1e”
ATTRIBUTE  3GPP-RAT-Type         21  string → “02”

kurmai
Cisco Employee

Please disable suppression (right click on the record under RADIUS Livelog and select Bypass Suppression for 1 hour) and test again. There will be more specific errors provided.

Hello Kurmai

Thank you for your answer. Unfortunately there aren't more specific errors listed, although I enabled bypass suppression.

I have 3 attributes which won't show properly in the "other attributes". I changed the config to string, octet string and integer.

When I set the values to string, then the value in the other attributes list is:

ATTRIBUTE  3GPP-MS-TimeZone      23  string → “@”
ATTRIBUTE  3GPP-Negotiated-DSCP  26  string → “1e”
ATTRIBUTE  3GPP-RAT-Type         21  string → “02”

ATTRIBUTE  3GPP-MS-TimeZone      23  octet string → “40:00”
ATTRIBUTE  3GPP-Negotiated-DSCP  26  octet string → “1e”
ATTRIBUTE  3GPP-RAT-Type         21  octet string → “02”

ATTRIBUTE  3GPP-MS-TimeZone      23  integer → “doesn't show in the attributes list”
ATTRIBUTE  3GPP-Negotiated-DSCP  26  integer → doesn't show in the attributes list
ATTRIBUTE  3GPP-RAT-Type         21  integer → doesn't show in the attributes list
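
Added example, not part of the thread and not Cisco code: a small Python parser that walks the 3GPP Vendor-Specific Attributes in a RADIUS attribute block (for instance, bytes exported from the capture suggested above) and decodes each value under the three dictionary types tried in the last reply. The sample bytes are constructed from the values quoted in the thread; the 3GPP vendor ID 10415 and the 4-octet length of a RADIUS `integer` come from the specifications, and treating a length mismatch as the reason the value is dropped is an assumption about ISE's behaviour.

```python
import struct

VENDOR_3GPP = 10415   # IANA enterprise number for 3GPP
VSA = 26              # RADIUS Vendor-Specific attribute (unrelated to 3GPP sub-type 26)

def vsa(vtype, value):
    """Build one Vendor-Specific attribute carrying a single 3GPP sub-attribute."""
    sub = bytes([vtype, len(value) + 2]) + value
    body = struct.pack("!I", VENDOR_3GPP) + sub
    return bytes([VSA, len(body) + 2]) + body

# Constructed sample: MS-TimeZone (23), Negotiated-DSCP (26), RAT-Type (21)
SAMPLE = vsa(23, b"\x40\x00") + vsa(26, b"\x1e") + vsa(21, b"\x02")

def iter_3gpp(attrs):
    """Yield (vendor_type, raw_value) for every 3GPP sub-attribute in attrs."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError(f"bad attribute length at offset {i}")
        body = attrs[i + 2:i + alen]
        if atype == VSA and len(body) >= 4 and \
                struct.unpack("!I", body[:4])[0] == VENDOR_3GPP:
            j = 4
            while j + 2 <= len(body):
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError(f"bad sub-attribute length at offset {i}")
                yield vtype, body[j + 2:j + vlen]
                j += vlen
        i += alen

def decode(value, declared):
    """Decode under a dictionary type; None means the length cannot fit it."""
    if declared == "integer":          # RFC 2865 integer: exactly 4 octets
        return struct.unpack("!I", value)[0] if len(value) == 4 else None
    if declared == "octets":
        return value.hex(":")
    return value.decode("latin-1")     # "string": raw bytes shown as text

def report(attrs):
    """Map each 3GPP sub-type to its decoding under all three declared types."""
    return {vt: {t: decode(v, t) for t in ("string", "octets", "integer")}
            for vt, v in iter_3gpp(attrs)}

if __name__ == "__main__":
    for vt, views in report(SAMPLE).items():
        print(vt, views)
```

A `None` in the `integer` column marks a value whose on-wire length (2 octets for sub-type 23, 1 octet for 21 and 26) cannot be read as a 4-octet integer.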