03-29-2019 07:36 AM - edited 03-29-2019 07:57 AM
Hi,
I have ISE 2.4.0.357.
On ISE I configured dot1x authentication for domain PCs and MAB for printers and IP phones. But dot1x authentication doesn't work, and in the ISE logs I see the following error:
Failure Reason: 12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution: Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root cause: Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may have already been reaped by timeout. This packet arrived too late.
Has anybody faced a problem like this?
The output of the command sh run int fa0/23 is:
!
interface FastEthernet0/23
description 204/1
switchport access vlan 101
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 101
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
spanning-tree portfast
end
The output of the command sh run | in rad is:
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
ip radius source-interface Vlan2 vrf default
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
The switch is a WS-C2960-24TT-L and the IOS is 12.2(50)SE5.
03-29-2019 06:38 PM
It appears that you are missing the following, per RADIUS Server Configuration on the Switch:
radius-server attribute 25 access-request include
All Releases of IOS Software shows 12.2.55-SE12 recommended for this switch and 15.0.2-SE11 the latest that can run on the switch. Please consider updating the IOS binary.
End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 2960 Series Switches shows this switch series going to end of support later this. So, please plan to replace it.
03-31-2019 11:35 PM - edited 03-31-2019 11:37 PM
No, I am not missing this command; I have it in the RADIUS server configuration. I wrote all the attributes:
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
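A quick way to settle the "is attribute 25 present" question in this thread is to lint the pasted sh run | in rad output instead of eyeballing it. The script below is an added example, not from the thread or from Cisco; the list of required commands is my own assumption drawn from what the replies mention, and the sample input is a constructed copy of the output posted above (hosts and keys redacted as in the post).

```python
import re

# Constructed sample input: the "sh run | in rad" output quoted in the thread,
# with the redacted host/key values kept as posted.
SH_RUN_RAD = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
ip radius source-interface Vlan2 vrf default
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxx
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxx
radius-server vsa send accounting
radius-server vsa send authentication
"""

# Assumed list of commands the thread treats as required for ISE dot1x/MAB.
REQUIRED = (
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa server radius dynamic-author",
    "radius-server attribute 6 on-for-login-auth",
    "radius-server attribute 8 include-in-access-req",
    "radius-server attribute 25 access-request include",
    "radius-server vsa send accounting",
    "radius-server vsa send authentication",
)

HOST_RE = re.compile(r"^radius-server host (\S+) auth-port (\d+) acct-port (\d+)")


def check_radius_config(text):
    """Return the required commands that are absent and the parsed RADIUS hosts."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    present = set(lines)
    missing = [cmd for cmd in REQUIRED if cmd not in present]
    hosts = []
    for ln in lines:
        m = HOST_RE.match(ln)
        if m:  # (host, auth-port, acct-port) for each radius-server host line
            hosts.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return {"missing": missing, "hosts": hosts}


if __name__ == "__main__":
    result = check_radius_config(SH_RUN_RAD)
    print("missing:", result["missing"] or "none")
    for host, auth_port, acct_port in result["hosts"]:
        print(f"radius host {host} auth-port {auth_port} acct-port {acct_port}")
```

Run against the posted output it reports nothing missing, which matches the original poster's reply; dropping the attribute 25 line from the input makes it the single reported gap.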